Task flows for configuring service policies, Task flow for using the modular policy framework – Cisco ASA 5505 User Manual


32-9

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 32 Configuring a Service Policy Using the Modular Policy Framework

Task Flows for Configuring Service Policies

policy, this class ensures that the correct inspection is applied to each packet, based on the destination
port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the
TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in
this case only, you can configure multiple inspections for the same class map. Normally, the ASA does
not use the port number to determine which inspection to apply, thus giving you the flexibility to apply
inspections to non-standard ports, for example.

class-map inspection_default

match default-inspection-traffic

Another class map that exists in the default configuration is called class-default, and it matches all
traffic. This class map appears at the end of all Layer 3/4 policy maps and essentially tells the ASA to
not perform any actions on all other traffic. You can use the class-default class if desired, rather than
making your own match any class map. In fact, some features are only available for class-default, such
as QoS traffic shaping.

class-map class-default

match any

Task Flows for Configuring Service Policies

This section includes the following topics:

Task Flow for Using the Modular Policy Framework, page 32-9

Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping, page 32-11

Task Flow for Using the Modular Policy Framework

To configure the Modular Policy Framework, perform the following steps:

Step 1

Identify the traffic—Identify the traffic on which you want to perform Modular Policy Framework
actions by creating Layer 3/4 class maps.

For example, you might want to perform actions on all traffic that passes through the ASA; or you might
only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address.

See the “Identifying Traffic (Layer 3/4 Class Maps)” section on page 32-12.

Step 2

Perform additional actions on some inspection traffic—If one of the actions you want to perform is
application inspection, and you want to perform additional actions on some inspection traffic, then create
an inspection policy map. The inspection policy map identifies the traffic and specifies what to do with it.

For example, you might want to drop all HTTP requests with a body length greater than 1000 bytes.
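The task flow above, carried through end to end as an added example that is not part of the Cisco guide. It reuses the inspection_default class from the previous section to show several inspections attached to the one class that matches on destination port, builds a Layer 3/4 class map for traffic from 10.1.1.0/24 to any destination, creates an inspection policy map that drops HTTP requests with a body longer than 1000 bytes, and then ties everything together with policy maps and service policies. The names inside_hosts, inside_hosts_class, http_body_policy, inside_policy, the interface name inside, and the conn-max value are assumptions chosen for the example.

```cisco
! Step 1: identify traffic with Layer 3/4 class maps.
! Default class (from the guide): matches each protocol on its standard
! destination port, so several inspections may be applied to this one class.
class-map inspection_default
 match default-inspection-traffic
!
! Assumed names: an ACL and class map for traffic from 10.1.1.0/24 to any.
access-list inside_hosts extended permit ip 10.1.1.0 255.255.255.0 any
class-map inside_hosts_class
 match access-list inside_hosts
!
! Step 2: inspection policy map for additional actions on some HTTP traffic.
! Requests whose body exceeds 1000 bytes are dropped and logged.
policy-map type inspect http http_body_policy
 match request body length gt 1000
  drop-connection log
!
! Layer 3/4 policy map: the default class gets port-based inspections,
! with HTTP inspection parameterised by the inspection policy map above.
! class-default is appended automatically and takes no action here.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect tftp
  inspect http http_body_policy
!
! Interface-level policy (assumed name) acting only on the 10.1.1.0/24 class:
! cap the number of concurrent connections from those hosts.
policy-map inside_policy
 class inside_hosts_class
  set connection conn-max 1000
!
! Activate: one global policy, plus one policy on the assumed interface "inside".
service-policy global_policy global
service-policy inside_policy interface inside
```

After applying the configuration, `show service-policy` lists each policy map with its classes and per-action counters, which is the quickest way to confirm that the inside_hosts_class and the HTTP inspection are actually seeing traffic. Classes in a Layer 3/4 policy map are evaluated in order, so place specific class maps ahead of broad ones; anything unmatched falls through to the implicit class-default at the end.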

[Figure: Layer 3/4 Class Map]