A Layer 4 virtual service works at the transport layer and makes use of the Layer 4 parameters (IP address, and TCP or UDP ports) for load balancing decisions. The Layer 4 policy set provides a way to manage functionality of Layer 4 virtual services. These policies are similar to the HTTP policies used by application-level virtual services on Avi Vantage.

Layer 4 Connection Policy and Action

Layer 4 connection policies are applied when new connections to Layer 4 virtual services are set up. Rules for a Layer 4 policy are written based on the layer 3 and the layer 4 connection parameters. The configured action for the policy selects a server pool or a pool group to serve the new connection.

With Layer 4 connection policies, the selection of a pool or a pool group is based on the Layer 3 or the Layer 4 parameters (client IP address, Layer 4 destination port, and Layer 4 protocol). Each rule can have multiple matches and a single action. If the Layer 3 or the Layer 4 fields of a new connection request meet a rule-match criterion, the corresponding configured action is chosen. The Layer 4 policy uses an OR operation for multiple matches of a single rule: if any one of the matches is met, the rule is considered matched. Each policy rule has an index and a name. The index is a number that indicates the order in which the rules of a policy are applied; a rule with a lower index is applied before a rule with a higher index. When a rule matches, it selects a server pool if its configured action is select_pool, or a pool group if its configured action is select_poolgroup.

Note:

Pool selection is often referred to as pool switching.

Default Policy

The Layer 4 policy and the corresponding configured action override the default selection of a pool or a pool group for a virtual service. If a new connection request does not match any of the configured policy rules, then the default pool or the default pool group configured for the virtual service is selected.

Multiple Policies

A virtual service can have multiple Layer 4 policies. When a policy is linked to a virtual service, an index is specified for that policy. The index indicates the order in which policies are applied to a new virtual service connection. When multiple policies are configured for a virtual service, they are applied in the order of their index. A policy with a lower index is applied before a policy with the higher index.
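The selection logic described above, modelled as an added example (not code from the product or from this page): policies and rules are walked in index order, the matches of one rule are ORed, IS_NOT_IN inverts a match, and the default pool is the fallback. The policy, pool names and probe connections are constructed for illustration, and "first matching rule wins" is an assumption drawn from the ordering rules stated here.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product


@dataclass
class Match:
    target: str      # "client_ip", "port" or "protocol"
    criteria: str    # "IS_IN" or "IS_NOT_IN"
    values: list     # CIDR strings, (start, end) port tuples, or protocol names

    def met(self, conn):
        if self.target == "client_ip":
            ip = ipaddress.ip_address(conn["client_ip"])
            inside = any(ip in ipaddress.ip_network(v) for v in self.values)
        elif self.target == "port":
            inside = any(lo <= conn["port"] <= hi for lo, hi in self.values)
        elif self.target == "protocol":
            inside = conn["protocol"] in self.values
        else:
            raise ValueError(f"unknown match target {self.target!r}")
        return inside if self.criteria == "IS_IN" else not inside


@dataclass
class Rule:
    index: int
    name: str
    matches: list
    action: tuple    # ("select_pool", name) or ("select_poolgroup", name)

    def matched(self, conn):
        # OR across the matches of a single rule, as the page states.
        return any(m.met(conn) for m in self.matches)


def select(policies, conn, default_pool):
    """policies: list of (index_on_vs, policy_name, [Rule]).
    Returns (action, "policy/rule" that decided, or "default")."""
    for _, pname, rules in sorted(policies, key=lambda p: p[0]):
        for rule in sorted(rules, key=lambda r: r.index):
            if rule.matched(conn):  # assumption: first matching rule wins
                return rule.action, f"{pname}/{rule.name}"
    return ("select_pool", default_pool), "default"


def never_selected(policies, probes, default_pool):
    """Rules that decide none of the probe connections (shadowed by earlier rules)."""
    winners = {select(policies, c, default_pool)[1] for c in probes}
    return sorted(f"{p}/{r.name}" for _, p, rules in policies for r in rules
                  if f"{p}/{r.name}" not in winners)


def conn(protocol, client_ip, port):
    return {"protocol": protocol, "client_ip": client_ip, "port": port}


# Constructed sample data (hypothetical names), listed out of order on purpose.
DEFAULT_POOL = "vs-default-pool"
POLICIES = [
    (20, "pol-b", [
        Rule(2, "tcp-only", [Match("protocol", "IS_IN", ["TCP"])],
             ("select_pool", "pool-tcp-b")),
        Rule(1, "dns", [Match("port", "IS_IN", [(53, 53)])],
             ("select_pool", "pool-dns")),
    ]),
    (10, "pol-a", [
        Rule(3, "port-120", [Match("port", "IS_IN", [(120, 120)])],
             ("select_poolgroup", "pg-120")),
        Rule(1, "mgmt", [Match("client_ip", "IS_IN", ["10.100.0.0/16"]),
                         Match("port", "IS_IN", [(8443, 8443)])],
             ("select_pool", "pool-mgmt")),
        Rule(2, "not-udp", [Match("protocol", "IS_NOT_IN", ["UDP"])],
             ("select_pool", "pool-tcp")),
    ]),
]
PROBES = [conn(p, ip, port) for p, ip, port in
          product(["TCP", "UDP"], ["10.100.5.5", "192.0.2.7"], [53, 120, 8443, 9999])]

if __name__ == "__main__":
    for c in PROBES:
        print(c, "->", select(POLICIES, c, DEFAULT_POOL))
    print("never selected:", never_selected(POLICIES, PROBES, DEFAULT_POOL))
```

Because matches are ORed, the "mgmt" rule also takes any client that connects to port 8443, and the IS_NOT_IN UDP rule takes every remaining TCP connection, so later TCP-only rules never decide a connection.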

Policy Sharing

Policies are not shared among virtual services; they are defined on a per virtual service basis. A Layer 4 connection policy can be applied only to a virtual service configured with the Application Profiles set to System-L4-Application or System-DNS.

Rule Attributes

The Layer 4 policy rule has the following attributes:

Name

Name of the policy

Index

An index is a number that indicates the order in which the rule is applied. Rules in a multi-rule policy are applied in the order of their index. A rule with a lower index is applied before a rule with a higher index.

Rule Matches

Rules specify values for Layer 3 or Layer 4 fields and match-criterion.

Match criterion IS_IN

This indicates that the rule is considered matched when the Layer 3 or the Layer 4 fields of a connection request meet the configured criteria in the rule.

Match criterion IS_NOT_IN

This indicates that the rule is considered matched when the Layer 3 or the Layer 4 fields of a connection request do not meet the configured criteria in the rule.

Match Targets

Match targets specify the fields of the connection request to be evaluated for a match. Three fields can be specified as a match target:

Client IP Address

Matches source IP address of the connection request. Currently, only IPv4 addresses can be specified. This value can be specified as specific IP addresses, IP prefixes and as pre-defined IP-groups.

Match Specification: Specific IPv4 address, IPv4 prefixes, and IPv4 groups

Layer 4 Protocol

Protocol of the connection request — TCP or UDP.

Match Specification: Multiple port numbers, port range

Layer 4 Destination Ports

If a virtual service is hosted on multiple ports, or a range of ports, then a policy rule can specify a subset of those ports as the specific ports, or the port sub-range.

Match Specification: TCP or UDP

Rule Action

A rule action specifies the action to be performed on a rule match. It specifies the type of action (select_pool or select_poolgroup) and a reference to a pre-configured back-end server pool or server pool group. The same pool or pool group can be referred to in multiple rules.

Rule Action

Action Specification

Select Pool

Name of a single pool

Select Pool Group

Name of a single pool group

Configuring Layer 4 Policy

A Layer 4 policy is configured using an NSX Advanced Load Balancer Controller shell prompt.

  • Log in to the NSX Advanced Load Balancer Controller and use the configure l4policyset <policy name> command to configure the Layer 4 policies. The sample configuration shown below configures Layer 4 policies with the following rules:

Index Value

Match Target

Rule Action

3

Layer 4 destination port

1

Client IP Address

Select Pool Group

2

Layer 4 Protocol

Select Pool

admin-cntrlr:~$ shell
Login: admin
Password: 

[admin-cntrlr]: > 
[admin-cntrlr]: > configure l4policyset test-l4-policy-1

[admin-cntrlr]: l4policyset> l4_connection_policy
[admin-cntrlr]: l4policyset:l4_connection_policy> rules
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 3
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-3
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> match
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 120
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> action
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_poolgroup
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_group_ref test-pool-grp-1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> save
[admin-cntrlr]: l4policyset:l4_connection_policy> 
[admin-cntrlr]: l4policyset:l4_connection_policy> rules
New object being created

[admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> match
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> client_ip
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> match_criteria is_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> addrs 10.140.100.120
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> addrs 10.140.100.130
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> prefixes 10.100.0.0/16
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> group_refs ip-grp-3
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 80
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> port_ranges
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> start 100
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> end 200
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> action
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> save

[admin-cntrlr]: l4policyset:l4_connection_policy> rules
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 2
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-2
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> match
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> protocol
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> match_criteria is_not_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> protocol protocol_udp
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> action
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-2
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> save
[admin-cntrlr]: l4policyset:l4_connection_policy> save
[admin-cntrlr]: l4policyset> save
+------------------------+----------------------------------------------+
| Field                  | Value                                        |                                          
+------------------------+----------------------------------------------+
| uuid                   | l4policyset-56548582-dae0-499e-9434-         |
| name                   | test-l4-policy-1                             |
| l4_connection_policy   |                                              |
|   rules[1]             |                                              |
|     name               | my-rule-3                                    |
|     index              | 3                                            |
|     enable             | True                                         |
|     match              |                                              |
|       port             |                                              |
|         match_criteria | IS_IN                                        |
|         ports[1]       | 120                                          |
|     action             |                                              |
|       select_pool      |                                              |
|         action_type    | L4_RULE_ACTION_SELECT_POOLGROUP              |
|         pool_group_ref | test-pool-grp-1                              |
|   rules[2]             |                                              |
|     name               | my-rule-1                                    |
|     index              | 1                                            |
|     enable             | True                                         |
|     match              |                                              |
|       client_ip        |                                              |
|         match_criteria | IS_IN                                        |
|         addrs[1]       | 10.140.100.120                               |
|         addrs[2]       | 10.140.100.130                               |
|         prefixes[1]    | 10.100.0.0/16                                |
|         group_refs[1]  | ip-grp-3                                     |
|       port             |                                              |
|         match_criteria | IS_IN                                        |
|         ports[1]       | 80                                           |
|         port_ranges[1] |                                              |
|           start        | 100                                          |
|           end          | 200                                          |
|     action             |                                              |
|       select_pool      |                                              |
|         action_type    | L4_RULE_ACTION_SELECT_POOL                   |
|         pool_ref       | test-pool-1                                  |
|   rules[3]             |                                              |
|     name               | my-rule-2                                    |
|     index              | 2                                            |
|     enable             | True                                         |
|     match              |                                              |
|       protocol         |                                              |
|         match_criteria | IS_NOT_IN                                    |
|         protocol       | PROTOCOL_UDP                                 |
|     action             |                                              |
|       select_pool      |                                              |
|         action_type    | L4_RULE_ACTION_SELECT_POOL                   |
|         pool_ref       | test-pool-2                                  |
| is_internal_policy     | False                                        |
| tenant_ref             | admin                                        |
+------------------------+----------------------------------------------+
  • Associate the Layer 4 policy with the virtual service.

[admin-cntrlr]: > configure virtualservice test-l4-vs-1
Updating an existing object. Currently, the object is:
+------------------------------------+----------------------------------+
| Field                              | Value                            |
+------------------------------------+----------------------------------+
| uuid                               | virtualservice-ffdd94a8-31f0-43a5|
| name                               | test-l4-vs-1                     |
| enabled                            | True                             |
| services[1]                        |                                  |
|   port                             | 80                               |
|   enable_ssl                       | False                            |
|   port_range_end                   | 80                               |
| application_profile_ref            | System-L4-Application            |
| network_profile_ref                | System-TCP-Proxy                 |
| pool_ref                           | test-l4-vs-1-pool                |
| se_group_ref                       | Default-Group                    |
| network_security_policy_ref        | vs-test-l4-vs-1-Default-Cloud-ns |
| analytics_policy                   |                                  |
|   full_client_logs                 |                                  |
|     enabled                        | True                             |
|     duration                       | 30 min                           |
|     all_headers                    | False                            |
|     throttle                       | 10 per_second                    |
|   client_insights                  | NO_INSIGHTS                      |
|   metrics_realtime_update          |                                  |
|     enabled                        | True                             |
|     duration                       | 30 min                           |
|   udf_log_throttle                 | 10 per_second                    |
|   significant_log_throttle         | 10 per_second                    |
|   enabled                          | True                             |
| vrf_context_ref                    | global                           |
| enable_autogw                      | True                             |
| analytics_profile_ref              | System-Analytics-Profile         |
| weight                             | 1                                |
| delay_fairness                     | False                            |
| max_cps_per_client                 | 0                                |
| limit_doser                        | False                            |
| type                               | VS_TYPE_NORMAL                   |
| cloud_type                         | CLOUD_NONE                       |
| use_bridge_ip_as_vip               | False                            |
| flow_dist                          | LOAD_AWARE                       |
| ign_pool_net_reach                 | False                            |
| ssl_sess_cache_avg_size            | 1024                             |
| remove_listening_port_on_vs_down   | False                            |
| close_client_conn_on_config_update | False                            |
| tenant_ref                         | admin                            |
| cloud_ref                          | Default-Cloud                    |
| east_west_placement                | False                            |
| scaleout_ecmp                      | False                            |
| active_standby_se_tag              | ACTIVE_STANDBY_SE_1              |
| flow_label_type                    | NO_LABEL                         |
| content_rewrite                    |                                  |
|   rewritable_content_ref           | System-Rewritable-Content-Types  |
|   request_rewrite_enabled          | False                            |
|   response_rewrite_enabled         | False                            |
| sideband_profile                   |                                  |
|   sideband_max_request_body_size   | 1024 bytes                       |
| vip[1]                             |                                  |
|   vip_id                           | 1                                |
|   ip_address                       | 10.140.121.100                   |
|   enabled                          | True                             |
|   auto_allocate_ip                 | False                            |
|   auto_allocate_floating_ip        | False                            |
|   avi_allocated_vip                | False                            |
|   avi_allocated_fip                | False                            |
| vsvip_ref                          | vsvip-test-l4-vs-1-Default-Cloud |
| use_vip_as_snat                    | False                            |
+------------------------------------+----------------------------------+

[admin-cntrlr]: virtualservice> l4_policies
New object being created
[admin-cntrlr]: virtualservice:l4_policies> index 15
[admin-cntrlr]: virtualservice:l4_policies> l4_policy_set_ref test-l4-policy-1
[admin-cntrlr]: virtualservice:l4_policies> save
[admin-cntrlr]: virtualservice> save
+------------------------------------+----------------------------------+
| Field                              | Value                            |
+------------------------------------+----------------------------------+
| uuid                               | virtualservice-ffdd94a8-31f0-b17 |
| name                               | test-l4-vs-1                     |
| enabled                            | True                             |
| services[1]                        |                                  |
|   port                             | 80                               |
|   enable_ssl                       | False                            |
|   port_range_end                   | 80                               |
| application_profile_ref            | System-L4-Application            |
| network_profile_ref                | System-TCP-Proxy                 |
| pool_ref                           | test-l4-vs-1-pool                |
| se_group_ref                       | Default-Group                    |
| network_security_policy_ref        | vs-test-l4-vs-1-Default-Cloud-ns |        
| analytics_policy                   |                                  |                                            
|   full_client_logs                 |                                  |
|     enabled                        | True                             |
|     duration                       | 30 min                           |
|     all_headers                    | False                            |
|     throttle                       | 10 per_second                    |
|   client_insights                  | NO_INSIGHTS                      |
|   metrics_realtime_update          |                                  |
|     enabled                        | True                             |
|     duration                       | 30 min                           |
|   udf_log_throttle                 | 10 per_second                    |
|   significant_log_throttle         | 10 per_second                    |
|   enabled                          | True                             |
| vrf_context_ref                    | global                           |
| enable_autogw                      | True                             |
| analytics_profile_ref              | System-Analytics-Profile         |
| weight                             | 1                                |
| delay_fairness                     | False                            |
| max_cps_per_client                 | 0                                |
| limit_doser                        | False                            |
| type                               | VS_TYPE_NORMAL                   |
| cloud_type                         | CLOUD_NONE                       |
| use_bridge_ip_as_vip               | False                            |
| flow_dist                          | LOAD_AWARE                       |
| ign_pool_net_reach                 | False                            |
| ssl_sess_cache_avg_size            | 1024                             |
| remove_listening_port_on_vs_down   | False                            |
| close_client_conn_on_config_update | False                            |
| tenant_ref                         | admin                            |
| cloud_ref                          | Default-Cloud                    |
| east_west_placement                | False                            |
| scaleout_ecmp                      | False                            |
| active_standby_se_tag              | ACTIVE_STANDBY_SE_1              |
| flow_label_type                    | NO_LABEL                         |
| content_rewrite                    |                                  |
|   rewritable_content_ref           | System-Rewritable-Content-Types  |
|   request_rewrite_enabled          | False                            |
|   response_rewrite_enabled         | False                            |
| sideband_profile                   |                                  |
|   sideband_max_request_body_size   | 1024 bytes                       |
| vip[1]                             |                                  |
|   vip_id                           | 1                                |
|   ip_address                       | 10.140.121.100                   |
|   enabled                          | True                             |
|   auto_allocate_ip                 | False                            |
|   auto_allocate_floating_ip        | False                            |
|   avi_allocated_vip                | False                            |
|   avi_allocated_fip                | False                            |
| vsvip_ref                          | vsvip-test-l4-vs-1-Default-Cloud |                   
| use_vip_as_snat                    | False                            |
| l4_policies[1]                     |                                  |
|   index                            | 15                               |
|   l4_policy_set_ref                | test-l4-policy-1                 |
+------------------------------------+----------------------------------+
  • Use the command clear virtualservice <policy name> l4policyset stats to clear statistics data. When the rules of a policy are changed, or when another policy is linked to or unlinked from a virtual service, metrics for the Layer 4 policy are cleared for the virtual service.

[admin-cntrlr]: > clear virtualservice test-l4-vs-1 l4policyset stats 
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats
+-----------------------------+-----------------------------------------+
| Field                       | Value                                   |
+-----------------------------+-----------------------------------------+
| se_uuid                     | 10-140-4-234:se-005056bd449a            |
| proc_id                     | PROC_Aggregate                          |
| l4_policy_set_stat[1]       |                                         |
|   uuid                      | l4policyset-56548582-dae0-499e-9434-b4ec|
|   name                      | test-l4-policy-1                        |
|   l4_connection_policy_stat |                                         |
|     rule_stats[1]           |                                         |
|       index                 | 1                                       |
|       name                  | my-rule-1                               |
|       hits                  | 0                                       |
|       evaluated             | 0                                       |
|     rule_stats[2]           |                                         |
|       index                 | 2                                       |
|       name                  | my-rule-2                               |
|       hits                  | 0                                       |
|       evaluated             | 0                                       |
|     rule_stats[3]           |                                         |
|       index                 | 3                                       |
|       name                  | my-rule-3                               |
|       hits                  | 0                                       |
|       evaluated             | 0                                       |
+-----------------------------+-----------------------------------------+
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats 
+-----------------------------+-----------------------------------------+
| Field                       | Value                                   | 
+-----------------------------+-----------------------------------------+
| se_uuid                     | 10-140-4-234:se-005056bd449a            |
| proc_id                     | PROC_Aggregate                          |
| l4_policy_set_stat[1]       |                                         |
|   uuid                      | l4policyset-56548582-dae0-9434-16f37a7  |
|   name                      | test-l4-policy-1                        |
|   l4_connection_policy_stat |                                         |
|     rule_stats[1]           |                                         |
|       index                 | 1                                       |
|       name                  | my-rule-1                               |
|       hits                  | 0                                       |
|       evaluated             | 6                                       |
|     rule_stats[2]           |                                         |
|       index                 | 2                                       |
|       name                  | my-rule-2                               |
|       hits                  | 6                                       |
|       evaluated             | 6                                       |
|     rule_stats[3]           |                                         |
|       index                 | 3                                       |
|       name                  | my-rule-3                               |
|       hits                  | 0                                       |
|       evaluated             | 0                                       |
+-----------------------------+-----------------------------------------+
  • Configuration to create the second Layer 4 policy and to associate it with the virtual service used earlier (test-l4-vs-1).

[admin-cntrlr]: > configure l4policyset test-l4-policy-2
[admin-cntrlr]: l4policyset> l4_connection_policy
[admin-cntrlr]: l4policyset:l4_connection_policy> rules
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-21
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> match
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 80
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> action
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-3
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> save
[admin-cntrlr]: l4policyset:l4_connection_policy> save
[admin-cntrlr]: l4policyset> save
+------------------------+----------------------------------------------+
| Field                  | Value                                        |
+------------------------+----------------------------------------------+
| uuid                   | l4policyset-ff17dfef-4ad1-4453-aea1-5c5b01e  |
| name                   | test-l4-policy-2                             |
| l4_connection_policy   |                                              |
|   rules[1]             |                                              |
|     name               | my-rule-21                                   |
|     index              | 1                                            |
|     enable             | True                                         |
|     match              |                                              |
|       port             |                                              |
|         match_criteria | IS_IN                                        |
|         ports[1]       | 80                                           |
|     action             |                                              |
|       select_pool      |                                              |
|         action_type    | L4_RULE_ACTION_SELECT_POOL                   |
|         pool_ref       | test-pool-3                                  |
| is_internal_policy     | False                                        |
| tenant_ref             | admin                                        |
+------------------------+----------------------------------------------+
[admin-cntrlr]: > 
[admin-cntrlr]: > show l4policyset 
+------------------+----------------------------------------------------+
| Name             | UUID                                               |
+------------------+----------------------------------------------------+
| test-l4-policy-2 | l4policyset-ff17dfef-4ad1-4453-aea1-127f35c5b01e   |
| test-l4-policy-1 | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7   |
+------------------+----------------------------------------------------+
[admin-cntrlr]: > 
[admin-cntrlr]: > configure virtualservice test-l4-vs-1
Updating an existing object. Currently, the object is:
+------------------------------------+----------------------------------+
| Field                              | Value                            |
+------------------------------------+----------------------------------+
| uuid                               | virtualservice-ff-31f0-43a5-173  | 
| name                               | test-l4-vs-1                     |
| enabled                            | True                             |
| services[1]                        |                                  |
|   port                             | 80                               |
|   enable_ssl                       | False                            |
|   port_range_end                   | 80                               |
| application_profile_ref            | System-L4-Application            |
| network_profile_ref                | System-TCP-Proxy                 |
| pool_ref                           | test-l4-vs-1-pool                |
| se_group_ref                       | Default-Group                    |
| network_security_policy_ref        | vs-test-l4-vs-1-Default-Cloud-ns |
| analytics_policy                   |                                  |
|   full_client_logs                 |                                  |
|     enabled                        | True                             |
|     duration                       | 30 min                           |
|     all_headers                    | False                            |
|     throttle                       | 10 per_second                    |
|   client_insights                  | NO_INSIGHTS                      |
|   metrics_realtime_update          |                                  |
|     enabled                        | True                             |
|     duration                       | 30 min                           |
|   udf_log_throttle                 | 10 per_second                    |
|   significant_log_throttle         | 10 per_second                    |
|   enabled                          | True                             |
| vrf_context_ref                    | global                           |
| enable_autogw                      | True                             |
| analytics_profile_ref              | System-Analytics-Profile         |
| weight                             | 1                                |
| delay_fairness                     | False                            |
| max_cps_per_client                 | 0                                |
| limit_doser                        | False                            |
| type                               | VS_TYPE_NORMAL                   |
| cloud_type                         | CLOUD_NONE                       |
| use_bridge_ip_as_vip               | False                            |
| flow_dist                          | LOAD_AWARE                       |
| ign_pool_net_reach                 | False                            |
| ssl_sess_cache_avg_size            | 1024                             |
| remove_listening_port_on_vs_down   | False                            |
| close_client_conn_on_config_update | False                            |
| tenant_ref                         | admin                            |
| cloud_ref                          | Default-Cloud                    |
| east_west_placement                | False                            |
| scaleout_ecmp                      | False                            |
| active_standby_se_tag              | ACTIVE_STANDBY_SE_1              |
| flow_label_type                    | NO_LABEL                         |
| content_rewrite                    |                                  |
|   rewritable_content_ref           | System-Rewritable-Content-Types  |
|   request_rewrite_enabled          | False                            |
|   response_rewrite_enabled         | False                            |
| sideband_profile                   |                                  |
|   sideband_max_request_body_size   | 1024 bytes                       |
| vip[1]                             |                                  |
|   vip_id                           | 1                                |
|   ip_address                       | 10.140.121.100                   |
|   enabled                          | True                             |
|   auto_allocate_ip                 | False                            |
|   auto_allocate_floating_ip        | False                            |
|   avi_allocated_vip                | False                            |
|   avi_allocated_fip                | False                            |
| vsvip_ref                          | vsvip-test-l4-vs-1-Default-Cloud | 
| use_vip_as_snat                    | False                            |
| l4_policies[1]                     |                                  |
|   index                            | 15                               |
|   l4_policy_set_ref                | test-l4-policy-1                 |
+------------------------------------+----------------------------------+
[admin-cntrlr]: virtualservice> l4_policies 
New object being created
[admin-cntrlr]: virtualservice:l4_policies> index 10
[admin-cntrlr]: virtualservice:l4_policies> l4_policy_set_ref test-l4-policy-2
[admin-cntrlr]: virtualservice:l4_policies> save
[admin-cntrlr]: virtualservice> save
+------------------------------------+----------------------------------+
| Field                              | Value                            |
+------------------------------------+----------------------------------+
| uuid                               | virtualservice-ff-31f0-43a5-73   |
| name                               | test-l4-vs-1                     |
| enabled                            | True                             |                           
| services[1]                        |                                  |                      
|   port                             | 80                               |                    
|   enable_ssl                       | False                            |                   
|   port_range_end                   | 80                               |                   
| application_profile_ref            | System-L4-Application            |                   
| network_profile_ref                | System-TCP-Proxy                 |                   
| pool_ref                           | test-l4-vs-1-pool                |                   
| se_group_ref                       | Default-Group                    |                   
| network_security_policy_ref        | vs-test-l4-vs-1-Default-Cloud-ns |                   
| analytics_policy                   |                                  |                   
|   full_client_logs                 |                                  |                   
|     enabled                        | True                             |                   
|     duration                       | 30 min                           |                   
|     all_headers                    | False                            |                   
|     throttle                       | 10 per_second                    |                   
|   client_insights                  | NO_INSIGHTS                      |                   
|   metrics_realtime_update          |                                  |                   
|     enabled                        | True                             |                   
|     duration                       | 30 min                           |                   
|   udf_log_throttle                 | 10 per_second                    |                   
|   significant_log_throttle         | 10 per_second                    |                   
|   enabled                          | True                             |                   
| vrf_context_ref                    | global                           |                   
| enable_autogw                      | True                             |                   
| analytics_profile_ref              | System-Analytics-Profile         |                   
| weight                             | 1                                |                   
| delay_fairness                     | False                            |                   
| max_cps_per_client                 | 0                                |                   
| limit_doser                        | False                            |                   
| type                               | VS_TYPE_NORMAL                   |                   
| cloud_type                         | CLOUD_NONE                       |                   
| use_bridge_ip_as_vip               | False                            |                   
| flow_dist                          | LOAD_AWARE                       |                   
| ign_pool_net_reach                 | False                            |                   
| ssl_sess_cache_avg_size            | 1024                             |                   
| remove_listening_port_on_vs_down   | False                            |                   
| close_client_conn_on_config_update | False                            |                   
| tenant_ref                         | admin                            |                   
| cloud_ref                          | Default-Cloud                    |                   
| east_west_placement                | False                            |             
| scaleout_ecmp                      | False                            |                   
| active_standby_se_tag              | ACTIVE_STANDBY_SE_1              |                    
| flow_label_type                    | NO_LABEL                         |                   
| content_rewrite                    |                                  |                   
|   rewritable_content_ref           | System-Rewritable-Content-Types  |                   
|   request_rewrite_enabled          | False                            |                   
|   response_rewrite_enabled         | False                            |                   
| sideband_profile                   |                                  |                   
|   sideband_max_request_body_size   | 1024 bytes                       |                   
| vip[1]                             |                                  |                   
|   vip_id                           | 1                                |                   
|   ip_address                       | 10.140.121.100                   |                   
|   enabled                          | True                             |                   
|   auto_allocate_ip                 | False                            |                   
|   auto_allocate_floating_ip        | False                            |                   
|   avi_allocated_vip                | False                            |                   
|   avi_allocated_fip                | False                            |                   
| vsvip_ref                          | vsvip-test-l4-vs-1-Default-Cloud |                   
| use_vip_as_snat                    | False                            |                   
| l4_policies[1]                     |                                  |                   
|   index                            | 15                               |                  
|   l4_policy_set_ref                | test-l4-policy-1                 |                   
| l4_policies[2]                     |                                  |                   
|   index                            | 10                               |                   
|   l4_policy_set_ref                | test-l4-policy-2                 |                   
+------------------------------------+----------------------------------+

Use the show command to check the Layer 4 policy statistics after traffic is sent. The statistics show that the rule of the policy with the lower index (index 1) is applied.

[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats 
+-----------------------------+-----------------------------------------+
| Field                       | Value                                   |
+-----------------------------+-----------------------------------------+
| se_uuid                     | 10-140-4-234:se-005056bd449a            |         
| proc_id                     | PROC_Aggregate                          |        
| l4_policy_set_stat[1]       |                                         |         
|   uuid                      | l4policyset-ff17dfef-4ad1-4453-aea1-    | 
|   name                      | test-l4-policy-2                        |         
|   l4_connection_policy_stat |                                         |         
|     rule_stats[1]           |                                         |         
|       index                 | 1                                       |         
|       name                  | my-rule-21                              |         
|       hits                  | 0                                       |         
|       evaluated             | 0                                       |         
| l4_policy_set_stat[2]       |                                         |         
|   uuid                      | l4policyset-56548582-dae0-499e-9434- b4 |
|   name                      | test-l4-policy-1                        | 
|   l4_connection_policy_stat |                                         |         
|     rule_stats[1]           |                                         |         
|       index                 | 1                                       |         
|       name                  | my-rule-1                               |         
|       hits                  | 0                                       |         
|       evaluated             | 0                                       |         
|     rule_stats[2]           |                                         |         
|       index                 | 2                                       |         
|       name                  | my-rule-2                               |         
|       hits                  | 0                                       |         
|       evaluated             | 0                                       |         
|     rule_stats[3]           |                                         |         
|       index                 | 3                                       |         
|       name                  | my-rule-3                               |         
|       hits                  | 0                                       |         
|       evaluated             | 0                                       |         
+-----------------------------+-----------------------------------------+

Use the show pool <pool name> server internal command to check the server pool statistics after 3 new connections are made to the virtual service, and to verify that the pool of the matched policy rule is used.

[admin-cntrlr]: > show pool test-pool-3 server internal  
+--------------------------------+------------------------------+ 
| Field                          | Value                        |
+--------------------------------+------------------------------+ 
| ip_addr                        | 10.140.121.39                |
| port                           | 80                           | 
| oper_status                    |                              |
|   state                        | OPER_UP                      | 
| ref_count                      | 6                            | 
| server_stats                   |                              | 
|   current_connections          | 0                            | 
|   total_connections            | 3                            | 
|   pre_closed_connections       | 0                            | 
|   bad_connections              | 0                            | 
|   inlhm_skipped                | 0                            | 
|   skipped_count                | 0                            | 
|   response_time                | 0                            | 
|   response_time_var            | 0                            | 
|   inlhm_down_duration          | 0                            | 
|   inlhm_good_ewma              | 0                            | 
|   inlhm_bad_ewma               | 0                            | 
|   no_lport                     | 0                            | 
|   inlhm_letthrough             | 0                            | 
|   current_load                 | 0                            | 
|   inlhm_skip_bypassed          | 0                            | 
|   rl_good_fb                   | 0                            | 
|   rl_bad_fb                    | 0                            | 
|   capest_rand_max_conn_skipped | 0                            | 
|   skipped_get_next_count       | 0                            | 
| se_uuid                        | 10-140-4-234:se-005056bd449a | 
| ck_prst_id                     | 1666673515                   | 
| vm_powered_on_count            | 0                            | 
| vm_powered_off_count           | 0                            | 
| vm_powered_on                  | True                         | 
| nat_ip_addr                    | 10.140.121.39                | 
| nat_port                       | 80                           | 
| nat_hostname                   | 10.140.121.39                | 
| local                          | 1                            | 
| loc_invalid                    | True                         | 
| max_conn_pc                    | 0                            | 
| current_open_conns             | 0                            | 
| negative_open_conns            | 0                            | 
+--------------------------------+------------------------------+ 
[admin-cntrlr]: > 
[admin-cntrlr]: > 
[admin-cntrlr]: > show pool test-l4-vs-1-pool server internal
+--------------------------------+------------------------------+ 
| Field                          | Value                        | 
+--------------------------------+------------------------------+ 
| ip_addr                        | 10.140.123.61                | 
| port                           | 80                           | 
| oper_status                    |                              | 
|   state                        | OPER_UP                      | 
| ref_count                      | 6                            | 
| server_stats                   |                              | 
|   current_connections          | 0                            | 
|   total_connections            | 0                            | 
|   pre_closed_connections       | 0                            | 
|   bad_connections              | 0                            | 
|   inlhm_skipped                | 0                            | 
|   skipped_count                | 0                            | 
|   response_time                | 0                            | 
|   response_time_var            | 0                            | 
|   inlhm_down_duration          | 0                            | 
|   inlhm_good_ewma              | 0                            | 
|   inlhm_bad_ewma               | 0                            | 
|   no_lport                     | 0                            | 
|   inlhm_letthrough             | 0                            | 
|   current_load                 | 0                            | 
|   inlhm_skip_bypassed          | 0                            | 
|   rl_good_fb                   | 0                            | 
|   rl_bad_fb                    | 0                            | 
|   capest_rand_max_conn_skipped | 0                            | 
|   skipped_get_next_count       | 0                            | 
| se_uuid                        | 10-140-4-234:se-005056bd449a | 
| ck_prst_id                     | 1198880870                   | 
| vm_powered_on_count            | 0                            | 
| vm_powered_off_count           | 0                            | 
| vm_powered_on                  | True                         | 
| nat_ip_addr                    | 10.140.123.61                | 
| nat_port                       | 80                           | 
| nat_hostname                   | 10.140.123.61                | 
| local                          | 1                            | 
| loc_invalid                    | True                         | 
| max_conn_pc                    | 0                            | 
| current_open_conns             | 0                            | 
| negative_open_conns            | 0                            | 
+--------------------------------+------------------------------+ 
[admin-cntrlr]: > exit
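
One way to automate the pool verification described above, as an added example that is not Avi Vantage code or part of the original page: a Python parser for the CLI's Field/Value tables that confirms the policy's pool took the new connections and the default pool took none. The two sample tables are constructed, trimmed excerpts of the session output; the function names, the zero baseline, and the summing over one table per server are assumptions.

```python
# Constructed samples: the two `show pool <name> server internal` tables from
# the session above, trimmed to the fields this check reads.
POLICY_POOL_OUTPUT = """\
+--------------------------------+------------------------------+
| Field                          | Value                        |
+--------------------------------+------------------------------+
| ip_addr                        | 10.140.121.39                |
| oper_status                    |                              |
|   state                        | OPER_UP                      |
| server_stats                   |                              |
|   total_connections            | 3                            |
| se_uuid                        | 10-140-4-234:se-005056bd449a |
+--------------------------------+------------------------------+
"""
DEFAULT_POOL_OUTPUT = """\
+--------------------------------+------------------------------+
| Field                          | Value                        |
+--------------------------------+------------------------------+
| ip_addr                        | 10.140.123.61                |
| oper_status                    |                              |
|   state                        | OPER_UP                      |
| server_stats                   |                              |
|   total_connections            | 0                            |
| se_uuid                        | 10-140-4-234:se-005056bd449a |
+--------------------------------+------------------------------+
"""


def parse_cli_tables(text):
    """Return one nested dict per Field/Value table found in CLI output."""
    tables, stack = [], []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # border, prompt or blank line
        cells = line[1:-1].split("|")
        if len(cells) != 2:
            continue
        key_cell, value = cells[0], cells[1].strip()
        key = key_cell.strip()
        if (key, value) == ("Field", "Value"):
            tables.append({})  # a header row starts a new table
            stack = [tables[-1]]
            continue
        if not key or not stack:
            continue
        # One leading space is cell padding; each further pair is one level.
        indent = len(key_cell) - len(key_cell.lstrip(" "))
        depth = min(max(indent - 1, 0) // 2, len(stack) - 1)
        del stack[depth + 1:]
        if value:
            stack[depth][key] = value
        else:
            stack[depth][key] = {}  # empty value: a container row
            stack.append(stack[depth][key])
    return tables


def total_connections(pool_output):
    """Sum server_stats.total_connections over every table in the output."""
    return sum(int(t["server_stats"]["total_connections"])
               for t in parse_cli_tables(pool_output)
               if "server_stats" in t)


def verify_pool_switch(policy_out, default_out, sent, baseline=(0, 0)):
    """Return a list of problems; empty means the policy pool took all traffic."""
    # Assumption: baseline holds each pool's total_connections before the test
    # (policy pool, default pool); (0, 0) means both counters started at zero.
    policy_delta = total_connections(policy_out) - baseline[0]
    default_delta = total_connections(default_out) - baseline[1]
    problems = []
    if policy_delta != sent:
        problems.append(f"policy pool took {policy_delta} of {sent} connections")
    if default_delta != 0:
        problems.append(f"default pool took {default_delta} connections")
    return problems
```

Calling `verify_pool_switch(POLICY_POOL_OUTPUT, DEFAULT_POOL_OUTPUT, sent=3)` returns an empty list for the session shown; a non-empty list names the pool whose counter moved unexpectedly.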