I've implemented DHCP snooping on parts of the network where I have control over them to avoid rogue DHCP servers being introduced by students or teachers plugging some home routers into the plugs if our wireless APs. However I've come across a situation where I realized that DHCP snooping was doing harm when enabled one one particular (not same model as others) switch impairing DHCP replies from the servers being received by clients.

My understanding has been this far as follows:
- All uplinks leading to the core and server switch need to be "trusted"
- All access ports should stay untrusted
- The port of the DHCP server should be trusted as well

Is that correct so far? Now I've encountered issues when moving a (wireless) client from sector connected another area that is connected
to another switch, thus they don't share the same snooping DB.

My network goes (simplified) as follows: server <-> server (and AP) switch <-> wirecenter (fibre) <-> all other switches (A, B, C...)
I've checked the switch in the server room has the same settings as all the other access switches. Moving between A, B, or C works DHCP allways works.

However when moving from APs connected to the same switch as the server switch to any other, the DHCP server replies never arrive at the client when DHCP snooping is enabled.
Going back to APs connected to the server switch it works again, or after waiting for $RANDOM/UNKNOWN period of inactivity.

I've tracked down this behaviour to the switch with the DHCP server via wireshark and port mirroring so that I could verifiy the location where the DHCP replies started missing.
Any input would be highly appreciated.