Traffic Classification rules allow you to assign a class of service and/or
access control (VLAN
membership) to network traffic, depending on the traffic's
classification type. Classification types are based on layers 2, 3, and 4 of the OSI
model, and traffic is classified according to specific layer 2/3/4 information contained in
each frame. For more information, see Traffic
Classification Rules.
A rule has two main parts: Traffic Description and Actions. The Traffic Description
identifies the type of traffic to which the rule will pertain. Actions specify whether
that traffic will be assigned class of service, access control, or both.
There are two ways to create a rule:
- Using the Classification Rule Wizard: The Classification Rule Wizard is a series of windows
that leads you through all the steps required to create a rule,
including defining the traffic description and the actions that will
apply to it.
- Using the Rule Tabs: Creating a rule manually consists of creating a
name for the rule using the Create Classification Rule menu
option, then using the rule's right panel tabs to specify its
characteristics. Creating a rule using this method accomplishes the same things
as the Classification Rule Wizard, but enables you to do only those parts of the
procedure you want to do, when you want to do them. You can also use
the right-panel tabs to modify an existing rule.
In order to create a rule, you must first create a service
with which to associate it.
The Classification Rule Wizard is a series of windows that lead you through all the steps
required to create a new rule.
- In the Policy Manager left panel, select the Services tab.
- Expand either the Service Groups or Services folder and select the
service for which you want to create a rule.
- From the menu bar, select
Tools > Classification Rule Wizard. You can also right-click
on the service and select the option from the menu. The Rule
Wizard opens.
- In the Name window, enter a name for the rule and
click Next.
- In the Rule Status window, you can elect to disable the rule at this
time. If
you disable the rule, it is temporarily unavailable for use by the current
service, but it can be
re-enabled at any time or copied to other services and enabled. See
Disabling a Rule for more information.
Click Next to continue.
- In the Rule Type window, specify the type of devices to which
you wish this rule to apply when enforced. See
Rule Type for more information on
the consequences of your choice. Click Next to continue.
- In the Traffic Classification Layer window, select a Traffic Classification Layer
and click Next. Each layer has multiple Classification
Types. See Classification Types and their Parameters for
a description of classification layers and types.
- In the Traffic Classification Type window for your previous
selection, choose the desired Classification Type and click Next.
- Each Traffic Classification Type requires certain parameters and/or values.
See Classification Types and their Parameters
for parameter
information. Select and/or enter the required parameters and click Next.
- In the Traffic Description Summary window, review the
summary of the traffic description you have added to the rule.
- If you are satisfied with the description, click Next.
- To change the description, select it, then click Remove and Add.
This returns you to the Traffic Classification Layer window. Repeat steps
6-8.
Note: If you modify an enabled rule's
traffic descriptions, Policy Manager checks for
conflicts with other rules in the services and roles with which the newly
modified rule is associated. See Conflict Checking for
more information.
- In the Actions window, define the actions to apply to the rule,
then click Next to continue.
- CoS: To assign a class of service
to the traffic,
select the CoS checkbox. This opens the Classes of Service
Selection View, where you can select a
class of service for the traffic. Click OK to return to the Actions window.
- Access Control: To assign access control (a VLAN), select the Access Control checkbox
and choose one of the following options (see Access Control
for more information):
- Permit Traffic: If you want to allow traffic to
be forwarded with the port's assigned VID, select this option.
- Deny Traffic:
- If you want to deny traffic and one discard VLAN exists: Select this
option (the discard VLAN is already selected).
- If you want to deny traffic and no Discard VLAN exists: Select this
option, then click New to create a new discard VLAN, then
select it from the list.
- If you want to deny traffic and there is more than one Discard VLAN, or you
want to contain traffic for this rule, select this option and choose the
appropriate VLAN from the list.
- Contain to VLAN: If you want to contain traffic for this rule, select
this option, then select the appropriate VLAN from the list.
Note: If you modify an enabled rule's
actions, Policy Manager checks for
conflicts with other rules in the services and roles with which the newly
modified rule is associated. See Conflict Checking
for more information.
- In the Rule Usage window, you can specify actions to take place
when a rule is used. When rule accounting is enabled on a device, each rule
keeps a list of the ports on which it has been used. This window lets you
specify actions to take place when a "rule hit" is reported. If the rule
type does not include any devices that support rule accounting, these
options will be grayed out.
- Generate System Log on Rule Hit - A syslog message is generated when the rule
is used.
- Generate Audit Trail on Rule Hit - An audit trap is generated when the rule
is used.
- Disable Port on Rule Hit - Any port reported as using this rule will
be disabled.
- Click Finish.
- Enforce to write the new information
to the devices.
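The rule assembled by the wizard (traffic description, actions, rule usage) can be pictured with the following Python model, which is an added illustration and not Policy Manager code. The field names, VLAN IDs, port names, first-match ordering, and the handling of frames on a disabled port are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    match_field: str                  # traffic description: classification type
    match_value: object               # traffic description: parameter value
    cos: Optional[str] = None         # class of service action
    access: Optional[str] = None      # "permit", "deny" or "contain"
    vlan: Optional[int] = None        # discard VLAN (deny) or containment VLAN
    enabled: bool = True
    on_hit: frozenset = frozenset()   # any of "syslog", "audit", "disable_port"
    hit_ports: set = field(default_factory=set)

    def __post_init__(self):
        if self.cos is None and self.access is None:
            raise ValueError("a rule needs CoS, access control, or both")
        if self.access in ("deny", "contain") and self.vlan is None:
            raise ValueError(f"'{self.access}' requires a VLAN")

def classify(rules, frame, port, port_vid, disabled_ports, events):
    """Return (vlan, cos) for a frame, or None when the port is disabled."""
    if port in disabled_ports:
        return None
    for rule in rules:  # assumption: first enabled matching rule wins
        if not rule.enabled or frame.get(rule.match_field) != rule.match_value:
            continue
        rule.hit_ports.add(port)  # rule accounting: ports that used the rule
        events += [(kind, rule.name, port)
                   for kind in ("syslog", "audit") if kind in rule.on_hit]
        if "disable_port" in rule.on_hit:
            disabled_ports.add(port)
        # Permit (or CoS only) keeps the port's VID; deny/contain use rule.vlan.
        vlan = port_vid if rule.access in (None, "permit") else rule.vlan
        return vlan, rule.cos
    return port_vid, None  # no rule matched: frame is left unclassified

def demo():
    # Constructed sample: VLAN IDs, port names and frame fields are made up.
    rules = [
        Rule("Deny Telnet", "tcp_dst_port", 23, access="deny", vlan=4094,
             on_hit=frozenset({"syslog", "disable_port"})),
        Rule("Voice", "udp_dst_port", 5060, cos="Priority 5", enabled=False),
    ]
    disabled, events = set(), []
    telnet, sip = {"tcp_dst_port": 23}, {"udp_dst_port": 5060}
    return [
        classify(rules, sip, "ge.1.1", 10, disabled, events),     # rule disabled
        classify(rules, telnet, "ge.1.5", 10, disabled, events),  # deny + hit
        classify(rules, telnet, "ge.1.5", 10, disabled, events),  # port now off
    ], events, disabled, rules[0].hit_ports
```

In the constructed run, the disabled rule is skipped, the deny rule sends the frame to the discard VLAN and logs the hit, and the port it was seen on is disabled for later frames.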
When you create a rule using the rule tabs, you first create and name the
rule using the Create Classification Rule menu option, then
define its characteristics in the right panel rule tabs.
- In the Policy Manager left panel, select the Services tab.
- Expand either the Service Groups or Services folder and click on the
service for which you want to create a rule.
- Right-click
on the service and select Create Classification Rule.
- In the left panel, type the name of the rule in the highlighted box,
and press Enter.
- Fill out the Create Classification Rule window and click OK.
You can now use the associated right-panel tabs to define the rule.
- In the rule's General tab, you can
enter a description of the rule in the Description area or modify the
status and device types for the rule.
- In the Traffic Description tab, define the traffic description for the
rule.
- Click Add to open the Traffic Description Wizard.
- In the Traffic Classification Layer window, select a Traffic Classification Layer
and click Next. Each layer has multiple Classification
Types. See Classification Types and their Parameters for
a description of classification layers and types.
- In the Traffic Classification Type window, select the desired Classification Type and click Next.
- Each Classification Type requires certain parameters and/or values.
See Classification Types and their Parameters
for parameter
information. Select and/or enter the required parameters and click Finish.
- In the Actions tab, select class of
service and access control (VLAN assignment) actions that will apply to the
rule, if applicable.
- In the Rule Usage
tab, specify any actions you would like taken if the rule is used on
a port.
- Enforce to write the new
information to the devices.
Once you've created a rule, you can change its characteristics by
selecting the rule in the Policy Manager's left panel and using the
associated tabs in the right panel.
The rule General tab allows you to create or modify a description for the rule.
- In the Policy Manager left panel, select the Services tab.
- Expand either the Service Groups or Services folder.
- Expand the Service and click on the rule you want to modify, and
make sure the General tab is selected in the right panel.
- Modify the
rule's properties as desired.
- Enforce to write the new
information to the devices.
The rule Traffic Description tab displays the classification type and values
for the selected rule. You can change the classification type or edit the
values using the steps in this section. When you modify an enabled rule's
traffic description, Policy Manager checks for
conflicts with other rules in the services and roles with which the newly
modified rule is associated. See Conflict Checking for
more information.
- In the Policy Manager left panel, select the Services tab.
- Expand either the Service Groups or Services folder.
- Expand the Service and click on the rule you want to modify.
- Click on the Traffic Description tab and select the traffic
description in the right panel.
- To change the classification type or edit the values:
- Click Edit to open the Edit Rule window.
- Select or enter the desired parameters and/or values.
See Classification Types and their Parameters
for parameter information. Click OK.
- Enforce to write the new
information to the devices.
The rule Actions tab displays the actions defined for the selected rule. You
can edit the actions using the steps in this section. When you modify an enabled rule's
actions, Policy Manager checks for
conflicts with other rules in the services and roles with which the newly
modified rule is associated. See Conflict Checking for
more information.
- In the Policy Manager left panel, select the Services tab.
- Expand either the Service Groups or Services folder.
- Expand the Service and click on the rule you want to modify. Its associated tabs appear in the
right panel, with the General tab open.
- Click on the Actions tab and change the class of service and/or access control actions for the rule, as required (see Actions tab
for more information).
- Enforce to write the new
information to the devices.
In Policy Manager, you can disable and enable individual or multiple rules. You
can also disable and enable all the rules associated with a service, or
all the rules for all the services in a service group. The rule icon in
the left panel displays a red X if the rule is disabled.
Disabling a rule is an alternative to deleting and recreating it. If
you disable a rule, it is temporarily unavailable for use by the service
with which it is associated. However, the rule can be copied to another service
and enabled for that service.
Disabling/Enabling an Individual Rule
These are the instructions for disabling and enabling rules using the
rule's General tab. You can also
disable/enable rules in the Rule Status window of the Service Wizard
or Classification Rule Wizard, or
by right-clicking on the rule and selecting Disable Rule(s) or Enable Rule(s).
- In the Policy Manager left panel, select the Services tab.
- Expand the Services folder and the service, to locate the rule you
want to disable or enable. (If the rule is part of a service that is
also a member of a service group, you can expand the Service Groups
folder to find the rule.)
- Select the rule you want to disable or enable, and select the General tab
in the right panel.
- In the Status area, select Enable or Disable to enable
or disable the rule. Disabling the rule turns on the red X on the rule icon in the left panel,
and re-enabling it turns it off.
- Enforce to write the new
information to the devices.
Disabling/Enabling Multiple Rules
These are instructions for disabling and enabling multiple rules in a
single operation.
- In the Policy Manager left panel, select the Services tab.
- Expand the Services or Service Group folder and select the service
containing the rules you want to disable or enable.
- In the right-panel Details View, multi-select the desired rules.
Right-click and select Disable Rule(s) or Enable Rule(s).
- Click Yes to confirm the change.
- Enforce to write the new
information to the devices.
Disabling/Enabling the Rules for a Service or Service Group
If a service is associated with more than one service group,
disabling or enabling the rules for the service in one service group will
disable/enable the rules for the service in the other service groups of
which the service is a part.
- In the Policy Manager left panel, select the Services tab.
- Expand the Services or Service Group folder.
- Right-click the service or service group containing the rules you want
to disable or enable and select Disable Rule(s) or Enable Rule(s).
- Click Yes to confirm the change.
- Enforce to write the new
information to the devices.
Deleting a rule removes the rule from a service. If the service is
also part of a service group, the rule is deleted there as well, so be
sure the rule is not needed before you delete it.
- In the Policy Manager left panel, click the Services tab.
- Expand the Services folder and the service to locate the rule you
want to delete. (If the rule is part of a service that is also a
member of a service group, you can expand the Service Groups folder to
find the rule.)
- Right-click the rule you want to delete, and
select Delete.
- Click Yes to confirm, then OK to clear the
confirmation message. The rule is deleted wherever it exists.
- Enforce to write the new
information to the devices.