How to Create a Service

Services are sets of rules that define how network traffic for a particular network service or application should be handled by a network access device. A service might consist of only one rule governing, for example, email priority, or it might consist of a complex set of rules combining class of service, filtering, rate limiting, and access control (VLAN) assignment.

There are two types of services in Policy Manager:

• Manual Service  - This service consists of one or more traffic classification rules that you create based on your requirements. Manual services are good for applying customized sets of rules to roles.
• Automated Service  - This service automatically creates a Layer 3 IP address rule with a specified action (class of service and/or access control), for each device in a particular network resource group. You create a network resource group using a list of IP addresses or an IP subnet, and then associate the group with the Automated service (see How to Create a Network Resource Group for more information). You cannot create manual rules for an Automated service, and IP address is the only rule type available for Automated services.

There are two ways to create a service:

• Using the Service Wizard: The Service Wizard is a series of windows that leads you through all the steps required to create either type of service, including defining the traffic classification rules that will apply to a Manual service. The first two Service Wizard windows ask you to provide a name for the service and specify whether it is a Manual or Automated service. The subsequent windows depend on whether or not the service is Manual or Automated. If it is Manual, they are similar to the Rule Wizard windows, except that you can create as many rules as you need without leaving the wizard. Use the Service Wizard if you want to create all the rules for a service at once.
• Using the Service Tabs: Creating a service using the service tabs consists of creating a name for the service using the Create Service menu option, and defining the service using the service General tab. If you are creating a Manual service, you can then use the Classification Rule Wizard (or the Create Rule menu option and the tabs for the rule) to define the rules for the service. Creating a service this way accomplishes the same things as the Service Wizard, but enables you to do only those parts of the procedure you want to do, when you want to do them. You can also use the service tabs and rule tabs to modify an existing service and its rules.

Once you've created a service, you can apply it to any number of roles in Policy Manager. A role may utilize both Manual and Automated services.

Instructions on:

• Using the Service Wizard
• Using the Service Tabs
• Modifying a Service
• Saving Services to a .pmd File
• Deleting a Service

Using the Service Wizard

	NOTE:	The Service Wizard is accessed from the Role Wizard if you elect to create a new service while creating the role. The Service Wizard opens, then returns you to the Role Wizard after the service has been created. If you have accessed the Service Wizard from the Role Wizard, you can skip the first two steps of the procedure below.

1. In the Policy Manager left panel, select the Services tab.
2. Right-click on the Services folder and select Service Wizard.
3. In the Name window, type a name for the service. (The service name is case-sensitive; therefore, Policy Manager sees "Engineer" and "engineer" as two different service names.) Click Next.
4. In the Service Type window, select either Manual or Automated, and click Next. The subsequent windows depend on which type of service you are creating.
   
