This discussion has been locked.

Migrate RIPE IP range to new transit network

Hello

We have a RIPE IP range.

Currently we have ISP-A as Sponsoring-LIR and plan to switch to ISP-B
ISP-A uses part of our range as transit network

With ISP-B I would like to use an external transit network

E.g. (all "fictional" IPs):

Our range might be 7.7.7.0/8
ISP-A uses 7.7.7.0/30 as transit

-> resulting in an ETHx interface with e.g. an IP in the 7.7.7.1/8 and gateway 7.7.7.2. All other IPs of the 7.7.7.0/8 as additional addresses on the UTM.

ISP-B should use 80.222.111.29/29 as transit to announce your range.

Is it possible to migrate here without interruption / with a small window?

How would I map that?

Like this:

  • Interface ETHx keeps the IPs
  • Interface ETHy gets ISP-B
  • ISP-B gets an IP in the transit network towards us as next hop
  • ETHy gets a default-gw assigned
  • ETHx gets its default-gw removed

Thanks for any help



  • Ingo, how about a simple diagram showing before and after with more realistic IPs instead of 7.7.7.0/8?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Ingo,

    Bob is right. One diagram says more than 1000 words ;-). I think I suspect your problem.

    Best Regards,
    Manu

    - CISO -
    - Sophos SCA & Partner-

  • Hello

    I mean something like the attached graphic

    The 193-range would not have a direct next-hop to WAN
    But I guess this should not be a problem, right?

    So would I just set up the ISP-B connection (80...-addresses), make that work and then remove the Gateway from the 193-range and everything would work smoothly?

  • Hi Ingo,

    I think you need a smooth transition from ISP-A to ISP-B without facing downtime. To do that, simply configure ISP-B on the UTM and define it in the UPLINK Balancing feature. Refer to the KBA for configuration and details.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • We currently already have multiple uplinks. That is not the question.

    It is rather: how does the UTM handle traffic to/from the 193-range if this cannot directly connect to the ISP?
    Basically it should be routed through the ISP and masquerading should not apply, right?

  • So, I'm still not clear on where the 193 numbers live.  Are they Additional Addresses on eth8 or is there an Ethernet segment attached to eth8?  Will ISP A still have 192.114.251.2 on its router in your premises?

    I have a client that uses Border Gateway Protocol to manage which ISP routes traffic to a public subnet they "own" - is this what you're trying to do?

    Cheers - Bob

     
  • So, I'm still not clear on where the 193 numbers live.  Are they Additional Addresses on eth8 or is there an Ethernet segment attached to eth8?  Will ISP A still have 192.114.251.2 on its router in your premises?

    Yes, there is a segment on eth8 between the UTM and ISP-A router.
    ISP-A's router will go out of service after the migration.

    ISP-B will have a router in the same VLAN (Layer-2 segment).

    We do not want to do BGP on the UTM as I do not intend to give myself the hassle ;)
    The ISPs' routers do BGP of course.

    Both ISPs are allowed to route the network as defined via RIPE DB

    What I try to do: Migrate from one ISP to another at best without service interruption or at least with the shortest possible interruption

  • OK, that's exactly what I thought you wanted, Ingo, but I wasn't "seeing" the picture.  Your plan should work.

    You could use Sachin's suggestion along with appropriate Multipath rules to smooth the transition, and then delete the items no longer needed afterwards.  Also, you may need new firewall rules for traffic coming from your private LANs to the Internet.  You will definitely need one or more firewall rules for traffic from the Internet to the 193 subnet.

    Cheers - Bob

     
  • Thanks for the confirmation :)

    It is basic routing to be honest, but it is better to check beforehand than to run into trouble and have to debug under time pressure.

    Thanks so far

    Case closed