[c-nsp] RPKI extended-community RFC8097
Lukas Tribus
lukas at ltri.eu
Sat Nov 28 16:16:50 EST 2020
Hi Ben,
On Sat, 28 Nov 2020 at 01:32, Ben Maddison <benm at workonline.africa> wrote:
> > router bgp ...
> > bgp rpki server tcp [...]
> > address-family ipv4
> > bgp bestpath prefix-validate disable
> > [...]
> > route-map RM_EBGP_IN deny 10
> > match rpki invalid
> > route-map RM_EBGP_IN permit 20
> > [...]
> >
> Does the route-map 'match' still work here? Which release?
> I remember trying this workaround before our initial rollout of ROV and
> nothing matched that statement when 'prefix-validate disable' was
> configured. I forget the exact release, but that would have been
> 16.9.3-ish.
It works for me in both recent (Amsterdam, 17.03.02) and older (Fuji,
16.09.02) code.
I did not try matching NotFound or Valid, or setting different
locpref's, just denying invalid routes.
> > Vpnv[46] support and RTR via SSH is still not there.
> >
> Hahaha, don't hold your breath. Source interface selection isn't even
> available.
With SSH support we would get source interface selection for free :(
CLI helptext actually mentions SSH username and password and a
"local-port" option, but it's undocumented and unclear how it is
supposed to work...
LAB1(config-router)#$bgp rpki server tcp 1.2.3.4 port 3232 ref 600 password secret ?
  username  SSH Username
  <cr>      <cr>
LAB1(config-router)#$bgp rpki server tcp 1.2.3.4 port 3232 ref 600 password secret username user1 password secret2 ?
  local-port  SSH Local Port
LAB1(config-router)#$
It's probably a leftover from someone trying to get SSH support in.
Unsure why SSH support would be combined with TCP-MD5 support on the
socket (which is what the first password argument is about).
cheers,
lukas