What is the problem? The problem that prompted me to examine this for solutions is described by Apple on their web site as of the time of this writing for the Mac OS X Net-Booting servers.

1. Only one Mac OS X Net-Booting Server may exist on a subnet at a time.
2. The sample G3 server you can buy from apple (referenced on their web site) running Mac OS X with 4 ethernet interface for this kind of purpose) is capable of servicing 24 Net Booting Macintoshes.

Though net-booting a Macintosh that does client sided computing is a very good idea, and even better since many popular mainstream titles are supported as opposed to system like NCD's NC, and the Sun Microsystems Sun Ray. It *could* be more scalable if you could have a centralized DHCP Server hand out information for hundreds of machines on a single subnet to connect to multiple different netBooting Mac OS X server that have had their BootP disabled, or if their Mac OS X NetBooting BootP server had the ability to ignore requests from clients other than the ones specified by the Mac OS X Server's System Administrator.

Too bad that only one machine is allowed per subnet...

Why is it that only one machine is used per subnet? A brief review of the technical information on Apple's Website suggests a reason.

1. The Server will give out Net-Booting information to any Net-Booting Macintosh that requests it. (Allowance to offer net booting service to any unknown client that asks for it.)
2. BootP, TFTP, and AFPFS/IP are the protocols that are referenced. Of these, BootP is the only one that is limited by a Subnet. A BootP request is usually limited to one subnet, and stopped at routers.
   I did not explain this with enough detail: If you wish a deeper understanding of this part, or want to see me do a little back-peddling and redirection for making some assumptions I should not have made, please read this indented space, otherwise continue on to the next item where this indentation ends for a faster summary...

   Shawn Barnhart swb@mercury.campbell-mithun.comWrites:

   • I'm not sure I understand your problem with bootp not crossing subnet boundaries. On most routers, it's possible to include a command that causes bootp requests to get forwarded to remote nodes. On cisco's it's ip helper-address ipaddr of bootp/dhcp server. It's also possible to have dhcp/bootp relay agents running on a subnet that will forward these requests to other subnets without modifying the router itself. I use a single dhcp/bootp server for serving my entire network, five local lans and three remote lans. (permission to print this was granted to me via e-mail.)

     To which I now respond:

   • Thanks for asking this question. You are correct! However, it is a general rule to filter BootP/DHCP at the router if you wish to stop them from being propagated across a network. I bring up the issue for bootp remaining not leaving a subnet, since I think this is the default set up on most routers, and limiting BootP/DHCP traffic per subnet is one of the strong suggestions/assumptions made by Apple when using their Mac OS X Net Booting software. Your campus as well as other have, and use a central DHCP authority/database, and because of this, they choose to propagate all BootP/DHCP traffic across all of their subnets. Thanks for the redirection and e-mail.
   • On a related note we have other examples of problems associated with propagation of BootP/DHCP acorss subnets that have Mac OS X Net Boot Servers:

     Let us assume that you do allow BootP/DHCP to repropagate themselves across network subnets at the router, or use a BootP/DHCP relay client.

     Let us also assume that you have 8 subnets in a class B network (172.17.0.0).

     You place your Main DHCP Server on the 0.0 subnet, and have 7 other subnets in use (32.0 , 64.0 , 96.0 , 128.0 , 160.0 , 192.0, and 224.0) and a subnet mask of 255.255.224.0, and a router on each subnet with last octet in IP .1.

     You place a Mac OS X Net Boot Server on Subnet 0, 1, 2, 3, 4, 5, 6, and 7.

     Now your 8 interface router (heh) allows BootP requests to come in from all interfaces, and direct them to subnet 0. We turn off the Mac OS X Server on Subnet 7. Result: Only the NetBoot Mac OS X Server on Subnet 0 and the DHCP Server on Subnet 0 can respond to the Mac NC NetBooting Clients looking for a BootP response that will give them the information they neet to get their ROMS and images. If your DHCP (without the special vendor options) responds, and the Net Booting Mac accepts the BootP/DHCP response, then the Mac Net booting client does not boot. If the Mac OS X Net Booting Server responds, then the Mac *may* boot (depending upon how, and what networking information is sent to the client.) However, No other Mac OS X Server will even see the BootP/DHCP request to be able to offer their services. This loads the Subnet 0 Mac OS X Server heavily, and causes traffic on your router to increase a great deal (imagine 24 Clients accessing their images at the same time... ...and all of this traffic is going across your router?

     Same as above, but turn on the Mac OS X NetBooting Server on Subnet 7. With the overhead of latency incurred by the router passing on the DHCP requst to the Centralized Subnet 0 DHCP Server, and then back to the client, it is much more likely that the Mac OS X Server on Subnet 7 will get a response back to the client on its own subnet first even if the Mac OS X Server is rather heavily loaded. However, it is still a gamble that the latency will be small enough to beat a loaded Mac OS X Server.

