Exam 350-501 topic 1 question 334 discussion

Answer : B •Strict check mode, which verifies that the source IP address exists in the FIB table and verifies that the source IP address is reachable through the input port. •Use the rx keyword to enable strict check mode. Reference : https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/secure.html

via any is loose mode, and command is applied at the interface level

First of all D does not make sense because the command is not configured under an interface. Second, if the internet service provider has same private prefixes as the customer in the routing table, the "any" keyword will allow private address traffic from the customer. Answer is B because if all bgp attributes are the same (not changed) then EBGP is preferred over IBGP, so each PE will see the customer public prefix from the direct connection to the CPE.

According to the link below, loose mode (reachable via any) also checks for RFC1918 addresses: https://www.cisco.com/c/dam/en_us/about/security/intelligence/urpf.pdf

I only select B because D does not specify the interface to apply the command. Global configuration does not allow the sub-commands provided in the answer. Please correct me if I am wrong.

Answer: D Sorry for previous comment saying "Answer: B". @mironto explained very claerly. If we set the strict mode, what will happen for the that is requested from CE(public prefix) to PE-ATL-1? If CE sends any request to internet through the "PE-ATL-1" and internet is returing back the response throguh the "PE-ATL-2", what will happen? Only loose mode can allow it to pass to CE.

Answer: B If the question was asked to deploy uRPF for CE, then an asymmetric path would be under consideration, hence it is "loose mode" for CE. However, the question is about the "PE" router configuration, and it has nothing to do with the asymmetric path. Hence, strict mode is best option. Therefore, the correct answer is B.

I think this question is trying to trick you by talking about asymmetric routing. It's hoping you'll see "asymmetric" and just reflexively choose D without reading the question carefully. Loose mode should be used if we were enabling URPF on the CE router's Gi2 and Gi3 interfaces. But since we're configuring this on the PE routers towards the customer, and each PE only has one connection to the CE, strict mode will not cause any problems. Loose mode is only needed when you have more than one interface that can be used to reach a certain destination. In this case, each PE only has one interface to the CE.

answer is b Strict Mode: In this mode the router verifies the source of the IP packet arrives on the same interface the router would use to reach that source address. Beware of asymmetric routing. Loose Mode: In this mode the router simply verifies the source IP can be reached via the CEF table using any interface.

loose mode is needed as traffic from CE public prefix can go CE=>PE-ATL-1=>PE-ATL-2 and with strict mode PE-ATL-2 would drop the traffic as it is not incoming through interface to CE.

By the way: line "interface GigabitEthernet 2" does not belong to option C, is an error. That entry actually belongs to option D, so: interface GigabitEthernet 2 ip verify unicast source reachable-via any Here is the difference btween "any" and "rx" any: Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet if the source is reachable through any interface (sometimes referred to as loose mode). rx: Examines incoming packets to determine whether the source address is in the FIB and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode). With this in place, for asymetric routing to occur (I have seen this when unexpected failovers) option "any" is the best. Go for option D 100%.

I also believe that B is correct. Asymmetric traffic can happen, due to routing/forwarding decision inside ISP/Internet but at the same time both PEs should still have valid routes towards CE so there is no issue to use strict mode to filter RFC1918.

I'd say answer D. "interface GigabitEthernet 2 ip verify unicast source reachable-via any" Reasoning here is, we cannot drop asymetric traffic, hence the need for 'loose mode'. RFC1918 will not be in the internet space thus will not be in the RIB and therefore dropped as per loose mode RPF check. Default-allow would cause RFC1918 to be resolved under 0/0 making these answers invalid.

B. interface GigabitEthernet 2 ip verify unicast source reachable-via rx We need to have this on that interface as requested so any traffic coming from the RFC1918 (or elsewhere) will be dropped if there is no entry in the FIB table to reach it via that same interface.

Why D? I would say B is correct.