How to access the Internet when you can't change the default gateway?

Posted by: John Hudson on Feb 8, 2009. Tagged in: tips and tricks, servers
We recently installed two LES10 Internet connections at two sites in the South East for a logistics company. Our customer hosts websites and therefore it was important that downtime was kept to zero.
We installed two Cisco ASA units at each site as an active/standby failover pair. These firewalls listened on a different default gateway address from the old Internet routers, which were still operational. After initial testing, all we had to do was change the default gateway on the approximately 30 servers and modify the DHCP configuration, which the desktop PCs would pick up once their current leases expired. One or two desktop PCs had their NICs set with a static IP address, but it was easy enough to change them to DHCP as users reported problems. Everything appeared to be running nicely with no disruption. We then turned off the old Internet connection, making the old default gateway unreachable.
Soon after, we got a support call from the payroll department: they could not access timekeeping data from a device that few people knew anything about. We did not have any login information, so we called the manufacturer; all we got was voicemail. We left a message but no one called us back. In the meantime no one was going to get paid, because there was no up-to-date timekeeping information. The payroll department were using PCs on a different subnet from the timekeeping device, so the device could not respond: it was trying to reply through a default gateway that no longer existed.
We needed a solution that would listen for packets arriving at the old default gateway address and divert them to the new default gateway. We would have liked to use a spare port on the Cisco ASAs, but they are very fussy and do not allow more than one port to listen on the same subnet.
Luckily Linux came to the rescue! Both sites had database servers running on a Red Hat Linux platform. We set up an alias for the NIC: eth0 was the primary and eth0:1 the secondary, listening on the old default gateway address. We then put some simple rules into iptables, the firewall built into the Linux kernel. The iptables rules simply passed all traffic that arrived at eth0:1 on to eth0. Eth0 was configured to use the new default gateway, the timekeeping device's packets were routed correctly and everybody got paid.
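The post does not show the alias or iptables configuration it used, so the script below is an added example of one way to build the same stand-in gateway on a Linux host; it is not the author's configuration. All addresses (old gateway .1, new ASA pair .254, timekeeping device .37), the interface name eth0 and the function names are constructed placeholders. Two design choices differ from a bare "forward everything" ruleset: forwarding is restricted to the source address of the one device that still points at the old gateway, with a DROP policy for everything else, so the database server does not quietly become a router for the whole LAN; and the relayed traffic is source-NATed to the old gateway address, so replies come back through this host rather than following a second, asymmetric path. Netfilter cannot match on an alias label such as eth0:1, which is why the rules key on the source address instead of `-i eth0:1`. ICMP redirects are switched off on the interface because the kernel would otherwise tell the device to send to the new gateway directly, which it may or may not honour.

```shell
#!/bin/sh
# Added example (not from the original post): make a Linux host answer for the
# old default-gateway address and relay that device's traffic to the new gateway.
# All addresses, the interface name and the device address are constructed placeholders.

# gen_rules OLD_GW NEW_GW LAN_CIDR IFACE SRC
#   Prints the commands instead of running them, so they can be reviewed before
#   being applied as root. SRC is the host (or subnet) still using the old gateway;
#   forwarding is limited to it so the server does not become a general router.
gen_rules() {
    old_gw="$1"; new_gw="$2"; lan="$3"; iface="$4"; src="$5"
    prefix="${lan#*/}"      # prefix length taken from the LAN CIDR, e.g. 24
    cat <<EOF
ip addr add ${old_gw}/${prefix} dev ${iface} label ${iface}:1
ip route replace default via ${new_gw} dev ${iface}
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.${iface}.send_redirects=0
iptables -P FORWARD DROP
iptables -A FORWARD -i ${iface} -o ${iface} -s ${src} -j ACCEPT
iptables -A FORWARD -i ${iface} -o ${iface} -d ${src} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ${iface} -s ${src} -j SNAT --to-source ${old_gw}
EOF
}

# apply_rules: run the generated commands (requires root); stops at the first failure.
apply_rules() {
    gen_rules "$@" | sh -e
}

# Constructed values: old gateway .1, new ASA failover pair .254, timekeeping device .37.
if [ "$1" = "--apply" ]; then
    apply_rules 192.168.10.1 192.168.10.254 192.168.10.0/24 eth0 192.168.10.37
else
    gen_rules 192.168.10.1 192.168.10.254 192.168.10.0/24 eth0 192.168.10.37
fi
```

Run it without arguments to print the commands for review, and with `--apply` as root to execute them. The FORWARD chain only ever relays traffic from the named device and the replies to it; anything else that reaches the old gateway address is dropped, which also makes a forgotten device easy to spot in the kernel's drop counters.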