And remember that switches aren't security enforcement devices and shouldn't be expected to be.
The 3com switches that we have (SuperStack II) certainly have some active security measures. Enabling "Port Security" on a port makes the switch remember the first MAC address it receives and locks that MAC address to that port until overridden by manual intervention. Unfortunately, though, they cannot perform any kind of ARP poisoning countermeasure.

AFAIK, some other switches even let you configure the valid MAC addresses per port. However, there have been reports of switches being confused if they're swamped with MAC addresses and resorting to broadcast mode. Actually, that's perfectly normal spanning tree algorithm behaviour, that algorithm being the basis of all switches. As such, it's buried deep in the devices' logic and it probably isn't being disabled by 'port security'.

Switches have some features that are marketed as security benefits, and some even are, but switches remain devices designed to provide efficient connectivity, i.e. mainly speed. They are not designed as security enforcers, while other devices, e.g. firewalls, are (or should be).

One can even argue that it is a Bad Idea (TM) to use managed switches in sensitive environments, because the switch constitutes a further point of attack and often a single point of failure. The point is strengthened by the fact that the OS on switches is generally not designed with security as a top priority; it usually supports a number of services (Cisco switches, e.g., support NTP, SNMP, TFTP, Telnet, CDP) that can be exploited. And more often than not, I wager, the personnel are pretty clueless with regard to the switch configuration, since these boxes are typically plug'n'play.

Now don't get me started on VLANs. Just this much: don't use VLANs to 'separate' networks of (more or less substantially) different trust. Instead, implement physical separation.

Tobias
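As an added illustration (not part of the post above or any vendor's code), a constructed Python model of a learning switch with a bounded CAM table shows the two behaviours discussed: an unprotected port swamped with forged source addresses evicts the legitimate entries and previously private unicast traffic gets flooded to every port, whereas a port-security limit locks the port to its first N MACs and treats further ones as a violation. The CAM size (64), the per-port limit and the "err-disable on violation" action are assumptions of the model, not the behaviour of any particular switch.

```python
from collections import OrderedDict


class Switch:
    """Constructed model of a learning switch with a bounded MAC->port (CAM) table."""

    def __init__(self, ports, cam_size, port_security=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = OrderedDict()            # src MAC -> ingress port (oldest first)
        self.port_security = port_security  # max MACs per port; None = disabled
        self.locked = {p: set() for p in ports}  # MACs locked to each port
        self.err_disabled = set()

    def receive(self, in_port, src, dst):
        """Process one frame; return the set of egress ports, or None if dropped."""
        if in_port in self.err_disabled:
            return None
        # Port security: lock the port to its first N source MACs; a further MAC
        # is a violation, modelled here as shutting the port (assumption).
        if self.port_security is not None:
            if src not in self.locked[in_port] and len(self.locked[in_port]) >= self.port_security:
                self.err_disabled.add(in_port)
                return None
            self.locked[in_port].add(src)
        # Learn the source MAC, evicting the oldest entry when the CAM is full.
        if src in self.cam:
            self.cam.move_to_end(src)
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)
        self.cam[src] = in_port
        # Known unicast goes out one port; an unknown destination is flooded.
        if dst in self.cam:
            return {self.cam[dst]}
        return {p for p in self.ports if p != in_port}


def unicast_leaks_after_flood(port_security, bogus_macs=100):
    """Constructed scenario: hosts A (port 1) and B (port 2) talk, then port 3
    sources `bogus_macs` forged addresses. Returns (A->B seen on port 3?, err-disabled ports)."""
    sw = Switch(ports=[1, 2, 3], cam_size=64, port_security=port_security)
    sw.receive(1, "aa:aa", "bb:bb")  # switch learns A on port 1
    sw.receive(2, "bb:bb", "aa:aa")  # switch learns B on port 2
    for i in range(bogus_macs):
        sw.receive(3, f"ff:{i:04x}", "00:00")  # constructed forged sources
    egress = sw.receive(1, "aa:aa", "bb:bb") or set()
    return (3 in egress, frozenset(sw.err_disabled))
```

Without port security the A-to-B frame is flooded to port 3 once A and B have been evicted from the table; with a limit of one MAC on each port, port 3 is shut at the second forged address and the unicast stays on port 2.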