A Layer 4 virtual service works at the transport layer and makes use of the Layer 4 parameters (IP address, and TCP or UDP ports) for load balancing decisions. The Layer 4 policy set provides a way to manage functionality of Layer 4 virtual services. These policies are similar to the HTTP policies used by application-level virtual services on Avi Vantage.
Layer 4 Connection Policy and Action
Layer 4 connection policies are applied when new connections to Layer 4 virtual services are set up. Rules for a Layer 4 policy are written based on the layer 3 and the layer 4 connection parameters. The configured action for the policy selects a server pool or a pool group to serve the new connection.
With Layer 4 connection policies, the selection of a pool or a pool group is made based on the Layer 3 or the Layer 4 parameters (client IP address, Layer 4 destination port, and Layer 4 protocol). Each rule can have multiple matches and a single action. If the Layer 3 or the Layer 4 fields of a new connection request meet a rule-match criterion, then the corresponding configured action is chosen. The Layer 4 policy uses an OR operation for multiple matches of a single rule. If any one of the matches is met, the rule is considered matched. Each policy rule has an index and a name. An index is a number which indicates the order in which rules of a policy are applied. A rule with a lower index is applied before the rule with the higher index. A rule when matched selects a server pool if the configured action for this match is select_pool or it selects a pool group if the configured action is select_poolgroup.
Note:
Pool selection is often referred to as pool switching.
Default Policy
The Layer 4 policy and the corresponding configured action overrides the default selection of a pool or a pool group for a virtual service. If a new connection request does not match any of the configured policy rules, then the default pool or the default pool-group configured for the virtual service is selected.
Multiple Policies
A virtual service can have multiple Layer 4 policies. When a policy is linked to a virtual service, an index is specified for that policy. The index indicates the order in which policies are applied to a new virtual service connection. When multiple policies are configured for a virtual service, they are applied in the order of their index. A policy with a lower index is applied before a policy with the higher index.
Policy Sharing
Policies are not shared among virtual services; they are defined on a per virtual service basis. A Layer 4 connection policy can be applied only to a virtual service configured with the Application Profiles set to System-L4-Application or System-DNS.
Rule Attributes
The Layer 4 policy rule has the following attributes:
- Name
-
Name of the policy
- Index
-
An index is a number that indicates the order in which the rule is applied. Rules in a multi-rule policy are applied in the order of their index. A rule with lower index is applied before a rule with the higher index.
- Rule Matches
-
Rules specify values for Layer 3 or Layer 4 fields and match-criterion.
- Match criterion IS_IN
-
This indicates that the rule is considered matched when the Layer 3 or the Layer 4 fields of a connection request meet the configured criteria in the rule.
- Match criterion IS_NOT_IN
-
This indicates that the rule is considered matched when the Layer 3 or the Layer 4 fields of a connection request do not meet the configured criteria in the rule.
Match Targets
Match targets specify fields of the connection request to be evaluated for a match. Three fields can be specified for a match target which are as follows:
- Client IP Address
-
Matches source IP address of the connection request. Currently, only IPv4 addresses can be specified. This value can be specified as specific IP addresses, IP prefixes and as pre-defined IP-groups.
- Layer 4 Protocol
-
Protocol of the connection request — TCP or UDP.
- Layer 4 Destination Ports
-
If a virtual service is hosted on multiple ports, or a range of ports, then a policy rule can specify a subset of those ports as the specific ports, or the port sub-range.
Rule Action
A rule action specifies an action to be performed on a rule match. The same pool or the pool group can be referred in multiple rules. It specifies the type of action —
select_pool or
select_poolgroup and a reference to pre-configured back-end server pool, or a server pool group.
Rule Action |
Action Specification |
|---|---|
Select Pool |
Name of a single pool |
Select Pool Group |
Name of a single pool group |
Configuring Layer 4 Policy
A Layer 4 policy is configured using an NSX Advanced Load Balancer Controller shell prompt.
