Modular Policy Framework (MPF) Objective
There is a growing need for greater granularity and flexibility in configuring network policies. For example, it is extremely important to be able to include a destination IP address as one of the criteria that identifies traffic for Network Address Translation, or to create a timeout configuration that is specific to a particular TCP application, as opposed to the current timeout scheme, which applies a single timeout value to all TCP applications. MPF provides the tools to meet these and other needs.
MPF features are derived from quality of service (QoS) as implemented in IOS. Not all features have been carried across. MPF is built on three related CLI commands:
- class-map: This command identifies the traffic that needs a specific type of control. Each class-map has a name, which ties it into a policy-map. The class-map only selects the traffic; it takes no action on it.
- policy-map: This command describes the actions to be taken on the traffic selected by a class-map. Class-maps are listed by name under the appropriate policy-map. Each policy-map also has a name, which ties it into a service-policy. The policy-map specifies what action is taken.
- service-policy: This command describes where the traffic is intercepted for control, and is what actually applies the policy. Only one service-policy can exist per interface. In addition, one global service-policy can be defined for general policy application; it applies to traffic on all interfaces.
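The following configuration is an added example, not taken from the original page, that ties the three commands together for the per-application TCP timeout case mentioned above and for a global inspection policy. The interface name `outside`, the host address `192.0.2.10`, the access-list and map names, and the 30-minute timeout value are all assumptions chosen for illustration; `inspection_default` with `match default-inspection-traffic` is the platform's built-in default-inspect class referred to in the restrictions below.

```cisco
! --- Per-interface policy: identify web traffic to one server and give it its own TCP idle timeout ---
! 1. Select the traffic (class-map). A class-map may carry only one match statement,
!    so an access-list is used to express the destination host and port together.
access-list WEB_TRAFFIC extended permit tcp any host 192.0.2.10 eq 80
class-map WEB_CLASS
 match access-list WEB_TRAFFIC

! 2. Describe the action (policy-map). The class-map is referenced by name.
!    Here the TCP idle timeout for this class alone is set to 30 minutes (assumed value),
!    leaving the global TCP timeout untouched for every other application.
policy-map OUTSIDE_POLICY
 class WEB_CLASS
  set connection timeout tcp 0:30:00

! 3. Apply the policy (service-policy). Only one service-policy is allowed per interface.
service-policy OUTSIDE_POLICY interface outside

! --- Global policy: protocol inspection applied on all interfaces ---
! The default-inspect class matches the well-known inspection ports for every protocol.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect dns
! The "global" keyword attaches this policy to all interfaces; only one global policy may exist.
service-policy global_policy global
```

Use `show service-policy` to confirm that both policies are attached and to see per-class hit counts, which is the quickest way to verify that a class-map actually matches the traffic you intended rather than silently selecting nothing.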
PIX 7.0 has the following restrictions for match, policy, and class statements:
- Number of policy-maps: 64.
- Number of class-maps: 255.
- Number of classes in a policy-map: 63.
- Number of match statements in a class-map: 1. For match tunnel-group and default-inspect, two statements are allowed.