
How to change IP of Ironport C370 ESA for move to new datacenter?

dakohlmeyer (Level 1)

My infrastructure team wants to move our 2 clustered Ironport C370s to new IP spaces, each at a separate data center. Something I've never done before. What pages do I need to change in the config before they physically move the boxes to the new datacenter in a new subnet? What firewall rules need to be allowed?

Thanks.

Accepted Solution

Hi,

change IP addresses for all interfaces you need to: Network > IP interfaces.

Change IP routes: Network > routes

If your mail servers (Exchange) get new IP addresses also, then you should change SMTP routes also: Network > SMTP routes

Are there new DNS servers? Network > DNS

If LDAP's IP is changed: System administration > LDAP

Syslog server if needed.


Firewall rules:

1. incoming mail: at least port tcp/25 in both directions (check Network > Listeners if there are any other ports configured for listeners).

2. management: usually tcp/443 for GUI and tcp/22 (CLI-ssh). If you're still using telnet then open port tcp/23 also.

3. SPAM quarantine: tcp/82 (http) and tcp/83 (https) usually; if users are authenticating via POP/IMAP then open tcp/110/143 also.

4. ftp (if needed) for file transfer (in and/or out): logs, configuration...

5. DNS (outgoing): tcp+udp/53

6. syslog if it's used (outgoing): udp/514

7. if you're using AD/LDAP integration: tcp/389 or tcp/636 (for secured connection)

8. HTTPS (outgoing) for updates

As I understand you have two C370 in cluster and you're not using SMA. If you're using SMA also then you need to open additional ports (tcp/6025 and tcp/7025).

I hope I didn't forget any :)

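The port list in the accepted answer is easy to hand to a firewall team as a spreadsheet, but it is just as useful as data: the rules can be generated from the options actually in use, and the inbound TCP ports can be probed from the new subnet before the cutover so a missing rule is found while the boxes are still reachable on the old network. The following is an added example, not code from the original thread or from Cisco. It assumes tcp/21 for the FTP item (the answer names no port), that POP/IMAP, LDAP and SMA connections are initiated by the ESA, and all function and class names are this example's own.

```python
"""Firewall rule checklist and TCP reachability probe for an ESA move.

Added example: encodes the port list from the accepted answer as data, so the
same list can be rendered for a change request and later probed from the new
subnet. Function names and the directional assumptions noted in comments are
this example's own, not Cisco's.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" = towards the ESA, "out" = initiated by the ESA
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str


def esa_firewall_rules(*, telnet=False, pop_imap=False, ftp=False,
                       ldap=None, sma=False, extra_listener_ports=()):
    """Build the rule list; keyword flags are the optional items in the answer.
    ldap is None, "plain" (tcp/389) or "secure" (tcp/636)."""
    rules = [
        Rule("in",  "tcp", 25,  "SMTP listener (incoming mail)"),
        Rule("out", "tcp", 25,  "SMTP delivery (outgoing mail)"),
        Rule("in",  "tcp", 443, "management GUI (HTTPS)"),
        Rule("in",  "tcp", 22,  "management CLI (SSH)"),
        Rule("in",  "tcp", 82,  "spam quarantine (HTTP)"),
        Rule("in",  "tcp", 83,  "spam quarantine (HTTPS)"),
        Rule("out", "tcp", 53,  "DNS"),
        Rule("out", "udp", 53,  "DNS"),
        Rule("out", "udp", 514, "syslog"),
        Rule("out", "tcp", 443, "updates (HTTPS)"),
    ]
    # Any non-standard listener ports found under Network > Listeners.
    rules += [Rule("in", "tcp", int(p), "additional listener") for p in extra_listener_ports]
    if telnet:
        rules.append(Rule("in", "tcp", 23, "management CLI (telnet)"))
    if pop_imap:  # assumption: quarantine end-user auth is ESA -> mail server
        rules += [Rule("out", "tcp", 110, "quarantine auth (POP)"),
                  Rule("out", "tcp", 143, "quarantine auth (IMAP)")]
    if ftp:  # assumption: standard FTP control port; the answer gives none
        rules += [Rule("in", "tcp", 21, "FTP (pull logs/config)"),
                  Rule("out", "tcp", 21, "FTP (push logs/config)")]
    if ldap == "plain":  # assumption: LDAP lookups are ESA -> directory
        rules.append(Rule("out", "tcp", 389, "AD/LDAP"))
    elif ldap == "secure":
        rules.append(Rule("out", "tcp", 636, "AD/LDAP over TLS"))
    elif ldap is not None:
        raise ValueError("ldap must be None, 'plain' or 'secure'")
    if sma:  # assumption: SMA traffic is initiated by the ESA
        rules += [Rule("out", "tcp", 6025, "SMA"), Rule("out", "tcp", 7025, "SMA")]
    return rules


def rule_table(rules):
    """Render the list as text lines for a firewall change request."""
    return ["{:<3} {:<3} {:>5}  {}".format(r.direction, r.proto, r.port, r.purpose)
            for r in rules]


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_inbound(host, rules, timeout=2.0):
    """From the new subnet, connect to every inbound TCP rule of the ESA at
    host; returns {port: reachable}. UDP and outbound rules are skipped, since
    a connect() probe says nothing about them."""
    return {r.port: tcp_port_open(host, r.port, timeout)
            for r in rules if r.direction == "in" and r.proto == "tcp"}


def blocked_ports(results):
    """Ports the rule list expects open that the probe could not reach."""
    return sorted(p for p, ok in results.items() if not ok)


def loopback_self_check():
    """Offline check of the probe: a listening socket on an ephemeral port
    must report open, and a port we bound and released must report closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return (tcp_port_open("127.0.0.1", open_port, 1.0),
                tcp_port_open("127.0.0.1", closed_port, 1.0))
    finally:
        srv.close()


if __name__ == "__main__":
    for line in rule_table(esa_firewall_rules(ldap="secure", sma=True)):
        print(line)
    print("probe self-check (open, closed):", loopback_self_check())
```

Run it from a host in the new subnet once the firewall rules are staged: `probe_inbound(esa_ip, esa_firewall_rules(...))` followed by `blocked_ports(...)` lists exactly the inbound ports still filtered. Outbound rules (DNS, syslog, updates, LDAP) cannot be verified this way and are best confirmed from the appliance itself after the move, for example by checking that DNS resolution and updates succeed.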

5 Replies


This was a huge help.

Once I change the IPs of the Network Interfaces I assume I'll lose connectivity to the equipment, right?

So at that point I can just power them off and move to the new data center?

Thanks

Yes, you'll lose connectivity to the ESA after you commit changes (assuming you're changing management interface's IP address).

Shut down the appliance gracefully, if possible, before unplugging the power cord (using the serial interface, or by plugging a laptop directly into the ESA with a temporary IP address assigned from the newly assigned subnet range...).


If you're using IP addresses for cluster communication you'll have to update the configuration as Matthew pointed out. I'd recommend setting the cluster to communicate by hostname to avoid repeating this procedure the next time you change the IP addresses of the appliances. You'll only have to change the IP address in one place: the DNS server.

Bob Fayne (Level 1)

You will probably need to re-establish the cluster. Both boxes are probably going to report that they can't find the cluster peer. You might be able to do it like this:


Machine B - tear down cluster and join to existing cluster on A

Machine A - tear down cluster and join back to B


That would get the cluster back up and running. However, if you don't have a tremendous amount of machine-level exceptions you might be better off just tearing down the whole cluster and starting from scratch so it will be a "clean" config.


You could also just follow through with the IP changes on the interface configuration as Jernej has pointed out.


And if the cluster complains that it cannot reach the cluster peer due to a network communication error (the likely error after IP changes), you can check clusterconfig > communication and update the IPs if they have not been updated; this clears the cluster peer communication problems and they'll both sync back up to normal.


This is to avoid breaking down the cluster :)