/build/static/layout/Breadcrumb_cap_w.png

NetBoot across Subnets

Hi

I am trying to get this working and am at a complete loss. I understand there can be alot of issues in general whether using a Kbox or any other netboot server. However I have all the various aspects are in place such that it should work. I have confirmed NetBoot fucntions correctly on the same subnet and I have ensured an IP helper address is in place and TFTP is allowed.

The page here: http://www.kace.com/support/kb/index.php?action=artikel&cat=66&id=932&artlang=en

..concerns me because it states "Integrated NetBoot services can only serve the subnet that KBOX is on".

My question is probably twofold:

- Is it possible to see any NetBoot logs on the Kbox to assist with troubleshooting?
- Has anyone actually got NetBoot across subnets working with a Kbox?

If anyone else has any marvellous insights it would be most appreciated!

N.B. I have scoured the interenet and read the usual information at apple and bombich.

Many thanks for any input.

Simon

1 Comment   [ + ] Show comment
  • Just spoke to the Kace Management and Developer Team. They do not fully support netbooting across subnets using iphelper. They also do NOT have it in the que for a future feature release. They believe that using an RSA on every vlan is adequate. The only way they will consider this important is based on votes. I found out we have to vote on things like this. I can't believe they consider booting outside of your imaging servers vlan as a "feature". Oh well, it's their rules, we just pay for them....

    Please vote here: http://kace.uservoice.com/forums/82717-k2000/suggestions/1687565-mac-netbooting-across-subnets

    Without the votes, it WILL NOT happen. - lkalis 11 years ago

Answers (17)

Answer Summary:
Posted by: ronfalkoff 12 years ago
Green Belt
1
We have several Vlans with this same config which we are able to image PCs and MACs


ip routing
vlan 6
name "Ghost" <===Name of our imaging vlan
untagged B2
ip helper-address 172.16.254.249 <====our dhcp server
ip address 172.18.254.253 255.255.0.0 <====Our Core Switch
tagged B1,B15-B17,B20-B22,E1-E4,E24,G1-G8,H4-H5,H7-H12,Trk1
ip igmp
exit
ip multicast-routing
router ospf

Hope this helps.

Ron Falkoff

Comments:
  • ip routing
    vlan 6
    name "Ghost" Name of our imaging vlan
    untagged B2
    ip helper-address 172.16.254.249 ====our dhcp server
    ip address 172.18.254.253 255.255.0.0 ====Our Core Switch
    tagged B1,B15-B17,B20-B22,E1-E4,E24,G1-G8,H4-H5,H7-H12,Trk1
    ip igmp
    exit
    ip multicast-routing
    router ospf - ronfalkoff 12 years ago
Posted by: hmoore 12 years ago
Second Degree Blue Belt
0
Here's Apple's answer:

https://support.apple.com/kb/HT4187?viewlocale=en_US

I quote the bootpd man page:

bootpd implements a DHCP/BOOTP server as defined in RFC951, RFC1542,
RFC2131, and RFC2132, as well as a BOOTP/DHCP relay agent. It is also a
NetBoot server implementing Apple-proprietary NetBoot 1.0 (BOOTP-based)
and NetBoot 2.0 BSDP (Boot Server Discovery Protocol). [emphasis mine -- jk] BSDP works along
with regular DHCP, using DHCP-format packets with a special vendor-class
identifier and vendor-specific options.

bootpd understands and handles requests that arrive via a DHCP/BOOTP
relay agent, allowing the server to be centrally located, and serve many
remote subnets.

Here's my standard answer: If Apple's configurations don't work, use an RSA to cross those boundaries

Comments:
  • You can also script this through the k1000 or enter it in manually. This command that will allow it to do so on the --nextonly reboot, not each time.


