CBT IT Certification Training

Unlimited IT Certification Courses via Streaming Video

Unicast Reverse Path Forwarding

Lab 6 

Unicast Reverse Path Forwarding

Back to book index.

Lab Objective:

The objective of this lab exercise is for you to learn and understand how implement Unicast Reverse Path Forwarding in Cisco IOS routers.

Lab Purpose:

The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.

Lab Difficulty:

This lab has a difficulty rating of 5/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 10 minutes. 

Lab Topology:

Please use the following topology to complete this lab exercise: 

Lab 6 1

NOTE:

 

The purpose of this lab is to understand the configuration commands. You are not required to test the configuration as the complexity is beyond the scope of the CCNA Security.

 

Lab 6 Configuration Tasks 

Task 1:

Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. Configure R2 to send R1 clocking information at a rate of 512Kbps. Ping between R1 and R2 to verify your configuration and ensure that the two routers have IP connectivity.

Task 2:

Configure uRPF on R1, while adhering to the following guidelines:

  • Deny all traffic sourced from the 127.0.0.0/8 subnet. This traffic should be logged in detail.
  • Deny all traffic sourced from any RFC 1918 subnet. This traffic should be logged in detail.
  • Permit all other traffic. This traffic should not be logged.
  • Use an ACL of your liking, but do not apply the ACL to the interface.

In addition, configure R1 to allow Telnet access using a password of cisco. Ensure that users that log in are automatically assigned Level 15 access without using an enable password. 

Task 3:

Verify your uRPF configuration by using the appropriate show commands. Keep in mind that the objective of this lab is to validate your configuration knowledge. You are not expected to spoof IP addresses to test uRPF configuration as this is beyond the scope of this course.

Lab 6 Configuration and Verification

Task 1:

Router(config)#hostname R1

R1(config)#int s0/0

R1(config-if)#ip add 150.1.1.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#exit

R1#

 

Router(config)#hostname R2

R2(config)#int s0/0

R2(config-if)#clock rate 512000

R2(config-if)#ip address 150.1.1.2 255.255.255.252

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#exit

R2#

R2#ping 150.1.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Task 2:

R1(config)#ip cef

R1(config)#access-list 111 remark “This is my uRPF ACL”

R1(config)#access-list 111 deny ip 127.0.0.0 0.255.255.255 any log-input

R1(config)#access-list 111 deny ip 10.0.0.0 0.255.255.255 any log-input

R1(config)#access-list 111 deny ip 172.16.0.0 0.15.255.255 any log-input

R1(config)#access-list 111 deny ip 192.168.0.0 0.0.255.255 any log-input

R1(config)#access-list 111 permit ip any any

R1(config)#int s0/0

R1(config-if)#ip verify unicast reverse-path 111

R1(config-if)#exit

R1(config)#line vty 0 4

R1(config-line)#password cisco

R1(config-line)#login

R1(config-line)#privilege level 15

R1(config-line)#exit

R1(config)#exit

R1#

Task 3:

The show cef interface [name] command is used to verify if uRPF is configured on an interface:

R1#show cef interface serial 0/0

Serial0/0 is up (if_number 4)

Corresponding hwidb fast_if_number 4

Corresponding hwidb firstsw->if_number 4

Internet address is 150.1.1.1/24

ICMP redirects are always sent

Per packet load-sharing is disabled

IP unicast RPF check is enabled

Inbound access list is not set

Outbound access list is not set

Interface is marked as point to point interface

Hardware idb is Serial0/0

Fast switching type 4, interface type 63

IP CEF switching enabled

IP CEF Feature Fast switching turbo vector

Input fast flags 0x4000, Input fast flags2 0x0, Output fast flags 0x0, Output fast flags2 0x0

ifindex 2(2)

Slot 0 Slot unit 0 Unit 0 VC -1

Transmit limit accumulator 0x0 (0x0)

IP MTU 1500

R1#

In a production environment, if uRPF is configured, the show ip interfaces [name] command can be used to view the packets dropped by the uRPF feature in Cisco IOS software:

R1#show ip interface serial 0/0

Serial0/0 is up, line protocol is up

Internet address is 150.1.1.1/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound  access list is not set

—–[Truncated Output]—–

WCCP Redirect outbound is disabled

WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled

IP verify source reachable-via RX, allow default, ACL 111

  34 verification drops

  31 suppressed verification drops

Lab 6 Configurations

R1 Configuration

R1#show run

Building configuration…

 

Current configuration : 1116 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

logging buffered 4096

no logging console

!

no aaa new-model

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

archive

log config

hidekeys

!

!

!

!

!

!

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface Serial0/0

ip address 150.1.1.1 255.255.255.0

ip verify unicast reverse-path 111

!

ip forward-protocol nd

!

!

ip http server

no ip http secure-server

!

access-list 111 deny   ip 127.0.0.0 0.255.255.255 any log-input

access-list 111 deny   ip 10.0.0.0 0.255.255.255 any log-input

access-list 111 deny   ip 172.16.0.0 0.15.255.255 any log-input

access-list 111 deny   ip 192.168.0.0 0.0.255.255 any log-input

access-list 111 permit ip any any

access-list 111 remark “This is my uRPF ACL”

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

password cisco

login

!

!

end

R2 Configuration

R2#show run

Building configuration…

 

Current configuration : 774 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

no logging console

!

no aaa new-model

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

!

!

no ip domain lookup

!

multilink bundle-name authenticated

!

!

!

!

!

archive

log config

hidekeys

!

!

!

!

!

!

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface Serial0/0

ip address 150.1.1.2 255.255.255.252

clock rate 512000

!

ip forward-protocol nd

!

!

ip http server

ip http authentication local

no ip http secure-server

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

password cisco

login

!

!

end
content-filler