Zone-based Firewall SDM Simlet
    Instructions
    To access the Cisco Router and Security Device Manager (SDM) utility, click on the console host icon that is connected to an ISR router. You can click on the grey buttons below to view the different windows.
    Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar.
    The “Tab” key and most commands that use the “Control” or “Escape” keys are not supported and are not necessary to complete this simulation.
    (Note: If you don’t understand how Zone-Based Firewall works, check out my article at http://vnpro.org/forum/showthread.ph...112#post153112)

    (Notice: the access list, class-map, policy-map, zones, zone-pair… in the real exam might be different!)


    Question 1
    Which two options correctly identify the associated interface with the correct security zone? (Choose two)
    A. FastEthernet0/1 is associated to the “out-zone” zone.
    B. FastEthernet0/0 is associated to the “in-zone” zone.
    C. FastEthernet0/0 and 0/1 are associated to the “self” zone.
    D. FastEthernet0/0 and 0/1 are associated to the “in-zone” zone.
    E. FastEthernet0/0 and 0/1 are associated to the “out-zone” zone.
    F. FastEthernet0/0 and 0/1 are not associated to any zone.


    Answer: A B
    Explanation
    Under the Additional Tasks, click on the Zones group. In the right-side box we can see that FastEthernet0/0 is assigned to the in-zone and FastEthernet0/1 is assigned to the out-zone.

    (Notice: In the real exam, you might see more zones than the image above)
    Question 2
    Which statement is correct regarding the “sdm-permit” policy map?
    A. Traffic not matched by any of the class maps within that policy map will be inspected.
    B. Traffic matching the “sdm-access” traffic class will be inspected.
    C. Traffic matching the “SDM_CA_SERVER” traffic class will be dropped.
    D. That policy map is applied to traffic sourced from the “self” zone and destined to the “out-zone” zone.


    Answer: B or C
    Explanation
    A is not correct because there is a default class-map at the end of this policy map named “class-default”. This class-map will drop all the traffic that is not matched with the SDM_CA_SERVER class-map (it works in the same way as the implicit “deny all” line at the end of each access list). Therefore traffic not matched by any of the class maps within that policy map will be dropped.
    D is not correct because the policy map is applied from the source “out-zone” to the destination “self”.
    We don’t have enough information about the correct answer yet; hopefully someone will describe this question clearly after taking the exam.
    Question 3
    Which three protocols are matched by the “sdm-cls-insp-traffic” class map? (Choose three)
    A. sql-net
    B. pop3
    C. l2tp
    D. ftp


    Answer: A B D
    Explanation
    Click on the C3PL\Class Map\Inspection group and click on the sdm-cls-insp-traffic line at the upper right side box to see which protocols are matched by the “sdm-cls-insp-traffic” class map.
    Question 4
    Within the “sdm-permit” policy map, what is the action assigned to the traffic class “class-default”?
    A. inspect
    B. pass
    C. drop
    D. police


    Answer: C
    Explanation
    Under the C3PL\Policy Map\Protocol Inspection group we can see the policy maps, which class-maps and which actions are assigned to the class-maps.

    Question 5
    Which policy map is associated to the “sdm-zp-in-out” security zone pair?
    A. sdm-permit-icmpreply
    B. sdm-permit
    C. sdm-inspect
    D. sdm-insp-traffic


    Answer: C
    Explanation
    There are 2 places where you can get information about the policy map associated to the “sdm-zp-in-out” security zone pair:
    + At the “Home” tab (you might click on the to see the Firewall policies)

    + At the Zone-pair group in the Additional Tasks
    Question 6
    Within the “sdm-inspect” policy map, what is the action assigned to the traffic class “sdm-invalid-src”, and which traffic is matched by the traffic class “sdm-invalid-src”? (Choose two)
    A. traffic matched by ACL 105
    B. traffic matched by the nested “sdm-cls-insp-traffic” class map
    C. drop/log
    D. traffic matched by ACL 104


    Answer: A C
    Explanation
    Under the “Firewall and ACL” tab, search for the “sdm-inspect” policy map; we can see that access list 105 is used by this policy map. We can also see the action assigned to the traffic class “sdm-invalid-src” (drop/log).

    Notice that the access list number can also be seen in the C3PL\Class Map\Inspection group and the drop/log action can be seen in the C3PL\Policy Map\Protocol Inspection group.

    (Reference: http://www.cisco.com/en/US/products/...html#wp1063104)
    Last edited by phamminhtuan; 20-12-2010, 07:05 PM.
    Phạm Minh Tuấn
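For readers who want to see what the SDM objects in the simlet look like on the router itself, the following IOS CLI configuration is an added example and not part of the original post or the author's configuration. The zone, interface, class-map, policy-map and zone-pair names are taken from the questions above; the ACL 105 entries are constructed samples, since the simlet does not show the contents of that ACL.

```cisco
! Added example: CLI equivalent of the zone-based firewall objects shown in SDM.
! Names come from the simlet questions; ACL 105 entries are constructed samples.

! Security zones and interface membership (Question 1)
zone security in-zone
zone security out-zone
interface FastEthernet0/0
 zone-member security in-zone
interface FastEthernet0/1
 zone-member security out-zone

! Class map listing the protocols to be stateful-inspected (Question 3)
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol sqlnet
 match protocol pop3
 match protocol ftp

! Invalid-source class map selected by ACL 105 (Question 6);
! these two ACL entries are constructed placeholders, not the simlet's ACL
access-list 105 permit ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip host 255.255.255.255 any
class-map type inspect match-all sdm-invalid-src
 match access-group 105

! Inspect policy: invalid sources are dropped and logged, the protocol
! class is inspected, and class-default drops everything else. class-default
! drop is the implicit default in a type inspect policy-map; it is written
! out here so the behaviour discussed in Questions 2 and 4 is visible.
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-insp-traffic
  inspect
 class class-default
  drop

! Zone pair from in-zone to out-zone carrying the inspect policy (Question 5)
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
```

The same information SDM displays under Additional Tasks and C3PL can be verified on the router with `show zone security`, `show zone-pair security` and `show policy-map type inspect zone-pair`.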