RPKI on IOS-XE (Validation)

Load ios-xe.rpki.enable.init.cfg

#IOS-XE (R1, R2, R3)
config replace flash:ios-xe.rpki.enable.init.cfg

BGP is already set up between R1-R2 and R2-R3. Configure RPKI on R2 for both IPv4 and IPv6. Reject invalid IPv4 prefixes, but allow invalid IPv6 prefixes.

The RPKI server is reachable at 10.100.100.1 on port 3323.

Answer

#R2
router bgp 1245
 bgp rpki server tcp 10.100.100.1 port 3323 refresh 600
 !
 address-family ipv6
  bgp bestpath prefix-validate allow-invalid

Explanation/Verification

In the previous lab, we enabled RPKI and disabled prefix validation using bgp bestpath prefix-validate disable. This lab asks us to verify prefix validation, but allow IPv6 invalid prefixes as part of the bestpath process. To do this, we use bgp bestpath prefix-validate allow-invalid under IPv6/unicast.

#R2
router bgp 1245
 address-family ipv6
  bgp bestpath prefix-validate allow-invalid

Examine the BGP IPv6/unicast table first. Notice that prefixes are marked V (valid), I (invalid), or N (not found). Invalid prefixes (I) are still eligible for being selected as the best path.

Examine IPv4/unicast and notice that the invalid prefixes are rejected. These are not routable at all now. Notice that the prefixes that did not have any ROAs (1.100.100.0/24) are still accepted.
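
The V, I and N states come from route origin validation as defined in RFC 6811. The Python sketch below is an added example, not part of the original lab and not Cisco's implementation; it classifies routes against a constructed VRP table and then applies this lab's per-address-family policy. The VRP entries, AS numbers and the function names validate and eligible are assumptions made for illustration; only 1.100.100.0/24 comes from the lab text.

```python
import ipaddress

# Constructed VRPs (prefix, max length, origin AS), standing in for the ROA
# data an RPKI cache would send to the router. Not the lab server's data.
VRPS = [
    ("198.51.100.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
]

# This lab's policy per address family: IPv4 rejects invalid, IPv6 allows it.
ALLOW_INVALID = {4: False, 6: True}

def validate(prefix, origin_as, vrps=VRPS):
    """RFC 6811 origin validation. Returns 'V', 'I' or 'N'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route is equal to or inside its prefix.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # Valid needs a matching origin AS and a length within max length.
        # A VRP for AS 0 never matches any route.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "V"
    # Covered but never matched is invalid; no covering VRP is not found.
    return "I" if covered else "N"

def eligible(prefix, origin_as, vrps=VRPS):
    """Return (state, may_enter_bestpath) under ALLOW_INVALID."""
    state = validate(prefix, origin_as, vrps)
    version = ipaddress.ip_network(prefix).version
    return state, state != "I" or ALLOW_INVALID[version]

if __name__ == "__main__":
    routes = [  # constructed announcements: (prefix, origin AS)
        ("198.51.100.0/24", 64496),   # matches the VRP
        ("198.51.100.0/25", 64496),   # more specific than max length
        ("198.51.100.0/24", 64497),   # wrong origin AS
        ("1.100.100.0/24", 64497),    # no covering VRP
        ("2001:db8:1::/48", 64497),   # wrong origin AS, IPv6
    ]
    for prefix, asn in routes:
        state, ok = eligible(prefix, asn)
        print(f"{state} {prefix:<20} AS{asn} eligible={ok}")
```

The model covers eligibility only; it does not model how the router ranks valid, not-found and invalid paths against each other.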
