Fast ACLs-Old

Objective
Prerequisites
Configuration
Configuration Sequence
Configure Fast ACLs
Create Fast ACL Rule
Create Fast ACL
Create Fast ACL Set
Create Network Firewall and Fleet
Add Site to the Fleet
Concepts
API References

Objective

This guide provides instructions on how to configure Volterra Fast Access Control Lists (ACL). A Fast ACL protects Volterra sites from the Denial of Service (DoS) attacks and can be applied to both Customer Edge (CE) site and Regional Edge (RE) site. For more information on Volterra sites, see Volterra Site.

Using the Volterra Fast ACLs, you can block traffic from specific source or apply rate limit to the traffic from the specific source. You can also enhance protection by filtering traffic based on source address, source port, destination address, destination port, and protocol.

The Volterra Fast ACL consists of the following 3 types of objects:

Fast ACL Rule - A rule specifies the source to which the incoming traffic belongs and the action for those packets. The source can be an IP prefix or prefix set. Action can be allow or reject or a policer specifying rate limit. You can also specify the protocol of the source packets using the policer.
Fast ACL - The Fast ACL object combines one or more rules and specifies the destination for the packets. You can also specify protocol for the destination using the policer.
Fast ACL Set - The set combines one or more Fast ACLs and is applied on a CE using the fleet configuration or on a RE using the fast-acl-set-regional-edge name for the set.

Unlike session based ACLs where action is calculated only on first packet in session, the Fast ACL rules are evaluated for each ingress packet. Also, the Fast ACL picks source based on the longest prefix match for faster processing. This differs from traditional ACL where rules are evaluated in order.

Note: If none of the rules match, then default action is to forward the packet.

Prerequisites

The following prerequisites apply:

Volterra Account

Note: If you do not have an account, see Create a Volterra Account.

A Volterra CE site in case of applying the fast ACLs on CE site.

Note: If you do not have a site, create a site using the instructions included in the Create a Site guide.

A fleet in case of applying the fast ACLs on CE site.

Note: See Create Fleet guide for instructions on creating fleet.

An application deployed using Volterra vK8s or served using the HTTP load balancer.

Note: See vK8s Deployment guide to deploy your applications on Volterra network cloud or edge cloud. See Create HTTP Load Balancer for instructions on configuring load balancer.

Configuration

Applying Fast ACLs for a CE site requires you to associate the Fast ACLs to a fleet in which that CE site is a member. The following image illustrates the sequence of applying Fast ACLs to a CE site:

CnfSeqCE — Figure: Fast ACL Configuration Sequence For CE Site

Applying Fast ACLs for an RE site requires you to create the Fast ACL set with the fast-acl-set-regional-edge name. The following image illustrates the sequence of applying Fast ACLs to a RE site:

CnfSeqRE — Figure:Fast ACL Configuration Sequence For RE Site

Configuration Sequence

Creating Fast ACLs and applying on CE site requires you to perform the following sequence of actions.

Phase	Description
Create Fast ACL Rule	Create a rule object specifying the IP prefix, action, and optional policer.
Create Fast ACL	Create a Fast ACL object with the created rule, destination, and optional policer.
Create Fast ACL Set	Create a Fast ACL set with the created Fast ACL.
Create Network Firewall	Create a network firewall applying the Fast ACL set.
Create Fleet	Create a fleet with the network firewall.
Add Site to Fleet	Update your CE site by adding it to the created fleet.

Note: You can also add Fast ACL to an existing network firewall that is associated with an existing fleet.

Creating Fast ACLs and applying on RE site requires you to perform the following sequence of actions.

Phase	Description
Create Fast ACL Rule	Create a rule object specifying the IP prefix, action, and optional policer.
Create Fast ACL	Create a Fast ACL object with the created rule, destination, and optional policer.
Create Fast ACL Set	Create a Fast ACL set with the created Fast ACL.

Configure Fast ACLs

Configuring fast ACLs for the CE site requires you to create fast ACLs, apply them to network firewall, apply the firewall to fleet, and adding the fleet label to the CE site.

In case of RE site, creating Fast ACL rules, Fast ACLs, and Fast ACL set is sufficient. However, the Fast ACL set name should be configured as fast-acl-set-regional-edge.

Note: This example assume that you have one application provisioned using a Volterra virtual host and another application deployed using Volterra vK8s.

Create Fast ACL Rule

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACL Rules under the Network Security in the options. Click Add fast ACL rule. The Fast ACL rule creation form loads.

Step 2: Set a name and select Prefix or IP prefix set for the Source field. Enter an IP prefix or IP prefix set accordingly using the Add prefix or Select ref options. This example adds a prefix using the Add prefix option.

