Fast ACLs

Objective

This guide provides instructions on how to configure Volterra Fast Access Control Lists (ACLs). A Fast ACL protects Volterra sites from Denial of Service (DoS) attacks and can be applied to both Customer Edge (CE) sites and Regional Edge (RE) sites. For more information on Volterra sites, see Volterra Site.

Using Volterra Fast ACLs, you can block traffic from a specific source or rate-limit traffic from a specific source. You can also refine the protection by filtering traffic on source address, source port, destination address, destination port, and protocol.

The Volterra Fast ACL consists of the following types of objects:

  • Fast ACLs - A Fast ACL object combines one or more rules and specifies the destination for the packets. A rule specifies the source to which incoming traffic belongs and the action to take on those packets. The source can be an IP prefix or a prefix set. The action can be allow, reject, or a policer that specifies a rate limit. A protocol policer lets you rate-limit by protocol, either per rule for the source packets or as the default for the destination.
  • Fast ACLs for Internet VIPs - This set combines one or more Fast ACLs and is applied on an RE site.

Unlike session-based ACLs, where the action is computed only on the first packet of a session, Fast ACL rules are evaluated for every ingress packet. A Fast ACL also selects the source rule by longest prefix match, which is faster than a traditional ACL, where rules are evaluated in order.

Note: If none of the rules match, the default action is to forward the packet.


Prerequisites

The following prerequisites apply:

  • Volterra Account

  • A Volterra CE site, if you are applying the Fast ACLs to a CE site.

    • Note: If you do not have a site, create one using the instructions in the Create a Site guide.
  • A fleet, if you are applying the Fast ACLs to a CE site.

    • Note: See the Create Fleet guide for instructions on creating a fleet.
  • An application deployed using Volterra vK8s or served using the HTTP load balancer.


Configuration

Applying Fast ACLs for a CE site requires you to associate the Fast ACLs to a fleet in which that CE site is a member. The following image illustrates the sequence of applying Fast ACLs to a CE site:

Figure: Fast ACL Configuration Sequence For CE Site

Applying Fast ACLs for an RE site requires you to create a Fast ACLs for Internet VIPs object that references the Fast ACL objects. The following image illustrates the sequence of applying Fast ACLs to an RE site:

Figure: Fast ACL Configuration Sequence For RE Site

Creating Fast ACLs and applying them to a CE site requires you to create a Fast ACL object with its rules in VoltConsole and apply it in the network firewall that is associated with a fleet. The fleet label is then applied to the CE site on which you want the Fast ACLs enforced.

Note: You can create and apply Fast ACLs and the network firewall as part of fleet creation itself. Alternatively, you can create Fast ACLs and apply them to an existing network firewall that is associated with an existing fleet.


Configure Fast ACLs

Configuring Fast ACLs for a CE site requires you to create the Fast ACLs, apply them to a network firewall, apply the firewall to a fleet, and add the fleet label to the CE site.

For an RE site, creating the Fast ACLs and a Fast ACLs for Internet VIPs object is sufficient.

Note: This example assumes that you have one application provisioned using a Volterra HTTP load balancer and another application deployed using Volterra vK8s.

Step 1: Start Fast ACL creation.

Log into the VoltConsole and select Security from the configuration menu. Select Firewall -> Fast ACLs in the options. Click Add Fast ACL. The Fast ACL creation form loads.

Figure: Fast ACL Creation

Step 2: Configure site type.

Go to Fast ACL Type section and do the following:

  • Select an option for the Select Site Type For acl field: Site Type Customer Edge for CE sites or Site Type Regional Edge for RE sites.
  • Click Configure under the Site Type Customer Edge or Site Type Regional Edge field, according to your site type selection, and configure the Destination section as described below for that site type.

Site Type Customer Edge

  • Select inside or outside network for the Select Network field.
  • Select an option for the Select Destination IP field as per the following guidelines:

    • Select All Interface IP(s) as VIP to match all IP addresses assigned to the interfaces.
    • Select Configured VIP(s) to match the configured VIPs for the destinations.
    • Select All VIP(s) to match all interface IPs and configured VIPs.

Figure: Site Type CE Destination Configuration

Site Type Regional Edge

Select an option for the Select VIP(s) field as per the following guidelines:

  • Select ALL Public VIP(s) to apply the fast ACL to all VIPs for the destinations.
  • Select Default Tenant VIP to apply the fast ACL to the default VIP of the tenant.

Figure: Site Type RE Destination Options

  • Select List of Specific VIP(s) and do the following:

    • Optionally, enable the Include Tenant VIP option.
    • Select one or more public IPs for the Select Public VIP(s) field. You can add more than one entry using the Add item option.

Figure: Site Type RE Destination Specific VIPs

Note: Public IPs are a prerequisite for the List of Specific VIP(s) option.

Step 3: Configure source rules.

Enter a name for the rule and perform the following steps:

Step 3.1: Configure an action.

Select an action for the Action field as per the following guidelines:

  • Select Simple Action and select Deny or Allow for the Simple Action field. This simply creates a rule that either rejects or allows the traffic from the configured source.
  • Select Policer Action and click Select ref to select and apply a policer. This applies rate limiting for the traffic originating from the configured source.
  • Select Protocol Policer Action and click Select ref to select and apply a protocol policer. This applies rate limiting for the traffic of the specified protocol originating from the configured source. The supported protocols are TCP, UDP, ICMP, and DNS.

Note: Before applying a policer or protocol policer, you must create it using the Policer or Protocol Policer options in the Security configuration.

Step 3.2: Set source ports.

Go to the Source Ports section and configure the Port Value Type as per the following guidelines:

  • Select All port to match all source ports.
  • Select User defined port and enter a port number in the User defined port field.
  • Select DNS port to match DNS port (53).

Note: Use Add item option to add more ports.

Step 3.3: Set a source prefix or prefix set.

  • Select Prefix or IP prefix set for the Source field. Enter an IP prefix or IP prefix set accordingly using the Prefix or Select ref option. This example adds a prefix using the Prefix option.

Figure: Fast ACL Rule Creation

Note: Use Add item option to add more rules.

  • Click Apply to add the source rules and return to the site type configuration form.
  • Click Apply to return to the Fast ACL configuration form.

Step 4: Complete creating the Fast ACL.

  • Go to the Fast ACL Protocol Policer section. Select a protocol policer, or click Create new protocol policer, for the Default Protocol Policer field.

Note: If you select the Create new protocol policer option, configure all the fields in the new protocol policer configuration page and click Continue to create the policer, apply it, and return to the Fast ACL configuration form.

  • Click Save and Exit in the Fast ACL configuration form. This creates the Fast ACL object.

Note: On RE sites, rules can overlap for the following reasons:

  • The ves.io tenant and a non ves.io tenant create rules for the same destination.
  • The ves.io tenant creates rules for a subnet that contains a destination IP configured by a non ves.io tenant.

Conflicts due to overlapping rules are resolved using the following mechanism:

  • Any rule with action DENY has the highest priority, irrespective of tenant.
  • If the action is not DENY, rules from the ves.io tenant get priority over rules from the non ves.io tenant.
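The following Python model is an added illustration, not Volterra's code, of the evaluation semantics stated earlier in this guide (rules are evaluated per ingress packet, the source rule is chosen by longest prefix match rather than in order, and an unmatched packet is forwarded) combined with the RE-site overlap resolution just described (DENY wins irrespective of tenant, otherwise the ves.io tenant's rule wins). It assumes that longest prefix match is applied within each Fast ACL and that overlap resolution is applied across the rules matched by every Fast ACL whose destination covers the packet; the ACL names, prefixes, tenant labels and rate value are constructed sample data. Running it with sample packets helps a reviewer predict, before deployment, which rule will win for a given source and destination.

```python
"""Toy model of Fast ACL evaluation (added example, not Volterra's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                  # source IP prefix, e.g. "198.51.100.0/24"
    action: str                  # "ALLOW", "DENY" or "POLICER"
    rate_pps: Optional[int] = None   # toy rate limit carried by a POLICER action


@dataclass
class FastAcl:
    name: str
    destination: str             # destination VIP or prefix this ACL protects
    tenant: str                  # "ves.io" or "non-ves.io" (assumed labels)
    rules: List[Rule] = field(default_factory=list)


def longest_prefix_match(rules: List[Rule], src_ip: str) -> Optional[Rule]:
    """Pick the rule whose source prefix is the longest match for src_ip.

    The order of `rules` does not matter, unlike a sequential ACL."""
    ip = ip_address(src_ip)
    best, best_len = None, -1
    for rule in rules:
        net = ip_network(rule.source, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = rule, net.prefixlen
    return best


def evaluate_packet(acls: List[FastAcl], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Evaluate one packet; returns (verdict, "acl/rule") or ("FORWARD", None).

    Called once per packet, which mirrors per-packet (not per-session) evaluation."""
    dst = ip_address(dst_ip)
    candidates = []
    for acl in acls:
        if dst in ip_network(acl.destination, strict=False):
            rule = longest_prefix_match(acl.rules, src_ip)
            if rule is not None:
                candidates.append((acl, rule))
    if not candidates:
        return ("FORWARD", None)          # default action: no rule matched

    # Overlap resolution across tenants: DENY beats everything, then ves.io wins.
    def priority(pair):
        acl, rule = pair
        return (rule.action == "DENY", acl.tenant == "ves.io")

    acl, rule = max(candidates, key=priority)
    verdict = {"DENY": "DENY", "ALLOW": "ALLOW", "POLICER": "POLICE"}[rule.action]
    return (verdict, f"{acl.name}/{rule.name}")


# Constructed sample configuration: a non ves.io tenant protects one VIP, while the
# ves.io tenant has rules for the subnet that contains that VIP (the overlap case).
SAMPLE_ACLS = [
    FastAcl("tenant-a-acl", "203.0.113.10/32", "non-ves.io", [
        Rule("allow-office", "198.51.100.0/24", "ALLOW"),
        Rule("police-office-host", "198.51.100.7/32", "POLICER", rate_pps=100),
        Rule("deny-noisy", "10.9.9.0/24", "DENY"),
    ]),
    FastAcl("platform-acl", "203.0.113.0/24", "ves.io", [
        Rule("deny-scanner", "192.0.2.0/24", "DENY"),
        Rule("allow-all-v4", "0.0.0.0/0", "ALLOW"),
    ]),
]


if __name__ == "__main__":
    # Constructed packet stream (source, destination).
    packets = [("198.51.100.7", "203.0.113.10"), ("198.51.100.20", "203.0.113.10"),
               ("10.9.9.1", "203.0.113.10"), ("192.0.2.5", "203.0.113.50"),
               ("10.1.1.1", "203.0.113.10")]
    for src, dst in packets:
        print(src, "->", dst, evaluate_packet(SAMPLE_ACLS, src, dst))
```

Passing only the first ACL shows the single-ACL behaviour: the /32 policer rule beats the /24 allow rule for 198.51.100.7 whichever order the rules are listed in, and a source no rule covers is forwarded. Passing both ACLs shows the overlap resolution: the non ves.io tenant's DENY for 10.9.9.0/24 wins over the ves.io allow-all, while for 198.51.100.7 the ves.io tenant's ALLOW takes priority over the non ves.io POLICER, because neither action is DENY.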

Create Fast ACLs for Internet VIPs

Applying Fast ACLs for RE sites requires you to create a Fast ACLs for Internet VIPs object and associate the Fast ACL objects with it. You can either attach an existing Fast ACL object for an RE site or create a new Fast ACL object from within the Fast ACLs for Internet VIPs object. This example shows attaching an existing Fast ACL object.

Perform the following to create and apply Fast ACLs to RE sites:

Step 1: Start Fast ACLs for Internet VIPs object creation.

Log into the VoltConsole and select Security from the configuration menu. Select Firewall -> Fast ACLs for Internet VIPs in the options. Click Select Fast ACLs for Internet VIPs.

Step 2: Attach Fast ACL objects.
  • Click Select fast ACL and select the Fast ACL objects from the displayed list. You can also click Add new option to create and attach new Fast ACLs.

Figure: Fast ACLs for Internet VIPs Configuration

Note: If you create a new Fast ACL using the Add new option, click Continue in the Fast ACL configuration form to create it and attach it to the Fast ACLs for Internet VIPs configuration.

  • Click Select fast ACL to attach the Fast ACL object to the Fast ACLs for Internet VIPs object configuration.

Figure: Fast ACLs for Internet VIPs Creation

Step 3: Complete creating Fast ACLs for Internet VIPs object.

Click Save and Exit to complete creating the Fast ACLs for Internet VIPs object.


Apply Fast ACLs to a CE Site

Applying Fast ACLs created for a CE site requires you to add the Fast ACL to the network firewall associated with the fleet that includes that CE site. See Create a Fleet for information on fleet creation. See Network Firewall for information on firewall creation. This example shows how to apply a Fast ACL to an existing firewall associated with a fleet of sites.

To enable fast ACLs for a CE site, perform the following actions:

Step 1: Navigate to the network firewall and edit its configuration.

Navigate to Security -> Firewall -> Network Firewall. Click ... -> Edit for your firewall that is part of the fleet to which your site belongs.

Step 2: Attach the fast ACLs to network firewall and save configuration.
  • Go to the fast ACL section in the firewall configuration and select Active Fast ACL(s) or Fast ACL Set(Legacy) for the Select Fast ACL Configuration field. Select a fast ACL or fast ACL set accordingly from the displayed selection field. This example selects an existing fast ACL.

Figure: Apply Fast ACL to Network Firewall

  • Click Save and Exit.
