Cisco IOS Zone Based Firewall uses a technology called as Cisco Common Classification Policy Language (C3PL), which is similar to MQC (Modular QoS Command-Line). Cisco Common Classification Policy Language (C3PL) is made of three components; class maps, policy maps and service policies. Cisco IOS Zone Based Firewall Access Policies are made using class maps, policy maps and service policies.
Class Map, Policy Map and Service Policy
Class Map: A Class map is used to identify the traffic based on some criteria, like ACLs or Protocol.
Policy Map: Policy Maps are used to apply a firewall policy to the Class map that is created previously. Policy maps can define what we want to do with the traffic identified by the class map. Three types of actions can be applied on traffic with the Policy map.
• Drop - Drop the traffic
• Inspect - Dynamically inspect the traffic ("inspect" command is used to configure stateful inspection, which will allow the matching return traffic.)
• Pass - Forward the traffic
Service Policy: Service policies define where to apply the Policy map created before. In Cisco IOS Zone Based Firewall, Service policies are finally applied to a security zone pair.