Unicast Reverse Path Forwarding

Question 1

What are the three modes of Unicast Reverse Path Forwarding?

A. strict mode, loose mode, and VRF mode
B. strict mode, loose mode, and broadcast mode
C. strict mode, broadcast mode, and VRF mode
D. broadcast mode, loose mode, and VRF mode

Answer: A

Explanation

The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against malformed or “spoofed” IP packets passing through a router. A spoofed packet is one whose IP source address has been forged. Unicast RPF lets the administrator drop, at the router, packets whose source IP address cannot be verified against the routing table.

Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface. Cisco Express Forwarding (CEF) is required on the router because the Forwarding Information Base (FIB) is the mechanism checked for the interface match.

Unicast RPF works in one of three different modes:
+ Strict mode: the router performs two checks on every packet arriving on the interface. First, does the FIB contain a route for the packet’s source address? Second, does that route point out the same interface the packet arrived on? Both must hold or the packet is dropped.
+ Loose mode: the router only checks that the FIB contains a route for the source address; the interface that route points to does not matter.
+ VRF mode: applies either loose or strict checking within a given VRF, evaluating an incoming packet’s source IP address against the VRF table configured for an eBGP neighbor.

Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition

Question 2

Which address is used by the Unicast Reverse Path Forwarding protocol to validate a packet against the routing table?

A. source address
B. destination address
C. router interface
D. default gateway

Answer: A

Explanation

When Unicast Reverse Path Forwarding is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface.

Question 3

Refer to the exhibit.

Which option represents the minimal configuration that allows inbound traffic from the 172.16.1.0/24 network to successfully enter router TUT, while also limiting spoofed 10.0.0.0/8 hosts that could enter router TUT?

A. (config)#ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx allow-default
B. (config)#ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx
C. (config)#no ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx
D. (config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via any

Answer: A

Explanation

First we need to understand the “allow-default” keyword:

Normally uRPF does not count a match on the default route (0.0.0.0/0) as a valid reverse path, so a source that is covered only by the default route fails the check. The “allow-default” keyword overrides this behavior: a source that matches the default route is accepted.

In answer A, the “ip verify unicast source reachable-via rx allow-default” command under interface Fa0/0 enables uRPF strict mode on Fa0/0 with the default route allowed. Given that (per the exhibit) TUT reaches 172.16.1.0/24 only through its default route out Fa0/0, traffic from 172.16.1.0/24, and indeed any source that matches only the default route, is accepted on that interface. Packets with a source in 10.0.0.0/8 are still dropped on Fa0/0, because the FIB holds a more specific route for 10.0.0.0/8 that points to Fa0/1; that network can only enter TUT through Fa0/1, which is what “limiting spoofed 10.0.0.0/8 hosts that could enter router” means. Without allow-default (answer B) the 172.16.1.0/24 traffic would be dropped as well; answer C disables CEF, which uRPF requires; and loose mode (answer D) would accept the spoofed 10.0.0.0/8 sources because a route for them exists somewhere in the FIB. Note the trade-off: allow-default admits spoofed sources from any address space that has no more specific route, so it is weaker than plain strict mode.

Question 4

Which option is invalid when configuring Unicast Reverse Path Forwarding?

A. allow self ping to router
B. allow default route
C. allow based on ACL match
D. source reachable via both

Answer: D

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. In strict mode the packet is allowed in only if the FIB route for that source points out the interface the packet arrived on.

The syntax of configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables loose mode uRPF on the interface: the packet is accepted if the router has a route to the source address via any interface.

The rx option enables strict mode uRPF on the interface: the packet is accepted only if the route to the source address points out the interface on which the packet was received.

The allow-default option lets a match on the default route satisfy the source check -> “allow default route” is a valid option.

The allow-self-ping option lets the router ping its own interface addresses through a uRPF-enabled interface; by default such router-generated packets destined to the router are dropped, which complicates troubleshooting -> “allow self ping to router” is a valid option.

Reference: http://www.cisco.com/c/en/us/td/docs/routers/10000/10008/configuration/guides/broadband/bba/urpf.pdf

Another feature of uRPF is that an access list can be attached to decide what happens to traffic that fails the check -> “allow based on ACL match” is a valid option. An example is shown below:

Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#interface fa0/1
Router(config-if)#ip verify unicast source reachable-via any 110

Note: the access list is consulted only for packets that fail the Unicast RPF check. A “permit” statement allows such a packet to be forwarded anyway; a “deny” statement (including the implicit deny at the end of every ACL) drops it. In the example above, packets from 192.168.1.0/24 are forwarded even if they fail the uRPF check.

The last option, “source reachable via both”, does not correspond to any keyword of the command: the only reachability choices are rx (strict) and any (loose). It is therefore the invalid option and the correct answer.

Question 5

Which mode of uRPF causes a router interface to accept a packet, if the network to which the packet’s source IP address belongs is found in the router’s FIB?

A. Strict mode
B. Loose mode
C. Auto mode
D. Desirable mode

Answer: B

Explanation

Loose mode requires only that the FIB contain a route for the packet’s source address; the interface that route points to is irrelevant. Strict mode additionally requires that the route point back out the interface the packet arrived on (see the explanation of Question 1 for the three modes). The question states only that the network containing the source address is found in the FIB, which is exactly the loose-mode condition, so loose mode is the mode that accepts the packet on that basis alone.

Question 6

When Unicast Reverse Path Forwarding is configured on an interface, which action does the interface take first when it receives a packet?

A. It checks the ingress access list
B. It checks the egress access list
C. It verifies a reverse path via the FIB to the source
D. It verifies that the source has a valid CEF adjacency

Answer: A

Explanation

When a packet is received at the interface where Unicast RPF and ACLs have been configured, the following actions occur:
Step 1: Input ACLs configured on the inbound interface are checked.
Step 2: Unicast RPF checks to see if the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.
Step 3: CEF table (FIB) lookup is carried out for packet forwarding.
Step 4: Output ACLs are checked on the outbound interface.
Step 5: The packet is forwarded.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf.html

Question 7

Which command sequence can you enter on a router to configure Unicast Reverse Path Forwarding in loose mode?

A. interface GigabitEthernet0/0
ip verify unicast source reachable-via all

B. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose

C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any

D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx

Answer: C

Question 8

What option can be used for uRPF in loose mode on the command “ip verify unicast source reachable-via”?

A. rx
B. any
C. allow-default

Answer: B

Explanation

The command “ip verify unicast source reachable-via any” enables uRPF in loose mode, which only checks whether the router has a matching entry for the source in the routing table.

Question 9

Which command sequence can you enter a router to configure Unicast Reverse Path Forwarding in loose mode?

A. interface GigabitEthernet0/0
ip verify unicast source reachable-via loose

B. interface GigabitEthernet0/0
ip verify unicast source reachable-via all

C. interface GigabitEthernet0/0
ip verify unicast source reachable-via any

D. interface GigabitEthernet0/0
ip verify unicast source reachable-via rx

Answer: C

Question 10

Which of the following can cause an issue for uRPF?

A. Asymmetric routing
B. CEF not enabled
C. uRPF not applied to the traffic source
D. if it is used as ingress filtering

Answer: A

Explanation

uRPF, strict mode in particular, assumes that the path a packet takes into the router is the reverse of the path the router would use to reach its source. With asymmetric routing a legitimate packet can arrive on an interface that is not the one the FIB uses to reach its source, so strict mode drops it as if it were spoofed. Loose mode tolerates asymmetry because it only requires that some route to the source exists, at the cost of weaker spoofing protection. CEF is simply a prerequisite (uRPF cannot be enabled without it) and “not applied to the traffic source” describes uRPF being absent rather than misbehaving, while ingress filtering is exactly what uRPF is designed for.
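The following Python script is an added illustration for this page; it is not Cisco code and not part of the original questions. It models the uRPF decision described in Question 1 (strict versus loose), the allow-default scenario of Question 3, the ACL fall-through of Question 4, and the asymmetric-routing drop discussed in this question. The FIB, interface names, ACL and source addresses are constructed for the example; equal-cost multipath and the DHCP 0.0.0.0 exception are deliberately left out.

```python
"""Toy model of Cisco Unicast RPF decisions (added illustration, not Cisco code).

Behaviour modelled, as the questions on this page describe it:
  - strict ('rx'): the source must be in the FIB and the best route must
    point out the interface the packet arrived on;
  - loose ('any'): the source only has to be in the FIB;
  - allow-default: a match on 0.0.0.0/0 counts as a hit (otherwise it does not);
  - an optional ACL is consulted only when the RPF check fails: permit
    forwards the packet anyway, deny (or no match) drops it.
The FIB, ACL, interface names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


def route(cidr: str, iface: str) -> Route:
    return Route(ipaddress.ip_network(cidr), iface)


# Constructed FIB for router "TUT": default route out Fa0/0, while 10/8 and
# 192.168.1.0/24 are reachable only via Fa0/1.
FIB: List[Route] = [
    route("0.0.0.0/0", "Fa0/0"),
    route("10.0.0.0/8", "Fa0/1"),
    route("192.168.1.0/24", "Fa0/1"),
]

# Constructed ACL 110 (permit ip 192.168.1.0 0.0.0.255 any), implicit deny after it.
ACL_110: List[Tuple[str, str]] = [("permit", "192.168.1.0/24")]


def lookup(fib: List[Route], src: str) -> Optional[Route]:
    """Longest-prefix match of the source address in the FIB (None if no route)."""
    ip = ipaddress.ip_address(src)
    best = None
    for r in fib:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpf_check(fib: List[Route], src: str, in_iface: str, mode: str,
              allow_default: bool = False) -> bool:
    """True if the packet passes the reverse-path check itself (ACL not involved)."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    best = lookup(fib, src)
    if best is None:
        return False                      # no route at all to the source
    if best.prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "any":
        return True                       # loose: any route is enough
    return best.out_iface == in_iface     # strict: route must point back out the ingress


def acl_permits(acl: List[Tuple[str, str]], src: str) -> bool:
    """First-match ACL evaluation with Cisco's implicit deny at the end."""
    ip = ipaddress.ip_address(src)
    for action, cidr in acl:
        if ip in ipaddress.ip_network(cidr):
            return action == "permit"
    return False


def urpf(fib: List[Route], src: str, in_iface: str, mode: str,
         allow_default: bool = False,
         acl: Optional[List[Tuple[str, str]]] = None) -> str:
    """Per-packet decision for 'ip verify unicast source reachable-via ...'."""
    if rpf_check(fib, src, in_iface, mode, allow_default):
        return "forward"
    if acl is not None and acl_permits(acl, src):
        return "forward"                  # failed RPF but exempted by the ACL
    return "drop"


def scenarios() -> dict:
    """The cases discussed in Questions 3, 4 and 10, as (case -> decision)."""
    return {
        # Question 3, answer A: strict + allow-default on Fa0/0
        "q3A 172.16.1.10 on Fa0/0": urpf(FIB, "172.16.1.10", "Fa0/0", "rx", allow_default=True),
        "q3A spoofed 10.1.1.1 on Fa0/0": urpf(FIB, "10.1.1.1", "Fa0/0", "rx", allow_default=True),
        # Question 3, answer B: strict without allow-default drops the real traffic too
        "q3B 172.16.1.10 on Fa0/0": urpf(FIB, "172.16.1.10", "Fa0/0", "rx"),
        # Question 3, answer D: loose mode lets the spoofed 10/8 source through
        "q3D spoofed 10.1.1.1 on Fa0/0": urpf(FIB, "10.1.1.1", "Fa0/0", "any"),
        # Question 10: legitimate 192.168.1.5 arrives on Fa0/0 but the FIB points to Fa0/1
        "q10 strict asymmetric": urpf(FIB, "192.168.1.5", "Fa0/0", "rx"),
        "q10 loose asymmetric": urpf(FIB, "192.168.1.5", "Fa0/0", "any"),
        # Question 4: the same strict failure is rescued by ACL 110, a spoofed 10/8 source is not
        "q4 strict asymmetric + ACL 110": urpf(FIB, "192.168.1.5", "Fa0/0", "rx", acl=ACL_110),
        "q4 strict spoofed 10.1.1.1 + ACL 110": urpf(FIB, "10.1.1.1", "Fa0/0", "rx", acl=ACL_110),
    }


if __name__ == "__main__":
    for case, decision in scenarios().items():
        print(f"{case:40s} -> {decision}")
```

Running the script prints each case with its decision: the q3A cases reproduce answer A of Question 3 (172.16.1.10 forwarded, spoofed 10.1.1.1 dropped), q3B shows why allow-default is needed, and the q10 pair shows the same legitimate host dropped in strict mode and accepted in loose mode.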