Hi Jan,

Did you ever figure out whether Origin Validation is supported in context of a VRF?

Kind regards,

Job

On Wed, Apr 10, 2019 at 5:55 PM Jan Chrillesen <[email protected]> wrote:
>
> I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
> I'm facing two issues. The first one is that traffic is being sourced
> from the outgoing interface, and it isn't possible to specify a source
> interface (like a loopback interface). It's the same issue as described
> here
> https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
>
> The second one is the lack of documentation for using RPKI validation in
> VRFs - is it even supported? I made the following config
>
> router bgp xxxxx
>  rpki server 212.x.y.z
>   transport tcp port 3323
>   refresh-time 600
>
>  vrf internet
>   [...]
>   bgp bestpath origin-as use validity
>   bgp bestpath origin-as allow invalid
>   address-family ipv4 unicast
>    [...]
>    bgp origin-as validation signal ibgp
>
>
> Connection to the validator (Routinator 3000 seems fine):
>
> #sh bgp rpki summary
> Wed Apr 10 19:39:46.294 CEST
>
> RPKI cache-servers configured: 1
> RPKI database
>   Total IPv4 net/path: 64091/68179
>   Total IPv6 net/path: 11324/12344
>
> If I check the validity of a route received from a peer on the router I
> get:
>
> #sh bgp vrf internet x.y.0.0/19
> [...]
> Origin-AS validity: (disabled)
>
> I would expect the validity to be valid, invalid or not found
>
> Also updated the ingress route-map of the peer to check for
> validation-state but I would expect that the route should have a
> validity even if I don't do anything with it in the route map
>
> Found this old post
> https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
> but it didn't provide any hints to whether validation is even supported
> in VRFs on XR
>
> (To those who might suggest I run my peers in GRT - it's not currently
> an option)
>
> - Jan
> --
> RPKI mailing list
> [email protected]
> https://www.nlnetlabs.nl/mailman/listinfo/rpki
