
Network World

Brandon Carroll

Getting Better Acquainted with Modular Policy

By brandon on Fri, 04/04/08 - 11:27am.

I want to start by thanking all of you who took the time to fill out the poll. It looks as though it's a pretty close 60/40 split, but the majority (60%) say that the CCSP is in fact worth it. With that said, I wanted to talk about the Modular Policy Framework over the next few days. It's so important in the SNPA exam that it has its own section of exam topics. It's also something you would use even if you are not planning on taking the SNPA test, so I think there are a lot of places we can go with this.

If you are not sure what I'm talking about, here is the list of exam topics from here.

There are, as I mentioned, a ton of topics here, so let's start with the basics:

What is the Modular Policy Framework?

The Modular Policy Framework is similar to an IOS configuration capability known as the Modular QoS CLI. The Modular Policy Framework (MPF) makes applying policy far more flexible than simply using access-lists on interfaces. With the MPF you can apply multiple actions to a traffic flow, for example allowing BGP authentication (TCP option 19) while also disabling random sequence numbering (which could otherwise break BGP authentication).

While that's just a quick example, please understand that the MPF has far more capabilities than this.

How do I configure the MPF?

Configuring the MPF takes practice. Start by learning the building blocks. You will almost always have the following:

Class-map

The class-map is used to match traffic. It's really a container holding some other matching option, for example an access-list. Here is a class-map that will match all TCP traffic (define the access-list first, since the class-map refers to it):

access-list 101 permit tcp any any

class-map ALLTCP
 match access-list 101

Policy-map

The policy-map is where you apply a policy action to the class of traffic you matched in the class-map. Here is a policy-map that matches all TCP traffic and then changes the default behavior of the ASA by turning off the random-sequence-number feature:

policy-map NO_RANDOM
 class ALLTCP
  set connection random-sequence-number disable

Service-policy

Now, to tie it all together, you will need the service-policy command. This command applies the policy we just created either to an interface or at the global level. There is, however, a global policy applied by default, so if we change that one, some behavior we expect may change. We will apply ours to the inside interface, as seen here:

service-policy NO_RANDOM interface inside
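As an added example (my own, not from the post), here is a small Python audit script that walks the three building blocks above (class-map, policy-map, service-policy) and reports every place where sequence-number randomization is disabled, flagging it as broad when the matching access-list is any-to-any. The configuration it reads is constructed: the post's ALLTCP policy on inside next to a hypothetical BGP_PEERS/BGP_ONLY policy on outside, so you can see the scoped and the broad case side by side.

```python
from collections import defaultdict
# Constructed sample ASA config (not from the post): the post's broad ALLTCP
# policy on "inside" beside a hypothetical BGP-only policy on "outside".
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any
access-list BGP_PEERS permit tcp host 10.0.0.1 host 10.0.0.2 eq 179
class-map ALLTCP
 match access-list 101
class-map BGP_ONLY
 match access-list BGP_PEERS
policy-map NO_RANDOM
 class ALLTCP
  set connection random-sequence-number disable
policy-map BGP_NO_RANDOM
 class BGP_ONLY
  set connection random-sequence-number disable
service-policy NO_RANDOM interface inside
service-policy BGP_NO_RANDOM interface outside
"""

def parse_mpf(text):
    """Return (acl->entries, class->acl, policy->class->actions, target->policy)."""
    acls, classes, policies, bindings = defaultdict(list), {}, defaultdict(dict), {}
    kind = cur = cur_actions = None
    for line in filter(str.strip, text.splitlines()):
        words = line.split()
        if not line[0].isspace():                  # unindented line starts a new block
            kind, cur_actions = words[0], None
            if kind == "access-list":
                acls[words[1]].append(" ".join(words[2:]))
            elif kind in ("class-map", "policy-map"):
                cur = words[1]
            elif kind == "service-policy":         # "... interface X" or "... global"
                bindings[words[3] if words[2] == "interface" else "global"] = words[1]
        elif kind == "class-map" and words[:2] == ["match", "access-list"]:
            classes[cur] = words[2]
        elif kind == "policy-map" and words[0] == "class":
            cur_actions = policies[cur].setdefault(words[1], [])
        elif cur_actions is not None:              # action line under that class
            cur_actions.append(" ".join(words))
    return acls, classes, policies, bindings

def audit_seq_randomization(text):
    """List (target, policy, class, acl, broad) where randomization is disabled;
    broad means the class's ACL has an any-to-any entry with no port qualifier."""
    acls, classes, policies, bindings = parse_mpf(text)
    return [(target, pmap, cname, classes.get(cname),
             any(e.split()[-2:] == ["any", "any"] for e in acls.get(classes.get(cname), [])))
            for target, pmap in bindings.items()
            for cname, actions in policies.get(pmap, {}).items()
            if "set connection random-sequence-number disable" in actions]
```

On the constructed input it reports NO_RANDOM on inside as broad (ACL 101 is any-to-any) and BGP_NO_RANDOM on outside as scoped to the two peers on port 179.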

 

Well, that's a start. Now, where do we go from here? If you have any questions that relate to the MPF, please post them and we can work on another post to address them. Otherwise, in the next post I will talk about adding application-layer functionality into the MPF with class-map types and policy-map types. I look forward to hearing what you have to say.

About Cisco Unwired

Brandon Carroll, CCIE # 23837, is a certified Cisco Systems Instructor working for Ascolta Training, based out of the Irvine, Ca. Training Center. He is published by Cisco Press/Pearson Education in the area of network security and wireless.

Brandon maintains a personal blog at GlobalConfig.net as well as a company blog at Ascolta

His most recent book is the CCNA Wireless Official Exam Certification Guide, however a new AAA Identity Management book is soon to be published, available now as a http://www.ciscopress.com/bookstore/product.asp?isbn=1587141558.

This blog is part of the Cisco Subnet blogging community.