Peer to Peer PXE with DHCP Snooping protection enabled

We have a product that runs on each Windows-based workstation and can provide a PXE boot to a peer within its same IP subnet. The agent is bound on port 67 listening for UDP DHCP discover packets with option parameter 60 set to PXEClient. The networking team wants to enable DHCP Snooping on the CISCO switches to increase infrastructure security. My question is, is there any way to allow packets with option 60 set to PXEClient to be broadcast to the local switch ports when DHCP snooping protection is enabled?

Peter Paluch
Hall of Fame Cisco Employee

Hi Gary,

In a sense, DHCP Snooping is a relatively inflexible protection technique that assumes a standard type of LAN deployment: DHCP clients do not have any server capability, and so they are not expected to send any server-type responses, nor should they listen to the DHCP communication of other clients. If the clients go beyond this assumption and in fact provide some kind of DHCP server-like services, then they're no longer common clients, and DHCP Snooping is not well-suited to accommodate them.

Unfortunately, DHCP Snooping cannot be customized in the way you would require. If it is required for each Windows workstation to provide PXE booting capabilities then the workstation is no longer in the position of a classic host, rather, it is becoming a server. Deploying DHCP Snooping in such a network would require configuring ports to all stations as trusted ports which voids the entire protection.

The question is whether all stations should truly be providing the PXE booting service. To me, it sounds like overkill - if one single station is capable of doing that, what is the reason or advantage of having all stations acting in the same way? Perhaps this design should be re-evaluated and hopefully changed.

Best regards,
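To make the point in the answer above concrete, here is an added example (not part of the original thread and not Cisco code) that models the core DHCP snooping decision in Python: on an untrusted access port, server-side DHCP messages (BOOTREPLY, or OFFER/ACK/NAK in option 53) are dropped, while client messages such as DISCOVER are forwarded. It also models the optional chaddr-versus-source-MAC check that snooping can perform. The packet builder, the MAC address and the option 60 strings are constructed for the example; the exact behaviour of a real switch depends on its configuration.

```python
"""Simplified model of DHCP snooping verdicts (added example, not Cisco code)."""
import struct
from dataclasses import dataclass

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# DHCP message types carried in option 53
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_MESSAGE_TYPES = {DHCPOFFER, DHCPACK, DHCPNAK}


def build_dhcp(op, xid, msg_type, client_mac, vendor_class=None):
    """Build a minimal BOOTP/DHCP datagram (constructed test input)."""
    # 236-byte BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        client_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128,
    )
    options = bytes([53, 1, msg_type])  # option 53: DHCP message type
    if vendor_class:
        vc = vendor_class.encode()
        options += bytes([60, len(vc)]) + vc  # option 60: vendor class id
    options += b"\xff"  # end option
    return header + MAGIC_COOKIE + options


@dataclass
class DhcpPacket:
    op: int
    xid: int
    client_mac: bytes
    options: dict


def parse_dhcp(data):
    """Parse the BOOTP header and the TLV option area of a DHCP datagram."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", data[:8])
    client_mac = data[28:28 + hlen]  # chaddr starts at offset 28
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 255:  # end
            break
        if code == 0:  # pad
            i += 1
            continue
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpPacket(op, xid, client_mac, options)


def is_pxe_client(pkt):
    """True when option 60 identifies the sender as a PXE client."""
    return pkt.options.get(60, b"").startswith(b"PXEClient")


def snooping_verdict(data, port_trusted, port_mac=None):
    """Return (action, reason) for a DHCP datagram arriving on a switch port.

    Models the snooping rules: trusted ports pass everything; untrusted ports
    drop server messages and, when port_mac is given, drop client messages
    whose chaddr differs from the frame's source MAC.
    """
    pkt = parse_dhcp(data)
    msg_type = pkt.options.get(53, b"\0")[0]
    if port_trusted:
        return ("forward", "trusted port")
    if pkt.op == BOOTREPLY or msg_type in SERVER_MESSAGE_TYPES:
        return ("drop", "server message on untrusted port")
    if port_mac is not None and pkt.client_mac != port_mac:
        return ("drop", "chaddr does not match source MAC")
    return ("forward", "client message on untrusted port")


def demo():
    """Constructed scenario: a PXE DISCOVER and a peer workstation's OFFER."""
    mac = bytes.fromhex("001122334455")  # constructed client MAC
    discover = build_dhcp(BOOTREQUEST, 0x1234, DHCPDISCOVER, mac,
                          "PXEClient:Arch:00000:UNDI:002001")
    peer_offer = build_dhcp(BOOTREPLY, 0x1234, DHCPOFFER, mac, "PXEClient")
    return {
        "discover_on_untrusted_port": snooping_verdict(discover, False, mac),
        "peer_offer_on_untrusted_port": snooping_verdict(peer_offer, False),
        "offer_on_trusted_uplink": snooping_verdict(peer_offer, True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The PXE DISCOVER itself is never the problem: it is an ordinary client request and passes the untrusted port. What gets dropped is the peer workstation's reply, because a BOOTREPLY/OFFER from an untrusted port is exactly what snooping exists to stop. The only way to let it through is to trust that port, which, as the answer notes, applies to every workstation running the agent and removes the protection.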