If needed, please read my previous blog post to configure your RPKI/ROA validators and sFlow visualisation with pmacct/InfluxDB/Grafana. It's always better to see what you are doing :)
I found several interesting documents on the Arista website:
- Standalone BGP Origin Validation with RPKI: https://eos.arista.com/bgp-origin-validation-rpki/
- Securing Inter Domain Routing with RPKI: https://eos.arista.com/sidr-with-rpki/
- BGP Prefix Origin Validation with Resource Public Key Infrastructure (RPKI): https://eos.arista.com/eos-4-24-0f/bgp-prefix-origin-validation-with-resource-public-key-infrastructure-rpki/
This page is a memo of the useful commands I used (and some tips):
Enable the multi-agent ArBGP (you will have to reboot the whole box)
RPKI cache configuration
If multiple caches are configured, the preference controls the priority. Caches that are more preferred are connected to first; if they are not reachable, connections are attempted to the less preferred caches. If several caches have the same preference value, all of them are connected to and the ROAs synced from them are merged together.
Viewing RPKI client configuration
Clearing RPKI client configuration
The resync is done in such a way that BGP only reacts to the changes since the last sync.
Enabling Route Origin Validation (ROV)
The validation route-map is optional. If provided, it selects the routes for which validation should be skipped, for all iBGP or eBGP peers. This route-map can also be used to set a validity for the routes that are skipped. If no validity is set, the skipped routes remain in the "unknown" validity state.
Configuring RPKI ROV has no effect on BGP behaviour until a policy is configured; you will only see a new column with the ROV state:
Filtering routes based on the ROV status
There is a new match clause available in route-maps. Here is a basic example that drops invalid routes; apply this kind of route-map on your eBGP sessions (inbound, of course):
Remember that this will have a very limited impact (actually none) if you have a static default route configured and your transit provider does not drop invalid routes.
Also note that if your customers want to advertise RTBH routes, they may announce /32 routes for IPv4 (and /128 for IPv6), which may be considered invalid, so adjust your route-map (or validation route-map) accordingly!
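To make the two behaviours above concrete (cache preference and ROA merging from the "RPKI cache configuration" section, and the validation / skip / drop-invalid logic from the ROV sections), here is an added example in Python that models them against a constructed ROA set. It is not Arista code and does not reproduce EOS syntax; the cache names, preference values and ROAs are made up, and it assumes that a higher preference number means "more preferred" (the page does not say which direction wins). The validation itself follows RFC 6811, which is why a /32 RTBH route under a /24 ROA with maxLength 24 comes out invalid unless the validation route-map skips it.

```python
# Added example (not Arista's code): RFC 6811 route origin validation against
# a ROA set merged from the caches that the preference rules would select.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the ROA authorises
    asn: int         # authorised origin AS (AS0 means nobody may originate)


# Constructed cache inventory. Assumption: a higher preference value means
# "more preferred"; validator-a is the most preferred but currently down.
CACHES = {
    "validator-a": {"preference": 20, "reachable": False,
                    "roas": {Roa("192.0.2.0/24", 24, 64496)}},
    "validator-b": {"preference": 10, "reachable": True,
                    "roas": {Roa("192.0.2.0/24", 24, 64496),
                             Roa("2001:db8::/32", 48, 64496)}},
    "validator-c": {"preference": 10, "reachable": True,
                    "roas": {Roa("203.0.113.0/24", 24, 64497)}},
}


def select_caches(caches):
    """Names of the caches BGP would use: the most preferred group that has
    reachable members; equal-preference caches are all used together."""
    for pref in sorted({c["preference"] for c in caches.values()}, reverse=True):
        group = [name for name, c in caches.items()
                 if c["preference"] == pref and c["reachable"]]
        if group:
            return sorted(group)
    return []


def merge_roas(caches, names):
    """Union of the ROAs synced from the selected caches."""
    merged = set()
    for name in names:
        merged |= caches[name]["roas"]
    return merged


def _covers(roa, route):
    """True when the ROA prefix contains the route prefix (same address family)."""
    net = ipaddress.ip_network(roa.prefix)
    return net.version == route.version and route.subnet_of(net)


def validate(prefix, origin_asn, roas):
    """RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if _covers(r, route)]
    if not covering:
        return "not-found"
    if any(r.asn == origin_asn and route.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def rov_state(prefix, origin_asn, roas, skip=lambda p: False, skip_validity=None):
    """Model the optional validation route-map: routes it matches are not
    validated and stay 'unknown' unless the route-map sets a validity."""
    if skip(prefix):
        return skip_validity or "unknown"
    return validate(prefix, origin_asn, roas)


def inbound_policy(state):
    """The page's basic eBGP inbound route-map: drop invalid, permit the rest."""
    return "deny" if state == "invalid" else "permit"


def is_blackhole_host_route(prefix):
    """Constructed RTBH skip rule: treat /32 (IPv4) and /128 (IPv6) as blackhole routes."""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen == net.max_prefixlen


if __name__ == "__main__":
    selected = select_caches(CACHES)
    roas = merge_roas(CACHES, selected)
    print("connected caches:", selected, "| merged ROAs:", len(roas))
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.7/32", 64496), ("192.0.2.0/24", 64511),
                        ("198.51.100.0/24", 64496), ("2001:db8:1::/64", 64496)]:
        plain = rov_state(prefix, asn, roas)
        rtbh = rov_state(prefix, asn, roas, skip=is_blackhole_host_route)
        print(f"{prefix:18} AS{asn}: {plain:9} -> {inbound_policy(plain):6} | "
              f"with RTBH skip: {rtbh:9} -> {inbound_policy(rtbh)}")
```

Running it shows why the RTBH caveat matters: 192.0.2.7/32 from the legitimate origin is invalid under a /24 ROA with maxLength 24 and would be dropped by the "deny invalid" route-map, while the same route left in the unknown state by a skip rule is permitted. The skip rule here is deliberately coarse (any host route); in production you would narrow it to routes that actually carry your blackhole community.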