    This command will allow the MAC to boot to use once and worked across subnets:


    sudo bless --netboot --server bsdp://##.##.##.### --nextonly


    The documentation covers altering the firmware to netboot to us permanently.

    http://www.afp548.com/netboot/mactips/nbas.html - hmoore 12 years ago
Posted by: hmoore 12 years ago
Second Degree Blue Belt
0
The Bless command can be scripted
Posted by: shoddinott 14 years ago
Orange Belt
0
Update: Support have very kindly advised me where to get the netboot logs. They are in the tarball when you download logs.
Posted by: ThomasHolbrook 14 years ago
Senior Yellow Belt
0
We are looking into this problem currently.

We have Cisco 4500 switches and have included a ip helper-address into the Vlan configuration that points to our Kace box IP address, we also have one pointing to our regular mac server and our internal DHCP servers.

Netbooting from a Mac server works 100% from the VLAN however it does not from the Kace appliance.

We can confirm that the Kace recieves the BSDP List, however it is from the Vlan interface IP address.

Fri, Oct 01 2010 12:51:18 BST: BSDP LIST from 172.21.1.1:67 (MacBook2,1/i386)
Fri, Oct 01 2010 12:52:21 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:23 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:27 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:36 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:53 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)

We intend to install a network TAP and investigate further, but is it possible that the Kace is responding with its unicast response to the VLAN interface IP rather than client IP address ?
Posted by: ThomasHolbrook 14 years ago
Senior Yellow Belt
0
Kace to Cisco Packet - The only one that comes from the Kace box destined for the 21 VLAN

No. Time Source Destination Protocol Info
2481 69.261196 172.20.11.50 172.21.1.1 DHCP DHCP ACK - Transaction ID 0x69bee858

Frame 2481: 618 bytes on wire (4944 bits), 618 bytes captured (4944 bits)
Arrival Time: Oct 1, 2010 16:42:17.056932000 BST
Epoch Time: 1285947737.056932000 seconds
[Time delta from previous captured frame: 0.013731000 seconds]
[Time delta from previous displayed frame: 5.117668000 seconds]
[Time since reference or first frame: 69.261196000 seconds]
Frame Number: 2481
Frame Length: 618 bytes (4944 bits)
Capture Length: 618 bytes (4944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:bootp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b), Dst: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
Destination: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
Address: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
Address: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.20.11.50 (172.20.11.50), Dst: 172.21.1.1 (172.21.1.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 604
Identification: 0x50b8 (20664)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xc37c [correct]
[Good: True]
[Bad: False]
Source: 172.20.11.50 (172.20.11.50)
Destination: 172.21.1.1 (172.21.1.1)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
Source port: bootps (67)
Destination port: bootps (67)
Length: 584
Checksum: 0xccf0 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 1
Transaction ID: 0x69bee858
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 172.21.20.0 (172.21.20.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 172.20.11.50 (172.20.11.50)
Relay agent IP address: 172.21.1.1 (172.21.1.1)
Client MAC address: AppleCom_35:35:4b (00:19:e3:35:35:4b)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (t=53,l=1) DHCP Message Type = DHCP ACK
Option: (53) DHCP Message Type
Length: 1
Value: 05
Option: (t=60,l=9) Vendor class identifier = "AAPLBSDPC"
Option: (60) Vendor class identifier
Length: 9
Value: 4141504c4253445043
Option: (t=54,l=4) DHCP Server Identifier = 172.20.11.50
Option: (54) DHCP Server Identifier
Length: 4
Value: ac140b32
Option: (t=43,l=38) Vendor-Specific Information
Option: (43) Vendor-Specific Information
Length: 38
Value: 0101010402800007048100cc0609168100cc06114b424f58...
End Option
Padding
Posted by: ThomasHolbrook 14 years ago
Senior Yellow Belt
0
Cisco to Kace Packet - The only one that comes from the Cisco 4500 destined for the Kace Applicance.