     Now imagine what would happen if the Mac OS X Net Booting server were turned off on the 7 Subnet again, and the router was configured to allow all BootP/DHCP Traffic to pass through to all and every one of the subnets. Result: Your netbooting client on Subnet 7 could get any of the 7 remaining Mac OS X Server as their boot server as long as they have free IP Addresses. Assuming you set up your network like most places, you designed your subnets for areas with different needs. Say Biology Building has subnet 1 and Chemistry has subnet 2, and subnet 7 was supposed to be art, when the client on subnet 7 finally gets a NetBoot server (since theone on their subnet was turned off), they may get an Applications Volume with Chemistry, or Biology applications, not what they want (assuming that the networking information given to the client by the Mac OS X Server is correct for the destination subnet.)

     Another one? What if a bootp request does make it from a Client on one subnet across a router to a Mac OS X Server on a different subnet? Will the Mac OS X Server offer the correct IP address for the different subnet containing the client? (IP Address, default gateway/router etc.)

     Many scenarios could exist in this to show where one methoid would work, while another would not.

     IMHO, a centralized DHCP Server that can serve the whole collection of subnets is the best choice. However, loss of the One Time Password is a serious risk for places not using fully switched networks. Is the up-front cost in hours, and loss of security worth the use of what is documented in these pages? That is up to you.

   • (End of included aside comments, we not return you to your regularly scheduled web page...)

I can tell you now, that it appears that the BootP issue appears to be the only problem limiting the inclusion of multiple NetBooting servers onthe same subnet!

Some solutions that might work?
1. If it were possible to tell the Server "I only want to you to serve to machines with these Hardware Addresses." then there would be no problem. you could populate many clients on the same subnet, and not need to worry about a random server talking to your clients.
   Suggestion from Harry Johnston on a way to do this with Mac OS X:
   • It is possible to do this, in a sense. This is because when a NetBoot Server runs out of IP addresses to hand out, it stops responding to BOOTP requests. Therefore, if you give each server exactly enough IP addresses, and boot all of the clients for each server while the other servers are down (or have no IP addresses to hand out) everything will work. Awkward, but possible.

     Harry Johnston can be reached at http://www.scms.waikato.ac.nz/~harry/ and you can see his info on multiple interface Mac OS X Server netbooting at http://www.scms.waikato.ac.nz/~harry/references/macosx/netbooting.html.

   Another suggestion for solution was recently offered by Juha Seppänen and is inserted here:
   • This really is possible but requires some working around the Netinfo Manager in Mac OS X Server.

     I did this by filling the allocated IP-address space manually in Netinfo Manager. I first booted one Mac from by first classroom to get "template" information for manual configuration and then just filled the allocated space of IP-addresses with 15 real HW Ethernet addresses and 14 IP-addresses with phony or "self-made" HW Ethernet addresses. When we need to add a Mac to that classroom we just simply change one phony HW address to real address.

     The other Mac OS X Server machine which serves the second classroom is similary configured and they do not get mixed up. This configuration has worked over 2 years now and we are happy with it. There are other problems with the OSXS but they don't concern the netbooting.

     Hope this will give assistance to someone, I know this a cheap hack.

     *- I appreciate these comments and suggestions since a cheap hack to one person may be a welcome solution to another. :) Thanks Juha!

2. If it were possible to have the bootp information sent from a centralized campus DHCP server, then that would solve the problem, since you can turn off the BootP service on the NetBoot Manager while leaving the rest of the boot manager (TFTP, and AFPFS/IP) running.
3. Another solution includes buying lots of Layer 3 switches and having servers located in labs, and then enabling blocking of bootp requests from leaving local lab networks, or coming into the local lab networks.
4. Another solution includes using 2 or more ethernet interfaces on the server, and putting one ethernet interface on the campus network in the lab, and the rest of the ethernet interfaces onto a switch or hub that only serves the lab and only turning on NetBoot on the interface(s) that serve the lab, but this will run contrary to the Network administration of most campuses, since it places a router (since the Mac OS X server would be acting as one) in a lab setting, and is yet another networking device to maintain. (Presently Mac OS X does not do NAT or IP Masquerading with the software provided in the server.) This is one of the solutions suggested by Apple on their site.
5. Another solution is to create a separate subnet for each lab by locating a router for each lab and locate the Mac OS X Server in this lab on that subnet, but this is a gross use of IP addresses: 1 for Network ID (bits off) 1 for broadcast (bits on), anther for an interface that is "wasted" on the router interface to the campus network.This is one of the solutions suggested by Apple on their site.
6. Do you have other suggestions for ways to deal with this? Drop me a line to add the idea. Let me know if it is OK to include your e-mail address and name on the site to give you credit.

   

   [Simple Network Analysis for Mac OS X Net Boot Server]
   [Protocols:]	[--TCP/IP--]	[-DHCP/BOOTP-]	[----TFTP----]	[--AFP/FS/IP--]	[Authenticate-]
   [Link-Info:]	[--Linux---]	[ DHCP v 2.0 ]	[RelatedLinks]	[Netatalk+asun]	[AppleMac-OS-X]
   [Some-RFCs:]	[IP-RFC:791]	[ICMP-RFC:792]	[TCP--RFC:792]	[UDP---RFC:768]	[DHCP-Vend.Ext]
   [Some-RFCs:]	[BootP-:OLD]	[BootP-N:1533]	[BootPEx:1542]	[SNTP-RFC:2030]	[ResrvdIP:1918]

   ---

   Main Links From Head Page:
   [NB-OS-X-]	[Problems]	[Analysis]	[Mimicry-]	[A-How-To]	[Security]

   ---

   Comments and/or suggestions?: Email me at: dugan@passwall.com(Realize that I am very busy, and may not have time to respond to all E-mail messages. If you include NETBOOT MACNC (all Caps) as beginning it is more likely to get my attention... ;-)

   DISCLAIMER:With the understandings for the use of a tool comes the responsibility in knowing how to use it without causing damage or harm. A tool can be used for good or evil, and you are responsible for your choice and the consequences of that choice in the use of any tool at your disposal.

   I do not claim this to be free of bugs or defects, and you use this at your own risk.

   I take no responsibility for any user's actions or inactions in following or not following any part or whole of any suggestions found on this page. If any user finds a loss of data, destruction of hardware, Alien Cattle mutilations, sightings of Elvis (ghost or body), loss of sanity, loss of insanity, worldly possessions, or non-worldly possessions as a result of following in part, or in whole any of the preceding or proceeding information, they assume any risks or responsibilities in whole for their decision(s). So, if you break something with one of your decisions that was in part or whole derived from information on this page, do not blame me or find me responsible or accountable for it in any way.

   There should be no charge requested from me to you for this information, and so if you decide that you want any money back for deciding later that you did not really want this information after all, you will need to take that up with the person that charged you money. I will not offer you any compensation for your purchase since I was never compensated by you.`

   It should be restated that *you* take all of the risks, and assume all of the responsibility for following, in part or in whole any information obtained from this document. I do not care if your dog continuously barks at you, or the sky becomes too blue, or nuclear war breaks out as a result of you following any of this information. It will all be your fault since you assume all of the risks, so neeener, neeener-neeeener. :-P

   (C)1999,2000,2001,2002,2003,2004 By Michael Egan extended to all works not explicitly credited to other people within these documents. Permission to duplicate content on these pages not explicitly credited to others is granted so long as you give me credit for the work I have contributed and links are provided to refer to this original site if it is still available. I cannot extend permission to you to re-re-publish quoted words from people who have submitted solutions, posed questions or added clarification. If you wish to use their content, you should contact each person for permission to re-re-publish their included comments. (I have retained their permission, but never asked to extend it for others.)

   (C)1999,2000,2001,2002,2003,2004 By respective noted authors/admins for included questions or answers. Permission to publish their comments granted to me for this website. I cannot grant permission for you to duplicate their work as I am not in control of any copyrights they may retain. (I expect, most would be fine with allowing their content to be republished, but I cannot speak for them.)

   Apple Computers is a registered trademark of Apple computers.

   Macintosh OS X, Macintosh OS 8, Mac OS X, Mac OS 8, Mac OS 9 All refer to Operating Systems created and controlled by Apple Computers. (No disk image files for net booting, or other proprietary programs legally controlled by Apple are available for download from this collection of pages made by me. No links are knowingly created on these pages that direct users to other pages that offer copyrighted software being distributed illegally. If you find a link on pages with this diclaimer that take you to a site that offers software that is illegally offered, feel free to let me know so that I may update my links to not include them.)

   Other mentioned systems and products may be owned, patented, copyrighted, trademarked, or in some way legally controlled by their respective owners.

   This information is provided with intent to inform users of protocols, procedures used in Net Booting a Macintosh Client, and solutions to the problems defined in this document.

   If you have complaint about content provided, and wish to have trademark, copyright, patent, or other legal information explicitly provided here where a product you produce is listed, or have other complaints about this that may be legal, let me know before calling your lawyer: I am flexible.