which three actions can be applied to a traffic class?

When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a
traffic class? (Choose three.)

When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a
traffic class? (Choose three.)

A.
pass

B.
police

C.
inspect

D.
drop

E.
queue

F.
shape

Explanation:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc99
4.shtml
Zone-Based Policy Firewall Actions
ZFW provides three actions for traffic that traverses from one zone to another:
Drop—This is the default action for all traffic, as applied by the “class class-default” that terminates
every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop
unwanted traffic.
Traffic that is handled by the drop action is “silently” dropped (i.e., no notification of the drop is sent
to the relevant end-host) by the ZFW, as opposed to an ACL’s behavior of sending an ICMP “host
unreachable” message to the host that sent the denied traffic. Currently, there is not an option to
change the “silent drop” behavior. The log option can be added with drop for syslog notification that
traffic was dropped by the firewall.
Pass—This action allows the router to forward traffic from one zone to another. The pass action
does not track the state of connections or sessions within the traffic. Pass only allows the traffic in
one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite
direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other

inherently secure protocols with predictable behavior. However, most application traffic is better
handled in the ZFW with the inspect action.
Inspect—The inspect action offers state-based traffic control. For example, if traffic from the private
zone to the Internet zone in the earlier example network is inspected, the router maintains
connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the
router permits return traffic sent from Internet-zone hosts in reply to private zone connection
requests. Also, inspect can provide application inspection and control for certain service protocols
that might carry vulnerable or sensitive application traffic.
Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration,
the data volume transferred, and source and destination addresses.

Show Hint

Leave a Reply 0

Your email address will not be published. Required fields are marked *