NetBoot across Subnets
Hi
I am trying to get this working and am at a complete loss. I understand there can be alot of issues in general whether using a Kbox or any other netboot server. However I have all the various aspects are in place such that it should work. I have confirmed NetBoot fucntions correctly on the same subnet and I have ensured an IP helper address is in place and TFTP is allowed.
The page here: http://www.kace.com/support/kb/index.php?action=artikel&cat=66&id=932&artlang=en
..concerns me because it states "Integrated NetBoot services can only serve the subnet that KBOX is on".
My question is probably twofold:
- Is it possible to see any NetBoot logs on the Kbox to assist with troubleshooting?
- Has anyone actually got NetBoot across subnets working with a Kbox?
If anyone else has any marvellous insights it would be most appreciated!
N.B. I have scoured the interenet and read the usual information at apple and bombich.
Many thanks for any input.
Simon
I am trying to get this working and am at a complete loss. I understand there can be alot of issues in general whether using a Kbox or any other netboot server. However I have all the various aspects are in place such that it should work. I have confirmed NetBoot fucntions correctly on the same subnet and I have ensured an IP helper address is in place and TFTP is allowed.
The page here: http://www.kace.com/support/kb/index.php?action=artikel&cat=66&id=932&artlang=en
..concerns me because it states "Integrated NetBoot services can only serve the subnet that KBOX is on".
My question is probably twofold:
- Is it possible to see any NetBoot logs on the Kbox to assist with troubleshooting?
- Has anyone actually got NetBoot across subnets working with a Kbox?
If anyone else has any marvellous insights it would be most appreciated!
N.B. I have scoured the interenet and read the usual information at apple and bombich.
Many thanks for any input.
Simon
1 Comment
[ + ] Show comment
Answers (17)
Answer Summary:
Please log in to answer
Posted by:
ronfalkoff
12 years ago
We have several Vlans with this same config which we are able to image PCs and MACs
ip routing
vlan 6
name "Ghost" <===Name of our imaging vlan
untagged B2
ip helper-address 172.16.254.249 <====our dhcp server
ip address 172.18.254.253 255.255.0.0 <====Our Core Switch
tagged B1,B15-B17,B20-B22,E1-E4,E24,G1-G8,H4-H5,H7-H12,Trk1
ip igmp
exit
ip multicast-routing
router ospf
Hope this helps.
Ron Falkoff
ip routing
vlan 6
name "Ghost" <===Name of our imaging vlan
untagged B2
ip helper-address 172.16.254.249 <====our dhcp server
ip address 172.18.254.253 255.255.0.0 <====Our Core Switch
tagged B1,B15-B17,B20-B22,E1-E4,E24,G1-G8,H4-H5,H7-H12,Trk1
ip igmp
exit
ip multicast-routing
router ospf
Hope this helps.
Ron Falkoff
Comments:
-
ip routing
vlan 6
name "Ghost" Name of our imaging vlan
untagged B2
ip helper-address 172.16.254.249 ====our dhcp server
ip address 172.18.254.253 255.255.0.0 ====Our Core Switch
tagged B1,B15-B17,B20-B22,E1-E4,E24,G1-G8,H4-H5,H7-H12,Trk1
ip igmp
exit
ip multicast-routing
router ospf - ronfalkoff 12 years ago
Posted by:
hmoore
12 years ago
Here's Apple's answer:
https://support.apple.com/kb/HT4187?viewlocale=en_US
I quote the bootpd man page:
bootpd implements a DHCP/BOOTP server as defined in RFC951, RFC1542,
RFC2131, and RFC2132, as well as a BOOTP/DHCP relay agent. It is also a
NetBoot server implementing Apple-proprietary NetBoot 1.0 (BOOTP-based)
and NetBoot 2.0 BSDP (Boot Server Discovery Protocol). [emphasis mine -- jk] BSDP works along
with regular DHCP, using DHCP-format packets with a special vendor-class
identifier and vendor-specific options.
bootpd understands and handles requests that arrive via a DHCP/BOOTP
relay agent, allowing the server to be centrally located, and serve many
remote subnets.
