Anycast - BlueCat Integrity - 9.5.0

VM Installation Guide

Locale
English
Product name
BlueCat Integrity
Version
9.5.0

Anycast is a routing scheme that provides faster response times by routing requests to the nearest server in a group.

It's especially useful for large distributed DNS applications that handle a high volume of requests. For example, DNS root servers use Anycast to distribute their service throughout the world. Although most root servers are nominally located in the United States and share a U.S. IP address, most of the physical machines are located elsewhere.

Anycast assigns one IP address to multiple servers that provide the same service. A client asking for that specific IP address is directed to the geographically closest server using Border Gateway Protocol (BGP), Open Shorter Path First (OSPF), or Routing Information Protocol (RIP). BlueCat DNS/DHCP Servers use Quagga to participate in Anycast routing for DNS using one of the aforementioned protocols. For more information about Quagga, refer to Quagga documentation at http://www.quagga.net/docs.php.

You can enable/disable Anycast service and configure BGP, OSPF, or RIP on DNS/DHCP Server appliances from the Address Manager user interface.
Attention: Before you proceed to configure Anycast service, you must have DNS service configured and running on the DNS/DHCP Server that will be configured with the Anycast service.

Anycast BGP

Example

#cloud-config
bluecat_service_config:
    payload: |
        {
            "version": "1.0.0",
            "services": {
                "anycast": {
                    "configurations": [
                        {
                            "anycastConfiguration": {
                                "enable": true,
                                "bgp: {
                                    "localAsn": 64999,
                                    "ip": "127.0.0.1",
                                    "enableBgpCli": true,
                                    "bgpCliPassword": "bgp",
                                    "keepAlive": 60,
                                    "holdTime": 180,
                                    "remoteAsnInIp4": 1,
                                    "ip4BgpPeer": "10.0.0.1",
                                    "ip4HopLimit": 1,
                                    "md5AuthPasswordInIp4": "md5Password",
                                    "announceNextHopSelfToIp4Peer": true,
                                    "remoteAsnInIp6": 1,
                                    "ip6BgpPeer": "FC00::01",
                                    "ip6HopLimit": 5,
                                    "getMd5AuthPasswordInIp6": "md5Password",
                                    "announceNextHopSelfToIp6Peer": true,
                                    "filters: [
                                        {
                                            "name": "INPUTv4",
                                            "action": "permit",
                                            "subnetIpWithCidr": "10.0.0.0/24"
                                        },
                                        {
                                            "name": "INPUTv6",
                                            "action": "deny",
                                            "subnetIpWithCidr": "FC00::/64"
                                        }
                                    ]
                                }
                            }
                        }
                    ]
                }
            }
        }
Parameters
  • enable—set to true to enable BGP anycast service; set to false to disable BGP anycast service.
  • bgp—enter the BGP configuration information.
    • localAsn—enter the local Autonomous System Number allocated for the Autonomous System to which the DNS server belongs.
    • ip—enter a new IPv4 or IPv6 address (without netmask) for the Virtual Loopback interface.
    • enableBgpCli—set to true to configure additional BGP parameters via the Telnet BGP CLI.
    • bgpCliPassword—enter the Telnet password to access the BGP command line interface.
    • keepAlive—enter the frequency in seconds (from 0 to 65535) that keepalive notifications are sent to the BGP peer.
    • holdTime—enter the interval in seconds (from 0 to 65535) after not receiving a keepalive notification that a BGP peer is declared dead.
    • remoteAsnInIp4—enter the ASN of the remote network containing the IPv4 BGP peer (from 1—65534).
    • ip4BgpPeer—enter the IPv4 address of the BGP router peering with the Anycast DNS server.
      Note: Ensure IPv4 communication can be established between this address and the IPv4 address of the Service interface (eth0) configured on the DNS Server. The IPv4 address of the BGP Peer should be on the same subnet or routed to the IPv4 gateway on the DNS Server.
    • ip4HopLimit—enter the number of hops (from 1 to 255) permitted from the Anycast DNS server and its closest peer via IPv4.
    • md5AuthPasswordInIp4—(OPTIONAL) enter the alphanumeric password to enable MD5 authentication in BGP communication with neighboring IPv4 routers.
      Attention: MD5 authentication password requirements

      MD5 authentication requires a case-sensitive alphanumeric password of up to a maximum of 25 characters; no spaces. The following special characters are permitted: @ - . : _ [ ] .

      MD5 authentication with Anycast BGP

      If MD5 authentication passwords are configured incorrectly, the DNS Server won't be able to establish the BGP peering session. BlueCat recommends verifying that the BGP peering session is established after configuring MD5 authentication.

