352-001 Question #68: Real Exam Question with Answer & Explanation
The correct answer is D: Unicast Reverse Path Forwarding in loose mode.
Question
Options
- A. Access control lists to limit sources of traffic that exits the server-facing interface of the firewall cluster
- B. Poison certain subnets by adding static routes to Null0 on the server farm core switches.
- C. Unicast Reverse Path Forwarding in strict mode
- D. Unicast Reverse Path Forwarding in loose mode
Explanation
uRPF loose mode blocks packets with source IP addresses absent from the routing table, stopping spoofed or attacker-originated traffic while remaining compatible with the asymmetric routing present in this environment.
Common mistakes.
- A. ACLs on the firewall's server-facing interface require manual maintenance as legitimate sources change and do not dynamically prevent spoofed source addresses generated from within the network.
- B. Adding static routes to Null0 discards all traffic destined for those subnets including legitimate users, making it an overly disruptive approach that causes an outage rather than targeted security enforcement.
- C. uRPF strict mode requires that the best reverse path for the source IP exits the same interface the packet arrived on; because this network has asymmetric routing, strict mode would drop legitimate traffic and is therefore unsuitable.
Concept tested. uRPF loose mode for asymmetric routing security
Reference. https://www.cisco.com/c/en/us/support/docs/ip/unicast-reverse-path-forwarding-urpf/13116-uRPF.html
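To make the strict-versus-loose distinction concrete, the following Python model is an added example (not from the page or from Cisco's documentation). It performs a longest-prefix match of each packet's source address against a constructed forwarding table with hypothetical interface names, then applies the two uRPF rules: strict mode requires the best reverse path to exit the ingress interface, loose mode only requires that some route to the source exist. The `allow_default` flag is an assumption that mirrors the behaviour of Cisco's `allow-default` keyword, where a default route does not satisfy the check unless explicitly permitted; without it, a default route would make loose mode accept every source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed forwarding table (FIB): best-route prefix -> egress interface.
# Interface names and prefixes are hypothetical, not taken from the page.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",      # default route toward upstream
    ipaddress.ip_network("10.10.0.0/16"): "Gi0/1",   # server farm, symmetric path
    ipaddress.ip_network("172.16.0.0/12"): "Gi0/2",  # campus, return path differs from arrival
}


@dataclass
class Packet:
    src: str
    ingress_if: str


def best_route(src, fib):
    """Longest-prefix match of the source address against the FIB; None if no entry."""
    addr = ipaddress.ip_address(src)
    matches = [prefix for prefix in fib if addr in prefix]
    if not matches:
        return None
    return max(matches, key=lambda prefix: prefix.prefixlen)


def urpf_check(pkt, fib, mode, allow_default=False):
    """Return True if the packet passes uRPF in the given mode.

    strict: the best reverse path must exit the interface the packet arrived on.
    loose:  any route to the source address is enough.
    A default route satisfies neither mode unless allow_default is set
    (assumed to mirror Cisco's allow-default keyword).
    """
    route = best_route(pkt.src, fib)
    if route is None:
        return False
    if route.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return fib[route] == pkt.ingress_if
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed sample packets. The asymmetric case arrives on Gi0/1 even though the
# FIB's best path back to its source leaves via Gi0/2, as happens with asymmetric routing.
PACKETS = {
    "symmetric_legit": Packet("10.10.5.20", "Gi0/1"),
    "asymmetric_legit": Packet("172.16.40.9", "Gi0/1"),
    "unrouted_spoof": Packet("192.0.2.77", "Gi0/1"),   # only the default route matches
}


def evaluate(mode, allow_default=False):
    """Run every sample packet through uRPF and report pass/drop per packet."""
    return {name: urpf_check(p, FIB, mode, allow_default) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, evaluate(mode))
    print("loose + allow_default", evaluate("loose", allow_default=True))
```

Running it shows why D is the right fit for this network: strict mode drops `asymmetric_legit` because its best reverse path is `Gi0/2`, while loose mode passes it and still drops `unrouted_spoof`. The third line illustrates the caveat a practitioner should check on the box: once a default route is allowed to satisfy the lookup, loose mode no longer drops anything, so the feature only blocks sources that have no route at all and does not stop spoofing of prefixes that are present in the table.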