Config Router

You are here: Home / Cisco / CCNP Security FAQ : Modular Policy Framework

CCNP Security FAQ : Modular Policy Framework

by

CCNP Security FAQ : Modular Policy Framework

Q1. What part of the Modular Policy Framework assigns a Traffic Class?
A. Service map
B. Priority map
C. Class map
D. Policy map

Answer: 1.c

Q2. Which match command will match a specific TCP port?
A. match flow
B. match rtp
C. match tunnel-group
D. match dscp
E. None of these answers are correct

Answer: E

Q3. Which are the five feature domains on a policy map? (Choose four.)
A. set-connection
B. inspect
C. TCP normalization
D. priority
E. policy
F. IPS
G. Police

Answer: B, C, D, F, and G

Q4. What is the name of the global policy map?
A. world_policy
B. default_policy
C. asa_global_fw_policy
D. Base_policy
E. None of these answers are correct

Answer: C

Q5. How many policies can be assigned to an interface?
A. 3
B. 6
C. 2
D. 4
E. 1

Answer: E

Q6. Which feature action works with bidirectional traffic flows on a single interface?
A. IPS
B. QoS policing
C. Global interface
D. QoS priority queuing

Answer: A

Q7. If an AIP-SSM module fails while using an IPS policy, what command allows traffic to continue to transmit during the failure?
A. pass-thru
B. fail-close
C. cross-connect
D. fail-open

Answer: D

Q8. The global policy affects which specific interface or interfaces on a Security Appliance?
A. Inside
B. Outside
C. Global
D. DMZ
E. None of these answers are correct
F. All these answers are correct

Answer: F

Q9. What differentiates Modular Policy Framework from classic policy maps?

Answer: A Modular Policy Framework (MPF) gives the security administrator the tools to segment traffic flows into traffic classes and to assign one or more actions to each traffic class. Traditional policy maps only allowed actions to be assigned to the total traffic flow on the Security Appliance, whereas with an MPF, HTTP traffic can have a policy separate from H.323 or ICMP.

Q10. What are the three parts to an MPF and what do they do?

Answer:

  • A class map to create traffic classes.
  • A policy map to assign one or more actions to the traffic classes.
  • A service policy to assign the policy to an interface.

Q11. How many matches are allowed in a class map?

Answer: Multiple. Though the standard class map allows for only a single match, class maps that support tunnel groups and default-inspection statements allow multiple match criteria.

Q12. What is an embryonic connection?

Answer: An embryonic connection is a half-open TCP connection.

Q13. Which actions are available in the IPS policy configuration?

Answer: You can set how the traffic flows to the AIP-SSM sensor through two different modes: promiscuous mode and inline mode.

Q14. What are the feature domains and what do they do?

Answer:

  • The inspect domain inspects traffic flow assigned to it.
  • The IPS domain sends traffic to the AIP-SSM sensor for deep packet inspection.
  • The priority domain assigns traffic flows to the low-latency queue for prioritization.
  • The police domain sets rate limits and burst limits on assigned traffic flows.
  • The TCP normalization domain allows the limiting of TCP and UDP connections, as well as embryonic connections.

Q15. How does the IPS policy handle hardware failure?

Answer: The IPS policy can handle failure in two ways. You can set the IPS to allow all traffic through the firewall that would normally be assigned to the IPS sensor through the fail-open command. You can also drop all traffic assigned to the IPS sensor through the fail-close command.

Q16. How many policy maps can be assigned to an interface?

Answer: There is no limit to the amount of policy maps that can be assigned to a single service map. Only one service map may be assigned to an interface.

Q17. Are policy maps directional, and if so, what feature groups access which directions?

Answer: Yes, and the directions for each group are as follows
ccnp-security-faq-modular-policy-framework

Q18. What does the default policy map do, and how is it applied?

Answer: The default policy map applies the default class map to predefined inspection actions:

policy-map global_policy
class inspection_default
inspect dns maximum length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect sunrpc
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
inspect xdmcp

More Resources