Access Control Lists filter traffic on Layer 3 and Layer 4 information (addresses, protocols and ports). The Modular Policy Framework (MPF) builds on that with flow-based policies: Deep Packet Inspection (DPI) of application protocols, prioritizing certain traffic flows, limiting the bandwidth of certain applications, and so on, using Layer 5-7 inspection where the action needs it.
Here is the basic structure of a service policy: the three commands it is built from and how they link together.
Class-maps – The which?
Here you define which traffic is to be matched, for example with match default-inspection-traffic, match access-list, match port or match any.
ciscoasa# show run class-map inspection_default
!
class-map inspection_default
 match default-inspection-traffic
Policy-maps – The what?
This is where you define what action is taken on traffic that matches a given class-map: inspect, police, priority, connection limits and so on.
ciscoasa# show run policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
Service-policy – The where?
The service-policy is to MPF what access-group is to an ACL: it specifies where the policy-map is applied, either globally (all interfaces) or on a particular interface.
ciscoasa# show run service-policy
!
service-policy global_policy global
By default, the ASA has a service policy applied to all interfaces, known as global_policy. It applies the inspections listed in the policy-map to the traffic selected by the default inspection class-map. The commands shown above are the default configuration of global_policy.
You can apply only one policy-map per interface, in addition to the global_policy that is already present. Where an interface policy and the global policy both configure the same feature for the same traffic, the interface policy takes precedence.
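To make the which/what/where chain concrete, here is an added example (not from the original post) that walks a constructed ASA running-config excerpt and resolves class-map to policy-map to service-policy, flagging a class referenced by a policy-map that was never defined and an interface carrying more than one service-policy. The class-map and policy-map names other than the ASA defaults (WEB_ACL, WEB_TRAFFIC, outside_policy, rate_policy, VOICE) are hypothetical and the config text is constructed for the example.

```python
"""Walk the MPF chain (class-map -> policy-map -> service-policy) of an ASA config.

Added example, not from the original post. Checks the linkage the post describes:
each 'class' in a policy-map must exist as a class-map, each policy-map named by a
service-policy must exist, and a target (global or an interface) gets one policy.
"""
from collections import defaultdict

# Constructed sample config. WEB_ACL, WEB_TRAFFIC, outside_policy, rate_policy and
# VOICE are hypothetical names; inspection_default/global_policy are the ASA defaults.
SAMPLE_CONFIG = """\
access-list WEB_ACL extended permit tcp any any eq www
!
class-map inspection_default
 match default-inspection-traffic
class-map WEB_TRAFFIC
 match access-list WEB_ACL
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map outside_policy
 class WEB_TRAFFIC
  inspect http
  police output 1000000 8000
 class VOICE
  priority
policy-map rate_policy
 class WEB_TRAFFIC
  police input 500000 4000
!
service-policy global_policy global
service-policy outside_policy interface outside
service-policy rate_policy interface outside
"""


def parse_mpf(config):
    """Return (class_maps, policy_maps, service_policies) from config text.

    class_maps: name -> match lines (the which); policy_maps: name -> {class ->
    action lines} (the what); service_policies: [(policy-map, target)] (the where).
    Layer 7 maps ('class-map type ...' / 'policy-map type ...') are skipped here.
    """
    class_maps, policy_maps, service_policies = {}, {}, []
    cur_cm = cur_pm = cur_cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith('!'):
            continue
        tok = line.split()
        if not line[0].isspace():  # top-level command closes any open block
            cur_cm = cur_pm = cur_cls = None
            if tok[0] == 'class-map' and tok[1] != 'type':
                cur_cm = tok[1]
                class_maps[cur_cm] = []
            elif tok[0] == 'policy-map' and tok[1] != 'type':
                cur_pm = tok[1]
                policy_maps[cur_pm] = {}
            elif tok[0] == 'service-policy':
                # 'service-policy NAME global' or 'service-policy NAME interface IF'
                target = 'global' if tok[2] == 'global' else tok[3]
                service_policies.append((tok[1], target))
        elif cur_cm is not None:
            class_maps[cur_cm].append(line.strip())
        elif cur_pm is not None:
            if tok[0] == 'class':
                cur_cls = tok[1]
                policy_maps[cur_pm][cur_cls] = []
            elif cur_cls is not None:
                policy_maps[cur_pm][cur_cls].append(line.strip())
    return class_maps, policy_maps, service_policies


def audit_mpf(config):
    """Return a list of linkage problems in the config (empty when it is clean)."""
    class_maps, policy_maps, service_policies = parse_mpf(config)
    findings = []
    for pm, classes in policy_maps.items():
        for cls in classes:
            if cls != 'class-default' and cls not in class_maps:
                findings.append(f'policy-map {pm} uses undefined class-map {cls}')
    by_target = defaultdict(list)
    for pm, target in service_policies:
        if pm not in policy_maps:
            findings.append(f'service-policy names undefined policy-map {pm}')
        by_target[target].append(pm)
    for target, pms in by_target.items():
        if len(pms) > 1:
            findings.append(f'{target} has {len(pms)} service-policies ({", ".join(pms)}); '
                            'the ASA allows one per interface plus one global')
    return findings


def resolve_chain(config):
    """Map each target to {policy-map: {class: {'match': [...], 'actions': [...]}}}."""
    class_maps, policy_maps, service_policies = parse_mpf(config)
    chain = {}
    for pm, target in service_policies:
        for cls, actions in policy_maps.get(pm, {}).items():
            chain.setdefault(target, {}).setdefault(pm, {})[cls] = {
                'match': class_maps.get(cls, []), 'actions': actions}
    return chain


if __name__ == '__main__':
    for finding in audit_mpf(SAMPLE_CONFIG):
        print('FINDING:', finding)
```

Run it against the output of show running-config before pushing a change: the second service-policy on outside would be rejected by the ASA itself, but the undefined class-map only shows up as a policy that silently matches nothing, which is the more dangerous failure mode.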
This should cover the basics of MPF. Soon I'll be posting a lab on this one where we'll be digging deeper into MPF and its configuration.