Network World
Sunday, July 20, 2008

Author Expert: Brandon Carroll

Cisco Subnet

Getting better Acquainted with Modular Policy

I want to start by thanking all of you that took the time to fill out the poll. It looks as though it’s a pretty close 60/40 thing, but the majority (60%) say that the CCSP is in fact worth it. With that said, I wanted to talk about the Modular Policy Framework over the next few days. It’s so important in the SNPA exam that it has its own section of exam topics. It’s also something that you would use even if you are not planning on taking the SNPA test, so I think there are a lot of places we can go with this.

If you are not sure what I’m talking about, here is the list of exam topics from here. 

There are, as I mentioned, a ton of topics here, so let’s start with the basics:

What is the modular policy framework?

The Modular Policy Framework is similar to an IOS configuration capability known as the Modular QoS CLI. The Modular Policy Framework (MPF) makes applying policy far more flexible than simply using access-lists on interfaces. With the MPF you can apply multiple actions to a traffic flow, for example allowing BGP authentication (TCP option 19) while also disabling random sequence numbering (which could otherwise break BGP authentication).

While that’s just a quick example, please understand that the MPF has far more capabilities.

How do I configure the MPF?

Configuring the MPF takes practice. Start by learning the building blocks. You will almost always have the following:

Class-map

The Class-map is used to match traffic. It’s really a container that holds some other option for matching, for example an access-list. Here is a class-map that will match all TCP traffic, together with the access-list it references:

class-map ALLTCP
 match access-list 101

access-list 101 permit tcp any any

Policy-map

The Policy-map is where you apply a policy action to the class of traffic that you are matching in the class-map. Here is a policy-map that matches all TCP traffic and then disables the default behavior of the ASA by turning off the random-sequence-number feature:

policy-map NO_RANDOM
 class ALLTCP
  set connection random-sequence-number disable

Service-policy

Now to tie it all together you will need to use the service-policy command. This command applies the policy we just created either to an interface or at the global level. Be aware that a global policy already exists by default, so if you change that global policy, behavior you are used to may change with it. We will apply this policy to the inside interface, as seen here:

service-policy NO_RANDOM interface inside
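The three blocks above are small, but a typo in a class or policy name (the kind of slip the comments below catch) silently leaves the policy doing nothing. As an added example, not code from the article or from Cisco, here is a Python linter that parses class-map, policy-map and service-policy blocks out of ASA-style configuration text and reports dangling references, unapplied policies, duplicate service-policy scopes, and (as this script's own judgement, not a rule from the page) a "review" item when TCP sequence-number randomization is disabled for every TCP flow rather than just the BGP peers that need it. The sample configuration inside the script is constructed to mirror the article's blocks; the parser keys off keywords, so indentation is optional.

```python
"""Lint the MPF building blocks (class-map, policy-map, service-policy) in
ASA-style configuration text.  Added example, not from the article."""

# Constructed sample config (not from a real device), shaped like the article's
# three blocks.  Indentation is optional; the parser keys off the keywords.
SAMPLE_CONFIG = """\
class-map ALLTCP
 match access-list 101
!
access-list 101 permit tcp any any
!
policy-map NO_RANDOM
 class ALLTCP
  set connection random-sequence-number disable
!
service-policy NO_RANDOM interface inside
"""

def parse_mpf(config_text):
    """Return dicts of ACLs, class-maps, policy-maps and the list of service-policies."""
    acls, class_maps, policy_maps, service_policies = {}, {}, {}, []
    mode = cur_name = cur_class = None      # which block is currently being filled
    for raw in config_text.splitlines():
        line = " ".join(raw.split())        # normalise whitespace, drop indentation
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        kw = tok[0]
        if kw == "access-list" and len(tok) > 1:        # ACL entries keyed by name/number
            acls.setdefault(tok[1], []).append(line)
            mode = None
        elif kw == "class-map" and len(tok) > 1:        # the name is the last token
            mode, cur_name = "class-map", tok[-1]
            class_maps.setdefault(cur_name, [])
        elif kw == "policy-map" and len(tok) > 1:
            mode, cur_name, cur_class = "policy-map", tok[-1], None
            policy_maps.setdefault(cur_name, {})
        elif kw == "service-policy" and len(tok) >= 3:  # scope: "global" or "interface X"
            service_policies.append((tok[1], " ".join(tok[2:])))
            mode = None
        elif mode == "class-map":                       # e.g. "match access-list 101"
            class_maps[cur_name].append(line)
        elif mode == "policy-map":
            if kw == "class" and len(tok) == 2:         # select a class inside the policy
                cur_class = tok[1]
                policy_maps[cur_name].setdefault(cur_class, [])
            elif cur_class is not None:                 # an action for the selected class
                policy_maps[cur_name][cur_class].append(line)
        # any other global command is ignored
    return {"acls": acls, "class_maps": class_maps,
            "policy_maps": policy_maps, "service_policies": service_policies}

def class_matches_all_tcp(cname, class_maps, acls):
    """True when the class matches through an ACL that contains 'permit tcp any any'."""
    for m in class_maps.get(cname, []):
        tok = m.split()
        if tok[:2] == ["match", "access-list"] and len(tok) == 3:
            if any("permit tcp any any" in ace for ace in acls.get(tok[2], [])):
                return True
    return False

def check_mpf(parsed):
    """Return a list of (severity, message) findings; an empty list means clean."""
    acls, cmaps = parsed["acls"], parsed["class_maps"]
    pmaps, sps = parsed["policy_maps"], parsed["service_policies"]
    findings = []
    for cname, matches in cmaps.items():
        if not matches:
            findings.append(("error", f"class-map {cname} has no match statement"))
        for m in matches:
            tok = m.split()
            if tok[:2] == ["match", "access-list"] and len(tok) == 3 and tok[2] not in acls:
                findings.append(("error", f"class-map {cname} references undefined access-list {tok[2]}"))
    for pname, classes in pmaps.items():
        if not any(p == pname for p, _ in sps):
            findings.append(("warning", f"policy-map {pname} is never applied with service-policy"))
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in cmaps:   # class-default is implicit
                findings.append(("error", f"policy-map {pname} references undefined class-map {cname}"))
            if not actions:
                findings.append(("warning", f"policy-map {pname} class {cname} has no actions"))
            # Review item (this linter's own judgement): switching ISN randomization
            # off for every TCP flow is broader than the BGP use case needs.
            if ("set connection random-sequence-number disable" in actions
                    and class_matches_all_tcp(cname, cmaps, acls)):
                findings.append(("review", f"policy-map {pname} disables TCP sequence-number "
                                 f"randomization for all TCP matched by {cname}; scope it to the BGP peers"))
    seen = set()
    for pname, scope in sps:
        if pname not in pmaps:
            findings.append(("error", f"service-policy references undefined policy-map {pname}"))
        if scope in seen:   # the ASA allows one global policy and one policy per interface
            findings.append(("error", f"more than one service-policy at scope '{scope}'"))
        seen.add(scope)
    return findings

if __name__ == "__main__":
    for sev, msg in check_mpf(parse_mpf(SAMPLE_CONFIG)) or [("ok", "no findings")]:
        print(f"{sev}: {msg}")
```

Run it against the sample and the only finding is the "review" item about the all-TCP scope; misspell the class name under the policy-map and the linter reports the undefined class-map instead, which is exactly the failure that would otherwise go unnoticed until BGP sessions start resetting.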

 

Well, that’s a start. Now where do we go from here? If you have any questions that relate to the MPF, please post them and we can work on another post to address them. Otherwise, in the next post I will talk about adding application-layer functionality to the MPF with class-map types and policy-map types. I look forward to hearing what you have to say.

Isn't it this

Isn't it this instead?

service-policy NO_RANDOM interface inside

Yep!

It sure is. That’s what I get for rushing through a post. Corrected and appreciated. Funny thing how much of a difference attention to detail makes!

BC:) 


About Brandon Carroll

Brandon Carroll, a certified Cisco Systems Instructor for over 7 years, splits time between writing for Cisco Press and teaching classes for Ascolta. In the networking industry for nearly 11 years, he has worked in the areas of routing and switching as well as network security.

His publications include the areas of AAA, and CCSP certification. His most current title is CCSP SNPA Quick Reference (Digital Short Cut) (read a sneak peek from the book here).
