IOS XR - RPKI errors

Hi,

We would like to set up RPKI, but we are facing these errors when we try to set up and commit a route-policy to check the RPKI validation state on IPs.

route-policy RP_RPKI in
!!% Could not find entry in list: Policy [RP_RPKI] uses the 'validation-state' attribute. There is no 'validation-state' attribute at the bgp neighbor-out-dflt attach point.
   route-policy RP_RPKI out
!!% Could not find entry in list: Policy [RP_RPKI] uses the 'validation-state' attribute. There is no 'validation-state' attribute at the bgp neighbor-out-dflt attach point.
  !

 

The route policy configuration is:

 

route-policy RP_RPKI1
if validation-state is invalid then
set community ($OWNASN:30) additive
drop
elseif validation-state is not-found then
set community ($OWNASN:20)
else
set community ($OWNASN:10)
endif
end-policy

 

Our IOS XR version is 6.4.2 on RSP 440.

 

Many thanks!

 


Hello,

 

looking at what you have posted, the name of the route policy is:

 

route-policy RP_RPKI1

 

What you are attaching to your neighbor is:

 

route-policy RP_RPKI in

 

Make sure that you do not simply have a typo...

Hi,

 

Thanks for the reply. I made a wrong copy-paste because I created two RPKI route-policies; the correct route policy is:

route-policy RP_RPKI
if validation-state is invalid then
set community ($OWNASN:30) additive
drop
elseif validation-state is not-found then
set community ($OWNASN:20)
else
set community ($OWNASN:10)
endif
end-policy 

Do you have any idea?

 

Thanks,

That would have been too easy I guess..:)

 

I'll look further.

askoglund (Level 1), accepted solution

It seems it complains about the fact that you are trying to apply it as the outgoing policy to check validation state, which should be done in the incoming policy (which you have also applied). Are you trying to apply this to an iBGP neighbor?

Also, have you enabled validation for the AF? (bgp origin-as validation enable)
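
As an added example (not code from the thread or from Cisco), the Python below shows how the three `validation-state` values tested by RP_RPKI are derived under RFC 6811 and what the policy then does with each route. The VRP list, the sample routes and the value 64500 standing in for `$OWNASN` are constructed assumptions.

```python
import ipaddress

OWN_ASN = 64500  # assumption: stands in for $OWNASN in the thread's policy

# Constructed VRPs (prefix, maxLength, origin AS), as an RPKI cache would send them.
VRPS = [
    ("203.0.113.0/24", 24, 64496),
    ("10.10.0.0/16", 20, 64497),
    ("2001:db8::/32", 48, 64498),
    ("192.0.2.0/24", 24, 0),  # AS 0: prefix should not be originated by anyone
]

def validation_state(prefix, origin_as, vrps=VRPS):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route only if the route is equal to or more specific.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # A match needs the same origin AS and a length within maxLength.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"

def rp_rpki(prefix, origin_as):
    """Mirror RP_RPKI from the thread: return (accepted, community)."""
    state = validation_state(prefix, origin_as)
    if state == "invalid":
        return False, f"{OWN_ASN}:30"  # tagged, then dropped
    if state == "not-found":
        return True, f"{OWN_ASN}:20"
    return True, f"{OWN_ASN}:10"

if __name__ == "__main__":
    # Constructed routes: (prefix, origin AS taken from the AS path).
    routes = [("203.0.113.0/24", 64496), ("10.10.1.0/24", 64497),
              ("203.0.113.0/24", 64511), ("172.16.0.0/16", 64499)]
    for prefix, asn in routes:
        print(prefix, asn, validation_state(prefix, asn), rp_rpki(prefix, asn))
```

The second sample route has the right origin AS but is longer than the VRP's maxLength, so it is invalid and dropped rather than not-found.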
