1.8.2 Disable iPXE (Pre-boot eXecution Environment)

Information

iPXE allows a NX-OS device to boot from the network, usually using HTTP.

Rationale:

This method allows the switch bootup image to be controlled centrally, often using DHCP services.

Impact:

The risks of using this boot method are obvious. First, DHCP is a broadcast request, so any host (including a malicious host) can provide the DHCP response - the first response 'wins'. This means that a malicious actor can control operating system being booted on the switch. In addition, the HTTP protocol is clear-text, so is susceptible to modification in transit by an attacker. This is a less likely attack however, as the NX-OS boot sequence has multiple checks in place to verify the validity of the OS, and all most succeed for the boot sequence to proceed.

Solution

Setting the boot order explicity to 'bootflash' will remediate a PXE configured device.

switch(config)# boot order bootflash

You can also 'no' the current boot order line to revert to the default setting. For instance, to remove the configuration line 'boot order pxe bootflash' command, use

switch(config)# no boot order pxe bootflash

Default Value:

By default the boot order is 'bootflash' only. This default configuration will not show in the configuration.

However, entering any valid 'boot order' in the configuration will result it that order being explicit in the configuration, so entering 'boot order bootflash' will result in that showing in the configuration.

See Also

https://workbench.cisecurity.org/benchmarks/6524