
Consider a switch without any VLANs defined, with 2 subnets configured. Is it possible to ARP spoof from one subnet to another?

According to Evan's reply in "What are the implications of having two subnets on the same switch?", that should not be possible ("The computers in the different subnets won't ARP across-subnet"). My assumption is that it is possible, as the same broadcast domain is shared and ARP requests are on layer 2.

fliX

1 Answer


That is correct. With no VLANs, and therefore no network segmentation, ARP spoofing is particularly problematic because all clients are affected regardless of subnet.

For example, if you have a client on, say, 172.21.1.100/24, a gateway on 172.21.1.1/24 and a malicious actor on 192.168.1.100, gratuitous ARP messages can be sent to all devices, purporting to originate from 172.21.1.1 but with the MAC address of the malicious actor. Because the switch ports are all in the same VLAN, it will happily forward the ARP broadcast to all attached devices.

Mark Riddell
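The answer's scenario from a defender's side, as an added example that is not part of the original question or answer: a minimal ARP watcher that parses raw Ethernet/ARP frames seen on the shared broadcast domain and alerts when an IP already bound to one MAC (here the 172.21.1.1 gateway) is suddenly claimed by another, which is exactly what a host on the 192.168.1.0/24 side would see because the VLAN-less switch floods the broadcast to every port. The MAC addresses and frames below are constructed sample data, and `ArpWatch`, `parse_arp` and `build_arp` are names chosen for this example.

```python
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)

class ArpWatch:
    """Tracks IP->MAC bindings seen on one broadcast domain and flags changes."""
    def __init__(self, trusted):
        self.table = dict(trusted)  # seeded with bindings we trust, e.g. the gateway
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sha, spa, tpa = parsed
        known = self.table.setdefault(spa, sha)  # first sighting is learned, not alerted
        if known == sha:
            return None
        gratuitous = op == ARP_REPLY and spa == tpa  # sender announces itself to everyone
        note = " (gratuitous reply)" if gratuitous else ""
        return f"ALERT {spa}: expected {known}, now claimed by {sha}{note}"

# Constructed sample frames (not captured traffic). The second one carries the
# gateway's IP with a different sender MAC, broadcast to ff:ff:ff:ff:ff:ff, so
# every host on the flat switch receives it no matter which subnet it is in.
def build_arp(src_mac, op, sha, spa, tha, tpa):
    eth = ETH.pack(bytes.fromhex("ffffffffffff"), src_mac, ETHERTYPE_ARP)
    return eth + ARP.pack(1, 0x0800, 6, 4, op, sha, bytes(spa), tha, bytes(tpa))

GATEWAY_MAC = bytes.fromhex("00005e000101")   # sample MAC for 172.21.1.1
ROGUE_MAC = bytes.fromhex("0242ac110002")     # sample MAC of the 192.168.1.100 host
GATEWAY_IP = (172, 21, 1, 1)

def demo():
    watch = ArpWatch({"172.21.1.1": mac_str(GATEWAY_MAC)})
    legit = build_arp(GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, GATEWAY_MAC, GATEWAY_IP)
    rogue = build_arp(ROGUE_MAC, ARP_REPLY, ROGUE_MAC, GATEWAY_IP, ROGUE_MAC, GATEWAY_IP)
    return watch.observe(legit), watch.observe(rogue)
```

Seeding the table with the real gateway binding is what makes the second frame an alert rather than a learned entry; in practice the same logic runs over frames from a promiscuous capture on any port of that switch.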