Which three statements about the Cisco ASA appliance are true? (Choose three.)
A.
The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and
99.
B.
The Cisco ASA appliance supports Active/Active or Active/Standby failover.
C.
The Cisco ASA appliance has no default MPF configurations.
D.
The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual
firewalls.
E.
The Cisco ASA appliance supports user-based access control using 802.1x.
F.
An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering.
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html
Security Level Overview
Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For
example, you should assign your most secure network, such as the inside business network, to level
100. The outside network connected to the Internet can be level 0. Other networks, such as a home
network can be in between. You can assign interfaces to the same security level. See the “Allowing
Communication Between VLAN Interfaces on the Same Security Level” section for more information.http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html
Active/Standby Failover Overview
Active/Standby failover lets you use a standby security appliance to take over the functionality of a
failed unit. When the active unit fails, it changes to the standby state while the standby unit changes
to the active state. The unit that becomes active assumes the IP addresses (or, for transparent
firewall, the management IP address) and MAC addresses of the failed unit and begins passing
traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses.
Because network devices see no change in the MAC to IP address pairing, no ARP entries change or
time out anywhere on the network.
Active/Active Failover Overview
Active/Active failover is only available to security appliances in multiple context mode. In an
Active/Active failover configuration, both security appliances can pass network traffic.
In Active/Active failover, you divide the security contexts on the security appliance into failover
groups. A failover group is simply a logical group of one or more security contexts. You can create a
maximum of two failover groups on the security appliance. The admin context is always a member of
failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
The failover group forms the base unit for failover in Active/Active failover. Interface failure
monitoring, failover, and active/standby status are all attributes of a failover group rather than the
unit. When an active failover group fails, it changes to the standby state while the standby failover
group becomes active. The interfaces in the failover group that becomes active assume the MAC and
IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group
that is now in the standby state take over the standby MAC and IP addresses.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Multiple contexts are similar to having multiple standalone devices. Many features are supported in
multiple context mode, including routing tables, firewall features, IPS, and management. Some
features are not supported, including VPN and dynamic routing protocols.