Cisco Security Appliance Command Line Configuration Guide, OL-6721-01
Chapter 18: Using Modular Policy Framework
This chapter describes how to use Modular Policy Framework to create security policies for TCP and 
general connection settings, inspection, and QoS. 
This chapter includes the following sections:
• Overview
• Identifying Traffic Using a Class Map
• Defining Actions Using a Policy Map
• Applying a Policy to an Interface Using a Service Policy
• Direction Policies When Applying a Service Policy
Overview
Modular Policy Framework provides a consistent and flexible way to configure security appliance 
features in a manner similar to Cisco IOS software QoS CLI. For example, you can use Modular Policy 
Framework to include IP Precedence as one of the criteria to identify traffic for rate-limiting. You can 
also create a timeout configuration that is specific to a particular TCP application, as opposed to one that 
applies to all TCP applications. 
To configure a security feature using Modular Policy Framework, use the class-map, policy-map, and 
service-policy global configuration commands. 
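The three commands fit together as shown in the following configuration, which is an added illustration and not taken from the original guide. It gives Telnet (TCP port 23) its own idle timeout instead of the timeout that applies to all TCP applications. The names telnet_traffic and telnet_policy, the interface name outside, and the 10-minute value are assumptions chosen for the example.

```cisco
! Added example, not from the original guide. Names, interface, and
! timeout value are assumptions.
!
! Identify the traffic class: TCP traffic with a port value of 23 (Telnet).
class-map telnet_traffic
 match port tcp eq 23
!
! Associate the class with an action: an idle timeout that applies
! only to connections in this class, not to all TCP applications.
policy-map telnet_policy
 class telnet_traffic
  set connection timeout tcp 0:10:00
!
! Activate the policy on one interface (assumed here to be named outside).
service-policy telnet_policy interface outside
!
! Confirm what was configured and where the policy is active.
show running-config class-map
show running-config policy-map
show service-policy
```

Until the service-policy command is entered, the class map and policy map are stored in the configuration but have no effect on traffic.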
Modular Policy Framework is supported with these features:
• TCP and general connection settings
• Inspection
• Intrusion Prevention Services
• QoS
Configuring Modular Policy Framework consists of three tasks:
1. Identify a traffic class using the class-map global configuration command. 
A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic 
with a port value of 23 may be classified as a Telnet traffic class.
2. Create a policy map by associating the traffic class with one or more actions using the policy-map 
global configuration command. 
An action protects information or resources, or performs a QoS function. 