Here's my standard answer: If Apple's configurations don't work, use an RSA to cross those boundaries
https://support.apple.com/kb/HT4187?viewlocale=en_US
I quote the bootpd man page:
bootpd implements a DHCP/BOOTP server as defined in RFC951, RFC1542,
RFC2131, and RFC2132, as well as a BOOTP/DHCP relay agent. It is also a
NetBoot server implementing Apple-proprietary NetBoot 1.0 (BOOTP-based)
and NetBoot 2.0 BSDP (Boot Server Discovery Protocol). [emphasis mine -- jk] BSDP works along
with regular DHCP, using DHCP-format packets with a special vendor-class
identifier and vendor-specific options.
bootpd understands and handles requests that arrive via a DHCP/BOOTP
relay agent, allowing the server to be centrally located, and serve many
remote subnets.
Here's my standard answer: If Apple's configurations don't work, use an RSA to cross those boundaries
Comments:
-
You can also script this through the k1000 or enter it in manually. This command that will allow it to do so on the --nextonly reboot, not each time.
This command will allow the MAC to boot to use once and worked across subnets:
sudo bless --netboot --server bsdp://##.##.##.### --nextonly
The documentation covers altering the firmware to netboot to us permanently.
http://www.afp548.com/netboot/mactips/nbas.html - hmoore 12 years ago
Posted by:
shoddinott
14 years ago
Posted by:
ThomasHolbrook
14 years ago
We are looking into this problem currently.
We have Cisco 4500 switches and have included a ip helper-address into the Vlan configuration that points to our Kace box IP address, we also have one pointing to our regular mac server and our internal DHCP servers.
Netbooting from a Mac server works 100% from the VLAN however it does not from the Kace appliance.
We can confirm that the Kace recieves the BSDP List, however it is from the Vlan interface IP address.
Fri, Oct 01 2010 12:51:18 BST: BSDP LIST from 172.21.1.1:67 (MacBook2,1/i386)
Fri, Oct 01 2010 12:52:21 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:23 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:27 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:36 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:53 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
We intend to install a network TAP and investigate further, but is it possible that the Kace is responding with its unicast response to the VLAN interface IP rather than client IP address ?
We have Cisco 4500 switches and have included a ip helper-address into the Vlan configuration that points to our Kace box IP address, we also have one pointing to our regular mac server and our internal DHCP servers.
Netbooting from a Mac server works 100% from the VLAN however it does not from the Kace appliance.
We can confirm that the Kace recieves the BSDP List, however it is from the Vlan interface IP address.
Fri, Oct 01 2010 12:51:18 BST: BSDP LIST from 172.21.1.1:67 (MacBook2,1/i386)
Fri, Oct 01 2010 12:52:21 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:23 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:27 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:36 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
Fri, Oct 01 2010 12:52:53 BST: BSDP LIST from 172.21.1.1:67 (MacBookPro5,3/i386)
We intend to install a network TAP and investigate further, but is it possible that the Kace is responding with its unicast response to the VLAN interface IP rather than client IP address ?
Posted by:
ThomasHolbrook
14 years ago
Kace to Cisco Packet - The only one that comes from the Kace box destined for the 21 VLAN
No. Time Source Destination Protocol Info
2481 69.261196 172.20.11.50 172.21.1.1 DHCP DHCP ACK - Transaction ID 0x69bee858
Frame 2481: 618 bytes on wire (4944 bits), 618 bytes captured (4944 bits)
Arrival Time: Oct 1, 2010 16:42:17.056932000 BST
Epoch Time: 1285947737.056932000 seconds
[Time delta from previous captured frame: 0.013731000 seconds]
[Time delta from previous displayed frame: 5.117668000 seconds]
[Time since reference or first frame: 69.261196000 seconds]
Frame Number: 2481
Frame Length: 618 bytes (4944 bits)
Capture Length: 618 bytes (4944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:bootp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b), Dst: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
Destination: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
Address: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
Address: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.20.11.50 (172.20.11.50), Dst: 172.21.1.1 (172.21.1.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 604
Identification: 0x50b8 (20664)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xc37c [correct]
[Good: True]
[Bad: False]
Source: 172.20.11.50 (172.20.11.50)
Destination: 172.21.1.1 (172.21.1.1)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
Source port: bootps (67)
Destination port: bootps (67)
Length: 584
Checksum: 0xccf0 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 1
Transaction ID: 0x69bee858
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 172.21.20.0 (172.21.20.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 172.20.11.50 (172.20.11.50)
Relay agent IP address: 172.21.1.1 (172.21.1.1)
Client MAC address: AppleCom_35:35:4b (00:19:e3:35:35:4b)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (t=53,l=1) DHCP Message Type = DHCP ACK
Option: (53) DHCP Message Type
Length: 1
Value: 05
Option: (t=60,l=9) Vendor class identifier = "AAPLBSDPC"
Option: (60) Vendor class identifier
Length: 9
Value: 4141504c4253445043
Option: (t=54,l=4) DHCP Server Identifier = 172.20.11.50
Option: (54) DHCP Server Identifier
Length: 4
Value: ac140b32
Option: (t=43,l=38) Vendor-Specific Information
Option: (43) Vendor-Specific Information
Length: 38
Value: 0101010402800007048100cc0609168100cc06114b424f58...
