We are a very centralized company with a lot of decentralized business units. All these decentralized locations are connected to the HQ, but can run their primary business process without this connection. This is also a principle we use, so the "primary" process must always run, even when the connection to the HQ is down.

Now we're looking for a DDI (DHCP, DNS, IPAM) solution. In all the solutions we have now, the DHCP server is located at the HQ. This means that when the connection fails and people are rebooting (which makes sense when something doesn't work), they won't get an IP address. At the branch locations we almost always have one system which can perfectly well run DHCP (and/or DNS), but it won't register the releases in the IPAM, and it also makes management worse. Also, all the branch locations have a PA-200.

The idea was to use the PA as a DHCP relay, pointing to two addresses: one central and one local. For the local address we make a PBF rule which points to "NULL" and checks whether the central DHCP server is reachable. So when the connection fails, the PBF rule is disabled and the DHCP requests reach the local server. When the connection is up again, the PBF rule redirects all the local requests to NULL, so the requests only reach the central DHCP server. Unfortunately, the sequence in which the PA handles this relay doesn't hit the PBF rule (at least we didn't get this working).

I was wondering if anyone here has an idea whether this problem can be solved by using a Palo Alto, because this is the constant factor which is available at every location.