How to Create a Service

---

Services are sets of rules that define how network traffic for a particular network service or application should be handled by a network access device. A service might consist of only one rule governing, for example, email priority, or it might consist of a complex set of rules combining class of service, filtering, rate limiting, and access control (VLAN) assignment. Policy Manager allows you to create Local Services (services that are unique to the current domain) and Global Services (services that are common to all domains). Global Services let you easily create and manage services that are shared between all your domains.

Services can be one of two types: Manual Service or Automated Service.

• Manual Service  - This service consists of one or more traffic classification rules that you create based on your requirements. Manual services are good for applying customized sets of rules to roles.
• Automated Service  - This service automatically creates a rule with a specified action (class of service and/or access control), for each device in a particular network resource group or groups. You create a network resource group using a list of MAC or IP addresses, and then associate the group with the Automated service (see How to Create a Network Resource for more information). Automated rule types include Layer 2 MAC Address rules, Layer 3 IP Address and IP Socket rules, and Layer 4 IP UDP Port and IP TCP Port rules.

There are two ways to create a service:

• Using the Service Wizard: The Service Wizard is a series of windows that leads you through all the steps required to create either type of service, including defining the traffic classification rules that will apply to a Manual service. The first two Service Wizard windows ask you to provide a name for the service and specify whether it is a Manual or Automated service. The subsequent windows depend on whether or not the service is Manual or Automated. If it is Manual, they are similar to the Rule Wizard windows, except that you can create as many rules as you need without leaving the wizard. Use the Service Wizard if you want to create all the rules for a service at once.
• Using the Service Tabs: Creating a service using the service tabs consists of creating a name for the service using the Create Service menu option, and defining the service using the service General tab. If you are creating a Manual service, you can then use the Classification Rule Wizard (or the Create Rule menu option and the tabs for the rule) to define the rules for the service. Creating a service this way accomplishes the same things as the Service Wizard, but enables you to do only those parts of the procedure you want to do, when you want to do them. You can also use the service tabs and rule tabs to modify an existing service and its rules.

Once you've created a service, you can apply it to any number of roles in Policy Manager. A role may utilize both Manual and Automated services.

Instructions on:

• Using the Service Wizard
• Using the Service Tabs
• Modifying a Service
• Saving Services to a .pmd File
• Deleting a Service

Using the Service Wizard

The Service Wizard is a series of windows that leads you through all the steps required to create a service. During the creation of a service, you will be asked to decide whether the service is Manualor Automated.

	NOTE:	The Service Wizard is accessed from the Role Wizard if you elect to create a new service while creating the role. The Service Wizard opens, then returns you to the Role Wizard after the service has been created. If you have accessed the Service Wizard from the Role Wizard, you can skip the first two steps of the procedure below.

1. In the Policy Manager left panel, select the Services tab.
2. Expand either the Local Services folder or the Global Services folder depending on whether you want the service to be local (unique to the current domain) or global (shared between all your domains).
3. Right-click on the Services folder and select Service Wizard.
4. In the Service Name window, type a name for the service. (The service name is case-sensitive; therefore, Policy Manager sees "Engineer" and "engineer" as two different service names.) Click Next.
5. In the Service Type window, select either Manualor Automated, and click Next. The subsequent windows depend on which type of service you are creating.
   
