Dual IPsec with DHCP relay - best practice
I'm starting to work on the design of a company's network upgrade and I need a little help with the best solution.
2x 100D HA A-P in headquarters (200Mbps) where is a Primary Domain Controller and couple of file servers (172.16.10.0/26)
13x branch, currently Cisco ASA 5510 (172.17.x.0 / 24)
Each branch have a primary 40Mbps line and a 4Mbps backup line. BGP provides ISP, so there is only one WAN line to the ASA. The branch is connected using IPsec to the headquarters in the "0.0.0.0/0" configuration - all traffic from the branch goes to the headquarters and performs UTM and NAT to public IP addresses.
Now, the ASA will be exchanged for the FG50E, a secondary location (FG200E 1Gbps) will be deploy and Next Domain Controller will be set up (yes, for 6 years, we run a domain with only one domain controller :( )
I needed to clarify how best to ensure access to the Next Domain Controller (DNS, DHCP) and the Internet if the HQ is unavailable.
1) Create another IPsec tunnel from each branch to the secondary location
2) Configure some dynamic routing, which will make redirection of all traffic to the second location when the HQ is unavailable?
3) We use a DHCP relay at each branch to ensure that queries are passed between branch subnets and the subnet of the headquarters - allows FG to configure multiple DHCP servers in Relay settings?
Thank you very much for helpful advice!
post edited by Jirka - 2019/02/06 13:27:17