DAI validates ARP packets against the DHCP snooping binding table — blocking ARP replies that don't match known IP-MAC-port bindings, preventing ARP poisoning attacks.
DAI requires DHCP snooping to be configured first (creates the binding table DAI validates against). Trust uplink ports (same as DHCP snooping). DAI + DHCP snooping + port security = comprehensive Layer 2 security. Must be explicitly configured — not enabled by default.