
Failover DHCP service from LAN to data-center

Hi 

I am building a disaster recovery server solution for my company that will reside in a local data center. This DR server is receiving hourly replication jobs from my LAN production servers using a Veeam solution.

I am replicating some file servers and a domain controller. The domain controller has the DHCP role installed and, while running within my LAN production environment, it serves out IPs to my client workstations. My link from my local LAN to our chosen data center is a layer 2 connection. In the event I ever needed to fail over my servers into the data center, I would need to have my Sophos UTM9 pass DHCP requests from my LAN clients over the UTM WAN port layer 2 connection so that the data center hosted domain controller could then accept and begin serving DHCP requests back to my LAN clients.

Does anyone know what type of routing modification or rule I would need to create on the Sophos UTM9 gateway in order for this to occur successfully? A static route for DHCP or similar? Keep in mind that the DR site and my local LAN will be on the same subnet; the only thing that would essentially change in a failover event would be that DHCP would be required to be available to the LAN clients via the uplink port of the UTM facing towards the data center.

Thanks in advance.



  • I understand "WAN Layer 2" link to mean that this is not a VPN tunnel.

    To pass Layer 2 traffic between your inside interface and your WAN interface, you will need to configure a bridge. Unfortunately, this has to be built from unused interfaces, so you really need three inactive NICs: 1 for the bridged WAN interface, 1 for the new LAN interface, and 1 dedicated to your laptop so that you have communication with the UTM while the LAN interface is being reconfigured. Then you need to move all of the addressing from the non-bridged NICs to the bridged NICs. Hopefully you have not locked object definitions to a specific interface, but if so these need to be modified as well.

    Once the bridge is built, you have to configure which Ethertypes are passed through the bridge. By default, it only passes IPv4 packets. There is not an easy way to tell it to behave like other bridges, passing anything that might be useful based on the Ethernet addresses in the forwarding table. There is an RFC with all of the types. I have read the RFC but do not have it right now. You will have to find it to know the Ethertype code for DHCP.

    You might also consider network partitioning and DHCP helper addresses. Assume your servers, including the DHCP server, are in one subnet, and your DHCP clients are in a different subnet. Your switches are configured to convert multicast DHCP requests into unicast messages for the DHCP server's IP address. Then, in a disaster event, the servers are moved to the new location and IP routing is updated to send the server subnet traffic to the new location. The IP Helper Address ensures that the DHCP request can find the DHCP server regardless of routing, so a bridged connection is not required.

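As an added illustration of the IP-helper approach suggested in the reply above (constructed example code, not something posted in this thread and not Sophos UTM code), the following Python models what a DHCP relay agent and the DHCP server do with a client's broadcast DHCPDISCOVER: the relay fills in the giaddr field with its own address on the client-facing interface, increments the hop count, and forwards the request as routable unicast to the configured helper address; the server then selects the scope from giaddr rather than from the interface the packet arrived on, which is why the server can sit in a different subnet or site. All addresses, MAC addresses, scopes and the hop limit below are made-up placeholders.

```python
"""Model of DHCP relay ("IP helper") forwarding and server-side scope selection.

Constructed example: every address, MAC and scope here is made up.
Only the fixed BOOTP/DHCP header (RFC 2131, section 2) is modelled; the
options area is kept as an opaque tail.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of DHCP options
DHCP_SERVER_PORT = 67
BOOTREQUEST = 1
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # op..file: 236-byte fixed header
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Constructed scopes as a server at the DR site might hold them.
SCOPES = [ipaddress.IPv4Network("10.1.10.0/24"),   # server subnet (hypothetical)
          ipaddress.IPv4Network("10.1.20.0/24")]   # client subnet (hypothetical)


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER as a client broadcasts it: hops and giaddr are zero."""
    header = struct.pack(
        HEADER_FMT,
        BOOTREQUEST, 1, 6, 0,                  # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                        # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"),           # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,               # sname, file
    )
    options = MAGIC_COOKIE + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, then END
    return header + options


def parse_header(packet: bytes) -> dict:
    """Decode the fixed header fields a relay or server cares about."""
    f = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {
        "op": f[0],
        "hops": f[3],
        "xid": f[4],
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]].hex(":"),
    }


def relay(packet: bytes, relay_if_ip: str, helper_ip: str, max_hops: int = 4):
    """What an IP helper / relay agent does with a client request (RFC 1542, 4.1).

    Returns (destination_ip, destination_port, rewritten_packet), or None when the
    packet is not a client request or has already been relayed too many times.
    The relay only touches the hops byte (offset 3) and giaddr (offsets 24-27).
    """
    hdr = parse_header(packet)
    if hdr["op"] != BOOTREQUEST or hdr["hops"] >= max_hops:
        return None
    # Keep an existing giaddr (first relay wins) so the server answers the right hop.
    giaddr = hdr["giaddr"] if hdr["giaddr"] != "0.0.0.0" else relay_if_ip
    rewritten = (packet[:3] + bytes([hdr["hops"] + 1]) + packet[4:24]
                 + ipaddress.IPv4Address(giaddr).packed + packet[28:])
    # The broadcast request is now a unicast datagram to the helper address,
    # which ordinary IP routing can carry to another subnet or site.
    return helper_ip, DHCP_SERVER_PORT, rewritten


def choose_scope(packet: bytes, scopes, server_if_ip: str):
    """Server side: pick the scope for the subnet the request originated on.

    A relayed request carries the relay's client-facing address in giaddr; a
    request received directly (giaddr zero) belongs to the receiving interface.
    """
    hdr = parse_header(packet)
    origin_ip = hdr["giaddr"] if hdr["giaddr"] != "0.0.0.0" else server_if_ip
    origin = ipaddress.IPv4Address(origin_ip)
    for net in scopes:
        if origin in net:
            return net
    return None


if __name__ == "__main__":
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x12345678)
    dst, port, forwarded = relay(discover, "10.1.20.1", "10.1.10.5")
    print(f"relay -> {dst}:{port}, header now {parse_header(forwarded)}")
    print("server chooses scope", choose_scope(forwarded, SCOPES, "10.1.10.5"))
```

The behaviour to notice is the last line of the demo: the server at 10.1.10.5 hands out a 10.1.20.0/24 lease because giaddr says where the client is, not because the client's broadcast reached it. That is the property the reply relies on when it says a bridged connection is not required; whatever device does the relaying (a switch, a router or the UTM) just needs a route to the helper address after the failover.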
