Which of the following MPF elements can be used to configure Application layer protocol inspection? (Select the best answer.)
A. a class map
B. a policy map
C. a service policy
D. a global policy
E. an extended access list
F. a standard access list
Explanation:
A policy map can be used to configure Application layer protocol inspection. Modular Policy Framework (MPF)
is a Cisco Adaptive Security Appliance (ASA) feature that provides a flexible method of enabling security
policies on an interface. This framework consists of three basic components: class maps, policy maps, and
service policies. A class map identifies a specific flow of traffic, a policy map determines the action that will be
performed on the traffic, and a service policy ties this action to a specific interface. Application inspection is one
of the actions that can be applied to traffic with a policy map. Services that embed IP addresses in the packet or
utilize dynamically assigned ports for secondary channels require deep packet inspection, which is provided by
Application layer protocol inspection. Some traffic, such as File Transfer Protocol (FTP) traffic, might be
dropped if inspection for that protocol is not enabled. Application inspection can be configured within the global
service policy and within an interface service policy. Service policies can be applied to an individual interface or
globally to all interfaces; if traffic matches both an interface policy and a global policy, only the interface policy
will be applied to that particular traffic flow.
A class map cannot be used to configure Application layer protocol inspection. Class maps identify traffic by
matching a variable characteristic that you specify, such as traffic going to a unique IP address or traffic using a
specific port. Generally, each class map can contain only a single match statement, and a packet can match
only a single class map within the policy map of a particular feature type. For example, if a packet matched a
class map for FTP inspection and a class map for traffic policing, the ASA would apply both policy map actions
to the packet. However, if a packet matched a class map for FTP inspection and a second, different class map
that included FTP inspection, the ASA would apply only the actions of the first matching policy map. Class
maps are assigned to a policy map, which defines the action or actions to be performed on the traffic.
A service policy cannot be used to configure Application layer protocol inspection. Service policies tie the policy
map to the interface and can be applied to an individual interface or globally to all interfaces; if traffic matches
both an interface policy and a global policy, only the interface policy will be applied to that particular traffic flow.
Service policies can be configured by using Cisco Adaptive Security Device Manager (ASDM) or by
command-line interface (CLI) configuration.
Neither an extended access list nor a standard access list can be used to configure Application layer protocol
inspection. Access control lists (ACLs) can be used to filter traffic based on a set of configured rules. You can
create either standard or extended ACLs. Whereas standard ACLs can be used to filter based only on source IP
addresses, extended ACLs can be used to filter based on source and destination IP addresses, protocols, and
ports. A class map can match traffic to an extended ACL that is specified as a parameter to the access-list
keyword in a match statement.
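The following is an added worked example, not part of the original question or of Cisco's documentation. It embeds a constructed ASA configuration snippet (hypothetical names such as FTP_CLASS, OUTSIDE_POLICY and the interface names are assumptions) that wires the three MPF components together: a class map selects traffic (one via an extended ACL), a policy map attaches the `inspect` action to each class, and service policies bind one policy map globally and another to an interface. The Python code then parses that snippet and resolves which inspections are in effect per interface, applying the precedence rule exactly as the explanation states it (an interface policy overrides the global policy for that interface), which is a useful audit when reviewing whether a required inspection such as FTP is actually active on a given interface.

```python
"""Resolve which MPF inspections apply per ASA interface from a config snippet."""
import re

# Constructed ASA config (hypothetical names) showing the three MPF components.
SAMPLE_CONFIG = """\
access-list FTP_TRAFFIC extended permit tcp any any eq 21
!
class-map inspection_default
 match default-inspection-traffic
class-map FTP_CLASS
 match access-list FTP_TRAFFIC
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect http
policy-map OUTSIDE_POLICY
 class FTP_CLASS
  inspect ftp
!
service-policy global_policy global
service-policy OUTSIDE_POLICY interface outside
"""


def parse_mpf(config):
    """Parse class-map, policy-map and service-policy blocks.

    Returns (class_maps, policy_maps, service_policies) where
      class_maps:       name -> list of match criteria
      policy_maps:      name -> {class name: [action lines]}
      service_policies: scope ("global" or interface name) -> policy-map name
    Blocks of the form 'class-map type ...' / 'policy-map type ...' are skipped.
    """
    class_maps, policy_maps, service_policies = {}, {}, {}
    cur_class = cur_policy = cur_pclass = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indent = len(line) - len(line.lstrip())
        tok = line.split()
        if indent == 0:                      # start of a new top-level block
            cur_class = cur_policy = cur_pclass = None
            if tok[0] == "class-map" and tok[1] != "type":
                cur_class = tok[1]
                class_maps[cur_class] = []
            elif tok[0] == "policy-map" and tok[1] != "type":
                cur_policy = tok[1]
                policy_maps[cur_policy] = {}
            elif tok[0] == "service-policy":
                # 'service-policy NAME global' or 'service-policy NAME interface IFNAME'
                scope = "global" if tok[2] == "global" else tok[3]
                service_policies[scope] = tok[1]
            continue
        if cur_class is not None and tok[0] == "match":
            class_maps[cur_class].append(" ".join(tok[1:]))
        elif cur_policy is not None and indent == 1 and tok[0] == "class":
            cur_pclass = tok[1]
            if cur_pclass not in class_maps:  # dangling reference: policy would match nothing
                raise ValueError(
                    f"policy-map {cur_policy} references undefined class-map {cur_pclass}")
            policy_maps[cur_policy][cur_pclass] = []
        elif cur_pclass is not None and indent >= 2:
            policy_maps[cur_policy][cur_pclass].append(" ".join(tok))
    return class_maps, policy_maps, service_policies


def effective_policy(service_policies, interface):
    """Precedence as stated in the explanation: interface policy beats global."""
    return service_policies.get(interface, service_policies.get("global"))


def inspections_for(config, interface):
    """Return the sorted list of protocols inspected for traffic on `interface`."""
    _, policy_maps, service_policies = parse_mpf(config)
    policy = effective_policy(service_policies, interface)
    if policy is None:
        return []
    found = set()
    for actions in policy_maps[policy].values():
        for action in actions:
            m = re.match(r"inspect\s+(\S+)", action)
            if m:
                found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    for ifc in ("outside", "inside"):
        print(f"{ifc}: {inspections_for(SAMPLE_CONFIG, ifc)}")
```

Running it shows that the `outside` interface gets only FTP inspection (its own policy map replaces the global one for that interface), while `inside`, which has no interface policy, falls through to the global policy and gets DNS and HTTP inspection. A `ValueError` flags a policy map whose `class` line names a class map that was never defined.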