Login to the NSX Advanced Load Balancer Controller and use the configure l4policyset <policy name> command to configure the Layer 4 policies. The sample configuration shows below configures Layer 4 policies with the following rules:
Index Value |
Match Target |
Rule Action |
|---|---|---|
3 |
Layer 4 destination port |
|
1 |
Client IP Address |
Select Pool Group |
2 |
Layer 4 Protocol |
Select Pool |
admin-cntrlr: ~admin-cntrlr:~$ shell Login: admin Password: [admin-cntrlr]: > [admin-cntrlr]: > configure l4policyset test-l4-policy-1 [admin-cntrlr]: l4policyset> l4_connection_policy [admin-cntrlr]: l4policyset:l4_connection_policy> rules New object being created [admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 3 [admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-3 [admin-cntrlr]: l4policyset:l4_connection_policy:rules> match [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 120 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save [admin-cntrlr]: > configure l4policyset test-l4-policy-1 [admin-cntrlr]: l4policyset> l4_connection_policy [admin-cntrlr]: l4policyset:l4_connection_policy> rules New object being created [admin-cntrlr]: l4policyset:l4_connection_policy:rules> action [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_poolgroup [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_group_ref test-pool-grp-1 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules> save [admin-cntrlr]: l4policyset:l4_connection_policy> [admin-cntrlr]: l4policyset:l4_connection_policy> rules New object being created [admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 1 [admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-1 [admin-cntrlr]: l4policyset:l4_connection_policy:rules> match [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> client_ip [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> match_criteria is_in [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> addrs 10.140.100.120 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> addrs 10.140.100.130 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> prefixes 10.100.0.0/16 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> group_refs ip-grp-3 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 80 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> port_ranges New object being created [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> start 100 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> end 200 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules> action [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-1 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules> save [admin-cntrlr]: l4policyset:l4_connection_policy> rules New object being created [admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 2 [admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-2 [admin-cntrlr]: l4policyset:l4_connection_policy:rules> match [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> protocol [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> match_criteria is_not_in [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> protocol protocol_udp [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules> action [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-2 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules> save [admin-cntrlr]: l4policyset:l4_connection_policy> save [admin-cntrlr]: l4policyset> save +------------------------+----------------------------------------------+ | Field | Value | +------------------------+----------------------------------------------+ | uuid | l4policyset-56548582-dae0-499e-9434- | | name | test-l4-policy-1 | | l4_connection_policy | | | rules[1] | | | name | my-rule-3 | | index | 3 | | enable | True | | match | | | port | | | match_criteria | IS_IN | | ports[1] | 120 | | action | | | select_pool | | | action_type | L4_RULE_ACTION_SELECT_POOLGROUP | | pool_group_ref | test-pool-grp-1 | | rules[2] | | | name | my-rule-1 | | index | 1 | | enable | True | | match | | | client_ip | | | match_criteria | IS_IN | | addrs[1] | 10.140.100.120 | | addrs[2] | 10.140.100.130 | | prefixes[1] | 10.100.0.0/16 | | group_refs[1] | ip-grp-3 | | port | | | match_criteria | IS_IN | | ports[1] | 80 | | port_ranges[1] | | | start | 100 | | end | 200 | | action | | | select_pool | | | action_type | L4_RULE_ACTION_SELECT_POOL | | pool_ref | test-pool-1 | | rules[3] | | | name | my-rule-2 | | index | 2 | | enable | True | | match | | | protocol | | | match_criteria | IS_NOT_IN | | protocol | PROTOCOL_UDP | | action | | | select_pool | | | action_type | L4_RULE_ACTION_SELECT_POOL | | pool_ref | test-pool-2 | | is_internal_policy | False | | tenant_ref | admin | +------------------------+----------------------------------------------+
Associate the Layer 4 policy with the virtual service.
