Default Gateway Migration: how to replace a core switch

Default Gateway Migration, how to move the L3 to another device in the best way


Think about something hard to do. Rather than simply hard, something quite painful to do. Now, imagine that thing must also be challenging and rewarding. Picture it in your mind. I bet you are not thinking about default gateway migration.

Still, moving the default gateway from one device to another can be quite an endeavor. Yet, it is often worth it. In this post, we will see why this reckless activity can be useful, and how not to shoot yourself in the foot.

Default Gateway Migration

What is a “default gateway migration”?

The first question we want to answer is: what is the default gateway? Even if this might be a simple question for IT professionals, it deserves a few words.

The default gateway is a device inside a network that allows all other devices to access the rest of the connected world, including the Internet. Since the main role for this device is to allow communications of other devices, it is not a PC or a server, but a router instead. For example, in your home network, you are likely to have the router from your Internet provider.

Each device in the network knows about that default gateway. Each device knows that if it wants to communicate outside the local LAN, it must contact the gateway. This communication happens at the IP level, so all the devices in a network know the IP address of their gateway.

Now, the concept of migration is fairly simple: it means moving from one state to another. Applied to the default gateway, it can mean changing the device acting as the default gateway, changing the IP address of the default gateway, or both.

In a default gateway migration, the device holding the IP of the default gateway changes.
A common example would be moving the IP of the default gateway from a router to a switch.

In this post, we will focus on the implications of replacing the device acting as the default gateway. Thus, for our considerations, the IP address of the gateway will remain the same, only hosted on a new device.

The benefits

Before doing something, we want to know if it is something worth doing. As always in IT (and in life), it varies case by case. You need to understand potential benefits and efforts, and then draw your own conclusions.

The first benefit that comes to mind is hardware refresh. You may want to replace your switch or router with its newer version. However, this kind of migration is often simple, because core features do not change. While this still needs some thought, the real challenges arise when you change the type of device or technology.

Another driver for the activity is control. You may not be in control of the device acting as the default gateway, and you want to put a device you can manage into the network. This is the case, for example, if the WAN provider's router was your gateway and you want more flexibility in your network.

Redundancy can be another driver. For example, you can move the gateway from a single device to a virtual IP hosted by two (or more) devices.

Yet, the most powerful force pushing people to this activity is a different one. People undergo a default gateway migration because they want to shift the paradigm. In the past, it was common to have the gateway on a switch or router, with little to no security. Cyber-security has since grown in importance, and the current best practice is to put a firewall as the default gateway. In this activity, you change technology and probably vendor, so you need to take extra care. However, you also get many benefits:

  • Traffic inspection and policies between local networks
  • Better debug capabilities and flow logging
  • Enhanced NAT configurations

Everything comes at a cost, and now we will see what this cost is.

The challenges

A default gateway migration poses many challenges, and the more the new device differs from the old, the greater the challenges will be. Most challenges relate to the ARP protocol, which is in charge of associating IP addresses with MAC addresses. This protocol is at the foundation of networking and enables communication at the LAN level.

When you change the device acting as default gateway, the MAC address will change even if the IP remains the same. All the devices in the network still associate the gateway IP with the old MAC address, and they need some time to notice the change and build the new entry. Until they do, the devices won’t communicate with outside networks.

Each device needs a different amount of time to process the change. This depends on how long it takes for the ARP entry on each device to time out. As soon as it times out, the old entry will disappear and the device will create a new one. Furthermore, if a device has a static ARP entry for the gateway (as may happen in legacy systems), you may need to intervene manually on that device.
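To make the timing problem concrete, here is an added simulation (not code from the original post): a toy host ARP cache that trusts an entry for a fixed timeout, fed with a hand-built gratuitous ARP frame from the new gateway. It also illustrates the gratuitous ARP step in the how-to list below: a host that honours gratuitous ARP switches to the new MAC at once, while a host that ignores it keeps sending to the old MAC until its entry ages out. The gateway IP, both MAC addresses and the 300-second timeout are constructed values, and the cache logic is a deliberately simplified model of RFC 826 behaviour, not any particular operating system's implementation.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Ethernet II header + RFC 826 ARP body (42 bytes, before any padding)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, 6-byte MAC, 4-byte IP
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def build_gratuitous_arp(mac, ip):
    """Gratuitous ARP: a broadcast request whose sender and target IP are both our own."""
    return build_arp_frame(ARP_REQUEST, mac, ip, "00:00:00:00:00:00", ip)


def parse_arp_frame(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"op": op,
            "sender_mac": fmt(frame[22:28]), "sender_ip": ".".join(map(str, frame[28:32])),
            "target_mac": fmt(frame[32:38]), "target_ip": ".".join(map(str, frame[38:42]))}


class ArpCache:
    """Toy host ARP cache: an entry is trusted for `timeout` seconds, then re-resolved."""

    def __init__(self, timeout=300.0, accept_gratuitous=True):
        self.timeout = timeout
        self.accept_gratuitous = accept_gratuitous
        self.entries = {}  # ip -> (mac, learned_at)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)

    def lookup(self, ip, now):
        """Cached MAC for ip, or None once the entry has aged out (host must ARP again)."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at >= self.timeout:
            del self.entries[ip]
            return None
        return mac

    def receive(self, frame, now):
        """RFC 826 merge rule: refresh an existing entry for the sender; gratuitous only if accepted."""
        arp = parse_arp_frame(frame)
        if arp["sender_ip"] == arp["target_ip"] and not self.accept_gratuitous:
            return False
        if arp["sender_ip"] in self.entries:
            self.learn(arp["sender_ip"], arp["sender_mac"], now)
            return True
        return False


def simulate_cutover(accept_gratuitous, timeout=300.0):
    """Seconds a host cannot reach the gateway after its MAC changes at t=100 (IP unchanged).
    Constructed values: the gateway IP and both MACs are illustrative only."""
    gw_ip, old_mac, new_mac = "192.168.1.1", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    host = ArpCache(timeout=timeout, accept_gratuitous=accept_gratuitous)
    host.learn(gw_ip, old_mac, now=0.0)          # learned from the old device
    t_switch = 100.0                             # IP shut on the old device, enabled on the new one
    host.receive(build_gratuitous_arp(new_mac, gw_ip), now=t_switch)
    down = 0
    for t in range(int(t_switch), int(t_switch) + 400):
        mac = host.lookup(gw_ip, float(t))
        if mac is None:                          # aged out: the host re-ARPs, the new device answers
            mac = new_mac
            host.learn(gw_ip, mac, float(t))
        if mac != new_mac:                       # frames still go to the old MAC: black-holed
            down += 1
    return down


if __name__ == "__main__":
    print("downtime with gratuitous ARP accepted:", simulate_cutover(True), "s")
    print("downtime with gratuitous ARP ignored: ", simulate_cutover(False), "s")
```

With these constructed numbers the host that accepts gratuitous ARP loses nothing, while the host that ignores it is cut off for the remaining 200 seconds of its entry's lifetime; a longer timeout, or a static entry that never expires, stretches that window accordingly.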

Proxy ARP

An even bigger challenge comes from proxy ARP. If you assume all devices in the network have a correct default gateway and subnet mask configuration, you are naive. They may not, particularly if they were set up by people who are not network or system engineers. That’s the case, for example, with legacy industrial systems.

Those systems typically have a huge subnet mask (e.g. 255.0.0.0), so the device believes every other device in the world is in the same network. Thus, instead of going through the gateway, it will try to reach the destination directly with ARP. If the current gateway supports proxy ARP, it will reply to that ARP request. The device will then believe it is speaking directly with its target, when it is actually speaking with the default gateway.

If you change the device, ensure it supports proxy ARP in the same way. For example, Cisco switches have proxy ARP enabled by default, and they respond to any ARP request for a destination they have a route to. If the device has a default route, it will proxy ARP literally anything. Firewalls (of any vendor), instead, typically do not have proxy ARP enabled by default. Some may not even support it. If they do, they may require you to statically list the destination IP addresses to proxy ARP for.
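The following is an added pre-migration check, not code from the original post. It models the two decisions described above: on the host side, whether a misconfigured subnet mask makes a remote destination look on-link (so the host ARPs for it instead of using the gateway), and on the gateway side, whether the device answers that ARP request, either for anything it has a route to (the Cisco-style default the post describes) or only for an explicit list (the firewall behaviour the post describes). Comparing the old and new gateway over an inventory of hosts and destinations yields the flows that will silently break at cutover. The subnet, host addresses, routes and destinations are constructed values; the policy modes are a simplification, not any vendor's actual configuration syntax.

```python
import ipaddress


def host_thinks_on_link(host_ip, netmask, dst_ip):
    """Host-side decision: anything inside the host's own (possibly wrong) subnet is ARPed for directly."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    return ipaddress.ip_address(dst_ip) in local_net


class Gateway:
    """Router/firewall with longest-prefix-match routes and one of three proxy ARP policies:
    'route' answers any ARP request for a destination it has a route to (Cisco-style default),
    'list'  answers only for explicitly configured destinations (typical firewall behaviour),
    'off'   never answers."""

    def __init__(self, routes, proxy_mode="route", proxy_list=()):
        self.routes = [ipaddress.ip_network(r) for r in routes]
        self.proxy_mode = proxy_mode
        self.proxy_list = {ipaddress.ip_address(a) for a in proxy_list}

    def route_for(self, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if dst in r]
        return max(matches, key=lambda r: r.prefixlen) if matches else None

    def answers_proxy_arp(self, dst_ip, lan):
        """Would the gateway reply to an ARP request for dst_ip heard on the LAN `lan`?"""
        dst = ipaddress.ip_address(dst_ip)
        if dst in ipaddress.ip_network(lan):
            return False  # genuinely on-link: the real owner answers, no proxying involved
        if self.proxy_mode == "off":
            return False
        if self.proxy_mode == "list":
            return dst in self.proxy_list
        return self.route_for(dst_ip) is not None


def proxy_arp_dependencies(hosts, lan, gateway, destinations):
    """(host, destination) pairs that only work because `gateway` proxies ARP for them."""
    lan_net = ipaddress.ip_network(lan)
    deps = []
    for host_ip, mask in hosts:
        for dst in destinations:
            if ipaddress.ip_address(dst) in lan_net:
                continue  # a real neighbour; the mask does not matter here
            if host_thinks_on_link(host_ip, mask, dst) and gateway.answers_proxy_arp(dst, lan):
                deps.append((host_ip, dst))
    return deps


def breaking_pairs(hosts, lan, old_gw, new_gw, destinations):
    """Flows the old gateway proxied but the new one will not: fix these before the cutover."""
    before = set(proxy_arp_dependencies(hosts, lan, old_gw, destinations))
    after = set(proxy_arp_dependencies(hosts, lan, new_gw, destinations))
    return sorted(before - after)


# Constructed inventory: one legacy PLC with a /8 mask, one correctly configured server.
LAN = "10.1.0.0/24"
HOSTS = [("10.1.0.20", "255.0.0.0"), ("10.1.0.30", "255.255.255.0")]
DESTINATIONS = ["10.50.0.5", "203.0.113.9"]   # a remote site and an Internet host (documentation range)
ROUTES = ["10.1.0.0/24", "10.50.0.0/16", "0.0.0.0/0"]

OLD_SWITCH = Gateway(ROUTES, proxy_mode="route")
NEW_FIREWALL = Gateway(ROUTES, proxy_mode="list")                           # nothing listed yet
NEW_FIREWALL_FIXED = Gateway(ROUTES, proxy_mode="list", proxy_list=["10.50.0.5"])

if __name__ == "__main__":
    print("will break:", breaking_pairs(HOSTS, LAN, OLD_SWITCH, NEW_FIREWALL, DESTINATIONS))
    print("after fix: ", breaking_pairs(HOSTS, LAN, OLD_SWITCH, NEW_FIREWALL_FIXED, DESTINATIONS))
```

The PLC with the /8 mask reaches the remote site today only because the switch proxies ARP for it through its route; the firewall with an empty proxy list would drop that flow, and adding the destination to the list (or fixing the PLC's mask, where that is possible) removes it from the report.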

How to do a default gateway migration

Here is some advice on how to do a default gateway migration as easily as possible.

  • Have a great understanding of what devices you have in the network and what is the impact if they cannot communicate with the outside world.
  • Do it in a less-impacting time window: you don’t want everyone screaming. If you do it during less congested hours, you will have more time to work problems out.
  • Shut down the IP address on the old device before bringing it up on the new one. Otherwise, you will have IP address conflicts and you risk losing connection to both the old and the new device.
  • Use gratuitous ARP. This is a feature you must have on the new device: it forces all the other devices to update their IP-MAC associations, so that their downtime can be reduced to seconds. However, this requires that the other devices accept gratuitous ARP messages, which isn’t always the case.
  • If possible (and feasible), change the MAC address. If the new device supports an admin-set MAC address, set it to the MAC address of the old device. Before doing so, ensure it does not increase the configuration burden on the new device or limit you in other ways. This is a great strategy if you move to a virtual IP (e.g. HSRP). Note that RFC-compliant VRRP does not support that (see RFC 3768).
  • Clear the ARP table of any device that stops working after the change. If that’s not possible, reboot the device.
  • Carefully consider the proxy ARP configuration before attempting the migration.
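Once the IP is up on the new device and gratuitous ARP has been sent, the remaining work is finding the hosts that did not pick up the change. The script below is an added example, not the post's own tooling: it parses `ip -4 neigh show` output collected from Linux hosts after the cutover, classifies each host's entry for the gateway IP as updated, stale (old MAC, will expire on its own) or static (a permanent entry that must be edited by hand), and suggests the matching `ip neigh` command. The hostnames, gateway IP, MAC addresses and neighbour table dumps are all constructed sample data.

```python
import re

# Constructed values: the gateway IP and MACs are illustrative, not from the original post.
GATEWAY_IP = "192.168.1.1"
OLD_MAC = "aa:aa:aa:aa:aa:01"
NEW_MAC = "bb:bb:bb:bb:bb:02"

# Constructed sample: `ip -4 neigh show` output collected from four Linux hosts after the cutover.
NEIGH_DUMPS = {
    "app01": "192.168.1.1 dev eth0 lladdr bb:bb:bb:bb:bb:02 REACHABLE\n"
             "192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 STALE\n",
    "legacy-plc": "192.168.1.1 dev eth0 lladdr aa:aa:aa:aa:aa:01 PERMANENT\n",
    "db01": "192.168.1.1 dev eth0 lladdr aa:aa:aa:aa:aa:01 STALE\n"
            "192.168.1.7 dev eth0 FAILED\n",
    "batch02": "192.168.1.9 dev eth0 lladdr 00:11:22:33:44:66 REACHABLE\n",
}

# One `ip neigh` line: address, interface, optional link-layer address, NUD state.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)$")


def parse_neigh(text):
    """Parse `ip neigh` output into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(rows):
    """State of one host's entry for the gateway IP after the cutover."""
    for row in rows:
        if row["ip"] != GATEWAY_IP:
            continue
        if row["mac"] == NEW_MAC:
            return "ok"
        if row["state"] == "PERMANENT":
            return "static"     # manually configured entry: the timeout will never fix it
        return "stale"          # still the old MAC: wait for timeout, re-send GARP, or delete it
    return "no-entry"           # will resolve fresh on next use: nothing to do


def remediation(hostname, rows):
    """Suggested per-host action, using the interface the entry was found on."""
    state = classify(rows)
    dev = next((r["dev"] for r in rows if r["ip"] == GATEWAY_IP), "eth0")
    if state == "stale":
        return f"{hostname}: ip neigh del {GATEWAY_IP} dev {dev}   (then ping the gateway to re-ARP)"
    if state == "static":
        return f"{hostname}: ip neigh replace {GATEWAY_IP} lladdr {NEW_MAC} dev {dev} nud permanent"
    return f"{hostname}: nothing to do ({state})"


def migration_report(dumps):
    """Map each host to the state of its gateway entry."""
    return {host: classify(parse_neigh(text)) for host, text in dumps.items()}


if __name__ == "__main__":
    for host, text in NEIGH_DUMPS.items():
        print(remediation(host, parse_neigh(text)))
```

Run against the sample data, `app01` is already fine, `db01` holds a stale entry that a delete (or simply waiting) will fix, and `legacy-plc` has a permanent entry that no gratuitous ARP will ever overwrite, which is exactly the case the list above says needs manual intervention.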

If you consider all of that, your default gateway migration will go as smoothly as possible.

In conclusion

Undertaking a default gateway migration is painful, and there is no other way to say it. Still, if you do it properly, you will minimize the impacts and get more control over your network.

Most importantly, remember to understand what you have in the network, use gratuitous ARP, and reboot early if you see a device is not behaving correctly. This can save you nights at the office. The strategy is well time-tested.

Do you have some other advice to share about default gateway migration? Let me know in the comments.


Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.

2020-03-19T04:30:00+00:00


Networking