   For a Manual service:
   1. In the rule Name window, type a name for the first rule you want to apply to this service, and click Next. You will now be creating the rule. For more information on what you will encounter in the following windows, see Traffic Classification Rules and/or How to Create or Modify a Rule.
   2. In the Rule Status window, you can elect to disable the rule at this time.  If you disable the rule, it is temporarily unavailable for use by the current service, but it can still be copied to other services and enabled, or re-enabled at another time for the current service. Click Next to continue.
   3. In the Rule Type window, specify the type of device the rule will apply to when enforced. The recommended selection is All Devices, unless there is a specific need for a device-specific rule, such as when support for a traffic description and/or action is not available on all managed devices. In that case, you can create a rule specific to a certain device type.
   4. In the Traffic Classification Layer window, select a Traffic Classification Layer and click Next. Each layer has multiple Classification Types. See Classification Types and their Parameters for a description of classification layers and types.
   5. Select the desired Classification Type and click Next.
   6. Each Classification Type requires certain parameters and/or values. See Classification Types and their Parameters for parameter information. Select and/or enter the required parameters and click Next.
   7. In the Traffic Description Summary window, review the summary of the traffic description you have added to the rule.
      • If you are satisfied with the description, click Next.
      • To change the description, select it, then click Remove and Add. This returns you to the Traffic Classification Layer window. Repeat steps d through g.
   8. In the Actions window, define the actions to apply to the rule:
      • CoS: To assign a class of service to the traffic, select the CoS checkbox. This opens the Classes of Service Selection View, where you can select a class of service for the traffic. (See How to Create a Class of Service for more information.) Click OK to return to the Actions window.
      • Access Control: To assign access control (a VLAN), select the Access Control checkbox and choose one of the following options (see Access Control for more information):
        • Permit Traffic: If you want to allow traffic to be forwarded with the port's assigned VID, select this option and click Next.
        • Deny Traffic:
          • If you want to deny traffic and one Discard VLAN exists: Select this option (the Discard VLAN is already selected), then click Next.
          • If you want to deny traffic and no Discard VLAN exists: Select this option, then click New to create a new Discard VLAN, then select it from the list and click Next.
          • If you want to deny traffic and more than one Discard VLAN exists: Select this option and choose the appropriate VLAN from the list, then click Next.
        • Contain to VLAN: If you want to contain traffic for this rule, select this option, then select the appropriate VLAN from the list, and click Next.
   9. In the Rule Usage window, specify the rule usage actions that you want enabled for the rule. When rule accounting is enabled on a device, each rule keeps a list of the ports on which it has been used. This window allows you to specify certain rule usage actions to take place when a "rule hit" is reported.
      • Generate System Log on Rule Hit - When this checkbox is selected, a syslog message is generated when the rule is used.
      • Generate Audit Trail on Rule Hit - When this checkbox is selected, an audit trap is generated when the rule is used.
      • Disable Port on Rule Hit - When this checkbox is selected, any port reported as using this rule will be disabled.
   10. In the Classification Rule Summary window, view the rule(s) for the service. 
       • To remove a rule from the service, select it, then click Remove.
       • To add another rule to the service, click Add. This returns you to the rule Name window. Repeat steps a through i.
         Note: When you add more than one rule to a service, Policy Manager checks for conflicts with other rules in the service. See Conflict Checking for more information.
   11. In the Service Role window, you can select the role(s) to which the service will apply. If you want to create a new role to add to the list before selecting, click New.
   12. If you are satisfied with the rule(s) for the service, click Finish and go on to step 5.
       Note: If you came to the Service Wizard via the Role Wizard, you will return to the Role Wizard when you click Finish.
   
   
   For an Automated service:
   1. In the Network Resources window, select the network resource group to which the service will apply. You can add a new network resource group to the selections by clicking New, filling out the Create Network Resource window, and clicking OK. Select the type of IP address rule you want to create (Bilateral, Source, or Destination) for the IP addresses in the network resource group. IP address is the only rule type available for an Automated service. Click Next.
   2. In the Actions window, define the actions to apply to the rule:
      • CoS: To assign a class of service to the traffic, select the CoS checkbox. This opens the Classes of Service Selection View, where you can select a class of service for the traffic. (See How to Create a Class of Service for more information.) Click OK to return to the Actions window.
      • Access Control: To assign access control (a VLAN), select the Access Control checkbox and choose one of the following options (see Access Control for more information):
        • Permit Traffic: If you want to allow traffic to be forwarded with the port's assigned VID, select this option and click Next.
        • Deny Traffic:
          • If you want to deny traffic and one Discard VLAN exists: Select this option (the Discard VLAN is already selected), then click Next.
          • If you want to deny traffic and no Discard VLAN exists: Select this option, then click New to create a new Discard VLAN, then select it from the list and click Next.
          • If you want to deny traffic and more than one Discard VLAN exists: Select this option and choose the appropriate VLAN from the list, then click Next.
        • Contain to VLAN: If you want to contain traffic for this rule, select this option, then select the appropriate VLAN from the list, and click Next.
   3. In the Rule Usage window, specify the rule usage actions that you want enabled for all the rules in this service. When rule accounting is enabled on a device, each rule keeps a list of the ports on which it has been used. This window allows you to specify certain rule usage actions to take place when a "rule hit" is reported.
      • Generate System Log on Rule Hit - When this checkbox is selected, a syslog message is generated when the rule is used.
      • Generate Audit Trail on Rule Hit - When this checkbox is selected, an audit trap is generated when the rule is used.
      • Disable Port on Rule Hit - When this checkbox is selected, any port reported as using this rule will be disabled.
   4. In the Service Role window, you can select the role(s) to which the service will apply. If you want to create a new role to add to the list before selecting, click New.
   5. Click Finish and go on to step 5.
      Note: If you came to the Service Wizard via the Role Wizard, you will return to the Role Wizard when you click Finish.
   
