Exam 400-101 Question id=1056 Infrastructure Security

You have enabled CEF and have issued the ip verify unicast source reachable-via rx command to enable uRPF in strict mode on a router. A TCP packet with a source address of 10.11.12.1 arrives on the router's FastEthernet0/1 interface. A route to 10.11.12.1 exists in the FIB, but the path through the FastEthernet0/1 interface is not the best path to the source.

Which of the following will occur?

A. The packet will be dropped.
B. The packet will be forwarded through a valid path.
C. The packet will be forwarded through the best path.
D. The packet will be logged as suspicious.

The packet will be dropped because unicast Reverse Path Forwarding (uRPF) is operating in strict mode. When you enable uRPF in strict mode, the router checks packets upon arrival at an interface to determine whether those packets arrived through the best path to the source. If a packet did not arrive from the best path, the packet is dropped. Implementing uRPF in strict mode can cause legitimate traffic to be dropped in asymmetric routing configurations.

For uRPF to be used in either strict or loose mode, Cisco Express Forwarding (CEF) must be enabled. The router uses the information in the Forwarding Information Base (FIB) to perform the reverse lookup. The FIB is generated by CEF. In strict mode, the router checks to see whether a path to the source exists in the FIB and whether the packet arrived on the interface with the best path to the source. In loose mode, the router checks to see whether the source exists in the FIB and is a valid forwarding entry, not just the best path.

There are two network addresses that uRPF always allows to pass even though they might not be present in the FIB: 0.0.0.0 and 255.255.255.255. Not allowing those addresses to pass would cause problems with both Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP).

The packet would not be forwarded through any path. Because you have enabled strict mode and the packet did not arrive on the best path back to the source, the packet is dropped. If the packet had arrived on the best path to the source, the best path criteria would have been met and the packet would have been forwarded.

If you had issued the ip verify unicast source reachable-via any command, which enables uRPF in loose mode, the packet would have been forwarded. In loose mode, the router checks the FIB to determine whether the packet arrived on a valid path back to the source. uRPF in loose mode forwards the packet as long as the reverse path is a valid path, even if it is not the best path back to the source.

The packet will not be logged as suspicious. uRPF is a reverse path checking tool and not a logging tool for suspicious activity. However, uRPF can mitigate spoofing attacks.
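As an added illustration, not part of the exam item, the following Python model runs the strict and loose uRPF decisions described above against a constructed FIB. The FIB contents, the interface names, and the allow_default parameter (modelling the IOS allow-default keyword) are assumptions made for this example.

```python
import ipaddress

# Constructed FIB for the scenario in the question: the best path to
# 10.11.12.1 is via FastEthernet0/0, so a packet from that source that
# arrives on FastEthernet0/1 fails the strict check. An empty interface
# list models a discard (Null0) entry; "0.0.0.0/0" is the default route.
FIB = {
    "10.11.12.0/24": ["FastEthernet0/0"],
    "10.20.0.0/16": ["Serial0/0", "Serial0/1"],   # two equal-cost paths
    "192.0.2.0/24": [],                            # null route
    "0.0.0.0/0": ["GigabitEthernet0/2"],
}

# Sources uRPF permits unconditionally (needed for BOOTP/DHCP).
ALWAYS_PERMITTED = {"0.0.0.0", "255.255.255.255"}


def fib_lookup(fib, src):
    """Return (network, interfaces) of the longest-prefix match, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return (passes, reason) for a packet from src arriving on ingress.

    mode="strict" models 'reachable-via rx'; mode="loose" models
    'reachable-via any'. allow_default is an assumption modelling the IOS
    'allow-default' keyword: without it, a default route is not accepted
    as a valid reverse path.
    """
    if src in ALWAYS_PERMITTED:
        return True, "always permitted"
    entry = fib_lookup(fib, src)
    if entry is None:
        return False, "no FIB entry for source"
    net, ifaces = entry
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route matches"
    if not ifaces:
        return False, "source matches a discard (Null0) entry"
    if mode == "strict" and ingress not in ifaces:
        return False, f"best path to source is via {', '.join(ifaces)}, not {ingress}"
    return True, "reverse path valid"


if __name__ == "__main__":
    print(urpf_check(FIB, "10.11.12.1", "FastEthernet0/1", "strict"))
    print(urpf_check(FIB, "10.11.12.1", "FastEthernet0/1", "loose"))
```

Running the block prints the strict verdict for the question's packet (dropped) followed by the loose verdict for the same packet (forwarded).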
