Free Cisco 400-007 Actual Exam Questions - Question 6 Discussion
• A pool of servers is accessed by numerous data centers and remote sites
• The servers are accessed via a cluster of firewalls
• The firewalls are configured properly and are not dropping traffic
• The firewalls occasionally cause asymmetric routing of traffic within the server data center.
Which technology should you recommend to enhance security by limiting traffic that could originate from a hacker compromising a workstation and redirecting flows at the servers?
It’s C since ACLs directly control allowed sources despite routing twists.
Maybe C is better because limiting source traffic with ACLs on the server side directly blocks unwanted flows regardless of routing issues. uRPF might still drop legit traffic due to asymmetry.
Maybe D makes more sense here since loose uRPF is designed to handle some asymmetric routing by verifying that the source IP is reachable via any interface, not just the one traffic arrived on. Strict mode would likely drop legit packets because of the firewalls causing asymmetry. ACLs (C) could work but might be too static or broad compared to uRPF’s dynamic checks. Static null routes (A) feel risky since they could accidentally block legit traffic if not super carefully managed. So loose uRPF seems like a safer way to limit spoofed traffic without dropping valid flows.
B
uRPF strict mode is great for catching spoofed packets but can break due to asymmetric routing. Still, if the firewalls cause only occasional asymmetry, strict mode might enforce cleaner source verification more effectively than loose mode or ACLs.
It’s C, since ACLs directly limit bad traffic without being affected by routing asymmetry.
I’m thinking option A could be a solid choice here because poisoning certain subnets with static routes to Null0 can effectively block traffic from suspicious sources before it ever reaches the servers. It doesn’t rely on routing protocols or uRPF, which is good given the asymmetric routing situation. That way, even if a hacker tries redirecting flows, the poisoned routes act as a safety net to drop that traffic cleanly. Does anyone see potential downsides to adding those static null routes in this environment?
Makes sense to avoid strict uRPF due to asymmetric routing, so D seems better than B. But I think C is stronger because ACLs won't fail if routes bounce around unexpectedly. C feels like the safer bet here.
C imo, because using ACLs on the server-facing interfaces directly targets which sources are allowed, independent of routing behavior. Since we have asymmetric routing causing issues, relying on uRPF—even loose mode—might still cause false positives or miss some spoofed traffic. Poison routing (A) seems too broad and might disrupt legit paths. ACLs give more granular control without the risk of dropping legit asymmetric flows, so it feels like the safer bet here to limit compromised workstation traffic.
A imo, because poison routing by blackholing certain subnets can limit unwanted traffic without relying on routing checks that get confused by asymmetry. It adds a layer of protection independent of firewall or uRPF behavior.
C/D? I get that strict uRPF (B) is risky with asymmetric routes, but loose mode (D) might still help catch spoofed packets without dropping legit traffic. Still, ACLs (C) seem more precise for controlling sources directly.
It’s A because null routing can block suspicious traffic without relying on routing paths.
Actually, C makes the most sense here since ACLs can directly control which traffic is allowed onto the servers without depending on routing behavior. Given the asymmetric routing issue, relying on uRPF (B or D) could cause legit packets to be dropped. Poisoning subnets (A) might be too broad and could disrupt normal traffic patterns. ACLs offer a more precise way to block potentially malicious flows from compromised workstations without affecting legitimate access, which fits the scenario better.
D imo, because uRPF loose mode can help catch spoofed IPs even with asymmetric routing, offering a good balance without dropping legitimate traffic like strict mode might.
A imo, because poisoning subnets with static routes to Null0 could prevent unwanted traffic from reaching servers, acting as a safety net against redirected flows without relying on routing symmetry.
It’s C because ACLs on the server-facing interface can directly limit what traffic reaches the servers, regardless of routing quirks, which helps contain any compromised workstation attacks.
Option B
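The strict-versus-loose uRPF behaviour debated in the comments above, and its interaction with routes to Null0, shown as an added example that is not part of the original thread. The routing table, interface names and packets are constructed; the model assumes no default route and treats a source that resolves to Null0 as failing the check in either mode, which is the behaviour source-based black-hole filtering relies on.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, egress interface). "Null0" marks a discard route.
FIB = [
    ("10.10.0.0/16", "Gi0/1"),     # remote sites, best path via firewall 1
    ("10.20.0.0/16", "Gi0/2"),     # data centers, best path via firewall 2
    ("10.20.66.0/24", "Null0"),    # subnet poisoned with a static route to Null0
]
TABLE = [(ipaddress.ip_network(p), i) for p, i in FIB]

def lookup(src):
    """Longest-prefix match on the source address; returns egress interface or None."""
    addr = ipaddress.ip_address(src)
    hits = [(n.prefixlen, i) for n, i in TABLE if addr in n]
    return max(hits)[1] if hits else None

def urpf(src, in_if, mode):
    """Return True if the packet passes the uRPF check in 'strict' or 'loose' mode."""
    out_if = lookup(src)
    if out_if is None or out_if == "Null0":
        return False               # no route back to the source, or source is black-holed
    if mode == "strict":
        return out_if == in_if     # must arrive on the interface used to reach the source
    return True                    # loose: any real route to the source is enough

# Constructed packets: (source IP, ingress interface, description)
PACKETS = [
    ("10.10.5.9", "Gi0/1", "legitimate, symmetric path"),
    ("10.10.5.9", "Gi0/2", "legitimate, returned via the other firewall"),
    ("192.0.2.77", "Gi0/1", "spoofed source with no route"),
    ("10.20.66.4", "Gi0/2", "source inside the null-routed subnet"),
]

def evaluate():
    """Return (src, ingress, strict_result, loose_result) for each constructed packet."""
    return [(src, in_if, urpf(src, in_if, "strict"), urpf(src, in_if, "loose"))
            for src, in_if, _ in PACKETS]

if __name__ == "__main__":
    for (src, in_if, strict, loose), (_, _, why) in zip(evaluate(), PACKETS):
        print(f"{src:<12} in={in_if:<6} strict={'pass' if strict else 'drop':<5} "
              f"loose={'pass' if loose else 'drop':<5} {why}")
```

The second packet is the asymmetric case from the question: strict mode drops it although the source is legitimate, while loose mode passes it.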