Recently i have configured DHCP SNOOPING & IP VERIFY SOURCE in all the ports of the switch for enabling anti spoofing. It is also working perfectly as getting the IP address from the DHCP server and not allowing the users to assign the IP Address on their own. They have to configure the PCs to get the IP Address only from DHCP server which is trusted port of the 3560 Switch
At this moment, I have a few CISCO 1310 Autonomous wireless Access points also connected to CE500 switch which is connected to this 3560 switch.
The requirement and the issue is I want these Access points to have static IP address and not from DHCP server. But the clients connecting to these Access points should get the IP address from the DHCP Server. These clients should not be able to assign the IP Address on their own, Even if they do so they should not be able to access the network, similar to they I configured the 3560 switch ports.
Hope the description is clear to understand.
I experimented a bit with the LWAP WLC. I have a NM-WLC module but things should be almost identical if you are using the standalone controller.
It seems that the controller itself implements a functionality similar to the IP Source Guard. When you access the Web management interface of the controller, click on the "WLANs" tab and in the displayed list, click on the "Edit" link at the line with the selected WLAN SSID. In the next page, notice the checkbox "DHCP Addr. Assignment". If this option is active, the clients absolutely have to get their IP addresses using DHCP. If they assign IP addresses on their own, they will be denied access.
Can you test it in your network and tell us if it worked for you?