mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-08-07 07:23:41 +00:00
doc: add rpki information for rpki per vrf commands
rpki per vrf documentation is being added.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
parent
9dcfdf2c4f
commit
0ba6afa5fc
@ -60,8 +60,9 @@ Enabling RPKI
|
|||||||
This command enables the RPKI configuration mode. Most commands that start
|
This command enables the RPKI configuration mode. Most commands that start
|
||||||
with *rpki* can only be used in this mode.
|
with *rpki* can only be used in this mode.
|
||||||
|
|
||||||
When it is used in a telnet session, leaving of this mode cause rpki to be
|
This command is available either in *configure node* for default *vrf* or
|
||||||
initialized.
|
in *vrf node* for specific *vrf*. When it is used in a telnet session,
|
||||||
|
leaving of this mode cause rpki to be initialized.
|
||||||
|
|
||||||
Executing this command alone does not activate prefix validation. You need
|
Executing this command alone does not activate prefix validation. You need
|
||||||
to configure at least one reachable cache server. See section
|
to configure at least one reachable cache server. See section
|
||||||
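Review bot: In the rewritten paragraph, "leaving of this mode cause rpki to be initialized" keeps the grammar slip of the old text and, now that the command also exists in *vrf node*, no longer says what gets initialized. Suggest "leaving this mode causes RPKI to be initialized for that *vrf*" if initialization is per VRF, or state explicitly that it is global.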
@ -91,6 +92,9 @@ Examples of the error::
|
|||||||
router(config)# rpki
|
router(config)# rpki
|
||||||
% [BGP] Unknown command: rpki
|
% [BGP] Unknown command: rpki
|
||||||
|
|
||||||
|
router(config-vrf)# rpki
|
||||||
|
% [BGP] Unknown command: rpki
|
||||||
|
|
||||||
Note that the RPKI commands will be available in vtysh when running
|
Note that the RPKI commands will be available in vtysh when running
|
||||||
``find rpki`` regardless of whether the module is loaded.
|
``find rpki`` regardless of whether the module is loaded.
|
||||||
|
|
||||||
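Review bot: The added error example starts at the prompt "router(config-vrf)#" without showing how that node was entered. Adding the preceding "router(config)# vrf vrf_connect" line (the VRF name used in the configuration example at the end of this patch) would make the second error case reproducible from the text alone.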
@ -99,7 +103,14 @@ Note that the RPKI commands will be available in vtysh when running
|
|||||||
Configuring RPKI/RTR Cache Servers
|
Configuring RPKI/RTR Cache Servers
|
||||||
----------------------------------
|
----------------------------------
|
||||||
|
|
||||||
The following commands are independent of a specific cache server.
|
RPKI/RTR can be configured independently, either in configure node, or in *vrf*
|
||||||
|
sub context. If configured in configure node, the core *bgp* instance of default
|
||||||
|
*vrf* is impacted by the configuration.
|
||||||
|
|
||||||
|
Each RPKI/RTR context is mapped to a *vrf* and can be made up of a specific list
|
||||||
|
of cache-servers, and specific settings.
|
||||||
|
|
||||||
|
The following commands are available for independent of a specific cache server.
|
||||||
|
|
||||||
.. index:: rpki polling_period (1-3600)
|
.. index:: rpki polling_period (1-3600)
|
||||||
.. clicmd:: rpki polling_period (1-3600)
|
.. clicmd:: rpki polling_period (1-3600)
|
||||||
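Review bot: The replacement sentence "The following commands are available for independent of a specific cache server." is ungrammatical; the removed wording "The following commands are independent of a specific cache server." was fine and can simply follow the two new paragraphs. The new text also says "*vrf* sub context" where the first hunk says "*vrf node*"; pick one term. Since each context is described as having its own cache-server list and settings, it would help to state whether a setting such as polling_period left unset in a VRF context is inherited from the default *vrf* or falls back to the built-in default.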
@ -200,27 +211,27 @@ Debugging
|
|||||||
Displaying RPKI
|
Displaying RPKI
|
||||||
---------------
|
---------------
|
||||||
|
|
||||||
.. index:: show rpki prefix <A.B.C.D/M|X:X::X:X/M> [(1-4294967295)]
|
.. index:: show rpki prefix <A.B.C.D/M|X:X::X:X/M> [(1-4294967295)] [vrf NAME]
|
||||||
.. clicmd:: show rpki prefix <A.B.C.D/M|X:X::X:X/M> [(1-4294967295)]
|
.. clicmd:: show rpki prefix <A.B.C.D/M|X:X::X:X/M> [(1-4294967295)] [vrf NAME]
|
||||||
|
|
||||||
Display validated prefixes received from the cache servers filtered
|
Display validated prefixes received from the cache servers filtered
|
||||||
by the specified prefix.
|
by the specified prefix.
|
||||||
|
|
||||||
.. index:: show rpki as-number ASN
|
.. index:: show rpki as-number ASN [vrf NAME]
|
||||||
.. clicmd:: show rpki as-number ASN
|
.. clicmd:: show rpki as-number ASN [vrf NAME]
|
||||||
|
|
||||||
Display validated prefixes received from the cache servers filtered
|
Display validated prefixes received from the cache servers filtered
|
||||||
by ASN.
|
by ASN.
|
||||||
|
|
||||||
.. index:: show rpki prefix-table
|
.. index:: show rpki prefix-table [vrf NAME]
|
||||||
.. clicmd:: show rpki prefix-table
|
.. clicmd:: show rpki prefix-table [vrf NAME]
|
||||||
|
|
||||||
Display all validated prefix to origin AS mappings/records which have been
|
Display all validated prefix to origin AS mappings/records which have been
|
||||||
received from the cache servers and stored in the router. Based on this data,
|
received from the cache servers and stored in the router. Based on this data,
|
||||||
the router validates BGP Updates.
|
the router validates BGP Updates.
|
||||||
|
|
||||||
.. index:: show rpki cache-connection
|
.. index:: show rpki cache-connection [vrf NAME]
|
||||||
.. clicmd:: show rpki cache-connection
|
.. clicmd:: show rpki cache-connection [vrf NAME]
|
||||||
|
|
||||||
Display all configured cache servers, whether active or not.
|
Display all configured cache servers, whether active or not.
|
||||||
|
|
||||||
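Review bot: The four show commands gain "[vrf NAME]" in both the index and clicmd lines, but every description is unchanged, so the reader is not told what the optional argument selects or what is displayed when it is omitted. Add one sentence, either per command or once at the top of the section, saying which RPKI context is shown without "vrf NAME"; an operator checking validation state for a VRF needs to know they are not looking at the default *vrf* table by mistake.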
@ -271,5 +282,54 @@ RPKI Configuration Example
|
|||||||
route-map rpki permit 40
|
route-map rpki permit 40
|
||||||
!
|
!
|
||||||
|
|
||||||
|
RPKI Configuration Example with VRF
|
||||||
|
-----------------------------------
|
||||||
|
|
||||||
|
.. code-block:: frr
|
||||||
|
|
||||||
|
hostname bgpd1
|
||||||
|
password zebra
|
||||||
|
! log stdout
|
||||||
|
debug bgp updates
|
||||||
|
debug bgp keepalives
|
||||||
|
debug rpki
|
||||||
|
!
|
||||||
|
vrf vrf_connect
|
||||||
|
rpki
|
||||||
|
rpki polling_period 1000
|
||||||
|
rpki timeout 10
|
||||||
|
! SSH Example:
|
||||||
|
rpki cache example.com 22 rtr-ssh ./ssh_key/id_rsa ./ssh_key/id_rsa.pub preference 1
|
||||||
|
! TCP Example:
|
||||||
|
rpki cache rpki-validator.realmv6.org 8282 preference 2
|
||||||
|
exit
|
||||||
|
!
|
||||||
|
exit-vrf
|
||||||
|
router bgp 60001 vrf vrf_connect
|
||||||
|
bgp router-id 141.22.28.223
|
||||||
|
network 192.168.0.0/16
|
||||||
|
neighbor 123.123.123.0 remote-as 60002
|
||||||
|
neighbor 123.123.123.0 route-map rpki in
|
||||||
|
!
|
||||||
|
address-family ipv6
|
||||||
|
neighbor 123.123.123.0 activate
|
||||||
|
neighbor 123.123.123.0 route-map rpki in
|
||||||
|
exit-address-family
|
||||||
|
!
|
||||||
|
route-map rpki permit 10
|
||||||
|
match rpki invalid
|
||||||
|
set local-preference 10
|
||||||
|
!
|
||||||
|
route-map rpki permit 20
|
||||||
|
match rpki notfound
|
||||||
|
set local-preference 20
|
||||||
|
!
|
||||||
|
route-map rpki permit 30
|
||||||
|
match rpki valid
|
||||||
|
set local-preference 30
|
||||||
|
!
|
||||||
|
route-map rpki permit 40
|
||||||
|
!
|
||||||
|
|
||||||
.. [Securing-BGP] Geoff Huston, Randy Bush: Securing BGP, In: The Internet Protocol Journal, Volume 14, No. 2, 2011. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_14-2/142_bgp.html>
|
.. [Securing-BGP] Geoff Huston, Randy Bush: Securing BGP, In: The Internet Protocol Journal, Volume 14, No. 2, 2011. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_14-2/142_bgp.html>
|
||||||
.. [Resource-Certification] Geoff Huston: Resource Certification, In: The Internet Protocol Journal, Volume 12, No.1, 2009. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-1/121_resource.html>
|
.. [Resource-Certification] Geoff Huston: Resource Certification, In: The Internet Protocol Journal, Volume 12, No.1, 2009. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-1/121_resource.html>
|
||||||
|
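Review bot: In the new VRF example, "route-map rpki permit 10" with "match rpki invalid" only sets local-preference to 10, so RPKI-invalid routes are still accepted from the neighbor. Local preference is compared only between paths for the same prefix, so an invalid more-specific announcement would still be installed and win on longest match; because documentation examples get copied into production, consider showing a deny entry for the invalid case, or add a sentence saying this example deliberately keeps invalid routes. The example also carries "password zebra" and a plain-TCP cache ("rpki cache rpki-validator.realmv6.org 8282"), which has no transport authentication, next to the SSH one; a comment marking both as placeholders would help.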