cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
294
Views
4
Helpful
6
Replies

ISP cuover question

boshardy1
Level 1
Level 1

I work with a client who needs to be able to run off 2 ISP's simultaneously for awhile until DNS fully converges. They are switching ISP's with new IP's but like I mentioned DNS updates take awhile and they cannot be down. On the new ISP side there will be a 2800 and ASA while on the old side a 2600 and Netscreen. If we switch the default gateway of servers to point at ASA we will end up with traffic coming in on the old ISP side and going out the new side, which won't work. Any suggestions how to do this temporarily?

6 Replies 6

paolo bevilacqua
Hall of Fame
Hall of Fame

Hi, the only way in my opinion, is to run nat on a single router, that has both outside connections. that requires accurate configuration however.

Danilo Dy
VIP Alumni
VIP Alumni

Hi,

About the DNS, you mean it is currently host by ISP1 and will be host by IPS2?

Prior to migration, change the ZONE TTL to 10 minutes (don't forget to change the serial number to a higher number). If the TTL is currently 1 day, it will take maximum 1 day before all non-authoritative DNS who has a cache record of the domain to be aware of the TTL change and make the update on their cache record.

Once the ZONE TTL is now 10 minutes, any changes (i.e. A, PTR, MX) will take maximum 10 minutes to take effect on non-authoritative DNS.

On the day of migration, it will take maximum 10 minutes for non-authoritative DNS to learn of the new DNS hosting the domain and make the update on their cache record.

ISP1 should drop the ZONE on the day of migration, else it will respond as authoritative to client using it as DNS since it has the ZONE locally.

You can change back the ZONE TTL to its orignal value after migration (i.e. 1day, 1hour)

Oh, don't forget to update the Registrar of the new DNS so that the root will be aware of who's hosting the domain now.

BTW, PTR is always hosted by ISP unless they allocate minimum /24 to you. You can ask them to sub-delegate the PTR hosting to you - sometimes they can sub-delegate the PTR hosting even for a small subnet.

Regards,

Dandy

dongdongliu
Level 1
Level 1

Hi, Thomas

my suggestion are below

1/ server has private address:

respective nat server`s private to different ISP`s public address on the ASA and Netscreen. so, one domain name will be resolution two public address, one is the new ISP`s, the other is the old ISP`s. waiting about 24 hours, all the DNS learn the new IP, you can modify DNS recorde, only remain the new ISP`s ip. during this time, because DNS has Round-Robin mechanism, so user will get right access.

2/ server has old ISP`s public address

add a second NIC and set the new ISP`s address.

regards

dongdong

Even using DNS round-robin mechanism. The TTL still needs to be reduce, because when ISP1 is removed, if TTL is still 24hours (for example), user will intermittenly not able to access the hosts for a maximum of 24 hours.

Quite!

The actual solution to be used will involvea decision or two. If a few minutes unavailability is tolerable the DNS will be the prime mover. Make the new connectivity ready, but ensure outbound ruting is via old ISP. but DNS will point to old link. Shorten TTL and wait for old TTL to expire, so all usage is on 10 min ttl. Simultaneously change DNS entry and change outbound routing. Max outage should be TTL of DNS.

If no outage is tolerable, one will need to combine the DNS change with a routing solution (eg single router or source nat) to permit routing via correct route according to source address used. Obviouly one should keep the period where multiple DNS addresses are in use to a minimum to keep any troubleshooting simple.

paul.matthews
Level 5
Level 5

The suggestions about DNS are bang on, the issue is that you will have a period where two DNS entries may be used.

As has already been suggested, routing via a single router is a potential route.

You could also look at translating the source address of incoming traffic according to its point of entry, such that traffic via ISP1 will have one address *as the source" and traffic via ISP2 will have a different address as the source.

Make sure that address is routed appropriately, and traffic that comes in via one ISP will go back out that way.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco