
Unicast Reverse Path Forwarding

August 20th, 2015 in ROUTE 300-101

Question 1

Explanation

The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against malformed or “spoofed” IP packets passing through a router. A spoofed IP address is one that is manipulated to have a forged IP source address. Unicast RPF enables the administrator to drop packets that lack a verifiable source IP address at the router.

Unicast RPF is enabled per router interface. When the feature is enabled, the router examines each packet arriving inbound on that interface and checks whether the best route back to the packet's source address points out the receiving interface. Cisco Express Forwarding (CEF) is required on the router because the Forwarding Information Base (FIB) is the table used for this reverse lookup.

Unicast RPF works in one of three modes:
+ Strict mode: the router performs two checks on every packet arriving on the interface. First, does the FIB contain a matching route for the packet's source address? Second, does that route point out the same interface on which the packet was received? A packet fails if either check fails.
+ Loose mode: the router checks only that the FIB contains a matching route for the source address; the route may point out any interface.
+ VRF mode: applies either loose or strict checking within a given VRF, evaluating an incoming packet's source IP address against the VRF table configured for an eBGP neighbor.

Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition

Question 2

Explanation

When Unicast Reverse Path Forwarding is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface.

Question 3

Explanation

First we need to understand the "allow-default" keyword:

Normally uRPF does not pass traffic whose source address matches only the default route. The "allow-default" keyword overrides this behavior so that traffic matching only the default route is allowed through. In strict mode the receiving-interface check still applies, so the default route must itself point out the interface the packet arrived on.

In answer A, the command "ip verify unicast source reachable-via rx allow-default" under interface Fa0/0 enables uRPF strict mode on Fa0/0 with the default route allowed. Traffic from the 172.16.1.0/24 network (and, via the default route, from any other source) can enter on this interface, except traffic sourced from 10.0.0.0/8, because the route to that network points out Fa0/1 only. Packets claiming a 10.0.0.0/8 source can therefore enter router TUT only on Fa0/1, thus "limiting spoofed 10.0.0.0/8 hosts that could enter router".

Question 4

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If the best route back to that source points out the interface on which the packet arrived, the packet is allowed in (strict mode).

[Figure: uRPF.jpg]

The syntax for configuring uRPF in interface configuration mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables loose mode uRPF: the packet is accepted if the router has a route to the source address via any interface.
The rx option enables strict mode uRPF: the packet is accepted only if the route to the source address points out the interface on which the packet was received.
The allow-default option lets the default route satisfy the source-address check -> the answer "allow default route" is a valid option.
The allow-self-ping option allows the router to ping its own interface addresses through the check -> the answer "allow self ping to router" is a valid option. (Cisco's command reference cautions that this keyword opens a potential denial-of-service hole, so enable it only when needed.)
uRPF can also reference an access list to decide what happens to traffic that fails the check -> the answer "allow based on ACL match" is a valid option. An example is shown below:
Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#interface fa0/1
Router(config-if)#ip verify unicast source reachable-via any 110
Note: the access list is consulted only for packets that fail the Unicast RPF check. A "permit" statement lets such packets be forwarded anyway; a "deny" statement (or the implicit deny at the end of the list) drops them. In the example above, packets from 192.168.1.0/24 are forwarded even if they fail the uRPF check.
The remaining option, "source reachable via both", is not valid syntax: the command takes either rx or any, never both, so it is the best answer to this question. (Its wording may be a garbled reference to loose mode.)
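The decision logic described above (strict and loose modes in Question 1, allow-default in Question 3, and the ACL exemption in Question 4) can be traced with a small simulation. The following Python is an added example, not code from Cisco IOS, from 9tut, or from the original page: the FIB contents, interface names, access list and packets are constructed to mirror the router TUT scenario, and the function names (urpf_check, fib_lookup, acl_permits) are the example's own.

```python
"""Simulation of the uRPF source-address decision described on this page.

Added example: this is not code from Cisco IOS or from the original page.
The FIB, interface names, ACL and packets are constructed for illustration;
the decision logic follows the page's description of strict mode (rx),
loose mode (any), allow-default, and the ACL exemption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed FIB for router TUT from Question 3: prefix -> outgoing interface.
# uRPF does its reverse lookup in the same table CEF forwards with.
FIB: Dict[str, str] = {
    "0.0.0.0/0": "Fa0/0",        # default route leaves via Fa0/0
    "172.16.1.0/24": "Fa0/0",
    "10.0.0.0/8": "Fa0/1",
    "192.168.1.0/24": "Fa0/2",
}

# Constructed equivalent of: access-list 110 permit ip 192.168.1.0 0.0.0.255 any
ACL_110: List[Tuple[str, str]] = [("permit", "192.168.1.0/24")]


@dataclass
class UrpfConfig:
    """ip verify unicast source reachable-via {rx|any} [allow-default] [acl]"""
    mode: str                    # "rx" = strict, "any" = loose
    allow_default: bool = False
    acl: Optional[List[Tuple[str, str]]] = None


def fib_lookup(fib: Dict[str, str], src: str):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def acl_permits(acl: List[Tuple[str, str]], src: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def urpf_check(fib: Dict[str, str], cfg: UrpfConfig,
               in_if: str, src: str) -> Tuple[bool, str]:
    """Return (forward?, reason) for a packet with source src arriving on in_if."""
    hit = fib_lookup(fib, src)
    if hit is None:
        ok, why = False, "no route to source"
    elif hit[0].prefixlen == 0 and not cfg.allow_default:
        ok, why = False, "only the default route matches the source"
    elif cfg.mode == "rx" and hit[1] != in_if:
        ok, why = False, f"best path to source is {hit[1]}, packet arrived on {in_if}"
    else:
        ok, why = True, f"source reachable via {hit[1]} (mode {cfg.mode})"
    if ok:
        return True, why
    # The ACL is consulted only when the uRPF check fails: a permit entry
    # forwards the packet anyway; a deny (or the implicit deny) drops it.
    if cfg.acl is not None and acl_permits(cfg.acl, src):
        return True, why + "; forwarded by ACL permit"
    return False, why


# Constructed packets: name -> (interface config, ingress interface, source)
SCENARIOS = {
    "q3 172.16.1.5 on Fa0/0": (UrpfConfig("rx", allow_default=True), "Fa0/0", "172.16.1.5"),
    "q3 spoofed 10.1.2.3 on Fa0/0": (UrpfConfig("rx", allow_default=True), "Fa0/0", "10.1.2.3"),
    "q3 internet 203.0.113.7 on Fa0/0": (UrpfConfig("rx", allow_default=True), "Fa0/0", "203.0.113.7"),
    "strict no allow-default 203.0.113.7 on Fa0/0": (UrpfConfig("rx"), "Fa0/0", "203.0.113.7"),
    "loose 172.16.1.5 on Fa0/1": (UrpfConfig("any"), "Fa0/1", "172.16.1.5"),
    "strict+acl 192.168.1.10 on Fa0/1": (UrpfConfig("rx", acl=ACL_110), "Fa0/1", "192.168.1.10"),
    "strict+acl 172.16.1.5 on Fa0/1": (UrpfConfig("rx", acl=ACL_110), "Fa0/1", "172.16.1.5"),
}


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed packet; returns name -> (forward?, reason)."""
    return {name: urpf_check(FIB, cfg, in_if, src)
            for name, (cfg, in_if, src) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{'FORWARD' if ok else 'DROP   '}  {name}: {why}")
```

Running it reproduces the Question 3 reasoning: on Fa0/0 with "rx allow-default", 172.16.1.0/24 and unknown Internet sources are forwarded while a packet claiming a 10.0.0.0/8 source is dropped, because the only route to 10.0.0.0/8 points out Fa0/1. Dropping allow-default turns the unknown source into a drop. The ACL cases show that the list is only consulted after a failure: a 192.168.1.0/24 source arriving on the wrong interface is rescued by the permit entry, while 172.16.1.5 on the wrong interface hits the implicit deny. With the page's own "reachable-via any 110" configuration the exemption matters only for sources that fail the loose check (no route at all, or default-only without allow-default). The simulation models just the uRPF step; on a real router an inbound access-group ACL on the interface is evaluated before uRPF.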
Comments
  1. Patty
    August 15th, 2016

    Hey, that’s polrfeuw. Thanks for the news.

  2. Warning!
    September 22nd, 2016

    For 9tut Team:

    Do you know why the PDF document Rout_Sept_2015 is missing a few questions on different topics? In this case, questions 3 and 4 don't appear in the document!

    I will appreciate your feedback!

  3. worood naif
    September 27th, 2016

    Thanks Digital tut!

  4. team player
    October 4th, 2016

    I failed today with a 640. The ‘300-101: Implementing Cisco IP Routing’ exam is completely different than what is on this site. Not even close. There are maybe 10 questions that are the same… What happened???

  5. Warning!
    October 4th, 2016

    Hello Team Player…

    I really appreciate your feedback. I was thinking of taking my exam next month and I was studying from this site…

    Did you study from the PDF document Route Apr 2016, or an old one??

    Your notice is something to be worried about…

  6. Burned
    October 4th, 2016

    Yup, same experience today, the exam was very different, but the labs were similar to those found on this page.
    Forget the 146 and 149 dumps, they are basically copies of the questions in the April dump.

  7. Warning!
    October 5th, 2016

    Burned, how are you? Thanks for the feedback. The only thing is waiting for updates, I think… it seems like the exam is changing right now, but last year the exam changed too…!?
    Please, any updates will be welcome!!!!

  8. Devastated
    October 5th, 2016

    @Warning!,
    yes I used the Route Apr 2016, and it is no longer valid. Wait for a new dump before you go for your exam

  9. Team Player
    October 5th, 2016

    Route Apr 2016 is no longer valid


  11. tagwa tagelsir
    November 1st, 2016
  12. Flash
    November 7th, 2016

    Hi tagwa tagelsir, are those valid dumps? Are those updated questions?? Can you please confirm?

  13. QQ
    November 14th, 2016

    Everything you require to get ready and quickly pass the tough Cisco Certified Design Professional 300-101exam with 100% valid questions answers & pass guarantee in first attempt. http://www.grades4sure.com/300-101-exam-questions.html

  14. R
    December 26th, 2016

    tagwa tagelsir, how long will the dumps be valid?

  15. Anonymous
    February 18th, 2017
  16. Messi
    May 14th, 2017

    What does uRPF check first when a packet enters the interface, or when unicast reverse path forwarding is configured on an interface? The answer should be: it checks for a route in the table for the source.
    What if both an ACL and a uRPF command are present on the interface? Which would it go by first? Would it drop the packet if a deny ACL is matched even if the uRPF check is successful? Is this even possible? I just ran test commands on a router, and the router accepted both an ingress ACL (access-group) as well as the uRPF command. Can anybody help?

  17. zzz
    May 16th, 2017

    @Messi
    I have been looking into this also and this is the best info I have found.

    http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf.html

    When a packet is received at the interface where Unicast RPF and ACLs have been configured, the following actions occur:

    Step 1 Input ACLs configured on the inbound interface are checked.
    Step 2 Unicast RPF checks to see if the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.
    Step 3 CEF table (FIB) lookup is carried out for packet forwarding.
    Step 4 Output ACLs are checked on the outbound interface.
    Step 5 The packet is forwarded.

  18. zzz
    May 16th, 2017

    Access Control Lists and Logging
    If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
    If no ACL is specified in the Unicast RPF command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
    Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the Unicast RPF command. Using the log information, administrators can see what source addresses are being used in the attack, the time the packets arrived at the interface, and so on.

  19. AnyMaster
    July 9th, 2017

    What is not supported by Unicast Reverse Path Forwarding interface?
    Right Answer: Searchable both.

    Expl.: the answer ‘searchable both’, maybe, is trying to say ‘rx’ and ‘any’ that are the two possible ways uRPF works (strict and loose). You can only choose one! The other answers are supported (ping-to self , default-route, ACL).

    Let’s see the command:
    interface FastEthernet 0/0
    ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]

    *the only thing you MUST choose just one of is {rx OR any}!

  20. AnyMaster
    July 9th, 2017

    Completing my previous post… the dump is saying ACL because only the 12000 router cannot use that! It's completely insane that Cisco would get into these specifics in all questions; this way it would be impossible to pass. The dump tries to find the easy answer by googling.

  21. Anonymous
    July 18th, 2017

    I have the latest dump for 300-101 route – email me at iastate80 at yahoo dot com.

  22. Dash
    July 19th, 2017

    For latest dumps with continuous update, contact me at darshendash @ gmail . com
