Configuring Anycast BGP - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

How to configure Anycast BGP.

To configure Anycast BGP on a managed BlueCat DNS Server:

  1. From the configuration drop-down menu, select a configuration.
  2. Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  3. Under Servers, click the name of a BDDS. The Details tab for the server opens.
  4. Click the server name menu and select Service Configuration.
  5. From the Service Type drop-down menu, select Anycast.
  6. Under General Settings, set the following parameters:
    • Enable Anycast Service—select this check box to enable Anycast service; deselect this check box to disable Anycast service.
    • Protocol—BGP service should be selected by default. If not, select BGP from the drop-down menu. Different fields become available depending on the type of protocol that you select.
    • BGP Local ASN—enter the local Autonomous System Number allocated for the Autonomous System to which the DNS server belongs (by default, 64999).
    • BGP Router ID—enter the IPv4 address of the BGP router.
    • IPv4/IPv6 Anycast Address—enter a new IPv4 or IPv6 address (without CIDR netmask/prefix) for the Virtual Loopback interface and click Add. The IPv4/IPv6 address appears in the list.
      • Add additional IPv4/IPv6 Loopback addresses as needed.
      • To delete an IPv4/IPv6 Loopback address, select the address and click Remove.
        Note: The Service interface (eth0) serves as the source address for BGP peering on the DNS Server. Addresses assigned to the Virtual Loopback interface are announced as connected networks behind eth0. While the physical Service interface must always use a unique IP address throughout the network, the Virtual Loopback interface placed behind it may reuse the same IP address on any DNS Server. Reusing the same IP address on multiple servers makes that address an anycast address. This approach also allows load balancing between DNS servers over multiple BGP paths to the same anycast IP destination.
    • Enable BGP Command Line Interface—selected by default, this option allows you to configure additional BGP parameters via the Telnet BGP CLI. If selected, the Telnet password to BGP CLI option becomes available.
    • Telnet password to BGP CLI—(available only when BGP CLI is enabled) enter the Telnet password to access the BGP command line interface (by default, bgp).
      Note: The Telnet password is case-sensitive.
  7. Configure the BGP parameters:
    • Keep alive Time—frequency in seconds (from 0 to 65535) that keepalive notifications are sent to the BGP peer (by default, 60).
    • Hold Time—interval in seconds (from 0 to 65535) after not receiving a keepalive notification that a BGP peer is declared dead (by default, 180).
    • BGP Remote ASN in IPv4—ASN of the remote network containing the IPv4 BGP peer (from 1 to 65534).
    • IPv4 Address of BGP Peer—IPv4 address of the BGP router peering with the Anycast DNS server.
      Note: Ensure IPv4 communication can be established between this address and the IPv4 address of the Service interface (eth0) configured on the DNS Server. The IPv4 address of the BGP Peer should be on the same subnet or routed to the IPv4 gateway on the DNS Server.
    • IPv4 Hop Limit to the BGP Peer—number of hops (from 1 to 255) permitted between the Anycast DNS server and its closest peer via IPv4 (by default, 1).
    • MD5 signature in IPv4—(OPTIONAL) alphanumeric password to enable MD5 authentication in BGP communication with neighboring IPv4 routers.
      Attention: MD5 authentication password requirements

      MD5 authentication requires a case-sensitive alphanumeric password of up to a maximum of 25 characters; no spaces. The following special characters are permitted: @ - . : _ [ ] .

      MD5 authentication with Anycast BGP

      If MD5 authentication passwords are configured incorrectly, the DNS Server won't be able to establish the BGP peering session. BlueCat recommends verifying that the BGP peering session is established after configuring MD5 authentication.

    • Announce Next-Hop-Self to IPv4 BGP Peer—(Reserved for future use) if selected, enables the DNS server to advertise its IPv4 peering address to the BGP peer as the next hop for all IPv4 routes distributed by the DNS server.
      Attention: Announce Next-Hop parameters reserved for future use

      The current Anycast BGP implementation supports only a single BGP peer per address family (IPv4 and IPv6). As such, enabling the Announce Next-Hop parameter will have no effect on the behavior of the DNS server.

    • BGP Remote ASN in IPv6—ASN of the remote network containing the IPv6 BGP peer (from 1 to 65534).
    • IPv6 Address of BGP Peer—(OPTIONAL) IPv6 address of the BGP router peering with the Anycast DNS server.
      Note: Ensure IPv6 communication can be established between this address and the IPv6 address of the Service interface (eth0) configured on the DNS Server. The IPv6 address of the BGP Peer should be on the same subnet or routed to the IPv6 gateway on the DNS Server.
    • IPv6 Hop Limit to BGP Peer—(OPTIONAL) number of hops (from 1 to 255) permitted between the Anycast DNS server and its closest peer via IPv6 (by default, 1).
    • Announce Next-Hop-Self to IPv6 BGP Peer—(Reserved for future use) if selected, enables the DNS server to advertise its IPv6 peering address to the BGP peer as the next hop for all IPv6 routes distributed by the DNS server.
      Attention: Announce Next-Hop parameters reserved for future use

      The current Anycast BGP implementation supports only a single BGP peer per address family (IPv4 and IPv6). As such, enabling the Announce Next-Hop parameter will have no effect on the behavior of the DNS server.

    • MD5 signature in IPv6—(OPTIONAL) alphanumeric password to enable MD5 authentication in BGP communication with neighboring IPv6 routers.
      Attention: MD5 authentication password requirements

      MD5 authentication requires a case-sensitive alphanumeric password of up to a maximum of 25 characters; no spaces. The following special characters are permitted: @ - . : _ [ ] .

      MD5 authentication with Anycast BGP

      If MD5 authentication passwords are configured incorrectly, the DNS Server won't be able to establish the BGP peering session. BlueCat recommends verifying that the BGP peering session is established after configuring MD5 authentication.

  8. OPTIONAL: Set Anycast BGP Prefix lists:
    • From the Name drop-down menu, select either INPUTv4, OUTPUTv4, INPUTv6, or OUTPUTv6.
    • From the Action drop-down menu, select either permit or deny.
    • In the text field, enter the IPv4/IPv6 address and netmask/prefix <IPv4/IPv6 address/CIDR> and click Add. The prefix list appears in the list.
    • To change the list order, select a prefix list item and click Move Up or Move Down. To delete a prefix list, select a prefix list item and click Remove.
    Note: Two prefix lists can be defined in Address Manager for each IPv4 or IPv6 BGP peer:
    • one prefix list to filter INPUT IPv4 routing information
    • one prefix list to filter OUTPUT IPv4 routing information
    • one prefix list to filter INPUT IPv6 routing information
    • one prefix list to filter OUTPUT IPv6 routing information
  9. Click Update.
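
Example (added here, not part of the BlueCat documentation or product): a pre-flight check that applies the ranges and password rules from steps 6 and 7 to a planned set of values before they are entered, and flags a BGP CLI left on its default Telnet password or a peering with no MD5 signature. The dictionary key names and sample values are assumptions made for this example; they are not Address Manager API fields.

```python
import ipaddress
import re

# Page rule: alphanumeric, max 25 characters, no spaces; specials @ - . : _ [ ]
MD5_RULE = re.compile(r"[A-Za-z0-9@\-.:_\[\]]{1,25}")
DEFAULT_TELNET_PASSWORD = "bgp"  # default stated on the page

def check_anycast_bgp(cfg):
    """Return findings for a dict of settings (hypothetical key names)."""
    findings = []

    def in_range(key, low, high):
        value = cfg.get(key)
        if not isinstance(value, int) or not low <= value <= high:
            findings.append(f"{key}: expected {low}-{high}, got {value!r}")

    in_range("keepalive_time", 0, 65535)
    in_range("hold_time", 0, 65535)
    in_range("remote_asn_v4", 1, 65534)
    in_range("hop_limit_v4", 1, 255)
    for key in ("router_id", "peer_v4"):
        try:
            ipaddress.IPv4Address(cfg.get(key, ""))
        except ValueError:
            findings.append(f"{key}: not a valid IPv4 address")
    for addr in cfg.get("anycast_addresses", []):
        try:
            ipaddress.ip_address(addr)  # raises if a /prefix is appended
        except ValueError:
            findings.append(f"anycast {addr!r}: enter a bare address, no CIDR")
    md5 = cfg.get("md5_v4")
    if md5 is None:
        findings.append("md5_v4: not set, peering has no MD5 authentication")
    elif not MD5_RULE.fullmatch(md5):
        findings.append("md5_v4: violates the password rules")
    telnet = cfg.get("telnet_password", DEFAULT_TELNET_PASSWORD)
    if cfg.get("bgp_cli_enabled", True) and telnet == DEFAULT_TELNET_PASSWORD:
        findings.append("telnet_password: BGP CLI enabled with default password")
    return findings

# Constructed sample values (documentation address ranges, private-use ASN)
SAMPLE = {
    "keepalive_time": 60, "hold_time": 180, "remote_asn_v4": 64512,
    "hop_limit_v4": 1, "router_id": "192.0.2.10", "peer_v4": "192.0.2.1",
    "anycast_addresses": ["198.51.100.53/32"], "md5_v4": "peer secret",
    "bgp_cli_enabled": True, "telnet_password": "bgp",
}

if __name__ == "__main__":
    for finding in check_anycast_bgp(SAMPLE):
        print(finding)
```

The constructed sample produces three findings: the anycast address carries a CIDR suffix, the MD5 password contains a space, and the BGP CLI is enabled with the default Telnet password.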