How to Create or Modify a Rule


Traffic Classification rules allow you to assign a class of service and/or access control (VLAN membership) to network traffic, depending on the traffic's classification type. Classification types are based on layers 2, 3, and 4 of the OSI model, and traffic is classified according to specific layer 2/3/4 information contained in each frame. For more information, see Traffic Classification Rules.

A rule has two main parts: Traffic Description and Actions. The Traffic Description identifies the type of traffic to which the rule will pertain. Actions specify whether that traffic will be assigned class of service, access control, or both.

There are two ways to create a rule:

  • Using the Classification Rule Wizard: The Classification Rule Wizard is a series of windows that leads you through all the steps required to create a rule, including defining the traffic description and the actions that will apply to it.
  • Using the Rule Tabs: Creating a rule manually consists of creating a name for the rule using the Create Classification Rule menu option, then using the rule's right panel General tab to specify its characteristics. Creating a rule using this method accomplishes the same things as the Classification Rule Wizard, but enables you to do only those parts of the procedure you want to do, when you want to do them. You can also use the right-panel General tab to modify an existing rule.

In order to create a rule, you must first create a service with which to associate it.

Using the Classification Rule Wizard

The Classification Rule Wizard is a series of windows that leads you through all the steps required to create a new rule.

  1. In the Policy Manager left panel, select the Services tab. 
  2. Expand either the Service Groups or Services folder and select the service for which you want to create a rule.
  3. From the menu bar, select Tools > Classification Rule Wizard. You can also right-click on the service and select the option from the menu. The Rule Wizard opens.
  4. In the Name window, enter a name for the rule and click Next.
  5. In the Rule Status window, you can elect to disable the rule at this time. If you disable the rule, it is temporarily unavailable for use by the current service, but it can be re-enabled at any time or copied to other services and enabled. See Disabling a Rule for more information. Click Next to continue.
  6. In the Rule Type window, specify the type of devices to which you wish this rule to apply when enforced. See Rule Type for more information on the consequences of your choice. Click Next to continue.
  7. In the Rule TCI Overwrite window, specify the TCI Overwrite functionality for the rule:
    • Disabled - If this option is disabled, the TCI Overwrite option is ignored, but lower-precedence rules and the role default actions may still specify TCI Overwrite for the data packet if there is a match.
    • Enabled - Enabling TCI Overwrite allows the VLAN (access control) and class of service characteristics defined in this rule to overwrite the VLAN or class of service (CoS) tag in a received packet, if that packet has already been tagged with VLAN or CoS information.
    • Prohibited - Do not set TCI Overwrite for this data packet, even when a lower-precedence rule or the role default actions has the TCI Overwrite option set to enabled.
  8. In the Traffic Classification Layer window, select All Layers or a specific Traffic Classification Layer and click Next. Each layer has multiple Classification Types. See Classification Types and their Parameters for a description of classification layers and types.
  9. In the Traffic Types window for your previous selection, choose the desired Classification Type and click Next.
  10. Each Traffic Classification Type requires certain parameters and/or values. See Classification Types and their Parameters for parameter information. Select and/or enter the required parameters and click Next.
  11. In the Actions window, define the actions to apply to the rule, then click Next to continue. Actions apply class of service, access control, and/or accounting and security behavior to packets matching the rule.
    • Access Control: To assign access control (a VLAN), use the drop-down list to select one of the following options:
      • Permit Traffic: If you want to allow traffic to be forwarded with the port's assigned VID, select this option.
      • Deny Traffic: Traffic matching this rule is automatically discarded.
      • Contain to VLAN: If you want to contain traffic for this rule, select this option, then select the appropriate VLAN from the list.
    • Class of Service: To assign a class of service to the traffic, use the drop-down list to select a class of service for the traffic.
    • Accounting/Security: When rule accounting is enabled on a device, each rule keeps a list of the ports on which it has been used. Use these options to specify certain rule usage actions to take place when a "rule hit" is reported. Specifying "Prohibited" will prevent lower priority rules and the role's default actions from triggering the action.
      • System Log:
        • Enabled - If this option is enabled, a syslog message is generated when the rule is used. This option must be enabled if you are configuring Policy Rule Hit Reporting on your devices.
        • Disabled - If this option is disabled and this rule is hit, it does not generate a syslog message, but lower-precedence rules and the role default actions may still specify a syslog message be sent for this data packet if there is a match.
        • Prohibited - If this rule is hit, no syslog message is generated for this data packet, even when a lower-precedence rule or the role default actions has the System Log action set to enabled.
      • Audit Trap:
        • Enabled - If this option is enabled, an audit trap is generated when the rule is used.
        • Disabled - If this option is disabled and this rule is hit, it does not generate an audit trap, but lower-precedence rules and the role default actions may still specify generating an audit trap for this data packet if there is a match.
        • Prohibited - If this rule is hit, no audit trap is generated for this data packet, even when a lower-precedence rule or the role default actions has the Audit Trap action set to enabled.
      • Disable Port:
        • Enabled - If this option is enabled, any port reported as using this rule will be disabled. Ports that have been disabled due to this option are displayed in the device Role/Rule tab.
        • Disabled - If this option is disabled and this rule is hit, it does not disable the port, but lower-precedence rules and the role default actions may still specify disabling the port for this data packet if there is a match.
        • Prohibited - If this rule is hit, the port is not disabled, even when a lower-precedence rule or the role default actions has the Disable Port action set to enabled.
      • Quarantine Role:
        • Select Role - Use the drop-down list to select the role that you want to assign as a Quarantine role.
        • Disabled - If this option is disabled and this rule is hit, a Quarantine role will not be assigned, but lower-precedence rules may still specify a Quarantine role for this data packet if there is a match.
        • Prohibited - If this rule is hit, a Quarantine role will not be assigned, even when a lower-precedence rule has a Quarantine role action specified.
      • Traffic Mirror:
        • Select port group(s) - Use the drop-down list to specify the port groups where mirrored traffic will be sent for monitoring and analysis.
          You will see an option below to mirror only the first (N) packets of a flow. This option is intended for use when mirroring traffic to an Application Analytics engine. The Application Analytics engine only needs the initial packets of a flow to properly identify the traffic, and setting this option will reduce network traffic overhead for the switch and engine. By default this number is set to 10, but can be changed by clicking on the Edit button. Note that the value you set is used by all mirror actions in use in the current domain.
        • Disabled - If this option is disabled and this rule is hit, traffic mirroring will not take place, but lower-precedence rules and the role default actions may still specify traffic mirroring for this data packet if there is a match.
        • Prohibited - If this rule is hit, traffic mirroring is disabled, even when a lower-precedence rule or the role default actions has the Traffic Mirror action specified.
  12. Click Finish.
  13. Enforce to write the new information to the devices.
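The Enabled/Disabled/Prohibited settings described for TCI Overwrite in step 7 and for the Accounting/Security actions in step 11 follow one pattern: Enabled fires the action when the rule is hit, Disabled defers to lower-precedence rules and then to the role default actions, and Prohibited blocks the action even if a lower-precedence rule or the role defaults would have enabled it. The Python model below is an added illustration of that resolution order; it is not Policy Manager code and not part of this documentation. It assumes the rule list is already sorted highest precedence first (on real devices precedence comes from the classification type), and the rule names, traffic-description fields, packets, and action-name keys are all constructed for the example.

```python
# Added example (not Policy Manager code): a small model of how the
# Enabled / Disabled / Prohibited settings on a rule action combine across
# rule precedence and the role default actions.  Rule names, traffic
# descriptions, packets and the precedence ordering are constructed for
# illustration; on real devices precedence comes from the classification type.
from dataclasses import dataclass
from enum import Enum


class Tri(Enum):
    """The three settings a rule can carry for an accounting/security action."""
    ENABLED = "enabled"        # fire the action when this rule is hit
    DISABLED = "disabled"      # no opinion: defer to lower-precedence rules
    PROHIBITED = "prohibited"  # block the action, whatever lower rules say


@dataclass
class Rule:
    name: str
    traffic: dict      # traffic description: field -> required value
    actions: dict      # action name -> Tri (absent means DISABLED)


def matches(rule: Rule, packet: dict) -> bool:
    """A rule is hit when every field of its traffic description matches."""
    return all(packet.get(k) == v for k, v in rule.traffic.items())


def resolve(action: str, rules: list, role_defaults: dict, packet: dict):
    """Decide whether `action` fires for `packet`.

    `rules` is assumed sorted highest precedence first.  The first matching
    rule that says ENABLED or PROHIBITED decides; DISABLED rules are skipped;
    if no rule decides, the role default actions apply.
    Returns (fires: bool, decided_by: str).
    """
    for rule in rules:
        if not matches(rule, packet):
            continue
        setting = rule.actions.get(action, Tri.DISABLED)
        if setting is Tri.ENABLED:
            return True, rule.name
        if setting is Tri.PROHIBITED:
            return False, rule.name
    fires = role_defaults.get(action, Tri.DISABLED) is Tri.ENABLED
    return fires, "role default actions"


def resolve_all(rules: list, role_defaults: dict, packet: dict) -> dict:
    """Resolve every action named by any rule or by the role defaults."""
    names = set(role_defaults)
    for rule in rules:
        names.update(rule.actions)
    return {a: resolve(a, rules, role_defaults, packet) for a in sorted(names)}


# Constructed rule set, highest precedence first.
RULES = [
    Rule("telnet-audit", {"ip_proto": "tcp", "dst_port": 23},
         {"system_log": Tri.ENABLED, "disable_port": Tri.PROHIBITED}),
    Rule("any-tcp", {"ip_proto": "tcp"},
         {"audit_trap": Tri.ENABLED, "system_log": Tri.DISABLED}),
]
# Constructed role default actions (applied only when no rule decides).
ROLE_DEFAULTS = {"system_log": Tri.DISABLED, "disable_port": Tri.ENABLED,
                 "tci_overwrite": Tri.ENABLED}

# Constructed packets carrying only the fields the rules examine.
TELNET = {"ip_proto": "tcp", "dst_port": 23}
HTTP = {"ip_proto": "tcp", "dst_port": 80}
DNS = {"ip_proto": "udp", "dst_port": 53}

if __name__ == "__main__":
    for label, pkt in (("telnet", TELNET), ("http", HTTP), ("dns", DNS)):
        print(label, resolve_all(RULES, ROLE_DEFAULTS, pkt))
```

Running the block shows the three behaviours side by side: the Telnet packet is logged by `telnet-audit`, whose Prohibited setting also keeps the role default from disabling the port; the HTTP packet has no rule opinion on Disable Port, so the role default fires; the DNS packet matches no rule at all and gets the role defaults for every action.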

Using the Rule General Tab

When you create a rule using the rule General tab, you first create and name the rule using the Create Classification Rule menu option, then define its characteristics in the General tab. You can also use the General tab to modify an existing rule's characteristics.

  1. In the Policy Manager left panel, select the Services tab.
  2. Expand either the Service Groups or Services folder and click on the service for which you want to create a rule.
  3. Right-click on the service and select Create Classification Rule.
  4. In the Create Classification Rule window, enter a name for the rule, and select the rule status and type. Click OK. The rule is created in the left-panel tree. You can now use the associated right-panel General tab to define the rule. Refer to the General tab Help topic for information on configuring the rule.
  5. Enforce to write the new information to the devices.

Disabling/Enabling a Rule

In Policy Manager, you can disable and enable individual or multiple rules. You can also disable and enable all the rules associated with a service, or all the rules for all the services in a service group. The rule icon in the left panel displays a red X if the rule is disabled.

Disabling a rule is an alternative to deleting and recreating it. If you disable a rule, it is temporarily unavailable for use by the service with which it is associated. However, the rule can be copied to another service and enabled for that service.

Disabling/Enabling an Individual Rule
These are the instructions for disabling and enabling rules using the rule's General tab. You can also disable/enable rules in the Rule Status window of the Service Wizard or Classification Rule Wizard, or by right-clicking on the rule and selecting Disable Rule(s) or Enable Rule(s).

  1. In the Policy Manager left panel, select the Services tab.
  2. Expand the Services folder and the service, to locate the rule you want to disable or enable. (If the rule is part of a service that is also a member of a service group, you can expand the Service Groups folder to find the rule.)
  3. Select the rule you want to disable or enable, and select the General tab in the right panel.
  4. In the General area, select Enable or Disable for the Rule Status. Disabling the rule turns on the red X on the rule icon in the left panel, and re-enabling it turns it off.
  5. Enforce to write the new information to the devices.

Disabling/Enabling Multiple Rules
These are instructions for disabling and enabling multiple rules in a single operation.

  1. In the Policy Manager left panel, select the Services tab.
  2. Expand the Services or Service Group folder and select the service containing the rules you want to disable or enable.
  3. In the right-panel Details View, multi-select the desired rules. Right-click and select Disable Rule(s) or Enable Rule(s).
  4. Enforce to write the new information to the devices.

Disabling/Enabling the Rules for a Service or Service Group
If a service is associated with more than one service group, disabling or enabling the rules for the service in one service group will disable/enable the rules for the service in the other service groups of which the service is a part.

  1. In the Policy Manager left panel, select the Services tab.
  2. Expand the Services or Service Group folder.
  3. Right-click the service or service group containing the rules you want to disable or enable and select Disable Rule(s) or Enable Rule(s).
  4. Click Yes to confirm the change.
  5. Enforce to write the new information to the devices.

Deleting a Rule

Deleting a rule removes the rule from a service. If the service is also part of a service group, the rule is deleted there as well, so be sure the rule is not needed before you delete it.

  1. In the Policy Manager left panel, click the Services tab.
  2. Expand the Services folder and the service to locate the rule you want to delete. (If the rule is part of a service that is also a member of a service group, you can expand the Service Groups folder to find the rule.)
  3. Right-click the rule you want to delete, and select Delete.
  4. Click Yes to confirm, then OK to clear the confirmation message. The rule is deleted wherever it exists.
  5. Enforce to write the new information to the devices.
