Cisco 350-001 Question #157: Real Exam Question with Answer & Explanation

The correct answer is A: it is applied only on the input interface of a router. Unicast Reverse Path Forwarding is a security feature that, when configured on an interface, makes the router check an incoming packet's source address against its routing table; if the source is reachable via the same interface the packet was received on, the packet is allowed.

Question

Which of these statements accurately identifies how Unicast Reverse Path Forwarding can be employed to prevent the use of malformed or forged IP source addresses?

Options

  • A. It is applied only on the input interface of a router.
  • B. It is applied only on the output interface of a router.
  • C. It can be configured either on the input or output interface of a router.
  • D. It cannot be configured on a router interface.
  • E. It is configured under any routing protocol process.

Explanation

Unicast Reverse Path Forwarding (Unicast RPF, or uRPF) is a simple security feature: when configured on an interface, the router checks the incoming packet's source address against its routing table. If the incoming packet's source is reachable via the same interface on which it was received, the packet is allowed. Unicast RPF therefore provides protection against spoofed packets with an unverifiable source.

Unicast RPF can be used in any "single-homed" environment where there is essentially only one access point out of the network; that is, one upstream connection. Networks having one access point offer the best example of symmetric routing, which means that the interface where a packet enters the network is also the best return path to the source of the IP packet. Unicast RPF is best used at the network perimeter for Internet, intranet, or extranet environments, or in ISP environments for customer network terminations.

Feature Overview

The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. For example, a number of common types of denial-of-service (DoS) attacks, including Smurf and Tribe Flood Network (TFN), can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet service providers (ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets that have source addresses that are valid and consistent with the IP routing table. This action protects the network of the ISP, its customers, and the rest of the Internet.

When Unicast RPF is enabled on an interface, the router examines all packets received as input on that interface to make sure that the source address and source interface appear in the routing table and match the interface on which the packet was received. This "look backwards" ability is available only when Cisco Express Forwarding (CEF) is enabled on the router, because the lookup relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of its operation.

Note: Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.
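To make the "look backwards" check concrete, the following Python simulation (an added illustration, not Cisco code or anything from the exam page) models a tiny FIB with longest-prefix matching and runs the strict-mode check the explanation describes: a packet is forwarded only when the FIB's best return path to its source address leaves through the interface the packet arrived on. The topology, interface names (Gi0/0 upstream, Gi0/1 and Gi0/2 customer terminations), prefixes and packets are all constructed for the example. It goes slightly beyond the page by also including a loose-mode check (any route to the source suffices), which is the variant operators reach for when routing is asymmetric; the page only covers the strict, single-homed case.

```python
"""Strict-mode Unicast RPF simulated over a tiny FIB (added illustration, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str          # interface the router would use to reach this prefix


def build_fib(routes):
    """Build the FIB from (prefix, interface) pairs. A real FIB is a trie; a list is enough here."""
    return [Route(ipaddress.ip_network(p), iface) for p, iface in routes]


def lookup(fib, addr) -> Optional[Route]:
    """Longest-prefix match for addr; None means the FIB holds no route back to that address."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in fib:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_strict(fib, ingress_iface, src_addr) -> bool:
    """Strict uRPF (the mode the explanation describes): pass only when the FIB's best
    path back to the source address goes out the interface the packet arrived on."""
    route = lookup(fib, src_addr)
    return route is not None and route.out_iface == ingress_iface


def urpf_loose(fib, src_addr) -> bool:
    """Loose uRPF (a generalisation beyond the question): any route to the source is enough,
    regardless of interface. Tolerates asymmetric paths; catches only unrouted sources."""
    return lookup(fib, src_addr) is not None


def filter_packets(fib, packets, mode="strict"):
    """Apply the check to (ingress_iface, src, dst) tuples; returns {(iface, src): decision}."""
    decisions = {}
    for iface, src, dst in packets:
        allowed = urpf_strict(fib, iface, src) if mode == "strict" else urpf_loose(fib, src)
        decisions[(iface, src)] = "forward" if allowed else "drop"
    return decisions


# Constructed topology: Gi0/0 faces the upstream, Gi0/1 and Gi0/2 are customer terminations.
# No default route is modelled; how a default route interacts with uRPF is platform-specific.
FIB = build_fib([
    ("203.0.113.0/24",  "Gi0/0"),   # "the rest of the Internet" behind the upstream link
    ("192.0.2.0/24",    "Gi0/1"),   # customer A
    ("192.0.2.128/25",  "Gi0/2"),   # more specific: half of A's block was re-homed to Gi0/2
    ("198.51.100.0/24", "Gi0/2"),   # customer B
])

# Constructed packets: (ingress interface, source, destination).
PACKETS = [
    ("Gi0/1", "192.0.2.10",   "203.0.113.5"),   # A sends from its own address: forward
    ("Gi0/1", "198.51.100.7", "203.0.113.5"),   # A spoofs B's address: drop
    ("Gi0/1", "203.0.113.9",  "192.0.2.20"),    # A spoofs an Internet address: drop
    ("Gi0/1", "192.0.2.200",  "203.0.113.5"),   # inside A's /24, but the /25 now points to Gi0/2: drop
    ("Gi0/0", "203.0.113.9",  "192.0.2.10"),    # genuine inbound Internet traffic: forward
    ("Gi0/0", "192.0.2.10",   "192.0.2.20"),    # upstream delivers a packet claiming A's address: drop
    ("Gi0/0", "10.9.9.9",     "192.0.2.10"),    # no route back to the source at all: drop
]

if __name__ == "__main__":
    for (iface, src), verdict in filter_packets(FIB, PACKETS).items():
        print(f"{iface:6} src={src:14} strict-uRPF -> {verdict}")
```

The fourth packet is the one worth studying: its source sits inside customer A's /24, yet strict mode drops it because the FIB's longest match (the /25) points at a different interface. That is exactly the asymmetric-routing failure the explanation warns about when it restricts strict uRPF to single-homed, symmetric environments; loose mode forwards that packet but still drops the unrouted 10.9.9.9 source.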
