ASR 9006 RPKI server in not default vrf

Serg_tsk

Dear colleagues, I've tried to implement RPKI validation on an ASR 9006 with IOS XR 6.4.2 32-bit (RSP-440-SE) and it failed.

All of my infra devices and management networks are placed into VRF "fake". I have a RIPE rpki-validator server in VRF fake. Can I specify the rpki server option with a VRF? I didn't find how to do it. ( https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/routing/configuration/guide/b-routing-cg-asr9000-64x/b-routing-cg-asr9000-64x_chapter_010.html#task_40A84643C72641E2A09372847AA68F30 )

2nd question: all my external peers are placed into VRF "ext". Can the ASR check prefixes which were received from a non-default VRF? ( https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218 )

 

Thank you. With best regards

Sergey

3 Replies

decode.chr13

Hi,

Did you manage to solve the RPKI in a VRF issue?

Maybe this helps...?

router bgp <asn>
 vrf ext
  bgp origin-as validation signal ibgp
  bgp bestpath origin-as use validity
  bgp bestpath origin-as allow invalid
  address-family ipv4 unicast
   bgp origin-as validation enable
   bgp origin-as validation signal ibgp
  !
  address-family ipv6 unicast
   bgp origin-as validation enable
   bgp origin-as validation signal ibgp
  !
!

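To make concrete what "origin-as validation" and the two bestpath knobs in the config above actually decide, here is an added example (not from this thread or from Cisco): the RFC 6811 classification of a received route against a constructed VRP set, plus a simplified model of "use validity" and "allow invalid" in path selection. The VRP table, prefixes and ASNs are constructed sample data.

```python
from ipaddress import ip_network

# Constructed VRPs (validated ROA payloads) as a validator would send over RTR:
# (ROA prefix, maxLength, origin ASN)
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

def origin_validate(prefix, origin_as, vrps=VRPS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in vrps:
        roa = ip_network(roa_prefix)
        if roa.version != net.version:
            continue
        # A VRP covers the route when the route prefix lies inside the ROA prefix.
        if not net.subnet_of(roa):
            continue
        covered = True
        # Matching VRP: same origin AS and prefix length within maxLength.
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    # Covered but no matching VRP -> invalid; no covering VRP at all -> notfound.
    return "invalid" if covered else "notfound"

# Simplified model of 'bgp bestpath origin-as use validity': valid > notfound > invalid.
VALIDITY_RANK = {"valid": 0, "notfound": 1, "invalid": 2}

def best_path(prefix, paths, allow_invalid=False):
    """paths: list of (origin_as, local_pref) for one prefix.
    Without allow_invalid (model of 'bgp bestpath origin-as allow invalid'),
    invalid paths are not eligible at all. Returns (origin_as, state) or None."""
    eligible = []
    for origin_as, local_pref in paths:
        state = origin_validate(prefix, origin_as)
        if state == "invalid" and not allow_invalid:
            continue
        # Sort key: validity first, then higher local-pref wins.
        eligible.append((VALIDITY_RANK[state], -local_pref, origin_as, state))
    if not eligible:
        return None
    eligible.sort()
    _, _, origin_as, state = eligible[0]
    return (origin_as, state)
```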
Thank you for your reply!

The 1st problem with RPKI server connectivity was solved by placing the rpki-validator into the GRT. Another trick :)

The 2nd problem: there is no bgp option in the vrf context of the router bgp config

RP/0/RSP0/CPU0:crt-c9006-1(config)#router bgp my_asn
RP/0/RSP0/CPU0:crt-c9006-1(config-bgp)#vrf ext
RP/0/RSP0/CPU0:crt-c9006-1(config-bgp-vrf)#bgp ?
  auto-policy-soft-reset  Enable automatic soft peer reset on policy reconfiguration
  bestpath                Change default route selection criteria
  default                 Configure default value
  enforce-first-as        Enforce the first AS for EBGP routes
  fast-external-fallover  Immediately reset session if a link to a directly connected external peer goes down
  log                     Log bgp info
  multipath               Change multipath selection criteria
  redistribute-internal   Allow redistribution of iBGP into IGPs (dangerous)
  router-id               Configure Router-id
  unsafe-ebgp-policy      Make eBGP neighbors with no policy pass all routes(cisco-support)
RP/0/RSP0/CPU0:crt-c9006-1(config-bgp-vrf)#bgp bestpath ?
  aigp              AIGP attribute
  as-path           AS path length
  compare-routerid  Compare router-id for identical EBGP paths
  cost-community    Cost community
  med               MED related

RP/0/RSP0/CPU0:crt-c9006-1(config-bgp-vrf)#address-family ipv4 unicast
RP/0/RSP0/CPU0:crt-c9006-1(config-bgp-vrf-af)#bgp ?
  attribute-download  Configure attribute download for this address-family
  dampening           Enable route-flap dampening

I talked with colleagues last week and received information from them that origin-as validation works in IOS XR 6.5.1. But my RSP440-SE can't run this software. 6.4.2 is the last supported :(

Thank you.

With best regards, Sergey.

decode.chr13

Regarding: "Can I specify the rpki server option with a VRF?", I think the answer is no, but you can use a trick.

rpki server <10.1.1.101> transport ssh port <999>

then configure the ssh client source-interface using a "fake" VRF interface:

ssh client source-interface <MgmtEth0/RP0/CPU0/0>

interface MgmtEth0/RP0/CPU0/0
 vrf fake
 ipv4 address 10.0.11.111 255.255.255.0
 load-interval 30