[j-nsp] Origin Validation on MX80

Brad Fleming bdflemin at gmail.com
Wed Aug 17 10:46:37 EDT 2016 

Hello all,

We’ve been playing around a bit with BGP origin validation on a lab MX80.
While everything seems to work CPU load is pretty high. We’ve observed this
elevated CPU with both 14.3R<something> and 16.1R1.7. Just wondering if
anyone else experienced similar or whether we’ve configured something
sideways and caused a problem.

lab-mx80> show version
Junos: 16.1R1.7


lab-mx80> show validation session
Session                                  State   Flaps     Uptime
#IPv4/IPv6 records
<cache ip>                               Up          0   00:31:03 24360/3555


lab-mx80> show bgp summary
<bgp peer ip>        <peer asn>      97906         66       0       0
29:44 615844/615844/615844/0 0/0/0/0


lab-mx80> show chassis routing-engine
    Load averages:                 1 minute   5 minute  15 minute
                                       0.94       1.00       0.92

lab-mx80> show system processes summary
  PID USERNAME   THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 2016 root         3  76    0   476M   385M RUN     29:23 93.99% rpd


set policy-options policy-statement rpki-validation term valid from
protocol bgp
set policy-options policy-statement rpki-validation term valid from
validation-database valid
set policy-options policy-statement rpki-validation term valid then
validation-state valid
set policy-options policy-statement rpki-validation term valid then
community set valid
set policy-options policy-statement rpki-validation term valid then accept
set policy-options policy-statement rpki-validation term invalid from
protocol bgp
set policy-options policy-statement rpki-validation term invalid from
validation-database invalid
set policy-options policy-statement rpki-validation term invalid then
validation-state invalid
set policy-options policy-statement rpki-validation term invalid then
community set invalid
set policy-options policy-statement rpki-validation term invalid then accept
set policy-options policy-statement rpki-validation term else then
community set unknown
set policy-options policy-statement rpki-validation term else then accept


We don’t have a bigger MX chassis spare so MX240-480-960 boxes might have
enough horsepower to get through this. Anyone else tried playing with
origin validation on Juniper gear yet? If so, did you get similar results?

More information about the juniper-nsp mailing list