32-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter32 Configuring a Service Policy Using the Modular Policy Framework
Task Flows for Configuring Service Policies
policy, this class ensures that the correct inspection is applied to each packet, based on the destination
port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the
TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in
this case only, you can configure multiple inspections for the same class map. Normally, the ASA does
not use the port number to determine which inspection to apply, thus giving you the flexibility to apply
inspections to non-standard ports, for example.
class-map inspection_default
match default-inspection-traffic
Another class map that exists in the default configuration is called class-default, and it matches all
traffic. This class map appears at the end of all Layer 3/4 policy maps and essentially tells the ASA to
not perform any actions on all other traffic. You can use the class-default class if desired, rather than
making your own match any class map. In fact, some features are only available for class-default, such
as QoS traffic shaping.
class-map class-default
match any
Task Flows for Configuring Service Policies
This section includes the following topics:
Task Flow for Using the Modular Policy Framework, page32-9
Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping, page32-11

Task Flow for Using the Modular Policy Framework

To configure Modular Policy Framework, perform the following steps:
Step1 Identify the traffic—Identify the traffic on which you want to perform Modular Policy Framework
actions by creating Layer 3/4 class maps.
For example, you might want to perform actions on all traffic that passes through the ASA; or you might
only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address.
See the “Identifying Traffic (Layer 3/4 Class Maps)” section on page32-12.
Step2 Perform additional actions on some inspection traffic—If one of the actions you want to perform is
application inspection, and you want to perform additional actions on some inspection traffic, then create
an inspection policy map. The inspection policy map identifies the traffic and specifies what to do with it.
For example, you might want to drop all HTTP requests with a body length greater than 1000 bytes.
Layer 3/4 Class MapLayer 3/4 Class Map
241506