No. Time Source Destination Protocol Info
2161 35.156964 172.21.1.1 172.20.11.50 DHCP DHCP Inform - Transaction ID 0x69bee858

Frame 2161: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits)
Ethernet II, Src: Cisco_96:9e:7f (f8:66:f2:96:9e:7f), Dst: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
Internet Protocol, Src: 172.21.1.1 (172.21.1.1), Dst: 172.20.11.50 (172.20.11.50)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
Source port: bootps (67)
Destination port: bootps (67)
Length: 308
Checksum: 0xf334 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 1
Transaction ID: 0x69bee858
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
Client IP address: 172.21.20.0 (172.21.20.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 172.21.1.1 (172.21.1.1)
Client MAC address: AppleCom_35:35:4b (00:19:e3:35:35:4b)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (t=53,l=1) DHCP Message Type = DHCP Inform
Option: (t=55,l=2) Parameter Request List
Option: (t=57,l=2) Maximum DHCP Message Size = 1500
Option: (t=60,l=25) Vendor class identifier = "AAPLBSDPC/i386/MacBook2,1"
Option: (t=43,l=11) Vendor-Specific Information
End Option
Padding
Posted by: ThomasHolbrook 14 years ago
Senior Yellow Belt
0
Kace to same subnet client - The only one that comes from the Kace box destined for the client.

This is a fresh vanilla cisco setup, specifically for these tests so nothing out of the ordinary here.

We are only attempting discovery of netboot, and not actually net booting the client machines however a full netboot does work on the same subnet.

No. Time Source Destination Protocol Info
312 89.886657 172.20.11.50 172.20.6.52 DHCP DHCP ACK - Transaction ID 0x6cae902c

Frame 312: 618 bytes on wire (4944 bits), 618 bytes captured (4944 bits)
Arrival Time: Oct 1, 2010 17:04:28.694904000 GMT Daylight Time
Epoch Time: 1285949068.694904000 seconds
[Time delta from previous captured frame: 0.001185000 seconds]
[Time delta from previous displayed frame: 14.133796000 seconds]
[Time since reference or first frame: 89.886657000 seconds]
Frame Number: 312
Frame Length: 618 bytes (4944 bits)
Capture Length: 618 bytes (4944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:bootp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b), Dst: Apple_d0:b6:ac (00:25:4b:d0:b6:ac)
Destination: Apple_d0:b6:ac (00:25:4b:d0:b6:ac)
Address: Apple_d0:b6:ac (00:25:4b:d0:b6:ac)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
Address: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.20.11.50 (172.20.11.50), Dst: 172.20.6.52 (172.20.6.52)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 604
Identification: 0x55a5 (21925)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xb95d [correct]
[Good: True]
[Bad: False]
Source: 172.20.11.50 (172.20.11.50)
Destination: 172.20.6.52 (172.20.6.52)
User Datagram Protocol, Src Port: bootps (67), Dst Port: 843 (843)
Source port: bootps (67)
Destination port: 843 (843)
Length: 584
Checksum: 0xeacf [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x6cae902c
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 172.20.6.52 (172.20.6.52)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 172.20.11.50 (172.20.11.50)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: Apple_d0:b6:ac (00:25:4b:d0:b6:ac)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (t=53,l=1) DHCP Message Type = DHCP ACK
Option: (53) DHCP Message Type
Length: 1
Value: 05
Option: (t=60,l=9) Vendor class identifier = "AAPLBSDPC"
Option: (60) Vendor class identifier
Length: 9
Value: 4141504c4253445043
Option: (t=54,l=4) DHCP Server Identifier = 172.20.11.50
Option: (54) DHCP Server Identifier
Length: 4
Value: ac140b32
Option: (t=43,l=38) Vendor-Specific Information
Option: (43) Vendor-Specific Information
Length: 38
Value: 0101010402800007048100cc0609168100cc06114b424f58...
End Option
Padding


Could someone from Kace look over these for us ?
Posted by: ThomasHolbrook 14 years ago
Senior Yellow Belt
0
It would appear that a OSX Server will respond to the request directly on the same port as the initial request, where as the KACE box will reply via the DHCP relay agent on the cisco switch resulting in the reply being delivered on the standard port 68 and not the origional request port.

The client then sends a ICMP packet back to the cisco switch with a port unavaliable.

