<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic DHCP redundancy / HA solution with the PA (200) possible? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dhcp-redundancy-ha-solution-with-the-pa-200-possible/m-p/9304#M6811</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We are a very centralized company with lots of decentralized business units.&lt;/P&gt;&lt;P&gt;All these decentralized locations are connected to the HQ, but can run their primary business process without this connection.&lt;/P&gt;&lt;P&gt;This is also a principle we use, so the "primary" process must always run, even when the connection to the HQ is down.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now we're looking for a DDI (DHCP, DNS, IPAM) solution; in all the solutions we have now, the DHCP server is located at the HQ.&lt;/P&gt;&lt;P&gt;This means that when the connection fails and people are rebooting (makes sense when something doesn't work), they won't gain an IP address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;At the branch locations we almost always have one system which can perfectly run DHCP (and/or DNS), but it won't register the leases in the IPAM and it also makes management worse.&lt;/P&gt;&lt;P&gt;Also on all the branch locations we have a PA-200.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The idea was to make use of the PA as a DHCP relay; this relay would point to two addresses, one central and one local.&lt;/P&gt;&lt;P&gt;For the local address we make a PBF rule, which points to "NULL" and checks if the central DHCP server is reachable.&lt;/P&gt;&lt;P&gt;So when the connection fails, the PBF rule would be disabled and the DHCP requests will reach the local server.&lt;/P&gt;&lt;P&gt;If the connection is up again, the PBF rule would redirect all the local requests to NULL, so all the requests would only reach the central DHCP server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Unfortunately the sequence in which the PA handles this relay wouldn't hit the PBF rule (at least we didn't get this working).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was wondering if anyone here has an idea if this problem can be solved by using a Palo Alto, because this is the constant factor which is available on every location.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 26 Mar 2013 08:18:27 GMT</pubDate>
    <dc:creator>BlackBurn</dc:creator>
    <dc:date>2013-03-26T08:18:27Z</dc:date>
    <item>
      <title>DHCP redundancy / HA solution with the PA (200) possible?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dhcp-redundancy-ha-solution-with-the-pa-200-possible/m-p/9304#M6811</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We are a very centralized company with lots of decentralized business units.&lt;/P&gt;&lt;P&gt;All these decentralized locations are connected to the HQ, but can run their primary business process without this connection.&lt;/P&gt;&lt;P&gt;This is also a principle we use, so the "primary" process must always run, even when the connection to the HQ is down.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now we're looking for a DDI (DHCP, DNS, IPAM) solution; in all the solutions we have now, the DHCP server is located at the HQ.&lt;/P&gt;&lt;P&gt;This means that when the connection fails and people are rebooting (makes sense when something doesn't work), they won't gain an IP address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;At the branch locations we almost always have one system which can perfectly run DHCP (and/or DNS), but it won't register the leases in the IPAM and it also makes management worse.&lt;/P&gt;&lt;P&gt;Also on all the branch locations we have a PA-200.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The idea was to make use of the PA as a DHCP relay; this relay would point to two addresses, one central and one local.&lt;/P&gt;&lt;P&gt;For the local address we make a PBF rule, which points to "NULL" and checks if the central DHCP server is reachable.&lt;/P&gt;&lt;P&gt;So when the connection fails, the PBF rule would be disabled and the DHCP requests will reach the local server.&lt;/P&gt;&lt;P&gt;If the connection is up again, the PBF rule would redirect all the local requests to NULL, so all the requests would only reach the central DHCP server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Unfortunately the sequence in which the PA handles this relay wouldn't hit the PBF rule (at least we didn't get this working).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was wondering if anyone here has an idea if this problem can be solved by using a Palo Alto, because this is the constant factor which is available on every location.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 26 Mar 2013 08:18:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dhcp-redundancy-ha-solution-with-the-pa-200-possible/m-p/9304#M6811</guid>
      <dc:creator>BlackBurn</dc:creator>
      <dc:date>2013-03-26T08:18:27Z</dc:date>
    </item>
    <item>
      <title>Re: DHCP redundancy / HA solution with the PA (200) possible?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dhcp-redundancy-ha-solution-with-the-pa-200-possible/m-p/9305#M6812</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What if you give each site its own dedicated IP range?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This way you can ignore the use of a centralized DHCP server - just make sure you get the logs from each site (like through the PA into a Panorama box on your central location).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For example something like this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Each site gets 10.0.x.0/24 (or whatever size) as range. This is maintained by the PA device.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In the switches you configure option82, dhcpsnooping and dhcprelay. This way when a client sends a DHCP request the switch will intercept this traffic, add the physical location (normally the switch name and the interface the request arrived at, as Option82) and then send this request as a unicast towards the IP of the DHCP server (the IP of the PA at this site).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The PA will log this request and give the client an IP address to use.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The option82/dhcpsnooping/dhcprelay stuff can also be configured so only the IP (srcip) that the DHCP server assigned for this client will be allowed on this physical interface on the switch.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The good thing with the above, apart from logging and a local solution in case the uplink is down, is that this is similar to how IP addresses are handled when using IPv6.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With IPv6 you can use either a DHCP server or let the network equipment (by ND - Network Discovery) let the client know which IP address to use. The latter is more autonomous than having to trust a DHCP server to always be available.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 27 Mar 2013 09:00:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dhcp-redundancy-ha-solution-with-the-pa-200-possible/m-p/9305#M6812</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2013-03-27T09:00:58Z</dc:date>
    </item>
  </channel>
</rss>

