Hi Ben,

On XE and Classic:

> 1. you can only perform validation on eBGP-received routes;
> 2. any iBGP-received route will get marked "Valid" unless it has a 8097
> extcomm to the contrary; and
> 3. bestpath selection will prefer "Valid" to "Unknown", at the first
> step in the selection process.

Yes, that is exactly the default dumb behaviour. And frankly, these days I am not sure whom to even talk to in Cisco about XE BGP :)

> Thus, without 8097 extcomms to mark validation status, you get a
> forwarding loop for every prefix that a) you learn at two-or-more ASBRs
> and b) has no covering ROA.
> That's the majority of the DFZ table for any multihomed AS.

Well, that one I do not think is going to always be the case. It may be if your ASBRs are also RRs or you enable best-external or add-paths.

In the described case I just tested this, and one ASBR will use the local eBGP path as best and the other one the iBGP-learned path, which pretends to be valid. So there is no forwarding loop.

If it were always one, perhaps Cisco regression testing would fail :)

In the meantime, adding the knob "announce rpki state" is the way to go.

Thx,
R.

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
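Added example, not from the thread or from Cisco: a small Python model of the two-ASBR case discussed above. It assumes the XE/Classic rules as stated in the thread (iBGP-received paths without an RPKI-state extcomm are treated as Valid, and bestpath compares RPKI state before preferring eBGP over iBGP), with the ASBRs processed one after the other as a real network would converge. It shows no loop with plain iBGP, a loop once best-external is enabled, and no loop once "announce rpki state" carries the real state across iBGP.

```python
# Constructed model of the behaviour described in the thread; not Cisco code.
# Each ASBR ("A", "B") learns the prefix from its own eBGP upstream and has a
# single iBGP session to the other ASBR (no route reflector).

RANK = {"valid": 0, "unknown": 1, "invalid": 2}

def received_state(path, announce_state):
    """State the receiving router assigns to a path (assumed XE/Classic rule)."""
    if path["via"] == "ebgp":
        return path["roa_state"]          # looked up against the RPKI cache
    # iBGP: the sender's state is honoured only if it announces rpki state;
    # otherwise the path is simply marked Valid.
    return path["roa_state"] if announce_state else "valid"

def bestpath(paths):
    # step 1: RPKI state (Valid < Unknown < Invalid); step 2: eBGP before iBGP
    return min(paths, key=lambda p: (RANK[p["state"]], p["via"] != "ebgp"))

def simulate(roa_state="unknown", best_external=False, announce_state=False, rounds=4):
    routers = ("A", "B")
    rib = {r: [{"via": "ebgp", "from": "upstream", "roa_state": roa_state,
                "state": roa_state}] for r in routers}
    for _ in range(rounds):
        for r in routers:                 # asynchronous: A converges, then B
            peer = "B" if r == "A" else "A"
            best = bestpath(rib[r])
            ext = next(p for p in rib[r] if p["via"] == "ebgp")
            if best["via"] == "ebgp":
                adv = best                # best path is external: advertise it
            elif best_external:
                adv = ext                 # best-external: advertise eBGP path anyway
            else:
                adv = None                # best is iBGP: nothing to send to iBGP peer
            rib[peer] = [p for p in rib[peer] if p["from"] != r]   # implicit withdraw
            if adv is not None:
                p = {"via": "ibgp", "from": r, "roa_state": adv["roa_state"]}
                p["state"] = received_state(p, announce_state)
                rib[peer].append(p)
    best = {r: bestpath(rib[r])["via"] for r in routers}
    loop = all(v == "ibgp" for v in best.values())   # both point at each other
    return best, loop

if __name__ == "__main__":
    print("plain iBGP:      ", simulate())
    print("best-external:   ", simulate(best_external=True))
    print("+announce state: ", simulate(best_external=True, announce_state=True))
```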
