RPKI on IOS-XR (Enabling the feature)
Load ios-xr.rpki.enable.init.cfg
#IOS-XE (R6)
config replace flash:ios-xr.rpki.enable.init.cfg
#IOS-XR (XR1, XR2)
configure
load bootflash:ios-xr.rpki.enable.init.cfg
commit replace
y

Note that XR1 is running XR 6.6.3. This is because versions 6.5.x+ have different default rules for RPKI (validation is off by default).
BGP is already set up between XR5-R6 and XR5-XR2.
Configure RPKI on XR5 for both IPv4 and IPv6. Do not act on the validation status of a prefix. Only implement the feature so it can be verified.
The RPKI server is reachable at 10.100.100.1 on port 3323. Use TCP as the transport.
Answer
#XR1
router bgp 1245
 rpki server 10.100.100.1
  transport tcp port 3323
 !
 address-family ipv4 unicast
  bgp origin-as validation enable
 address-family ipv6 unicast
  bgp origin-as validation enable
Explanation/Verification
IOS-XR does not turn RPKI origin validation on by default. You must enable it on a per-AFI basis. Notice that enabling the feature does not enable the use of the validation status for BGP bestpath selection.
We can first examine the state of the connections to RPKI servers using show bgp rpki server summary

We can see the details of the TCP session with the RPKI server using show bgp rpki server ip-address

Examine the IPv4/uni and IPv6/uni tables and notice that bestpath validation is not affecting the best path. All best paths are simply the oldest path:


IOS-XR does not use V, I, N status codes for the table. From the output above we cannot tell whether origin AS validation is taking place or not. However, if we examine individual prefixes, we can see the validation status.

To get similar output to IOS-XE, we can use the command show bgp ipv4 uni origin-as validity


We can now clearly see that some prefixes have one valid announcement and one invalid announcement, yet the invalid announcement can win the bestpath selection. This is what the lab asked for: we have enabled the feature and verified that it is working, without affecting bestpath selection yet.
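The validation status shown per prefix follows the RFC 6811 origin validation procedure, which is why two announcements of the same prefix from different origin ASes can come out valid and invalid. The Python below is an added example, not part of the original lab, and covers the general algorithm rather than only the lab's prefixes; the VRP entries, prefixes and AS numbers are constructed from documentation ranges, and `validate` is a hypothetical helper name.

```python
import ipaddress

# Constructed VRPs (prefix, maxLength, origin AS) of the kind an RPKI cache
# sends to the router. Documentation prefixes and ASNs, not the lab's data.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64500),
    ("203.0.113.0/24", 24, 0),  # AS0 VRP: no origin AS is authorised
]


def validate(prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a route, per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when both are the same address family and
        # the route is equal to or more specific than the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A covering VRP matches when the origin AS is the same (AS0 never
        # matches) and the route is no longer than the VRP's maxLength.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched is invalid; never covered is not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    # Constructed announcements: same prefix from two origins, a too-specific
    # route, an uncovered prefix, an IPv6 route and an AS0-protected prefix.
    samples = [
        ("192.0.2.0/24", 64500),
        ("192.0.2.0/24", 64511),
        ("192.0.2.0/25", 64500),
        ("10.0.0.0/8", 64500),
        ("2001:db8:1::/48", 64500),
        ("203.0.113.0/24", 64500),
    ]
    for pfx, asn in samples:
        print(f"{pfx:<20} AS{asn:<6} {validate(pfx, asn)}")
```

With origin validation enabled but not used for bestpath, an invalid result here corresponds to a path that is marked invalid yet remains eligible to be selected as best.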