How to prevent ARP spoofing

I have a WiFi network with 60 cnPilot AP, controlled my cnMaestro, used by ~1000 clients daily.

I try to prevent clients to use IP addresses not offered by my DHCP, without any success :(
(some iOS devices try to use the GW IP: https://documentation.meraki.com/MX/Monitoring_and_Reporting/IP_Conflict_Events_Triggered_by_iOS_Devices )

I tried:

- Client isolation

- Turn off Proxy ARP

- Deny protected IP-s from wifi with ACL

neither prevent spoofing client to introduce its MAC for the GW IP :(

So, how can I protect my network against ARP poisoning?

ps.: Clients are unknown guest, so maintaining a MAC access table, or a static MAC-IP table is not possible.

What gateway are using?  If using Mikrotik you can set the DHCP to add ARP entries, and then set the bridge or interface to Reply-Only.

This will ensure the gateway only responds to clients its assigned the DHCP for and will not allow clients with a static IP address.

On this network, I don't use Mikrotik router, but I know that solution. It prevents only the gateway to talk with unidentified clients and they can't talk thru the gateway, but still not prevents spoofing clients to get and answer the ARP broadcast on the WiFi network :/

Client Isolation + NO Arp Proxy combined with tunneled traffic with default L2 filters on the GRE server do the work.

But tunneling all the traffic of a huge network to a single cnMaestro controller is a big SPOF :(

cnPilot does not have the option to prevent clients with static ip address in accessing the network. looks like you want to prevent any clients with static ip address in your deployment. do you see any kind of attack is happening in the network