Send, clear, ignore and spoof ARP. Know how to truly disable the processing of gratuitous ARP in a Cisco router.
Getting started
Here we have a simple topology with Kali Linux (running Wireshark) connected to a Cisco 3725:
Current ARP table in the router:

We see only the router itself is in its own ARP table.
Send an unsolicited (gratuitous) ARP
Let’s manually shoot out a single unsolicited ARP “reply” (using arping) to the router from the Linux client:

Wireshark on the Linux client shows the action:

“debug arp” on the router also shows some action:

Let’s check the router’s ARP table now with “sh arp“:

Ok, we see the Linux client now. The router accepted the gratuitous/unsolicited ARP “reply”.
Clear the ARP entry
Let’s attempt to clear the ARP entry:

Interesting! The router automatically sent an ARP request when we attempted “clear ip arp 10.2.1.30” and immediately added it back to its ARP table:

Let’s just clear it again with Linux disconnected:

There we go!
Ignore the gratuitous ARP “replies”
Now let’s add “ip arp gratuitous none” to our global configuration to ignore these unsolicited ARP “replies”:

Now let’s fire off that unsolicited ARP “reply” from Linux again:

We can see our router received it and ignored it!:

Even when we clear the ARP entry, the router ignores the response to its own ARP request!:

Be aware:
FYI: “no ip gratuitous-arps” is only applicable to PPP/SLIP peer addresses, you can see it has no effect:

To prove the vulnerability to malicious intent, let’s use arpspoof:

Poof, we can poison the table all we want:

To prove “ip arp gratuitous none” guards us against this threat, let’s do the exact same attack with it applied:

As you can see, the gratuitous ARP was ignored and our table is still squeaky clean:

Mission accomplished.