The ARP table, being a layer 2 to layer 3 mapping, is stored in the layer 3 devices. The MAC address table (or CAM) is stored in a switch. The two are related but different. Those defaults are correct per my recollection. I'm not sure of the context of the statement, but I don't think I'm completely in agreement with it. MAC address spoofing can easily make a switch act like a hub. That makes frames go out to locations that are not appropriate. ARP spoofing can cause an outright MITM and in that respect it is a greater risk. While the statement seems to indicate that the reason it is a greater risk is due to the timeout, the timeout is rarely reached. The next ARP request that the router makes will update all of the ARP tables in the broadcast domain anyway.
At the end of the day, MAC spoofing is easy to protect against with switchport port-security. ARP spoofing is a weakness in the protocol. Cisco can use the DHCP snooping table in conjunction with DAI (Dynamic ARP Inspection) to help with this problem. I think that statement is one of those where it really depends on your perspective, situation and the exploit being attempted. Based on those factors I think some would disagree on which one is worse (and why).
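The DAI check mentioned above, as an added illustration that is not part of this thread or of any Cisco code: a small model of Dynamic ARP Inspection that validates ARP packets arriving on untrusted ports against a DHCP snooping binding table. The port names, VLAN, addresses, bindings and packets are all constructed sample data.

```python
# Model of Dynamic ARP Inspection (DAI): ARP packets on untrusted ports are
# checked against the DHCP snooping binding table; trusted ports are not inspected.
# Added illustration, not Cisco code; every binding, port and packet is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:          # one DHCP snooping entry (constructed)
    vlan: int
    ip: str
    mac: str

@dataclass(frozen=True)
class ArpPacket:        # the fields DAI looks at (constructed)
    port: str
    vlan: int
    sender_ip: str
    sender_mac: str

TRUSTED_PORTS = {"Gi0/24"}   # assumed uplink toward the router / DHCP server

# Constructed DHCP snooping table: leases the switch saw being handed out.
SNOOPING_TABLE = {(b.vlan, b.ip): b.mac for b in (
    Binding(10, "10.0.0.10", "aa:aa:aa:00:00:10"),
    Binding(10, "10.0.0.11", "aa:aa:aa:00:00:11"),
)}

def inspect(pkt: ArpPacket, table=SNOOPING_TABLE) -> tuple:
    """Return ("permit" | "drop", reason) for one ARP packet."""
    if pkt.port in TRUSTED_PORTS:
        return "permit", "trusted port: not inspected"
    expected = table.get((pkt.vlan, pkt.sender_ip))
    if expected is None:
        # A static address (e.g. the gateway) has no lease, so a host on an
        # untrusted port claiming it is dropped; statics need an ARP ACL instead.
        return "drop", f"no binding for {pkt.sender_ip} in VLAN {pkt.vlan}"
    if expected.lower() != pkt.sender_mac.lower():
        return "drop", f"{pkt.sender_ip} is bound to {expected}, not {pkt.sender_mac}"
    return "permit", "sender IP/MAC matches binding"

# Constructed traffic: a real host, a spoofed gateway reply from an untrusted
# port, a spoofed host reply, and the real gateway replying via the uplink.
SAMPLE = [
    ArpPacket("Gi0/1", 10, "10.0.0.10", "aa:aa:aa:00:00:10"),
    ArpPacket("Gi0/5", 10, "10.0.0.1", "cc:cc:cc:00:00:05"),
    ArpPacket("Gi0/5", 10, "10.0.0.10", "cc:cc:cc:00:00:05"),
    ArpPacket("Gi0/24", 10, "10.0.0.1", "00:00:0c:00:00:01"),
]

def run(packets=SAMPLE) -> list:
    """Verdict per packet, in order."""
    return [inspect(p)[0] for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run()):
        print(p.port, p.sender_ip, p.sender_mac, verdict, inspect(p)[1])
```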
ARP spoofing being a layer 3 attack and MAC spoofing being a layer 2 attack gives the main difference between the attacks, which also answers the last part of the question.
A) The ARP table is only on a router that holds the MAC-to-IP associations.
- On a layer 3 switch, if you configured a port as routed, you would not get any MACs with the command
sh mac address-table dyna int g0/1
- However, you will get ARP for the configured IP.
B) The switch has the CAM table which holds the MAC.
A switch doesn't know about layer 3 and hence there is no ARP.
Hence it would be wrong to think that if switches flush out the CAM entry, routers do too.
There is no connection as such between the two tables.
"This method (the ARP Spoofing attack) can be considered more threatening than MAC address spoofing because, while the CAM table stores these addresses for only 5 minutes (by default), most Cisco devices default to holding their ARP table associations for 4 hours."
With MAC address spoofing you are just faking your MAC to hide your machine's identity and/or to bypass some access list.
MAC spoofing is mostly limited to a broadcast domain.
With ARP spoofing a step further is taken, wherein you can make yourself the default gateway and intercept all the traffic (MITM).
As the ARP entry is kept for a longer time, it would create more chaos.
Specifically about the ARP table and the CAM, I totally agree with you because ARP tables are an L3 thing, not L2, because switches use and build the CAM table by looking at the source MAC address of the Ethernet frame, but this distinction in the book is not very consistent; for that reason I wanted another perspective, from a CCIE maybe.
"MAC address spoofing can easily make a switch act like a hub."
You meant MAC address flooding attacks, right?
Thanks for your answer.