    • announceNextHopSelfToIp4Peer—(Reserved for future-use) if set to true, enables the DNS server to advertise its IPv4 peering address to the BGP peer as the next hop for all IPv4 routes distributed by the DNS server.
      Attention: Announce Next-Hop parameters reserved for future-use

      The current Anycast BGP implementation supports only a single BGP peer per address family (IPv4 and IPv6). As such, enabling the Announce Next-Hop parameter will have no effect on the behavior of the DNS server.

    • remoteAsnInIp6—enter the ASN of the remote network containing the IPv6 BGP peer (from 1—65534).
    • ip6BgpPeer—enter the IPv6 address of the BGP router peering with the Anycast DNS server.
      Note: Ensure IPv6 communication can be established between this address and the IPv6 address of the Service interface (eth0) configured on the DNS Server. The IPv6 address of the BGP Peer should be on the same subnet or routed to the IPv6 gateway on the DNS Server.
    • ip6HopLimit—enter the number of hops (from 1 to 255) permitted from the Anycast DNS server and its closest peer via IPv6.
    • getMd5AuthPasswordInIp6—(OPTIONAL) enter the alphanumeric password to enable MD5 authentication in BGP communication with neighboring IPv6 routers.
      Attention: MD5 authentication password requirements

      MD5 authentication requires a case-sensitive alphanumeric password of up to a maximum of 25 characters; no spaces. The following special characters are permitted: @ - . : _ [ ] .

      MD5 authentication with Anycast BGP

      If MD5 authentication passwords are configured incorrectly, the DNS Server won't be able to establish the BGP peering session. BlueCat recommends verifying that the BGP peering session is established after configuring MD5 authentication.

    • announceNextHopSelfToIp6Peer—(Reserved for future-use) if set to true, enables the DNS server to advertise its IPv6 peering address to the BGP peer as the next hop for all IPv6 routes distributed by the DNS server.
      Attention: Announce Next-Hop parameters reserved for future-use

      The current Anycast BGP implementation supports only a single BGP peer per address family (IPv4 and IPv6). As such, enabling the Announce Next-Hop parameter will have no effect on the behavior of the DNS server.

    • filters—enter the configuration information for Anycast BGP Prefix lists.
      • name—enter the name of the filter. The name must be either INPUTv4, OUTPUTv4, INPUTv6, or OUTPUTv6.
      • action—enter the action of the filter. The action must be either permit or deny.
      • subnetIpWithCidr—enter the IPv4/IPv6 address and netmask <IPv4/IPv6address/netmask> to be filtered.

Anycast OSPF

Example

#cloud-config
bluecat_service_config:
    payload: |
        {
            "version": "1.0.0",
            "services": {
                "anycast": {
                    "configurations": [
                        {
                            "anycastConfiguration": {
                                "enable": true,
                                "ospf: {
                                    "authenticationKey": "authKey",
                                    "ip4": 10.0.0.1,
                                    "authenticate": true,
                                    "password": "authPassword",
                                    "deadInterval": 60,
                                    "helloInterval": 30,
                                    "areaId": 0.0.0.1,
                                    "stub": true
                                }
                            }
                        }
                    ]
                }
            }
        }
Parameters
  • enable—set to true to enable OSPF anycast service; set to false to disable OSPF anycast service.
  • ospf—enter the OSPF configuration information.
    • authenticationKey—enter an authentication key used to encrypt OSPF routing information. The authentication key is used to compute the MD5 hash that is used to authenticate OSPF packets. The authentication key is cleartext and can be a maximum of 16 characters.
    • ip4—enter the IPv4 address (without netmask).
    • authenticate—set to true to enable authentication; set to false to disable authentication. If set to true, you must enter a password.
    • password—enter a password for authentication.
    • deadInterval—enter the length of time (in seconds) that the peer/neighbor router will maintain a route to the primary router in the absence of hello messages.
    • helloInterval—enter the length of time (in seconds) that the primary router contacts its peer/neighbor to indicate it's still active.
    • areaId—enter the value of the OSPF area as either a 32-bit unsigned integer, or a 32-bit dotted decimal. For example, 1, 0.0.0.1 (default), or 192.168.1.1.
    • stub—set to true to specify use of an OSPF subnet.

Anycast RIP

Example

#cloud-config
bluecat_service_config:
    payload: |
        {
            "version": "1.0.0",
            "services": {
                "anycast": {
                    "configurations": [
                        {
                            "anycastConfiguration": {
                                "enable": true,
                                "rip: {
                                    "ip4": 64999,
                                    "authenticate": "127.0.0.1",
                                    "password": true
                                }
                            }
                        }
                    ]
                }
            }
        }
Parameters
  • enable—set to true to enable RIP anycast service; set to false to disable RIP anycast service.
  • rip—enter the RIP configuration information.
    • ip4—enter the IPv4 address of the Anycast DNS server.
    • authenticate—set to true to enable authentication; set to false to disable authentication. If set to true, you must enter a password.
    • password—enter a password for authentication.