   For a Manual service:
   1. In the Rule Name window, type a name for the first rule you want to apply to this service, and click Next. You will now be creating the rule. For more information on what you will encounter in the following windows, see Traffic Classification Rulesand/or How to Create or Modify a Rule.
   2. In the Rule Status window, you can elect to disable the rule at this time. If you disable the rule, it is temporarily unavailable for use by the current service, but it can still be copied to other services and enabled, or re-enabled at another time for the current service. Click Next to continue.
   3. In the Rule Type window, specify the type of device the rule will apply to when enforced. The recommended selection is All Devices, unless there is a specific need for a device-specific rule, such as when support for a traffic description and/or action is not available on all managed devices. In that case, you can create a rule specific to a certain device type.
   4. In the Rule TCI Overwrite window, specify the TCI Overwrite functionality for the rule:
      • Disabled - If this option is disabled the TCI Overwrite option is ignored, but lower-precedence rules and the role default actions may still specify TCI Overwrite for the data packet if there is a match.
      • Enabled - Enabling TCI Overwrite allows the VLAN (access control) and class of service characteristics defined in this rule to overwrite the VLAN or class of service (CoS) tag in a received packet, if that packet has already been tagged with VLAN or CoS information.
      • Prohibited - Do not set TCI Overwrite for this data packet, even when a lower-precedence rule or the role default actions has the TCI Overwrite option set to enabled.
   5. In the Traffic Classification Layer window, select All Layers or a specific Traffic Classification Layer and click Next. Each layer has multiple Classification Types. See Classification Types and their Parameters for a description of classification layers and types.
   6. Select the desired Classification Type and click Next.
   7. Each Classification Type requires certain parameters and/or values. See Classification Types and their Parameters for parameter information. Select and/or enter the required parameters and click Next.
   8. In the Actions window, define the actions to apply to the rule, then click Next to continue. Actions apply access control, class of service, and/or accounting and security behavior to packets matching the rule.
      • Access Control: Choose one of the following options:
        • None - No default access control specified.
        • Permit Traffic: Allows traffic to be forwarded with the port's assigned VID.
        • Deny Traffic: Traffic will be automatically discarded.
        • Contain to VLAN: If you want to contain traffic for this rule, select this option, then select the appropriate VLAN from the list.
      • Class of Service: Use the drop-down list to select a class of service for the traffic.
      • Accounting/Security: When rule accounting is enabled on a device, each rule keeps a list of the ports on which it has been used. Use these options to specify certain rule usage actions to take place when a "rule hit" is reported. Specifying "Prohibited" will prevent lower priority rules and the role's default actions from triggering the action.
        • System Log:
          • Enabled - If this option is enabled, a syslog message is generated when the rule is used. This option must be enabled if you are configuring Policy Rule Hit Reporting on your devices.
          • Disabled - If this option is disabled and this rule is hit, it does not generate a Syslog message, but lower-precedence rules and the role default actions may still specify a syslog message be sent for this data packet if there is a match.
          • Prohibited - If this rule is hit, no syslog message is generated for this data packet, even when a lower-precedence rule or the role default actions has the System Log action set to enabled.
        • Audit Trap:
          • Enabled - If this option is enabled, an audit trap is generated when the rule is used.
          • Disabled - If this option is disabled and this rule is hit, it does not generate an audit trap, but lower-precedence rules and the role default actions may still specify generating an audit trap for this data packet if there is a match.
          • Prohibited - If this rule is hit, no audit trap is generated for this data packet, even when a lower-precedence rule or the role default actions has the Audit Trap action set to enabled.
        • Disable Port:
          • Enabled - If this option is enabled, any port reported as using this rule will be disabled. Ports that have been disabled due to this option are displayed in the device Role/Rule tab.
          • Disabled - If this option is disabled and this rule is hit, it does not disable the port, but lower-precedence rules and the role default actions may still specify disabling the port for this data packet if there is a match.
          • Prohibited - If this rule is hit, the port is not disabled, even when a lower-precedence rule or the role default actions has the Disable Port action set to enabled.
        • Quarantine Role:
          • Select Role - Use the drop-down list to select the role that you want to assign as a Quarantine role.
          • Disabled - If this option is disabled and this rule is hit, a Quarantine role will not be assigned, but lower-precedence rules may still specify a Quarantine role for this data packet if there is a match.
          • Prohibited - If this rule is hit, a Quarantine role will not be assigned, even when a lower-precedence rule has a Quarantine role action specified.
        • Traffic Mirror:
          • Select port group(s) - Use the drop-down menu to specify the port groups where mirrored traffic is sent for monitoring and analysis.
            You will see an option below to mirror only the first (N) packets of a flow. This option is intended for use when mirroring traffic to an Application Analytics engine. The Application Analytics engine only needs the initial packets of a flow to properly identify the traffic, and setting this option will reduce network traffic overhead for the switch and engine. By default this number is set to 10, but can be changed by clicking on the Edit button . Note that the value you set is used by all mirror actions in use in the current domain.
          • Disabled - If this option is disabled and this rule is hit, traffic mirroring will not take place, but lower-precedence rules and the role default actions may still specify traffic mirroring for this data packet if there is a match.
          • Prohibited - If this rule is hit, traffic mirroring is disabled, even when a lower-precedence rule or the role default actions has the Traffic Mirror action specified.
   9. In the Classification Rule Summary window, view the rule(s) for the service. 
      • To remove a rule from the service, select it, then click Remove.
      • To add another rule to the service, click Add. This returns you to the rule Name window. Repeat steps a through h.
        Note: When you add more than one rule to a service, Policy Manager checks for conflicts with other rules in the service. See Conflict Checking for more information.
   10. In the Service Role window, you can select the role(s) to which the service will apply. If you want to create a new role to add to the list before selecting, click New.
   11. Click Finishand the service will be created under the Manual Services folder in the left-panel tree. Go on to step 6.
       Note: If you came to the Service Wizard via the Role Wizard, you will return to the Role Wizard when you click Finish.
   
