[c-nsp] Unicast as Anycast

Gert Doering gert at greenie.muc.de
Mon Nov 25 09:33:36 EST 2013


Hi,

On Mon, Nov 25, 2013 at 02:06:30PM +0100, JJ wrote:
> I'm looking to make some tests with anycast (for DDoS mitigation). Has
> someone tried to achieve this with unicast IPs?
> 
> You know it's not possible to get more IP assignments from RIPE, and after
> asking RIPE for anycast assignments, they told me we still could use
> unicast for this purpose.
> It sounds a bit weird to me... but I made a try and configured a /24 being
> announced in our AS (different ASN) in Miami and Madrid (Spain), then I just
> asked my carriers to open their filters and... It doesn't work.
> 
> Have you ever tried a configuration like this? (and successful :) ), or,
> perhaps, am I trying the impossible?

There are no "anycast" IPs in IPv4.  There are just unicast networks announced
from multiple places, and that works great :-)

The "anycast" thing in the RIPE policies is "if you plan to do anycast
deployment, and have no existing addresses you can use for that, there 
was a special policy to give out /24s from a well-known block for that
particular purpose".  It's still unicast IPs.

If it's not working for you, you're likely missing route: objects (so your
announcements are getting filtered), or you're trying TCP traffic with
some loadbalancing in the mix, with half the packets going to the one
site and the other half going to the other site -> TCP won't work.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
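
Added example, not part of the original message: a check for the first failure cause named above, a missing route: object for one of the announcing origins. The prefix, ASNs and registry text are constructed documentation values, and the exact prefix-plus-origin match is an assumption about how the upstream builds its filter.

```python
import ipaddress

# Constructed IRR (RPSL) data using documentation prefixes and ASNs;
# these are not real registry objects.
SAMPLE_IRR = """\
route:          192.0.2.0/24
descr:          Example anycast prefix (constructed)
origin:         AS64500
mnt-by:         EXAMPLE-MNT
source:         RIPE

route:          198.51.100.0/24
origin:         AS64501
source:         RIPE
"""

def parse_route_objects(text):
    """Return a set of (network, origin ASN) pairs from RPSL route: objects."""
    routes = set()
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            # Skip whois comment lines and anything that is not "key: value".
            if line.startswith(("#", "%")) or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"])
            routes.add((net, attrs["origin"].upper()))
    return routes

def filtered_announcements(announcements, routes):
    """Return (site, prefix, origin) entries with no matching route: object.

    Assumption: the upstream filter requires an exact prefix and origin match.
    """
    return [
        (site, prefix, origin)
        for site, prefix, origin in announcements
        if (ipaddress.ip_network(prefix), origin.upper()) not in routes
    ]

# The same /24 originated at two sites from different ASNs, as in the question.
ANNOUNCEMENTS = [
    ("Madrid", "192.0.2.0/24", "AS64500"),
    ("Miami", "192.0.2.0/24", "AS64501"),
]

if __name__ == "__main__":
    routes = parse_route_objects(SAMPLE_IRR)
    for site, prefix, origin in filtered_announcements(ANNOUNCEMENTS, routes):
        print(f"{site}: no route: object for {prefix} origin {origin}")
```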