01-03-2017 05:57 PM - edited 03-05-2019 07:47 AM
I am trying to configure RPKI in Cisco ASR1001 with IOS XE, Version 03.16.03.S. I create
route-map ROUTE-VALIDATION permit 10
match rpki invalid
set local-preference 90
!
route-map ROUTE-VALIDATION permit 20
match rpki not-found
set local-preference 100
!
route-map ROUTE-VALIDATION permit 30
match rpki valid
set local-preference 110
and add it to the neighbor:
neighbor 202.125.97.254 route-map ROUTE-VALIDATION in
But the router tags all prefixes as Valid.
# show ip bgp
V*>i 1.0.64.0/18 202.125.97.254 0 110 0 4608 1221 4637 2516 7670 18144 i
V*>i 1.0.128.0/24 202.125.97.254 0 110 0 4608 1221 4637 3491 38040 23969 ?
V*>i 1.0.128.0/19 202.125.97.254 0 110 0 4608 1221 4637 3491 38040 9737 i
V*>i 1.0.128.0/18 202.125.97.254 0 110 0 4608 1221 4637 3491 38040 9737 i
# show ip bgp 1.0.64.0/18
BGP routing table entry for 1.0.64.0/18, version 1520530
Paths: (1 available, best #1, table default)
Not advertised to any peer
Refresh Epoch 1
4608 1221 4637 2516 7670 18144, (aggregated by 18144 219.118.225.17)
202.125.97.254 (metric 1) from 202.125.97.254 (202.125.97.254)
Origin IGP, metric 0, localpref 110, valid, internal, best
Community: 302000988
path 7FBDADCB8C78 RPKI State valid
rx pathid: 0, tx pathid: 0x0
# show bgp ipv4 unicast rpki servers
BGP SOVC neighbor is 202.125.96.50/323 connected to port 323
Any idea?
01-04-2017 12:51 AM
Hello,
do you have an address family configured? Post the config of your router, you might have missed something...
01-04-2017 02:08 AM
Hello,
current config:
router bgp 45192
bgp rpki server tcp 202.125.96.47 port 323 refresh 120
neighbor IPv4-iBGP-AS45192 peer-group
neighbor IPv4-iBGP-AS45192 remote-as 45192
neighbor IPv4-iBGP-AS45192 update-source Loopback0
neighbor 202.125.97.254 peer-group IPv4-iBGP-AS45192
!
address-family ipv4
neighbor IPv4-iBGP-AS45192 next-hop-self
neighbor 202.125.97.254 activate
neighbor IPv4-iBGP-AS45192 route-map ROUTE-VALIDATION in
exit-address-family
!
route-map ROUTE-VALIDATION permit 10
match rpki invalid
set local-preference 90
!
route-map ROUTE-VALIDATION permit 20
match rpki not-found
set local-preference 100
!
route-map ROUTE-VALIDATION permit 30
match rpki valid
set local-preference 110
01-04-2017 04:19 AM
Hello,
the config looks good. Since it is not working however, try to add the lines in bold:
router bgp 45192
bgp rpki server tcp 202.125.96.47 port 323 refresh 120
neighbor IPv4-iBGP-AS45192 peer-group
neighbor IPv4-iBGP-AS45192 remote-as 45192
neighbor IPv4-iBGP-AS45192 update-source Loopback0
neighbor 202.125.97.254 peer-group IPv4-iBGP-AS45192
neighbor 202.125.97.254 send-community extended
neighbor 202.125.97.254 announce rpki state
01-04-2017 11:31 AM
Hello,
No luck, still same. All prefixes are Valid.
By the way "announce rpki state" is for sending RPKI state to iBGP neighbor via extended community. Not for validating the prefixes.
01-04-2017 12:02 PM
Hello Fakrul,
my bad, I thought your problem was that another iBGP neighbor doesn't get the state.
Either way, you are trying to validate the routes with an iBGP neighbor, which is not going to work, as RPKI is supposed to validate routes from eBGP neighbors (in order to prevent prefix hijacking).
So, in short, RPKI works for eBGP, not iBGP.
01-04-2017 03:39 PM
I am not sure whether Cisco has a different implementation. I have a separate iBGP session for the same AS with GoBGP and RPKI validation works perfectly there:
fakrul@gobgp:~$ gobgp neigh
Peer AS Up/Down State |#Received Accepted
202.125.97.254 45192 1d 00:00:33 Establ | 640654 640654
2001:df2:ee01::1 45192 1d 00:00:29 Establ | 115848 115848
fakrul@gobgp:~$ gobgp global rib
N*> 37.123.24.0/24 202.12.29.113 4608 1221 4637 6762 34984 23:57:49 [{Origin: ?} {Med: 0} {LocalPref: 105} {Communities: 4608:11100}]
N*> 37.123.25.0/24 202.12.29.113 4608 1221 4637 6762 34984 23:57:49 [{Origin: ?} {Med: 0} {LocalPref: 105} {Communities: 4608:11100}]
N*> 37.123.26.0/24 202.12.29.113 4608 1221 4637 6762 34984 23:57:49 [{Origin: ?} {Med: 0} {LocalPref: 105} {Communities: 4608:11100}]
N*> 37.123.27.0/24 202.12.29.113 4608 1221 4637 6762 34984 23:57:49 [{Origin: ?} {Med: 0} {LocalPref: 105} {Communities: 4608:11100}]
ASBR router doesn't support RPKI; that's why I am trying with one iBGP router; change the localpref and influence traffic of ASBR.
I will try with eBGP session.
Thanks
Fakrul
01-04-2017 11:58 AM
It seems you are validating iBGP learnt routes rather than eBGP learnt routes. Once the ROA entries are populated in the RPKI table, eBGP paths are then validated for Origin AS against those ROA entries.
It doesn't look like you are performing the validation on the edge router which is receiving the Internet routes?
Please refer to RPKI validation and IBGP announcement in Cisco Press book on Troubleshooting BGP.
Hope this helps.
Regards
Vinit
01-04-2017 04:40 PM
Tested with eBGP sessions. Looks ok. Prefixes are tagged properly.
Thanks
Fakrul
01-04-2017 08:24 PM
I checked rfc6811#section-2 and it says:
When a BGP speaker receives an UPDATE from a neighbor, it SHOULD perform a lookup as described above for each of the Routes in the UPDATE message. The lookup SHOULD also be applied to routes that are redistributed into BGP from another source, such as another protocol or a locally defined static route.
So it should behave the same for iBGP / eBGP. I tested with Juniper & GoBGP and it's completely fine.
Thanks
Fakrul
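A small model of the RFC 6811 section 2 lookup quoted above, with the thread's three-clause ROUTE-VALIDATION route-map applied to the result. This is an added example, not code from the thread or from any vendor; the ROA table and sample paths are constructed, and origin-AS derivation is simplified to AS_SEQUENCE-only paths (an AS_SET origin is modelled as None, which never matches a ROA, as the RFC specifies).

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed ROA table (not from the thread): (prefix, maxLength, origin AS).
ROAS: List[Tuple[str, int, int]] = [
    ("1.0.64.0/18", 18, 18144),      # matches the 1.0.64.0/18 path shown in the thread
    ("37.123.24.0/22", 24, 34984),   # covers the 37.123.24-27.0/24 routes, max /24
    ("37.123.24.0/24", 24, 64496),   # second ROA for the same space, different AS
]

# The route-map from the thread: RPKI state -> local-preference.
ROUTE_MAP = {"invalid": 90, "not-found": 100, "valid": 110}


def origin_as(as_path: List[int]) -> Optional[int]:
    """Rightmost AS of an AS_SEQUENCE path; None when the path is empty/AS_SET."""
    return as_path[-1] if as_path else None


def validate(prefix: str, origin: Optional[int], roas=ROAS) -> str:
    """RFC 6811 sec. 2: no covering ROA -> not-found; a covering ROA whose
    maxLength and AS match -> valid; covering ROAs but no match -> invalid."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, roa_as))
    if not covering:
        return "not-found"
    for max_len, roa_as in covering:
        if net.prefixlen <= max_len and origin is not None and origin == roa_as:
            return "valid"
    return "invalid"


def apply_route_map(prefix: str, as_path: List[int]) -> dict:
    """Apply the lookup to a received path regardless of iBGP/eBGP source,
    as RFC 6811 SHOULD-requires, and set local-pref per the route-map."""
    state = validate(prefix, origin_as(as_path))
    return {"prefix": prefix, "rpki": state, "local_pref": ROUTE_MAP[state]}


if __name__ == "__main__":
    # Sample paths, the first two taken from the outputs in the thread.
    for p, path in [("1.0.64.0/18", [4608, 1221, 4637, 2516, 7670, 18144]),
                    ("37.123.25.0/24", [4608, 1221, 4637, 6762, 34984]),
                    ("37.123.25.0/24", [4608, 64500]),
                    ("1.0.64.0/20", [4608, 18144]),
                    ("10.0.0.0/8", [64496])]:
        print(apply_route_map(p, path))
```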
11-17-2018 12:58 PM
Hi Fakrul
Have you got a chance to solve it with your cisco equipment?
I'm facing a similar problem and I'll be glad if you could share some of your experience.
Thanks
David
10-02-2017 10:45 AM
Hi Fakrul
Please could you send me your Skype to my email maile.halatuituia@tcc.to. I want to ask a question.