
RPKI Validation for neighbors in VRFs

marcus.eide
Level 1

Hi,

I'm using a few ASR9006s running IOS XR Version 5.3.1, and I'm trying to get RPKI Validation working for neighbors inside a VRF.

 

My config looks something like this:

router bgp ASN
 nsr
 bgp router-id x.x.x.x
 rpki server y.y.y.y
  transport tcp port 8282
  refresh-time 600
 !
 bgp bestpath origin-as use validity
 bgp bestpath origin-as allow invalid
 !
 vrf VRF
  rd x.x.x:100
  neighbor x.x.x.x
   remote-as xxxx
   address-family ipv4 unicast
    route-policy rpki-test in
   !

 

The RPKI Validation server is up and caching ROAs:

RP/0/RSP1/CPU0:router#show bgp rpki server summary 
Thu Aug 27 09:57:56.875 CET

Hostname/Address        Transport       State           Time            ROAs (IPv4/IPv6)
x.x.x.x              TCP:8282        ESTAB           18:55:02        14413/2123

RP/0/RSP1/CPU0:router#

 

However, I cannot see any RPKI Validation states on the prefix I receive from peers:

 

RP/0/RSP1/CPU0:router#show bgp vrf VRF ipv4 unicast x.x.x.x/x
Thu Aug 27 09:59:53.474 CET
BGP routing table entry for x.x.x.x/x, Route Distinguisher: x.x.x.x:100
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker               1612        1612
    Local Label: 289992
Last Modified: Aug 26 16:24:06.528 for 17:35:46
Paths: (2 available, best #2)
  Advertised to PE peers (in unique update groups):
    x.x.x.x   
  Path #1: Received by speaker 0
  Not advertised to any peer
  XXX
    x.x.x.x from x.x.x.x (x.x.x.x)
      Origin IGP, metric 18, localpref 140, valid, external
      Received Path ID 0, Local Path ID 0, version 0
      Community: 64999:4 64999:140
      Extended community: RT:XXXX:100 
  Path #2: Received by speaker 0
  Advertised to PE peers (in unique update groups):
    x.x.x.x   
  XXXX
    x.x.x.x from x.x.x.x (x.x.x.x)
      Origin IGP, metric 17, localpref 140, valid, external, best, group-best, import-candidate
      Received Path ID 0, Local Path ID 1, version 1612
      Community: 64999:4 64999:140
      Extended community: RT:XXXX:100 
RP/0/RSP1/CPU0:router#

  

But for peers in default-vrf it works fine:

RP/0/RSP1/CPU0:router#show bgp ipv4 unicast 172.16.0.0/24
Thu Aug 27 09:46:54.486 CET
BGP routing table entry for 172.16.0.0/24
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                 85          85
Last Modified: Aug 27 09:46:42.521 for 00:00:12
Paths: (1 available, best #1)
  Advertised to peers (in unique update groups):
    x.x.x.x   
  Path #1: Received by speaker 0
  Advertised to peers (in unique update groups):
    x.x.x.x  
  65000
    10.20.201.170 from 10.20.201.170 (10.20.201.170)
      Origin IGP, localpref 100, valid, external, best, group-best, import-candidate
      Received Path ID 0, Local Path ID 1, version 85
      Origin-AS validity: not-found <<<<<<<<<<<<<<<<<<<<< Validation not-found, as expected
RP/0/RSP1/CPU0:router#

 

Am I missing something or is this just not supported?
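
A way to check the symptom described in this post across saved `show bgp` output, as an added example that is not part of the original post: it reports, per path, the `Origin-AS validity` state or the absence of one. The sample text is constructed from the output format shown above (documentation addresses and AS numbers), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the two outputs in the post (documentation
# addresses and AS numbers, not real routes). Path #1 has no validation
# state, as in the VRF output; path #2 carries one, as in the default table.
SAMPLE = """\
BGP routing table entry for 192.0.2.0/24, Route Distinguisher: 198.51.100.1:100
Paths: (2 available, best #2)
  Path #1: Received by speaker 0
  Not advertised to any peer
  64500
    203.0.113.1 from 203.0.113.1 (203.0.113.1)
      Origin IGP, metric 18, localpref 140, valid, external
      Received Path ID 0, Local Path ID 0, version 0
  Path #2: Received by speaker 0
  64501
    203.0.113.5 from 203.0.113.5 (203.0.113.5)
      Origin IGP, metric 17, localpref 140, valid, external, best
      Received Path ID 0, Local Path ID 1, version 1612
      Origin-AS validity: not-found
"""

PATH_RE = re.compile(r"^\s*Path #(\d+):")
VALIDITY_RE = re.compile(r"^\s*Origin-AS validity:\s*([\w-]+)")


def path_validity(show_output):
    """Map each path number to its Origin-AS validity state, or None if
    no validation state was printed for that path."""
    states, current = {}, None
    for line in show_output.splitlines():
        m = PATH_RE.match(line)
        if m:
            current = int(m.group(1))
            states[current] = None
            continue
        m = VALIDITY_RE.match(line)
        if m and current is not None:
            states[current] = m.group(1)
    return states


def unvalidated_paths(show_output):
    """Path numbers with no validation state at all. The 'valid' keyword on
    the attribute line is BGP path validity, not the RPKI state, so it is
    deliberately not matched."""
    return [n for n, s in path_validity(show_output).items() if s is None]


if __name__ == "__main__":
    print(path_validity(SAMPLE))
    print("no RPKI state on paths:", unvalidated_paths(SAMPLE))
```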

 
