Describes how BGP RPKI-based origin validations on outbound enforce prefix origin checks for routes exported to external BGP peers.
BGP Resource Public Key Infrastructure (RPKI)-based origin validation for outbound external BGP (eBGP) prefixes is a route validation feature that
-
enhances BGP route security by automatically validating the origin Autonomous System (AS) of prefixes before advertising them to external peers
-
performs validation by checking the prefix origin-AS against the local RPKI Route Origin Authorization (ROA) database, and
-
prevents propagation of prefixes with invalid ROA status to eBGP neighbors, ensuring only trusted prefixes are exported from the network
The key benefits are:
-
Automates origin-AS validation using RPKI.
-
Prevents propagation of prefixes with invalid ROA status to eBGP neighbors.
-
Improves compliance with routing security policies.
-
Reduces manual filtering and configuration errors by automatically dropping invalid prefixes.
| Feature Name |
Release Information |
Feature Description |
|---|---|---|
| BGP RPKI-based origin validation for outbound eBGP prefixes |
Release 26.2.1 | Introduced in this release on: Fixed Systems (8200 [ASIC: Q200,P100], 8700 [ASIC: P100, K100], 8010 [ASIC: A100]); Centralized Systems (8600 [ASIC:Q200]) ; Modular Systems (8800 [LC ASIC:Q100, Q200, P100]) You can now enhance BGP route security by automatically validating route origins with RPKI before advertisement to external peers. Routes with invalid origin status are dropped, reducing manual filtering and ensuring only trusted prefixes are exported from your network. |
Core attributes for outbound origin validations
-
Address families: Supported for IPv4 and IPv6 unicast address families, both in the Global Routing Table (GRT) and within VRF instances.
-
AS-path manipulations: Supports
replace-asandremove-private-asoperations. These manipulations are processed before the RPKI validation check, ensuring path modifications occur prior to the final permit or drop decision.