arp spoofing protection on LAN
Suggest you research the latest Cisco APs. I believe these devices are able to isolate each wireless client from each other and from the network. All client traffic is routed instead of switched.
You can then setup ACLs to keep WiFi attached clients from reaching anything they should not have access to.
Also most enterprise-grade switches support anti-ARP-spoofing. Ports can be configured to allow no more than one MAC address. Alternately MAC addresses can be limited to DHCP assigned values (dynamic ARP). Virtual server ports and ports for cross- connects to other network devices would not get the restrictive policy.
If you're feeling seriously paranoid, you might look into configuring IPSEC between all the critical systems on the LAN using X509 certificate authentication. This prevents all forms of traffic sniffing and MITM attacks. Be sure to setup a CRL (certificate revocation list) so that if any one system is compromised or simply goes end-of-life and is discarded, that it's certificate can be revoked and never used to communicate on the LAN again.
One caveat: If one of the critical systems becomes compromised by a hacker, the hacker will be on the "inside" and can still do all the bad things that hackers do.
You can't protect a layer-2 network from ARP spoofing. And a single wireless AP consists of a single wireless layer-2 network.
I do not know if your wireless AP acts as a bridge (which would propogate the "original" MAC address used by the client wireless card) or a router (which would retransmit using the AP's MAC address). If it's in router mode, then your wired clients are already protected against ARP spoofing by wireless clients. If it's in bridge mode, and an attacker knows the MAC address of a wired LAN user, then they can knock it off the network.
You can't drop ARP requests without breaking your network. It wouldn't help, anyway, because any packet transmitted with a duplicated MAC address is enough to cause problems.
As for isolating your WIFI, that's easy. Stick a router in between the AP and the rest of the wired network. You could plug it into a physical LAN or a VLAN, you don't need to muck with VLAN tagging and card support, it's just plain old layer 3 networking.