Jan Chrillesen jan at chrillesen.dk
Wed Apr 10 17:48:40 UTC 2019

I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
I'm facing two issues. The first one is that traffic is being sourced
from the outgoing interface, and it isn't possible to specify a source
interface (like a loopback interface). It's the same issue as described

The second one is the lack of documentation for using RPKI validation in
VRFs - is it even supported? I made the following config:

router bgp xxxxx
 rpki server 212.x.y.z
  transport tcp port 3323
  refresh-time 600

 vrf internet
  bgp bestpath origin-as use validity
  bgp bestpath origin-as allow invalid
  address-family ipv4 unicast
   bgp origin-as validation signal ibgp

Connection to the validator (Routinator 3000) seems fine:

#sh bgp rpki summary
Wed Apr 10 19:39:46.294 CEST

RPKI cache-servers configured: 1
RPKI database
  Total IPv4 net/path: 64091/68179
  Total IPv6 net/path: 11324/12344

If I check the validity of a route received from a peer on the router I

#sh bgp vrf internet x.y.0.0/19
      Origin-AS validity: (disabled)

I would expect the validity to be valid, invalid or not found.

Also updated the ingress route-map of the peer to check for
validation-state, but I would expect that the route should have a
validity even if I don't do anything with it in the route map.

Found this old post
but it didn't provide any hints as to whether validation is even supported
in VRFs on XR.

(To those who might suggest I run my peers in GRT - it's not currently
an option)

- Jan
