Modular Policy Framework
Cisco Security Appliances can control traffic flows in a more granular manner than
traditional firewalls through the use of Modular Policies. Much like Cisco IOS Software QoS
CLI, Modular Policy Framework (MPF) allows the security administrator flexibility when
designing security policies. Individual traffic flows can be redirected to specific policies for
rate limiting, IP Precedence, or deep packet inspection. MPFs are divided into three sections:
■ Class-map—Identifies the type of traffic flow that the MPF will use. The flow type is
packet specific and can be any packet type, such as a VPN tunnel, voice traffic, or basic
IP traffic.
■ Policy-map—Assigns one or more actions to traffic flows specified by a class-map. For
example, all basic IP traffic entering the site would be packet inspected and rate limited
through a policy-map.
■ Service policy—Assigns one or more policy-maps to an interface.
The MPF feature is new to the Security Appliance with the introduction of Software Version
7.0. Chapter 8, “Modular Policy Framework,” covers MPFs in more detail.