Unicast RPF Mode for Guaranteeing Same Interface Subnet

A.

Unicast Reverse Path Forwarding (uRPF) is a security feature used to mitigate IP spoofing attacks in the network. It checks the source IP address of the incoming packets against the routing table and verifies whether the packet arrives on the expected interface based on the routing information. There are three modes of uRPF: strict, loose, and VRF.

In strict mode, the router checks that the source IP address of the packet matches the routing table entry and verifies that the packet arrives on the same interface that the routing table specifies for that IP address. If the packet arrives on a different interface, it is dropped. Strict mode provides the highest level of security but can cause issues in networks with asymmetric routing paths.

In loose mode, the router only checks that the source IP address of the packet matches the routing table entry, but it does not check that the packet arrives on the expected interface. Loose mode is more flexible than strict mode and can handle asymmetric routing paths, but it is less secure.

In VRF mode, uRPF operates on a per-VRF basis. It checks that the source IP address of the packet matches the routing table entry and verifies that the packet arrives on the same interface that the VRF specifies for that IP address. VRF mode provides additional security for multi-tenant networks.

In this scenario, the network administrator wants to ensure that all packets arriving on the router interfaces are assigned to the same interface subnet. This requirement suggests that the network is not expected to have asymmetric routing paths, and security is a higher priority than flexibility. Therefore, strict mode would be the best option for this design.

RPF feasible mode is not a valid option for uRPF as it is a feature used in multicast routing.