End Option
Padding
Posted by:
ThomasHolbrook
14 years ago
Cisco to Kace Packet - The only one that comes from the Cisco 4500 destined for the Kace Applicance.
No. Time Source Destination Protocol Info
2161 35.156964 172.21.1.1 172.20.11.50 DHCP DHCP Inform - Transaction ID 0x69bee858
Frame 2161: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits)
Ethernet II, Src: Cisco_96:9e:7f (f8:66:f2:96:9e:7f), Dst: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
Internet Protocol, Src: 172.21.1.1 (172.21.1.1), Dst: 172.20.11.50 (172.20.11.50)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
Source port: bootps (67)
Destination port: bootps (67)
Length: 308
Checksum: 0xf334 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 1
Transaction ID: 0x69bee858
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
Client IP address: 172.21.20.0 (172.21.20.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 172.21.1.1 (172.21.1.1)
Client MAC address: AppleCom_35:35:4b (00:19:e3:35:35:4b)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (t=53,l=1) DHCP Message Type = DHCP Inform
Option: (t=55,l=2) Parameter Request List
Option: (t=57,l=2) Maximum DHCP Message Size = 1500
Option: (t=60,l=25) Vendor class identifier = "AAPLBSDPC/i386/MacBook2,1"
Option: (t=43,l=11) Vendor-Specific Information
End Option
Padding
Posted by:
ThomasHolbrook
14 years ago
Kace to same subnet client - The only one that comes from the Kace box destined for the client.
This is a fresh vanilla cisco setup, specifically for these tests so nothing out of the ordinary here.
We are only attempting discovery of netboot, and not actually net booting the client machines however a full netboot does work on the same subnet.
Could someone from Kace look over these for us ?
This is a fresh vanilla cisco setup, specifically for these tests so nothing out of the ordinary here.
We are only attempting discovery of netboot, and not actually net booting the client machines however a full netboot does work on the same subnet.
No. Time Source Destination Protocol Info
312 89.886657 172.20.11.50 172.20.6.52 DHCP DHCP ACK - Transaction ID 0x6cae902c
Frame 312: 618 bytes on wire (4944 bits), 618 bytes captured (4944 bits)
Arrival Time: Oct 1, 2010 17:04:28.694904000 GMT Daylight Time
Epoch Time: 1285949068.694904000 seconds
[Time delta from previous captured frame: 0.001185000 seconds]
[Time delta from previous displayed frame: 14.133796000 seconds]
[Time since reference or first frame: 89.886657000 seconds]
Frame Number: 312
Frame Length: 618 bytes (4944 bits)
Capture Length: 618 bytes (4944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:bootp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b), Dst: Apple_d0:b6:ac (00:25:4b:d0:b6:ac)
Destination: Apple_d0:b6:ac (00:25:4b:d0:b6:ac)
Address: Apple_d0:b6:ac (00:25:4b:d0:b6:ac)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
Address: Vmware_9c:ef:5b (00:0c:29:9c:ef:5b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.20.11.50 (172.20.11.50), Dst: 172.20.6.52 (172.20.6.52)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 604
Identification: 0x55a5 (21925)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xb95d [correct]
[Good: True]
[Bad: False]
Source: 172.20.11.50 (172.20.11.50)
Destination: 172.20.6.52 (172.20.6.52)
User Datagram Protocol, Src Port: bootps (67), Dst Port: 843 (843)
Source port: bootps (67)
Destination port: 843 (843)
Length: 584
Checksum: 0xeacf [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x6cae902c
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 172.20.6.52 (172.20.6.52)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 172.20.11.50 (172.20.11.50)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: Apple_d0:b6:ac (00:25:4b:d0:b6:ac)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (t=53,l=1) DHCP Message Type = DHCP ACK
Option: (53) DHCP Message Type
Length: 1
Value: 05
Option: (t=60,l=9) Vendor class identifier = "AAPLBSDPC"
Option: (60) Vendor class identifier
Length: 9
Value: 4141504c4253445043
Option: (t=54,l=4) DHCP Server Identifier = 172.20.11.50
Option: (54) DHCP Server Identifier
Length: 4
Value: ac140b32
Option: (t=43,l=38) Vendor-Specific Information
Option: (43) Vendor-Specific Information
Length: 38
Value: 0101010402800007048100cc0609168100cc06114b424f58...
