Lab 6
Unicast Reverse Path Forwarding
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to implement Unicast Reverse Path Forwarding (uRPF) in Cisco IOS routers.
Lab Purpose:
The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.
Lab Difficulty:
This lab has a difficulty rating of 5/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 10 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
NOTE:
The purpose of this lab is to understand the configuration commands. You are not required to test the configuration as the complexity is beyond the scope of the CCNA Security.
Lab 6 Configuration Tasks
Task 1:
Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. Configure R2 to send R1 clocking information at a rate of 512Kbps. Ping between R1 and R2 to verify your configuration and ensure that the two routers have IP connectivity.
Task 2:
Configure uRPF on R1, while adhering to the following guidelines:
- Deny all traffic sourced from the 127.0.0.0/8 subnet. This traffic should be logged in detail.
- Deny all traffic sourced from any RFC 1918 subnet. This traffic should be logged in detail.
- Permit all other traffic. This traffic should not be logged.
- Use an ACL of your liking, but do not apply the ACL to the interface.
In addition, configure R1 to allow Telnet access using a password of cisco. Ensure that users who log in are automatically assigned Level 15 access without using an enable password.
Task 3:
Verify your uRPF configuration by using the appropriate show commands. Keep in mind that the objective of this lab is to validate your configuration knowledge. You are not expected to spoof IP addresses to test uRPF configuration as this is beyond the scope of this course.
Lab 6 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#int s0/0
R1(config-if)#ip add 150.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#exit
R1#
Router(config)#hostname R2
R2(config)#int s0/0
R2(config-if)#clock rate 512000
R2(config-if)#ip address 150.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#exit
R2#
R2#ping 150.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Task 2:
R1(config)#ip cef
R1(config)#access-list 111 remark "This is my uRPF ACL"
R1(config)#access-list 111 deny ip 127.0.0.0 0.255.255.255 any log-input
R1(config)#access-list 111 deny ip 10.0.0.0 0.255.255.255 any log-input
R1(config)#access-list 111 deny ip 172.16.0.0 0.15.255.255 any log-input
R1(config)#access-list 111 deny ip 192.168.0.0 0.0.255.255 any log-input
R1(config)#access-list 111 permit ip any any
R1(config)#int s0/0
R1(config-if)#ip verify unicast reverse-path 111
R1(config-if)#exit
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#privilege level 15
R1(config-line)#exit
R1(config)#exit
R1#
Task 3:
The show cef interface [name] command is used to verify if uRPF is configured on an interface:
R1#show cef interface serial 0/0
Serial0/0 is up (if_number 4)
  Corresponding hwidb fast_if_number 4
  Corresponding hwidb firstsw->if_number 4
  Internet address is 150.1.1.1/24
  ICMP redirects are always sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is not set
  Outbound access list is not set
  Interface is marked as point to point interface
  Hardware idb is Serial0/0
  Fast switching type 4, interface type 63
  IP CEF switching enabled
  IP CEF Feature Fast switching turbo vector
  Input fast flags 0x4000, Input fast flags2 0x0, Output fast flags 0x0, Output fast flags2 0x0
  ifindex 2(2)
  Slot 0 Slot unit 0 Unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500
R1#
In a production environment, if uRPF is configured, the show ip interface [name] command can be used to view the packets dropped by the uRPF feature in Cisco IOS software. Packets that fail the RPF check and are denied by ACL 111 are counted as verification drops; packets that fail the RPF check but are permitted by the ACL are forwarded anyway and counted as suppressed verification drops:
R1#show ip interface serial 0/0
Serial0/0 is up, line protocol is up
  Internet address is 150.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  ---[Truncated Output]---
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  IP verify source reachable-via RX, allow default, ACL 111
   34 verification drops
   31 suppressed verification drops
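To make the strict uRPF decision and the two counters above concrete, here is an added Python model of what R1 does with ip verify unicast reverse-path 111 on Serial0/0. It is an illustration written for this lab, not Cisco IOS code: the ACL lines are the lab's ACL 111, while the FIB (a LAN on FastEthernet0/0 plus a default route) and the sample packet sources are constructed assumptions, and the log records use a made-up format rather than IOS syslog syntax. The model also shows how Cisco wildcard masks are evaluated, which is why 172.16.0.0 0.15.255.255 covers 172.16.0.0 through 172.31.255.255.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    network: int           # address field of the ACL line, as an int
    wildcard: int          # Cisco wildcard mask: 0 bits must match, 1 bits are ignored
    log_input: bool = False

    def matches(self, src: int) -> bool:
        care = 0xFFFFFFFF ^ self.wildcard
        return (src & care) == (self.network & care)


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list 111 {permit|deny} ip <addr> <wildcard>|any any [log-input]'."""
    f = line.split()
    if f[4] == "any":
        net, wc, rest = "0.0.0.0", "255.255.255.255", f[5:]
    else:
        net, wc, rest = f[4], f[5], f[6:]
    return AclEntry(f[2], int(IPv4Address(net)), int(IPv4Address(wc)), "log-input" in rest)


def acl_lookup(acl, src: str) -> str:
    """First-match evaluation with Cisco's implicit deny at the end of the list."""
    for e in acl:
        if e.matches(int(IPv4Address(src))):
            return e.action
    return "deny"


@dataclass
class UrpfInterface:
    name: str
    fib: list                    # (IPv4Network, outgoing interface); longest prefix wins
    acl: list                    # AclEntry list named in 'ip verify unicast reverse-path'
    verification_drops: int = 0  # "verification drops" in show ip interface
    suppressed_drops: int = 0    # "suppressed verification drops"
    log: list = field(default_factory=list)

    def best_route(self, addr: IPv4Address):
        cands = [(n, i) for n, i in self.fib if addr in n]
        return max(cands, key=lambda r: r[0].prefixlen) if cands else None

    def check(self, src: str) -> str:
        """Return 'forward' or 'drop' for a packet with source src arriving here."""
        addr = IPv4Address(src)
        route = self.best_route(addr)
        # Strict uRPF ('reachable-via RX'): the best route back to the source must
        # point out the arrival interface. A default route counts ('allow default').
        if route is not None and route[1] == self.name:
            return "forward"
        # RPF failed, so the ACL decides: permit -> forwarded anyway and counted as a
        # suppressed verification drop; deny (explicit or implicit) -> verification drop,
        # with a log record when the matching entry carries log-input.
        for e in self.acl:
            if e.matches(int(addr)):
                if e.action == "permit":
                    self.suppressed_drops += 1
                    return "forward"
                if e.log_input:
                    self.log.append(f"{self.name}: uRPF denied source {src}")  # constructed format
                break
        self.verification_drops += 1
        return "drop"


ACL_111 = [parse_acl_line(l) for l in """
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 111 permit ip any any
""".strip().splitlines()]

# Constructed FIB for R1 (assumption: a LAN on Fa0/0 and a default route out of it;
# the lab's own configs define only the serial link).
R1_FIB = [
    (IPv4Network("150.1.1.0/24"), "Serial0/0"),
    (IPv4Network("192.168.10.0/24"), "FastEthernet0/0"),
    (IPv4Network("0.0.0.0/0"), "FastEthernet0/0"),
]

# Constructed packet sources, all arriving on R1's Serial0/0.
SAMPLE_SOURCES = [
    "150.1.1.2",     # R2 itself: best route is via Serial0/0, passes strict RPF
    "10.1.1.5",      # RFC 1918 source: fails RPF, ACL 111 denies and logs
    "127.0.0.1",     # loopback source: fails RPF, ACL 111 denies and logs
    "192.168.10.7",  # R1's own LAN prefix arriving from the WAN side: denied and logged
    "203.0.113.9",   # public source whose return path is Fa0/0: fails RPF, ACL permits
]


def run_demo():
    s0 = UrpfInterface("Serial0/0", R1_FIB, ACL_111)
    return [s0.check(src) for src in SAMPLE_SOURCES], s0


if __name__ == "__main__":
    results, s0 = run_demo()
    for src, verdict in zip(SAMPLE_SOURCES, results):
        print(f"{src:15} {verdict}")
    print(f"{s0.verification_drops} verification drops")
    print(f"{s0.suppressed_drops} suppressed verification drops")
    print(*s0.log, sep="\n")
```

Running the script forwards the first and last packet and drops the three spoofed ones, ending with 3 verification drops and 1 suppressed verification drop, which is the relationship between the two counters in the show ip interface output. Note that the ACL only matters for packets that have already failed the RPF check; it is not applied to the interface as a normal inbound ACL, which is why show ip interface still reports "Inbound access list is not set".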
Lab 6 Configurations
R1 Configuration
R1#show run
Building configuration...

Current configuration : 1116 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 150.1.1.1 255.255.255.0
 ip verify unicast reverse-path 111
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 111 permit ip any any
access-list 111 remark "This is my uRPF ACL"
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end
R2 Configuration
R2#show run
Building configuration...

Current configuration : 774 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 150.1.1.2 255.255.255.252
 clock rate 512000
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end