32-7
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter32 Configuring a Service Policy Using the Modular Policy Framework
Default Settings
Class Map Guidelines
The maximum number of class mapsof all types is 255 in single mode or per context in multiple mode.
Class maps include the following types:
Layer 3/4 class maps (for through traffic and management traffic).
Inspection class maps
Regular expression class maps
match commands used directly underneath an inspection policy map
This limit also includes default class maps of all types, limiting user-configured class mapsto
approximately 235. See the “Default Class Maps” section on page32-8.
Policy Map Guidelines
See the following guidelines for using policy maps:
You can only assign one policy map per interface. (However you can create up to 64 policy maps in
the configuration.)
You can apply the same policy map to multiple interfaces.
You can identify up to 63 Layer 3/4 class maps in a Layer 3/4 policy map.
For each class map, you can assign multiple actions from one or more feature types, if supported.
See the “Incompatibility of Certain Feature Actions” section on page32-5.
Service Policy Guidelines
Interface service policies take precedence over the global service policy for a given feature. For
example, if you have a global policy with FTP inspection, and an interface policy with TCP
normalization, then both FTP inspection and TCP normalization are applied to the interface.
However, if you have a global policy with FTP inspection, and an interface policy with FTP
inspection, then only the interface policy FTP inspection is applied to that interface.
You can only apply one global policy. For example, you cannot create a global policy that includes
feature set 1, and a separate global policy that includes feature set 2. All features must be included
in a single policy.
Default Settings
The following topics describe the default settings for Modular Policy Framework:
Default Configuration, page32-7
Default Class Maps, page32-8
Default Configuration
By default, the configuration includes a policy that matches all default application inspection traffic and
applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled
by default. You can only apply one global policy, so if you want to alter the global policy, you need to
either edit the default policy or disable it and apply a new one. (An interface policy overrides the global
policy for a particular feature.)
The default policy includes the following application inspections: