
TFTP from a DNA fabric enabled switch

adrian916
Level 1

Is it possible to TFTP from an edge / border switch within the DNA fabric to a TFTP server outside the fabric?

I want to back up the switch configs, but the TFTP connections are failing (timing out).

I can do this successfully from the fusion routers (outside the fabric) but not from any switch inside.

The initial connection to the server is made (we see the source ip appear) but then the switch never seems to receive a reply and the connection times out. The only time I have seen this before (outside of DNA) is when a switch had to use a 'transit' network internally, that wasn't routable on the MPLS. In these instances, creating an 'ip tftp source-interface' solved the problem by changing the source address to a routable one.

In DNA, this doesn't appear to make any difference. I have used both VLAN and physical interfaces as the source, and VLANs both in the overlay and the underlay. In each case, we see the new source address appear on the TFTP server, but the connection then times out again. All of these source addresses are routable and can be used to ping or SSH from the TFTP server.

 

Does DNA actively block TFTP connections? Or is there something else that needs configuring, either within DNA-C or on the switches? If a source-interface should work, which one? (One within the VRF, one in the underlay, LISP etc.?)

 

Any advice greatly appreciated.


ammahend
VIP

I am not aware of any such restrictions. Can you ping the TFTP server from the border or edge?
If you install TFTP on a laptop and connect it to one of the edge switches, does TFTP work then?

Since you are dealing with multiple VRFs, does the IP from which you are connecting via TFTP have access to the global VRF where the TFTP server exists?

-hope this helps-

Thanks for your replies

 

The edge / border switches can ping the TFTP server and vice versa, on both underlay and overlay addresses, so routing exists.

We have multiple sites connected via MPLS. At present we are only implementing DNA on a site-by-site basis, so are not 'full fabric'.

The TFTP server exists in a data centre that is not fabric enabled, so it is outside of the switch site's VRF and therefore cannot be moved into the VRF or put on a local VLAN.

Unfortunately, I cannot test the direct connection of a laptop at present - with the current coronavirus lockdown, we do not have physical access to any sites and can only work remotely :(  As and when restrictions are lifted, that is something I can try when we can get back on site.

 

It was just strange that no matter which interface I set as source, we see the appropriate IP address appear on the TFTP server and can ping it to validate the path, but no TFTP data is passed. There are no ACLs in place other than what DNA-C implements automatically during provisioning.

On what kind of machine do you have TFTP running?

-hope this helps-

Mike.Cifelli
VIP Alumni

AFAIK DNAC would not block the TFTP connections. I agree with @ammahend... To me this sounds like a routing issue to your underlay devices. I would suggest tshooting the path and ensuring you are not missing any necessary leaking at the FR level or routes from your legacy gear to fusions to inside the fabric. Have you considered possibly creating a "backend" VLAN connection that hangs off the EBNs for certain servers and direct underlay connectivity? We actually do this to limit traffic (such as RADIUS traffic) through the fusions and core. Essentially we have a VLAN that allows underlay connectivity directly from the EBNs, utilizing GLBP on the EBNs and redistributing the VLAN into ISIS. In this setup things like ISE, SolarWinds, etc. hang right off the fabric. Good luck!

Preston Chilcote
Cisco Employee

Is there a firewall in between?

 

 

adrian916
Level 1

frickhwa2
Level 1

Did you ever figure this out? I'm running into the same issue trying to transfer a pcap file from a fabric access switch to a laptop TFTP server connected to that switch, and can't find anything. I tested transferring from other non-fabric devices and that works fine, just any fabric switch gets !.....  %Error writing tftp://xxxxxxx (Timed out).....