End Option
Padding
Could someone from Kace look over these for us ?
Posted by:
ThomasHolbrook
14 years ago
It would appear that a OSX Server will respond to the request directly on the same port as the initial request, where as the KACE box will reply via the DHCP relay agent on the cisco switch resulting in the reply being delivered on the standard port 68 and not the origional request port.
The client then sends a ICMP packet back to the cisco switch with a port unavaliable.
The client then sends a ICMP packet back to the cisco switch with a port unavaliable.
No. Time Source Destination Protocol Info
2453 86.053749 172.21.20.0 172.21.1.1 ICMP Destination unreachable (Port unreachable)
Frame 2453: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Arrival Time: Oct 4, 2010 10:59:09.672659000 GMT Daylight Time
Epoch Time: 1286186349.672659000 seconds
[Time delta from previous captured frame: 0.000072000 seconds]
[Time delta from previous displayed frame: 0.000072000 seconds]
[Time since reference or first frame: 86.053749000 seconds]
Frame Number: 2453
Frame Length: 70 bytes (560 bits)
Capture Length: 70 bytes (560 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:icmp:ip:udp]
[Coloring Rule Name: ICMP errors]
[Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11]
Ethernet II, Src: AppleCom_35:35:4b (00:19:e3:35:35:4b), Dst: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
Destination: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
Address: Cisco_96:9e:7f (f8:66:f2:96:9e:7f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: AppleCom_35:35:4b (00:19:e3:35:35:4b)
Address: AppleCom_35:35:4b (00:19:e3:35:35:4b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.21.20.0 (172.21.20.0), Dst: 172.21.1.1 (172.21.1.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 56
Identification: 0xfba1 (64417)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (1)
Header checksum: 0x11f8 [correct]
[Good: True]
[Bad: False]
Source: 172.21.20.0 (172.21.20.0)
Destination: 172.21.1.1 (172.21.1.1)
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0xfa2d [correct]
Internet Protocol, Src: 172.21.1.1 (172.21.1.1), Dst: 172.21.20.0 (172.21.20.0)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 604
Identification: 0x01ba (442)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17)
Header checksum: 0x4aab [not all data available]
[Good: False]
[Bad: False]
Source: 172.21.1.1 (172.21.1.1)
Destination: 172.21.20.0 (172.21.20.0)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
Source port: bootps (67)
Destination port: bootpc (68)
Length: 584
Checksum: 0x0000 (none)
[Good Checksum: False]
[Bad Checksum: False]
Posted by:
errinf
14 years ago
Posted by:
shoddinott
14 years ago
Posted by:
Harold.Moore
13 years ago
Posted by:
ronfalkoff
13 years ago
Posted by:
ddevore
12 years ago
Hey Guys, I'm seeing the exact same thing. ronfalkof, what changes did you make to your DHCP scope? I tried option 68 pointing to the k2000 but am still unable to net boot on different VLANS from the KBOX (but can from XSERVE). I do have the iphelpers in place, they work for PC imaging.
Thanks!
Dennis
Thanks!
Dennis
Posted by:
ronfalkoff
12 years ago
Posted by:
ScottinOkla
12 years ago
Posted by:
tbnsd
12 years ago
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
so that the conversation will remain readable.
Please vote here: http://kace.uservoice.com/forums/82717-k2000/suggestions/1687565-mac-netbooting-across-subnets
Without the votes, it WILL NOT happen. - lkalis 11 years ago