[admin-cntrlr]: > configure virtualservice test-l4-vs-1 Updating an existing object. Currently, the object is: +------------------------------------+----------------------------------+ | Field | Value | +------------------------------------+----------------------------------+ | uuid | virtualservice-ffdd94a8-31f0-43a5| | name | test-l4-vs-1 | | enabled | True | | services[1] | | | port | 80 | | enable_ssl | False | | port_range_end | 80 | | application_profile_ref | System-L4-Application | | network_profile_ref | System-TCP-Proxy | | pool_ref | test-l4-vs-1-pool | | se_group_ref | Default-Group | | network_security_policy_ref | vs-test-l4-vs-1-Default-Cloud-ns | | analytics_policy | | | full_client_logs | | | enabled | True | | duration | 30 min | | all_headers | False | | throttle | 10 per_second | | client_insights | NO_INSIGHTS | | metrics_realtime_update | | | enabled | True | | duration | 30 min | | udf_log_throttle | 10 per_second | | significant_log_throttle | 10 per_second | | enabled | True | | vrf_context_ref | global | | enable_autogw | True | | analytics_profile_ref | System-Analytics-Profile | | weight | 1 | | delay_fairness | False | | max_cps_per_client | 0 | | limit_doser | False | | type | VS_TYPE_NORMAL | | cloud_type | CLOUD_NONE | | use_bridge_ip_as_vip | False | | flow_dist | LOAD_AWARE | | ign_pool_net_reach | False | | ssl_sess_cache_avg_size | 1024 | | remove_listening_port_on_vs_down | False | | close_client_conn_on_config_update | False | | tenant_ref | admin | | cloud_ref | Default-Cloud | | east_west_placement | False | | scaleout_ecmp | False | | active_standby_se_tag | ACTIVE_STANDBY_SE_1 | | flow_label_type | NO_LABEL | | content_rewrite | | | rewritable_content_ref | System-Rewritable-Content-Types | | request_rewrite_enabled | False | | response_rewrite_enabled | False | | sideband_profile | | | sideband_max_request_body_size | 1024 bytes | | vip[1] | | | vip_id | 1 | | ip_address | 10.140.121.100 | | enabled | True | | auto_allocate_ip | False | | auto_allocate_floating_ip | False | | avi_allocated_vip | False | | avi_allocated_fip | False | | vsvip_ref | vsvip-test-l4-vs-1-Default-Cloud | | use_vip_as_snat | False | +------------------------------------+----------------------------------+ [admin:-cntrlr]: virtualservice> l4_policies New object being created [admin-cntrlr]: virtualservice:l4_policies> index 15 [admin-cntrlr]: virtualservice:l4_policies> l4_policy_set_ref test-l4-policy-1 [admin-cntrlr]: virtualservice:l4_policies> save [admin-cntrlr]: virtualservice> save +------------------------------------+----------------------------------+ | Field | Value | +------------------------------------+----------------------------------+ | uuid | virtualservice-ffdd94a8-31f0-b17 | | name | test-l4-vs-1 | | enabled | True | | services[1] | | | port | 80 | | enable_ssl | False | | port_range_end | 80 | | application_profile_ref | System-L4-Application | | network_profile_ref | System-TCP-Proxy | | pool_ref | test-l4-vs-1-pool | | se_group_ref | Default-Group | | network_security_policy_ref | vs-test-l4-vs-1-Default-Cloud-ns | | analytics_policy | | | full_client_logs | | | enabled | True | | duration | 30 min | | all_headers | False | | throttle | 10 per_second | | client_insights | NO_INSIGHTS | | metrics_realtime_update | | | enabled | True | | duration | 30 min | | udf_log_throttle | 10 per_second | | significant_log_throttle | 10 per_second | | enabled | True | | vrf_context_ref | global | | enable_autogw | True | | analytics_profile_ref | System-Analytics-Profile | | weight | 1 | | delay_fairness | False | | max_cps_per_client | 0 | | limit_doser | False | | type | VS_TYPE_NORMAL | | cloud_type | CLOUD_NONE | | use_bridge_ip_as_vip | False | | flow_dist | LOAD_AWARE | | ign_pool_net_reach | False | | ssl_sess_cache_avg_size | 1024 | | remove_listening_port_on_vs_down | False | | close_client_conn_on_config_update | False | | tenant_ref | admin | | cloud_ref | Default-Cloud | | east_west_placement | False | | scaleout_ecmp | False | | active_standby_se_tag | ACTIVE_STANDBY_SE_1 | | flow_label_type | NO_LABEL | | content_rewrite | | | rewritable_content_ref | System-Rewritable-Content-Types | | request_rewrite_enabled | False | | response_rewrite_enabled | False | | sideband_profile | | | sideband_max_request_body_size | 1024 bytes | | vip[1] | | | vip_id | 1 | | ip_address | 10.140.121.100 | | enabled | True | | auto_allocate_ip | False | | auto_allocate_floating_ip | False | | avi_allocated_vip | False | | avi_allocated_fip | False | | vsvip_ref | vsvip-test-l4-vs-1-Default-Cloud | | use_vip_as_snat | False | | l4_policies[1] | | | index | 15 | | l4_policy_set_ref | test-l4-policy-1 | +------------------------------------+----------------------------------+
Use the command clear virtualservice <policy name> l4policyset stats to clear statistics data. When the rules of a policy are changed, or when an another policy is linked or unlinked from a virtual service, metrics for the Layer 4 policy are cleared for the virtual service.
