Last Updated on August 1, 2021 by Admin 1
Examine the following output of the show ip route command and the partial output of the show run command from the router R64:
What will the router do with a packet with a source address of 10.2.1.7/24 and a destination address of 10.11.11.50/24 that arrives on the Serial0 interface?
- forward it out the Serial0/0 interface
- forward it out the Tunnel0 interface
- drop the packet
- forward it out the Ethernet0/0 interface
It will forward the packet out the Ethernet0/0 interface. The partial output of the show run command shows that the ip verify unicast source reachable-via any command has been applied to the Serial0/0 interface. This enables the Unicast Reverse Path Forwarding (Unicast RPF) feature, which guards against IP spoofing by checking the routing table for a valid return path to the packet's source IP address. If there is no valid return path, the source address can be assumed to be spoofed and the packet is dropped.
When the ip verify unicast source reachable-via command ends with the keyword any, the return path may be through any interface, not just the one on which the command was configured. This is called loose mode. The command here also includes the allow-default parameter, which removes the requirement that the source network be specifically listed in the routing table: a match on the default route is then enough to pass the check.
Since there is a routing table entry for the source network pointing to the Serial0/0 interface, the packet passes the Unicast RPF check and is forwarded toward the destination network using the route via the Ethernet0/0 interface.
The router will not send the packet out either the Serial0/0 or the Tunnel0 interface, because the destination network, 10.11.11.0/24, is not reachable through those interfaces.
It will not send the packet out the Ethernet0/1 interface, because that is the interface used by the default route. Since the table holds a more specific route to the 10.11.11.0/24 network, the packet is sent out the Ethernet0/0 interface.
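To make the decision above concrete, here is an added Python model of the Unicast RPF check followed by the forwarding lookup; it is example code written for this explanation, not code from the page or from Cisco IOS. The routing table is constructed to match the explanation (the show ip route output itself is not reproduced here), and the model covers strict mode as well as the loose mode and allow-default behaviour discussed above.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table modelled on the explanation above (assumed, not the
# real "show ip route" output): prefix -> egress interface.
ROUTES = {
    "10.2.1.0/24": "Serial0/0",
    "10.11.11.0/24": "Ethernet0/0",
    "192.168.5.0/24": "Tunnel0",     # assumed filler route for Tunnel0
    "0.0.0.0/0": "Ethernet0/1",      # default route
}


def lookup(addr, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    a = ip_address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(src, ingress, mode="loose", allow_default=False, routes=ROUTES):
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    strict (rx): the best route back to src must point at the ingress interface.
    loose (any): any route back to src is enough.
    Without allow-default, a match on 0.0.0.0/0 does not count as a return path.
    """
    match = lookup(src, routes)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return iface == ingress
    return True


def forward(src, dst, ingress, **urpf_opts):
    """Return the egress interface, or 'drop' if uRPF fails or no route exists."""
    if not urpf_passes(src, ingress, **urpf_opts):
        return "drop"
    match = lookup(dst)
    return match[1] if match else "drop"
```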
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features