[j-nsp] Origin Validation on MX80
Brad Fleming
bdflemin at gmail.com
Wed Aug 17 10:46:37 EDT 2016
Hello all,
We’ve been playing around a bit with BGP origin validation on a lab MX80.
While everything seems to work CPU load is pretty high. We’ve observed this
elevated CPU with both 14.3R<something> and 16.1R1.7. Just wondering if
anyone else experienced similar or whether we’ve configured something
sideways and caused a problem.
lab-mx80> show version
Junos: 16.1R1.7
lab-mx80> show validation session
Session State Flaps Uptime
#IPv4/IPv6 records
<cache ip> Up 0 00:31:03 24360/3555
lab-mx80> show bgp summary
<bgp peer ip> <peer asn> 97906 66 0 0
29:44 615844/615844/615844/0 0/0/0/0
lab-mx80> show chassis routing-engine
Load averages: 1 minute 5 minute 15 minute
0.94 1.00 0.92
lab-mx80> show system processes summary
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
2016 root 3 76 0 476M 385M RUN 29:23 93.99% rpd
set policy-options policy-statement rpki-validation term valid from
protocol bgp
set policy-options policy-statement rpki-validation term valid from
validation-database valid
set policy-options policy-statement rpki-validation term valid then
validation-state valid
set policy-options policy-statement rpki-validation term valid then
community set valid
set policy-options policy-statement rpki-validation term valid then accept
set policy-options policy-statement rpki-validation term invalid from
protocol bgp
set policy-options policy-statement rpki-validation term invalid from
validation-database invalid
set policy-options policy-statement rpki-validation term invalid then
validation-state invalid
set policy-options policy-statement rpki-validation term invalid then
community set invalid
set policy-options policy-statement rpki-validation term invalid then accept
set policy-options policy-statement rpki-validation term else then
community set unknown
set policy-options policy-statement rpki-validation term else then accept
We don’t have a bigger MX chassis spare so MX240-480-960 boxes might have
enough horsepower to get through this. Anyone else tried playing with
origin validation on Juniper gear yet? If so, did you get similar results?
More information about the juniper-nsp
mailing list