PrepAway - Latest Free Exam Questions & Answers

Which three statements about the Cisco ASA appliance are true?

Which three statements about the Cisco ASA appliance are true? (Choose three.)


A. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99.

B. The Cisco ASA appliance supports Active/Active or Active/Standby failover.

C. The Cisco ASA appliance has no default MPF configurations.

D. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls.

E. The Cisco ASA appliance supports user-based access control using 802.1x.

F. An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering.

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html

Security Level Overview

Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. The outside network connected to the Internet can be level 0. Other networks, such as a home network, can be in between. You can assign interfaces to the same security level. See the "Allowing Communication Between VLAN Interfaces on the Same Security Level" section for more information.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html

Active/Standby Failover Overview

Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Active/Active Failover Overview

Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.

In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby state take over the standby MAC and IP addresses.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html

Security Context Overview

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
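The security-level and Active/Standby failover behaviour quoted above, as an added ASA configuration example that is not taken from the Cisco documentation; the interface names, IP addresses and the failover link name are constructed, and Active/Active failover (which requires multiple context mode) is not shown:

```cisco
! Security levels: inside is most trusted (100), outside least (0), and the
! DMZ sits in between (1-99, here 50). By default a connection may start from
! a higher-level interface toward a lower one; the reverse is denied unless an
! access list explicitly permits it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Only needed when two interfaces share one security level and must talk to
! each other (the "Same Security Level" section referenced above).
same-security-traffic permit inter-interface
!
! Dedicated failover link (constructed name FOLINK on Gi0/3).
interface GigabitEthernet0/3
 no shutdown
!
! Active/Standby failover: the standby unit mirrors this configuration and, on
! failure of the active unit, takes over the active IP and MAC addresses of the
! interfaces above; the "standby" addresses move to the unit that is now standby.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link FOLINK GigabitEthernet0/3
failover
```

Check the result with `show failover` on either unit; the primary should report Active and the peer Standby Ready once the link is up.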