CCNP ROUTE 2.0 Exam Blueprint: Unicast Reverse Path Forwarding & IPv4 access control lists (standard, extended, time based)
Unicast Reverse Path Forwarding (RPF)
Unicast RPF is used to help limit malicious traffic on a network. When configured, the router verifies that the source address of each packet it forwards is reachable. This helps prevent packets with spoofed source IP addresses from being forwarded.
- CEF must be running on the router in order to run Unicast RPF
- Unicast RPF is enabled on a per interface basis
There are three modes of Unicast RPF: Loose, Strict and VRF Mode
Loose Mode – the source address must appear in the routing table (the check is made against the FIB). The option “allow-default” allows the default route to be used when verifying the source address. An ACL may be used to permit or deny certain source addresses.
Strict Mode – the packet must be received on the interface the router would use to forward the return packet (the check is made against the FIB and the incoming interface). Legitimate traffic could be dropped if asymmetric routing is present.
VRF Mode – Loose & Strict mode within each VRF
Configuring Unicast RPF
Loose Mode is configured on an interface using the command “ip verify unicast source reachable-via any”
Strict Mode is configured on an interface using the command “ip verify unicast source reachable-via rx”
Additional options that work with both Loose and Strict modes include:
- “allow-default” allows the router to match the default route when checking a source address that has no more specific route in the routing table.
- “allow-self-ping” allows the router to ping its own interfaces through the check; not recommended by Cisco as it creates a vulnerability (DoS attack).
- An ACL can be configured so that when a packet FAILS the Unicast RPF check the ACL is consulted to determine whether the packet is permitted OR denied.
If no ACL is applied to the Unicast RPF command then NO logging occurs, only the counters are updated. If logging is required, create an ACL and add the log keyword to its entries so that the exact source address, time, date etc. are recorded.
“show ip traffic” – displays global router statistics about Unicast RPF drops
“show cef interface fastethernet 0/0” – displays which Unicast RPF mode is enabled on the interface as well as the drops. In addition it also displays whether CEF is enabled (a requirement for Unicast RPF).
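To make the loose/strict distinction and the “allow-default” behaviour concrete, here is a small simulation of the check added to these notes (it is not Cisco code). The FIB, interface names and source addresses are constructed for the example; “any” stands for reachable-via any (loose) and “rx” for reachable-via rx (strict).

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: prefix -> egress interface.
FIB = {
    "0.0.0.0/0": "Gi0/0",      # default route towards the ISP
    "10.1.0.0/16": "Gi0/1",    # internal LAN
    "192.0.2.0/24": "Gi0/0",   # a prefix reached via the ISP link
}

def fib_lookup(src):
    """Longest-prefix match of src against the FIB; returns (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(src, ingress, mode="any", allow_default=False):
    """Return True if a packet from src arriving on ingress passes Unicast RPF.
    mode 'any' = loose (route must exist), 'rx' = strict (route must point back
    out of the ingress interface). Without allow-default, a hit on the default
    route does not count as a verified source."""
    hit = fib_lookup(src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "rx":
        return iface == ingress
    return True

def count_drops(packets, mode="any", allow_default=False):
    """Apply the check to (src, ingress) tuples and return the number of drops,
    mirroring the counters that 'show ip traffic' reports when no ACL is attached."""
    return sum(not urpf_check(s, i, mode, allow_default) for s, i in packets)
```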
Access Control Lists
- Access Control Lists (ACLs) can be used to filter network traffic, define traffic to be NATted or encrypted, and so on.
- A packet is compared against the ACL statements in order until a match is found
- If no explicit match is found on any line the packet is denied by the IMPLICIT deny at the end of the ACL
- ACL applied to an interface using the command “ip access-group”
- ACL applied to VTY line using the command “access-class”
- ACLs use wildcard masks (a 0 bit must match, a 1 bit is ignored).
- Wildcard of 0.0.0.0 means the address must match exactly, use “host” instead
- Wildcard of 255.255.255.255 means any address matches, use “any” instead
- A standard ACL is only concerned with the source IP address
- An Extended ACL matches source and destination IP address as well as port number
- Logging is CPU intensive, do not log everything
- Standard numbered ACL range from 1 to 99 and 1300 to 1999
- Extended numbered ACL range from 100 to 199 and 2000 to 2699
Types of ACLs include: Standard, Extended, Named, Time Based
Standard (numbered) ACL
access-list 10 deny 10.10.0.0 0.0.0.255
! standard ACLs match on source address only, so no protocol keyword is given
access-list 10 permit any
Extended (numbered) ACL
access-list 100 deny ip 10.10.0.0 0.0.0.255 any
access-list 100 deny tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 100 permit ip any any
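The following evaluator is an added example (not from the original notes or from Cisco) that applies the wildcard-mask, first-match and implicit-deny rules above to the extended ACL 100 just shown. The packet values in the test are constructed; only numeric “eq” ports are handled.

```python
import ipaddress

# The extended ACL from the notes above, used here as the sample input.
ACL_100 = [
    "access-list 100 deny ip 10.10.0.0 0.0.0.255 any",
    "access-list 100 deny tcp 192.168.0.0 0.0.255.255 any eq 22",
    "access-list 100 permit ip any any",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at token i."""
    if tokens[i] == "any":                      # any == 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":                     # host == address with 0.0.0.0 wildcard
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_ace(line):
    """Parse one extended numbered ACE into a dict (destination port only for 'eq N')."""
    t = line.split()
    ace = {"action": t[2], "proto": t[3]}
    ace["src"], ace["swc"], i = _take_addr(t, 4)
    ace["dst"], ace["dwc"], i = _take_addr(t, i)
    ace["dport"] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return ace

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Walk the ACL top-down; the first matching ACE wins.
    Returns (action, line_no); line_no is None when the implicit deny applies."""
    for n, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):          # 'ip' covers every protocol
            continue
        if not wildcard_match(src, ace["src"], ace["swc"]):
            continue
        if not wildcard_match(dst, ace["dst"], ace["dwc"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None                                 # implicit deny at the end
```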
A Named ACL can still be configured as either a Standard or an Extended ACL, but allows a more meaningful name than a numbered ACL; the option “remark” is also available to describe each statement if required. Unlike a Numbered ACL, you also have the ability to re-order or edit individual ACL statements without having to delete the entire ACL.
ip access-list standard BLOCK_10_SUBNET
remark BLOCKS THE 10.x.x.x SUBNET
deny 10.10.0.0 0.0.0.255
! without a final permit the implicit deny would drop all other traffic
permit any
Time Based ACL
Gives us the ability to activate an ACL during certain periods. It relies on an accurate clock on the device, so use NTP.
Options include: “absolute” – a start and/or end time and date – or “periodic” – certain days of the week, daily, weekdays or weekend
time-range TIME_RANGE
periodic weekdays 08:00 to 18:00
access-list 100 permit tcp any any eq telnet time-range TIME_RANGE
line vty 0 4
access-class 100 in
Direction (where to apply the ACL)
Once configured, the ACL must be applied to an Interface, VLAN or VTY line. The direction is important and is determined as follows:
Out – Traffic that has already passed through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
In – Traffic that arrives on the interface and then passes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
interface fastethernet 0/0
ip access-group BLOCK_10_SUBNET in
“show ip access-list” or “show access-list” – shows the hit counts against each ACL statement
“show ip interface fastethernet 0/0” – displays the ACLs applied inbound and outbound on the interface
“show time-range” – shows whether the time-range is active or inactive (i.e. whether the current time is within the specified range)