[admin-cntrlr]: > clear virtualservice test-l4-vs-1 l4policyset stats [admin-cntrlr]: > [1Pshow virtualservice test-l4-vs-1 l4policyset stats +-----------------------------+-----------------------------------------+ | Field | Value | +-----------------------------+-----------------------------------------+ | se_uuid | 10-140-4-234:se-005056bd449a | | proc_id | PROC_Aggregate | | l4_policy_set_stat[1] | | | uuid | l4policyset-56548582-dae0-499e-9434-b4ec| | name | test-l4-policy-1 | | l4_connection_policy_stat | | | rule_stats[1] | | | index | 1 | | name | my-rule-1 | | hits | 0 | | evaluated | 0 | | rule_stats[2] | | | index | 2 | | name | my-rule-2 | | hits | 0 | | evaluated | 0 | | rule_stats[3] | | | index | 3 | | name | my-rule-3 | | hits | 0 | | evaluated | 0 | +-----------------------------+-----------------------------------------+
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats +-----------------------------+-----------------------------------------+ | Field | Value | +-----------------------------+-----------------------------------------+ | se_uuid | 10-140-4-234:se-005056bd449a | | proc_id | PROC_Aggregate | | l4_policy_set_stat[1] | | | uuid | l4policyset-56548582-dae0-9434-16f37a7 | | name | test-l4-policy-1 | | l4_connection_policy_stat | | | rule_stats[1] | | | index | 1 | | name | my-rule-1 | | hits | 0 | | evaluated | 6 | | rule_stats[2] | | | index | 2 | | name | my-rule-2 | | hits | 6 | | evaluated | 6 | | rule_stats[3] | | | index | 3 | | name | my-rule-3 | | hits | 0 | | evaluated | 0 | +-----------------------------+-----------------------------------------+
Configuration to create the second Layer 4 policy and to associate it with the virtual service used earlier (test-l4-vs-1).
