Since each environment is a bit different you can take my feedback with a grain of salt.
However, we were able to set up Windows Deployment Services PXE booting that allows both legacy and UEFI BIOS to PXE boot (without using Options 66 and 67). This was done in an environment where DHCP snooping is enabled, so the use of the IP Helper-Address command didn't work for us on our switches.
Hardware Being used
PA Firewall - Model: PA 3050
HP 2920-24G Switch <-- Core switch
HP 2530-48G-PoEP Switch <-- one of many POE Switches that connects back to the core switch
HP 2530-48G Switch <-- one of many non-PoE switches that connect back to the core switch
DHCP Snooping is enabled
NOTE: DHCP Scope Options 66 and 67 are not officially supported by MSFT, and those options will not support both legacy and UEFI BIOS PXE booting... You will have to choose between legacy or UEFI support, or set up two different DHCP scopes just to support both.
SO HOW DID YOU GET IT WORKING?
Take it easy - Here are the details:
- If you were running the same setup we were, then you would want to first add the WDS server's IP address as a Relay DHCP server on your PA firewall for the VLANs you want to broadcast to.
NOTE: take a look at the capture.png attached to my reply for an example of the PA relay setup.
- Since DHCP snooping is enabled in the environment we deployed (for the security reason of not allowing rogue DHCP servers), you then have to run the following command on the core switch and all other access layer switches.
dhcp-snooping authorized-server "your WDS or PXE Servers Address"
dhcp-snooping authorized-server 10.10.6.12
NOTE: the IP addresses used in this tutorial are fictional but may look similar to other private IP addresses that exist in some networks. I don't suggest using my example IP address in place of your own. Enjoy!
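
One way to confirm the authorized-server entry reached the core and every access switch is to audit saved running-configs. This is an added example, not part of the original post; the switch names, the config excerpts and the 10.10.6.10 DHCP server address are constructed, and it assumes each switch's configuration has been exported as plain text.

```python
import ipaddress
import re

# Constructed running-config excerpts for three hypothetical switches.
SAMPLE_CONFIGS = {
    "core-2920": (
        "dhcp-snooping\n"
        "dhcp-snooping authorized-server 10.10.6.10\n"
        "dhcp-snooping authorized-server 10.10.6.12\n"
        "dhcp-snooping vlan 10\n"
    ),
    "access-2530-a": (
        "dhcp-snooping\n"
        "dhcp-snooping authorized-server 10.10.6.10\n"
        "dhcp-snooping vlan 10\n"
    ),
    "access-2530-b": 'vlan 10\n   name "clients"\n',
}

ENABLE_RE = re.compile(r"^\s*dhcp-snooping\s*$")
AUTH_RE = re.compile(r"^\s*dhcp-snooping authorized-server\s+(\S+)\s*$")


def audit_config(text, pxe_server):
    """Classify one config: ok, pxe-missing, no-list or snooping-off."""
    wanted = ipaddress.ip_address(pxe_server)
    enabled, servers = False, set()
    for line in text.splitlines():
        if ENABLE_RE.match(line):
            enabled = True
        match = AUTH_RE.match(line)
        if match:
            try:
                servers.add(ipaddress.ip_address(match.group(1)))
            except ValueError:
                continue  # placeholder text or a typo, not a usable address
    if not enabled:
        return "snooping-off"
    if not servers:
        return "no-list"
    return "ok" if wanted in servers else "pxe-missing"


def audit_all(configs, pxe_server):
    """Map each switch name to its audit result."""
    return {name: audit_config(text, pxe_server) for name, text in configs.items()}


if __name__ == "__main__":
    for name, result in sorted(audit_all(SAMPLE_CONFIGS, "10.10.6.12").items()):
        print(f"{name}: {result}")
```

A switch reported as pxe-missing has an authorized-server list that does not include the WDS/PXE server, which is the case the command above addresses.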