Layer 4 Virtual Services and Policy Set
Overview
This article explains the Layer 4 load balancing feature of Avi Vantage. A Layer 4 virtual service works at the transport layer and bases its load balancing decision only on Layer 3 and Layer 4 parameters (IP addresses and TCP or UDP ports). The Layer 4 policy set is the mechanism for controlling how a Layer 4 virtual service steers new connections; it plays the same role that HTTP policies play for the application-level (Layer 7) virtual services on Avi Vantage.
Layer 4 Connection Policy and Action
Layer 4 connection policies – These policies are evaluated when a new connection to a Layer 4 virtual service is set up. The rules of a Layer 4 policy are written in terms of Layer 3 and Layer 4 connection parameters (client IP address, Layer 4 destination port and Layer 4 protocol), and the configured action of the matching rule selects the server pool or pool group that serves the new connection.
Each rule can have multiple match targets and a single action.
If the Layer 3 or Layer 4 fields of a new connection meet the match criteria of a rule, the configured action of that rule is taken.
The Layer 4 policy uses an OR operation for the multiple matches of a single rule: if any one of the matches is met, the rule is considered matched.
Caution: the rule statistics shown later in this article are what an AND across the match targets would produce (my-rule-1, which carries both a client IP match and a port 80 match, is evaluated for port 80 connections from an unlisted client without registering a hit). Before relying on a multi-match rule to steer traffic, for example to send only a trusted client range to a privileged pool, confirm the behaviour on your release with show virtualservice <virtual service name> l4policyset stats.
Each policy rule has an index and a name. The index is a number that determines the order in which the rules of a policy are evaluated: a rule with a lower index is evaluated before a rule with a higher index, and evaluation stops at the first rule that matches.
A matched rule selects a server pool if its configured action is select_pool, or a pool group if its configured action is select_poolgroup.
Note: Pool selection is often referred to as pool switching.
Default policy
A Layer 4 policy and its configured actions override the default pool or pool group selection of a virtual service. If a new connection does not match any rule of any linked policy, the default pool or default pool group configured on the virtual service is selected.
Multiple Policies
A virtual service can have multiple Layer 4 policies. When a policy is linked to a virtual service, an index is specified for that link; it sets the order in which the policies are evaluated for a new connection to the virtual service. A policy with a lower index is evaluated before a policy with a higher index, and the rule indexes within each policy order the rules inside it. The link index is independent of the rule indexes and of creation order: in the example below, test-l4-policy-2 is linked at index 10 and is therefore evaluated before test-l4-policy-1, which is linked at index 15, even though it was created later.
Policy Sharing
Policies are not shared among virtual services; each Layer 4 policy set is linked to a single virtual service. A Layer 4 connection policy can be applied only to a virtual service whose application profile is System-L4-Application or System-DNS. For related information on sharing pool groups among virtual services, refer to Pool Groups.
Rule attributes
A Layer 4 policy rule has the following attributes:
Name – Name of the rule.
Index – A number that indicates the order in which the rule is evaluated. Rules in a multi-rule policy are evaluated in ascending index order; a rule with a lower index is evaluated before a rule with a higher index.
Rule-matches – One or more match targets, each specifying values for Layer 3 or Layer 4 fields together with a match criterion.
Match criterion IS_IN – The rule is considered matched when the Layer 3 or Layer 4 fields of the connection request meet the values configured in the match target.
Match criterion IS_NOT_IN – The rule is considered matched when the Layer 3 or Layer 4 fields of the connection request do not meet the values configured in the match target.
Match Targets
Match targets specify the fields of the connection request that are evaluated for a match. Three fields can be used as match targets:
- Client IP address – Matches the source IP address of the connection request. Currently, only IPv4 addresses can be specified. The value can be given as specific IP addresses, IP prefixes and pre-defined IP groups.
- Layer 4 protocol – Protocol of the connection request, TCP or UDP.
- Layer 4 destination ports – If a virtual service is hosted on multiple ports or on a range of ports, a policy rule can specify a subset of those ports as individual ports or as a port sub-range.
Refer to the following table for more details.

| Policy Attributes | Match Specification |
|---|---|
| Client IP address | Specific IPv4 addresses, IPv4 prefixes, and IPv4 groups |
| Layer 4 destination ports | Multiple port numbers, port ranges |
| Transport or Layer 4 protocol | TCP or UDP |
Rule Action
A rule action specifies what happens on a rule match: the action type, select_pool or select_poolgroup, and a reference to a pre-configured back-end server pool or server pool group. The same pool or pool group can be referenced by several rules.

| Rule Action | Action Specification |
|---|---|
| Select pool | Name of a single pool |
| Select pool group | Name of a single pool group |
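The evaluation order described above, as an added example that is not part of Avi Vantage or of this article: a small Python evaluator over the policy sets and the virtual service from the Configuration section below, written as plain dicts that mirror the CLI output. The dict layout, the Conn record and the contents of the IP group ip-grp-3 are assumptions. It walks the linked policies by VS index and the rules by rule index, stops at the first match and falls back to the default pool of the virtual service. The article's text says the match targets of one rule are ORed, while the rule statistics later in the article are what an AND would produce, so the combination is a flag (all_targets) and defaults to AND here; run a connection both ways and compare with the l4policyset stats counters on your release before trusting a multi-target rule for steering.

```python
"""Offline evaluator for Avi Vantage Layer 4 connection policies.

Added example, not Avi code. Policies linked to a virtual service are walked by
ascending VS index, rules by ascending rule index; the first matching rule's pool
(or pool group) wins, otherwise the VS default pool is used. The dict layout
mirrors the article's CLI output and is an assumption, not an exported object.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the pre-defined IP group "ip-grp-3" used in the article.
IP_GROUPS = {"ip-grp-3": ["198.51.100.0/24"]}


@dataclass(frozen=True)
class Conn:
    client_ip: str
    dst_port: int
    protocol: str  # "PROTOCOL_TCP" or "PROTOCOL_UDP", as the CLI names them


def _in_client_ip(m, c):
    ip = ipaddress.ip_address(c.client_ip)
    nets = [ipaddress.ip_network(p) for p in m.get("prefixes", [])]
    for grp in m.get("group_refs", []):
        nets += [ipaddress.ip_network(p) for p in IP_GROUPS[grp]]
    return c.client_ip in m.get("addrs", []) or any(ip in n for n in nets)


def _in_port(m, c):
    return c.dst_port in m.get("ports", []) or any(
        r["start"] <= c.dst_port <= r["end"] for r in m.get("port_ranges", []))


def _in_protocol(m, c):
    return c.protocol == m["protocol"]


_TARGETS = {"client_ip": _in_client_ip, "port": _in_port, "protocol": _in_protocol}


def target_matches(name, m, c):
    """Apply the target's IS_IN / IS_NOT_IN criterion."""
    hit = _TARGETS[name](m, c)
    return hit if m["match_criteria"] == "IS_IN" else not hit


def rule_matches(rule, c, all_targets=True):
    """all_targets=True ANDs the rule's match targets (what the article's rule
    statistics show); False ORs them (what the article's text states)."""
    results = [target_matches(n, m, c) for n, m in rule["match"].items()]
    return all(results) if all_targets else any(results)


def select_pool(vs, c, all_targets=True):
    """Return (pool or pool group, policy name, rule name) for a new connection."""
    for link in sorted(vs["l4_policies"], key=lambda p: p["index"]):
        pol = link["l4_policy_set"]
        rules = sorted(pol["l4_connection_policy"]["rules"], key=lambda r: r["index"])
        for rule in rules:
            if rule.get("enable", True) and rule_matches(rule, c, all_targets):
                act = rule["action"]["select_pool"]
                return act.get("pool_ref") or act.get("pool_group_ref"), pol["name"], rule["name"]
    return vs["pool_ref"], None, None  # nothing matched: default pool of the VS


# The policy sets and the virtual service from the article, as plain dicts.
POLICY_1 = {"name": "test-l4-policy-1", "l4_connection_policy": {"rules": [
    {"name": "my-rule-3", "index": 3,
     "match": {"port": {"match_criteria": "IS_IN", "ports": [120]}},
     "action": {"select_pool": {"action_type": "L4_RULE_ACTION_SELECT_POOLGROUP",
                                "pool_group_ref": "test-pool-grp-1"}}},
    {"name": "my-rule-1", "index": 1,
     "match": {"client_ip": {"match_criteria": "IS_IN",
                             "addrs": ["10.140.100.120", "10.140.100.130"],
                             "prefixes": ["10.100.0.0/16"], "group_refs": ["ip-grp-3"]},
               "port": {"match_criteria": "IS_IN", "ports": [80],
                        "port_ranges": [{"start": 100, "end": 200}]}},
     "action": {"select_pool": {"action_type": "L4_RULE_ACTION_SELECT_POOL",
                                "pool_ref": "test-pool-1"}}},
    {"name": "my-rule-2", "index": 2,
     "match": {"protocol": {"match_criteria": "IS_NOT_IN", "protocol": "PROTOCOL_UDP"}},
     "action": {"select_pool": {"action_type": "L4_RULE_ACTION_SELECT_POOL",
                                "pool_ref": "test-pool-2"}}}]}}
POLICY_2 = {"name": "test-l4-policy-2", "l4_connection_policy": {"rules": [
    {"name": "my-rule-21", "index": 1,
     "match": {"port": {"match_criteria": "IS_IN", "ports": [80]}},
     "action": {"select_pool": {"action_type": "L4_RULE_ACTION_SELECT_POOL",
                                "pool_ref": "test-pool-3"}}}]}}
VS_ONE_POLICY = {"name": "test-l4-vs-1", "pool_ref": "test-l4-vs-1-pool",
                 "l4_policies": [{"index": 15, "l4_policy_set": POLICY_1}]}
VS_TWO_POLICIES = {**VS_ONE_POLICY, "l4_policies": VS_ONE_POLICY["l4_policies"]
                   + [{"index": 10, "l4_policy_set": POLICY_2}]}
```

select_pool(VS_ONE_POLICY, Conn("192.0.2.10", 80, "PROTOCOL_TCP")) returns test-pool-2 via my-rule-2 under AND and test-pool-1 via my-rule-1 under OR; the same connection against VS_TWO_POLICIES lands in test-pool-3, because my-rule-21 of the policy linked at index 10 is evaluated first, which is exactly what the pool counters at the end of the article show.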
Configuration
A Layer 4 policy is configured from the Avi Controller shell. Log in to the Avi Controller and use the configure l4policyset <policy name> command as shown below.
- The steps below create a policy set named test-l4-policy-1 with three rules. They are entered in the order 3, 1, 2 to show that evaluation order is set by the rule index, not by the order of entry:
- Index 3: match target Layer 4 destination port (120), action select_poolgroup (test-pool-grp-1).
- Index 1: match targets client IP address (two addresses, one prefix and one IP group) and Layer 4 destination port (80 and the range 100-200), action select_pool (test-pool-1).
- Index 2: match target Layer 4 protocol with criterion IS_NOT_IN UDP (that is, TCP), action select_pool (test-pool-2).
admin-cntrlr:~$ shell
Login: admin
Password:
[admin-cntrlr]: >
[admin-cntrlr]: > configure l4policyset test-l4-policy-1
[admin-cntrlr]: l4policyset> l4_connection_policy
[admin-cntrlr]: l4policyset:l4_connection_policy> rules
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 3
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-3
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> match
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 120
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> action
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_poolgroup
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_group_ref test-pool-grp-1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> save
[admin-cntrlr]: l4policyset:l4_connection_policy>
[admin-cntrlr]: l4policyset:l4_connection_policy> rules
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> match
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> client_ip
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> match_criteria is_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> addrs 10.140.100.120
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> addrs 10.140.100.130
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> prefixes 10.100.0.0/16
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> group_refs ip-grp-3
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:client_ip> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 80
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> port_ranges
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> start 100
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> end 200
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port:port_ranges> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> action
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> save
[admin-cntrlr]: l4policyset:l4_connection_policy> rules
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 2
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-2
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> match
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> protocol
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> match_criteria is_not_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> protocol protocol_udp
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:protocol> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> action
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-2
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> save
[admin-cntrlr]: l4policyset:l4_connection_policy> save
[admin-cntrlr]: l4policyset> save
+------------------------+--------------------------------------------------+
| Field | Value |
+------------------------+--------------------------------------------------+
| uuid | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
| name | test-l4-policy-1 |
| l4_connection_policy | |
| rules[1] | |
| name | my-rule-3 |
| index | 3 |
| enable | True |
| match | |
| port | |
| match_criteria | IS_IN |
| ports[1] | 120 |
| action | |
| select_pool | |
| action_type | L4_RULE_ACTION_SELECT_POOLGROUP |
| pool_group_ref | test-pool-grp-1 |
| rules[2] | |
| name | my-rule-1 |
| index | 1 |
| enable | True |
| match | |
| client_ip | |
| match_criteria | IS_IN |
| addrs[1] | 10.140.100.120 |
| addrs[2] | 10.140.100.130 |
| prefixes[1] | 10.100.0.0/16 |
| group_refs[1] | ip-grp-3 |
| port | |
| match_criteria | IS_IN |
| ports[1] | 80 |
| port_ranges[1] | |
| start | 100 |
| end | 200 |
| action | |
| select_pool | |
| action_type | L4_RULE_ACTION_SELECT_POOL |
| pool_ref | test-pool-1 |
| rules[3] | |
| name | my-rule-2 |
| index | 2 |
| enable | True |
| match | |
| protocol | |
| match_criteria | IS_NOT_IN |
| protocol | PROTOCOL_UDP |
| action | |
| select_pool | |
| action_type | L4_RULE_ACTION_SELECT_POOL |
| pool_ref | test-pool-2 |
| is_internal_policy | False |
| tenant_ref | admin |
+------------------------+--------------------------------------------------+
- Use the show l4policyset command to check the configured policies.
[admin-cntrlr]: > show l4policyset
+------------------+--------------------------------------------------+
| Name | UUID |
+------------------+--------------------------------------------------+
| test-l4-policy-1 | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
+------------------+--------------------------------------------------+
[admin-cntrlr]: > show l4policyset test-l4-policy-1
+------------------------+--------------------------------------------------+
| Field | Value |
+------------------------+--------------------------------------------------+
| uuid | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
| name | test-l4-policy-1 |
| l4_connection_policy | |
| rules[1] | |
| name | my-rule-3 |
| index | 3 |
| enable | True |
| match | |
| port | |
| match_criteria | IS_IN |
| ports[1] | 120 |
| action | |
| select_pool | |
| action_type | L4_RULE_ACTION_SELECT_POOLGROUP |
| pool_group_ref | test-pool-grp-1 |
| rules[2] | |
| name | my-rule-1 |
| index | 1 |
| enable | True |
| match | |
| client_ip | |
| match_criteria | IS_IN |
| addrs[1] | 10.140.100.120 |
| addrs[2] | 10.140.100.130 |
| prefixes[1] | 10.100.0.0/16 |
| group_refs[1] | ip-grp-3 |
| port | |
| match_criteria | IS_IN |
| ports[1] | 80 |
| port_ranges[1] | |
| start | 100 |
| end | 200 |
| action | |
| select_pool | |
| action_type | L4_RULE_ACTION_SELECT_POOL |
| pool_ref | test-pool-1 |
| rules[3] | |
| name | my-rule-2 |
| index | 2 |
| enable | True |
| match | |
| protocol | |
| match_criteria | IS_NOT_IN |
| protocol | PROTOCOL_UDP |
| action | |
| select_pool | |
| action_type | L4_RULE_ACTION_SELECT_POOL |
| pool_ref | test-pool-2 |
| is_internal_policy | False |
| tenant_ref | admin |
+------------------------+--------------------------------------------------+
- Configuration to associate the Layer 4 policy with the virtual service.
[admin-cntrlr]: > configure virtualservice test-l4-vs-1
Updating an existing object. Currently, the object is:
+------------------------------------+-----------------------------------------------------+
| Field | Value |
+------------------------------------+-----------------------------------------------------+
| uuid | virtualservice-ffdd94a8-31f0-43a5-b173-2b2e84e76b5e |
| name | test-l4-vs-1 |
| enabled | True |
| services[1] | |
| port | 80 |
| enable_ssl | False |
| port_range_end | 80 |
| application_profile_ref | System-L4-Application |
| network_profile_ref | System-TCP-Proxy |
| pool_ref | test-l4-vs-1-pool |
| se_group_ref | Default-Group |
| network_security_policy_ref | vs-test-l4-vs-1-Default-Cloud-ns |
| analytics_policy | |
| full_client_logs | |
| enabled | True |
| duration | 30 min |
| all_headers | False |
| throttle | 10 per_second |
| client_insights | NO_INSIGHTS |
| metrics_realtime_update | |
| enabled | True |
| duration | 30 min |
| udf_log_throttle | 10 per_second |
| significant_log_throttle | 10 per_second |
| enabled | True |
| vrf_context_ref | global |
| enable_autogw | True |
| analytics_profile_ref | System-Analytics-Profile |
| weight | 1 |
| delay_fairness | False |
| max_cps_per_client | 0 |
| limit_doser | False |
| type | VS_TYPE_NORMAL |
| cloud_type | CLOUD_NONE |
| use_bridge_ip_as_vip | False |
| flow_dist | LOAD_AWARE |
| ign_pool_net_reach | False |
| ssl_sess_cache_avg_size | 1024 |
| remove_listening_port_on_vs_down | False |
| close_client_conn_on_config_update | False |
| tenant_ref | admin |
| cloud_ref | Default-Cloud |
| east_west_placement | False |
| scaleout_ecmp | False |
| active_standby_se_tag | ACTIVE_STANDBY_SE_1 |
| flow_label_type | NO_LABEL |
| content_rewrite | |
| rewritable_content_ref | System-Rewritable-Content-Types |
| request_rewrite_enabled | False |
| response_rewrite_enabled | False |
| sideband_profile | |
| sideband_max_request_body_size | 1024 bytes |
| vip[1] | |
| vip_id | 1 |
| ip_address | 10.140.121.100 |
| enabled | True |
| auto_allocate_ip | False |
| auto_allocate_floating_ip | False |
| avi_allocated_vip | False |
| avi_allocated_fip | False |
| vsvip_ref | vsvip-test-l4-vs-1-Default-Cloud |
| use_vip_as_snat | False |
+------------------------------------+-----------------------------------------------------+
[admin-cntrlr]: virtualservice> l4_policies
New object being created
[admin-cntrlr]: virtualservice:l4_policies> index 15
[admin-cntrlr]: virtualservice:l4_policies> l4_policy_set_ref test-l4-policy-1
[admin-cntrlr]: virtualservice:l4_policies> save
[admin-cntrlr]: virtualservice> save
+------------------------------------+-----------------------------------------------------+
| Field | Value |
+------------------------------------+-----------------------------------------------------+
| uuid | virtualservice-ffdd94a8-31f0-43a5-b173-2b2e84e76b5e |
| name | test-l4-vs-1 |
| enabled | True |
| services[1] | |
| port | 80 |
| enable_ssl | False |
| port_range_end | 80 |
| application_profile_ref | System-L4-Application |
| network_profile_ref | System-TCP-Proxy |
| pool_ref | test-l4-vs-1-pool |
| se_group_ref | Default-Group |
| network_security_policy_ref | vs-test-l4-vs-1-Default-Cloud-ns |
| analytics_policy | |
| full_client_logs | |
| enabled | True |
| duration | 30 min |
| all_headers | False |
| throttle | 10 per_second |
| client_insights | NO_INSIGHTS |
| metrics_realtime_update | |
| enabled | True |
| duration | 30 min |
| udf_log_throttle | 10 per_second |
| significant_log_throttle | 10 per_second |
| enabled | True |
| vrf_context_ref | global |
| enable_autogw | True |
| analytics_profile_ref | System-Analytics-Profile |
| weight | 1 |
| delay_fairness | False |
| max_cps_per_client | 0 |
| limit_doser | False |
| type | VS_TYPE_NORMAL |
| cloud_type | CLOUD_NONE |
| use_bridge_ip_as_vip | False |
| flow_dist | LOAD_AWARE |
| ign_pool_net_reach | False |
| ssl_sess_cache_avg_size | 1024 |
| remove_listening_port_on_vs_down | False |
| close_client_conn_on_config_update | False |
| tenant_ref | admin |
| cloud_ref | Default-Cloud |
| east_west_placement | False |
| scaleout_ecmp | False |
| active_standby_se_tag | ACTIVE_STANDBY_SE_1 |
| flow_label_type | NO_LABEL |
| content_rewrite | |
| rewritable_content_ref | System-Rewritable-Content-Types |
| request_rewrite_enabled | False |
| response_rewrite_enabled | False |
| sideband_profile | |
| sideband_max_request_body_size | 1024 bytes |
| vip[1] | |
| vip_id | 1 |
| ip_address | 10.140.121.100 |
| enabled | True |
| auto_allocate_ip | False |
| auto_allocate_floating_ip | False |
| avi_allocated_vip | False |
| avi_allocated_fip | False |
| vsvip_ref | vsvip-test-l4-vs-1-Default-Cloud |
| use_vip_as_snat | False |
| l4_policies[1] | |
| index | 15 |
| l4_policy_set_ref | test-l4-policy-1 |
+------------------------------------+-----------------------------------------------------+
- Use the show virtualservice <virtual service name> l4policyset stats command to check the Layer 4 policy metrics for the virtual service. For each rule, evaluated counts the new connections that reached the rule and hits counts those that matched it. Because evaluation stops at the first matching rule, a lower-index rule that matches every connection leaves the rules after it with zero evaluations; in the output below, my-rule-2 (protocol IS_NOT_IN UDP) matches all TCP connections, so my-rule-3 is never evaluated.
[admin-cntrlr]: >
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats
+-----------------------------+--------------------------------------------------+
| Field | Value |
+-----------------------------+--------------------------------------------------+
| se_uuid | 10-140-4-234:se-005056bd449a |
| proc_id | PROC_Aggregate |
| l4_policy_set_stat[1] | |
| uuid | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
| name | test-l4-policy-1 |
| l4_connection_policy_stat | |
| rule_stats[1] | |
| index | 1 |
| name | my-rule-1 |
| hits | 0 |
| evaluated | 0 |
| rule_stats[2] | |
| index | 2 |
| name | my-rule-2 |
| hits | 0 |
| evaluated | 0 |
| rule_stats[3] | |
| index | 3 |
| name | my-rule-3 |
| hits | 0 |
| evaluated | 0 |
+-----------------------------+--------------------------------------------------+
[admin-cntrlr]: >
[admin-cntrlr]: >
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats
+-----------------------------+--------------------------------------------------+
| Field | Value |
+-----------------------------+--------------------------------------------------+
| se_uuid | 10-140-4-234:se-005056bd449a |
| proc_id | PROC_Aggregate |
| l4_policy_set_stat[1] | |
| uuid | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
| name | test-l4-policy-1 |
| l4_connection_policy_stat | |
| rule_stats[1] | |
| index | 1 |
| name | my-rule-1 |
| hits | 0 |
| evaluated | 1 |
| rule_stats[2] | |
| index | 2 |
| name | my-rule-2 |
| hits | 1 |
| evaluated | 1 |
| rule_stats[3] | |
| index | 3 |
| name | my-rule-3 |
| hits | 0 |
| evaluated | 0 |
+-----------------------------+--------------------------------------------------+
- Use the clear virtualservice <virtual service name> l4policyset stats command to clear the statistics. The Layer 4 policy metrics of a virtual service are also cleared automatically when the rules of a policy are changed, or when another policy is linked to or unlinked from the virtual service.
[admin-cntrlr]: > clear virtualservice test-l4-vs-1 l4policyset stats
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats
+-----------------------------+--------------------------------------------------+
| Field | Value |
+-----------------------------+--------------------------------------------------+
| se_uuid | 10-140-4-234:se-005056bd449a |
| proc_id | PROC_Aggregate |
| l4_policy_set_stat[1] | |
| uuid | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
| name | test-l4-policy-1 |
| l4_connection_policy_stat | |
| rule_stats[1] | |
| index | 1 |
| name | my-rule-1 |
| hits | 0 |
| evaluated | 0 |
| rule_stats[2] | |
| index | 2 |
| name | my-rule-2 |
| hits | 0 |
| evaluated | 0 |
| rule_stats[3] | |
| index | 3 |
| name | my-rule-3 |
| hits | 0 |
| evaluated | 0 |
+-----------------------------+--------------------------------------------------+
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats
+-----------------------------+--------------------------------------------------+
| Field | Value |
+-----------------------------+--------------------------------------------------+
| se_uuid | 10-140-4-234:se-005056bd449a |
| proc_id | PROC_Aggregate |
| l4_policy_set_stat[1] | |
| uuid | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
| name | test-l4-policy-1 |
| l4_connection_policy_stat | |
| rule_stats[1] | |
| index | 1 |
| name | my-rule-1 |
| hits | 0 |
| evaluated | 6 |
| rule_stats[2] | |
| index | 2 |
| name | my-rule-2 |
| hits | 6 |
| evaluated | 6 |
| rule_stats[3] | |
| index | 3 |
| name | my-rule-3 |
| hits | 0 |
| evaluated | 0 |
+-----------------------------+--------------------------------------------------+
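A check for the counters above, as an added example that is not part of Avi Vantage: it parses the table printed by show virtualservice <virtual service name> l4policyset stats (the sample below is constructed from the counters this article shows after traffic) and reports rules that were evaluated but never matched, and rules that were never evaluated because a lower-index rule matched every connection. In this article's policy, my-rule-2 (protocol IS_NOT_IN UDP) matches every TCP connection, so my-rule-3 can never be reached by TCP traffic; that kind of shadowing is what the audit surfaces. Only field names are used, so the parser copes with the whitespace-collapsed table shown here as well as the aligned original.

```python
"""Audit rule counters from `show virtualservice <vs name> l4policyset stats`.

Added example, not part of Avi Vantage. Parses the CLI table as printed in the
article and flags, per policy set, dead rules (evaluated, never matched) and
shadowed rules (never evaluated while connections entered the policy).
"""
import re

ROW = re.compile(r"^\|\s*(?P<field>[^|]+?)\s*\|\s*(?P<value>[^|]*?)\s*\|$")
DEAD = "evaluated but never matched"
SHADOWED = "never evaluated: every connection matched a lower-index rule"

# Constructed sample, copied from the counters the article shows after traffic.
SAMPLE = """
| se_uuid | 10-140-4-234:se-005056bd449a |
| proc_id | PROC_Aggregate |
| l4_policy_set_stat[1] | |
| uuid | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
| name | test-l4-policy-1 |
| l4_connection_policy_stat | |
| rule_stats[1] | |
| index | 1 |
| name | my-rule-1 |
| hits | 0 |
| evaluated | 6 |
| rule_stats[2] | |
| index | 2 |
| name | my-rule-2 |
| hits | 6 |
| evaluated | 6 |
| rule_stats[3] | |
| index | 3 |
| name | my-rule-3 |
| hits | 0 |
| evaluated | 0 |
"""


def parse_stats(text):
    """Return {policy name: [{index, name, hits, evaluated}, ...]} in printed order."""
    policies, policy, rule = {}, None, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # table borders, header row, prompts
        field, value = m.group("field"), m.group("value")
        if field.startswith("l4_policy_set_stat["):
            policy, rule = None, None  # the next "name" row names the policy set
        elif field == "name" and policy is None:
            policy = value
            policies[policy] = []
        elif field.startswith("rule_stats["):
            rule = {}
            policies[policy].append(rule)
        elif rule is not None and field == "name":
            rule["name"] = value
        elif rule is not None and field in ("index", "hits", "evaluated"):
            rule[field] = int(value)
    return policies


def audit(policies):
    """Return [(policy, rule, problem)] under first-match semantics: a rule is
    evaluated only for connections that no lower-index rule matched."""
    findings = []
    for policy, rules in policies.items():
        rules = sorted(rules, key=lambda r: r["index"])
        total = rules[0]["evaluated"] if rules else 0  # connections that entered the policy
        for r in rules:
            if r["evaluated"] and not r["hits"]:
                findings.append((policy, r["name"], DEAD))
            elif total and not r["evaluated"]:
                findings.append((policy, r["name"], SHADOWED))
    return findings


if __name__ == "__main__":
    for policy, rule, problem in audit(parse_stats(SAMPLE)):
        print(f"{policy}: {rule}: {problem}")
```

On the sample, my-rule-1 is reported as dead (six evaluations, no hit, which is expected if the client IP condition is meant to admit only listed clients, and a misconfiguration if it was meant to match all port 80 traffic) and my-rule-3 as shadowed by my-rule-2. A dead rule on a privileged pool and a shadowed rule that was supposed to isolate a protocol are both worth a second look before the policy goes to production.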
- Configuration to create a second Layer 4 policy and associate it with the virtual service used earlier (test-l4-vs-1). The new policy is linked at index 10, lower than the index 15 of test-l4-policy-1, so it is evaluated first.
[admin-cntrlr]: > configure l4policyset test-l4-policy-2
[admin-cntrlr]: l4policyset> l4_connection_policy
[admin-cntrlr]: l4policyset:l4_connection_policy> rules
New object being created
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> index 1
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> name my-rule-21
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> match
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> port
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> match_criteria is_in
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> ports 80
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match:port> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:match> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> action
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> action_type l4_rule_action_select_pool
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> pool_ref test-pool-3
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action:select_pool> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules:action> save
[admin-cntrlr]: l4policyset:l4_connection_policy:rules> save
[admin-cntrlr]: l4policyset:l4_connection_policy> save
[admin-cntrlr]: l4policyset> save
+------------------------+--------------------------------------------------+
| Field | Value |
+------------------------+--------------------------------------------------+
| uuid | l4policyset-ff17dfef-4ad1-4453-aea1-127f35c5b01e |
| name | test-l4-policy-2 |
| l4_connection_policy | |
| rules[1] | |
| name | my-rule-21 |
| index | 1 |
| enable | True |
| match | |
| port | |
| match_criteria | IS_IN |
| ports[1] | 80 |
| action | |
| select_pool | |
| action_type | L4_RULE_ACTION_SELECT_POOL |
| pool_ref | test-pool-3 |
| is_internal_policy | False |
| tenant_ref | admin |
+------------------------+--------------------------------------------------+
[admin-cntrlr]: >
[admin-cntrlr]: > show l4policyset
+------------------+--------------------------------------------------+
| Name | UUID |
+------------------+--------------------------------------------------+
| test-l4-policy-2 | l4policyset-ff17dfef-4ad1-4453-aea1-127f35c5b01e |
| test-l4-policy-1 | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
+------------------+--------------------------------------------------+
[admin-cntrlr]: >
[admin-cntrlr]: > configure virtualservice test-l4-vs-1
Updating an existing object. Currently, the object is:
+------------------------------------+-----------------------------------------------------+
| Field | Value |
+------------------------------------+-----------------------------------------------------+
| uuid | virtualservice-ffdd94a8-31f0-43a5-b173-2b2e84e76b5e |
| name | test-l4-vs-1 |
| enabled | True |
| services[1] | |
| port | 80 |
| enable_ssl | False |
| port_range_end | 80 |
| application_profile_ref | System-L4-Application |
| network_profile_ref | System-TCP-Proxy |
| pool_ref | test-l4-vs-1-pool |
| se_group_ref | Default-Group |
| network_security_policy_ref | vs-test-l4-vs-1-Default-Cloud-ns |
| analytics_policy | |
| full_client_logs | |
| enabled | True |
| duration | 30 min |
| all_headers | False |
| throttle | 10 per_second |
| client_insights | NO_INSIGHTS |
| metrics_realtime_update | |
| enabled | True |
| duration | 30 min |
| udf_log_throttle | 10 per_second |
| significant_log_throttle | 10 per_second |
| enabled | True |
| vrf_context_ref | global |
| enable_autogw | True |
| analytics_profile_ref | System-Analytics-Profile |
| weight | 1 |
| delay_fairness | False |
| max_cps_per_client | 0 |
| limit_doser | False |
| type | VS_TYPE_NORMAL |
| cloud_type | CLOUD_NONE |
| use_bridge_ip_as_vip | False |
| flow_dist | LOAD_AWARE |
| ign_pool_net_reach | False |
| ssl_sess_cache_avg_size | 1024 |
| remove_listening_port_on_vs_down | False |
| close_client_conn_on_config_update | False |
| tenant_ref | admin |
| cloud_ref | Default-Cloud |
| east_west_placement | False |
| scaleout_ecmp | False |
| active_standby_se_tag | ACTIVE_STANDBY_SE_1 |
| flow_label_type | NO_LABEL |
| content_rewrite | |
| rewritable_content_ref | System-Rewritable-Content-Types |
| request_rewrite_enabled | False |
| response_rewrite_enabled | False |
| sideband_profile | |
| sideband_max_request_body_size | 1024 bytes |
| vip[1] | |
| vip_id | 1 |
| ip_address | 10.140.121.100 |
| enabled | True |
| auto_allocate_ip | False |
| auto_allocate_floating_ip | False |
| avi_allocated_vip | False |
| avi_allocated_fip | False |
| vsvip_ref | vsvip-test-l4-vs-1-Default-Cloud |
| use_vip_as_snat | False |
| l4_policies[1] | |
| index | 15 |
| l4_policy_set_ref | test-l4-policy-1 |
+------------------------------------+-----------------------------------------------------+
[admin-cntrlr]: virtualservice> l4_policies
New object being created
[admin-cntrlr]: virtualservice:l4_policies> index 10
[admin-cntrlr]: virtualservice:l4_policies> l4_policy_set_ref test-l4-policy-2
[admin-cntrlr]: virtualservice:l4_policies> save
[admin-cntrlr]: virtualservice> save
+------------------------------------+-----------------------------------------------------+
| Field | Value |
+------------------------------------+-----------------------------------------------------+
| uuid | virtualservice-ffdd94a8-31f0-43a5-b173-2b2e84e76b5e |
| name | test-l4-vs-1 |
| enabled | True |
| services[1] | |
| port | 80 |
| enable_ssl | False |
| port_range_end | 80 |
| application_profile_ref | System-L4-Application |
| network_profile_ref | System-TCP-Proxy |
| pool_ref | test-l4-vs-1-pool |
| se_group_ref | Default-Group |
| network_security_policy_ref | vs-test-l4-vs-1-Default-Cloud-ns |
| analytics_policy | |
| full_client_logs | |
| enabled | True |
| duration | 30 min |
| all_headers | False |
| throttle | 10 per_second |
| client_insights | NO_INSIGHTS |
| metrics_realtime_update | |
| enabled | True |
| duration | 30 min |
| udf_log_throttle | 10 per_second |
| significant_log_throttle | 10 per_second |
| enabled | True |
| vrf_context_ref | global |
| enable_autogw | True |
| analytics_profile_ref | System-Analytics-Profile |
| weight | 1 |
| delay_fairness | False |
| max_cps_per_client | 0 |
| limit_doser | False |
| type | VS_TYPE_NORMAL |
| cloud_type | CLOUD_NONE |
| use_bridge_ip_as_vip | False |
| flow_dist | LOAD_AWARE |
| ign_pool_net_reach | False |
| ssl_sess_cache_avg_size | 1024 |
| remove_listening_port_on_vs_down | False |
| close_client_conn_on_config_update | False |
| tenant_ref | admin |
| cloud_ref | Default-Cloud |
| east_west_placement | False |
| scaleout_ecmp | False |
| active_standby_se_tag | ACTIVE_STANDBY_SE_1 |
| flow_label_type | NO_LABEL |
| content_rewrite | |
| rewritable_content_ref | System-Rewritable-Content-Types |
| request_rewrite_enabled | False |
| response_rewrite_enabled | False |
| sideband_profile | |
| sideband_max_request_body_size | 1024 bytes |
| vip[1] | |
| vip_id | 1 |
| ip_address | 10.140.121.100 |
| enabled | True |
| auto_allocate_ip | False |
| auto_allocate_floating_ip | False |
| avi_allocated_vip | False |
| avi_allocated_fip | False |
| vsvip_ref | vsvip-test-l4-vs-1-Default-Cloud |
| use_vip_as_snat | False |
| l4_policies[1] | |
| index | 15 |
| l4_policy_set_ref | test-l4-policy-1 |
| l4_policies[2] | |
| index | 10 |
| l4_policy_set_ref | test-l4-policy-2 |
+------------------------------------+-----------------------------------------------------+
- Statistics immediately after linking the second policy. Both policy sets are now listed, with test-l4-policy-2 first because its link index (10) is lower than that of test-l4-policy-1 (15). All counters are zero because linking a policy clears the Layer 4 policy metrics of the virtual service.
[admin-cntrlr]: > show virtualservice test-l4-vs-1 l4policyset stats
+-----------------------------+--------------------------------------------------+
| Field | Value |
+-----------------------------+--------------------------------------------------+
| se_uuid | 10-140-4-234:se-005056bd449a |
| proc_id | PROC_Aggregate |
| l4_policy_set_stat[1] | |
| uuid | l4policyset-ff17dfef-4ad1-4453-aea1-127f35c5b01e |
| name | test-l4-policy-2 |
| l4_connection_policy_stat | |
| rule_stats[1] | |
| index | 1 |
| name | my-rule-21 |
| hits | 0 |
| evaluated | 0 |
| l4_policy_set_stat[2] | |
| uuid | l4policyset-56548582-dae0-499e-9434-b4ec716f37a7 |
| name | test-l4-policy-1 |
| l4_connection_policy_stat | |
| rule_stats[1] | |
| index | 1 |
| name | my-rule-1 |
| hits | 0 |
| evaluated | 0 |
| rule_stats[2] | |
| index | 2 |
| name | my-rule-2 |
| hits | 0 |
| evaluated | 0 |
| rule_stats[3] | |
| index | 3 |
| name | my-rule-3 |
| hits | 0 |
| evaluated | 0 |
+-----------------------------+--------------------------------------------------+
- After three new TCP connections to port 80 of the virtual service, use the show pool <pool name> server internal command to check the server statistics of each pool and verify that the pool selected by the matching rule was used. test-pool-3, referenced by my-rule-21 of test-l4-policy-2, shows total_connections 3, while the default pool of the virtual service, test-l4-vs-1-pool, shows none: the policy with the lower link index won, and the port 80 rule of test-l4-policy-1 (my-rule-1) was never reached.
[admin-cntrlr]: > show pool test-pool-3 server internal
+--------------------------------+------------------------------+
| Field | Value |
+--------------------------------+------------------------------+
| ip_addr | 10.140.121.39 |
| port | 80 |
| oper_status | |
| state | OPER_UP |
| ref_count | 6 |
| server_stats | |
| current_connections | 0 |
| total_connections | 3 |
| pre_closed_connections | 0 |
| bad_connections | 0 |
| inlhm_skipped | 0 |
| skipped_count | 0 |
| response_time | 0 |
| response_time_var | 0 |
| inlhm_down_duration | 0 |
| inlhm_good_ewma | 0 |
| inlhm_bad_ewma | 0 |
| no_lport | 0 |
| inlhm_letthrough | 0 |
| current_load | 0 |
| inlhm_skip_bypassed | 0 |
| rl_good_fb | 0 |
| rl_bad_fb | 0 |
| capest_rand_max_conn_skipped | 0 |
| skipped_get_next_count | 0 |
| se_uuid | 10-140-4-234:se-005056bd449a |
| ck_prst_id | 1666673515 |
| vm_powered_on_count | 0 |
| vm_powered_off_count | 0 |
| vm_powered_on | True |
| nat_ip_addr | 10.140.121.39 |
| nat_port | 80 |
| nat_hostname | 10.140.121.39 |
| local | 1 |
| loc_invalid | True |
| max_conn_pc | 0 |
| current_open_conns | 0 |
| negative_open_conns | 0 |
+--------------------------------+------------------------------+
[admin-cntrlr]: >
[admin-cntrlr]: >
[admin-cntrlr]: > show pool test-l4-vs-1-pool server internal
+--------------------------------+------------------------------+
| Field | Value |
+--------------------------------+------------------------------+
| ip_addr | 10.140.123.61 |
| port | 80 |
| oper_status | |
| state | OPER_UP |
| ref_count | 6 |
| server_stats | |
| current_connections | 0 |
| total_connections | 0 |
| pre_closed_connections | 0 |
| bad_connections | 0 |
| inlhm_skipped | 0 |
| skipped_count | 0 |
| response_time | 0 |
| response_time_var | 0 |
| inlhm_down_duration | 0 |
| inlhm_good_ewma | 0 |
| inlhm_bad_ewma | 0 |
| no_lport | 0 |
| inlhm_letthrough | 0 |
| current_load | 0 |
| inlhm_skip_bypassed | 0 |
| rl_good_fb | 0 |
| rl_bad_fb | 0 |
| capest_rand_max_conn_skipped | 0 |
| skipped_get_next_count | 0 |
| se_uuid | 10-140-4-234:se-005056bd449a |
| ck_prst_id | 1198880870 |
| vm_powered_on_count | 0 |
| vm_powered_off_count | 0 |
| vm_powered_on | True |
| nat_ip_addr | 10.140.123.61 |
| nat_port | 80 |
| nat_hostname | 10.140.123.61 |
| local | 1 |
| loc_invalid | True |
| max_conn_pc | 0 |
| current_open_conns | 0 |
| negative_open_conns | 0 |
+--------------------------------+------------------------------+
[admin-cntrlr]: > exit