Redundant ISP Connection Setup and Config of Routers and DNS?

Westez (asker):

We're going to be transitioning from Verizon to AT&T and we want to run them in tandem for a week or two. We're trying to avoid an interruption in service to our web and email servers. We want the Verizon link to answer up and resolve names while the AT&T DNS info propagates out across the web.

I'm asking for an overview on the setup of routing and DNS for redundant ISP connections. We own the routers; Verizon and AT&T manage them.
Verizon uses a Cisco 3600; AT&T's is a Cisco and it's a later model than the 3600, not sure just yet.
We maintain the primary DNS server in house, running BIND 8.2; Verizon and AT&T maintain the secondaries. Network Solutions is our registrar; there is something that's set up there that points to the name servers.
Checkpoint R60 does the NATing for us. I'm using static (one-to-one) NAT.

Questions on DNS - Can you have both sets of secondary servers in the allow-transfer line in the named.conf file?
What do you do in the zone files? I currently have Verizon's public IP addresses assigned to us set up as the A records in the zone files. Can I simply add the AT&T public IP addresses in the zone file?
Westez (asker):

DNS: Just so I'm sure I understand you. I can have two A records from two different ISP providers pointing back to the same host name in the zone file? Such as:
terminator.movie.edu IN A 192.249.249.3
terminator.movie.edu IN A 4.36.104.3
I ask because I have a couple of different books covering DNS, this setup isn't mentioned, and it blows my mind that it works this way. It seems just too simple.

Just to be sure we're talking about the same thing...
You are asking about external (public) DNS, right?

You can only have one A record for any given hostname.

When you want to change your DNS records, the common trick is to do it after-hours on a Friday.
Because DNS info can take up to 48 hours to propagate, everything should be up and running on the 'new' DNS by Monday morning.

If you have an email server, ensure the ISP configures your reverse DNS.
This can be done beforehand.

Note that you can have several MX records.
In fact at least 2 are recommended.

All of the above applies to inbound traffic (except email).
Of course, for outbound traffic, you can use as many ISPs as you choose.
If internet connectivity is critical to your business, you may want to consider keeping the second ISP.

Hey guys,

> You can only have one A record for any given hostname.

That's not true.

So...

> I can have two A records from two different ISP providers pointing
> back to the same host name in the zone file?

Yes, but...

The DNS Server will use Round Robin when responding to clients with those addresses.

The difficulty there is DNS isn't service aware, so if one of the IPs is unavailable it will continue to hand out the "bad" IP.

In other words, if you do that you will have to be careful to make sure the service is available on both IP addresses (and that return paths are correctly calculated).

> Because DNS info can take up to 48 hours to propagate

DNS takes the value of the TTL to propagate, with a few exceptions mentioned previously.

Chris
Westez (asker):


I am talking about external/public DNS. And we only want to run them in tandem long enough for the public addresses for AT&T to propagate out across the Internet.

Routing: I can't have two default gateways. Our external default gateway is defined on the firewall server. Because we're transitioning to AT&T I'm thinking I should change the default gateway from the Verizon address to the AT&T address, and add a static route on the firewall for the Verizon network. What do you guys think about doing it this way? If you have alternative suggestions please let me know. And we don't manage the routers; Verizon wouldn't even give us a copy of the router config. Seeing how I plan on changing Verizon's network from being the default gateway, would changes need to be made on the router Verizon manages, such as routes being added or deleted?

As I said, you can probably handle the propagation issue by switching it over the weekend.
Note that although it may take up to 48 hours to propagate, the vast majority will be done within 12 hours.

You should be able to configure multiple default gateways on the firewall. Just make sure the second gateway has a higher metric.

I doubt that Verizon is going to allow any changes to the router config that will speed up the process of you terminating their service.
Westez (asker):


As I stated, the number one goal is to avoid any downtime while the new addresses propagate out across the Internet. I don't have 12 to 48 hours to allow the propagation of the new addresses to take place. If I did I wouldn't have needed to post the questions.

On the firewall (Checkpoint SPLAT R60) we run, you can have one default gateway. From what I've read while researching the problem, you can have only one default gateway, and I would need to set up another static route. If you can point me towards some articles that explain how to set up two default routes then please do so.

Sorry I must have missed replying earlier.

You're right in thinking you can only have one Default Route. It is, after all, the last resort. You could have failover gateways potentially, but that's no good in this scenario (only any good for outbound traffic).

If you can't configure routing so both lines are available then you're back in DNS. But DNS isn't as inflexible as it sounds here. The 24 - 48 hours quoted are a bit misleading. In general you can speed propagation up significantly by reducing the TTL, either on individual records or for the entire zone.

Therefore, if you're swapping records around can't you just reduce the TTL to a more acceptable value? Perhaps 15 minutes (a TTL of 900)?

There are a small number of ISPs that will cause the change to lag. For instance AOL perform a lot of extra caching in DNS so you tend to find their customers are behind the times. Do they represent an important part of your customer base?

Chris
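Chris's point that propagation is driven by the TTL has a corollary worth making explicit: a lowered TTL only helps caches that are filled after it was published, so the TTL has to be dropped at least one old TTL before the address actually changes. The Python model below is an added example, not code from this thread; the class and function names are my own and the timeline and cache data are constructed. It shows a resolver that cached the record before the TTL drop still handing out the old Verizon address long after the cut, and what the cutover schedule should look like with a 900-second TTL.

```python
"""Model how the TTL drives the address cutover discussed in this thread.

Constructed example: one A record moves from the Verizon address to the
AT&T address; remote caches honour the TTL exactly. Times are in seconds.
"""
from dataclasses import dataclass, field

OLD_IP, NEW_IP = "192.249.249.3", "4.36.104.3"   # addresses quoted in the thread


@dataclass
class Authoritative:
    """What the in-house primary publishes: (effective_from, ttl, ip) versions."""
    versions: list

    def answer(self, now):
        ttl, ip = None, None
        for start, t, i in sorted(self.versions):
            if start <= now:            # latest version in effect at 'now'
                ttl, ip = t, i
        return ttl, ip


@dataclass
class Resolver:
    """A remote caching resolver: serves its cached answer until it expires."""
    auth: Authoritative
    cache: dict = field(default_factory=dict)

    def lookup(self, name, now):
        ip, expires = self.cache.get(name, (None, -1))
        if now < expires:
            return ip                   # still serving the cached (possibly stale) IP
        ttl, ip = self.auth.answer(now)
        self.cache[name] = (ip, now + ttl)
        return ip


def cutover_plan(old_ttl, new_ttl, cut_at):
    """Lower the TTL at least old_ttl seconds before the change; afterwards
    every TTL-honouring cache has the new address within new_ttl seconds."""
    return {"lower_ttl_at": cut_at - old_ttl, "converged_by": cut_at + new_ttl}


def worst_case_stale(old_ttl, new_ttl, cut_at, lowered_at):
    """Longest time after the cut that some cache can still hand out the old IP."""
    last_long_lived = lowered_at + old_ttl      # entry fetched just before the TTL drop
    return max(last_long_lived, cut_at + new_ttl) - cut_at
```

Resolvers that ignore TTLs (the AOL-style extra caching Chris mentions) fall outside this model and can only be handled by keeping the old address answering for longer.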
Westez (asker):


OK guys, thanks for the feedback. We can put this one to rest for now; it's been pushed back to August. I'm going to split the points.