I have 3 2960L switches running c2960l-universalk9-mz.152-5c.E.bin. These are primarily meant for a management network. All I want to do is have one VLAN with one DHCP server. That server only needs to hand out addresses from a single range (100-199). I also need to be able to not allow any rogue DHCP servers on any of the ports. Looking at the snooping commands, it seems to me that you have to define a port or interface you trust... but if your DHCP server is served from a VLAN, how do you define that? There doesn't seem to be an "ip dhcp snooping trust" command for VLAN interfaces. I'm probably missing something simple here.
All switches are connected over a simple trunk between the switches.
On "primary" switch1:
ip routing
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp ping packets 3
ip dhcp ping timeout 1000
!
ip dhcp pool mgmt
 network 192.168.1.0 255.255.255.0
 lease 0 0 5
 class mgmt-dhcp-class
  address range 192.168.1.100 192.168.1.199
!
!
!
ip dhcp class mgmt-dhcp-class
!
ip dhcp snooping vlan 1
ip dhcp snooping
interface GigabitEthernet0/1
 switchport mode trunk
interface Vlan1
 description Management
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 preempt
!

Switch2:
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
 ip helper-address 192.168.1.2
 standby 1 ip 192.168.1.1
 standby 1 priority 95
!

Switch3:
interface Vlan1
 ip address 192.168.1.4 255.255.255.0
 ip helper-address 192.168.1.2
 standby 1 ip 192.168.1.1
 standby 1 priority 90
!
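
Added example, not part of the original post: `ip dhcp snooping trust` is an interface-level command for layer-2 ports, so this Python sketch audits an IOS-style config and reports whether snooping is enabled, for which VLANs, and which ports are trusted. The sample config and the function names are constructed for illustration; treating the uplink trunk as the trusted port is an assumption about the topology.

```python
import re

# Constructed sample (assumption): downstream switch, uplink trunk trusted.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1
ip dhcp snooping
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode access
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
"""

def expand_vlans(spec):  # '1,10-12' -> {1, 10, 11, 12}
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config):
    """Report global/VLAN snooping state and per-port trust from a config."""
    enabled, vlans, ports, current = False, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            # Indented line: sub-command of the current interface section.
            if line == "ip dhcp snooping trust" and current in ports:
                ports[current] = True
            continue
        current = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            # Track layer-2 ports only; VlanN SVIs are not given a trust state.
            if not current.lower().startswith("vlan"):
                ports[current] = False
        elif line == "ip dhcp snooping":
            enabled = True
        elif line.startswith("ip dhcp snooping vlan "):
            vlans |= expand_vlans(line.split("vlan ", 1)[1])
    trusted = sorted(p for p, t in ports.items() if t)
    return {"enabled": enabled, "vlans": vlans, "trusted": trusted,
            "untrusted": sorted(p for p in ports if p not in trusted)}
```

Every port listed under `untrusted` is one where the switch drops DHCP server replies once snooping is active for that VLAN.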