[RPKI] RPKI on IOS-XR and VRF's
Jan Chrillesen
jan at chrillesen.dk
Wed Apr 10 17:48:40 UTC 2019
I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
I'm facing two issues. The first one is that traffic is being sourced
from the outgoing interface, and it isn't possible to specify a source
interface (like a loopback interface). It's the same issue as described
here
https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
The second one is the lack of documentation for using RPKI validation in
VRFs - is it even supported? I made the following config:
router bgp xxxxx
 rpki server 212.x.y.z
  transport tcp port 3323
  refresh-time 600
 vrf internet
  [...]
  bgp bestpath origin-as use validity
  bgp bestpath origin-as allow invalid
  address-family ipv4 unicast
   [...]
   bgp origin-as validation signal ibgp
Connection to the validator (Routinator 3000) seems fine:
#sh bgp rpki summary
Wed Apr 10 19:39:46.294 CEST
RPKI cache-servers configured: 1
RPKI database
Total IPv4 net/path: 64091/68179
Total IPv6 net/path: 11324/12344
If I check the validity of a route received from a peer on the router I
get:
#sh bgp vrf internet x.y.0.0/19
[...]
Origin-AS validity: (disabled)
I would expect the validity to be valid, invalid or not found.
I also updated the ingress route-map of the peer to check for
validation-state, but I would expect that the route should have a
validity even if I don't do anything with it in the route map.
Found this old post
https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
but it didn't provide any hints as to whether validation is even supported
in VRFs on XR.
(To those who might suggest I run my peers in GRT - it's not currently
an option)
- Jan
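Added example (not part of Jan's post, and not Cisco or Routinator code): a small Python RTR (RFC 8210) client plus an RFC 6811 origin validator. It parses IPv4/IPv6 Prefix PDUs from a constructed cache response (RFC 5737/3849 documentation prefixes and private ASNs, all made up for the example) and reproduces the valid / invalid / not found decision the router is expected to make for a route, so an operator can cross-check what `show bgp` reports against what the cache actually serves. The `fetch_vrps` helper runs a Reset Query against a live cache on RTR port 3323 (the port used in the config above) and is optional; everything else runs offline.

```python
"""RTR (RFC 8210) prefix-PDU parser and RFC 6811 origin validation.
Example code added to the thread; all sample data below is constructed."""
import struct
from ipaddress import ip_address, ip_network
from typing import Iterable, NamedTuple, Set

# PDU types from RFC 8210 section 5
RTR_RESET_QUERY, RTR_CACHE_RESPONSE, RTR_IPV4_PREFIX = 2, 3, 4
RTR_IPV6_PREFIX, RTR_END_OF_DATA, RTR_ERROR_REPORT = 6, 7, 10
PREFIX_PDU_LEN = {RTR_IPV4_PREFIX: 20, RTR_IPV6_PREFIX: 32}


class VRP(NamedTuple):
    prefix: object      # IPv4Network or IPv6Network
    max_length: int
    asn: int


def encode_prefix_pdu(vrp: VRP, announce: bool = True, version: int = 1) -> bytes:
    """Serialise an IPv4/IPv6 Prefix PDU the way an RTR cache sends it."""
    pdu_type = RTR_IPV4_PREFIX if vrp.prefix.version == 4 else RTR_IPV6_PREFIX
    header = struct.pack("!BBHI", version, pdu_type, 0, PREFIX_PDU_LEN[pdu_type])
    # Flags bit 0: 1 = announce, 0 = withdraw; last byte is reserved zero
    body = struct.pack("!BBBB", 1 if announce else 0, vrp.prefix.prefixlen, vrp.max_length, 0)
    return header + body + vrp.prefix.network_address.packed + struct.pack("!I", vrp.asn)


def parse_prefix_pdus(stream: bytes) -> Set[VRP]:
    """Fold an RTR PDU stream into a VRP set; non-prefix PDUs are skipped."""
    vrps: Set[VRP] = set()
    off = 0
    while off < len(stream):
        if off + 8 > len(stream):
            raise ValueError("truncated PDU header at offset %d" % off)
        _ver, pdu_type, _sid, length = struct.unpack_from("!BBHI", stream, off)
        if length < 8 or off + length > len(stream):
            raise ValueError("bad PDU length %d at offset %d" % (length, off))
        if pdu_type in PREFIX_PDU_LEN:
            if length != PREFIX_PDU_LEN[pdu_type]:
                raise ValueError("prefix PDU with wrong length %d" % length)
            flags, plen, maxlen, _ = struct.unpack_from("!BBBB", stream, off + 8)
            addr_len = 4 if pdu_type == RTR_IPV4_PREFIX else 16
            addr = ip_address(stream[off + 12:off + 12 + addr_len])
            (asn,) = struct.unpack_from("!I", stream, off + 12 + addr_len)
            # strict ip_network rejects a VRP whose host bits are not zero
            vrp = VRP(ip_network("%s/%d" % (addr, plen)), maxlen, asn)
            vrps.add(vrp) if flags & 1 else vrps.discard(vrp)
        off += length
    return vrps


def origin_validation(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 section 2: 'valid', 'invalid' or 'notfound' for one route."""
    route = ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "notfound"                       # no VRP covers the route at all
    if any(v.asn == origin_asn and route.prefixlen <= v.max_length for v in covering):
        return "valid"                          # origin and length both authorised
    return "invalid"                            # covered, but wrong AS or too long


def build_sample_stream() -> bytes:
    """Constructed cache response: three VRPs plus one announced then withdrawn."""
    announced = [VRP(ip_network("192.0.2.0/24"), 24, 64496),
                 VRP(ip_network("198.51.100.0/22"), 24, 64497),
                 VRP(ip_network("2001:db8::/32"), 48, 64496),
                 VRP(ip_network("203.0.113.0/24"), 24, 64496)]
    stream = struct.pack("!BBHI", 1, RTR_CACHE_RESPONSE, 0, 8)
    stream += b"".join(encode_prefix_pdu(v) for v in announced)
    stream += encode_prefix_pdu(announced[3], announce=False)
    # End of Data v1: header, serial, refresh, retry, expire (constructed values)
    stream += struct.pack("!BBHIIIII", 1, RTR_END_OF_DATA, 0, 24, 42, 3600, 600, 7200)
    return stream


def validate_sample() -> dict:
    """Validity per route, keyed 'prefix ASn', from the constructed stream."""
    vrps = parse_prefix_pdus(build_sample_stream())
    routes = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("192.0.2.0/24", 64511),
              ("198.51.100.0/24", 64497), ("203.0.113.0/24", 64496), ("2001:db8:1::/48", 64496)]
    return {"%s AS%d" % r: origin_validation(r[0], r[1], vrps) for r in routes}


def _recv_exact(sock, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("cache closed the connection mid-PDU")
        buf += chunk
    return bytes(buf)


def fetch_vrps(host: str, port: int = 3323, version: int = 1, timeout: float = 30) -> Set[VRP]:
    """Optional live cross-check: Reset Query against a real RTR cache."""
    import socket
    stream = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!BBHI", version, RTR_RESET_QUERY, 0, 8))
        while True:
            header = _recv_exact(sock, 8)
            _ver, pdu_type, _sid, length = struct.unpack("!BBHI", header)
            if length < 8:
                raise ValueError("bad PDU length %d from cache" % length)
            stream += header + _recv_exact(sock, length - 8)
            if pdu_type == RTR_ERROR_REPORT:
                raise RuntimeError("cache sent Error Report: %r" % bytes(stream[-length:]))
            if pdu_type == RTR_END_OF_DATA:
                return parse_prefix_pdus(bytes(stream))


if __name__ == "__main__":
    for route, state in validate_sample().items():
        print(route, state)
```

The 192.0.2.0/25 case is the one worth remembering when reading router output: a covering ROA with the right origin still yields invalid once the announced length exceeds maxLength. To compare against the cache from the post, `fetch_vrps("212.x.y.z")` (elided address as in the post) returns the same VRP set the router loaded, and `origin_validation` on the peer's prefix gives the state the router should show once validation is actually active for that VRF.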