# RPKI on IOS-XE (Validation)

Load **ios-xe.rpki.enable.init.cfg**

```
#IOS-XE (R1, R2, R3)
config replace flash:ios-xe.rpki.enable.init.cfg
```

<figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FCJcBVCqUXcMigZwUymTV%2Fimage.png?alt=media&#x26;token=2d2c5682-68b7-4137-a5bf-99d333be64bb" alt=""><figcaption></figcaption></figure>

BGP is already set up between R1-R2 and R2-R3. Configure RPKI on R2 for both IPv4 and IPv6. Reject invalid IPv4 prefixes, but allow invalid IPv6 prefixes.

The RPKI server is reachable at 10.100.100.1 on port 3323.

## Answer <a href="#id-858cbd68-d189-4d18-bf87-874c96a898ad" id="id-858cbd68-d189-4d18-bf87-874c96a898ad"></a>

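```
#R2
router bgp 1245
 ! RTR session to the RPKI cache; refresh every 600 seconds
 bgp rpki server tcp 10.100.100.1 port 3323 refresh 600
 !
 ! IPv4 needs no extra command: invalid prefixes are rejected by default
 address-family ipv6
  ! Keep RPKI-invalid IPv6 prefixes eligible for bestpath
  bgp bestpath prefix-validate allow-invalid
```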

## Explanation/Verification <a href="#id-546edd96-2f3a-459e-8011-94037bf12e6b" id="id-546edd96-2f3a-459e-8011-94037bf12e6b"></a>

In the previous lab, we enabled RPKI and disabled prefix validation using **bgp bestpath prefix-validate disable**. This lab asks us to verify prefix validation, but allow invalid IPv6 prefixes as part of the bestpath process. To do this, we use **bgp bestpath prefix-validate allow-invalid** under IPv6/unicast.

```
#R2
router bgp 1245
 address-family ipv6
  ! Invalid IPv6 prefixes stay eligible for bestpath
  bgp bestpath prefix-validate allow-invalid
```

Examine the BGP IPv6/unicast table first. Notice that prefixes are marked V (valid), I (invalid), or N (not found). Invalid prefixes (I) are still eligible to be selected as the best path.

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2Fw5wNpCyKqB2HD0Lm0jJm%2Fimage.png?alt=media&#x26;token=1dcf24d6-0460-47e1-b802-75ee84164c85" alt=""><figcaption></figcaption></figure></div>

Examine IPv4/unicast and notice that the invalid prefixes are rejected. These are not routable at all now. Notice that the prefixes that did not have any ROAs (1.100.100.0/24) are still accepted.

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FP4EISsS2VfMtb2pWFaWX%2Fimage.png?alt=media&#x26;token=92782b37-7024-4aeb-b189-7182e43237ef" alt=""><figcaption></figcaption></figure></div>
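
The V/I/N states and R2's per-address-family handling of them can be reproduced off-box. The Python sketch below is an added example, not part of the original lab: it applies RFC 6811 origin validation to constructed VRPs (documentation prefixes and ASNs, not the lab's ROAs) and then the lab's policy. The names `bestpath_eligible` and `ALLOW_INVALID` are hypothetical, and the code models bestpath eligibility only, not the full IOS-XE bestpath algorithm.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """One validated ROA payload, as an RPKI cache would send it over RTR."""
    prefix: str
    max_len: int
    asn: int

# Constructed sample data: documentation prefixes and ASNs, not the lab's ROAs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("2001:db8::/32", 48, 64500),
]

# Assumed model of R2 in this lab: IPv4 keeps the default, IPv6 has allow-invalid.
ALLOW_INVALID = {4: False, 6: True}

def validate(route, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        roa = ipaddress.ip_network(vrp.prefix)
        if roa.version != net.version or not net.subnet_of(roa):
            continue  # this VRP does not cover the route
        covered = True
        # A covering VRP matches only if length and origin agree (AS 0 never matches).
        if net.prefixlen <= vrp.max_len and vrp.asn != 0 and vrp.asn == origin_asn:
            return "valid"
    # Covered by at least one VRP but matched by none is invalid; uncovered is not-found.
    return "invalid" if covered else "not-found"

def bestpath_eligible(route, origin_asn, vrps=VRPS):
    """Return (state, eligible) under the per-address-family policy above."""
    state = validate(route, origin_asn, vrps)
    version = ipaddress.ip_network(route).version
    return state, state != "invalid" or ALLOW_INVALID[version]

if __name__ == "__main__":
    samples = [  # constructed (prefix, origin AS) pairs
        ("192.0.2.0/24", 64500), ("192.0.2.0/24", 64501), ("192.0.2.128/25", 64500),
        ("198.51.100.0/24", 64501), ("2001:db8:1::/48", 64500), ("2001:db8:2::/48", 64501),
    ]
    for prefix, asn in samples:
        state, ok = bestpath_eligible(prefix, asn)
        print(f"{state[0].upper()} {prefix:<18} AS{asn}  eligible={ok}")
```

The more-specific `192.0.2.128/25` is invalid even with the correct origin AS because it exceeds the VRP's maximum length, which is the case that catches more-specific hijacks.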
