[ipxe-devel] iPXE with specific list of DHCP server(s)

Gene Cumm gene.cumm at gmail.com
Tue Oct 15 03:21:56 UTC 2013


On Mon, Oct 14, 2013 at 2:39 PM, Shantanu Gadgil
<shantanugadgil at yahoo.com> wrote:

> The IT guys already have one DHCP server running per subnet. (for network booting)
>
> I want to deploy my own PXE booting network, parallel to theirs to try out iPXE.
> (which would point the PXE clients to *my* installation server, rather than theirs.)

This actually is a clear misconfiguration UNLESS they're doing IP
config and you're only doing PXE boot data (sname, file).  It's
allowed per PXE.

A few things to keep in mind:

- Talk with your IT department on how to do this right.  It will save
a lot of aggravation on both sides.
- Be willing to accept that you may need to physically separate your
PXE test system so it can't talk on the normal network.
- Good switches have DHCP guard, which will put the port that hears the
DHCP reply into a non-forwarding state (linked but nothing works).
- Some switches also have a MAC guard where they'll put a port that
sees multiple MAC addresses into a non-forwarding state.
- The passthrough port on a VoIP phone with passthrough can often be
disabled with a checkbox.
- They may have already set the DHCP priority.
- Why not set your clients to reject the known IT servers WHILE your
server only sends replies to known clients?
- Some Acceptable Use Policies include stipulations to the effect of
disrupting network operations (which this is) and disciplinary
measures including termination.
- If your network guy is extremely strict and saw one of your office
ports in DHCP guard block, he'd probably issue a warning via the
proper organization administrative channel, turn on all available
guards and consider putting all of your ports into a special group
that gets completely blocked (minus VoIP phone) if any port triggers a
guard block, effectively turning off the network in your office.

> Having this feature allows me to test an alternate configuration even when the machine's
> MAC address is present in the IT network.

Use a separated network (physical, by VLAN or just a bunch of isolated VMs).

-- 
-Gene
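As an added example (not from Gene's message, and not an iPXE feature), this is one way to implement the "server only sends replies to known clients" point on an ISC dhcpd server, together with the usual iPXE user-class check for chainloading. The subnet, addresses, MAC addresses and file names are constructed placeholders.

```conf
# Only hosts declared below are served; a client without a host
# declaration gets no lease from this server (ISC dhcpd syntax).
deny unknown-clients;

# Constructed test subnet (documentation range, no real network).
subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;

    # Deliberately no "range": addresses come only from fixed-address
    # entries, so there is no pool to hand out to strangers.

    # TFTP/HTTP boot server owned by the test environment (constructed).
    next-server 192.0.2.10;

    # A client already running iPXE sends user-class "iPXE"; give it the
    # boot script over HTTP. Anything else gets the iPXE ROM loader so
    # it returns as iPXE on its next DHCP request.
    if exists user-class and option user-class = "iPXE" {
        filename "http://192.0.2.10/boot.ipxe";
    } else {
        filename "undionly.kpxe";
    }
}

# The known test clients (constructed, locally administered MACs).
host lab-node-01 {
    hardware ethernet 02:00:00:00:00:01;
    fixed-address 192.0.2.101;
}

host lab-node-02 {
    hardware ethernet 02:00:00:00:00:02;
    fixed-address 192.0.2.102;
}
```

This stops the test server from ever answering the IT network's ordinary clients, which is half of what the reply asks for; it does nothing to stop the IT servers from answering the test hosts, so the separated network recommended above is still needed.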