   
   
5. To add a detailed description for the service, select the service in the left panel and the General tab in the right panel. Type the description in the Description area.
6. Now that the service has been created, you can:
• Add the service to a role
• Add the service to a service group
7. Enforce to write the new information to the devices.

Using the Service Tabs

The following steps depend on whether you are creating a Manual or an Automated service. For an Automated service, you will create the service and select the network resource group to which the service will apply. Then you will use the General tab to define the class of service and/or access control (VLAN) for the service. For a Manual service, you will create the service and then use the Classification Rule Wizard (or the Create Rule menu option and the tabs for the rule) to define the rules for the service.

Creating an Automated Service

1. In the left panel, select the Services tab.
2. Expand the Services folder. Right-click the Automated Services folder, and select Create Service. This brings up the network resources Selection View. Select the network resource group which will be associated with the service, and click OK. You can add a new network resource group to the selections by clicking New, filling out the Create Network Resource window, and clicking OK. You can also create an Automated service in a Service Group folder, in which case the service is automatically added to the Automated Services folder as well.
3. A New Service item is created in the left panel under the Automated Services folder, in a highlighted box.
4. Type the service name in the highlighted box. The service name is case-sensitive; therefore, Policy Manager sees "Engineer" and "engineer" as two different service names. Press the Enter key. If you don't do this, the name will remain "New Service."
5. In the service General tab, define the rule type, class of service and/or access control (VLAN) actions for the service, and enter a description, if desired.
6. In the Rule Usage tab, specify any actions you would like taken if the rules in this service are used on a port.
7. Enforce to write the new information to your devices.

Creating a Manual Service

1. In the left panel, select the Services tab.
2. Expand the Services folder. Right-click the Services folder or Manual Services folder, and select Create Service. This creates a New Service item in the left panel under the Manual Services folder, in a highlighted box. You can also create a Manual service in a Service Group folder, in which case the service is automatically added to the Manual Services folder as well.
3. Type the service name in the highlighted box. The service name is case-sensitive; therefore, Policy Manager sees "Engineer" and "engineer" as two different service names. Press the Enter key. If you don't do this, the name will remain "New Service."
4. In the service General tab, enter a description for the service at the bottom of the tab, if desired.
5. Define rules for the service, as follows:
   • To associate an existing rule with the new service:  In the left panel Services tab, open a service you know has the rule, then drag the rule to the new service. This creates a copy of the existing rule, with all its characteristics. To give the rule another name, right-click the copy, select Rename, then type the new name in the highlighted box.
   • To create new rules for the service:  Use one of the following methods:
     • Using the Classification Rule Wizard
     • Using the Rule Tabs
   Note: When you add more than one rule to a service, Policy Manager checks for conflicts with other rules in the service. See Conflict Checking for more information.
6. Enforce to write the new information to your devices.

