Which of the following statements are true regarding class maps on a Cisco ASA? (Select 2 choices.)
A.
QoS traffic shaping is not available for all class maps.
B.
Class maps apply specific security measures on a per-session basis.
C.
By default, no class maps are defined on an ASA.
D.
Class maps must use an ACL to match traffic.
E.
Class maps can match traffic based on application protocols.
F.
Class maps identify the interface to which a policy map is applied.
Explanation:
Class maps can match traffic based on application protocols, and Quality of Service (QoS) traffic shaping is not
available for all class maps on a Cisco Adaptive Security Appliance (ASA). A class map is one of the three basic
components of the Modular Policy Framework (MPF); policy maps and service policies are the other two
components. MPF is the Cisco ASA feature that provides a flexible method of applying security policies to traffic
on an interface. A class map identifies a specific flow of traffic, a policy map determines the action that will be
performed on the traffic, and a service policy ties the policy map to a specific interface or to all interfaces.
Generally, each Layer 3/4 class map can contain only a single match statement, and within a given policy map a
packet can match only one class map for a particular feature type. Actions for different feature types are
cumulative: if a packet matched a class map for File Transfer Protocol (FTP) inspection and a separate class map
for traffic policing, the ASA would apply both actions to the packet. However, if a packet matched a class map for
FTP inspection and a second, different class map that also applied FTP inspection, the ASA would apply only the
action of the first matching class map in that policy map. By default, two class maps are defined on an ASA; the
class-default and inspection_default class maps are part of the default configuration of an ASA.
You can use the match command from class map configuration mode to identify traffic based on specified
characteristics. An access list is only one of the available criteria, so class maps are not required to use an ACL
to match traffic. The match command supports the following keywords: access-list, port, default-inspection-traffic,
dscp, precedence, rtp, tunnel-group, and any.
For example, you could issue the following commands to create a class map named CLASSMAP that identifies
traffic using Transmission Control Protocol (TCP) port 8080:
asa(config)# class-map CLASSMAP
asa(config-cmap)# match port tcp eq 8080
Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A
policy map typically references one or more class maps and defines the actions that should be performed on
traffic matched by each class map. If traffic matches multiple class maps for different actions within a policy
map (for instance, a class map for application inspection and a class map for priority queuing), the actions of
both class maps are applied to the traffic. To continue the example from above, you could issue the following
commands to configure a policy map named POLICYMAP that matches traffic specified by the class map named
CLASSMAP and then processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine:
asa(config)# policy-map POLICYMAP
asa(config-pmap)# class CLASSMAP
asa(config-pmap-c)# inspect http
A policy map does not act on traffic until it has been applied to an interface by a service policy. It is the service
policy, not the class map, that identifies the interface to which a policy map is applied. A service policy can be
applied globally to all interfaces, in which case features such as application inspection are applied only to
traffic entering the appliance. Alternatively, a service policy can be applied to a single interface, in which case
inspection is applied to traffic entering and exiting that interface. Only one global service policy can exist, and
each interface can carry only one interface service policy. An interface service policy takes precedence over the
global service policy for a given feature: if traffic matches a class map for the same feature in both an interface
policy and the global policy, only the interface policy's action is applied to that flow. To complete the example,
you could issue the following command to apply the POLICYMAP policy map to the inside interface:
asa(config)# service-policy POLICYMAP interface inside
QoS traffic shaping is available for only the class-default class map. To shape all traffic leaving an interface
while still giving a subset of it priority, a hierarchical policy map is used: the shape action is placed under
class-default, and a nested policy map that applies the priority action is attached beneath it.
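The following configuration is a worked example added to this explanation; it is not taken from the Cisco references below. It ties the three MPF components from the procedure above together on an inside interface, and adds the hierarchical shaping policy that the last sentence describes on an outside interface. Interface names, the 192.0.2.10 host address, the policy and class map names, and the shaping rate are all assumed for illustration.

```cisco
! Added example configuration. Names, addresses and rates are assumed for
! illustration and do not come from the original explanation.

! --- Class maps: each Layer 3/4 class map holds a single match statement ---
access-list WEB_8080 extended permit tcp any host 192.0.2.10 eq 8080
class-map CM_WEB_8080
 match access-list WEB_8080
!
class-map CM_VOICE
 match dscp ef
!
! class-default and inspection_default (match default-inspection-traffic)
! already exist in the default configuration and are not created here.

! --- Policy map for the inside interface ---
! CM_WEB_8080 receives two different feature types (application inspection
! and connection limits), so both actions apply to a matching packet.
! Port 8080 is not part of default-inspection-traffic (HTTP is port 80 there),
! so this interface policy is what adds HTTP inspection for that flow.
! class-default also sets connection limits; a packet that already matched
! CM_WEB_8080 keeps the limits from that class, because only the first match
! for a given feature is applied.
policy-map PM_INSIDE
 class CM_WEB_8080
  inspect http
  set connection conn-max 2000 embryonic-conn-max 500
 class class-default
  set connection embryonic-conn-max 1000
!
service-policy PM_INSIDE interface inside

! --- Hierarchical policy for QoS shaping on the outside interface ---
! shape is accepted only under class-default; the nested policy map gives
! EF-marked traffic priority within the shaped rate (2 Mbps, 16000-bit burst).
policy-map PM_PRIORITY
 class CM_VOICE
  priority
!
policy-map PM_SHAPE_OUTSIDE
 class class-default
  shape average 2000000 16000
  service-policy PM_PRIORITY
!
service-policy PM_SHAPE_OUTSIDE interface outside

! --- Verify which policies and actions are actually in effect ---
! show service-policy interface inside
! show service-policy shape
! show running-config class-map
```

The `show service-policy` output is the check worth running after any MPF change: it lists, per interface and per class, which inspection, connection-limit and QoS actions are active and their packet counters, so a class map that never matches (for example because an earlier class in the same policy map already claimed that feature) shows up as a zero counter rather than as a silently missing control.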
Class maps do not apply specific security measures on a per-session basis; dynamic access policies (DAPs) do.
A DAP addresses the variability inherent in remote-access virtual private network (VPN) sessions: users might
connect to your network from different remote locations and endpoints, each with a different configuration, so
each connection presents its own set of security concerns. With a DAP, you can apply specific security measures
to each situation on a per-session basis; if the attributes of a later connection from the same remote location
have changed, a different DAP may be applied.

References:
Cisco: Service Policy Using the Modular Policy Framework: Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping
Cisco: Service Policy Using the Modular Policy Framework: Creating a Layer 3/4 Class Map for Through Traffic