No. Time Source Destination Protocol Info
2453 86.053749 172.21.20.0 172.21.1.1 ICMP Destination unreachable (Port unreachable)

Frame 2453: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Arrival Time: Oct 4, 2010 10:59:09.672659000 GMT Daylight Time
Epoch Time: 1286186349.672659000 seconds
[Time delta from previous captured frame: 0.000072000 seconds]
[Time delta from previous displayed frame: 0.000072000 seconds]
[Time since reference or first frame: 86.053749000 seconds]
Frame Number: 2453
Frame Length: 70 bytes (560 bits)
Capture Length: 70 bytes (560 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:icmp:ip:udp]
[Coloring Rule Name: ICMP errors]
[Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11]
Ethernet II, Src: AppleCom_35:35:4b (00:19:e3:35:35:4b), Dst: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
Destination: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
Address: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: AppleCom_35:35:4b (00:19:e3:35:35:4b)
Address: AppleCom_35:35:4b (00:19:e3:35:35:4b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.21.20.0 (172.21.20.0), Dst: 172.21.1.1 (172.21.1.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 56
Identification: 0xfba1 (64417)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (1)
Header checksum: 0x11f8 [correct]
[Good: True]
[Bad: False]
Source: 172.21.20.0 (172.21.20.0)
Destination: 172.21.1.1 (172.21.1.1)
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0xfa2d [correct]
Internet Protocol, Src: 172.21.1.1 (172.21.1.1), Dst: 172.21.20.0 (172.21.20.0)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 604
Identification: 0x01ba (442)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17)
Header checksum: 0x4aab [not all data available]
[Good: False]
[Bad: False]
Source: 172.21.1.1 (172.21.1.1)
Destination: 172.21.20.0 (172.21.20.0)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
Source port: bootps (67)
Destination port: bootpc (68)
Length: 584
Checksum: 0x0000 (none)
[Good Checksum: False]
[Bad Checksum: False]
Posted by: errinf 14 years ago
Senior Yellow Belt
0
Did you ever get an answer or a solution? I am having the same problems with netbooting Macs.
Posted by: shoddinott 14 years ago
Orange Belt
0
In short, no. It seems the Kace implementation of Netboot behaves differently to the Mac OSX implementation. At this point in time the only option I see is to script a bless command to force NetBoot as required. Obviously less than desirable operation.
Posted by: Harold.Moore 13 years ago
Yellow Belt
0
Here is the command we used.

sudo bless --netboot --server bsdp://##.##.##.### --nextonly
Posted by: ronfalkoff 13 years ago
Green Belt
0
We have netbooting across subnets working without the bless command we did add ip igmp to the vlan and added the ip helper on the switch also we added the dhcp scope options to the appropriate subnet to point back to the K2000

Hope this helps!!!
Posted by: ddevore 12 years ago
Fourth Degree Green Belt
0
Hey Guys, I'm seeing the exact same thing. ronfalkof, what changes did you make to your DHCP scope? I tried option 68 pointing to the k2000 but am still unable to net boot on different VLANS from the KBOX (but can from XSERVE). I do have the iphelpers in place, they work for PC imaging.

Thanks!
Dennis
Posted by: ronfalkoff 12 years ago
Green Belt
0
DDevore

We are using a 2003 server dor the DHCP not the K2000. I think that made the difference for us.

Let me know if this works.

Thanks,

Ron
Posted by: ScottinOkla 12 years ago
Orange Belt
0
I have not been able to get this working also. We are utilizing Cisco switches for DHCP.

We currently have in our DHCP setup:

bootfile k2000.0
option 66 ascii "ip address of K2000"

and are not able to netboot by holding down the N key. We have to run the sudo bless command to get this working.
Posted by: tbnsd 12 years ago
Senior Yellow Belt
0
I have also not been able to get this working. Utilizing dhcrelay on linux routers.
More Information: http://www.itninja.com/question/netboot-macs-across-subnets-via-dhcrelay-kace-k2000
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