Skip to main content

1E 24.1 (SaaS)

Support for networks with DHCP Snooping enabled

DHCP Snooping is a network security measure implemented in network switches that stops DHCP packets from being forwarded to switch ports that are not authorized. The intention of this security measure is to prevent rogue DHCP servers from issuing IP addresses to devices on the network. A side effect of this measure being enabled is that PXE requests, which are a form of DHCP request, are also blocked. This prevents 1E PXE Everywhere from functioning as expected, as peers are no longer able to receive or respond to PXE requests as their switch ports are not authorized.

With PXE Everywhere 4.0, it is possible to set up one or more 'responders' that are connected to switch ports authorized to receive and respond to DHCP requests. The responder is simply a PXE server that provides the initial boot loader (as this is around 50K in size, it is safe to transfer over the WAN). As PXE clients will not be on the same subnet as the Responder, it is necessary to configure DHCP Relay agents on routers (known as IP helpers in Cisco terminology) to forward DHCP (including PXE) requests from each subnet to the Responder, in addition to any existing DHCP servers that you have configured. The Responder will discard any DHCP packets that are not PXE requests.

When the responder receives a PXE request, it responds with a boot loader that the booting PXE client downloads. The boot loader then broadcasts a new PXE request on a custom UDP port that is not blocked by the DHCP Snooping filter on the switch. The PXE Everywhere agents on the subnet are configured to listen on the custom port and can therefore continue to function as normal - electing an agent to check for active deployments and respond with an offer of the appropriate boot image - unobstructed by DHCP Snooping.