ASM VE performance scalling

10Gbps is indeed the current maximum supported by VE. Your next question is thougher, it's for sure that you can deploy ASM on a separate BigIP, and route requests to it from another AFM/LTM box. What I do not know is if you can implement some sort of balancing from a single AFM/LTM appliance/cluster to multiple ASM boxes. Not even sure if it will help you remedy the effects of a DOS attack significantly. Personally, I would leave out the balancing to multiple ASM appliances since the ASM module is quite costly and the desired solution is not guaranteed, but instead look into possibilities to take down the attack on the AFM/LTM box, and if the attack is huge (i.e the on-site appliance couldn't cope), manually activate the cloud-based DOS attack mitigation (i.e pay to subscribe service from F5 Silverline or Prolexic). Just some ideas.

OK, but we are not really talking about volumetric attack saturating Internet pipe. We are talking about exhausting current ASM device resources - sure simplest solution is to buy bigger BIG-IP box but could be no way here. Customer however have quite substantial VMWare based resources so spinning few ASM VE could be an option. Piotr

Give it a go then :). I cannot confirm for sure, but I think that even if the 1st line of appliances are configured as active-standby, you should be able to deploy the 2nd line of appliances (VE ASM) in active-active mode to really widen the existing bottleneck.

Well, seems that I need to play around in lab. Anyway according to VE licensing limit for 10Gb VE license is 8 vCPU so... Piotr