Solved: RPKI for vrf neighbor

IBEngTeam · ‎02-14-2023

Hi all,

I want to activate Route Origin Validation, for a BGP neighbor configured in a VRF. I have configured RPKI on Cisco ASR9K using the following:

router bgp 1
!
rpki server y.y.y.y
username rpki
transport ssh port 22
refresh-time 3600
response-time 600
!
router bgp 1
!
address-family ipv4 unicast
bgp origin-as validation enable
bgp bestpath origin-as use validity
bgp bestpath origin-as allow invalid
!
address-family ipv6 unicast
bgp origin-as validation enable
bgp bestpath origin-as use validity
bgp bestpath origin-as allow invalid
!
!

But I am not able to configure validation for a BGP neighbors under VRF. How can I do that?

Thanks,

Adi.

smilstea · ‎02-15-2023

RP/0/RP0/CPU0:router#show install active summary
Wed Feb 15 11:26:00.449 PST
Active Packages: 21
ncs5500-xr-7.1.2 version=7.1.2 [Boot image]
ncs5500-mgbl-3.0.0.0-r712
ncs5500-isis-2.1.0.0-r712
ncs5500-mpls-2.1.0.0-r712
ncs5500-mpls-te-rsvp-3.1.0.0-r712
ncs5500-k9sec-3.2.0.0-r712
kernel-image-3.14.23-wr7.0.0.2-standard-3.14.p1-r0.1.r712.CSCvv99754.xr
kernel-modules-3.14.p1-r0.1.r712.CSCvv99754.xr
cisco-klm-0.1.p1-r0.0.r712.CSCvv99754.xr
bcm-klm-6.5.16.p1-r1.0.r712.CSCvv99754.xr
ncs5500-routing-5.0.0.4-r712.CSCvz64652
ncs5500-mpls-te-rsvp-3.1.0.3-r712.CSCvv43868
ncs5500-fwding-3.0.0.4-r712.CSCwa45250
ncs5500-bgp-2.0.0.7-r712.CSCvr34133
ncs5500-dpa-fwding-4.0.0.19-r712.CSCvw97862
ncs5500-os-support-4.0.0.3-r712.CSCwb18766
ncs5500-dpa-3.0.0.23-r712.CSCwa41620
ncs5500-os-6.0.0.4-r712.CSCvv11307
ncs5500-iosxr-fwding-4.1.0.14-r712.CSCvv11307
ncs5500-infra-5.0.0.28-r712.CSCwa06416
ncs5500-k9sec-3.2.0.2-r712.CSCvy24841

RP/0/RP0/CPU0:router#config t
Wed Feb 15 11:26:07.275 PST
RP/0/RP0/CPU0:router(config)#router bgp 100
RP/0/RP0/CPU0:router(config-bgp)#vrf test
RP/0/RP0/CPU0:router(config-bgp-vrf)#address-family ipv4 unicast
RP/0/RP0/CPU0:router(config-bgp-vrf-af)#bgp bestpath origin-as ?
allow BGP origin-AS knobs
use BGP origin-AS knobs

View solution in original post

smilstea · ‎02-15-2023

What code are you on, I see BGP RPKI with VRF is supported since 6.5.1/7.0.1.

Sam

smilstea · ‎02-15-2023

RP/0/RP0/CPU0:router#show install active summary
Wed Feb 15 11:26:00.449 PST
Active Packages: 21
ncs5500-xr-7.1.2 version=7.1.2 [Boot image]
ncs5500-mgbl-3.0.0.0-r712
ncs5500-isis-2.1.0.0-r712
ncs5500-mpls-2.1.0.0-r712
ncs5500-mpls-te-rsvp-3.1.0.0-r712
ncs5500-k9sec-3.2.0.0-r712
kernel-image-3.14.23-wr7.0.0.2-standard-3.14.p1-r0.1.r712.CSCvv99754.xr
kernel-modules-3.14.p1-r0.1.r712.CSCvv99754.xr
cisco-klm-0.1.p1-r0.0.r712.CSCvv99754.xr
bcm-klm-6.5.16.p1-r1.0.r712.CSCvv99754.xr
ncs5500-routing-5.0.0.4-r712.CSCvz64652
ncs5500-mpls-te-rsvp-3.1.0.3-r712.CSCvv43868
ncs5500-fwding-3.0.0.4-r712.CSCwa45250
ncs5500-bgp-2.0.0.7-r712.CSCvr34133
ncs5500-dpa-fwding-4.0.0.19-r712.CSCvw97862
ncs5500-os-support-4.0.0.3-r712.CSCwb18766
ncs5500-dpa-3.0.0.23-r712.CSCwa41620
ncs5500-os-6.0.0.4-r712.CSCvv11307
ncs5500-iosxr-fwding-4.1.0.14-r712.CSCvv11307
ncs5500-infra-5.0.0.28-r712.CSCwa06416
ncs5500-k9sec-3.2.0.2-r712.CSCvy24841

RP/0/RP0/CPU0:router#config t
Wed Feb 15 11:26:07.275 PST
RP/0/RP0/CPU0:router(config)#router bgp 100
RP/0/RP0/CPU0:router(config-bgp)#vrf test
RP/0/RP0/CPU0:router(config-bgp-vrf)#address-family ipv4 unicast
RP/0/RP0/CPU0:router(config-bgp-vrf-af)#bgp bestpath origin-as ?
allow BGP origin-AS knobs
use BGP origin-AS knobs

IBEngTeam · ‎02-15-2023

Hi,

Thanks for the reply.

I am on version 6.4.2 - will upgrade.

Thanks for all the hwlp.

Adi.