RPKI on IOS-XR (VRF)

Load ios-xr.rpki.vrf.init.cfg

#IOS-XE (R6)
config replace flash:ios-xr.rpki.vrf.init.cfg

#IOS-XR (XR1, XR2)
configure
load bootflash:ios-xr.rpki.vrf.init.cfg
commit replace
y

BGP is already setup between XR1-R6 and XR1-XR2.

Configure RPKI on XR1 for both IPv4 and IPv6. Reject all invalid paths. XR1 is running internet in a VRF called INET.

The RPKI server is reachable in the global table at 10.100.100.1 on port 22. Use SSH as the transport with rpki/rpki.

Answer

#XR1
router bgp 1245
 rpki server 10.100.100.1
  username rpki
  password rpki
  transport ssh port 22
 !
 vrf INET
  address-family ipv4 unicast
   bgp origin-as validation enable
   bgp bestpath origin-as use validity
  !
  address-family ipv6 unicast
   bgp origin-as validation enable
   bgp bestpath origin-as use validity

Explanation

IOS-XR allows us to use RPKI origin validation in a VRF instead of just the global table. This allows us to run INET in a VRF, which is a popular option among service providers. This keeps the global table limited to just internal loopbacks and underlay transit prefixes.

Enabling RPKI for a VRF is quite simple, you just enable the configuration under the VRF AFIs instead of under the global AFIs. The RPKI server is configured the same way. Note that if you’d like, you can source the RPKI connection from an interface in a VRF using the bind-source command.

On XR1 we can see that invalid paths are being rejected for IPv4 and IPv6 routes in the INET VRF.

Note that this functionality does not appear to be available on IOS-XE. I do not see a way to enable origin-as validation within a VRF on CSR1000v.

PreviousRPKI on IOS-XR (RPKI Routes)NextRPKI iBGP Mesh (No Signaling)

Last updated 10 months ago

hashtagAnswer

hashtagExplanation

Answer

Explanation