[admin-cntrlr]: > configure l4policyset test-l4-policy-2 [admin-cntrlr]: l4policyset> l4_connection_policy [admin-cntrlr]: l4policyset:l4_connection_policy> rules New object being created [admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 1 [admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-21 [admin-cntrlr]: l4policyset:l4_connection_policy:rules> match [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 80 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules> action [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-3 [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save [admin-cntrlr]: l4policyset:l4_connection_policy:rules> save [admin-cntrlr]: l4policyset:l4_connection_policy> save [admin-cntrlr]: l4policyset> save +------------------------+----------------------------------------------+ | Field | Value | +------------------------+----------------------------------------------+ | uuid | l4policyset-ff17dfef-4ad1-4453-aea1-5c5b01e | | name | test-l4-policy-2 | | l4_connection_policy | | | rules[1] | | | name | my-rule-21 | | index | 1 | | enable | True | | match | | | port | | | match_criteria | IS_IN | | ports[1] | 80 | | action | | | select_pool | | | action_type | L4_RULE_ACTION_SELECT_POOL | | pool_ref | test-pool-3 | | is_internal_policy | False | | tenant_ref | admin | +------------------------+----------------------------------------------+ [admin-cntrlr]: > [admin-cntrlr]: > show l4policyset +------------------+----------------------------------------------------+ | Name | UUID | +------------------+----------------------------------------------------+ | test-l4-policy-2 | l4policyset-ff17dfef-4ad1-4453-aea1-127f35c5b01e | | test-l4-policy-1 | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 | +------------------+----------------------------------------------------+ [admin-cntrlr]: > [admin-cntrlr]: > configure virtualservice test-l4-vs-1 Updating an existing object. Currently, the object is: +------------------------------------+----------------------------------+ | Field | Value | +------------------------------------+----------------------------------+ | uuid | virtualservice-ff-31f0-43a5-173 | | name | test-l4-vs-1 | | enabled | True | | services[1] | | | port | 80 | | enable_ssl | False | | port_range_end | 80 | | application_profile_ref | System-L4-Application | | network_profile_ref | System-TCP-Proxy | | pool_ref | test-l4-vs-1-pool | | se_group_ref | Default-Group | | network_security_policy_ref | vs-test-l4-vs-1-Default-Cloud-ns | | analytics_policy | | | full_client_logs | | | enabled | True | | duration | 30 min | | all_headers | False | | throttle | 10 per_second | | client_insights | NO_INSIGHTS | | metrics_realtime_update | | | enabled | True | | duration | 30 min | | udf_log_throttle | 10 per_second | | significant_log_throttle | 10 per_second | | enabled | True | | vrf_context_ref | global | | enable_autogw | True | | analytics_profile_ref | System-Analytics-Profile | | weight | 1 | | delay_fairness | False | | max_cps_per_client | 0 | | limit_doser | False | | type | VS_TYPE_NORMAL | | cloud_type | CLOUD_NONE | | use_bridge_ip_as_vip | False | | flow_dist | LOAD_AWARE | | ign_pool_net_reach | False | | ssl_sess_cache_avg_size | 1024 | | remove_listening_port_on_vs_down | False | | close_client_conn_on_config_update | False | | tenant_ref | admin | | cloud_ref | Default-Cloud | | east_west_placement | False | | scaleout_ecmp | False | | active_standby_se_tag | ACTIVE_STANDBY_SE_1 | | flow_label_type | NO_LABEL | | content_rewrite | | | rewritable_content_ref | System-Rewritable-Content-Types | | request_rewrite_enabled | False | | response_rewrite_enabled | False | | sideband_profile | | | sideband_max_request_body_size | 1024 bytes | | vip[1] | | | vip_id | 1 | | ip_address | 10.140.121.100 | | enabled | True | | auto_allocate_ip | False | | auto_allocate_floating_ip | False | | avi_allocated_vip | False | | avi_allocated_fip | False | | vsvip_ref | vsvip-test-l4-vs-1-Default-Cloud | |use_vip_as_snat | False | | l4_policies[1] | | | index | 15 | | l4_policy_set_ref | test-l4-policy-1 | +------------------------------------+----------------------------------+ [admin-cntrlr]: virtualservice> l4_policies New object being created [admin-cntrlr]: virtualservice:l4_policies> index 10 [admin-cntrlr]: virtualservice:l4_policies> l4_policy_set_ref test-l4-policy-2 [admin-cntrlr]: virtualservice:l4_policies> save [admin-cntrlr]: virtualservice> save +------------------------------------+----------------------------------+ | Field | Value | +------------------------------------+----------------------------------+ | uuid | virtualservice-ff-31f0-43a5-73 | | name | test-l4-vs-1 | | enabled | True | | services[1] | | | port | 80 | | enable_ssl | False | | port_range_end | 80 | | application_profile_ref | System-L4-Application | | network_profile_ref | System-TCP-Proxy | | pool_ref | test-l4-vs-1-pool | | se_group_ref | Default-Group | | network_security_policy_ref | vs-test-l4-vs-1-Default-Cloud-ns | | analytics_policy | | | full_client_logs | | | enabled | True | | duration | 30 min | | all_headers | False | | throttle | 10 per_second | | client_insights | NO_INSIGHTS | | metrics_realtime_update | | | enabled | True | | duration | 30 min | | udf_log_throttle | 10 per_second | | significant_log_throttle | 10 per_second | | enabled | True | | vrf_context_ref | global | | enable_autogw | True | | analytics_profile_ref | System-Analytics-Profile | | weight | 1 | | delay_fairness | False | | max_cps_per_client | 0 | | limit_doser | False | | type | VS_TYPE_NORMAL | | cloud_type | CLOUD_NONE | | use_bridge_ip_as_vip | False | | flow_dist | LOAD_AWARE | | ign_pool_net_reach | False | | ssl_sess_cache_avg_size | 1024 | | remove_listening_port_on_vs_down | False | | close_client_conn_on_config_update | False | | tenant_ref | admin | | cloud_ref | Default-Cloud | | east_west_placement | False | | scaleout_ecmp | False | | active_standby_se_tag | ACTIVE_STANDBY_SE_1 | | flow_label_type | NO_LABEL | | content_rewrite | | | rewritable_content_ref | System-Rewritable-Content-Types | | request_rewrite_enabled | False | | response_rewrite_enabled | False | | sideband_profile | | | sideband_max_request_body_size | 1024 bytes | | vip[1] | | | vip_id | 1 | | ip_address | 10.140.121.100 | | enabled | True | | auto_allocate_ip | False | | auto_allocate_floating_ip | False | | avi_allocated_vip | False | | avi_allocated_fip | False | | vsvip_ref | vsvip-test-l4-vs-1-Default-Cloud | | use_vip_as_snat | False | | l4_policies[1] | | | index | 15 | | l4_policy_set_ref | test-l4-policy-1 | | l4_policies[2] | | | index | 10 | | l4_policy_set_ref | test-l4-policy-2 | +------------------------------------+----------------------------------+
Use the Show command to check the statistics of the Layer 4 policy after traffic is sent, which show that the rule of the policy with lower index (index 1) is applied.
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats +-----------------------------+-----------------------------------------+ | Field | Value | +-----------------------------+-----------------------------------------+ | se_uuid | 10-140-4-234:se-005056bd449a | | proc_id | PROC_Aggregate | | l4_policy_set_stat[1] | | | uuid | l4policyset-ff17dfef-4ad1-4453-aea1- | | name | test-l4-policy-2 | | l4_connection_policy_stat | | | rule_stats[1] | | | index | 1 | | name | my-rule-21 | | hits | 0 | | evaluated | 0 | | l4_policy_set_stat[2] | | | uuid | l4policyset-56548582-dae0-499e-9434- b4 | | name | test-l4-policy-1 | | l4_connection_policy_stat | | | rule_stats[1] | | | index | 1 | | name | my-rule-1 | | hits | 0 | | evaluated | 0 | | rule_stats[2] | | | index | 2 | | name | my-rule-2 | | hits | 0 | | evaluated | 0 | | rule_stats[3] | | | index | 3 | | name | my-rule-3 | | hits | 0 | | evaluated | 0 | +-----------------------------+-----------------------------------------+
Use the command mentioned below to check statistics for the pool after 3 new connections are made to the virtual service. Use the show pool <pool name> server internal command to check server pool statistics and to verify that the pool of the matched policy rule is used.
