To configure BGP SIDR prefix origin validation

Purpose

To help prevent BGP prefix spoofing, you can configure validation of the AS values that are received from EBGP peers. When a BGP speaker that supports the validation function receives a route, the speaker can check whether the route's origin AS is valid for the advertised prefix. If the origin AS is not correct for the advertised prefix, the route is considered invalid and is treated according to the routing policy configuration.
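The check described above, sketched as an added example that follows the RFC 6811 origin validation procedure; it is not code from this product. The state names (valid, invalid, not-found) are the RFC's, and the VRP entries, prefixes and AS numbers are constructed documentation values.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads), as an RPKI session would
# deliver them: (prefix, maximum prefix length, authorized origin AS).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64502),
]

def origin_as(as_path):
    """Origin AS is the rightmost AS in the AS_PATH.

    Returns None for an empty path or when the final segment is an AS_SET
    (modelled here as a Python set); such a route matches no VRP.
    """
    if not as_path or isinstance(as_path[-1], (set, frozenset)):
        return None
    return as_path[-1]

def validate(prefix, as_path, vrps=VRPS):
    """Classify a received route as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # Match: same origin AS and the route is no more specific than max_len.
        if origin is not None and asn == origin and route.prefixlen <= max_len:
            return "valid"
    # Covered but unmatched means wrong origin or too-specific announcement.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    for pfx, path in [("192.0.2.0/24", [64496, 64500]),
                      ("192.0.2.0/24", [64496, 64511]),
                      ("192.0.2.128/25", [64500]),
                      ("198.51.100.0/24", [64500])]:
        print(pfx, path, "->", validate(pfx, path))
```

A route that no VRP covers is not-found rather than invalid, which is why the routing policy and best-path settings in the steps below treat the states separately.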

Steps

Configure an RPKI session on a routing instance; see To configure a routing instance or a VRF instance.


Configure origin validation on an EBGP peer session.

Perform the following steps:

  1. Configure the Origin Validation parameter on the Behavior tab on the Peer Group (Edit) form; see To configure peer-group-level BGP.

  2. Configure the Origin Validation parameter on the Behavior tab on the Peer, Peer Group (Create) form; see To configure peer-level BGP.


Create a policy statement entry to match IPv4 or IPv6 routes in the routing information database. Configure the Origin Validation State parameter on the Action, From Criteria, and Default Action tabs; see To configure a routing policy statement.


On a BGP site properties form, on the General tab in the Best Path Selection panel, set the Compare Origin Validation State and Origin Invalid Unusable parameters to control how the origin validation states associated with routing information database entries are used in the BGP decision process. See To configure global-level BGP.


On a Community Routing Policy, configure the Community Member parameter with the new origin validation state. See To configure a community policy.

End of steps