Which of the following statements are true regarding class maps on a Cisco ASA? (Select 2 choices.)
- QoS traffic shaping is not available for all class maps.
- Class maps apply specific security measures on a per-session basis.
- By default, no class maps are defined on an ASA.
- Class maps must use an ACL to match traffic.
- Class maps can match traffic based on application protocols.
- Class maps identify the interface to which a policy map is applied.
Explanation:
Class maps can match traffic based on application protocols, and Quality of Service (QoS) traffic shaping is not available for all class maps on a Cisco Adaptive Security Appliance (ASA). A class map is one of the three basic components of the Modular Policy Framework (MPF); policy maps and service policies are the other two components. MPF is a Cisco ASA feature that provides a flexible method of enabling security policies on an interface. A class map identifies a specific flow of traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties this action to a specific interface. Generally, each class map can contain only a single match statement, and a packet can match only a single class map within the policy map for a particular feature type. For example, if a packet matched a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both policy map actions to the packet. However, if a packet matched a class map for FTP inspection and a second, different class map that also included FTP inspection, the ASA would apply only the actions of the first matching class map. By default, two class maps are defined on an ASA; the class-default and inspection_default class maps are part of the default configuration of an ASA.
You can use the match command from class map configuration mode to identify traffic based on specified characteristics. The keywords you can use to identify traffic in a class map are closely tied to their respective characteristics. The match command supports the following keywords: access-list, port, default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any.
For example, you could issue the following commands to create a class map named CLASSMAP that identifies traffic using Transmission Control Protocol (TCP) port 8080:
asa(config)#class-map CLASSMAP
asa(config-cmap)#match port tcp eq 8080
Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A policy map typically contains references to one or more class maps and defines actions that should be performed on traffic matched by the specified class maps. If traffic matches multiple class maps for different actions within a policy map (for instance, if traffic matches a class map for application inspection as well as a class map for priority queuing), the actions of both class maps will be applied to the traffic. To continue the example from above, you could issue the following commands to configure a policy map named POLICYMAP that matches traffic specified by the class map named CLASSMAP and then processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine:
asa(config)#policy-map POLICYMAP
asa(config-pmap)#class CLASSMAP
asa(config-pmap-c)#inspect http
A policy map does not act on traffic until the map has been applied to an interface by a service policy. A service policy identifies the interface to which a policy map is applied; a service policy can be applied globally to all interfaces, which applies application inspection only to traffic entering the appliance. Alternatively, a service policy can be applied to a single interface, which applies application inspection to traffic entering and exiting that interface. An interface service policy overrides a global service policy: if traffic matches both an interface policy and a global policy, only the interface policy will be applied to that particular traffic flow. To complete the example, you could issue the following command to apply the POLICYMAP policy map to the inside interface:
asa(config)#service-policy POLICYMAP interface inside
QoS traffic shaping is available for only the class-default class map.
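The matching rules laid out above (one match statement per class map, first matching class map wins per feature type, different feature types stack, interface service policy beats the global one) are easier to reason about when modelled explicitly. The following Python is an added illustration written for this page, not Cisco code and not a simulator of a real ASA: it represents class maps with only the "match port" and "match any" forms, keys feature types by a plain label such as "inspect" or "police", and treats the interface-versus-global rule exactly as the explanation states it. The class-map names, the GLOBAL_POLICY policy map, the interface labels and the sample packets are all constructed for the example.

```python
"""Toy model of Cisco ASA Modular Policy Framework (MPF) matching semantics.

Added example for illustration only; class names, packets and the GLOBAL_POLICY
policy map are constructed assumptions, not the device's configuration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress: str    # interface the packet arrives on, e.g. "inside" (constructed label)
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class ClassMap:
    """Models 'class-map NAME' holding a single match statement:
    'match port {tcp|udp} eq N', or 'match any' when proto and port are both None."""
    name: str
    proto: Optional[str] = None
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is None and self.port is None:
            return True   # match any
        return pkt.proto == self.proto and pkt.dst_port == self.port


@dataclass(frozen=True)
class PolicyEntry:
    class_map: ClassMap
    feature: str    # feature type label, e.g. "inspect", "police", "priority"
    action: str     # the configured action line, e.g. "inspect http"


@dataclass(frozen=True)
class PolicyMap:
    name: str
    entries: tuple  # PolicyEntry objects in configuration order

    def actions_for(self, pkt: Packet) -> list:
        chosen = {}
        for entry in self.entries:
            if not entry.class_map.matches(pkt):
                continue
            # Only the first matching class map of each feature type is honoured;
            # a later class that repeats the same feature (FTP inspection twice) is skipped.
            chosen.setdefault(entry.feature, entry.action)
        return list(chosen.values())


@dataclass(frozen=True)
class ServicePolicy:
    policy: PolicyMap
    interface: Optional[str] = None   # None models 'service-policy NAME global'


def evaluate(pkt: Packet, service_policies) -> list:
    """Return the actions the modelled ASA applies to pkt.

    The interface service policy takes precedence when the flow matches both it
    and the global policy; the global policy is consulted only when no interface
    policy matched the packet.
    """
    for sp in service_policies:
        if sp.interface == pkt.ingress:
            actions = sp.policy.actions_for(pkt)
            if actions:
                return actions
    for sp in service_policies:
        if sp.interface is None:
            return sp.policy.actions_for(pkt)
    return []


# Constructed configuration mirroring the CLASSMAP/POLICYMAP example, plus a global policy.
CLASSMAP = ClassMap("CLASSMAP", "tcp", 8080)
FTP_TRAFFIC = ClassMap("FTP_TRAFFIC", "tcp", 21)
FTP_AGAIN = ClassMap("FTP_AGAIN", "tcp", 21)      # second class that also asks for FTP inspection
DNS_TRAFFIC = ClassMap("DNS_TRAFFIC", "udp", 53)

POLICYMAP = PolicyMap("POLICYMAP", (
    PolicyEntry(CLASSMAP, "inspect", "inspect http"),
    PolicyEntry(FTP_TRAFFIC, "inspect", "inspect ftp"),
    PolicyEntry(FTP_TRAFFIC, "police", "police output 1000000"),
    PolicyEntry(FTP_AGAIN, "inspect", "inspect ftp"),   # never applied: same feature type, later match
))
GLOBAL_POLICY = PolicyMap("GLOBAL_POLICY", (
    PolicyEntry(DNS_TRAFFIC, "inspect", "inspect dns"),
))

SERVICE_POLICIES = (
    ServicePolicy(POLICYMAP, interface="inside"),   # service-policy POLICYMAP interface inside
    ServicePolicy(GLOBAL_POLICY),                   # service-policy GLOBAL_POLICY global
)

if __name__ == "__main__":
    for pkt in (Packet("inside", "tcp", 8080), Packet("inside", "tcp", 21),
                Packet("inside", "udp", 53), Packet("outside", "tcp", 21)):
        print(pkt, "->", evaluate(pkt, SERVICE_POLICIES))
```

Running the block shows the two rules side by side: the FTP packet on the inside interface picks up both the inspection and the policing action, but not the duplicate FTP inspection from the later class map, while DNS on the inside interface falls through to the global policy because nothing in POLICYMAP matched it.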
Class maps do not apply specific security measures on a per-session basis; dynamic access policies (DAPs) can apply specific security measures on a per-session basis. Configuring a DAP allows you to resolve complications presented by the frequently inconsistent nature of a virtual private network (VPN). For example, users might access your network from different remote locations, with each location having a different configuration, thus presenting a variety of security issues for each individual situation. With a DAP, you can apply specific security measures for each specific situation on a per-session basis. Depending on the circumstances of the next connection from a remote location, a different DAP may be applied if the variables have changed.