01-21-2020 12:09 AM
Hi,
We would like to setup RPKI but we are facing to these errors when we try top setup and commit a route-policy to check RPKI validation state on IPs.
route-policy RP_RPKI in !!% Could not find entry in list: Policy [RP_RPKI] uses the 'validation-state' attribute. There is no 'validation-state' attribute at the bgp neighbor-out-dflt attach point. route-policy RP_RPKI out !!% Could not find entry in list: Policy [RP_RPKI] uses the 'validation-state' attribute. There is no 'validation-state' attribute at the bgp neighbor-out-dflt attach point. !
The route policy configuration is :
route-policy RP_RPKI1 if validation-state is invalid then set community ($OWNASN:30) additive drop elseif validation-state is not-found then set community ($OWNASN:20) else set community ($OWNASN:10) endif end-policy
Our IOS XR version is 6.4.2 on RSP 440.
Many thanks !
Solved! Go to Solution.
01-21-2020 10:52 AM
It seems it complains on the fact that you are trying to apply it on the outgoing policy to check validation state which should be done in the incoming policy (which you also have applied). Are you trying to apply this to an iBGP neighbor ?
Also, have you enabled validation for the AF? (bgp origin-as validation enable)
01-21-2020 01:26 AM
Hello,
looking at what you have posted, the name of the route policy is:
route-policy RP_RPKI1
What you are attaching to your neighbor is:
route-policy RP_RPKI in
Make sure that you do not simply have a typo...
01-21-2020 06:24 AM
Hi,
Thanks for the reply, I made a wrong copy paste because I created two RPKI route-policy , the correct route policy is :
route-policy RP_RPKI if validation-state is invalid then set community ($OWNASN:30) additive drop elseif validation-state is not-found then set community ($OWNASN:20) else set community ($OWNASN:10) endif end-policy
Do you have any idea ?
Thanks,
01-21-2020 07:00 AM
That would have been too easy I guess..:)
I'll look further.
01-21-2020 10:52 AM
It seems it complains on the fact that you are trying to apply it on the outgoing policy to check validation state which should be done in the incoming policy (which you also have applied). Are you trying to apply this to an iBGP neighbor ?
Also, have you enabled validation for the AF? (bgp origin-as validation enable)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide