
Unicast Reverse Path Forwarding

August 20th, 2015 in ROUTE 300-101

Question 1

Explanation

The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against malformed or “spoofed” IP packets passing through a router. A spoofed IP address is one that is manipulated to have a forged IP source address. Unicast RPF enables the administrator to drop packets that lack a verifiable source IP address at the router.

Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface. Cisco Express Forwarding (CEF) is required on the router because the Forwarding Information Base (FIB) is the mechanism checked for the interface match.

Unicast RPF works in one of three different modes:
+ Strict mode: the router performs two checks for all incoming packets on a given interface. The first check is whether the router has a matching entry for the source in the routing table. The second check is whether the router uses the same interface to reach this source as the interface on which the packet was received.
+ Loose mode: the router only checks whether it has a matching entry for the source in the routing table.
+ VRF mode: uses either loose or strict mode within a given VRF, evaluating an incoming packet’s source IP address against the VRF table configured for an eBGP neighbor.

Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition

Question 2

Explanation

When Unicast Reverse Path Forwarding is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface.

Question 3

Explanation

First we need to understand the “allow-default” keyword here:

Normally, uRPF will not allow traffic whose source address only matches the default route. The “allow-default” keyword overrides this behavior, so uRPF allows traffic that matches the default route to pass through.

In answer A, the “ip verify unicast source reachable-via rx allow-default” command under interface Fa0/0 enables uRPF strict mode on Fa0/0. Therefore traffic from the 172.16.1.0/24 network (and in fact any traffic) can enter through this interface, except traffic sourced from the 10.0.0.0/8 network, because that network is reachable via interface Fa0/1 only. The 10.0.0.0/8 network can only enter the TUT router from Fa0/1, thus “limiting spoofed 10.0.0.0/8 hosts that could enter router”.

Question 4

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it matches with the interface used to reach this source IP then the packets are allowed to enter (strict mode).

[Figure: uRPF.jpg]

The syntax for configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables Loose Mode uRPF on the router. This mode only requires that the router can reach the source address via any interface.
The rx option enables Strict Mode uRPF on the router. This mode ensures that the router reaches the source address only via the interface on which the packet was received.
You can also use the allow-default option, so that the default route can match when checking the source address -> Answer “allow default route” is a valid option.
The allow-self-ping option allows the router to ping itself -> Answer “allow self ping to router” is a valid option.
Another feature of uRPF is that we can use an access-list to specify the traffic we do or do not want to check -> Answer “allow based on ACL match” is a valid option. An example is shown below:

Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#interface fa0/1
Router(config-if)#ip verify unicast source reachable-via any 110

Note: Access-list “permit” statements allow traffic to be forwarded even if it fails the Unicast RPF check; access-list “deny” statements drop matched traffic that fails the Unicast RPF check. In the above example, the 192.168.1.0/24 network is allowed even if it fails the uRPF check.

The last option, “source reachable via both”, does not correspond to any keyword in the syntax above, so it is the best answer in this case, although it may be alluding to uRPF loose mode.
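To make the strict/loose, allow-default and ACL-exemption behaviour described in Questions 1, 3 and 4 concrete, here is an added Python model of the uRPF decision (example code written for this page, not Cisco IOS code). The FIB entries for the “TUT” router and the ACL 110 contents are constructed to mirror the scenarios above; a real router consults its CEF FIB rather than a dictionary.

```python
import ipaddress

# Constructed FIB for the TUT router scenario: prefix -> egress interface.
# 0.0.0.0/0 is the default route, pointing out Fa0/0.
FIB = {
    "0.0.0.0/0": "Fa0/0",
    "172.16.1.0/24": "Fa0/0",
    "10.0.0.0/8": "Fa0/1",
}

# Constructed equivalent of "access-list 110 permit ip 192.168.1.0 0.0.0.255 any":
# sources permitted here are forwarded even when the uRPF check fails.
ACL_110_PERMIT = ["192.168.1.0/24"]


def fib_lookup(src):
    """Longest-prefix match of src in FIB; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, in_iface, mode="rx", allow_default=False, acl=None):
    """Return True if the packet is forwarded, False if uRPF drops it.

    mode="rx" is strict mode (source must be reachable via in_iface),
    mode="any" is loose mode (source only needs a FIB entry).
    A source that matches only the default route fails unless allow_default.
    An ACL permit overrides a failed check, as in the Question 4 example.
    """
    hit = fib_lookup(src)
    passed = False
    if hit is not None:
        net, egress = hit
        if net.prefixlen > 0 or allow_default:
            passed = (mode == "any") or (egress == in_iface)
    if not passed and acl is not None:
        addr = ipaddress.ip_address(src)
        passed = any(addr in ipaddress.ip_network(p) for p in acl)
    return passed
```

In strict mode with allow-default on Fa0/0, a packet claiming a 10.0.0.0/8 source is dropped on Fa0/0 (that prefix is reachable via Fa0/1 only), while 172.16.1.0/24 and default-route sources pass, which is exactly the Question 3 outcome.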
Comments
  1. william
    February 25th, 2015

    Thanks Digital tut!

  2. bangash
    March 12th, 2015

    thanks

  3. DOTTRAM
    April 15th, 2015

    Please someone send me the latest dump!)

  4. DOTTRAM
    April 15th, 2015
  5. digitaltut
    July 24th, 2015

    @all: Because of copyrighted issue, we had to remove all the questions and answers. We can only keep the explanations. You can download all the questions and answers at: https://mega.co.nz/#!0pUxSZoJ!s293gEdQu4xLndoA7zZTq5ldia3gdZlrZqNxc_AgpFc
    or
    http://www.4shared.com/office/-GBRNxjKce/ROUTE_July_2015.html

  6. Vesuvius
    September 10th, 2015

    I thought the 3rd uRPF mode was Feasible mode?

    In feasible mode, the FIB maintains alternate routes to a given ip address. If the incoming interface matches with any of the routes associated with the ip address, then the packet is forwarded. Otherwise the packet is dropped.

    What is correct? Google indicates it’s feasible mode.

  7. Jacobakerblogg
    September 28th, 2015

    Unicast RPF does not use the routing table but the FIB table.

  8. Patty
    August 15th, 2016

    Hey, that’s polrfeuw. Thanks for the news.

  9. Warning!
    September 22nd, 2016

    For 9tut Team:

    Do you know why the PDF document Rout_Sept_2015 doesn’t have a few questions from different topics? In this case, questions 3 and 4 don’t appear in the document!

    I will appreciate your feedback!

  10. worood naif
    September 27th, 2016

    Thanks Digital tut!

  11. team player
    October 4th, 2016

    I failed today with a 640. The ‘300-101: Implementing Cisco IP Routing’ exam is completely different than what is on this site. Not even close. There are maybe 10 questions that are the same… What happened???

  12. Warning!
    October 4th, 2016

    Hello Team Player…

    I really appreciate your feedback. I was thinking of taking my exam next month and I was studying from this site…

    Do you study from the PDF document Route Apr 2016 or an older one??

    Your notice is something to be worried about…

  13. Burned
    October 4th, 2016

    Yup, same experience today. The exam was very different, but the labs were similar to those found on this page.
    Forget the 146 and 149 dumps; they are basically copies of the questions in the April dump.

  14. Warning!
    October 5th, 2016

    Burned, how are you? Thanks for the feedback. The only thing is waiting for updates, I think… It seems like the exam is changing right now, but last year the exam changed too…!?
    Please, any updates will be welcome!!!!

  15. Devastated
    October 5th, 2016

    @Warning!,
    Yes, I used the Route Apr 2016, and it is no longer valid. Wait for a new dump before you go for your exam.

  16. Team Player
    October 5th, 2016

    Route Apr 2016 is no longer valid

  17. k
    October 14th, 2016

    ;;;m;lm;knon

  18. tagwa tagelsir
    November 1st, 2016
  19. Flash
    November 7th, 2016

    Hi tagwa tagelsir, are those valid dumps? Are those updated questions?? Can you please confirm?

  20. QQ
    November 14th, 2016

    Everything you require to get ready and quickly pass the tough Cisco Certified Design Professional 300-101exam with 100% valid questions answers & pass guarantee in first attempt. http://www.grades4sure.com/300-101-exam-questions.html

  21. R
    December 26th, 2016

    tagwa taglesir, how long will the dumps be valid?

  22. Anonymous
    February 18th, 2017