Since it is so easy to do, say on a corporate scale, how can an admin protect their network from NAT poisoning? I know using VLANs to segment the network and secure off different areas of the place would help, but what if, say, Joe the accounting intern on the accounting network NAT poisoned another computer in there, which allowed him to receive information or passwords from another computer on the accounting VLAN? I cannot see any way to protect against this. And also, the only way to detect that it is being done to a specific computer is by doing a tracert to that computer, right?
-
The one thing I was thinking of is if a script could be written to auto-tracert a packet to every host and then compare it against the known good connection path, and if it is different, raise a flag. Is any of this possible at router level without using a script?
I know there are a few networking guys here.
-
Someone's gotta know...
-
What's NAT poisoning? Do you mean DNS poisoning or DNS cache poisoning?
-
Frick, I meant ARP poisoning! I dunno why I said NAT lol!
-
Have you had a look-see at the Wikipedia article on ARP Spoofing?
How to protect against ARP poisoning?
Discussion in 'Networking and Wireless' started by nizzy1115, Jan 15, 2009.
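The baseline comparison proposed in the thread, applied to a host's ARP/neighbour cache (IP-to-MAC mappings) instead of traceroute paths, as an added example that is not part of the original thread. It assumes Linux `ip neigh show` output; the baseline, the addresses and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches `ip neigh show` entries that carry a link-layer address, e.g.
# "192.0.2.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE".
# FAILED/INCOMPLETE entries have no lladdr and are skipped by the pattern.
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9A-Fa-f:]{17})\b")

# Constructed known-good baseline (IP -> MAC), recorded while the segment is trusted.
BASELINE = {
    "192.0.2.1": "02:00:00:00:00:01",   # gateway
    "192.0.2.10": "02:00:00:00:00:10",
    "192.0.2.11": "02:00:00:00:00:11",
}

# Constructed sample: the gateway IP now resolves to the MAC of 192.0.2.11.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 02:00:00:00:00:11 REACHABLE
192.0.2.10 dev eth0 lladdr 02:00:00:00:00:10 STALE
192.0.2.11 dev eth0 lladdr 02:00:00:00:00:11 REACHABLE
192.0.2.12 dev eth0 FAILED
"""

def parse_neigh(text):
    """Return {ip: mac} for every neighbour entry that has a MAC address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_arp(baseline, observed):
    """Return alerts as (kind, ip_or_ips, mac) tuples."""
    alerts = []
    for ip, mac in sorted(observed.items()):
        good = baseline.get(ip)
        if good is None:
            alerts.append(("unknown-host", ip, mac))
        elif good.lower() != mac:
            alerts.append(("mac-changed", ip, mac))
    # One MAC answering for several IPs is the usual footprint of a poisoned
    # cache; hosts with several legitimate IPs need an allowlist.
    by_mac = defaultdict(list)
    for ip, mac in observed.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("mac-shared", ",".join(sorted(ips)), mac))
    return alerts

if __name__ == "__main__":
    for alert in check_arp(BASELINE, parse_neigh(SAMPLE_NEIGH)):
        print(*alert)
```

On a live host the input would come from running `ip neigh show` on a schedule; the check only sees the cache of the machine it runs on, so it has to run on each host that should be watched.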