Configure Fast ACLs

Objective

This guide provides instructions on how to configure Volterra Fast Access Control Lists (ACLs). A Fast ACL protects Volterra sites from Denial of Service (DoS) attacks and can be applied to both Customer Edge (CE) sites and Regional Edge (RE) sites. For more information on Volterra sites, see Volterra Site.

Using Volterra Fast ACLs, you can block traffic from a specific source or apply a rate limit to the traffic from a specific source. You can also refine the protection by filtering traffic on source address, source port, destination address, destination port, and protocol.

A Volterra Fast ACL consists of the following three types of objects:

  • Fast ACL Rule - A rule specifies the source to which incoming traffic belongs and the action for those packets. The source can be an IP prefix or a prefix set. The action can be allow, reject, or a policer that specifies a rate limit. A policer can also restrict the rule to a specific protocol of the source packets.
  • Fast ACL - The Fast ACL object combines one or more rules and specifies the destination for the packets. You can also specify a protocol for the destination using a policer.
  • Fast ACL Set - The set combines one or more Fast ACLs and is applied on a CE using the fleet configuration, or on an RE by naming the set fast-acl-set-regional-edge.

Unlike session-based ACLs, where the action is computed only on the first packet of a session, Fast ACL rules are evaluated for every ingress packet. The Fast ACL also selects the matching source rule by longest prefix match, which is faster than a traditional ACL, where rules are evaluated in order.

Note: If none of the rules matches, the default action is to forward the packet.
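The evaluation semantics described above (per-packet evaluation, longest prefix match on the source, default forward, and the allow/deny/policer actions) are easy to misread, so here is a small simulation of them. This is an added example, not Volterra code: the rule and packet shapes, the token-bucket model of a policer, and the assumption that a protocol policer leaves other protocols from the same source unmetered are all assumptions made for the illustration.

```python
"""Simulation of Fast ACL per-packet evaluation.

Added example, not Volterra code: models the semantics described on this
page (rules evaluated for every ingress packet, source picked by longest
prefix match, default action forward, actions allow/deny/policer).
The token-bucket policer and the rule/packet shapes are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


class Policer:
    """Token-bucket rate limiter standing in for a Volterra policer (assumed model)."""

    def __init__(self, rate_pps: float, burst: int) -> None:
        self.rate_pps = rate_pps
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0  # timestamp of the previous admit() call; clock is injected

    def admit(self, now: float) -> bool:
        """Refill by elapsed time, then spend one token if one is available."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate_pps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class FastAclRule:
    prefix: ipaddress.IPv4Network        # source prefix (a prefix set would be several of these)
    action: str                          # "allow", "deny" or "policer"
    policer: Optional[Policer] = None    # required when action == "policer"
    protocol: Optional[str] = None       # set for a protocol policer: "tcp", "udp", "icmp", "dns"


def evaluate(rules: List[FastAclRule], src_ip: str, protocol: str, now: float) -> str:
    """Evaluate one ingress packet and return "forward" or "drop".

    Called once per packet: nothing is cached per session. Among the rules
    whose source prefix contains src_ip, the longest prefix wins; if no rule
    matches, the page's default action (forward) applies.
    """
    src = ipaddress.IPv4Address(src_ip)
    matching = [r for r in rules if src in r.prefix]
    if not matching:
        return "forward"
    rule = max(matching, key=lambda r: r.prefix.prefixlen)
    if rule.action == "allow":
        return "forward"
    if rule.action == "deny":
        return "drop"
    if rule.policer is None:
        raise ValueError("policer action without a policer")
    # Assumption: a protocol policer only meters packets of its own protocol
    # and lets other protocols from that source through unmetered.
    if rule.protocol is not None and rule.protocol != protocol:
        return "forward"
    return "forward" if rule.policer.admit(now) else "drop"


def demo() -> List[str]:
    """Constructed rule set and packet trace showing how the match is chosen."""
    rules = [
        FastAclRule(ipaddress.IPv4Network("10.0.0.0/8"), "allow"),
        FastAclRule(ipaddress.IPv4Network("10.1.0.0/16"), "deny"),
        FastAclRule(ipaddress.IPv4Network("10.1.2.0/24"), "policer",
                    policer=Policer(rate_pps=2.0, burst=2), protocol="udp"),
    ]
    packets = [
        ("10.7.7.7", "tcp", 0.0),     # only /8 matches -> allow
        ("10.1.9.9", "tcp", 0.0),     # /16 is longer than /8 -> deny
        ("10.1.2.5", "udp", 0.0),     # /24 beats /16: policer, burst token 1 of 2
        ("10.1.2.5", "udp", 0.0),     # burst token 2 of 2
        ("10.1.2.5", "udp", 0.0),     # bucket empty -> drop
        ("10.1.2.5", "tcp", 0.0),     # other protocol -> not metered
        ("10.1.2.5", "udp", 1.0),     # one second later, refilled at 2 pps -> forward
        ("192.168.1.1", "tcp", 1.0),  # no rule matches -> default forward
    ]
    return [evaluate(rules, ip, proto, t) for ip, proto, t in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The trace shows the point of longest prefix match: a UDP packet from 10.1.2.5 is metered by the /24 policer rule even though the broader /16 rule would deny it, and a packet from an address no rule covers is forwarded by default rather than dropped.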


Prerequisites

The following prerequisites apply:

  • Volterra Account

  • A Volterra CE site, if you are applying the Fast ACLs on a CE site.

    • Note: If you do not have a site, create one using the instructions in the Create a Site guide.
  • A fleet, if you are applying the Fast ACLs on a CE site.

    • Note: See the Create Fleet guide for instructions on creating a fleet.
  • An application deployed using Volterra vK8s or served using a Volterra virtual host.


Configuration

Applying Fast ACLs for a CE site requires you to associate the Fast ACLs to a fleet in which that CE site is a member. The following image illustrates the sequence of applying Fast ACLs to a CE site:

Figure: Fast ACL Configuration Sequence For CE Site

Applying Fast ACLs for an RE site requires you to create the Fast ACL set with the name fast-acl-set-regional-edge. The following image illustrates the sequence of applying Fast ACLs to an RE site:

Figure: Fast ACL Configuration Sequence For RE Site

Configuration Sequence

Creating Fast ACLs and applying them on a CE site requires the following sequence of actions:

  1. Create Fast ACL Rule - Create a rule object specifying the IP prefix, action, and optional policer.
  2. Create Fast ACL - Create a Fast ACL object with the created rule, destination, and optional policer.
  3. Create Fast ACL Set - Create a Fast ACL set with the created Fast ACL.
  4. Create Network Firewall - Create a network firewall applying the Fast ACL set.
  5. Create Fleet - Create a fleet with the network firewall.
  6. Add Site to Fleet - Update your CE site by adding it to the created fleet.

Note: You can also add the Fast ACL set to an existing network firewall that is already associated with an existing fleet.

Creating Fast ACLs and applying them on an RE site requires the following sequence of actions:

  1. Create Fast ACL Rule - Create a rule object specifying the IP prefix, action, and optional policer.
  2. Create Fast ACL - Create a Fast ACL object with the created rule, destination, and optional policer.
  3. Create Fast ACL Set - Create a Fast ACL set with the created Fast ACL.

Configure Fast ACLs

Configuring Fast ACLs for a CE site requires you to create the Fast ACLs, apply them to a network firewall, apply the firewall to a fleet, and add the fleet label to the CE site.

For an RE site, creating the Fast ACL rules, Fast ACLs, and a Fast ACL set is sufficient. However, the Fast ACL set must be named fast-acl-set-regional-edge.

Note: This example assumes that you have one application provisioned using a Volterra virtual host and another application deployed using Volterra vK8s.

Create Fast ACL Rule

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACL Rules under the Network Security in the options. Click Add fast ACL rule. The Fast ACL rule creation form loads.

Step 2: Set a name and select Prefix or IP prefix set for the Source field. Enter an IP prefix or IP prefix set accordingly using the Add prefix or Select ref options. This example adds a prefix using the Add prefix option.

Figure: Fast ACL Rule Creation

Step 3: Select an action for the Action field as per the following guidelines:

  • Select Simple Action and select Deny or Allow for the Simple Action field. This simply creates a rule that either rejects or allows the traffic from the configured source.
  • Select Policer Action and click Select ref to select and apply a policer. This applies rate limiting for the traffic originating from the configured source.
  • Select Protocol Policer Action and click Select ref to select and apply a protocol policer. This applies rate limiting for the traffic of the specified protocol originating from the configured source. The supported protocols are TCP, UDP, ICMP, and DNS.

Note: Before applying a policer or protocol policer, you must create it using the Policer or Protocol Policer options in the Security configuration.

Step 4: Click Add fast ACL rule to complete creating the Fast ACL rule.

Figure: Fast ACL Rule Configuration

On RE sites, rules from different tenants can overlap for the following reasons:

  • The ves.io tenant and a non-ves.io tenant create rules for the same destination.
  • The ves.io tenant creates rules for a subnet that contains a destination IP configured by a non-ves.io tenant.

The conflict caused by such an overlap is resolved using the following mechanism:

  1. Any rule with the action DENY has the highest priority, irrespective of tenant.
  2. If the action is not DENY, rules from the ves.io tenant take priority over those of the non-ves.io tenant.
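The two priority rules above, as an added example that is not Volterra code: the entries are constructed, the tenant name acme is invented for the illustration, and the entry shape (tenant, destination network, action) is an assumption. The second case in the list, a ves.io subnet rule containing a destination IP that another tenant has configured, is the one the 203.0.113.10 entry exercises.

```python
"""Resolution of overlapping Fast ACL entries on an RE site.

Added example, not Volterra code: implements the two priority rules stated
on this page (any DENY wins regardless of tenant; otherwise the ves.io
tenant's entry beats a non-ves.io tenant's). The entry shape and the tenant
names other than ves.io are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TenantEntry:
    tenant: str                         # "ves.io" or a customer tenant (constructed names below)
    destination: ipaddress.IPv4Network  # a subnet, or a /32 for a single destination IP
    action: str                         # "DENY", "ALLOW" or "POLICER"


def resolve(entries: List[TenantEntry], dst_ip: str) -> Optional[TenantEntry]:
    """Pick the entry that applies to dst_ip when several tenants' entries overlap."""
    dst = ipaddress.IPv4Address(dst_ip)
    overlapping = [e for e in entries if dst in e.destination]
    if not overlapping:
        return None

    def priority(e: TenantEntry):
        # Lower tuple sorts first: DENY before any other action, then ves.io before other tenants.
        return (0 if e.action == "DENY" else 1, 0 if e.tenant == "ves.io" else 1)

    return min(overlapping, key=priority)


def demo() -> Dict[str, Optional[TenantEntry]]:
    """Constructed entries: a ves.io subnet rule overlapping two host rules of tenant 'acme'."""
    entries = [
        TenantEntry("ves.io", ipaddress.IPv4Network("203.0.113.0/24"), "ALLOW"),
        TenantEntry("acme", ipaddress.IPv4Network("203.0.113.10/32"), "DENY"),
        TenantEntry("acme", ipaddress.IPv4Network("203.0.113.20/32"), "POLICER"),
    ]
    return {ip: resolve(entries, ip) for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.1")}


if __name__ == "__main__":
    for ip, entry in demo().items():
        print(ip, "->", "no entry" if entry is None else f"{entry.tenant} {entry.action}")
```

For 203.0.113.10 the customer tenant's DENY wins over the ves.io ALLOW (rule 1); for 203.0.113.20 neither entry is a DENY, so the ves.io entry wins over the customer's POLICER (rule 2).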

Create Fast ACL

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACLs under the Network Security in the options. Click Add fast ACL. The Fast ACL creation form loads.

Step 2: Set a name and select a choice for the Virtual Network Type field. This example selects Site Local Network.

Note: For a Fast ACL on an RE site, only the Public Network is supported.

Step 3: Select a choice for the Ip Type field as per the following guidelines:

  • Select VIP services to set the VIP configured for the service. On a CE site, the ves.io tenant cannot set this. On an RE site, if the ves.io tenant sets this, the VIPs assigned to all tenants are selected; if a non-ves.io tenant sets this, only the VIP assigned to that tenant is selected.

Note: Selecting VIP services does not include the VIP of the service interface.

  • Select All services to set the VIP configured for the service. On a CE site, the ves.io tenant cannot set this, and a non-ves.io tenant selects all VIPs, including the VIP of the service interface. On an RE site, if the ves.io tenant sets this, the VIPs assigned to all tenants, including the VIP of the service interface, are selected; if a non-ves.io tenant sets this, only the VIP assigned to that tenant is selected.
  • Select Destination IP Address and specify the IP address using the Add address option. This option is supported only on the RE site and only for the ves.io tenant. When this option is selected, you can also specify a destination port using the Add port option.
  • Select Interface Services to set the IP address of the interface configured for the service. The ves.io tenant cannot set this on a CE site. A non-ves.io tenant cannot set this on an RE site.

This example sets a destination IP address.

Figure: Fast ACL IP Type and Destination

Step 4: Click Select source rule and select the rule you created in the Create Fast ACL Rule chapter. Click Select source rule again to apply the rule.

Figure: Fast ACL Source Rule Addition

Step 5: Optionally, apply a protocol policer using the Select default protocol policer field. The supported protocols are TCP, UDP, ICMP, and DNS.

Step 6: Click Add fast ACL to complete creating the Fast ACL.


Create Fast ACL Set

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACL Sets under the Network Security in the options. Click Add fast ACL set. The Fast ACL set creation form loads.

Step 2: Set a name and click Select ACL list. Select the ACL created in the Create Fast ACL chapter and click Select ACL list to apply the ACL.

Figure: Fast ACL Set Creation

Note: Set the name to fast-acl-set-regional-edge when configuring Fast ACLs for an RE site.

Step 3: Click Add fast ACL set to complete creating the Fast ACL set.

Note: When configuring Fast ACLs for an RE site, sets from all tenants are applied. However, if there is an overlap between the ves.io tenant and a non-ves.io tenant, the action of the ves.io tenant is applied.


Create Network Firewall and Fleet

Creating a network firewall with the Fast ACL set and associating it with a fleet is required only if you are configuring the Fast ACLs for a CE site.

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Network Firewall under the Network Security in the options. Click Add network firewall to open the network firewall creation form.

Step 2: Set a name and apply network policy or forward proxy service policy as per your choice.

Step 3: Click Select fast ACL set and select the Fast ACL set created in the Create Fast ACL Set chapter. Click Create Fast ACL Set to add the Fast ACL set to the network firewall configuration.

Figure: Addition of Fast ACL Set to Network Firewall

Note: You can also update an existing firewall using the ...->Edit option.

Step 4: Click Add network firewall to complete creating the network firewall.

Step 5: Create a fleet as per the instructions in the Create a Fleet of Sites guide. Apply the network firewall created in Step 4 to the fleet.

Note: You can also update an existing fleet.


Add Site to the Fleet

Adding the site to the fleet is required only if you are configuring Fast ACLs for a CE site.

Step 1: Log into the VoltConsole and select Sites from the configuration pane. Select Site List from the options.

Step 2: Select your site from the list of displayed sites and click ...->Edit to open the site edit form.

Step 3: Select the ves.io/fleet label in the Labels field and select your fleet label.

Step 4: Click Save changes to add your site to the fleet.

Figure: Site Addition to Fleet