   For an Automated service:
   1. In the Rule TCI Overwrite window, specify the TCI Overwrite functionality for the rule:
      • Disabled - If this option is disabled the TCI Overwrite option is ignored, but lower-precedence rules and the role default actions may still specify TCI Overwrite for the data packet if there is a match.
      • Enabled - Enabling TCI Overwrite allows the VLAN (access control) and class of service characteristics defined in this rule to overwrite the VLAN or class of service (CoS) tag in a received packet, if that packet has already been tagged with VLAN or CoS information.
      • Prohibited - Do not set TCI Overwrite for this data packet, even when a lower-precedence rule or the role default actions has the TCI Overwrite option set to enabled.
   2. In the Automated Rules window, select the network resource type (Layer 2 MAC or Layer 3 IP). This will determine the list of network resources available for selection for this service. Select the type of rule you want to create. Some rule types require that you enter certain parameters and/or values; see Classification Types and their Parameters for parameter information. Select the network resources to which the service will apply by clicking the Add button.
   3. In the Actions window, define the actions to apply to the rule, then click Next to continue. Actions apply access control, class of service, and/or accounting and security behavior to packets matching the rule.
      • Access Control: Choose one of the following options:
        • None - No default access control specified.
        • Permit Traffic: Allows traffic to be forwarded with the port's assigned VID.
        • Deny Traffic: Traffic will be automatically discarded.
        • Contain to VLAN: Contains traffic to a specific VLAN. Select the appropriate VLAN from the list. If you want to create a new VLAN to add to the list, click the menu button to the right of the VLAN field and click Add.
      • Class of Service: Select the desired class of service in the list. To create a new Class of Service to add to the list, click the menu button to the right of the field and click Add. The Create Class of Service window opens where you create a new Class of Service.
      • Accounting/Security: When rule accounting is enabled on a device, each rule keeps a list of the ports on which it has been used. Use these options to specify certain rule usage actions to take place when a "rule hit" is reported. Specifying "Prohibited" will prevent lower priority rules and the role's default actions from triggering the action.
        • System Log:
          • Enabled - If this option is enabled, a syslog message is generated when the rule is used. This option must be enabled if you are configuring Policy Rule Hit Reporting on your devices.
          • Disabled - If this option is disabled and this rule is hit, it does not generate a Syslog message, but lower-precedence rules and the role default actions may still specify a syslog message be sent for this data packet if there is a match.
          • Prohibited - If this rule is hit, no syslog message is generated for this data packet, even when a lower-precedence rule or the role default actions has the System Log action set to enabled.
        • Audit Trap:
          • Enabled - If this option is enabled, an audit trap is generated when the rule is used.
          • Disabled - If this option is disabled and this rule is hit, it does not generate an audit trap, but lower-precedence rules and the role default actions may still specify generating an audit trap for this data packet if there is a match.
          • Prohibited - If this rule is hit, no audit trap is generated for this data packet, even when a lower-precedence rule or the role default actions has the Audit Trap action set to enabled.
        • Disable Port:
          • Enabled - If this option is enabled, any port reported as using this rule will be disabled. Ports that have been disabled due to this option are displayed in the device Role/Rule tab.
          • Disabled - If this option is disabled and this rule is hit, it does not disable the port, but lower-precedence rules and the role default actions may still specify disabling the port for this data packet if there is a match.
          • Prohibited - If this rule is hit, the port is not disabled, even when a lower-precedence rule or the role default actions has the Disable Port action set to enabled.
        • Traffic Mirror:
          • Select port group(s) - specify port groups where mirrored traffic will be sent for monitoring and analysis.
          • Disabled - If this option is disabled and this rule is hit, traffic mirroring will not take place, but lower-precedence rules and the role default actions may still specify traffic mirroring for this data packet if there is a match.
          • Prohibited - If this rule is hit, traffic mirroring is disabled, even when a lower-precedence rule or the role default actions has the Traffic Mirror action specified.
   4. In the Service Role window, you can select the roles to which the service will apply. If you want to create a new role to add to the list before selecting, click New.
   5. Click Finish and the service will be created under the Automated Services folder in the left-panel tree. Go on to step 6.
      Note: If you came to the Service Wizard via the Role Wizard, you will return to the Role Wizard when you click Finish.
6. To add a detailed description for the service, select the service in the left panel and the General tab in the right panel. Click the Edit button to enter a description in the Description field.
7. Now that the service has been created, you can:
• Add the service to a role
• Add the service to a service group
8. Enforce to write the new information to the devices.

