Creating ASA Inspection Maps

Introduction

There is some confusion about exactly what class maps, policy maps and service policies achieve on an ASA. Together they make up the Modular Policy Framework (MPF). Once you take the time to look into and test them, they are fairly easy to master and very powerful.

Class Maps

Class maps select traffic. A class map can match on an access-list, a port, a tunnel group, the default inspection ports and several other criteria; what you need to achieve determines which match you use. A class map on its own does nothing: it only describes traffic for a policy map to act on.

Policy Maps

A policy map is a named list of class maps, each paired with the actions (inspection, policing, flow export and so on) to apply to the traffic that class matches. Classes are evaluated in the order they appear, and for a given feature a packet is handled by the first class in the policy map that matches it. You rarely have many policy maps because of the restriction in the last step.

Service Policies

A service policy activates a policy map, either globally or on a single interface. This is where the restriction is: you can have only one global service policy and one service policy per interface. An interface policy does not replace the global policy, though. Both apply to that interface, and where the two configure the same feature (the same protocol inspection, for example) the interface policy wins and the global policy's version of that feature is skipped on that interface.

Examples

Now down to business, because if you are anything like me you want to see examples with explanations. I say lead by example, so what have I got happening on my ASA? Starting with the class maps:

    access-list netflow-export extended permit ip any4 any4

    class-map netflow-export-class
     match access-list netflow-export
    class-map DNS-Snooping
     match port udp eq domain
    class-map All-Traffic
     match any
    class-map inspection_default
     match default-inspection-traffic

As you can see, I have four class maps at the moment. The first is used for exporting NetFlow data, which is a topic in itself that I will post about later; it matches all IPv4 traffic via the access-list (any4 is IPv4 only, so IPv6 flows are not selected by this class). The second is used for DNS snooping, again a topic for later but very useful: it matches DNS traffic on UDP port 53 (the domain keyword). The third class map is another easy one: match any means everything. The fourth and final one is the default inspection class, which matches the standard ports of a number of protocols (DNS, FTP, HTTP, TFTP and so on). Hopefully this makes sense so far. The next stage is the policy maps.
    policy-map global_policy
     class inspection_default
      inspect dns
      inspect tftp
      inspect http
      inspect ftp
      inspect ipv6
     class netflow-export-class
     class class-default
      flow-export event-type all destination UTILITY
    policy-map Police_Internet-Traffic
     class All-Traffic
      police input 10000000
      police output 10000000
    policy-map InternetTraffic-Policy
     class DNS-Snooping
      inspect dns dynamic-filter-snoop

The policy map global_policy is the one global policy I mentioned before. It applies the protocol inspections to the default inspection class and also references the NetFlow class map. The flow-export line is what sets the NetFlow collector (here the named host UTILITY). Note that, as listed, it sits under class-default rather than under netflow-export-class, which has no action attached at all, so the access-list plays no part and every flow is exported. If you want the access-list to control what gets exported, the flow-export action belongs under netflow-export-class instead.

The next policy map is Police_Internet-Traffic. It matches all traffic and polices it. What does it mean to police traffic? Policing rate-limits: traffic up to the configured rate (plus a burst allowance) is allowed through, and anything above it is dropped (the default exceed action). The rate is in bits per second, so 10000000 is 10 Mbps, in each direction: input is traffic arriving on the interface, output is traffic leaving it. Policing is enforced per interface, so each interface this policy is attached to gets its own 10 Mbps each way. Because excess traffic is dropped rather than queued, bulk flows such as video streams back off, while latency-sensitive traffic simply loses packets.

The third and final policy map is InternetTraffic-Policy. This is where the DNS snooping class map is put to work: inspect dns dynamic-filter-snoop inspects the matched DNS traffic and additionally snoops the replies for the Botnet Traffic Filter. So how does this look in the service policies?

    service-policy global_policy global
    service-policy InternetTraffic-Policy interface outside
    service-policy Police_Internet-Traffic interface Guest
    service-policy Police_Internet-Traffic interface DMZ
    service-policy Police_Internet-Traffic interface Management
    service-policy Police_Internet-Traffic interface DMZ2

The first service policy is global, which means it is active on every interface of the ASA. Simple. InternetTraffic-Policy is attached to the outside interface so it snoops on DNS queries to the internet. Because both it and global_policy configure DNS inspection, the outside interface takes its DNS inspection (with snooping) from the interface policy and everything else (the other inspections and the flow export) from the global policy. The final policy, Police_Internet-Traffic, is applied to every interface other than inside to limit each of them to 10 Mbps. This ensures the inside interface always gets the best of the bandwidth, especially as the wife is addicted to Amazon Prime, which eats up its fair share!
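To make the precedence rules concrete, here is an added example (my own code, not from the original post and not Cisco's): a small Python script that parses the class-map, policy-map and service-policy lines above (embedded as a constructed, trimmed sample laid out the way the ASA prints them) and reports, per interface, which policy, class and action supplies each feature. It models the documented rule that an interface service policy overrides the global one for the same feature, and that within one policy the first class carrying a feature wins; it ignores the match criteria themselves, so it shows what a packet matching every class would get. It also flags a second global service policy or a second policy on one interface (which the ASA rejects) and lists classes that a policy map references but never acts on. The MPF tuple and all function names are my own.

```python
from collections import OrderedDict, namedtuple

MPF = namedtuple("MPF", "class_maps policy_maps global_policy interface_policy errors")

# Constructed sample, trimmed from the post's config and laid out as the ASA prints it.
SAMPLE_CONFIG = """\
class-map netflow-export-class
 match access-list netflow-export
class-map DNS-Snooping
 match port udp eq domain
class-map All-Traffic
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
 class netflow-export-class
 class class-default
  flow-export event-type all destination UTILITY
policy-map Police_Internet-Traffic
 class All-Traffic
  police input 10000000
  police output 10000000
policy-map InternetTraffic-Policy
 class DNS-Snooping
  inspect dns dynamic-filter-snoop
service-policy global_policy global
service-policy InternetTraffic-Policy interface outside
service-policy Police_Internet-Traffic interface Guest
"""


def parse_mpf(text):
    """Top-level commands start in column 0; 'class' lines and actions are indented."""
    class_maps, policy_maps, interface_policy, errors = {}, OrderedDict(), {}, []
    global_policy, ctx = None, None  # ctx = [kind, map name, current class]
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        line = " ".join(parts)
        if raw[0] != " ":  # a new top-level command ends any block
            ctx = None
            if parts[0] == "class-map":
                class_maps[parts[1]] = []
                ctx = ["class-map", parts[1], None]
            elif parts[0] == "policy-map":
                policy_maps[parts[1]] = OrderedDict()
                ctx = ["policy-map", parts[1], None]
            elif parts[0] == "service-policy":  # the ASA rejects a second one per scope
                scope = "global" if parts[2] == "global" else parts[3]
                if (scope == "global" and global_policy) or scope in interface_policy:
                    errors.append("second service policy for %s rejected: %s" % (scope, parts[1]))
                elif scope == "global":
                    global_policy = parts[1]
                else:
                    interface_policy[scope] = parts[1]
        elif ctx is None:
            continue
        elif ctx[0] == "class-map":
            if parts[0] == "match":
                class_maps[ctx[1]].append(line)
        elif parts[0] == "class":  # new class inside the policy-map
            ctx[2] = parts[1]
            policy_maps[ctx[1]][ctx[2]] = []
        elif ctx[2] is not None:  # an action under the current class
            policy_maps[ctx[1]][ctx[2]].append(line)
    return MPF(class_maps, policy_maps, global_policy, interface_policy, errors)


def feature_of(action):
    """Precedence key: Cisco states the rule per feature such as 'FTP inspection'."""
    words = action.split()
    return " ".join(words[:2]) if words[0] in ("inspect", "police") else words[0]


def policy_features(mpf, policy):
    """feature -> (class, action): the first class in the policy carrying that feature."""
    feats = OrderedDict()
    for cname, actions in mpf.policy_maps[policy].items():
        for action in actions:
            feats.setdefault(feature_of(action), (cname, action))
    return feats


def effective_actions(mpf, interface):
    """feature -> (policy, class, action): interface policy first, global fills the rest."""
    result = OrderedDict()
    for policy in filter(None, (mpf.interface_policy.get(interface), mpf.global_policy)):
        for feat, (cname, action) in policy_features(mpf, policy).items():
            result.setdefault(feat, (policy, cname, action))
    return result


def classes_without_actions(mpf, policy):
    """Classes a policy-map references but never acts on."""
    return [c for c, acts in mpf.policy_maps[policy].items() if not acts]


if __name__ == "__main__":
    mpf = parse_mpf(SAMPLE_CONFIG)
    print("errors:", mpf.errors, "| idle classes:", classes_without_actions(mpf, "global_policy"))
    for iface in ("inside", "outside", "Guest"):
        print(iface, dict(effective_actions(mpf, iface)))
```

Run as-is it prints that netflow-export-class is idle in global_policy, that inside gets only the global inspections and flow export, that outside takes its DNS inspection from InternetTraffic-Policy and everything else from global_policy, and that Guest adds the two police actions on top of the global features. Paste your own `show running-config` output into SAMPLE_CONFIG to check a real box; the parser only understands the three block types shown, so other commands are ignored.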
Hope this explains it and helps someone out there! Of course there is a whole world of voice QoS configuration out there which I may go into another time, and do let me know if you have some interesting inspections happening.
