InformationiPXE allows a NX-OS device to boot from the network, usually using HTTP.
This method allows the switch bootup image to be controlled centrally, often using DHCP services.
The risks of using this boot method are obvious. First, DHCP is a broadcast request, so any host (including a malicious host) can provide the DHCP response - the first response 'wins'. This means that a malicious actor can control operating system being booted on the switch. In addition, the HTTP protocol is clear-text, so is susceptible to modification in transit by an attacker. This is a less likely attack however, as the NX-OS boot sequence has multiple checks in place to verify the validity of the OS, and all most succeed for the boot sequence to proceed.
SolutionSetting the boot order explicity to 'bootflash' will remediate a PXE configured device.
switch(config)# boot order bootflash
You can also 'no' the current boot order line to revert to the default setting. For instance, to remove the configuration line 'boot order pxe bootflash' command, use
switch(config)# no boot order pxe bootflash
By default the boot order is 'bootflash' only. This default configuration will not show in the configuration.
However, entering any valid 'boot order' in the configuration will result it that order being explicit in the configuration, so entering 'boot order bootflash' will result in that showing in the configuration.