Using the Service Tabs

The following steps depend on whether you are creating a Manual or an Automated service. For an Automated service, you will create the service and use the General tab to define the class of service and/or access control for the service. For a Manual service, you will create the service and then use the Classification Rule Wizard (or the Create Rule menu option and the tabs for the rule) to define the rules for the service.

Creating an Automated Service

1. In the left panel, select the Services tab.
2. Expand either the Local Services folder or the Global Services folder depending on whether you want the service to be local (unique to the current domain) or global (shared between all your domains).
3. Right-click on the Services folder and select Create Automated Service. A New Service item is created in the left panel in a highlighted box.
4. Type the service name in the highlighted box. The service name is case-sensitive; therefore, Policy Manager sees "Engineer" and "engineer" as two different service names. Press the Enter key. If you don't do this, the name will remain "New Service."
5. In the service General tab, define the rule's traffic description and actions, and enter a description of the service, if desired. For information on configuring the fields on this tab, see the General Tab (Service) Help topic.
6. Enforce to write the new information to your devices.

Creating a Manual Service

1. In the left panel, select the Services tab.
2. Expand either the Local Services folder or the Global Services folder depending on whether you want the service to be local (unique to the current domain) or global (shared between all your domains).
3. Right-click on the Services folder and select Create Service. A New Service item is created in the left panel in a highlighted box.
4. Type the service name in the highlighted box. The service name is case-sensitive; therefore, Policy Manager sees "Engineer" and "engineer" as two different service names. Press the Enter key. If you don't do this, the name will remain "New Service."
5. In the service General tab, enter a description for the service, if desired.
6. Define rules for the service, as follows:
   • To associate an existing rule with the new service:  In the left panel Services tab, open a service you know has the rule, then drag the rule to the new service. This creates a copy of the existing rule, with all its characteristics. To give the rule another name, right-click the copy, select Rename, then type the new name in the highlighted box.
   • To create new rules for the service:  Use one of the following methods:
     • Using the Classification Rule Wizard
     • Using the Rule General Tab
   
   
   Note: When you add more than one rule to a service, Policy Manager checks for conflicts with other rules in the service. See Conflict Checking for more information.
7. Enforce to write the new information to your devices.

Modifying a Service

Once you've created a service, you can change its characteristics by selecting the service or its rules in the left-panel Services tab and using the menu options or associated right-panel tabs.

• Modifying a Service Description
• Modifying a Service Name
• Modifying the Roles for a Service
• Modifying the Rules for a Manual Service
• Modifying an Automated Service

Modifying a Service Description

You can edit the description for the service on the service General tab. Click Save to save the change to the database.

Modifying a Service Name

1. In the left panel, select the Services tab.
2. Expand the Local or Global Services folder and then the Services folder, and select the service you want to modify.
   Note: If the service is a member of a service group and it's more convenient, you can find the service under the service group in the Service Groups folder. Any change you make to the name there will also be reflected in the Services folder.
3. Right-click the service whose name you want to change, and select Rename.
4. Type the new name in the highlighted box.
5. Click Save to save the change to the database.

