Which of the following statements is correct regarding the traffic types that can be matched in a class map on a
Cisco ASA? (Select the best answer.)
A.
A class map can match traffic by TCP port number but not by UDP port number.
B.
A class map can match traffic by UDP port number but not by IP precedence.
C.
A class map can match traffic by TCP port number but not by IP precedence.
D.
A class map can match traffic by UDP port number but not by TCP port number.
E.
A class map can match traffic by TCP port number, by UDP port number, and by IP precedence.
Explanation:
A class map can match traffic by Transmission Control Protocol (TCP) port number, by User Datagram
Protocol (UDP) port number, and by IP precedence on a Cisco Adaptive Security Appliance (ASA). A class map
is one of the three basic components of Modular Policy Framework (MPF)? policy maps and service policies
are the other two components. MPF is a Cisco ASA feature that provides a flexible method of enabling security
policies on an interface. A class map identifies a specific flow of traffic, a policy map determines the action that
will be performed on the traffic, and a service policy ties this action to a specific interface. Generally, each class
map can contain only a single match statement, and a packet can match only a single class map within the
policy map of a particular feature type. For example, if a packet matched a class map for File Transfer Protocol
(FTP) inspection and a class map for traffic policing, the ASA would apply both policy map actions to the
packet. However, if a packet matched a class map for FTP inspection and a second, different class map that
included FTP inspection, the ASA would apply only the actions of the first matching policy map.
You can use the match command from class map configuration mode to identify traffic based on specified
characteristics. The keywords you can use to identify traffic in a class map are closely tied to their respectivecharacteristics. The match command supports the following key words: accesslist, port, defaultinspectiontraffic,
dscp, precedence, rtp, tunnelgroup, and any.
For example, you could issue the following commands to create a class map named CLASSMAP that identifies
traffic using TCP port 25:
asa(config)#classmap CLASSMAP
asa(configcmap)#match port tcp eq 25
Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A
policy map typically contains references to one or more class maps and defines actions that should be
performed on traffic matched by the specified class maps. If traffic matches multiple class maps for different
actions within a policy map-for instance, if traffic matches a class map for application inspection as well as a
class map for priority queuing-the actions of both class maps will be applied to the traffic. To continue the
example from above, you could issue the following commands to configure a policy map named POLICYMAP
that matches traffic specified by the class map named CLASSMAP and then processes the traffic with the
Hypertext Transfer Protocol (HTTP) inspection engine:
asa(config)#policymap POLICYMAP
asa(configpmap)#class CLASSMAP
asa(configpmapc)#inspect http
A policy map does not act on traffic until the map has been applied to an interface by a service policy. A service
policy can be applied globally to all interfaces, which will apply application inspection to only traffic entering the
appliance? alternatively, a service policy can be applied to a single interface, which will apply application
inspection to traffic entering and exiting the interface. An interface service policy overrides a global service
policy: if traffic matches both an interface policy and a global policy, only the interface policy will be applied to
that particular traffic flow. To complete the example, you could issue the following commands to apply the
POLICYMAP policy map to the inside interface:
asa(config)#servicepolicy POLICYMAP interface insideCisco: Service Policy Using the Modular Policy Framework: Feature Matching Within a Service Policy