Network World
Sunday, September 7, 2008
Getting Better Acquainted with Modular Policy

I want to start by thanking all of you that took the time to fill out the poll.  It looks as though it’s a pretty close 60/40 thing, but the majority (60%) say that the CCSP is in fact worth it.  With that said, I wanted to talk about the Modular Policy Framework over the next few days.  It’s so important in the SNPA exam that it has its own section of exam topics.  It’s also something that you would use even if you are not planning on taking the SNPA test, so I think there are a lot of places we can go here with this.

If you are not sure what I’m talking about, here is the list of exam topics from here. 

There are, as I mentioned, a ton of topics here, so let’s start with the basics:

What is the modular policy framework?

The Modular Policy Framework is similar to an IOS configuration capability known as the Modular QoS CLI.  The Modular Policy Framework (MPF) makes applying policy far more flexible than simply using access-lists on interfaces.  With the MPF you can apply multiple actions to traffic flows, for example allowing BGP authentication (TCP option 19) while also disabling the random sequence numbering (which could otherwise break BGP authentication).

While that’s just a quick example please understand that there are far more capabilities to the MPF.

How do I configure the MPF?

Configuring the MPF takes practice.  Start by learning the building blocks.  You will almost always have the following:

Class-map

The class-map is used to match traffic.  It’s really a container that holds some other matching option, for example an access-list.  Here is a class-map that will match all TCP traffic:

class-map ALLTCP
 match access-list 101

access-list 101 permit tcp any any

Policy-map

The policy-map is where you apply a policy action to the class of traffic that you matched in the class-map.  Here is a policy-map that matches all TCP traffic and then changes the default behavior of the ASA by turning off the random-sequence-number feature:

policy-map NO_RANDOM
 class ALLTCP
  set connection random-sequence-number disable

Service-policy

Now to tie it all together you will need the service-policy command.  This command applies the policy we just created either to an interface or globally.  Note, however, that a global policy already exists by default, so if we change that one, some behavior we expect may change.  We will apply ours to the interface as seen here:

service-policy NO_RANDOM interface inside
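
A check worth running once the three pieces are in place, as an added example that is not from this post or from Cisco: a small Python linter that parses the class-map / policy-map / service-policy chain in running-config layout, reports dangling references, and flags a policy that turns off sequence-number randomization for every TCP flow rather than only the BGP peers the post has in mind.  The sample configuration is constructed, and BGP_PEERS and BGP_ACL are hypothetical names.

```python
import re
from collections import defaultdict
# Constructed sample (running-config layout): the post's ALLTCP / NO_RANDOM example plus a hypothetical class-map whose access-list was never defined.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any
class-map ALLTCP
 match access-list 101
class-map BGP_PEERS
 match access-list BGP_ACL
policy-map NO_RANDOM
 class ALLTCP
  set connection random-sequence-number disable
service-policy NO_RANDOM interface inside
"""
def parse_mpf(config):
    """Collect access-lists, class-maps, policy-maps and service-policies."""
    acls, cmaps, pmaps, spol = defaultdict(list), {}, {}, []
    kind = name = pclass = None   # the block that indented lines belong to
    for s in (line.strip() for line in config.splitlines()):
        if m := re.match(r"access-list (\S+) (.+)", s):
            acls[m[1]].append(m[2])
        elif m := re.match(r"(class-map|policy-map) (\S+)", s):
            kind, name, pclass = m[1], m[2], None
            (cmaps if kind == "class-map" else pmaps).setdefault(name, {})
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", s):
            spol.append((m[1], m[2]))
        elif kind == "class-map" and (m := re.match(r"match access-list (\S+)", s)):
            cmaps[name]["acl"] = m[1]                  # class-map -> access-list
        elif kind == "policy-map" and (m := re.match(r"class (\S+)", s)):
            pclass = m[1]
            pmaps[name].setdefault(pclass, [])         # policy-map -> class-map
        elif kind == "policy-map" and pclass:
            pmaps[name][pclass].append(s)              # action applied to that class
    return acls, cmaps, pmaps, spol
def lint_mpf(config):
    """Flag dangling references and classes that disable ISN randomization for all TCP."""
    acls, cmaps, pmaps, spol = parse_mpf(config)
    out = []
    for cname, cm in cmaps.items():
        if cm.get("acl") and cm["acl"] not in acls:
            out.append(f"class-map {cname} matches missing access-list {cm['acl']}")
    for pname, classes in pmaps.items():
        for cname, actions in classes.items():
            if cname not in cmaps and cname != "class-default":
                out.append(f"policy-map {pname} uses missing class-map {cname}")
            elif any(e.endswith("permit tcp any any") for e in acls.get(cmaps.get(cname, {}).get("acl"), [])) \
                    and any("random-sequence-number disable" in a for a in actions):
                out.append(f"policy-map {pname}: class {cname} turns off TCP ISN randomization for all TCP")
    out += [f"service-policy {scope} references missing policy-map {p}" for p, scope in spol if p not in pmaps]
    return out
```

Narrowing the ALLTCP class-map to the BGP port (for example `match port tcp eq 179`) makes the randomization finding go away while the dangling-reference checks still run.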

Well that’s a start.  Now from here where do we go?  If you have any questions that relate to the MPF please post them and we can work on another post to address them.  Otherwise in the next post I will talk about adding application layer functionality into the MPF with class-map types and policy map types.  I look forward to hearing what you have to say.
