04-03-2020 01:00 AM
Is it possible to tftp from an edge / border switch within the DNA fabric to a tftp server outside the fabric?
I am wanting to back up the switch configs, but the tftp connections are failing (timing out).
I can do this successfully from the fusion routers (outside the fabric) but not from any switch inside.
The initial connection to the server is made (we see the source ip appear) but then the switch never seems to receive a reply and the connection times out. The only time I have seen this before (outside of DNA) is when a switch had to use a 'transit' network internally, that wasn't routable on the MPLS. In these instances, creating an 'ip tftp source-interface' solved the problem by changing the source address to a routable one.
In DNA, this doesn't appear to make any difference. I have used both vlan and physical interfaces as the source and vlans both in the overlay and the underlay. In each case, we see the new source address appear on the tftp server, but the connection then times out again. All of these source addresses are routable and can be used to ping or ssh from the tftp server.
Does DNA actively block tftp connections? Or is there something else that needs configuring - either within DNA-C or on the switches? If a source-interface should work, which one? (one within the vrf, one in the underlay, LISP etc.?)
Any advice greatly appreciated.
04-03-2020 05:29 AM
I am not aware of any such restrictions. Can you ping the TFTP server from the border or edge?
If you install TFTP on a laptop and connect it to one of the edges, does TFTP work then?
Since you are dealing with multiple VRFs, does the IP from which you are connecting via TFTP have access to the global VRF where the TFTP server exists?
04-03-2020 06:53 AM
Thanks for your replies.
The edge / border switches can ping the tftp server and vice versa - both underlay and overlay addresses, so routing exists.
We have multiple sites connected via MPLS. At present we are only implementing DNA on a site by site basis, so are not 'full fabric'.
The TFTP server exists in a data centre that is not fabric enabled so is outside of the switch site's vrf and therefore cannot be moved into the vrf or put on a local vlan.
Unfortunately, I cannot test the direct connection of a laptop at present - with the current coronavirus lockdown, we do not have physical access to any sites and can only work remotely :( As and when restrictions are lifted, that is something I can try when we can get back on site.
It was just strange that no matter which interface I set as source, we see the appropriate IP address appear on the tftp server and can ping it to validate the path, but no tftp data is passed. There are no ACLs in place other than what DNA-C implements automatically during provisioning.
04-03-2020 07:27 AM
On what kind of machine do you have TFTP running?
04-03-2020 05:46 AM
AFAIK DNAC would not block the TFTP connections. I agree with @ammahend... To me this sounds like a routing issue to your underlay devices. I would suggest troubleshooting the path and ensuring you are not missing any necessary leaking at the FR level or routes from your legacy gear to fusions to inside the fabric. Have you considered possibly creating a "backend" vlan connection that hangs off the EBNs for certain servers and direct underlay connectivity? We actually do this to limit traffic (such as RADIUS traffic) through the fusions and core. Essentially we have a vlan that allows underlay connectivity directly from the EBNs utilizing GLBP on the EBNs and redistributing the vlan into ISIS. In this setup things like ISE, SolarWinds, etc. hang right off the fabric. Good luck!
04-03-2020 09:42 AM
Is there a firewall in between?
04-03-2020 12:09 PM
04-04-2020 02:11 AM
01-24-2023 07:24 AM
Did you ever figure this out? I'm running into the same issue trying to transfer a pcap file from a fabric access switch to a laptop tftp server connected to that switch, and can't find anything. I tested transferring from other non-fabric devices and that works fine, just any fabric switch gets !..... %Error writing tftp://xxxxxxx (Timed out).....