There are several tools available to protect against ARP spoofing:
Static ARP records are the easiest way to protect against ARP spoofing. This entry is entered manually, preventing the device from automatically changing the ARP cache. Remember, this method can only be used for some records (for example, standard gateway addresses), and client nodes still remain vulnerable to attack.
Software for checking ARP requests. It certifies IP/MAC addresses and blocks non-certified responses. There is another version of such software that informs the host about changes in the ARP cache.
Firewalls with packet filtering. They detect attempts by hackers to disguise themselves as another host by marking packets sent from duplicate addresses.
Encryption. This is the most important way to protect against ARP attacks. It significantly complicates ARP hacking and prevents a hacker from reading messages after they are intercepted.
VPN. When you connect to a VPN, all your data will pass through an encrypted tunnel that is guaranteed to protect against any hacker attacks.
The best defense is attack?
In the end, I would like to mention an unusual way of protection – imitation of ARP spoofing in your network to find gaps in security systems. Tools for pentest are widely available and easy to use, so this strategy of protection against ARP attacks has every right to exist.