Wired

I have a question for the community regarding an issue we are experiencing with DHCP snooping. Maybe you all might have a suggestion on what I could be doing wrong. 

I configured DHCP snooping on two access layer switches (2930F and 2920). The 2930F (closer to the DHCP servers and Core layer of the network) provides the uplink for the 2920. 

On the 2930F DHCP snooping is enable globally and applied to the vlans and authorized DHCP servers are configured (doubled checked that they are correct), and the uplink interface for the 2930F is set to trusted. The downlink interface (connected to the 2920) is set to untrusted as well as access interfaces are set to untrusted.

On the 2920 DHCP snooping was enabled globally (I disabled it due to the issue I will describe below), authorized servers are configured same as the other switch and applied snooping to vlans and the uplink interface leading to the 2930F is set as trusted with all access interfaces set as untrusted.

With all that being said, with DHCP snooping enabled on the 2920, our access points weren't receiving their IP address assignment from the server causing the APs to go offline and their respective switch ports to flap.

Also, the 2930F switch was reporting the following event: (edited to output)

" W  00856 dhcp-snoop: backplane: Received untrusted relay info from client" <error shows mac address of Aruba AP connected to 2920 switch> on port <error shows interface of 2930F which is connected to the 2920 switch>.

I would like to have dhcp-snooping enabled on the switches where clients direct connect for obvious reasons.

Any ideas of what I could be doing wrong? Is it a DHCP setting that I should consider? Is it an issue with the 2920 being daisy chained to the 2930? Or something else?

We have other access switches with APs and other clients attached with DHCP snooping configured and so far haven't had an issues like this. The APs and wired clients connected to the 2930F switch aren't affected, just the ones on the 2920 when snooping is enabled on the 2920.

Attached is a simplified topology.

-------------------------------------------

I've seen issues with DHCP option 82 (port/location information). You may try to disable the option 82 injection or checking in the DHCP snooping.

Also, if all downlink ports are untrusted on your switches, you may put the port on your 2930F to the 2920 as trusted as well.

If this doesn't help, it may be good to work with yout partner or TAC as having access to the environment, config, logs may be useful to resolve...

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Thanks Herman!

I thought I read something about option 82 being a probable cause and your response confirmed that. 

After disabling option 82 on the secondary switch (the 2920) (no dhcp-snooping option 82) I reenabled dhcp-snooping on the secondary switch and rebooted one of the APs attached to it and the AP was able to receive an IP address with no errors reported on the lead switch (the 2930F).

Here is an overview of the dhcp snooping config on lead switch and the secondary switch:

 lead/uplink 2930F switch DHCP Snooping Information

  DHCP Snooping              : Yes
  Enabled VLANs              : <vlan IDs>

  Verify MAC address         : Yes
  Option 82 untrusted policy : drop
  Option 82 insertion        : Yes
  Option 82 remote-id        : mac
  Store lease database       : Not configured
  Rate-Limit (PPS)           : 100

 downlink/secondary 2920 switch DHCP Snooping Information

  DHCP Snooping              : Yes
  Enabled VLANs              : <vlan IDs>
  Verify MAC address         : Yes
  Option 82 untrusted policy : drop
  Option 82 insertion        : No
  Store lease database       : Not configured

Thanks for your help.

-------------------------------------------

Original Message:
Sent: Jan 14, 2026 07:20 AM
From: Herman Robers
Subject: DHCP Snooping AOS-S

I've seen issues with DHCP option 82 (port/location information). You may try to disable the option 82 injection or checking in the DHCP snooping.

Also, if all downlink ports are untrusted on your switches, you may put the port on your 2930F to the 2920 as trusted as well.

If this doesn't help, it may be good to work with yout partner or TAC as having access to the environment, config, logs may be useful to resolve...

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------