Preventing Packet Spoofing with uRPF


I have to say that I'm a bit disappointed with the quality of the workbook so far. A lot of questions are very generic which makes it hard to figure out what exactly the task is asking for. I don't understand the sample solution of this task because it does not do what was asked in this task.

  • Consider that R4's VLAN 146 link is an ISP connection providing Internet services.
    • Ensure that R4 does not accept packets with IP addresses of the internal subnets on its connection to the ISP.
    • Considering that there is another connection to the same ISP in the network, account for possible asymmetric routing issues on R4.
I assume that internal subnets are and, correct?

This solution does not fullfil the first requirement. I could still fake an internal address on R6 (outside) for example and send traffic to R5 (internal).

Let's assume R6 wants to spoof R5's loopback0 interface which is in the internal network address range.

R6#sh run int lo1

Building configuration...

Current configuration : 65 bytes


interface Loopback1

 ip address


R6#ping so lo1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Packet sent with a source address of 


Success rate is 0 percent (0/5)

R5 receives the echo-reply packets as we can see from the debug ip icmp output:


ICMP: echo reply rcvd, src, dst, topology BASE, dscp 0 topoid 0

In my opinion this task requires a different topology with a clear separation of internal and external address space. Otherwise this task doesn't make a lot of sense.



Sign In or Register to comment.