03-01-2011 05:16 AM
I have to move from our current ISP to a new ISP. We will get the same number of public IP’s and will be able to have both internet connections active for a while. We have a SSG 520. We are running an old version 6.0, but plan to upgrade soon. I would like some input on the procedure I plan to use – will it work, or should I do something else?
When I get the new connection I plan to add this on a free interface (call it NT2) and add this interface to the Untrust Zone, then check that default 0.0.0.0/0 route is still through our old ISP.
After that I will move a few of the least used servers on our DMZ to the new ISP. I will add a new MIP on the interface NT2, check the policy that it allows traffic and change the IP in external DNS. From what I understand this should work because MIP is before routing, so both in- and outbound traffic to/from a server with MIP on the new connection will be on the new connection. Is that correct?
When I then have moved the servers with a MIP one by one, I then only have to create a new DIP pool on interface NT2 and change the outbound policys to use this DIP pool.
I can then change the default route to the new ISP – or do I have to do this at the same time I change the DIP pool?
This way I hope that I don’t have to do a “big-bang” implementation of the new ISP. Is this the way to do it, or will I just cause problems by trying to be “too smart”? :-)
03-02-2011 04:37 PM
I don't think you can get this to work without a default route installed for your second internet connection. I've never been able to use public addresses on a secondary internet connection installed in the same v-router unless the two default routes are at the same metric and preference and both active.
You could still potentially stage this, but it might be more complicated. If you really want to be sure that all the current internet traffic only goes to the original isp then you will need to do either source routing or policy based routing to make sure that it does.
Source routing will only work if all your are doing is internet access on the segment. Source routing is evaluated first and take precedence over all other routes in the table. So this will work if your internal segment only uses the internet. Otherwise you have to configure policy based routing which is more complex.
But it may not matter. Who cares which internet service the computers use. You could just let them round robin on the dual default routes and split the traffic. You plan on controlling the servers based on policy or MIP anyway and that will all still work as configured. Then once all the servers are migrated just remove the original default route and interface configuration.
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6