11.11 uRPF (protecting against spoofing)
I have looked at a past thread, but I am not really clear about what the final verdict is for this solution -- on R4's F0/0 interface.
Why does the SG Solution say to use "loose-mode" for f0/0? As others have already commented, this completely defeats the first requirement of the exercise, as it will now accept internal addresses.
SG: "Ensure that R4 does not accept packets with IP addresses of the internal subnets on its connection to the ISP."
After searching through the forum on this task, I found another thread that helped me understand the use of the optional ACL. So now, my question is, wouldn't the optional ACL ensure that we filter out "internal subnets"? Maybe something like the following:
! this ACL is ONLY for F0/0 to the ISP, while using "Strict Mode".
ip access-list extended 150
10 deny ip 18.104.22.168 0.0.255.255 any log
15 deny ip 22.214.171.124 0.0.255.255 any log
20 permit ip any any log
This way we are fulfilling the primary requirement (above), as well as the logging.
I hope someone can clear this up for me. I am reaching the point that I need to stop just skipping over exercises like this.
Any help is much appreciated. Thanks.
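
The loose-versus-strict question in the post above, as an added example that is not part of the original post: a simplified Python model of the uRPF check with the optional fallback ACL, which is consulted only for packets that fail the check. The FIB, the addresses, the interface roles (F0/0 toward the ISP, F0/1 inside) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: prefix -> egress interface.
FIB = {
    "10.1.0.0/16": "F0/1",      # internal subnet (constructed)
    "10.2.0.0/16": "F0/1",      # internal subnet (constructed)
    "198.51.100.0/24": "F0/0",  # prefix learned from the ISP (constructed)
    "0.0.0.0/0": "F0/0",        # default route toward the ISP
}

# Fallback ACL in the shape of the post's ACL 150: (action, source prefix).
ACL = [("deny", "10.1.0.0/16"), ("deny", "10.2.0.0/16"), ("permit", "0.0.0.0/0")]


def lookup(src):
    """Longest-prefix match on the source; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    hits = [(net, ifc) for net, ifc in
            ((ipaddress.ip_network(p), i) for p, i in FIB.items()) if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def acl_action(src, acl):
    """First matching entry wins; no match means the implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "deny"


def urpf(src, in_if, mode, allow_default=False, acl=None):
    """Return 'forward' or 'drop' for a packet with source src arriving on in_if."""
    hit = lookup(src)
    if hit and hit[0].prefixlen == 0 and not allow_default:
        hit = None  # the default route only satisfies the check with allow-default
    if mode == "loose":
        passed = hit is not None                      # any route back to the source
    else:
        passed = hit is not None and hit[1] == in_if  # route must point out in_if
    if passed:
        return "forward"
    # The ACL is evaluated only for packets that failed the uRPF check.
    if acl is not None and acl_action(src, acl) == "permit":
        return "forward"
    return "drop"
```

In this model a packet sourced from an internal subnet and arriving on F0/0 passes the loose check and never reaches the ACL, while under strict mode it fails the check and the deny entries then decide its fate.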