CCNP Security FAQ : Modular Policy Framework
Q1. What part of the Modular Policy Framework assigns a Traffic Class?
A. Service map
B. Priority map
C. Class map
D. Policy map
Q2. Which match command will match a specific TCP port?
A. match flow
B. match rtp
C. match tunnel-group
D. match dscp
E. None of these answers are correct
Q3. Which are the five feature domains on a policy map? (Choose four.)
A. set-connection
B. inspect
C. TCP normalization
D. priority
E. policy
F. IPS
G. Police
Q4. What is the name of the global policy map?
A. world_policy
B. default_policy
C. asa_global_fw_policy
D. Base_policy
E. None of these answers are correct
Q5. How many policies can be assigned to an interface?
A. 3
B. 6
C. 2
D. 4
E. 1
Q6. Which feature action works with bidirectional traffic flows on a single interface?
A. IPS
B. QoS policing
C. Global interface
D. QoS priority queuing
Q7. If an AIP-SSM module fails while using an IPS policy, what command allows traffic to continue to transmit during the failure?
A. pass-thru
B. fail-close
C. cross-connect
D. fail-open
Q8. The global policy affects which specific interface or interfaces on a Security Appliance?
A. Inside
B. Outside
C. Global
D. DMZ
E. None of these answers are correct
F. All these answers are correct
Q9. What differentiates Modular Policy Framework from classic policy maps?
Q10. What are the three parts to an MPF and what do they do?
Answer:
- A class map to create traffic classes.
- A policy map to assign one or more actions to the traffic classes.
- A service policy to assign the policy to an interface.
Q11. How many matches are allowed in a class map?
Q12. What is an embryonic connection?
Q13. Which actions are available in the IPS policy configuration?
Q14. What are the feature domains and what do they do?
Answer:
- The inspect domain inspects traffic flow assigned to it.
- The IPS domain sends traffic to the AIP-SSM sensor for deep packet inspection.
- The priority domain assigns traffic flows to the low-latency queue for prioritization.
- The police domain sets rate limits and burst limits on assigned traffic flows.
- The TCP normalization domain allows the limiting of TCP and UDP connections, as well as embryonic connections.
Q15. How does the IPS policy handle hardware failure?
Q16. How many policy maps can be assigned to an interface?
Q17. Are policy maps directional, and if so, what feature groups access which directions?
Q18. What does the default policy map do, and how is it applied?
Answer: The default policy map applies the default class map to predefined inspection actions:
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect sunrpc
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp