firemtngems
Level 1

At present, we are using a Cisco 2960g-48 port switch. I've attempted to use DHCP snooping and save the binding database to a location, either tftp: or flash to no avail. I have upgraded to the latest IOS (c2960-lanbasek9-mz.122-52.SE.bin). Still no difference. We are not using the DHCP option 82 information.

In our configs, we have:

ip dhcp snooping vlan 2-798,800-4094
no ip dhcp snooping information option
ip dhcp snooping database tftp:/snoop.dhcp
ip dhcp snooping database write-delay 15
ip dhcp snooping database timeout 15
ip dhcp snooping
ip arp inspection vlan 2-798,800-4094

Our uplinks are configured for

ip arp inspection trust

ip dhcp snooping trust

Settings on the ports are:

interface GigabitEthernet0/1
switchport access vlan 30
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100

dc-r2-s3#show ip dhcp snooping database
Agent URL : tftp:/snoop.dhcp
Write delay Timer : 15 seconds
Abort Timer : 15 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        0   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0

Any ideas why we are not able to save the DHCP snooping table to either flash or tftp?

Thanks.

Comments
lesogorp11
Level 1

You are not pointed to a tftp server in your config:

ip dhcp snooping database tftp:/snoop.dhcp

Also, you need to have an empty file on the tftp/ftp server, if you read the config guide.

ip dhcp snooping database tftp://10.1.1.1/snoop.dhcp

I have also found that if you set up the database agent initially and there is no tftp/ftp server, but then you bring it up after the config, the agent will never work properly. You must remove the config, add a completely different tftp/ftp server in the config, and then put the old config back. This is just what I experienced on 4500/6500 platforms.

no ip dhcp snooping database tftp://10.1.1.1/snoop.dhcp

ip dhcp snooping database tftp://10.1.1.254/snoop.dhcp

database transfers successfully

no ip dhcp snooping database tftp://10.1.1.254/snoop.dhcp

ip dhcp snooping database tftp://10.1.1.1/snoop.dhcp

Also, you have your write-delay timer set to 15 seconds; that's pretty low. I would suggest bumping that up so that you are not transferring this that often. Most often it's pretty static and you will have dhcp addresses come in and out, but ultimately this is just to back up (especially for arp inspection) if the switch reloads/fails for some reason. I have all my devices set for 900 sec write delays (15 mins). This has been quite adequate for our environment, but mileage may vary of course.

-Paul

firemtngems
Level 1

Paul, thanks for your feedback. I did in fact fix the missing server name following the tftp://. After updating the name though, it continued to fail. Apparently in the top of the config was a statement reflecting NO DHCP SERVICE. Unknown why it was there. Apparently the default is to start the service. I had set the 15 second on the write-delay for testing purposes. I'll adjust it up to 15 mins as you recommend. There was also a bug entered on our IOS version 12.2(50). I have since upgraded to (52).

I was finally able to get binding information written out to tftp. As you mention, the files do have to be initially created with correct permissions. I noted though, while testing at one point, the data file got created automatically. I'm uncertain why. I did test changing the tftp: as you mention; yet seemed to have no effect on our 2960g's.

One Cisco engineer told me we can use a single tftp file for multiple switches. This is not correct. In fact, it will only save the bindings from the last switch.

What I notice now is the following fields never seem to be updated:

Agent Running: No

Delay Timer Expiry : Not Running

Abort Timer Expiry : Not Running

However, I did note bindings are making their way into the tftp: file. I'm having difficulties finding the exact meaning for the above.

Another interesting note. To enter a static entry into the dhcp snooping table, the expiry field is required. To enter an indefinite lease, I have to enter the maximum value of 4294967295. Displaying the bindings afterwards will show an indefinite lease - the behavior I'd expect if I left the expiry keyword off.

I'm uncertain of the best method for entering a static reservation - using dhcp snooping binding or arp acl. How do you handle your static entries? We use DHCP to hand out addresses, yet have some machines with static reservations as well. Did you apply snooping to just your access layer, or distribution as well?
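
A small offline check for the misconfigurations this thread turns up (an agent URL with no server host, `no service dhcp` in the config, a very short write-delay, and several switches writing to one file), as an added example that is not code from any poster or from Cisco. The switch names, sample configs and the 300-second threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample running-configs (switch names and addresses are made up).
SAMPLE_CONFIGS = {
    "sw-a": """\
no service dhcp
ip dhcp snooping database tftp:/snoop.dhcp
ip dhcp snooping database write-delay 15
ip dhcp snooping
""",
    "sw-b": """\
ip dhcp snooping database tftp://10.1.1.1/snoop.dhcp
ip dhcp snooping database write-delay 900
ip dhcp snooping
""",
    "sw-c": """\
ip dhcp snooping database tftp://10.1.1.1/snoop.dhcp
ip dhcp snooping
""",
}

# The agent URL line is the one whose argument contains a filesystem prefix ("xxx:").
URL_RE = re.compile(r"^ip dhcp snooping database (\S+:\S*)$", re.M)
DELAY_RE = re.compile(r"^ip dhcp snooping database write-delay (\d+)$", re.M)
MIN_WRITE_DELAY = 300  # assumed threshold; the thread suggests 900 s in production

def lint_switch(config):
    """Return a list of findings for one switch's running-config text."""
    findings = []
    if re.search(r"^no service dhcp$", config, re.M):
        findings.append("no service dhcp present")
    url = URL_RE.search(config)
    # A remote URL needs "//host/" before the file name; local flash: URLs do not.
    if url and re.match(r"t?ftp:", url.group(1)) and not re.match(r"t?ftp://[^/]+/.+", url.group(1)):
        findings.append("agent URL has no server host: " + url.group(1))
    delay = DELAY_RE.search(config)
    if delay and int(delay.group(1)) < MIN_WRITE_DELAY:
        findings.append("write-delay %s s is below %d s" % (delay.group(1), MIN_WRITE_DELAY))
    return findings

def shared_agent_urls(configs):
    """Map each remote agent URL to the switches using it, when more than one does."""
    users = defaultdict(list)
    for name, config in configs.items():
        url = URL_RE.search(config)
        if url and "//" in url.group(1):
            users[url.group(1)].append(name)
    return {u: sorted(s) for u, s in users.items() if len(s) > 1}
```

`shared_agent_urls` covers the point made above that one file shared by several switches only keeps the bindings from the last writer.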

yangcage168
Level 1

I got the same issue with Catalyst 2960G

WS-C2960G-48TC-L

IOS: c2960-lanbasek9-mz.150-2.SE4.bin

How to do?

Hi,

Your switch & ftp/tftp server should be synced with NTP

Br/Subhojit
