Voice over IP Cisco - DHCP snooping agent (slightly OT?)

Mike Newell

2005-07-20, 5:45 pm

I have a question about a problem we're seeing that relates to DHCP
snooping. I know it's not directly a phone question, but we enabled DHCP
snooping on our phone network as a security precaution and so I kind of
think I can ask this here... :-)

Anyway we have DHCP snooping and source guard turned on on our network on
the phone VLAN to ensure a rogue DHCP server does not inject bad DHCP
information in the network. The snooping agent is properly recording the
leases in the in-memory database as expected. Normally you configure a
server to which the agent periodically replicates its data - either via
TFTP, FTP, SCP, etc. - so that if the switch reboots it can recover its
context.

Our switches (3560s) stopped writing the backend databases for some
reason. When we debug the agent we get the messages:

*Jul 30 00:01:04: Safe write timer expired.
*Jul 30 00:01:04: Trying to open url in safe write mode..
*Jul 30 00:01:04: Safe write mode failed. Restarting timer.

I get this regardless of the method I use for trying to write the backend
database - TFTP, FTP, SCP, even FLASH. Normal "copy running-config
tftp:..." commands work fine, so it's not the server. Monitoring Ethernet
traffic shows that when the database writes fail I do not see any traffic
from the switch to the target server; this is consistent with the fact
that even FLASH writes fail. Updates are indeed being applied to the
in-memory database; just the replication to permanent storage is failing.

I've asked some cisco people what these messages mean and the uniform
response I'm getting is "Here's how to configure DHCP snooping". I
already know how to do that; I'm trying to understand the meaning of the
error messages so I can figure out what's wrong. I've searched the Net,
Cisco sites, etc. and found nothing... :-(

Anyone here happen to have any pointers? I'd appreciate any help... :-)

Thanks!!!!

Mike

Kevin Thorngren

2005-07-21, 2:45 am

Hi Mike,

Not sure if anyone answered your question. I am not familiar with DHCP
Snooping nor the requirements to make it work. I found one TAC case
that had the same messages that you have. The resolution was to
synchronize NTP. Once they resolved the NTP sync issue the DB started
receiving updates.

Maybe this will help, not sure.

Kevin
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Mike Newell

2005-07-25, 5:45 pm

Thanks Kevin - no one has suggested that so far. The time is WAY off on
all the switches, so getting NTP working might indeed help. They are all
set up for NTP but for some reason they are not syncing. That was on my
list to track down, so I'll bubble it on up... :-)!!

Thanks,

Mike

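As an added example, not configuration posted by anyone in this thread, here is a Catalyst 3560 configuration that puts together what the two posts describe: DHCP snooping with IP Source Guard on the phone VLAN, the database agent replicating the in-memory bindings to a TFTP server, and the NTP association that Kevin's TAC case identified as the missing piece. Cisco's Catalyst 3560 configuration guide states that when NTP is configured, the switch writes binding changes to the binding file only while the system clock is synchronized with NTP, which is consistent with the "Safe write mode failed" loop Mike saw on switches whose clocks were far off. The VLAN number, interface names, the TFTP server 10.1.1.5, the NTP server 10.1.1.10, the file name and the time zone are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. Addresses, VLAN,
! interface names, file name and time zone are assumptions.
!
! 1. Fix the clock first. With NTP configured, the database agent does
!    not write the binding file until the clock is synchronized.
clock timezone EST -5
clock summer-time EDT recurring
ntp server 10.1.1.10 prefer
!
! 2. DHCP snooping on the phone VLAN. Only the uplink toward the real
!    DHCP server is trusted; every access port is untrusted by default,
!    so DHCP OFFER/ACK from a rogue server on a phone port is dropped.
!    If PCs sit behind the phones on a separate data VLAN, snoop that
!    VLAN too: IP Source Guard on a port applies to every VLAN on it.
ip dhcp snooping
ip dhcp snooping vlan 100
!
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
!
! 3. IP Source Guard on the access ports: IP traffic is permitted only
!    from IP/MAC pairs present in the snooping binding table.
interface range FastEthernet0/1 - 48
 switchport access vlan 100
 ip verify source
!
! 4. Database agent: replicate the bindings to permanent storage so they
!    survive a reboot. write-delay is the number of seconds the agent
!    waits after a binding change before writing; timeout is how long a
!    stalled transfer is allowed to run before it is abandoned.
ip dhcp snooping database tftp://10.1.1.5/sw-phone-1.snoop.db
ip dhcp snooping database write-delay 300
ip dhcp snooping database timeout 300
!
! Verification, from exec mode:
!   show ntp status                 -> must report "Clock is synchronized"
!   show ip dhcp snooping database  -> Agent URL, Last Failed Reason,
!                                      Successful/Failed Writes counters
!   show ip dhcp snooping binding   -> the current in-memory leases
!   debug ip dhcp snooping agent    -> the "Safe write" messages in the post
```

The check a practitioner wants after applying this is `show ip dhcp snooping database`: if "Failed Writes" keeps climbing while "Successful Writes" stays at zero, the agent is in the loop described above and `show ntp status` is the first thing to look at. The failure matters beyond lost bookkeeping: with `ip verify source` on the access ports, a switch that reboots without a recoverable binding file has an empty binding table, so phones that still hold a valid lease are filtered until they go through DHCP again, turning a silent agent failure into an outage at the next reboot.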
Copyright 2003 - 2008 webservertalk.com