Troubleshooting DHCP-Snooping Option 82 Packet Drops on HP ProCurve 2610 Series Switches


5 views

During our DHCP-snooping implementation on HP ProCurve 2610 switches (firmware R.11.72), we encountered unexpected packet drops with the error: Received untrusted relay information from client <mac-address> on port <port-number>. This occurs specifically with DHCP requests originating from downstream switches, despite having a flat Layer 3 topology.

The problematic configuration involves:

Topology:
[DHCP Server] -> [Switch A (48-port)] -> [Switch B (24-port)] -> [Clients]

The switch configurations show proper trust settings:

// Switch A Configuration
dhcp-snooping
dhcp-snooping authorized-server 192.168.0.254
dhcp-snooping vlan 1 168
interface 25
    name "Server"
    dhcp-snooping trust
exit

// Switch B Configuration  
dhcp-snooping
dhcp-snooping authorized-server 192.168.0.254
dhcp-snooping vlan 1
interface Trk1
   dhcp-snooping trust
exit

Despite no explicit DHCP-relay configuration, the switches show relay activity:

SWITCH B# show dhcp-relay
  DHCP Relay Agent         : Enabled 
  Option 82                : Disabled
  Response validation      : Disabled
  Option 82 handle policy  : append
  Remote ID                : mac  
  
  Client Requests       Server Responses
  ---------- ---------- ---------- ----------
  40156      0          0          0

The issue stems from HP's default DHCP-relay behavior. Even though Option 82 is disabled, the switches still process relay information differently than expected. The 2610 series has a particular implementation where:

  1. DHCP-relay is enabled by default
  2. It modifies packets in ways that trigger DHCP-snooping validation
  3. The validation occurs even when Option 82 appears unmodified

The most effective workaround we found was:

// On all upstream switches:
no dhcp-snooping option 82

For environments requiring stricter security, consider these alternatives:

Option 1: Disable DHCP-relay completely
no dhcp-relay

Option 2: Configure consistent Option 82 handling
dhcp-relay
dhcp-relay option 82 replace
dhcp-relay remote-id hostname

Disabling Option 82 validation does reduce some security protections. However, in a flat network with properly configured trust boundaries, the risk is minimal. The key protections remain:

  • Authorized server validation
  • Port trust settings
  • VLAN boundary enforcement

To confirm the solution works:

show dhcp-snooping statistics
show dhcp-relay statistics
debug dhcp-snooping packet
debug dhcp-relay packet

Look for successful DHCP transactions after implementation.

When implementing DHCP-snooping on HP ProCurve 2610 switches (firmware R.11.72), we encountered unexpected packet drops with the error: Received untrusted relay information from client <mac-address> on port <port-number>. This occurs specifically for DHCP requests originating from downstream switches, despite having a flat L2/L3 topology where DHCP relay shouldn't be necessary.

Topology:
[DHCP Server]──[Switch A]──DSL──[Switch B]──[Clients]
           (trusted port)     (trunk trusted)

Both switches have nearly identical configurations:

Switch A (Upstream)

dhcp-snooping
dhcp-snooping authorized-server 192.168.0.254
dhcp-snooping vlan 1 168
interface 25
    name "Server"
    dhcp-snooping trust
exit

Switch B (Downstream)

dhcp-snooping
dhcp-snooping authorized-server 192.168.0.254
dhcp-snooping vlan 1
interface Trk1
   dhcp-snooping trust
exit

Despite not explicitly configuring DHCP relay, the switches show:

SWITCH A# show dhcp-relay
  DHCP Relay Agent         : Enabled
  Option 82                : Disabled
  ...

SWITCH B# show dhcp-relay
  DHCP Relay Agent         : Enabled
  Option 82                : Disabled
  Client Requests       Server Responses
  Valid      Dropped
  ---------- ----------
  40156      0

The key observations:

  • DHCP relay is enabled by default on ProCurve switches
  • Switch B shows heavy relay activity (40K+ requests) despite no L3 boundaries
  • Option 82 is disabled, yet we see Option 82-related drops

Even with Option 82: Disabled in DHCP relay settings, the switch is still inspecting Option 82 fields due to:

  1. The inherent behavior of DHCP-snooping to validate relay information
  2. Potential firmware bug in R.11.72 where disabled options still trigger validation

Option 1: Disable Option 82 Validation (Quick Fix)

Switch A(config)# no dhcp-snooping option 82

Pros: Immediately resolves the issue
Cons: Disables security validation for legitimate Option 82 modifications

Option 2: Properly Configure Trust Boundaries

Switch A(config)# interface 25
Switch A(config-if)# dhcp-snooping trust option 82
Switch A(config-if)# exit

Option 3: Disable DHCP Relay Entirely

Switch B(config)# no dhcp-relay
Switch B(config)# write memory

Disabling Option 82 validation means:

Security Aspect Impact
Spoofed DHCP servers Still protected by authorized-server list
Option 82 injection Vulnerable to malicious circuit-id/remote-id insertion
IP source guard Unaffected if using separate bindings

For most flat networks with ProCurve 2610 switches:

! On all upstream switches
dhcp-snooping
no dhcp-snooping option 82
dhcp-snooping authorized-server [ip]
dhcp-snooping vlan [list]

! On all downstream switches
no dhcp-relay
dhcp-snooping
dhcp-snooping authorized-server [ip]
dhcp-snooping vlan [list]
show dhcp-snooping
show dhcp-relay
debug dhcp-snooping packet
debug dhcp-relay packet

The root cause appears to be a combination of default DHCP relay activation and strict Option 82 validation in the DHCP-snooping implementation. For flat networks without actual relay requirements, completely disabling DHCP relay on downstream switches while keeping basic DHCP-snooping provides the cleanest solution.