Exam 350-501
Question 301

Refer to the exhibit. The CE router is peering with both PE routers and advertising a public prefix to the internet. Routing to and from this prefix will be asymmetric under certain network conditions, but packets must not be discarded. Which configuration must an engineer apply to the two PE routers so that they validate reverse packet forwarding for packets entering their Gi2 interfaces and drop traffic from the RFC1918 space?

    Correct Answer: D

    The feature the question is asking for is Unicast Reverse Path Forwarding (uRPF), applied in loose mode on each PE's customer-facing Gi2 interface: under 'interface GigabitEthernet 2', the command 'ip verify unicast source reachable-via any'. Loose mode accepts a packet if its source address has a matching entry in the FIB through any interface, so it tolerates the asymmetric routing the question describes, where a PE's best path back to the CE's public prefix can point toward the other PE rather than directly out Gi2. Strict mode ('reachable-via rx') would accept the packet only if the source is reachable back through the receiving interface, and would therefore drop the customer's own traffic whenever the PE's best path to the public prefix points elsewhere, which the question forbids. Loose mode still drops the RFC1918 space because those prefixes have no entry in an internet-facing PE's FIB, and, without the 'allow-default' keyword, a source that resolves only to the default route fails the check. Two caveats follow from that: 'allow-default' must be left off, since it would let private sources resolve under 0/0, and loose mode stops filtering private sources if the provider itself carries routes for those private prefixes.
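
    As an added illustration, not from the exam, Cisco, or any poster on this page, the following Python models the uRPF decision made by the two 'reachable-via' modes and the 'allow-default' keyword, and evaluates it over constructed FIBs for PE-ATL-1 and PE-ATL-2. The interface names, the customer prefix (taken from RFC 5737 documentation space), and the FIB contents are assumptions made for the example; the model also treats a source that matches a Null0 route as failing in both modes, which real uRPF does but the page does not discuss.

```python
import ipaddress

# Added model of the Cisco IOS uRPF check for one ingress interface. This is
# illustration code, not Cisco's implementation; interface names, prefixes and
# FIB contents are constructed for the example.

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

# Constructed FIBs, given as {prefix: egress interface}.
# PE-ATL-1 prefers the direct eBGP path to the customer prefix over Gi2.
PE_ATL_1_FIB = {
    "0.0.0.0/0": "Gi1",          # default route toward the internet core
    "203.0.113.0/24": "Gi2",     # customer's public prefix, learned from the CE
}
# PE-ATL-2 models the asymmetric condition: its best path to the customer
# prefix is through the core (iBGP via PE-ATL-1), yet the CE still sends into Gi2.
# It also carries a private prefix, as a provider table sometimes does.
PE_ATL_2_FIB = {
    "0.0.0.0/0": "Gi1",
    "203.0.113.0/24": "Gi1",
    "192.168.0.0/16": "Gi1",
}


def fib_lookup(fib, src):
    """Longest-prefix match of src; returns (network, egress_iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(fib, src, ingress, mode="rx", allow_default=False):
    """True if a packet with source src arriving on ingress passes uRPF.

    mode="rx"  models 'ip verify unicast source reachable-via rx'  (strict)
    mode="any" models 'ip verify unicast source reachable-via any' (loose)
    allow_default models the 'allow-default' keyword.
    """
    match = fib_lookup(fib, src)
    if match is None:
        return False                 # no route to the source: dropped in both modes
    net, iface = match
    if net == DEFAULT_ROUTE and not allow_default:
        return False                 # the default route counts only with allow-default
    if iface == "Null0":
        return False                 # source blackholed (e.g. RTBH): dropped in both modes
    if mode == "any":
        return True                  # loose: reachable through any interface suffices
    if mode == "rx":
        return iface == ingress      # strict: must be reachable back out the ingress
    raise ValueError(f"unknown uRPF mode {mode!r}")


def scenario_results():
    """Evaluate the cases argued in the discussion. Returns {case: (strict, loose)}."""
    cases = {
        "PE-ATL-1, customer source on Gi2": (PE_ATL_1_FIB, "203.0.113.10", "Gi2"),
        "PE-ATL-2, customer source on Gi2 (asymmetric)": (PE_ATL_2_FIB, "203.0.113.10", "Gi2"),
        "PE-ATL-1, RFC1918 source on Gi2": (PE_ATL_1_FIB, "10.1.2.3", "Gi2"),
        "PE-ATL-2, RFC1918 source with a provider route": (PE_ATL_2_FIB, "192.168.1.1", "Gi2"),
    }
    return {
        name: (urpf_permits(fib, src, ingress, "rx"), urpf_permits(fib, src, ingress, "any"))
        for name, (fib, src, ingress) in cases.items()
    }


def verdict(ok):
    return "pass" if ok else "drop"


if __name__ == "__main__":
    for name, (strict, loose) in scenario_results().items():
        print(f"{name:48} strict={verdict(strict)}  loose={verdict(loose)}")
    # The keyword the discussion warns about: with allow-default, loose mode
    # accepts the RFC1918 source because it now resolves under the 0/0 route.
    print("RFC1918 source, loose + allow-default:",
          verdict(urpf_permits(PE_ATL_1_FIB, "10.1.2.3", "Gi2", "any", True)))
```

    Running it shows the outcomes the thread argues about: the customer's own source passes strict mode on PE-ATL-1 but fails it on PE-ATL-2, where that PE's best path to the prefix is through the core, while loose mode passes it on both; an RFC1918 source fails both modes on an internet-facing FIB unless 'allow-default' is configured, or unless the provider carries a route for that private prefix, in which case loose mode lets it through.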

Discussion
JoostAtExamtopics (Option: D)

I'd say answer D: "interface GigabitEthernet 2 / ip verify unicast source reachable-via any". The reasoning here is that we cannot drop asymmetric traffic, hence the need for 'loose mode'. RFC1918 will not be in the internet space, thus will not be in the RIB, and therefore will be dropped as per the loose-mode RPF check. allow-default would cause RFC1918 to be resolved under 0/0, making those answers invalid.

sushil_bhattacharjee (Option: D)

Answer: D. Sorry for my previous comment saying "Answer: B". @mironto explained it very clearly. If we set strict mode, what will happen to the traffic that is sent from the CE (public prefix) to PE-ATL-1? If the CE sends any request to the internet through "PE-ATL-1" and the internet returns the response through "PE-ATL-2", what will happen? Only loose mode can allow it to pass to the CE.

sushil_bhattacharjee (Option: B)

Answer: B. If the question had asked to deploy uRPF on the CE, then an asymmetric path would be under consideration, hence it would be "loose mode" for the CE. However, the question is about the "PE" router configuration, and it has nothing to do with the asymmetric path. Hence, strict mode is the best option. Therefore, the correct answer is B.

karen1337 (Option: B)

I think this question is trying to trick you by talking about asymmetric routing. It's hoping you'll see "asymmetric" and just reflexively choose D without reading the question carefully. Loose mode should be used if we were enabling URPF on the CE router's Gi2 and Gi3 interfaces. But since we're configuring this on the PE routers towards the customer, and each PE only has one connection to the CE, strict mode will not cause any problems. Loose mode is only needed when you have more than one interface that can be used to reach a certain destination. In this case, each PE only has one interface to the CE.

mironto (Option: D)

Loose mode is needed, as traffic from the CE public prefix can go CE => PE-ATL-1 => PE-ATL-2, and with strict mode PE-ATL-2 would drop the traffic, as it is not incoming through the interface to the CE.

Mephystopheles (Option: D)

By the way: the line "interface GigabitEthernet 2" does not belong to option C; that is an error. That entry actually belongs to option D, so:

interface GigabitEthernet 2
 ip verify unicast source reachable-via any

Here is the difference between "any" and "rx":

any: Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet if the source is reachable through any interface (sometimes referred to as loose mode).

rx: Examines incoming packets to determine whether the source address is in the FIB and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).

With this in place, for asymmetric routing to occur (I have seen this with unexpected failovers), option "any" is the best. Go for option D, 100%.

Mephystopheles

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html

Worgen44 (Option: B)

I also believe that B is correct. Asymmetric traffic can happen due to routing/forwarding decisions inside the ISP/Internet, but at the same time both PEs should still have valid routes towards the CE, so there is no issue using strict mode to filter RFC1918.

thejag (Option: B)

B.

interface GigabitEthernet 2
 ip verify unicast source reachable-via rx

We need to have this on that interface as requested, so any traffic coming from the RFC1918 space (or elsewhere) will be dropped if there is no entry in the FIB table to reach it via that same interface.

netkna (Option: B)

Why D? I would say B is correct.

chst

It's C. https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/secure.html

When configuring the Unicast RPF check mode, note the following information:
• Use the rx keyword to enable strict check mode.
• Use the any keyword to enable exist-only check mode.
• Use the allow-default keyword to allow use of the default route for RPF verification.

chst

I wanted to say "A". https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/secure.html

"When configuring the Unicast RPF check mode, note the following information:
• Use the rx keyword to enable strict check mode.
• Use the any keyword to enable exist-only check mode.
• Use the allow-default keyword to allow use of the default route for RPF verification."

IcQ

Because of this statement: "Routing to and from this prefix will be asymmetric under certain network conditions, but packets must not be discarded." If traffic can be asymmetric, that means traffic can arrive on an interface that is NOT the one you would forward it out of, but since you don't want to discard packets you need the "any" keyword. And since you don't want RFC1918 (private) addresses, you don't need the "allow-default" keyword.

aronborban85

That is true, but the public prefix is being advertised to both PEs. Hence, both PEs will have a route back to the public prefix, so the "any" solution isn't needed.

solen003

I agree. The ANY solution will actually be detrimental, as we can spoof and the routers will have ANY route to those RFC1918 addresses and will use it.

rans3001 (Option: B)

First of all, D does not make sense because the command is not configured under an interface. Second, if the internet service provider has the same private prefixes as the customer in the routing table, the "any" keyword will allow private-address traffic from the customer. The answer is B because, if all BGP attributes are the same (not changed), then eBGP is preferred over iBGP, so each PE will see the customer public prefix from the direct connection to the CPE.

Bandito (Option: D)

According to the link below, loose mode (reachable-via any) also checks for RFC1918 addresses: https://www.cisco.com/c/dam/en_us/about/security/intelligence/urpf.pdf

picho707 (Option: B)

I only select B because D does not specify the interface to apply the command. Global configuration does not allow the sub-commands provided in the answer. Please correct me if I am wrong.

akm88 (Option: B)

Answer is B.

Strict Mode: In this mode the router verifies that the source of the IP packet arrives on the same interface the router would use to reach that source address. Beware of asymmetric routing.

Loose Mode: In this mode the router simply verifies that the source IP can be reached via the CEF table using any interface.

akm88

Ignore my update: as it is talking about asymmetric routing, it will be D, since there will be asymmetric routing. https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/sec-data-urpf/17-1-1/b-sec-data-urpf-xe-17-1-asr920/b-sec-data-urpf-xe-17-1-asr920_chapter_01.html