
Unicast Reverse Path Forwarding can perform all of these actions except which one?

A.
examine all packets received to make sure that the source addresses and source interfaces
appear in the routing table and match the interfaces where the packets were received

B.
check to see if any packet received at a router interface arrives on the best return path

C.
combine with a configured ACL

D.
log its events, if you specify the logging options for the ACL entries used by the unicast rpf
command

E.
inspect IP packets encapsulated in tunnels, such as GRE

Explanation:
For RPF to function, CEF must be enabled on the router. This is because the router uses the
Forwarding Information Base (FIB) of CEF to perform the lookup process, which is built from the
router’s routing table. In other words, RPF does not really look at the router’s routing table;
instead, it uses the CEF FIB to determine spoofing.
Also, RPF cannot detect all spoofed packets. A perimeter router, for example, cannot determine
spoofing for packets received on its external interface if the source address matches only the
default route. Therefore, the more specific routes the router holds in its CEF FIB, the more likely
it is to detect spoofing attacks. In addition, RPF cannot inspect the inner headers of encapsulated
traffic, such as packets carried in GRE, IPsec, or L2TP tunnels, so spoofed sources inside a tunnel
go undetected; that is why option E is the one action Unicast RPF cannot perform.
Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the
malicious traffic on an enterprise network. This security feature works by enabling a router to verify
the reachability of the source address in packets being forwarded. This capability can limit the
appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is
discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF
mode. Note that not all network devices support all three modes of operation. Unicast RPF in VRF
mode will not be covered in this document.
When administrators use Unicast RPF in strict mode, the packet must be received on the interface
that the router would use to forward the return packet. Unicast RPF configured in strict mode may
drop legitimate traffic that is received on an interface that was not the router’s choice for sending
return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are
present in the network.
When administrators use Unicast RPF in loose mode, the source address only has to be reachable
via some route in the FIB; the interface it was received on does not matter. By default a match on
the default route alone does not count; administrators can change this behavior with the
allow-default option, which allows the default route to satisfy the source verification. A packet
whose source address has a return route pointing to the Null0 interface is dropped in either case.
An access list may also be specified that permits or denies certain source addresses when the
Unicast RPF loose mode check fails.
Care must be taken to ensure that the appropriate Unicast RPF mode (loose or strict) is
configured during the deployment of this feature because it can drop legitimate traffic. Although
asymmetric traffic flows may be of concern when deploying this feature, Unicast RPF loose mode
is a scalable option for networks that contain asymmetric routing paths.
Unicast RPF in an Enterprise Network

In many enterprise environments, it is necessary to use a combination of strict mode and loose
mode Unicast RPF. The choice of the Unicast RPF mode that will be used will depend on the design
of the network segment connected to the interface on which Unicast RPF is deployed.
Administrators should use Unicast RPF in strict mode on network interfaces for which all packets
received on an interface are guaranteed to originate from the subnet assigned to the interface. A
subnet composed of end stations or network resources fulfills this requirement. Such a design
would be in place for an access layer network or a branch office where there is only one path into
and out of the branch network. No other traffic originating from the subnet is allowed and no other
routes are available past the subnet. Unicast RPF loose mode can be used on an uplink network
interface that has a default route associated with it.
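The following is an added example, not code from the page or from Cisco: a small Python model of the uRPF decision described above, run against a constructed FIB for a perimeter router. The prefixes, interface names (Gi0/0 uplink, Gi0/1 and Gi0/2 access) and the sample packets are assumptions chosen to show the cases the text calls out: strict mode dropping a packet that arrives on the wrong interface, the ACL rescuing an asymmetric flow, the default-route blind spot with allow-default, a Null0 route, and loose mode accepting a spoofed internal address from the uplink that strict mode would catch.

```python
import ipaddress

# Constructed FIB for a perimeter router (example data, not taken from the page).
# prefix -> interface the router would use to forward traffic to that prefix.
# "Null0" is a discard route, as in the loose-mode discussion above.
FIB = {
    "10.1.0.0/24": "Gi0/1",   # access subnet, single path in and out
    "10.2.0.0/24": "Gi0/2",   # second access subnet
    "192.0.2.0/24": "Null0",  # black-holed block
    "0.0.0.0/0": "Gi0/0",     # default route toward the uplink
}


def fib_lookup(src):
    """Longest-prefix match for a source address; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, in_iface, mode, allow_default=False, acl_permit=()):
    """Decide whether a packet with source `src` arriving on `in_iface` passes uRPF.

    mode          "strict": the best path back to the source must be in_iface.
                  "loose":  the source only has to be reachable via some interface.
    allow_default let a hit on the default route count as "reachable".
    acl_permit    source prefixes a uRPF ACL permits; consulted only after the
                  check itself fails, which is how the ACL option is applied.
    Returns (passed, reason).
    """
    def acl_rescue(reason):
        addr = ipaddress.ip_address(src)
        if any(addr in ipaddress.ip_network(p) for p in acl_permit):
            return True, reason + "; forwarded by uRPF ACL permit"
        return False, reason

    hit = fib_lookup(src)
    if hit is None:
        return acl_rescue("no route to source")
    net, iface = hit
    if iface == "Null0":
        return acl_rescue("route to source is Null0")
    if net.prefixlen == 0 and not allow_default:
        return acl_rescue("only the default route matches (allow-default not set)")
    if mode == "strict" and iface != in_iface:
        return acl_rescue(f"strict: best path to source is {iface}, packet came in on {in_iface}")
    return True, f"{mode}: source reachable via {iface}"


def run_demo():
    """Apply the enterprise design: strict on access interfaces, loose on the uplink."""
    return {
        "legit_access": urpf_check("10.1.0.5", "Gi0/1", "strict"),
        "spoof_other_subnet": urpf_check("10.2.0.5", "Gi0/1", "strict"),
        "asym_rescued_by_acl": urpf_check("10.2.0.5", "Gi0/1", "strict",
                                          acl_permit=("10.2.0.0/24",)),
        "uplink_no_default": urpf_check("203.0.113.7", "Gi0/0", "loose"),
        "uplink_allow_default": urpf_check("203.0.113.7", "Gi0/0", "loose", allow_default=True),
        "uplink_nullroute": urpf_check("192.0.2.9", "Gi0/0", "loose", allow_default=True),
        # Loose mode cannot catch an outside packet spoofing an inside address:
        # 10.1.0.0/24 is in the FIB, so "reachable" is satisfied. Strict mode would drop it.
        "uplink_spoofed_internal_loose": urpf_check("10.1.0.5", "Gi0/0", "loose", allow_default=True),
        "uplink_spoofed_internal_strict": urpf_check("10.1.0.5", "Gi0/0", "strict", allow_default=True),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:32s} {'PASS' if ok else 'DROP'}  ({why})")
```

Note the "uplink_allow_default" case: once allow-default is set on an interface that only carries a default route, every unknown source passes, which is the limitation the explanation describes. The "uplink_spoofed_internal_loose" case shows the other side of the trade-off: loose mode keeps asymmetric traffic flowing but cannot tell that an internal prefix should never arrive from the uplink.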

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
