PrepAway - Latest Free Exam Questions & Answers

Which three actions can be applied to a traffic class?

When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a
traffic class? (Choose three.)

A. pass
B. police
C. inspect
D. drop
E. queue
F. shape

Explanation:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Zone-Based Policy Firewall Actions

ZFW provides three actions for traffic that traverses from one zone to another:

Drop—This is the default action for all traffic, as applied by the “class class-default” that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic. Traffic that is handled by the drop action is “silently” dropped (i.e., no notification of the drop is sent to the relevant end-host) by the ZFW, as opposed to an ACL’s behavior of sending an ICMP “host unreachable” message to the host that sent the denied traffic. Currently, there is not an option to change the “silent drop” behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.

Pass—This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the ZFW with the inspect action.

Inspect—The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone in the earlier example network is inspected, the router maintains connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private zone connection requests. Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic.

Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.
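The following IOS configuration is an added example, not part of the Cisco technical note quoted above, showing all three ZFW actions (pass, inspect, drop) applied to classes within one inspect-type policy-map between a private zone and an Internet zone. Zone names, class-map names, policy-map names, the parameter-map name, the ACL name and the interface numbers are hypothetical. It illustrates the two points the explanation stresses: stateless pass traffic (ESP, AH, ISAKMP here) needs a mirrored policy on the reverse zone-pair for return traffic, while inspected TCP/UDP sessions get their return traffic permitted automatically; and the class-default drop is given the log keyword so silently dropped traffic at least appears in syslog, with an audit-trail parameter-map recording session start, stop and volume for inspected flows.

```cisco
! Zones (hypothetical names)
zone security private
zone security internet
!
! Stateless-but-predictable VPN protocols that will be handled by the pass action
ip access-list extended VPN-PASS-ACL
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
!
class-map type inspect match-all VPN-PASS
 match access-group name VPN-PASS-ACL
!
! Application traffic that will be handled statefully by the inspect action
class-map type inspect match-any PRIV-TO-INET-INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Parameter-map enabling the audit trail for inspected sessions
parameter-map type inspect AUDIT-PARAMS
 audit-trail on
!
! Private -> Internet policy: pass, inspect, then drop (with log) everything else
policy-map type inspect PRIV-TO-INET
 class type inspect VPN-PASS
  pass
 class type inspect PRIV-TO-INET-INSPECT
  inspect AUDIT-PARAMS
 class class-default
  drop log
!
! Internet -> Private policy: only the mirrored pass class, because the pass
! action is unidirectional; inspected sessions need no entry here since the
! firewall already permits their return traffic from its session table
policy-map type inspect INET-TO-PRIV
 class type inspect VPN-PASS
  pass
 class class-default
  drop log
!
zone-pair security PRIV-INET source private destination internet
 service-policy type inspect PRIV-TO-INET
!
zone-pair security INET-PRIV source internet destination private
 service-policy type inspect INET-TO-PRIV
!
interface GigabitEthernet0/0
 description Private LAN (hypothetical)
 zone-member security private
!
interface GigabitEthernet0/1
 description Internet uplink (hypothetical)
 zone-member security internet
```

To confirm that inspected flows are actually being tracked, the active sessions for a zone-pair can be listed with `show policy-map type inspect zone-pair sessions`; traffic matched by the pass class will not appear there, because pass creates no session entry, which is exactly why the reverse zone-pair needs its own explicit pass class.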

