We have the same problem. I looked into the NetBoot process years ago because Apple's documentation was pretty much nonexistent. Apple's NetBoot is not all that different from PXE. Apple now uses AFP to serve the boot image where they used TFTP or NFS at one time. My recollection is that the protocols are related to the vintage of the boot ROM. Unless they have changed, the response from the NetBoot server is described in RFC3121 as a DHCPINFORM. The Mac server uses the vendor code to determine that the client is a Mac NetBoot client, the offered address is 0.0.0.0, and standard DHCP options are returned (host name, boot image, etc.). In my spare time, I figured I'd open a GTAC case and generate a C4 for this. Unfortunately, it hasn't happened in the last couple of years. It would be nice if they allowed you to specify allowed DHCP servers somehow.
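The reply above describes the shape of a BSDP exchange (a DHCPINFORM from the client, an ACK from the NetBoot server with the offered address left at 0.0.0.0, the vendor class used to recognise the client). The script below is an added example, not code from either poster: it builds constructed BSDP-style DHCP payloads and classifies them the way you would when reading a capture on the client port, so you can see whether the INFORM leaves and whether the server's ACK ever arrives. The vendor class string `AAPLBSDPC` and the option 43 sub-option 1 message types (LIST, SELECT, FAILED) are taken from Apple's BSDP specification as I remember it; the addresses, MAC and transaction IDs are made up for the example.

```python
import ipaddress
import struct

# Added example for this thread: constructed BSDP-style DHCP payloads and a
# classifier for reading a NetBoot packet capture. Not code from the posters.

DHCP_MAGIC = b"\x63\x82\x53\x63"
# Vendor class identifier Apple NetBoot uses (assumed from Apple's BSDP spec).
BSDP_VENDOR_CLASS = b"AAPLBSDPC"

DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                  5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# BSDP message type lives in option 43, sub-option 1 (values assumed from Apple's BSDP spec).
BSDP_MSG_TYPES = {1: "LIST", 2: "SELECT", 3: "FAILED"}
SERVER_MSG_TYPES = {"OFFER", "ACK", "NAK"}   # what a snooping engine treats as server traffic


def parse_options(data: bytes) -> dict:
    """Parse a DHCP option area (or an option-43 vendor area) into {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_dhcp(op, xid, ciaddr, yiaddr, chaddr, options) -> bytes:
    """Build a minimal BOOTP/DHCP UDP payload from a list of (code, bytes) options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         ipaddress.IPv4Address(ciaddr).packed,
                         ipaddress.IPv4Address(yiaddr).packed,
                         b"\0" * 4, b"\0" * 4,            # siaddr, giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options) + b"\xff"
    return header + DHCP_MAGIC + body


def classify(payload: bytes) -> dict:
    """Summarise one DHCP payload: message type, vendor class, addresses, BSDP type."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    opts = parse_options(payload[240:])
    dhcp_type = DHCP_MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")
    vendor_class = opts.get(60, b"")
    is_bsdp = vendor_class.startswith(BSDP_VENDOR_CLASS)
    bsdp_type = None
    if is_bsdp and 43 in opts:
        sub = parse_options(opts[43])
        if 1 in sub and sub[1]:
            bsdp_type = BSDP_MSG_TYPES.get(sub[1][0], "UNKNOWN")
    return {
        "xid": struct.unpack("!I", payload[4:8])[0],
        "dhcp_type": dhcp_type,
        "from_server": dhcp_type in SERVER_MSG_TYPES,
        "vendor_class": vendor_class.decode("ascii", "replace"),
        "is_bsdp": is_bsdp,
        "bsdp_type": bsdp_type,
        "ciaddr": str(ipaddress.IPv4Address(payload[12:16])),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
    }


def exchange_complete(payloads, xid) -> bool:
    """True if the capture holds both the BSDP INFORM and the matching ACK for xid.
    Seeing only the INFORM on the client port means the server's reply was
    dropped in between, which is where snooping becomes the first suspect."""
    seen = {s["dhcp_type"] for s in map(classify, payloads)
            if s["xid"] == xid and s["is_bsdp"]}
    return {"INFORM", "ACK"} <= seen


# Constructed sample traffic (MAC, addresses and xid are made up for this example).
CLIENT_MAC = bytes.fromhex("001122aabbcc")
SERVER_IP = "10.1.2.50"
CLIENT_IP = "10.1.2.77"

SAMPLE_BSDP_LIST = build_dhcp(1, 0x5a5a, CLIENT_IP, "0.0.0.0", CLIENT_MAC, [
    (53, b"\x08"),                 # DHCPINFORM: client already holds CLIENT_IP
    (60, b"AAPLBSDPC/i386"),       # BSDP vendor class with architecture suffix
    (43, b"\x01\x01\x01\xff"),     # sub-option 1 = LIST
])
SAMPLE_BSDP_ACK = build_dhcp(2, 0x5a5a, CLIENT_IP, "0.0.0.0", CLIENT_MAC, [
    (53, b"\x05"),                 # DHCPACK with yiaddr left at 0.0.0.0
    (54, ipaddress.IPv4Address(SERVER_IP).packed),
    (60, b"AAPLBSDPC"),
    (43, b"\x01\x01\x01\xff"),     # LIST reply (boot image list sub-options omitted)
])
SAMPLE_PLAIN_OFFER = build_dhcp(2, 0x1111, "0.0.0.0", CLIENT_IP, CLIENT_MAC, [
    (53, b"\x02"),                 # ordinary DHCPOFFER from the real DHCP server
    (54, ipaddress.IPv4Address(SERVER_IP).packed),
])

if __name__ == "__main__":
    for name, pkt in [("client LIST", SAMPLE_BSDP_LIST), ("server ACK", SAMPLE_BSDP_ACK),
                      ("plain OFFER", SAMPLE_PLAIN_OFFER)]:
        print(name, classify(pkt))
    print("full exchange:", exchange_complete([SAMPLE_BSDP_LIST, SAMPLE_BSDP_ACK], 0x5a5a))
    print("INFORM only:", exchange_complete([SAMPLE_BSDP_LIST], 0x5a5a))
```

The point to take from the classifier is that the server side of BSDP is an ordinary DHCPACK on the wire, so a snooping engine sees it as server traffic, only with `yiaddr` of 0.0.0.0 and an Apple vendor class instead of a lease. Feeding the UDP payloads from a capture into `exchange_complete` for the client's transaction ID tells you directly whether the ACK is reaching the client port or being dropped upstream.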
From: Stephen Wilson [mailto:[email protected]]
Sent: Tuesday, August 09, 2011 4:58 PM
To: Enterasys Customer Mailing List
Subject: [enterasys] DHCP Snooping and Apple BSDP

Hi all,

I have an interesting problem, that at least thus far, I haven't been able to work around. I have DHCP snooping enabled on my client VLANs and under normal circumstances it is working properly. This week our desktop imaging group tried to stand up an Apple NetBoot server to allow them to image OS X machines. As far as I can tell, NetBoot uses an Apple proprietary protocol called BSDP, which closely resembles DHCP. In fact, part of the Apple documentation says that to enable NetBoot across subnets you have to add your NetBoot server as a helper address on your router(s). I have added the server as a helper address, and the OS X clients can now see the NetBoot server but will not boot from it. If I disable DHCP snooping, the entire NetBoot process works as expected.

Both the NetBoot and DHCP server are located through the same trusted interface on the switch, and the documentation states that DHCP packets received on trusted ports will always be forwarded. Is there some additional undocumented security that DHCP snooping provides to ensure packets on ports 67/68 actually are DHCP packets? I have not yet done a packet capture, but my only theory is that the BSDP packets are being dropped because they aren't DHCP.

Has anyone else run into this issue and found a resolution (other than disabling DHCP snooping)?

Thanks in advance,

Stephen Wilson
Network Manager
WCU Networking and Telecommunications
828-227-3215

--
To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