Modifying a Service

• Modifying a Service Description
• Modifying a Service Name
• Modifying the Roles for a Service
• Modifying the Rules for a Manual Service
• Modifying an Automated Service

Modifying a Service Description

Modifying a Service Name

1. In the left panel, select the Services tab.
2. Expand the Services folder and select the service you want to modify.
   Note: If the service is a member of a service group and it's more convenient, you can find the service under the service group in the Service Groups folder. Any change you make to the name there will also be reflected in the Services folder.
3. Right-click the service whose name you want to change, and select Rename.
4. Type the new name in the highlighted box.
5. Click Save to save the change to the database.

Modifying the Roles for a Service

1. In the left-panel Services tab, select the service you want to modify.
2. In the right panel, select the Roles tab.

To modify the roles associated with a service, use the role Add/Remove Services window, which you can access from the service Roles tab as follows:

1. Select a role, then click View/Edit Role. This opens the left-panel Roles tab with the role selected. You can then access the Services tab in the right panel.
2. On the role Services tab, click the Add/Remove Services button. This opens the role Add/Remove Services window, where you can:
• Add the service or any other service to any role.
• Remove the service from the selected role or from any other role.
3. Enforce to write the new information to your devices.

Modifying the Rules for a Manual Service

1. In the left panel, select the Services tab and locate the service you want to modify in the Manual Services folder.
   Note: If the service is a member of a service group and it's more convenient, you can find the service under the service group in the Service Groups folder. Any change you make to the rule there will also be reflected in the Manual Services folder.
2. Expand the service so that its rules are displayed.
3. Select the rule you want to change, then use the right-panel tabs to make your changes. See Modifying a Rule for more information.
4. Enforce to write the new information to your devices.

Modifying an Automated Service

1. In the left panel, select the Services tab and locate the service you want to modify in the Automated Services folder.
   Note: If the service is a member of a service group and it's more convenient, you can find the service under the service group in the Service Groups folder. Any change you make to the service there will also be reflected in the Automated Services folder.
2. Select the General tab in the right panel
3. To change the Network Resources with which the service is associated, click the Network Resources Select button, select the network resource group, and click OK.
4. Modify the remaining characteristics of the Automated service as required.
5. Enforce to write the new information to your devices.

Saving Services to a .pmd File

• Special characters such as  / \ : ? " <  > | are not allowed.
• On the Windows platform, the file name is not case-sensitive; therefore, Policy Manager sees X.pmd and x.pmd as the same file name.
• On the Solaris platform, the file name is case-sensitive; therefore, Policy Manager sees X.pmd and x.pmd as two different file names.

1. In the left panel, select the Services tab.
2. Expand the Services folder.
3. Right-click the service in the left panel and select Save Service(s) As.
4. In the File name field, enter a name for the .pmd file.
5. Click Save, then click OK to clear the confirmation message.

1. In the left panel, select the Services tab.
2. Select the Services folder (or select the Service Groups folder and then a service group).
3. In the right Details View panel, hold down the Shift key (for sequential services) or Ctrl key (for non-sequential services) key and select the services.
4. Right-click the services and select Save Service(s) As.
5. In the File name field, enter a name for the .pmd file.
6. Click Save, then click OK to clear the confirmation message.

Deleting a Service

1. In the left panel, select the Services tab.
2. Expand the Services folder.
   Note: If the service is a member of a service group and it's more convenient, you can alternatively find the service under the service group in the Service Groups folder. Deleting the service there also deletes the service wherever else it exists.
3. Right-click the service you want to delete, and select Delete.
4. Click Yes to confirm, then OK to clear the confirmation message.
5. Enforce to write the change to your devices.

Related Information

• Traffic Classification Rules

• Adding Services to Roles
• Adding Services to Service Groups
• Creating Service Groups
• How to Create a Class of Service
• How to Create a Network Resource Group
• How to Create or Modify a Rule
• How to Define a Rate Limit
• Using the Rule Wizard
• Using the Traffic Description Wizard

• Details View Tabs
• General Tab (Service)
• Roles Tab (Service)