This “Foundation Summary” provides a convenient review of many key concepts in this
chapter. If you are already comfortable with the topics in this chapter, this summary can help
you recall a few details. If you just read this chapter, this review should help solidify some
key facts. If you are doing your final preparation before the exam, this summary provides a
convenient way to review on the day before the exam.
Cisco Security Appliance software version 7.0 and later introduced a new way to manipulate
traffic flows dynamically. With the introduction of the Modular Policy Framework (MPF), a
security administrator can manage, inspect, and prioritize specific traffic flows instead of
applying those settings to all traffic passing through the Security Appliance. A Modular
Policy Framework configuration consists of three parts:
■ Class maps—Class maps identify (classify) the traffic flows that will be acted on.
■ Policy maps—Policy maps associate one or more actions with each class of traffic
identified by a class map.
■ Service policies—Service policies activate a policy map on a specific interface or
globally on all interfaces. Only one policy map can be applied per interface and one
globally.
Policy maps assign actions to the traffic classes defined by class maps. These five actions,
called feature domains, control the inspection and QoS functions that a policy map can
apply. The feature domains are as follows:
■ inspect—Performs application inspection (Layer 3 through Layer 7) on the traffic flow
assigned to it.
■ ips—Diverts the traffic flow to the AIP-SSM module for deep packet inspection, in either
inline or promiscuous mode.
■ priority—Places the traffic flow in the interface's low-latency queue so that it is
transmitted ahead of other traffic.
■ police—Applies a rate limit (conform rate) and a burst size to the traffic flow; traffic
that exceeds the limit is dropped.
■ set-connection—Limits the number of TCP and UDP connections and the number of embryonic
(half-open TCP) connections allowed for the traffic flow.
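The following configuration is an added example, not taken from this book, that ties the three MPF parts together and exercises the feature domains described above. The interface name outside, the class and policy names, the access lists, the address 10.1.1.0/24, and the numeric limits are all assumptions chosen for illustration. The police command with the output keyword uses the syntax of later 7.x releases (7.0 took a conform rate and burst without the direction keyword), and the ips action only applies on an appliance with an AIP-SSM installed.

```cisco
! Class maps: identify the traffic (names and match criteria assumed for this example)
access-list bulk_acl extended permit tcp any any eq ftp-data
access-list ips_acl extended permit ip any 10.1.1.0 255.255.255.0
class-map web_traffic
 match port tcp eq www
class-map voice_traffic
 match dscp ef
class-map bulk_traffic
 match access-list bulk_acl
class-map ips_traffic
 match access-list ips_acl
!
! Policy map for the outside interface: one or more actions per class
policy-map outside_policy
 class web_traffic
  inspect http
  set connection conn-max 1000 embryonic-conn-max 100
 class voice_traffic
  priority
 class bulk_traffic
  police output 1000000 16000
!
! The low-latency queue must exist on the interface before priority has any effect
priority-queue outside
!
! Service policy: activate the policy map on the outside interface only
service-policy outside_policy interface outside
!
! Global policy: divert the selected flow to the AIP-SSM inline; pass traffic if the module fails
policy-map global_policy
 class ips_traffic
  ips inline fail-open
service-policy global_policy global
```

Two checks are worth doing after pasting this in: show service-policy interface outside confirms that the policy map is bound to the interface and shows per-class packet counters, and show running-config policy-map shows the class-to-action mapping as the appliance stored it. Note that priority and police are mutually exclusive within a single class, which is why the voice and bulk flows are placed in separate class maps.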