You're worried about "man in the middle" attacks, correct? Or do you want to create a group of ports that "whitelist" a DHCP server? This is set port by port (i.e. the port is trusted or untrusted).
Dynamic ARP Inspection: You can use DAI even with non-DHCP hosts
Background: Please read this link from a Cisco Book:
With your question, are you saying you don't want to introduce the switch overhead on untrusted ports to detect and prevent ARP poison routing, where the man in the middle inserts a rogue IP gateway in the frame?
Does this get you the info you're looking for?
The links you provided are useful. But I think I found the answer.
Suppose I have interface fast0/2 configured as DHCP-trusted. If we configure DAI, this will use the DHCP snooping database. So the interface will be DAI-trusted and DAI will not inspect ARP packets coming from it.
So I think the answer to my question is: no, an interface cannot be DHCP-trusted and DAI-untrusted at the same time.
DHCP snooping checks replies on "untrusted" ports, which is where client PCs are typically connected. Likewise, DAI checks for invalid ARP replies on "untrusted" ports, which is where client PCs are typically connected. In both cases, the "trusted" ports connect to other switches or, in the case of DHCP snooping, to the server farm where the DHCP server is located.
DHCP Snooping and Dynamic ARP Inspection are two different security features, although DAI relies on the DHCP Snooping database to function, in addition to a static list of entries for non-DHCP hosts/servers. If you have a port that is DHCP Snooping trusted, any DHCP OFFER packets that originate at that interface will be permitted; however, this would not automatically trust the interface for DAI. For example, if you had a DHCP server and set its port to be trusted, but then had DAI enabled for the VLAN that the DHCP server belonged to, you would either have to have a static DAI entry for that server (it would have a static IP and would not be in the DHCP Snooping database which DAI relies on), or you would have to set the interface as DAI trusted using the ip arp inspection trust interface command. If you did neither of these, you would see DAI errors for that interface and it would not be able to communicate on the network.
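The two trust settings described in the post above, as an added IOS configuration example (not from the original thread or from Cisco documentation). It assumes VLAN 10, a DHCP server on fast0/2 with the constructed address 10.0.10.5 and MAC 0011.2233.4455; either the ARP ACL or the per-interface DAI trust is enough on its own, both are shown only to illustrate the two options.

```cisco
! Enable DHCP snooping and DAI for the VLAN. DAI validates ARP on
! untrusted ports against the snooping binding table plus any ARP ACL.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Option 1: static DAI entry for a host that never appears in the
! snooping binding table (the DHCP server has a static IP).
! Constructed IP/MAC values; replace with the real server binding.
arp access-list DAI-STATIC-SERVERS
 permit ip host 10.0.10.5 mac host 0011.2233.4455
!
ip arp inspection filter DAI-STATIC-SERVERS vlan 10
!
interface FastEthernet0/2
 description DHCP server
 switchport mode access
 switchport access vlan 10
 ! DHCP snooping trust: OFFER/ACK from this port are allowed.
 ip dhcp snooping trust
 ! Option 2: DAI trust is a separate setting; without it (or the ARP
 ! ACL above) ARP from the server is inspected and dropped.
 ip arp inspection trust
!
interface FastEthernet0/3
 description client PC
 switchport mode access
 switchport access vlan 10
 ! Untrusted for both features (the default): DHCP server replies are
 ! dropped here and ARP is checked against the binding table.
 ip arp inspection limit rate 15
```

Verify the resulting state with show ip dhcp snooping and show ip arp inspection interfaces, which list the trust state for each feature independently.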