Thanks; I took a quick glance at vShield but I don't think it would work.  It comes close in that it lets you segment traffic, but I've effectively already done that by putting different machines on different vlan's, so when one causes a problem, it is at least limited to that vlan.  It also appears to let you firewall down to the vm level, but I'm not sure if the rules could be granular enough to accomplish what I need, and even if it could, it would likely be a very heavy administrative burden; i.e. I would need it to support adding a rule to every guest that states "if a gratuitous arp is generated by this VM that announces it has IP addresses other than X, Y and Z, drop it."  With that much work, I'd probably be better off just hard coding the arp table on the routers since I can automate that.

I'm going to investigate vshield further with our sales rep though just to make sure.

The option to disable mac changes won't help because this is not what the guests are doing.  Basically what I'm wanting to prevent is a compromised server (guest) from sending out fraudulent arp responses or gratuitous arp packets for ip addresses that are not on that guest.  It's not changing it's mac, it's just trying to announce it's mac for ip's it doesn't have.  vmware tools has knowledge of every ip address configured on the guest OS, so I was hoping there'd be some automated way to let vsphere block what vmware tools would know to be bogus arp's.

Correct, the normal port group security features such as MAC address changes and forged transmits are useless in this case. Unfortunately vSphere offers nothing out of the box to prevent ARP-spoofing.

The Cisco 1000V dvSwitch should be able to protect against it through the standard Cisco security features though.

As for vShield App (a vNIC level firewall), it offers an IP-spoofing protection feature with which the offending guest will at least be unable to forward IP packets with a forged source IP:

http://vshieldsuite.wordpress.com/2012/07/12/spoof-guard/