Introduction
There is confusion around exactly what class-maps, policy-maps and service-policies achieve on an ASA. When you take the time to look into and test, they are fairly easy to master and very powerful.
Class Maps
Class maps are used to match traffic based on a number of different options. For example access-lists, ports or tunnel groups. Depending on what you need to achieve is what and how you would configure.
Policy Maps
These are named maps which include any number of different class maps required. You would never have many different policy maps because of their usage in the last step.
Service Policies
Service Policies are used to enable a policy map on an interface or globally. This is where the restriction is, you can only have one global service policy and one service policy per interface.
Examples
Now down to business, because if you’re anything like me you want to see examples with explanations! I say lead by example so what have I got happening on my ASA?
access-list netflow-export extended permit ip any4 any4
class-map netflow-export-class
match access-list netflow-export
class-map DNS-Snooping
match port udp eq domain
class-map All-Traffic
match any
class-map inspection_default
match default-inspection-traffic
As you can see, I have four different class maps as it stands. The first is used for exporting of netflow data. That is another topic in itself which I will post about later. It matches all ipv4 traffic as per the access-list. The second is used for DNS snooping which again is another topic for later but very useful. It matches a port for all DNS queries to the web (UDP 53). The third class map is another easy one, match any = everything. The fourth and final is the default inspection which matches a number of different protocols.
Hopefully this should make sense so far. The next stage is the Policy maps.
policy-map global_policy
class inspection_default
inspect dns
inspect tftp
inspect http
inspect ftp
inspect ipv6
class netflow-export-class
class class-default
flow-export event-type all destination UTILITY
policy-map Police_Internet-Traffic
class All-Traffic
police input 10000000
police output 10000000
policy-map InternetTraffic-Policy
class DNS-Snooping
inspect dns dynamic-filter-snoop
Policy map global_policy is the one allowed global policy I mentioned before. It matches the default inspection traffic and also the netflow class map. There is also a flow export entry which determines the netflow destination host of the policy. The next policy map is the Police_Internet-Traffic map. This map is used to match all traffic and police it. What does it mean police it. Police means allow up to your configured range then drop. I have allowed 10mbps on the map which basically means that the usage of bandwidth can never go over that on the specified interface. The Third and final policy I have configured is InternetTraffic-Policy. This is where the DNS snooping class map is in action. So how does this look in the service policies?
service-policy global_policy global
service-policy InternetTraffic-Policy interface outside
service-policy Police_Internet-Traffic interface Guest
service-policy Police_Internet-Traffic interface DMZ
service-policy Police_Internet-Traffic interface Management
service-policy Police_Internet-Traffic interface DMZ2
The first Service Policy is global which means it is active on every interface on the ASA. Simple. The InternetTraffic policy is added to the outside interface so it tracks or snoops on DNS queries to the web. The final Police_Internet-Traffic policy has been applied to all interfaces other than the inside to limit the bandwidth. This ensures the inside interface always gets the best of the bandwidth especially as the wife is addicted to amazon prime which eats up its fair share of bandwidth!
Hope this explains it and helps someone out there! Of course there is a whole world of voice QOS configuration out there which I may go into another time and do let me know if you have some interesting inspection happening.