Wednesday 3 October 2012

Modular Policy Framework


The primary function of the Cisco security appliance, or of any security appliance, is to protect internal hosts from malicious attacks that originate on the outside network. To do that, the security administrator needs to manipulate and control the flow of traffic in pieces and with more flexibility. Rate limiting traffic, deep inspection of traffic flows and blocking unauthorized traffic flows are some of the important responsibilities of the network security administrator.
In the Cisco security appliance, MPF was introduced with software version 7.0. MPF stands for Modular Policy Framework. MPF segments traffic flows into traffic classes and can assign one or more actions to each class. A class segregates the network traffic flow at the packet level: each packet is identified and matched against the attributes listed in the class map.


How to use MPF
Step 1:- Create a class map
          Create a class map with a unique name. Once you enter the command you will be in class-map configuration mode.
           class-map class-map-name
Using the description command you can assign a description to the class map.

Step 2:- Assign the match command
         Give the proper match command, e.g.
                match any: all traffic will be matched
                match access-list: match traffic permitted by a specific access list
                match port: match traffic based on TCP/UDP destination port
                match access-group: match an access group
                match destination-address: match a specific destination address
                match dscp: match the DSCP value
                match protocol: match a protocol
The set of match commands available depends on the platform and software version; you can find the others by using ?

e.g.       class-map http_check
                 match port tcp eq 80

Step 3:- Create a policy map
        A policy map is created the same way as a class map. Once you have created it you will be in policy-map configuration mode.
                policy-map policy-map-name
Using the description command you can assign a description to the policy map.

Step 4:- Assign the class map to the policy map
        With the policy map created you must assign the class map to it. You can assign more than one class map to a policy map, and one class map can also be assigned to more than one policy map. Each class map added to a policy map has its own configuration mode; any configuration done in this mode affects only that class map within that policy map, not in other policy maps. A class map is assigned using the class command:
            class class-map-name

Step 5:- Assign the rules to each class
                You can assign rules to each class in this policy map (e.g. bandwidth management, inspection of traffic, priority for voice traffic, etc.)
e.g. on the ASA security appliance
          class class-map-name
               inspect http
If you want to rate limit your traffic then use the police command.

Step 6:- Assign the policy to an interface
           Now that the policy is configured it is time to assign it to an interface. The command differs between routers and security appliances (ASA, PIX): on a router the service-policy command is entered under the interface, while on the ASA it is entered from global configuration and names the interface. The router form is
          interface interface-name
          service-policy [input/output] policy-map-name

Once the policy has been assigned it will start working and will perform as per your configuration.
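A complete configuration that carries all six steps through on a Cisco ASA, added here as an example and not taken from the original post. The names WEB_TRAFFIC and WEB_POLICY, the interface name outside and the 1 Mbps policing rate are assumed values chosen for the example; the ASA form of service-policy (entered from global configuration rather than under the interface) is shown because inspect http and police are ASA commands.

```cisco
! Added example (not from the original post): MPF on a Cisco ASA.
! WEB_TRAFFIC, WEB_POLICY, the interface name "outside" and the
! 1 Mbps rate are assumed values chosen for this example.
!
! Steps 1 and 2: a class map that selects HTTP by destination port
class-map WEB_TRAFFIC
 description HTTP traffic selected by TCP destination port 80
 match port tcp eq 80
!
! Steps 3 and 4: a policy map that carries the class
policy-map WEB_POLICY
 description HTTP inspection and rate limit for the outside interface
 class WEB_TRAFFIC
  ! Step 5: application-layer inspection of the HTTP flows
  inspect http
  ! Step 5: police both directions to 1,000,000 bps with a 1500-byte burst;
  ! conforming packets are transmitted, excess packets are dropped
  police input 1000000 1500 conform-action transmit exceed-action drop
  police output 1000000 1500 conform-action transmit exceed-action drop
!
! Step 6: on the ASA the policy is attached from global configuration,
! naming the interface (the alternative keyword "global" applies it everywhere)
service-policy WEB_POLICY interface outside
```

After applying it, show service-policy interface outside reports the class, the inspect and police actions and their packet counters, which is the quickest check that the class map is matching the traffic you expected; a class with zero hits usually means the match statement, not the action, is wrong. Note also that an ASA accepts only one service policy per interface plus one global policy, so additional classes for the same interface go into this policy map rather than into a second one.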

         If you have any queries then feel free to post...
