
Version 4.1 - 5.1.f MPF functionality

This is where my R/S experience and study is paying off. I'm very familiar with the Modular Policy Framework.

You start with an access list (optional). The class-map references the access list (matching the traffic) or specifies the traffic directly if an access list isn't used. Then you create a policy-map, which references the class-map and defines the actions (inspect, police, and so on) to take on that traffic. Then you apply the policy-map with a service-policy, either to a specific interface or globally. [In a nutshell.]

The variations and uses of MPF are what this section is all about. This is yet another section where I can just about guarantee there will be at least one (likely 2 or 3) questions. Some of the questions may be directly about MPF, and some will require you to know MPF to answer a question on some other topic. Also note that regex knowledge may come into play here, since inspection class-maps can match on regular expressions.

Also know that traffic may match more than one class in the configuration. A packet matches only the first class in a policy-map for a given feature type (inspection, policing, and so on), but it can still pick up actions of a different feature type from a later class, and an interface service-policy takes precedence over the global one for any feature type both of them define. I've seen questions like this. They give you a long config and you have to determine whether the traffic does or doesn't do what you intend it to do.

This should look familiar to you:

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80

hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# police output 250000
hostname(config)# service-policy http_traffic_policy interface outside
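To make the matching rules concrete, here is an added example (my own Python model, not Cisco code and not part of the original post) that evaluates the config above together with the default global policy for a few flows. It encodes two rules: a packet is bound to at most one class per feature type, the first one in order, and the interface service-policy is evaluated before the global one, so it wins for a feature type both define. The default-inspection-traffic port table is a constructed subset, direction (the "output" in police output) is ignored, and every "inspect ..." action is treated as one feature type, which glosses over the inspections the ASA allows to combine.

```python
# Added example: a toy model of ASA Modular Policy Framework class selection.
# Not Cisco code. Assumptions: every "inspect ..." is one feature type,
# policing direction is ignored, and the port table below is a constructed
# subset of "match default-inspection-traffic".
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    dport: int
    iface: str   # interface the packet is seen on


# Constructed subset of the default-inspection-traffic protocol/port pairs.
DEFAULT_INSPECTION_TRAFFIC = {
    ("udp", 53): "dns", ("tcp", 21): "ftp", ("tcp", 80): "http",
    ("udp", 69): "tftp", ("tcp", 5060): "sip", ("udp", 5060): "sip",
}


def match_port(proto: str, port: int) -> Callable[[Flow], bool]:
    """class-map <name> / match port <proto> eq <port>"""
    return lambda f: f.proto == proto and f.dport == port


def match_default_inspection_traffic(f: Flow) -> bool:
    """class-map inspection_default / match default-inspection-traffic"""
    return (f.proto, f.dport) in DEFAULT_INSPECTION_TRAFFIC


CLASS_MAPS: Dict[str, Callable[[Flow], bool]] = {
    "http_traffic": match_port("tcp", 80),
    "inspection_default": match_default_inspection_traffic,
}

# policy-map name -> ordered (class name, actions), mirroring the post's config
# (the global policy is abbreviated to four of its inspections)
POLICY_MAPS: Dict[str, List[Tuple[str, List[str]]]] = {
    "http_traffic_policy": [
        ("http_traffic", ["inspect http", "police output 250000"]),
    ],
    "global_policy": [
        ("inspection_default", ["inspect dns preset_dns_map", "inspect ftp",
                                "inspect tftp", "inspect sip"]),
    ],
}

# service-policy http_traffic_policy interface outside
# service-policy global_policy global
INTERFACE_POLICY = {"outside": "http_traffic_policy"}
GLOBAL_POLICY = "global_policy"


def feature_type(action: str) -> str:
    """'inspect http' -> 'inspect', 'police output 250000' -> 'police'."""
    return action.split()[0]


def evaluate(flow: Flow) -> Dict[str, Tuple[str, List[str]]]:
    """Return feature type -> ('policy:class' that claimed it, its actions)."""
    claimed: Dict[str, Tuple[str, List[str]]] = {}
    order = []
    if flow.iface in INTERFACE_POLICY:      # interface policy is checked first
        order.append(INTERFACE_POLICY[flow.iface])
    order.append(GLOBAL_POLICY)
    for pname in order:
        for cname, actions in POLICY_MAPS[pname]:
            if not CLASS_MAPS[cname](flow):
                continue
            owner = f"{pname}:{cname}"
            for action in actions:
                ft = feature_type(action)
                if ft not in claimed:
                    claimed[ft] = (owner, [])
                if claimed[ft][0] == owner:
                    claimed[ft][1].append(action)
                # else: an earlier class already owns this feature type
    return claimed


if __name__ == "__main__":
    for f in (Flow("tcp", 80, "outside"), Flow("tcp", 80, "inside"),
              Flow("udp", 53, "outside")):
        print(f, "->", evaluate(f))
```

Running it shows the exam-style gotcha: HTTP to port 80 on outside gets inspect http and policing from the interface policy and nothing from the global policy (inspection is already claimed), HTTP on inside gets only the global inspections, so no HTTP inspection and no policing, and DNS on outside falls through the interface policy to the global DNS inspection.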

Keep an eye out for match-all versus match-any:

The following example creates an HTTP class map that must match all criteria:
hostname(config)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs

The following example creates an HTTP class map that can match any of the criteria:
hostname(config)# class-map type inspect http match-any monitor-http
hostname(config-cmap)# match request method get
hostname(config-cmap)# match request method put
hostname(config-cmap)# match request method post

Make sure that if it's a "match-all", packets can actually exist that meet all the criteria at once. A packet cannot "match-all" of both udp and tcp at the same time, and a single HTTP request cannot have more than one method. (You can use match-any for that kind of list, but not match-all.)
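As an added example (my own Python, not Cisco code and not from the original post), here is how match-all and match-any combine the criteria of the two inspect class-maps above when applied to constructed HTTP requests, plus the match-all trap of listing three mutually exclusive methods. The request fields, the contents of "regex class URLs" and the way the content-type mismatch is represented (a flag the inspector would have set) are assumptions for the example.

```python
# Added example: match-all vs match-any semantics of "class-map type inspect http".
# Not Cisco code. Assumed: request fields, the URL patterns, and a boolean
# standing in for the inspector's req-resp content-type mismatch check.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class HttpRequest:
    method: str
    uri: str
    body_length: int
    content_type_mismatch: bool  # assumed: set by the inspector after seeing the response


Criterion = Callable[[HttpRequest], bool]


def negate(c: Criterion) -> Criterion:            # "match not ..."
    return lambda r: not c(r)


def request_method(m: str) -> Criterion:          # match request method <m>
    return lambda r: r.method.upper() == m.upper()


def request_body_length_gt(n: int) -> Criterion:  # match request body length gt <n>
    return lambda r: r.body_length > n


def request_uri_regex_class(patterns: List[str]) -> Criterion:
    """match request uri regex class <name>: matches if any regex in the class hits."""
    compiled = [re.compile(p) for p in patterns]
    return lambda r: any(p.search(r.uri) for p in compiled)


def req_resp_content_type_mismatch() -> Criterion:
    return lambda r: r.content_type_mismatch


def class_map(mode: str, criteria: List[Criterion]) -> Criterion:
    """match-all requires every criterion; match-any requires at least one."""
    if mode == "match-all":
        return lambda r: all(c(r) for c in criteria)
    if mode == "match-any":
        return lambda r: any(c(r) for c in criteria)
    raise ValueError(f"unknown mode {mode}")


# Assumed contents of "regex class URLs" (constructed for the example)
URLS = [r"^/api/", r"\.cgi$"]

# The two class maps from the post
http_traffic = class_map("match-all", [
    req_resp_content_type_mismatch(),
    request_body_length_gt(1000),
    negate(request_uri_regex_class(URLS)),
])
monitor_http = class_map("match-any", [
    request_method("get"), request_method("put"), request_method("post"),
])
# The trap: the same three methods under match-all can never match,
# because one request carries exactly one method.
match_all_methods = class_map("match-all", [
    request_method("get"), request_method("put"), request_method("post"),
])


def evaluate(req: HttpRequest) -> Dict[str, bool]:
    return {
        "http-traffic": http_traffic(req),
        "monitor-http": monitor_http(req),
        "match-all-methods": match_all_methods(req),
    }


if __name__ == "__main__":
    # Constructed sample requests
    for req in (HttpRequest("POST", "/upload", 2048, True),
                HttpRequest("POST", "/api/upload", 2048, True),
                HttpRequest("DELETE", "/x", 10, False)):
        print(req, "->", evaluate(req))
```

The second sample request fails http-traffic only because of the "match not" line: its URI hits the regex class, so the negated criterion is false and match-all fails, while match-any on the method still succeeds.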

Don't forget the default inspection policy:
"By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default."

The default policy configuration includes the following commands:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

I've been through a lot of these types of questions and never had a problem figuring them out. After you know the material, it's a matter of ATTENTION TO DETAIL. You can't linger on the straightforward questions, so you have enough time to look at these line by line.
