Exam 300-410 topic 1 question 457 discussion

why config on eth0/1 and not both or eth0/0? Since both ISP provide Internet access and hacker can come from any ISP link?

wow one of my biggest mistakes there is just B I did not read regional datacenter there.... Wow... And also is that even the old output got uRPF. So please ignore........ ALL of this :D thank you

It's B The other commands are not right ip verify unicast source reachable-via rx (new format strict mode) ip verify unicast source reachable via any (new format loose mode) Old format => ip verify unicast reverse-path

B is corerct

"IP unicast RPF check is enabled" indicates that Unicast Reverse Path Forwarding (uRPF) is globally enabled on the device. This feature helps prevent source address spoofing by verifying that the source IP address of a packet received on an interface exists in the routing table and has a route back to the source. "Input features: uRPF" specifically indicates that uRPF is being applied as an input feature on that interface. This means that the uRPF check is actively being applied to packets received on that interface to verify their source addresses. In summary, while both statements relate to Unicast Reverse Path Forwarding, "IP unicast RPF check is enabled" is a global setting, and "input features: uRPF" specifies that uRPF is applied as an input feature on a specific interface. Hence we are not sure if e0/1 has uRPF enabled in this scenario.

look: With no ip verify on interface we see no urpf: LA#show cef int e0/0 Ethernet0/0 is up (if_number 3) Corresponding hwidb fast_if_number 3 Corresponding hwidb firstsw->if_number 3 Internet address is 10.1.1.2/24 ICMP redirects are always sent Per packet load-sharing is disabled IP unicast RPF check is disabled IP policy routing is disabled

o9ption corerct is B, is easy beacuse: the command is: #ip verify unicast source reachable-via any allow-self-ping (its works), and I can see in 0/0 interface 0/0 "input features: uRPF". I have only one option: Option "B"

As uRPF is already enabled on both interfaces (see "ip unicast RPF check is enabled" under "show cef int"), it is hard to choose between "A" and "B".

This is a vague question. uRPF is already enabled for both WAN interfaces, as shown in the output under show cef int ... (ip unicast RPF check is enabled) "ip verify unicast reverse-path" is the old command for strict mode. The new commands are recommended. Plus, it is a multihome environemnt, where loose mode would be appropriate instead of strict. "C","D": ip unicast RPF check reachable-via any allow-default allow-self-ping => allow-default + loose mode makes no sense on the internet facing interfaces. ip unicast RPF check reachable-via any allow-self-ping => Loose mode allowing local device to ping it's own interface would be OK, but it's not an option. Probably, in real exam we can choose both "A" and "B".