I am thinking about implementing DHCP Snooping and Dynamic ARP Inspection. I understand that ARP packets would be compared to the DHCP snooping database to determine if those ARP packets are legitimate.
However, I have many machines that have hard-coded IP addresses. I assume that these machines would not be in the DHCP snooping database since they have hard-coded IP addresses. In the cases of these machines, what if these machines are compromised and start sending out ARP packets for IP addresses that they are not supposed to have? Would Dynamic ARP Inspection be able to detect this and reconcile these ARP packets with the DHCP snooping database?
No, Dynamic ARP Inspection is an input-based feature, meaning the packets are checked on input to the switchport from the host. You would need to use a static source binding that basically creates a static entry into the DHCP snooping database for those hosts that have static IPs set. This would then allow you to use DAI on those hosts.
You are really better off converting those static hosts to DHCP (or use DHCP reservations if you really need a consistent IP address) if you have a lot of them. Otherwise managing the static bindings can get to be a pain, especially if those hosts are occasionally moved to different switches/ports.
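A small model of the check the answer describes, added here as an example (it is not from the question or answer and is not switch code): DAI validates each ARP packet on ingress against the DHCP snooping bindings, so a statically addressed host is dropped entirely until an operator binding (the `ip source binding` entry) exists for it, after which its genuine ARP passes and a claim on a neighbour's IP is still dropped. Port names and addresses are constructed.

```python
"""Model of Dynamic ARP Inspection: ARP checked on ingress against DHCP snooping
bindings plus operator static bindings. Constructed example, not switch code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    source: str  # "dhcp-snooping" or "static"

@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str

class DaiSwitch:
    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)   # uplinks / DHCP server ports
        self.bindings: dict[tuple[int, str, str], Binding] = {}
    def learn_dhcp(self, mac, ip, vlan, port):
        """Entry DHCP snooping creates when it sees a lease handed out."""
        self.bindings[(vlan, mac, ip)] = Binding(mac, ip, vlan, port, "dhcp-snooping")
    def add_static(self, mac, ip, vlan, port):
        """Operator-supplied entry for a host with a hard-coded address."""
        self.bindings[(vlan, mac, ip)] = Binding(mac, ip, vlan, port, "static")
    def inspect(self, pkt: ArpPacket) -> str:
        # DAI is an ingress check; frames from trusted ports are not inspected.
        if pkt.ingress_port in self.trusted:
            return "forward:trusted"
        b = self.bindings.get((pkt.vlan, pkt.sender_mac, pkt.sender_ip))
        if b is None:
            return "drop:no-binding"        # sender MAC/IP pair unknown in this VLAN
        if b.port != pkt.ingress_port:
            return "drop:port-mismatch"     # known pair, but arriving on the wrong port
        return "forward:valid"

def demo():
    """Static host on Gi1/0/7 (constructed): results before and after its binding."""
    sw = DaiSwitch(trusted_ports={"Gi1/0/1"})
    sw.learn_dhcp("00:11:22:33:44:05", "192.0.2.10", 10, "Gi1/0/5")  # DHCP client
    legit = ArpPacket("Gi1/0/7", 10, "00:11:22:33:44:07", "192.0.2.70")  # own address
    spoof = ArpPacket("Gi1/0/7", 10, "00:11:22:33:44:07", "192.0.2.10")  # neighbour's
    before = (sw.inspect(legit), sw.inspect(spoof))
    sw.add_static("00:11:22:33:44:07", "192.0.2.70", 10, "Gi1/0/7")
    after = (sw.inspect(legit), sw.inspect(spoof))
    return before, after
```

`demo()` returns `(("drop:no-binding", "drop:no-binding"), ("forward:valid", "drop:no-binding"))`, which is why static hosts lose ARP reachability the moment DAI is enabled on their VLAN unless a binding is added for them.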