BGP.guru

Nerd blog.

14 Oct 2022

exabgp 4.x, anycast, and healthchecks

This is the fifth post in a blog series about DNS. It covers the changes in exabgp 4.x and how its built-in healthcheck works.

Getting Started

I guess the easiest way to begin is to lay out a sample config.

This example advertises 100.64.100.64 from 192.0.2.135/2001:db8::135. Extrapolate this out sideways to meet your needs.

/etc/dnsdist/dns-lb-1

This config sets up a healthcheck on 100.64.100.64 and advertises it with a next-hop of 192.0.2.135. It checks every 5 seconds, and every 1 second while the state is changing. It takes 5 successful checks to be considered up and 2 failed checks to be considered down. I’m specifying the next-hop because this is an IPv4/IPv6 multi address-family BGP session (which makes IPv6 next-hops just work better). We’re also specifying withdraw-on-down, which pulls the IP from BGP rather than lowering the metric.

silent
name = dns-lb-1
ip = 100.64.100.64/32
next-hop = 192.0.2.135
command = dig @100.64.100.64 a.root-servers.net. a +short
disable = /etc/exabgp/healthcheck_dns-lb-1.disable
withdraw-on-down
interval = 5
fast-interval = 1
rise = 5
fall = 2
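
The timing these four settings produce, as an added example: a simplified model written around this post's values, not exabgp's own code. The state names and the rule that fast-interval applies while a change is pending are assumptions taken from the description above.

```python
"""Simplified model of the interval/fast-interval/rise/fall settings.
Not exabgp's implementation; state names and sleep rule are assumptions."""


def simulate(results, state="UP", interval=5, fast=1, rise=5, fall=2):
    """Replay check results (True = check command succeeded) and return the
    (seconds, new_state) transitions. Defaults mirror the dns-lb-1 config."""
    t, streak, transitions = 0, 0, []

    def move(new_state):
        nonlocal state
        if new_state != state:
            state = new_state
            transitions.append((t, state))

    for ok in results:
        if state in ("UP", "RISING") and not ok:
            streak = 1                      # first failure starts the fall count
            move("DOWN" if fall <= 1 else "FALLING")
        elif state in ("DOWN", "FALLING") and ok:
            streak = 1                      # first success starts the rise count
            move("UP" if rise <= 1 else "RISING")
        elif state == "RISING":             # another success while rising
            streak += 1
            if streak >= rise:
                move("UP")
        elif state == "FALLING":            # another failure while falling
            streak += 1
            if streak >= fall:
                move("DOWN")                # withdraw-on-down pulls the route here
        # Steady UP with success, or DOWN with failure: nothing changes.
        # Assumed sleep rule: fast-interval while a state change is pending.
        t += fast if state in ("RISING", "FALLING") else interval
    return transitions


if __name__ == "__main__":
    # Constructed inputs: a hard outage followed by recovery, then a one-check blip.
    outage = [False, False] + [True] * 5
    blip = [False] + [True] * 5
    print("outage:", simulate(outage))
    print("blip:  ", simulate(blip))
```

With these values a real outage reaches the down state one second after the first failed check, while a single failed check never does, and coming back from down takes five consecutive successes.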

Additional Options

python3 -m exabgp healthcheck --help

Running this shows all of the additional options. Production use will likely need up-metric and perhaps community or large-community.

These options can be specified in the configuration file or on the CLI (e.g. --up-metric or --community). We’re using the config file here.

exabgp.conf

process dns-lb-1 {
  run python3 -m exabgp healthcheck --config /etc/exabgp/dns-lb-1;
  encoder text;
}

neighbor 2001:db8::1 {
  description "Will announce anycasted DNS service routes";

  router-id 192.0.2.135;
  local-address 2001:db8::135;
  local-as 65053;
  peer-as 65000;
  hold-time 30;

  family {
    ipv4 unicast;
    ipv6 unicast;
  }
  api services {
#    processes [ dns-lb-1, dns-lb-2, dns-lb-3, dns-lb-4 ];
    processes [ dns-lb-1 ];
  }
}

Disabling BGP advertisements is as simple as touching the file listed in the disable option. This is handy before reboots: it takes BGP down gracefully so traffic fails over to other servers. Routes are pulled almost immediately.


Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.