Anycast BGP - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.4.0

BGP is a complex routing protocol used to exchange routing information between autonomous systems.

Deploying Anycast using BGP is the most common with Internet Service Providers (ISPs), but can also be used if you are a large enterprise customer needing to interconnect networks across disparate geographical or administrative locations.

Anycast BGP with DNS Servers

Deploying Anycast BGP on a managed DNS Server turns it into a fully-fledged BGP router in the network, capable of establishing connection with a BGP peer, participating in BGP routing processes, accepting and distributing dynamic routing information through BGP, and so forth.

Anycast BGP on a managed DNS Server provides functionality in both IPv4 and IPv6 address families. The DNS Server can communicate with an IPv4 BGP router and exchange IPv4 routing information, communicate with an IPv6 BGP router, and exchange IPv6 routing information. One instance of BGP on the DNS Server can run simultaneously and independent in both IPv4 and IPv6 address families.

In the diagram below, Anycast BGP is configured to route DNS service from a primary DNS Server (ASN 65001) and a secondary DNS Server (ASN 65002). ASN 64999 is the Automated System comprised on BGP Peers, routers, and switches. The “Short path” provides the fewest number of hops between the DNS client and ASN 65001. Anycast BGP routes DNS service via this “short path” to provide the most efficient service.

In the next diagram, a DNS failure has occurred at ASN 65001. Anycast BGP instantly re-routes DNS service via the “Long path” to ASN 65002 in order to maintain DNS service to the client.

MD5 authentication with Anycast BGP

OPTIONALDNS/DHCP Servers can use MD5 authentication on a TCP connection to neighboring BGP peers. You can configure MD5 authentication for IPv4 and IPv6 address families separately from the Address Manager user interface.
Attention: MD5 authentication password requirements

MD5 authentication requires a case-sensitive alphanumeric password of up to a maximum of 25 characters; no spaces. The following special characters are permitted: @ - . : _ [ ] .

MD5 authentication with Anycast BGP

If MD5 authentication passwords are configured incorrectly, the DNS Server won't be able to establish the BGP peering session. BlueCat recommends verifying that the BGP peering session is established after configuring MD5 authentication.

Prefix Lists in Anycast BGP

OPTIONAL—Configure Prefix Lists and deploy them to DNS/DHCP Servers with the Anycast BGP configuration. Two prefix lists can be defined in Address Manager for each IPv4 or IPv6 BGP peer:
  • one prefix list to filter INPUT IPv4 routing information
  • one prefix list to filter OUTPUT IPv4 routing information
  • one prefix list to filter INPUT IPv6 routing information
  • one prefix list to filter OUTPUT IPv6 routing information

These lists are independent from each other—you can have only one of them defined at a time or both. Each deployed prefix list is automatically bound to a related BGP peer.