Saturday, April 18, 2020

ASR9k - RPKI Server within vrf?

Seems like a pretty basic use case that Cisco overlooked here, but let's get on with it.

Trying to do RPKI validation properly on my network. Thought I was fully compliant, but with Cloudflare's new testing tool, I discovered I'm missing something here and I'm not sure how to work around it.

https://i.imgur.com/tlvxG9p.png

On my ASR9001, its default table is just internet, I manage it fully with OOB interface. It has rpki servers configured to communicate out the management interface, but populates the data properly into the BGP table. I then have it signal via iBGP to the neighboring 9006.

On the 9006, internet is in its own vrf while connecting to transit and peers. It gets the iBGP signals for RPKI from the 9001. However this data appears to only apply to the 9001's routes, not the 9006's, as the 9006's routes show "not-known" for RPKI status. I will have "not-valid" or "valid" next to "not-known" on the 9006 due to this for the same netblock.

So I assume what I need is the 9006 connected and talking to my RPKI servers. However with internet in a vrf, this seems impossible as I can only configure rpki-server functions on the default table on its routes (which are all management table routes anyway for private space).

Any ideas/workarounds so I can have it apply RPKI validation information to the 9006's routes?
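To make the three statuses in the post concrete, here is an added illustration (not from the post, and not Cisco code) of the RFC 6811 prefix/origin check a validating router performs against its VRP set, plus a simplified model of why a router that has no RPKI cache session of its own only sees a state on routes it learned over iBGP. The iBGP-carried state corresponds to the origin validation state extended community of RFC 8097; the VRPs, prefixes and ASNs below are constructed from documentation ranges and private ASNs, and `router_view` is a hypothetical helper, not an IOS-XR feature.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


# Constructed sample VRPs (Validated ROA Payloads). On a real router these
# arrive from the RPKI cache over RTR; the values here are made up for the
# example and use documentation prefixes and private ASNs.
@dataclass(frozen=True)
class VRP:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


SAMPLE_VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("198.51.100.0/22"), 24, 64497),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64498),
]


def validate(prefix_str: str, origin_asn: int, vrps=SAMPLE_VRPS) -> str:
    """RFC 6811 route origin validation for one prefix/origin-AS pair.

    Returns "valid", "invalid" or "not-found". IOS-XR displays the last two
    as "not-valid" and "not-known" respectively.
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    # A VRP "covers" the route when the route's prefix is inside the VRP
    # prefix (same address family). Max-length is checked separately.
    covering = [
        v for v in vrps
        if v.prefix.version == prefix.version and prefix.subnet_of(v.prefix)
    ]
    if not covering:
        return "not-found"
    if any(v.asn == origin_asn and prefix.prefixlen <= v.max_length
           for v in covering):
        return "valid"
    # Covered by at least one VRP, but no VRP matches origin AS and length.
    return "invalid"


def router_view(routes, has_validator: bool, vrps=SAMPLE_VRPS) -> dict:
    """Hypothetical model of how one router labels its BGP table.

    routes: iterable of (prefix, origin_asn, source, ibgp_state) where
    source is "ibgp" or "ebgp" and ibgp_state is the validation state the
    iBGP peer attached (or None). Routes learned over iBGP keep that state;
    everything else is validated locally only if this router has its own
    RPKI cache session, otherwise it stays "not-found".
    """
    view = {}
    for prefix, origin_asn, source, ibgp_state in routes:
        if source == "ibgp" and ibgp_state is not None:
            view[(prefix, source)] = ibgp_state
        elif has_validator:
            view[(prefix, source)] = validate(prefix, origin_asn, vrps)
        else:
            view[(prefix, source)] = "not-found"
    return view


# Constructed table for a router that receives one copy of a prefix over
# iBGP (state attached by the validating peer) and one copy from transit.
ROUTES_NO_LOCAL_VALIDATOR = [
    ("192.0.2.0/24", 64496, "ibgp", "valid"),
    ("192.0.2.0/24", 64496, "ebgp", None),
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500),
                        ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64496),
                        ("2001:db8:1::/48", 64498)]:
        print(prefix, asn, validate(prefix, asn))
    print(router_view(ROUTES_NO_LOCAL_VALIDATOR, has_validator=False))
    print(router_view(ROUTES_NO_LOCAL_VALIDATOR, has_validator=True))
```

With `has_validator=False` the same netblock shows "valid" on the iBGP copy and "not-found" on the transit copy, which is the mixed display described above; with a local validator both copies are checked against the VRPs and agree.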
