In my previous post we saw how to overcome the Cisco NAC restrictions for the Windows Deployment Services Server. As we progressed and started implementing the solution in our production environment, we discovered various challenges.
In our production network we apply various kinds of Layer 2 security on the Cisco access layer switches. One of the Layer 2 security policies applied is IP Source Guard.
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address. IP Source Guard is a port-based feature that automatically creates an implicit port access control list (PACL).
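To make the filtering rule above concrete, here is a small Python model of the implicit PACL (an added example, not part of the original post and not Cisco's implementation): DHCP is always passed, everything else needs a matching binding for the ingress port, and a `check_mac` flag models the `port-security` variant of `ip verify source`. Port names, MACs and addresses are constructed sample values.

```python
# Added example, not from the original post: a minimal model of the IP Source Guard
# filter described above. Ports, MACs and addresses are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional

DHCP_UDP_PORTS = {67, 68}


@dataclass
class Packet:
    port: str               # ingress access port, e.g. "Gi1/0/5"
    src_mac: str
    src_ip: str
    udp_dst: Optional[int]  # None for non-UDP traffic


@dataclass
class SourceGuard:
    """Implicit PACL built from the DHCP snooping binding table and static bindings.

    check_mac=False models plain 'ip verify source' (source IP + port);
    check_mac=True models 'ip verify source port-security' (IP and MAC).
    """
    check_mac: bool = False
    bindings: dict = field(default_factory=dict)  # (port, ip) -> mac

    def add_binding(self, port, ip, mac):
        """A lease learned by DHCP snooping, or a static 'ip source binding'."""
        self.bindings[(port, ip)] = mac.lower()

    def permit(self, pkt: Packet) -> bool:
        if pkt.udp_dst in DHCP_UDP_PORTS:
            return True   # DHCP must pass so the client can obtain a lease at all
        mac = self.bindings.get((pkt.port, pkt.src_ip))
        if mac is None:
            return False  # no binding for this source IP on this port: dropped
        return not self.check_mac or mac == pkt.src_mac.lower()


def pxe_boot_sequence(check_mac=False):
    """Walk a PXE client through discover -> lease -> TFTP, plus two spoofing attempts."""
    isg = SourceGuard(check_mac=check_mac)
    port, pxe_mac, other_mac = "Gi1/0/5", "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    r = {}
    r["dhcp_discover"] = isg.permit(Packet(port, pxe_mac, "0.0.0.0", 67))
    r["tftp_before_lease"] = isg.permit(Packet(port, pxe_mac, "10.0.0.50", 69))
    isg.add_binding(port, "10.0.0.50", pxe_mac)  # snooping recorded the DHCP ACK
    r["tftp_after_lease"] = isg.permit(Packet(port, pxe_mac, "10.0.0.50", 69))
    r["spoof_from_other_port"] = isg.permit(Packet("Gi1/0/6", other_mac, "10.0.0.50", 69))
    r["spoof_same_port_other_mac"] = isg.permit(Packet(port, other_mac, "10.0.0.50", 69))
    return r
```

Note that in the default IP-only mode a second MAC on the same port using the bound address is still permitted; only the `port-security` variant ties the address to the MAC as well.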
On all our access switches IP Source Guard is enabled as shown below.
When we enabled IP Source Guard, the Windows Deployment Services Server failed to install Windows 7 over the network. While troubleshooting we discovered bug CSCts44728, in which IP Source Guard stops PXE boot; you can find more info about it here.
This bug is present in IOS version 12.2(55)SE3; it is fixed in 12.2(55)SE5 and in 15.0(2)SE.
In order to deploy Windows 7 over PXE using the Windows Deployment Services Server, we were forced to disable the IP Source Guard feature with the Cisco IOS command “no ip verify source”.
The only way to re-enable IP Source Guard is to upgrade the IOS of the switch from 12.2(55)SE3 to 12.2(55)SE5 or later.