FACLRule — Figure: Fast ACL Rule Creation

Step 3: Select an action for the Action field as per the following guidelines:

Select Simple Action and select Deny or Allow for the Simple Action field. This simply creates a rule that either rejects or allows the traffic from the configured source.
Select Policer Action and click Select ref to select and apply a policer. This applies rate limiting for the traffic originating from the configured source.
Select Protocol Policer Action and click Select ref to select and apply a protocol policer. This applies rate limiting for the traffic of the specified protocol originating from the configured source. The supported protocols are TCP, UDP, ICMP, and DNS.

Note: Before applying policer or protocol policer, it is required to create them using the Policer or Protocol Policer options in the Security configuration.

Step 4: Click Add fast ACL rule to complete creating the Fast ACL rule.

RuleCfg — Figure: Fast ACL Rule Configuration

In case of RE sites, there could be rule overlapping due to the following:

The ves.io tenant and non ves.io tenant create rules for same destination.
ves.io tenant creates rules for subnet which contains destination IP configured by the non ves.io tenant.

The conflict due to the overlapping is addressed using the following mechanism:

Any rule which has action DENY has highest priority irrespective of tenant.
If action is not DENY, then rules from the ves.io tenant gets priority over the non ves.io tenant.

Create Fast ACL

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACLs under the Network Security in the options. Click Add fast ACL. The Fast ACL creation form loads.

Step 2: Set a name and select a choice for the Virtual Network Type field. This example selects Site Local Network.

Note: In case of Fast ACL for RE site, only the Public Network is supported.

Step 3: Select a choice for the Ip Type field as per the following guidelines:

Select VIP services to set the VIP configured for the service. In case of CE site, the ves.io tenant cannot set this. In case of RE site, if the ves.io tenant sets this, all VIPs assigned for all tenants are selected. If non ves.io tenant sets this, then only the VIP assigned for that tenant is selected.

Note: Selecting VIP services does not include the VIP from the interface of the service.

Select All services to set the VIP configured for the service. In case of CE site, the ves.io tenant cannot set this and the non ves.io tenant selects all VIPs including the VIP of the service interface. In case of RE site, if the ves.io tenant sets this, all VIPs assigned for all tenants including the VIP of the service interface are selected. If non ves.io tenant sets this, then only the VIP assigned for that tenant is selected.
Select Destination IP Address and specify the IP address using the Add address option. This option is supported only for the RE site and the ves.io tenant. When this option is selected, you can also specify a destination port using the Add port option.
Select Interface Services to set the IP address of the interface configured for the service. The ves.io tenant cannot set this on the CE site. The non ves.io tenant cannot set this on the RE site.

This example sets a destination IP address.

FACL — Figure: Fast ACL IP Type and Destination

Step 4: Click Select source rule and select the rule you created in the Create Fast ACL Rule chapter. Click Select source rule again to apply the rule.

FACLDest — Figure: Fast ACL Source Rule Addition

Step 5: Optionally, apply a protocol policer using the Select default protocol policer field. The supported protocols are TCP, UDP, ICMP, and DNS.

Step 6: Click Add fast ACL to complete creating the Fast ACL.

Create Fast ACL Set

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACL Sets under the Network Security in the options. Click Add fast ACL set. The Fast ACL set creation form loads.

Step 2: Set a name and click Select ACL list. Select the ACL created in the Create Fast ACL chapter and click Select ACL list to apply the ACL.

Note: Set the name as fast-acl-set-regional-edge in case of configuring Fast ACLs for RE site.

Step 3: Click Add fast ACL set to complete creating the Fast ACL set.

Note: In case of configuring Fast ACLs for the RE site, sets from all tenants are applied. However, if there is an overlap between ves.io and non ves.io tenant, action of ves.io tenant is applied.

Create Network Firewall and Fleet

Creating a network firewall with the Fast ACL set and associating it with a fleet is required only if you are configuring the Fast ACLs for a CE site.

Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Network Firewall under the Network Security in the options. Click Add network firewall to open the network firewall creation form.

Step 2: Set a name and apply network policy or forward proxy service policy as per your choice.

Step 3: Click Select fast ACL set and select the Fast ACL set created in the Create Fast ACL Set chapter. Click Create Fast ACL Set to add the Fast ACL set to the network firewall configuration.

NwFwFacl — Figure: Addition of Fast ACL Set to Network Firewall

Note: You can also update an existing firewall using the ...->Edit option.

Step 4: Click Add network firewall to complete creating the network firewall.

Step 5: Create a fleet as per the instructions in the Create a Fleet the guide. Apply the network firewall created in Step 4 to the fleet.

Note: You can also update an existing fleet.

Add Site to the Fleet

Adding site to the fleet to apply Fast ACLs is required only if you are configuring Fast ACLs for a CE site.

Step 1: Log into the VoltConsole and select Sites from the configuration pane. Select Site List from the options.

Step 2: Select your site from the list of displayed sites and click ...->Edit to open the site edit form.

Step 3: Select the ves.io/fleet label in the Labels field and select your fleet label.

Step 4: Click Save changes to add your site to the fleet.

SiteFleet — Figure: Site Addition to Fleet