Modifying the Roles for a Service

You can see all the roles associated with a particular service in the Role/Service Usage window.

1. In the left-panel Services tab, select the service you want to modify.
2. Right-click on the service and select Role Usage from the menu. The Role/Service Usage window opens where you can view and edit the roles associated with the service.

To modify the roles associated with a service, use the role Add/Remove Services window, which you can access from the Role/Service Usage window as follows:

1. Select a role, then click View/Edit Role. This opens the left-panel Roles tab with the role selected, and the General tab in the right panel.
2. In the Services section, click the Add/Remove Servicesbutton. This opens the role Add/Remove Services window, where you can:
• Add the service or any other service to any role.
• Remove the service from the selected role or from any other role.
3. Enforce to write the new information to your devices.

Modifying the Rules for a Manual Service

1. Select the left-panel Services tab and locate the service you want to modify in the Manual Services folder.
   Note: If the service is a member of a service group and it's more convenient, you can find the service under the service group in the Service Groups folder. Any change you make to the rule there will also be reflected in the Manual Services folder.
2. Expand the service so that its rules are displayed.
3. Select the rule you want to change, then use the right-panel tabs to make your changes.
4. Enforce to write the new information to your devices.

Modifying an Automated Service

1. Select the left-panel Services tab and locate the service you want to modify in the Automated Services folder.
   Note: If the service is a member of a service group and it's more convenient, you can find the service under the service group in the Service Groups folder. Any change you make to the service there will also be reflected in the Automated Services folder.
2. Select the General tab in the right panel
3. To change the Network Resources with which the service is associated, use the Network Resources drop-down list to select a new network resource group.
4. Modify the remaining characteristics of the Automated service as required. For information on configuring the fields on this tab, see the General Tab (Service) Help topic.
5. Enforce to write the new information to your devices.

Saving Services to a .pmd File

Policy Manager enables you to save a service or services to a Policy Manager database (.pmd) file, allowing you to import the services into another domain. When you create a file name, keep the following in mind:

• Special characters such as  / \ : ? " <  > | are not allowed.
• On the Windows platform, the file name is not case-sensitive; therefore, Policy Manager sees X.pmd and x.pmd as the same file name.
• On the Linux platform, the file name iscase-sensitive; therefore, Policy Manager sees X.pmd and x.pmd as two different file names.

To save a single service:

1. Select the left-panel Services tab.
2. Expand the Services folder.
3. Right-click the service in the left panel and select Export Service(s) To File.
4. In the File name field, enter a name for the .pmd file.
5. Click Save, then click OK to clear the confirmation message.

To save multiple services:

1. Select the left-panel Services tab.
2. Select the Services folder (or select the Service Groups folder and then a service group).
3. In the right Details View panel, hold down the Shiftkey (for sequential services) or Ctrl key (for non-sequential services) key and select the services.
4. Right-click the services and select Export Service(s) To File.
5. In the File name field, enter a name for the .pmd file.
6. Click Save, then click OK to clear the confirmation message.

Deleting a Service

Deleting a service removes the service and its rules. If copies of the rules exist for other services, those copies are not affected by the deletion. However, deleting the service removes it from any service groups and roles with which it was associated, so be sure the service is not needed before you delete it. Deleting a Global service deletes the service from all your domains.

1. Select the left-panel Services tab.
2. Expand the Services folder.
   Note: If the service is a member of a service group and it's more convenient, you can alternatively find the service under the service group in the Service Groups folder. Deleting the service there also deletes the service wherever else it exists.
3. Right-click the service you want to delete, and select Delete.
4. Click Yes to confirm, then OK to clear the confirmation message.
5. Enforce to write the change to your devices.

---

Related Information

For information on related concepts:

• Traffic Classification Rules

For information on related tasks:

• Adding Services to Roles
• Adding Services to Service Groups
• Creating Service Groups
• How to Create a Class of Service
• How to Create a Network Resource Group
• How to Create or Modify a Rule
• How to Define a Rate Limit
• Using the Rule Wizard
• Using the Traffic Description Wizard

For information on related windows:

• Details View Tabs
• General Tab (Service)