From: Darby Weaver (darbyweaver@yahoo.com)
Date: Thu Jan 10 2008 - 21:28:16 ARST
Thanks Paul
Gotta admit I was running out of options.
Since I manage several hundred 3550/3560/3750's in
various sites - I thought I'd compare and contrast and
see what was different.
I own 2 more 3550's too but they are not up as of
today.
Whew!!!!
--- Paul Cosgrove <paul.cosgrove@heanet.ie> wrote:
> Oops, meant "ip address dhcp" (it's late).
>
> Paul Cosgrove wrote:
> > Hi Darby,
> >
> > Sorry, I misunderstood. Was assuming you had an IP on the switch already.
> >
> > What you are seeing is the normal DHCP based auto configuration process.
> > Switches use DHCP to try to obtain an address if the configuration file
> > is deleted or they have no IP address.
> >
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swipaddr.html#wp1036156
> >
> > With an IP on the switch, if you then enable "ip dhcp client" on another
> > svi, before removing that command (or deleting the svi), you will find
> > that port 68 still remains open in show ip sockets.
> >
> > Paul.
> >
> >
> > Darby Weaver wrote:
> >> Not yet it hasn't.
> >>
> >> Still got it. Wiped everything but the default
> >> directory where the tar originally dropped it.
> >>
> >> Hmmm...
> >>
> >> This is like the third reboot.
> >>
> >> Just left one of my 3750's and it has neither 67 nor
> >> 68 but it does have routing enabled and it does
> >> have an IP Address assigned...
> >>
> >> Ahah!
> >>
> >> Hmmm...
> >>
> >> Well Paul it worked like this:
> >>
> >> While I had a blank configuration on my switch or one
> >> with no layer 3 addressing yet... I was a DHCP
> >> client.
> >>
> >> As soon as I enabled IP routing and assigned an IP
> >> Address, followed by a reboot:
> >>
> >> I finally got only port 67
> >>
> >> And then I issued the command "no service dhcp" to
> >> kill port 67
> >>
> >> Whew!!!
> >>
> >> Try it.
> >>
> >> But I promise, and I saved the session... just in case
> >> that ip address dhcp was never used.
> >>
> >> But as you wisely stated - "other conditions".
> >>
> >> No service dhcp should kill port 67.
> >>
> >> --- Paul Cosgrove <paul.cosgrove@heanet.ie> wrote:
> >>
> >>> If you set an interface to learn its IP from DHCP
> >>> and you then remove the "ip address dhcp" command, manually set an IP or
> >>> delete that SVI, the switch continues to listen on port 68.
> >>>
> >>> The same happens on both 3550s and 3560s, and there
> >>> may be other triggers which cause similar behaviour.
> >>>
> >>> A reload will fix it, though perhaps there may be a
> >>> better solution.
> >>>
> >>> Paul.
> >>>
> >>> Darby Weaver wrote:
> >>>> I do agree about no ip bootp (tried it myself - before
> >>>> I just looked it up).
> >>>>
> >>>> Here's the 3550:
> >>>>
> >>>>
> >>>> RACK3R10(config)#do sh ver
> >>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
> >>>> Copyright (c) 1986-2006 by Cisco Systems, Inc.
> >>>> Compiled Fri 28-Jul-06 12:20 by yenanh
> >>>> Image text-base: 0x00003000, data-base: 0x00DC0AC4
> >>>>
> >>>> ROM: Bootstrap program is C3550 boot loader
> >>>>
> >>>> RACK3R10 uptime is 16 weeks, 2 days, 1 minute
> >>>> System returned to ROM by power-on
> >>>> System image file is "flash:c3550-ipservicesk9-mz.122-25.SEE2.bin"
> >>>>
> >>>> RACK3R10#sh ip sockets
> >>>> Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> >>>>  17 --listen--          3.3.10.10       68   0   0    1   0
> >>>>  17 --listen--          3.3.10.10     1975   0   0   11   0
> >>>>  17 0.0.0.0         0   3.3.10.10     2228   0   0  211   0
> >>>>  17 0.0.0.0         0   3.3.10.10       67   0   0 2211   0
> >>>> RACK3R10#conf t
> >>>> Enter configuration commands, one per line.  End with CNTL/Z.
> >>>> RACK3R10(config)#no service dhcp
> >>>> RACK3R10(config)#do sh ip sockets
> >>>> Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> >>>>  17 --listen--          3.3.10.10       68   0   0    1   0
> >>>>  17 --listen--          3.3.10.10     1975   0   0   11   0
> >>>>  17 0.0.0.0         0   3.3.10.10     2228   0   0  211   0
> >>>> Funny port 68 will not go away now... on the 3550
> >>>>
> >>>>
> >>>> Here's the 3560:
> >>>>
> >>>>
> >>>> RACK3R7(config)#do sh ip soc
> >>>> Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> >>>>  17 --listen--          3.3.7.7       1975   0   0   11   0
> >>>>  17 0.0.0.0         0   3.3.7.7       2228   0   0  211   0
> >>>>  17 0.0.0.0         0   3.3.7.7         67   0   0 2211   0
> >>>> RACK3R7(config)#no service dhcp
> >>>> RACK3R7(config)#do sh ip soc
> >>>> Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> >>>>  17 --listen--          3.3.7.7       1975   0   0   11   0
> >>>>  17 0.0.0.0         0   3.3.7.7       2228   0   0  211   0
> >>>> Here's my other 3560:
> >>>>
> >>>> RACK3R8(config)#no service udp-small-servers
> >>>> RACK3R8(config)#do sh ip sock
> >>>> Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> >>>>  17 --listen--          3.3.8.8       1975   0   0   11   0
> >>>>  17 0.0.0.0         0   3.3.8.8       2228   0   0  211   0
> >>>>  17 0.0.0.0         0   3.3.8.8         67   0   0 2211   0
> >>>> RACK3R8(config)# service udp-small-servers
> >>>> RACK3R8(config)#no service dhcp
> >>>> RACK3R8(config)#do sh ip sock
> >>>> Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> >>>>  17 --listen--          3.3.8.8       1975   0   0   11   0
> >>>>  17 0.0.0.0         0   3.3.8.8       2228   0   0  211   0
> >>>> --- George Goglidze <goglidze@gmail.com> wrote:
> >>>>
> >>>>> Hi There,
> >>>>>
> >>>>> So is it not possible to disable BOOTP service on a
> >>>>> switch ?????
> >>>>>
> >>>>> I guess it is impossible to do it, as there is no
> >>>>> command "no ip bootp server",
> >>>>> neither "no ip service dhcp".
> >>>>>
> >>>>> by the way, I've tried to disable bootp service on
> >>>>> one router too,
> >>>>> on dynamips, 3725,
> >>>>> I did
> >>>>> "no ip bootp service"
> >>>>> but I still have port 67 open as we can see on
> >>>>> following output:
> >>>>>
> >>>>> R1#sh ip sockets
> >>>>> Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> >>>>>  17 --listen--          1.1.1.1       2887   0   0   11   0
> >>>>>  17 0.0.0.0         0   1.1.1.1         67   0   0 2211   0
> >>>>>
> >>>>>
> >>>>> To Darby: I do not have DHCP service running on the
> >>>>> router, so I don't have to
> >>>>> disable DHCP, as it listens on port 67 as well.
> >>>>> by the way I think we disable it with command "ip
> >>>>> dhcp bootp ignore",
> >>>>> but as I understand it, it listens only when you
> >>>>> enable dhcp service on the
> >>>>> router.
> >>>>>
> >>>>> anyway I did introduce both commands:
> >>>>> "ip dhcp bootp ignore"
> >>>>> and
> >>>>> "no ip bootp server"
> >>>>> on 3725 router (dynamips), and the output of show
> >>>>> ip sockets is the same.
> >>>>> port 67 is still open.
> >>>>>
> >>>>> So, how do I really disable those ports, or does the
> >>>>> show ip sockets output
> >>>>> lie to me?
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Jan 9, 2008 1:25 PM, Darby Weaver <darbyweaver@yahoo.com> wrote:
> >>>>>
> >>>>>> Have you considered:
> >>>>>>
> >>>>>> no ip bootp server
> >>>>>>
> >>>>>> Bootstrap Protocol (BOOTP) services: To disable BOOTP
> >>>>>> services, use the no ip bootp server command in IOS
> >>>>>> global configuration mode. Using the no ip bootp
> >>>>>> server command by itself will not stop the router from
> >>>>>> listening on UDP port 67 because this "well-known"
> >>>>>> port is also used by DHCP, which is described later in
> >>>>>> this list. This command is widely available within
> >>>>>> IOS.
> >>>>>>
> >>>>>> So....
> >>>>>>
> >>>>>> no ip service dhcp might be needed as well.
> >>>>>>
> >>>>>> My rack is off at the moment...
> >>>>>>
> >>>>>> That should do it.
> >>>>>>
> >>>>>> --- George Goglidze <goglidze@gmail.com> wrote:
> >>>>>>
> >>>>>>> Hi all,
> >>>>>>>
> >>>>>>> How can I disable bootp service on a 3550 switch?
> >>>>>>> SW1#sh ip sockets
> >>>>>>> Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> >>>>>>>  17 --listen--          --any--       1975   0   0   11   0
> >>>>>>>  17 0.0.0.0         0   1.1.1.1       2228   0   0  211   0
> >>>>>>>  17 0.0.0.0         0   1.1.1.1         67   0   0 2211   0
> >>>>>>>
> >>>>>>>
> >>>>>>> it shows that it's active.
> >>>>>>> but I have no command "no ip bootp service"
> >>>>>>> available.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>
>
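The thread's method is to paste `show ip sockets` before and after a config change and eyeball which UDP ports went away. The following is an added example, not code from any participant in this thread: a small Python audit helper that parses that output (the column layout assumed is the one pasted above, from 12.2 SEE on a 3550/3560; other IOS releases may print columns differently), diffs the before/after port sets, and flags udp/67 (DHCP/BOOTP server, which "no service dhcp" closed in the thread while "no ip bootp server" alone did not) and udp/68 (the DHCP client listener that, per the thread, only a reload removed once "ip address dhcp" or DHCP autoconfig had been used). The sample input is the RACK3R10 output from the thread, re-flowed; the function and constant names are this example's own.

```python
"""Audit helper for the DHCP/BOOTP listeners discussed in the thread.

Parses the text of Cisco IOS 'show ip sockets' (column layout as pasted
in the thread, 12.2 SEE on a 3550/3560; an assumption for other releases)
and reports UDP listeners on 67/68. Added example, not code from the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DHCP_SERVER_PORT = 67  # DHCP server and BOOTP server share udp/67
DHCP_CLIENT_PORT = 68  # DHCP client: "ip address dhcp" or DHCP autoconfig


@dataclass(frozen=True)
class Socket:
    proto: int
    remote: str                # "--listen--" or the peer address
    remote_port: Optional[int]  # None for listening sockets
    local: str
    local_port: int
    stat: int


# Data rows come in two shapes (re-flowed from the thread's wrapped table):
#   17 --listen--        3.3.10.10    68   0   0    1   0
#   17 0.0.0.0       0   3.3.10.10    67   0   0 2211   0
_LISTEN_ROW = re.compile(
    r"^\s*(\d+)\s+--listen--\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
_PEER_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_ip_sockets(text: str) -> List[Socket]:
    """Return one Socket per data row; prompts and the header line are skipped."""
    socks: List[Socket] = []
    for line in text.splitlines():
        m = _LISTEN_ROW.match(line)
        if m:
            proto, local, lport, _in, _out, stat, _tty = m.groups()
            socks.append(Socket(int(proto), "--listen--", None, local, int(lport), int(stat)))
            continue
        m = _PEER_ROW.match(line)
        if m:
            proto, remote, rport, local, lport, _in, _out, stat, _tty = m.groups()
            socks.append(Socket(int(proto), remote, int(rport), local, int(lport), int(stat)))
    return socks


def udp_local_ports(text: str) -> Set[int]:
    """Local UDP (proto 17) ports the device has open, whatever the socket state."""
    return {s.local_port for s in parse_ip_sockets(text) if s.proto == 17}


def ports_closed_by_change(before: str, after: str) -> Set[int]:
    """Which UDP ports a config change actually removed (the thread's before/after check)."""
    return udp_local_ports(before) - udp_local_ports(after)


def dhcp_findings(text: str) -> List[Tuple[int, str]]:
    """Flag udp/67 and udp/68 with the remediation the thread arrived at."""
    findings: List[Tuple[int, str]] = []
    for port in sorted(udp_local_ports(text)):
        if port == DHCP_SERVER_PORT:
            findings.append((port, 'udp/67 (DHCP/BOOTP server) is open; "no service dhcp" '
                                   'closed it in the thread, "no ip bootp server" alone did not'))
        elif port == DHCP_CLIENT_PORT:
            findings.append((port, 'udp/68 (DHCP client) is open; in the thread only a reload '
                                   'removed it once "ip address dhcp"/autoconfig had been used'))
    return findings


# Sample input: the RACK3R10 (3550) output from the thread, re-flowed into columns.
BEFORE = """\
RACK3R10#sh ip sockets
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 --listen--          3.3.10.10       68   0   0    1   0
 17 --listen--          3.3.10.10     1975   0   0   11   0
 17 0.0.0.0         0   3.3.10.10     2228   0   0  211   0
 17 0.0.0.0         0   3.3.10.10       67   0   0 2211   0
"""
AFTER = """\
RACK3R10(config)#do sh ip sockets
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 --listen--          3.3.10.10       68   0   0    1   0
 17 --listen--          3.3.10.10     1975   0   0   11   0
 17 0.0.0.0         0   3.3.10.10     2228   0   0  211   0
"""

if __name__ == "__main__":
    print("closed by 'no service dhcp':", ports_closed_by_change(BEFORE, AFTER))
    for port, note in dhcp_findings(AFTER):
        print(port, note)
```

Run it against captures from your own devices: `ports_closed_by_change` tells you whether a hardening command did anything at all, and `dhcp_findings` separates the server listener you can remove in config from the client listener that, in this thread, survived until a reload.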
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:58 ARST