Dynamic ARP inspection, starts with a man in the middle attack, with the rogue user and PC sending a gratuitous ARP to say the MAC address for your default gateway is this, then the user accessing anything using the default gateway is sending all its traffic to the rogue users pc, which is then copying all the packets before sending it on to its destination.
DHCP snooping must be enabled, for DAI to be enabled.
Here is how to configure DAI:
tpw-sw1(conf)# ip arp inspection vlan 10 tpw-sw1(conf)# int gi0/1 tpw-sw1(config-int)#ip arp inspection trust
How to Check and Verify DAI:
tpw-sw1# show ip arp inspection