[admin-cntrlr]: > show pool test-pool-3 server internal +--------------------------------+------------------------------+ | Field | Value | +--------------------------------+------------------------------+ | ip_addr | 10.140.121.39 | | port | 80 | | oper_status | | | state | OPER_UP | | ref_count | 6 | | server_stats | | | current_connections | 0 | | total_connections | 3 | | pre_closed_connections | 0 | | bad_connections | 0 | | inlhm_skipped | 0 | | skipped_count | 0 | | response_time | 0 | | response_time_var | 0 | | inlhm_down_duration | 0 | | inlhm_good_ewma | 0 | | inlhm_bad_ewma | 0 | | no_lport | 0 | | inlhm_letthrough | 0 | | current_load | 0 | | inlhm_skip_bypassed | 0 | | rl_good_fb | 0 | | rl_bad_fb | 0 | | capest_rand_max_conn_skipped | 0 | | skipped_get_next_count | 0 | | se_uuid | 10-140-4-234:se-005056bd449a | | ck_prst_id | 1666673515 | | vm_powered_on_count | 0 | | vm_powered_off_count | 0 | | vm_powered_on | True | | nat_ip_addr | 10.140.121.39 | | nat_port | 80 | | nat_hostname | 10.140.121.39 | | local | 1 | | loc_invalid | True | | max_conn_pc | 0 | | current_open_conns | 0 | | negative_open_conns | 0 | +--------------------------------+------------------------------+ [admin-cntrlr]: > [admin-cntrlr]: > [admin-cntrlr]: > show pool test-l4-vs-1-pool server internal +--------------------------------+------------------------------+ | Field | Value | +--------------------------------+------------------------------+ | ip_addr | 10.140.123.61 | | port | 80 | | oper_status | | | state | OPER_UP | | ref_count | 6 | | server_stats | | | current_connections | 0 | | total_connections | 0 | | pre_closed_connections | 0 | | bad_connections | 0 | | inlhm_skipped | 0 | | skipped_count | 0 | | response_time | 0 | | response_time_var | 0 | | inlhm_down_duration | 0 | | inlhm_good_ewma | 0 | | inlhm_bad_ewma | 0 | | no_lport | 0 | | inlhm_letthrough | 0 | | current_load | 0 | | inlhm_skip_bypassed | 0 | | rl_good_fb | 0 | | rl_bad_fb | 0 | | capest_rand_max_conn_skipped | 0 | | skipped_get_next_count | 0 | | se_uuid | 10-140-4-234:se-005056bd449a | | ck_prst_id | 1198880870 | | vm_powered_on_count | 0 | | vm_powered_off_count | 0 | | vm_powered_on | True | | nat_ip_addr | 10.140.123.61 | | nat_port | 80 | | nat_hostname | 10.140.123.61 | | local | 1 | | loc_invalid | True | | max_conn_pc | 0 | | current_open_conns | 0 | | negative_open_conns | 0 | +--------------------------------+------------------------------+ [admin-cntrlr]: > [admin-cntrlr]: > show pool test-l4-vs-1-pool server internal +--------------------------------+------------------------------+ | Field | Value | +--------------------------------+------------------------------+ | ip_addr | 10.140.123.61 | | port | 80 | | oper_status | | | state | OPER_UP | | ref_count | 6 | | server_stats | | | current_connections | 0 | | total_connections | 0 | | pre_closed_connections | 0 | | bad_connections | 0 | | inlhm_skipped | 0 | | skipped_count | 0 | | response_time | 0 | | response_time_var | 0 | | inlhm_down_duration | 0 | | inlhm_good_ewma | 0 | | inlhm_bad_ewma | 0 | | no_lport | 0 | | inlhm_letthrough | 0 | | current_load | 0 | | inlhm_skip_bypassed | 0 | | rl_good_fb | 0 | | rl_bad_fb | 0 | | capest_rand_max_conn_skipped | 0 | | skipped_get_next_count | 0 | | se_uuid | 10-140-4-234:se-005056bd449a | | ck_prst_id | 1198880870 | | vm_powered_on_count | 0 | | vm_powered_off_count | 0 | | vm_powered_on | True | | nat_ip_addr | 10.140.123.61 | | nat_port | 80 | | nat_hostname | 10.140.123.61 | | local | 1 | | loc_invalid | True | | max_conn_pc | 0 | | current_open_conns | 0 | | negative_open_conns | 0 | +--------------------------------+------------------------------+ [admin-cntrlr]: > exit
