I want to start by thanking all of you that took the time to fill out the poll. It looks as though it’s a pretty close 60/40 thing, but the majority (60%) say that the CCSP is in fact worth it. With that said, I wanted to talk about the Modular Policy Framework over the next few days. It’s so important in the SNPA exam that it has its own section of exam topics. It’s also something that you would use even if you are not planning on taking the SNPA test, so I think there are a lot of places we can go here with this.
If you are not sure what I’m talking about, here is the list of exam topics from here.
There are, as I mentioned, a ton of topics here so let’s start with the basics:
What is the modular policy framework?
The Modular Policy Framework is similar to an IOS configuration capability known as the Modular QoS CLI. The Modular Policy Framework (MPF) makes applying policy far more flexible than simply using access-lists on interfaces. With the MPF you can apply multiple actions to a single traffic flow, for example allowing BGP authentication (TCP option 19) through the firewall while also disabling the random sequence numbering on that flow (which would otherwise break BGP authentication).
While that’s just a quick example please understand that there are far more capabilities to the MPF.
How do I configure the MPF?
Configuring the MPF takes practice. Start by learning the building blocks. You will almost always have the following three:
Class-map
The Class-map is used to match traffic. It’s really a container that holds some other matching option, for example an access-list. Here is a class-map that will match all TCP traffic:
access-list 101 permit tcp any any
class-map ALLTCP
 match access-list 101
Policy-map
The Policy-map is where you apply a policy action to the class of traffic that you matched in the class-map. Here is a policy-map that matches all TCP traffic and then changes the default behavior of the ASA by turning off the random-sequence-number feature for that traffic:
policy-map NO_RANDOM
 class ALLTCP
  set connection random-sequence-number disable
Service-policy
Now to tie it all together you will need the service-policy command. This command applies the policy we just created either to a single interface or globally. Keep in mind that there is already a global policy applied by default, so if we modify that global policy some behavior we expect (the default inspections, for example) may change. Here we will apply our policy to the inside interface instead:
service-policy NO_RANDOM interface inside
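As an added example (not the author’s configuration), here is the BGP case mentioned at the start carried through all three building blocks. Instead of matching all TCP, it matches only the BGP session between two peers so that the weakened TCP normalization applies to nothing else; the peer addresses 192.0.2.1 and 192.0.2.2 and the names BGP_PEERS, BGP_OPTIONS and BGP_CLASS are placeholders I chose.

```cisco
! Building block 0: narrow the match to the one BGP session (placeholder peers)
access-list BGP_PEERS extended permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
access-list BGP_PEERS extended permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
!
! A tcp-map lets the TCP normalizer pass option 19 (TCP MD5) instead of clearing it
tcp-map BGP_OPTIONS
 tcp-options range 19 19 allow
!
! Building block 1: class-map, matching only the BGP flow above
class-map BGP_CLASS
 match access-list BGP_PEERS
!
! Building block 2: policy-map, two actions on the same class
policy-map NO_RANDOM
 class BGP_CLASS
  set connection random-sequence-number disable
  set connection advanced-options BGP_OPTIONS
!
! Building block 3: service-policy, applied on the inside interface (one policy per interface)
service-policy NO_RANDOM interface inside
```

Because both actions are scoped to BGP_CLASS, every other TCP flow on the inside interface keeps sequence-number randomization and normal option clearing; `show service-policy interface inside` lists the class so you can confirm the policy attached and see its counters increment once the session comes up.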
Well that’s a start. Now from here where do we go? If you have any questions that relate to the MPF please post them and we can work on another post to address them. Otherwise in the next post I will talk about adding application layer functionality into the MPF with class-map types and policy map types. I look forward to hearing what you have to say.
Brandon Carroll, CCIE # 23837, is a certified Cisco Systems Instructor working for Ascolta Training, based out of the Bellevue, WA Training Center. He is published by Cisco Press/Pearson Education in the area of network security and wireless.
His most recent book is CCNA Wireless Official Exam Certification Guide and we have 15 copies to give away. Go here for entry details and go here for a sneak peek of a chapter.
This blog is part of the Cisco Subnet blogging community.
Isn't it this
Isn't it this instead?
service-policy NO_RANDOM interface inside
Yep!
It sure is. That’s what I get for rushing through a post. Corrected and appreciated. Funny thing how much of a difference attention to detail makes!
BC:)
Modular Policy Framework: Examples and Practical Uses
I was wondering if anyone has made practical uses of the ASA's Modular Framework Policy, especially in creating customized inspection engines via creating inspection-policy maps and matching regex expressions in the inspection-policy. How does a firewall administrator know what inspection-policy map to create and implement to keep up with the latest security threats? What resources or forums can a firewall administrator go to to find security threats that can be thwarted by creating inspection-policy maps? I see this as a very powerful tool, but where does one begin?
About the only thing that I can see that I can use immediately is applying the ICMP inspection to the default traffic class map.