  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 410

Porting services and subnets to a new ISP

We are moving the current 3 ISP provided subnets and fiber optic WAN connections to 1 new ISP.
These are used for services such as DNS, e-mail (internally hosted Exchange 2007), several websites, VPN for 50 remote offices, etc.
What would be the fastest way to transfer all these services to new ISP with least downtime?
Asked by proteus-IV
1 Solution
 
agonza07 commented:
Do you own the IP address space? If so, will it be migrated to the new ISP? Do you have BGP enabled?

If no to the above, then good luck with that because you are going to have to do everything manually. All 50 sites and DNS changes. Keep in mind that it can take 24-72 hours for changes to replicate across the internet when you make DNS changes. So if you don't have both ISPs up and running in some kind of way, then your email and websites may be down for a certain period of time until the DNS changes are replicated.
0
 
proteus-IV (author) commented:
We do not own the address space, so I would have to manually reconfigure all services.
I do not have BGP enabled.
I was thinking on maybe trying to get a metro ethernet connection for the current location and the new office.
That way I could reconfigure as much as I can before the physical move.
0
 
agonza07 commented:
Are you moving offices and the equipment to the new location?
0
 
proteus-IV (author) commented:
Yes, all networking equipment, servers and workstations are being transferred to the new location.
0
 
agonza07 commented:
Do you have Cisco equipment for the firewalls and router?
0
 
proteus-IV (author) commented:
No, we use FortiGate.
0
 
fhmc commented:
On the surface it seems some very basic and manageable work is in store for you... That said, your question presents several moving parts and reads a bit short on details. Please expand on the DNS and VPN configuration, as these two concerns may range anywhere from insignificant to holy cow... DNS liabilities should be easily mitigated by defining host entries w/ your new ISP well in advance of the conversion. If VPN connections reference DNS hosts vs. IP addresses you should be in good shape if you follow the advice in my previous sentence.

In short...

Define all DNS pointers w/ the new ISP before cutting over. Do this no less than 1 week prior to the move. Perform multiple DNS lookup tests against the new ISP's server 1 or 2 days into the project.

From a Windows host do the following from a cmd prompt (in interactive nslookup the server is switched with "server <host>", not "server="):

    c:\>nslookup
    > server newispdnsserver
    > nameofapublicfacinghostfromyourcompany

If the IP addresses are accurately returned, you're ready to go... that simple.

If your clients' VPN connections are defined by IP vs. DNS, every client will need to be touched and updated... (e.g. if the VPN client looks for x.x.x.x vs. myvpnserver.mydomain.tld)

If your firewall can manage multiple public IP address forwarders to an internal host, configure a path for both ISPs... So, say your current MX record w/ ISP 1 is x.x.x.x and your new MX record w/ ISP 2 is y.y.y.y: plug both ISPs into your firewall and forward them both to your mail server. If this is not possible you may consider a mail forwarding option (point your MX record to a 3rd party that provides store-and-forward services, then point the third party's relay server to your new IP when ready... this way you can rest reasonably assured no mail will be lost, though it may be delayed.)

Finally, I don't subscribe to the mainstream assertion that public Internet DNS takes 48-72 hrs to propagate... in my experience it's very close to immediate in most cases (though I freely concede this is not guaranteed.) Unless a connecting host is relying on a poorly configured in-house DNS server or the upstream (ISP's) DNS server caches lookups for an unusually long time, the lookup request will be immediately directed to the authoritative server for your domain.

Typical scenario:

At 9:00AM you change the DNS entry for coolserveryoureallywanttosee.com from x.x.x.x to y.y.y.y and I want to browse coolserveryoureallywanttosee.com 5 minutes later... My computer will likely ask my home router for your domain's IP, then my router will ask my ISP's DNS server, then my ISP's server will either respond w/ a cached entry or it will seek out the SOA for your domain and immediately ask your hosting DNS server for the address (and that address will be current.) Hope that all made sense...
0
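The pre-cutover check fhmc describes (ask the new ISP's DNS server for your public hosts and confirm the answers match the planned addresses) can be scripted so every host and MX record is verified in one run and the TTL of each answer is visible, which is what decides how long a cached old record can linger. The script below is an added example, not fhmc's or anyone's code from this thread: it is a minimal stdlib-only DNS client that sends a UDP query to a chosen server, parses A and MX answers (including name compression), and reports mismatches against an expected map. The server address, hostnames and the sample reply bytes are constructed for illustration.

```python
import random
import socket
import struct

# Added example (not from the thread): minimal DNS client for verifying records on
# the new ISP's server before cutover. Server IPs, hostnames and SAMPLE_RESPONSE
# below are constructed values.

TYPE_A, TYPE_MX = 1, 15


def build_query(name, qtype, txid):
    """Build a standard recursive UDP query for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: jump, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_answers(msg, txid):
    """Return (rcode, [(name, rtype, ttl, value), ...]) from a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch; ignoring stray reply")
    if flags & 0x0200:
        raise ValueError("answer truncated (TC); retry over TCP")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A:
            value = socket.inet_ntoa(rdata)
        elif rtype == TYPE_MX:
            pref = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = read_name(msg, off + 2)  # exchange name may be a pointer
            value = f"{pref} {exchange}"
        else:
            value = rdata.hex()
        records.append((name, rtype, ttl, value))
        off += rdlen
    return flags & 0x000F, records


def query(server, name, qtype, timeout=3.0):
    """Send one UDP query to server (IP string, port 53) and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_answers(data, txid)


def check_cutover(records, expected):
    """Compare answers with planned values. expected maps (name, rtype) -> set of
    values. Returns [(name, rtype, got, want, min_ttl), ...] for each mismatch."""
    seen, ttls = {}, {}
    for name, rtype, ttl, value in records:
        seen.setdefault((name, rtype), set()).add(value)
        ttls[(name, rtype)] = min(ttl, ttls.get((name, rtype), ttl))
    problems = []
    for key, want in expected.items():
        got = seen.get(key, set())
        if got != set(want):
            problems.append((key[0], key[1], sorted(got), sorted(want), ttls.get(key)))
    return problems


# Constructed sample reply (txid 0x1234, NOERROR): one A and one MX record for
# mail.example.com, using name compression the way real servers do.
SAMPLE_RESPONSE = (
    bytes.fromhex("123481800001000200000000")
    + b"\x04mail\x07example\x03com\x00" + b"\x00\xff\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04" + bytes([192, 0, 2, 10])
    + b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x01\x2c\x00\x04" + b"\x00\x0a\xc0\x0c"
)

if __name__ == "__main__":
    import sys
    # usage: python dnscheck.py <dns-server-ip> host=expected_ip [host=expected_ip ...]
    server, pairs = sys.argv[1], [arg.split("=", 1) for arg in sys.argv[2:]]
    for host, ip in pairs:
        rcode, rrs = query(server, host, TYPE_A)
        problems = check_cutover(rrs, {(host, TYPE_A): {ip}})
        print("MISMATCH" if problems or rcode else "OK", host, f"rcode={rcode}", rrs)
```

Run it against the new ISP's resolver and against your authoritative server separately: the authoritative answer tells you whether the zone itself is right, and the TTL in the recursive answer is the worst case for how long an old address can still be served from that resolver's cache. Replies larger than a UDP datagram come back with the TC bit set, which the parser refuses rather than silently reporting a partial answer list.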
 
proteus-IV (author) commented:
@fhmc

Thank you for the explanation.
We will be transferring two ISP links to a single one.
Those two ISPs merged into a single company, which means we can keep the public IP ranges used for VPN.

What we have to transfer is DNS, MX records and the second VPN to new public IP ranges.
0
