The bestroute region-validation command applies regional validation results of BGP routes to route selection. If the regional validation succeeds, the route is valid and can participate in route selection. If the regional validation fails, the route is invalid and cannot participate in route selection.
The undo bestroute region-validation command restores the default configuration.
The bestroute region-validation allow-invalid command applies RPKI's regional validation results of BGP routes to BGP route selection. If regional validation fails, the BGP routes are still treated as valid, but their priority is reduced during route selection.
The undo bestroute region-validation allow-invalid command restores the default configuration.
By default, the regional validation results of BGP routes are not applied to BGP route selection.
Usage Scenario
Regional validation is a solution that combines multiple trusted ASs into a region and multiple regions into a regional confederation. By checking whether the routes received from EBGP peers in external regions belong to the local region, regional validation prevents external regions from hijacking routes in the local region.
To improve BGP route selection security, you can run the bestroute region-validation command to apply regional validation results of BGP routes to BGP route selection. If the regional validation succeeds, the route is valid and can participate in route selection. If the regional validation fails, the route is invalid and cannot participate in route selection.
To allow the routes that fail the regional validation to participate in route selection, configure the allow-invalid parameter. After the parameter is configured, the routes that fail the regional validation are considered valid and can participate in route selection, but their priority is reduced during route selection.
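The following added example (not Huawei code) models how the three settings change which route wins for the same prefix. It assumes a simplified check (a route received from a peer outside the region fails validation if its origin AS is inside the region), assumes the validation result is compared before other attributes, and uses constructed AS numbers and routes.

```python
from dataclasses import dataclass

LOCAL_REGION = {100, 200, 300}  # constructed: trusted ASs forming the local region

@dataclass(frozen=True)
class Route:
    prefix: str
    peer_as: int      # AS of the EBGP peer the route was received from
    as_path: tuple    # last element is the origin AS
    local_pref: int = 100

def region_valid(route, region=LOCAL_REGION):
    """Assumed check: a route learned from an external-region peer must not
    claim an origin AS that belongs to the local region."""
    from_external = route.peer_as not in region
    origin_in_region = route.as_path[-1] in region
    return not (from_external and origin_in_region)

def select_best(routes, mode="off"):
    """mode: 'off'           -> default, validation result ignored
             'strict'        -> bestroute region-validation
             'allow-invalid' -> bestroute region-validation allow-invalid"""
    if mode == "strict":
        # Invalid routes cannot participate in route selection at all.
        routes = [r for r in routes if region_valid(r)]
    if not routes:
        return None

    def key(r):
        # allow-invalid keeps failed routes but ranks them below valid ones
        # (assumption: compared ahead of the other attributes).
        rank = region_valid(r) if mode == "allow-invalid" else True
        # Simplified tie-breakers: higher local_pref, then shorter AS path.
        return (rank, r.local_pref, -len(r.as_path))

    return max(routes, key=key)

# Constructed routes for the same prefix: one learned inside the region, one
# from an external peer that claims in-region origin AS 300 with a shorter path.
LEGIT = Route("10.1.0.0/16", peer_as=200, as_path=(200, 250, 300))
HIJACK = Route("10.1.0.0/16", peer_as=65010, as_path=(65010, 300))

if __name__ == "__main__":
    for mode in ("off", "strict", "allow-invalid"):
        print(mode, "->", select_best([LEGIT, HIJACK], mode))
```

With only the failed route available, the strict mode leaves the prefix without a usable route, while allow-invalid still installs it.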
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpna
[*HUAWEI-vpn-instance-vpna] ipv4-family
[*HUAWEI-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*HUAWEI-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*HUAWEI-vpn-instance-vpna-af-ipv4] quit
[*HUAWEI-vpn-instance-vpna] quit
[*HUAWEI] bgp 100
[*HUAWEI-bgp] ipv4-family vpn-instance vpna
[*HUAWEI-bgp-vpna] region-validation confed-check strict
[*HUAWEI-bgp-vpna] bestroute region-validation

<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpna
[*HUAWEI-vpn-instance-vpna] ipv4-family
[*HUAWEI-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*HUAWEI-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*HUAWEI-vpn-instance-vpna-af-ipv4] quit
[*HUAWEI-vpn-instance-vpna] quit
[*HUAWEI] bgp 100
[*HUAWEI-bgp] ipv4-family vpn-instance vpna
[*HUAWEI-bgp-vpna] region-validation confed-check strict
[*HUAWEI-bgp-vpna] bestroute region-validation allow-invalid