When it comes to enabling PXE for distribution points in Configuration Manager I get a lot of support questions with regard to what is best practice for setting up PXE for distribution points. The main concern is should we use DHCP options or IP helpers. The real question that we are trying to answer is how is the client machine able to locate PXE boot server when it boots up using PXE. There is another question that we would also need to answer. Is the client Machine using Legacy BIOS when boots up or is it using UEFI. The difference between Legacy BIOS and UEFI is the process that the firmware uses to find the boot target, Legacy Boot is the boot process used by BIOS firmware and UEFI boot is used by UEFI firmware. UEFI is the newer standard and is more secure. In regards to imaging the major difference is the partition structure used. UEFI booted systems use a GPT (GUID Partition Table) partition structure where Legacy BIOS booted systems use a MBR (Master Boot Record) partition structure.
A lot of Production environments have systems with legacy bios and UEFI booting machines and if that is the case then our design needs to be able to support that. If you are using IP helpers then you don’t need to worry about whether or not client machine is using Legacy BIOS or UEFI when the machine boots up. On the other hand if you are using DHCP then you would need additional configurations in addition to setting Option 66 and Option 67 on the DHCP Server. This is because DHCP option 67 is for the boot file name and this file is different for the Legacy BIOS and UEFI booting machines.
What is IP Helper and how is it configured?
IP Helper address is IP address configured on VLAN interfaces or router interface that allows the device to act as relay between two devices. PXE works by using broadcast to discover any PXE servers in the same subnet as the PXE client machine. If the client machine is located on different subnet or VLAN then we would configure IP Helper address to direct the traffic towards the PXE server.
Let’s take a look at the diagram below
PC1 in VLAN 10 is in the same subnet as the DHCP server and the PXE enabled distribution point which is named “PXE_DP”. When client boots up it sends a broadcast to the 255.255.255.255 destination address. This broadcast is received by all the clients that are in the same VLAN 10 or the subnet 172.16.4.0/24. In the broadcast message is request for IP address and PXE boot server name and boot file name. The DHCP server sends DHCP offer and the client accepts the offer and PXE_DP offers replies back with Boot file name. PC1 is able to PXE boot to the advertised task sequence to the Machine collection it it a member of. One thing we need to notice here is we don’t need any IP Helper since all the DHCP broadcast gets to the DHCP server and PXE_DP. Even though you can setup your environment this way this is not always the case. In most production environments we have multiple VLANS which has multiple subnets and you don’t find the DHCP server, PXE enabled server and the client machine all in the same subnet.
PC2 on the other hand is in VLAN 30 and is in the subnet 172.16.6.0/24. The subnets 172.16.6.0/24 and 172.16.4.0/24 are part of the same boundary group. When PC2 boots up it sends broadcast to 255.255.255.255 and the broadcast only gets to the devices connected to the subnet 172.16.6.0/24. Broadcast doesn’t move passed to the other VLANs. VLANS were invented with the idea of reducing broadcasts to small groups. If we configure IP Helper on the VLAN interface VLAN30 then any broadcasts for DHCP Server and PXE server on that subnet would be directed towards that IP Helper address. In real production environments you would have IP helper address configured for the DHCP servers already since all the subnets need to be able to get an IP address. If we haven’t configured IP Helper address for the DHCP server then we would need to configure one for it so other VLANS other than it is on can reach it to request IP address. In our Demo Lab below I would only show configuration for IP Helper for the PXE enabled distribution point that we are calling “PXE_DP”. Just keep in mind that it is possible to have more than one IP helper at the interface level. If you need to configure one for your DHCP server as well in your environment then you just use the same command with different IP address.
Just to give background on what the command looks like on Live network equipment I would telnet to my home LAB cisco 3560
and configure the IP Helper address.
SWITCH CONFIGURATION BELOW
In our case the PXE_DP server IP address is at 172.16.5.10. That is all the configuration that you would need. Now since we don’t have any DHCP server in the subnet 172.16.6.0/0 I would need to have IP Helper address configured for the DHCP server as well but I have already completed that. Let’s look at the configuration of the switch to see what it looks like after the configuration is completed.
As you can see from the switch configuration above for VLAN 30 the interface is configured with two IP helper addresses , one for the DHCP server and the other for the PXE server. Any client that boots up requests IP address or PXE Server would be directed towards these IP addresses. Depending on how your environment is setup you might need one more additional command and the command is shown below.
IP forward-protocol UDP 4011 ( if you need to run this command then it needs to be run at the Global configuration prompt)
To explain this command I would demonstrate using a packet captured using Wireshark from PXE enabled distribution point.
When PXE client communicates with PXE server it uses UDP port 4011 on the server side. In the above screen shot the IP address 172.16.5.50 is the PXE server address and 172.16.6.50 is the IP address of the client machine. The source port is UDP 4011 and the destination port on the client is UDP 68. Depending on the Router and switch equipment that you use it might not be able to forward the request from the client to the server on UDP Port 4011. Routers and switches by default only forward to default defined ports. If your layer 3 switch or router is not able to forward on UDP port 4011 then you would need to run the above command to add UDP port 4011 to the list of ports it can forward to.
After completing these configurations, when all the machines in the subnet 172.16.6.0/24 boot up and send a broadcast , that broadcast would be relayed to the PXE enabled distribution point “PXE_DP”. It is ok to have multiple IP helper addresses. If you have two IP Helper addresses , one for the DHCP server and one for PXE server then the DHCP traffic would relayed to both the DHCP Server and the PXE server but the servers only respond to the traffic that pertains to them.
We would use Wireshark captured packet from client to look at the packet and investigate what the network traffic looks like when client machine PXE boots.
What is DHCP options for PXE and how do we set it up?
If you decide to use DHCP options then you would first need to configure DHCP option 66 and DHCP option 67. On windows DHCP server you have two places you can configure these options. You can set these either on the “Scope” or “Server”.
Both have an option to configure server options. If you have multiple Distribution points then you would need to configure this at the Scope level since each configuration would be pointing to different distribution point FQDN.
Option 66 – This would be FQDN of the PXE Server or IP address of the Server.
Option 67 – This option full path of the boot filename. This depends on if the client is using Legacy BIOS or UEFI.
If using Legacy BIOS, the boot file name is “SMSboot\x64\wdsnbp.com”.
If using UEFI, the boot file name is “SMSboot\x64\wdsmgfw.efi”.
Now this would present a problem because this would mean we would need to find a way to change the boot file name if we have both legacy bios and UEFI in our environment. If you only have UEFI then you don’t need to worry about this and just use the UEFI boot file name. If you have both then you can use the “vendor class identifier” which has different values for UEFI clients and Legacy bios clients and DHCP server policy to setup a condition based on “vendor class identifier” to dynamically change the boot filename based on the condition. That is beyond what I sought out to explain on this blog but if is still not difficult to setup.
In conclusion the recommended way of setting up PXE is using IP helper. If you are still not convinced that IP helper is the best option for you then DHCP options are the next option.
Recent Comments