[cisco-voip] DHCP snooping agent (slightly OT?)

Mike Newell mnewell at spottydogs.org
Mon Jul 25 11:29:25 EDT 2005


Thanks Kevin - no one has suggested that so far.  The time is WAY off on
all the switches, so getting NTP working might indeed help.  They are all
set up for NTP but for some reason they are not syncing.  That was on my
list to track down, so I'll bubble it on up... :-)!!

Thanks,

Mike

On Wed, 20 Jul 2005, Kevin Thorngren wrote:

kthorn> Hi Mike,
kthorn>
kthorn> Not sure if anyone answered your question.  I am not familiar with DHCP
kthorn> Snooping nor the requirements to make it work.  I found one TAC case
kthorn> that had the same messages that you have.  The resolution was to
kthorn> synchronize NTP.  Once they resolved the NTP sync issue the DB started
kthorn> receiving updates.
kthorn>
kthorn> Maybe this will help, not sure.
kthorn>
kthorn> Kevin
kthorn> On Jul 20, 2005, at 11:45 AM, Mike Newell wrote:
kthorn>
kthorn> > I have a question about a problem we're seeing that relates to DHCP
kthorn> > snooping.  I know it's not directly a phone question, but we enabled DHCP
kthorn> > snooping on our phone network as a security precaution and so I kind of
kthorn> > think I can ask this here... :-)
kthorn> >
kthorn> > Anyway we have DHCP snooping and source guard turned on on our network on
kthorn> > the phone VLAN to ensure a rogue DHCP server does not inject bad DHCP
kthorn> > information in the network.  The snooping agent is properly recording the
kthorn> > leases in the in-memory database as expected.  Normally you configure a
kthorn> > server to which the agent periodically replicates its data - either via
kthorn> > TFTP, FTP, SCP, etc. - so that if the switch reboots it can recover its
kthorn> > context.
kthorn> >
kthorn> > Our switches (3560s) stopped writing the backend databases for some
kthorn> > reason.  When we debug the agent we get the messages:
kthorn> >
kthorn> > 	*Jul 30 00:01:04: Safe write timer expired.
kthorn> > 	*Jul 30 00:01:04: Trying to open url in safe write mode..
kthorn> > 	*Jul 30 00:01:04: Safe write mode failed.  Restarting timer.
kthorn> >
kthorn> > I get this regardless of the method I use for trying to write the backend
kthorn> > database - TFTP, FTP, SCP, even FLASH.  Normal "copy running-config
kthorn> > tftp:..." commands work fine, so it's not the server.  Monitoring Ethernet
kthorn> > traffic shows that when the database writes fail I do not see any traffic
kthorn> > from the switch to the target server; this is consistent with the fact
kthorn> > that even FLASH writes fail.  Updates are indeed being applied to the
kthorn> > in-memory database; just the replication to permanent storage is failing.
kthorn> >
kthorn> > I've asked some Cisco people what these messages mean and the uniform
kthorn> > response I'm getting is "Here's how to configure DHCP snooping".  I
kthorn> > already know how to do that;  I'm trying to understand the meaning of the
kthorn> > error messages so I can figure out what's wrong.  I've searched the Net,
kthorn> > Cisco sites, etc. and found nothing... :-(
kthorn> >
kthorn> > Anyone here happen to have any pointers?  I'd appreciate any help... :-)
kthorn> >
kthorn> > Thanks!!!!
kthorn> >
kthorn> > Mike
kthorn> > _______________________________________________
kthorn> > cisco-voip mailing list
kthorn> > cisco-voip at puck.nether.net
kthorn> > https://puck.nether.net/mailman/listinfo/cisco-voip
kthorn> >
kthorn>

