CCNP Security Firewall Cert Guide: Configuring ASA Interfaces
- Oct 24, 2012
- "Do I Know This Already?" Quiz
- Foundation Topics
- Configuring Physical Interfaces
- Configuring VLAN Interfaces
- Configuring Interface Security Parameters
- Configuring the Interface MTU
- Verifying Interface Operation
- Exam Preparation Tasks
- Review All Key Topics
- Define Key Terms
- Command Reference to Check Your Memory
This chapter covers the following topics:
- Configuring Physical Interfaces: This section discusses Cisco ASA interfaces that can be connected to a network through physical cabling, as well as the parameters that determine how the interfaces will operate.
- Configuring VLAN Interfaces: This section covers logical interfaces that can be used to connect an ASA to VLANs over a trunk link.
- Configuring Interface Security Parameters: This section explains the parameters you can set to assign a name, an IP address, and a security level to an ASA interface.
- Configuring the Interface MTU: This section discusses the maximum transmission unit size and how it can be adjusted to set the largest possible Ethernet frame that can be transmitted on an Ethernet-based ASA interface.
- Verifying Interface Operation: This section covers the commands you can use to display information about ASA interfaces and confirm whether they are operating as expected.
A Cisco Adaptive Security Appliance (ASA) must be configured with enough information to begin accepting and forwarding traffic before it can begin doing its job of securing networks. Each of its interfaces must be configured to interoperate with other network equipment and to participate in the IP protocol suite. This chapter discusses each of these topics in detail.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”
Table 3-1. “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section
Configuring Physical Interfaces
Configuring VLAN Interfaces
Configuring Interface Security Parameters
Configuring the Interface MTU
Verifying Interface Operation
Which of the following answers describe an attribute of a redundant interface? (Choose all that apply.)
- A redundant interface load balances traffic across member interfaces.
- A redundant interface is made up of two or more physical interfaces.
- An ASA can have up to eight redundant interface pairs.
- Each member interface of a redundant interface cannot have its own security level.
- IP addresses must be applied to the member physical interfaces of a redundant interface.
- The member interfaces swap the active role when one of them fails.
What must happen for a member interface to take over the active role as part of a redundant interface?
- Three hello messages must be missed.
- The link status of the current active interface goes down.
- A member interface, which was previously active before it went down, regains its link status.
- Its member priority is higher than other member interfaces.
- A timer must expire.
Which ASA command can be used to display a list of all physical interfaces?
- show interfaces physical
- show interface list
- show hardware
- show version
- show ports
Suppose you want to double the bandwidth between an ASA’s outside interface and a neighboring switch. A single GigabitEthernet link exists today; a second link would also add redundancy. Which one of the following describes the best approach to meet the requirements?
- Bring up a second GigabitEthernet interface on the same VLAN as the first one.
- Configure the two interfaces as a redundant interface.
- Configure the two interfaces as an EtherChannel.
- Dual links are not possible on an ASA.
You have been assigned the task of configuring a VLAN interface on an ASA 5510. The interface will use VLAN 50. Which one of the following sets of commands should be entered first to accomplish the task?
- interface vlan 50
  no shutdown
- interface ethernet0/0
  no shutdown
- interface ethernet0/0.5
  vlan 50
  no shutdown
- interface ethernet0/0.50
  no shutdown
Which of the following are correct attributes of an ASA interface that is configured to support VLAN interfaces? (Choose all that apply.)
- The physical interface operates as an ISL trunk.
- The physical interface operates as an 802.1Q trunk.
- The subinterface numbers of the physical interface must match the VLAN number.
- All packets sent from a subinterface are tagged for the trunk link.
- An ASA can negotiate a trunk link with a connected switch.
Which one of the following answers contains the commands that should be entered on an ASA 5505 to create an interface for VLAN 6?
- interface vlan 6
- vlan 6
- interface ethernet0/0.6
- interface ethernet0/0.6
Which of the following represent security attributes that must be assigned to an active ASA interface when the ASA is in routed firewall mode? (Choose three answers.)
- IP address
- Access list
- Interface name
- Security level
- Interface priority
- MAC address
Which one of the following interfaces should normally be assigned a security level value of 100?
- None of these answers are correct.
An ASA has two active interfaces, one with security level 0 and one with security level 100. Which one of the following statements is true?
- Traffic is permitted to be initiated from security level 0 toward security level 100.
- Traffic is permitted to be initiated from security level 100 toward security level 0.
- Traffic is not permitted in either direction.
- The interfaces must have the same security level by default before traffic can flow.
Suppose you are asked to adjust the MTU on the “inside” ASA interface Ethernet0/1 to 1460 bytes. Which one of the following answers contains the correct command(s) to enter?
- ciscoasa(config)# mtu 1460
- ciscoasa(config)# mtu inside 1460
- ciscoasa(config)# interface ethernet0/1
  ciscoasa(config-if)# mtu 1460
- None of these answers are correct; the MTU must be greater than 1500.
From the following output, which of the following statements are true about ASA interface Ethernet0/2? (Choose all that apply.)
```
ciscoasa# show nameif
Interface                Name                     Security
Ethernet0/0              outside                    0
Ethernet0/1              inside                   100
Management0/0            management               100
ciscoasa#
ciscoasa# show interface ethernet0/2
Interface Ethernet0/2 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 001a.a22d.1dde, MTU not set
        IP address 10.1.1.1, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/255)
        output queue (blocks free curr/low): hardware (255/255)
ciscoasa#
```
- The interface is configured and is live on the network.
- The interface is not ready to use; the no shutdown command has not been issued.
- The interface is not ready to use; it doesn’t have an IP address configured.
- The interface is not ready to use; it doesn’t have a MAC address configured.
- The interface is not ready to use; it doesn’t have a security level configured.
- The interface is not ready to use; it doesn’t have an interface name configured.
Answer E might also be true, but you cannot confirm that a security level has been configured from the command output given. Because an interface name has not been configured with the nameif command, neither the interface name nor the security level is shown in the output.
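The reasoning behind the last question (an interface is usable only once it has a name and security level from nameif, has been brought up with no shutdown, and has an IP address, and the security level can be read from show nameif but not from show interface) can be turned into a small checker. The following Python script is an added example and is not code from the book or from Cisco: it parses the show nameif table and a show interface block as the ASA prints them and lists the configuration gaps. The Ethernet0/2 sample reuses the values from the question above; the Ethernet0/1 "inside" sample is constructed as a contrasting ready interface.

```python
"""Readiness check for Cisco ASA interfaces, driven by the text of
'show nameif' and 'show interface' output (added example, not from the book)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the 'show nameif' table from quiz question 11.
SAMPLE_SHOW_NAMEIF = """\
Interface                Name                     Security
Ethernet0/0              outside                    0
Ethernet0/1              inside                   100
Management0/0            management               100
"""

# Constructed sample: the first lines of the Ethernet0/2 output from question 11,
# re-wrapped onto the line breaks the ASA prints.
SAMPLE_ETH0_2 = """\
Interface Ethernet0/2 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        Available but not configured via nameif
        MAC address 001a.a22d.1dde, MTU not set
        IP address 10.1.1.1, subnet mask 255.255.255.0
"""

# Constructed contrast case: an interface with name, admin state and address all set.
SAMPLE_ETH0_1 = """\
Interface Ethernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        MAC address 001a.a22d.1ddd, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
"""

HEADER_RE = re.compile(
    r'^Interface (?P<ifname>\S+) "(?P<nameif>[^"]*)", is '
    r'(?P<admin>administratively down|up|down), line protocol is (?P<proto>up|down)',
    re.MULTILINE,
)
IP_RE = re.compile(r"^\s*IP address (?P<ip>\S+)", re.MULTILINE)
MTU_RE = re.compile(r"MTU (?P<mtu>\d+|not set)")


@dataclass
class InterfaceStatus:
    ifname: str
    nameif: str | None        # None when the ASA prints "" (no nameif configured)
    admin_up: bool            # False for "administratively down"
    line_protocol_up: bool
    ip_address: str | None    # None for "IP address unassigned"
    mtu: int | None           # None for "MTU not set"


def parse_show_nameif(text: str) -> dict[str, tuple[str, int]]:
    """Map physical interface -> (name, security level) from 'show nameif'.
    Interfaces without a nameif are simply absent from the table."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():   # skips the header row
            table[parts[0]] = (parts[1], int(parts[2]))
    return table


def parse_show_interface(text: str) -> InterfaceStatus:
    """Pull the readiness-relevant fields out of one 'show interface' block."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'Interface ... is ..., line protocol is ...' line found")
    ip_m = IP_RE.search(text)
    ip = ip_m.group("ip").rstrip(",") if ip_m else None
    if ip == "unassigned":
        ip = None
    mtu_m = MTU_RE.search(text)
    mtu = int(mtu_m.group("mtu")) if mtu_m and mtu_m.group("mtu").isdigit() else None
    return InterfaceStatus(
        ifname=m.group("ifname"),
        nameif=m.group("nameif") or None,
        admin_up=m.group("admin") != "administratively down",
        line_protocol_up=m.group("proto") == "up",
        ip_address=ip,
        mtu=mtu,
    )


def readiness_problems(status: InterfaceStatus, nameif_table: dict) -> list[str]:
    """List the configuration gaps that keep an interface from passing traffic.

    The security level is set by the nameif command and is only visible in
    'show nameif', so it is checked through that table rather than the
    'show interface' text. A line protocol that is down is a cabling or
    neighbour issue, not a configuration gap, so it is not reported here.
    """
    problems = []
    if status.nameif is None or status.ifname not in nameif_table:
        problems.append("no interface name or security level (nameif not configured)")
    if not status.admin_up:
        problems.append("administratively down (no shutdown not issued)")
    if status.ip_address is None:
        problems.append("no IP address configured")
    return problems


if __name__ == "__main__":
    names = parse_show_nameif(SAMPLE_SHOW_NAMEIF)
    for sample in (SAMPLE_ETH0_2, SAMPLE_ETH0_1):
        st = parse_show_interface(sample)
        print(st.ifname, readiness_problems(st, names) or "ready")
```

Run against the question's output, the checker reports that Ethernet0/2 has no nameif (and therefore no confirmable security level) and is administratively down, while the IP address 10.1.1.1 is present; the constructed Ethernet0/1 block produces no problems.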