Staged Transition Network Migration – A simple low-impact method for renumbering IP nets and changing out a firewall in stages

At my company, we sometimes take on new customers whose existing firewalling we want to replace in order to bring them into our standard operating environment. That means fitting them into a specific IP addressing plan, so that we can deliver services from our datacenter without IP conflicts.

This usually means changing IP addresses at the new customer's site as well as replacing their firewalling. Sometimes a single cut-over (old one off, new one on) isn't practical, because there are a lot of systems that have to be renumbered while everything keeps working.

For example, in a migration project currently under way, the customer has laptops that connect through a "road warrior" VPN to the existing box, and we want to offer both the old and the new VPN endpoint during a transition period, so that nothing is disrupted.

What I'm describing in this post is a method I use to achieve what I call a staged transition network migration. I'm not going to go deep into the specifics of operating any particular product, because every vendor does things differently. The method is general enough that it should work no matter what equipment you're moving from or to. I can't really take credit for it: although I came up with it independently, it is basic and simple enough that I'm sure many other people have arrived at and used the exact same technique before.

It looks like this at the Layer 3 level:

                    +------------+
                    | ISP Router |
                    +-----+------+
                          | .1
..........................:.........................
: Outside internet-accessible network 192.0.2.0/29 :
:..................................................:
      | .2        .................          | .3
+-----+------+    . Transition    .    +-----+-----+
| Old creaky |____: interconnect  :____| New shiny |
| firewall   | .2 : 10.99.15.0/30 : .1 | firewall  |
+------+-----+    :...............:    +------+----+
       | .1                                   | .1
.......:.........                  ...........:.....
:    Old LAN    :                  :    New LAN    :
: 172.16.0.0/24 :                  : 10.99.14.0/24 :
:...............:                  :...............:

In the diagram above I'm only showing one LAN behind each firewall, to keep it simple; the design works just as well with multiple networks on either side, such as DMZs or VPN client networks. I'm also not showing the VPN to the datacenter. If that VPN terminates on the new firewall, the datacenter side also needs a route for the old LAN pointed at the new firewall for as long as anything still lives there.

Physically, this consists of putting a layer 2 switch in line between the ISP CPE (Customer Premises Equipment) and the old firewall, so that both firewalls can share the outside network. This causes a short disruption to the internet connection (a matter of seconds if you work quickly). For this to work, you need a spare public IP address from the ISP for the new firewall. The new firewall may also sit on a completely separate internet connection if you're transitioning that as well, in which case the in-line switch isn't needed.

A layer 2 connection is brought up between the firewalls. Typically this is an Ethernet cable (a cross-over cable if you don't have Auto-MDIX) between a free interface on the old firewall and an interface on the new one, but it might also be a VLAN. Give the interconnect its own small subnet (a /30 is plenty) that overlaps neither LAN, nor any DMZ or VPN client network, nor the outside network; otherwise the routes in the next step can't be expressed unambiguously.

I will typically create a new VLAN for the “New LAN” in their existing switches, and hook the new firewall’s LAN port up to that.

After that, add a static route on each firewall for the other firewall's LAN, with the other firewall's interconnect address as the next hop. Each firewall remains the default gateway for its own LAN, so traffic between the two LANs crosses the interconnect in both directions and the return path is symmetric.

Then make sure the firewall policies on both sides permit the traffic across the interconnect, and just like that you have two networks that can talk to each other. Two things to watch for: outbound NAT should stay bound to the outside interface, so that LAN-to-LAN traffic over the interconnect keeps its real source addresses, and the rules for the interconnect should name the two LAN prefixes explicitly rather than treating the new interface as either "inside" or "internet".
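As an added example (not code from the original post), here is a small Python script that checks an addressing plan like the one in the diagram for the overlaps that would break the routing, and emits the static routes and nftables forward rules each firewall needs for the interconnect. It assumes Linux firewalls with iproute2 and nftables; the interface names (eth1 for the LAN, eth2 for the interconnect) and the interconnect prefix 10.99.15.0/30 are my assumptions, not something the post specifies.

```python
# Added example, not code from the original post: check a staged-transition
# addressing plan for overlaps and emit the static routes and forward rules
# each firewall needs for the interconnect.  LAN prefixes follow the diagram;
# interface names (eth1 LAN, eth2 interconnect) and the /30 are assumptions.
import ipaddress
from typing import Dict, List

# Constructed plan matching the diagram above.
PLAN: Dict[str, dict] = {
    "outside": "192.0.2.0/29",
    "old": {"lan": "172.16.0.0/24", "lan_if": "eth1",
            "xc_addr": "10.99.15.2/30", "xc_if": "eth2"},
    "new": {"lan": "10.99.14.0/24", "lan_if": "eth1",
            "xc_addr": "10.99.15.1/30", "xc_if": "eth2"},
}


def peer_of(side: str) -> str:
    return "new" if side == "old" else "old"


def check_plan(plan: dict) -> List[str]:
    """Return the problems found; an empty list means the plan is usable.
    Both LANs, the interconnect and the outside net must be disjoint, and
    the two interconnect addresses must be distinct and in one subnet."""
    problems = []
    xc = {s: ipaddress.ip_interface(plan[s]["xc_addr"]) for s in ("old", "new")}
    if xc["old"].network != xc["new"].network:
        problems.append("interconnect addresses are not in one subnet")
    if xc["old"].ip == xc["new"].ip:
        problems.append("both firewalls use the same interconnect address")
    nets = {
        "old LAN": ipaddress.ip_network(plan["old"]["lan"]),
        "new LAN": ipaddress.ip_network(plan["new"]["lan"]),
        "interconnect": xc["old"].network,
        "outside": ipaddress.ip_network(plan["outside"]),
    }
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def routes_for(plan: dict, side: str) -> List[str]:
    """iproute2 command for one firewall: the other side's LAN is reached
    via the peer's interconnect address, out of the interconnect interface."""
    me, peer = plan[side], plan[peer_of(side)]
    via = ipaddress.ip_interface(peer["xc_addr"]).ip
    return [f"ip route add {peer['lan']} via {via} dev {me['xc_if']}"]


def forward_rules_for(plan: dict, side: str) -> List[str]:
    """nftables rules to append to the firewall's existing forward chain:
    permit LAN-to-LAN traffic across the interconnect in both directions,
    named by prefix, so nothing else on that interface is implicitly trusted.
    Outbound NAT is assumed to stay bound to the outside interface."""
    me, peer = plan[side], plan[peer_of(side)]
    return [
        f'iifname "{me["lan_if"]}" oifname "{me["xc_if"]}" '
        f'ip saddr {me["lan"]} ip daddr {peer["lan"]} accept',
        f'iifname "{me["xc_if"]}" oifname "{me["lan_if"]}" '
        f'ip saddr {peer["lan"]} ip daddr {me["lan"]} accept',
    ]


def next_hop(plan: dict, side: str, dst: str) -> str:
    """Longest-prefix lookup against what one firewall knows: its own LAN and
    the interconnect (connected), the peer LAN (static route), else default."""
    me, peer = plan[side], plan[peer_of(side)]
    d = ipaddress.ip_address(dst)
    xc_me = ipaddress.ip_interface(me["xc_addr"])
    xc_peer = ipaddress.ip_interface(peer["xc_addr"])
    table = [
        (ipaddress.ip_network(me["lan"]), f"direct {me['lan_if']}"),
        (xc_me.network, f"direct {me['xc_if']}"),
        (ipaddress.ip_network(peer["lan"]), f"via {xc_peer.ip} {me['xc_if']}"),
    ]
    matches = [(n.prefixlen, hop) for n, hop in table if d in n]
    return max(matches)[1] if matches else "default route (outside)"


if __name__ == "__main__":
    problems = check_plan(PLAN)
    assert not problems, problems
    for side in ("old", "new"):
        print(f"# {side} firewall")
        print("\n".join(routes_for(PLAN, side)))
        print("\n".join(forward_rules_for(PLAN, side)))
    print(next_hop(PLAN, "old", "10.99.14.50"))  # via 10.99.15.1 eth2
```

Run it as a script to print the commands for both sides. Append the generated rules to the existing forward chain rather than loading them into a fresh table with its own drop policy, or you'll cut off the internet path while enabling the interconnect. next_hop() is a plain longest-prefix lookup that lets you confirm, before touching anything, which way a given destination leaves each firewall; check_plan() is what catches a plan that reuses a LAN prefix for the interconnect.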

Now it's just a matter of moving boxes from one VLAN to the other, which is easy to do by logging into the switches and changing the access VLAN port by port. For DHCP-configured devices, I like to disable the switchport and re-enable it to trigger a DHCP renew on the end device; otherwise it might not notice that it's on a new VLAN and linger with the old IP. Devices with static addresses have to be renumbered by hand, and anything that refers to them by address (DNS records, firewall and VPN policies, monitoring) updated at the same time.

Then, once nothing still connects through the old networks, you can take the old firewall down with no special ceremony; remove the static route and the interconnect rules from the new firewall at the same time, so no stale path is left behind. You might also remove the in-line switch you installed to let both firewalls share the connection, to eliminate a potential point of failure, if it is no longer necessary.