Modular Policy Framework – The basics

While Access Control Lists (ACLs) filter traffic based on Layer 3 and Layer 4 information, the Modular Policy Framework (MPF) augments ACLs with additional functionality such as Deep Packet Inspection (DPI), prioritizing certain traffic flows, limiting bandwidth for certain applications, etc., by using Layer 5-7 policies.

Here’s the basic structure of a Service-policy and how it is created and linked with its underlying commands.

Class-maps – The which?

Here you define which traffic is to be matched.

ciscoasa# sho run class-map inspection_default
class-map inspection_default
 match default-inspection-traffic

Policy-maps – The what?

This is where you define what action is taken when traffic is matched against a specific class-map.

ciscoasa# show run policy-map global_policy
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp

Service-policy – The where?

Service-policy in MPF is what access-group is to ACL. It specifies where to apply the policy-map, i.e. globally (all interfaces) or on particular interfaces.

ciscoasa# show run service-policy
service-policy global_policy global

By default, there is a service-policy applied on all interfaces of the ASA known as the global_policy. This policy applies certain inspections (the policy-map) to the traffic that matches the default inspection traffic (the class-map). The commands shown above are the default configuration for the global_policy.

You can apply only one policy-map per interface apart from the already existing global_policy.
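The three layers above (service-policy for where, policy-map for what, class-map for which) only work when every reference resolves. The following Python script is an added example, not code from the original post: it parses a constructed ASA running-config fragment, expands each service-policy into its policy-map, classes, match criteria and actions, and flags dangling references, policy-maps that are never applied, and more than one policy-map on a single interface or on global scope. The parser assumes plain Layer 3/4 class-maps and policy-maps (no `type inspect` variants), and the sample config deliberately contains mistakes for the audit to find.

```python
"""Walk the Cisco ASA MPF chain (service-policy -> policy-map -> class-map)
in a running-config fragment and flag broken links.

Added illustration, not from the original post. SAMPLE_CONFIG is
constructed and contains intentional mistakes; the parser assumes
plain Layer 3/4 class-maps and policy-maps (no 'type inspect' forms)."""
from collections import defaultdict

SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map http_traffic
 match port tcp eq www
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map outside_policy
 class http_traffic
  inspect http
 class missing_class
  set connection conn-max 100
policy-map qos_policy
 class http_traffic
  police output 1000000 10000
policy-map unused_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
service-policy outside_policy interface outside
service-policy qos_policy interface outside
service-policy dmz_policy interface dmz
"""


def parse_mpf(config):
    """Return (class_maps, policy_maps, service_policies).

    class_maps:       {name: [match lines]}
    policy_maps:      {name: {class name: [action lines]}}
    service_policies: [(policy-map name, 'global' or interface name)]
    """
    class_maps, policy_maps, service_policies = {}, {}, []
    cur_class = cur_policy = cur_pclass = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        words = raw.split()
        if not raw.startswith(" "):                 # top-level statement
            cur_class = cur_policy = cur_pclass = None
            if words[0] == "class-map":
                cur_class = words[1]
                class_maps.setdefault(cur_class, [])
            elif words[0] == "policy-map":
                cur_policy = words[1]
                policy_maps.setdefault(cur_policy, {})
            elif words[0] == "service-policy":
                # 'service-policy NAME global' or 'service-policy NAME interface IF'
                scope = "global" if words[2] == "global" else words[3]
                service_policies.append((words[1], scope))
        elif cur_policy is not None:                # inside a policy-map
            if words[0] == "class":
                cur_pclass = words[1]
                policy_maps[cur_policy].setdefault(cur_pclass, [])
            elif cur_pclass is not None:
                policy_maps[cur_policy][cur_pclass].append(" ".join(words))
        elif cur_class is not None:                 # inside a class-map
            class_maps[cur_class].append(" ".join(words))
    return class_maps, policy_maps, service_policies


def resolve(config):
    """Expand where -> what -> which: {scope: {policy: {class: {match, actions}}}}."""
    class_maps, policy_maps, service_policies = parse_mpf(config)
    tree = defaultdict(dict)
    for pm, scope in service_policies:
        tree[scope][pm] = {
            cls: {"match": class_maps.get(cls, []), "actions": acts}
            for cls, acts in policy_maps.get(pm, {}).items()
        }
    return dict(tree)


def audit(config):
    """Findings: dangling references, unapplied policy-maps, and more than
    one policy-map applied to the same interface or to global scope."""
    class_maps, policy_maps, service_policies = parse_mpf(config)
    findings, applied, per_scope = [], set(), defaultdict(list)
    for pm, scope in service_policies:
        applied.add(pm)
        per_scope[scope].append(pm)
        if pm not in policy_maps:
            findings.append(f"service-policy on {scope} references undefined policy-map {pm}")
    for scope, pms in per_scope.items():
        if len(pms) > 1:
            findings.append(f"{scope}: more than one policy-map applied ({', '.join(pms)})")
    for pm, classes in policy_maps.items():
        if pm not in applied:
            findings.append(f"policy-map {pm} is never applied by a service-policy")
        for cls in classes:
            if cls != "class-default" and cls not in class_maps:
                findings.append(f"policy-map {pm} references undefined class-map {cls}")
    return findings


if __name__ == "__main__":
    for scope, pms in resolve(SAMPLE_CONFIG).items():
        for pm, classes in pms.items():
            print(f"{scope}: policy-map {pm}")
            for cls, detail in classes.items():
                print(f"  class {cls}: {'; '.join(detail['match']) or 'UNDEFINED'}")
                for act in detail["actions"]:
                    print(f"    {act}")
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running it against a saved `show run` output is a quick way to confirm that the one-policy-per-interface rule holds and that every class a policy-map names is actually defined, before the configuration is pushed to a device.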

This should cover the basics of MPF. Soon I’ll be posting a lab on this one where we’ll be digging deeper into MPF and its configuration.
