Forum Discussion
DDoS Two-Layer Architecture
I'm new to this, so I appreciate your patience.
Client traffic first passes through VM1 (AFM for L3/L4) on the vCMP-enabled VMs, then to VM2 (WAF for L7), and finally reaches the server. This is achieved through a one-arm configuration, as shown in the screenshot. (How do I achieve this? I am aware of AFM at L3 and L4.)
If there's no need for inspection by VM2 (WAF), the traffic goes directly from VM1 (L3/L4) to the server.
Could you please confirm if this setup is correct?
- Dec 16, 2024
Hi ukhan20,
No worries, brother.
I just need to understand: do you want to apply the two tiers in one device (a VIPRION chassis), or what?
If you want to allocate two vCMP guests, one for AFM and the other for AWAF, I believe you need at least 2 separate VLANs; you will work in a one-arm deployment on each VM/guest.
For example, I drew this design for you: this is in case you want to split your VIPRION into two guests (one for AFM and the other for ASM). You can deploy it one-arm for each guest, but you need two VLANs, as I described in the traffic flow above.
Again, you can do the same deployment using only one VLAN and one arm, but then you have to use only one guest with many more resources, and in this guest you will provision both AFM and AWAF and then move forward with this.
So let me know if the above approach works for you or not,
and I will discuss with you how to configure AFM and AWAF to achieve this.
The configs aren't the hard part; putting the proper design together is the most challenging thing.
So have a deep look at my design and traffic flow above, and discuss it with me if you wish.
- ukhan20, Dec 16, 2024
I came across the terms 'one-arm' and 'two-arm,' and I want to align this with the solution. I'll be implementing this on the chassis.
All the steps are clear to me.
Looking at this diagram, I am creating two VMs to provide different services: AFM (L3/L4) and WAF (L7).
If the customer requires only L3/L4 services, I can route the traffic to AFM (VM guest 1). If the customer requires both services, I can route the traffic to both VMs. In this case, traffic flows from the client to the server through the AFM and WAF solution. However, I also need to ensure that traffic flows back from the server to the client (i.e., I need two-way traffic).
- Dec 16, 2024
Hello ukhan20,
Great that you got me.
Yes, you can easily control the traffic flow by adjusting the routes on the L3 switch (the L3 switch may be a router, a firewall or whatever intermediate device).
So,
If the customer wants only the AFM service >> you will create for him a forwarding virtual server (with the subnet of the servers this customer wants to reach) to inspect his traffic at L3/L4, then forward it to the L3 switch, and the L3 switch will forward the traffic directly to the servers. For example:
For a customer who wants AFM only >>
Servers subnet is "10.10.10.0/24".
1- Add a route on the L3 switch that says { any source wanting to reach 10.10.10.0/24 uses next hop AFM via VLAN x }.
2- Create a forwarding virtual server with destination "10.10.10.0/24" with SNAT (Auto Map, or a SNAT pool if you have a pool of SNATs); this will be treated as a protected object for this customer. Then you will need to add a route on AFM { to reach 10.10.10.0/24, next hop L3 switch through VLAN x }. The virtual server should look like this:
Again, Auto Map is mandatory in this setup.
3- You must add this important route on the L3 switch:
{ from IP "AFM self IP on VLAN x, which is located on AFM itself" to subnet 10.10.10.0/24, next hop servers segment }
I mean you must add source-IP-based routing, because you now have 2 similar routes for "10.10.10.0/24" on the L3 switch, and to differentiate between the routes you need to use source-IP-based routing.
- So using this means: any traffic that comes from the internet router destined to "10.10.10.0/24" will be forwarded to AFM.
- And traffic sourced from AFM (after L3/L4 inspection) and destined to "10.10.10.0/24" will take the direction of the servers.
- So don't worry about routing loops or even the return traffic, as it will take the same path on the return.
Just work with someone who has good skills and hands-on experience in routing.
For a customer who wants AFM & ASM DoS inspection:
Assume:
a virtual server on ASM: 20.20.20.20/32 & servers (192.168.1.1, 192.168.1.2, 192.168.1.3)
You will do the following:
1- Create a forwarding virtual server on AFM with destination "20.20.20.20/32"; this will be treated as a protected object. Add a route on AFM { to reach 20.20.20.20/32, next hop L3 switch }, so here AFM will inspect the traffic for L3/L4 DoS.
2- You need to add a route on the L3 switch { to reach 20.20.20.20/32, use next hop ASM through VLAN y }.
3- Traffic will reach a standard virtual server "20.20.20.20/32" on ASM, so L7 DoS processing will be done. Of course you will create a pool of servers (192.168.1.1, 192.168.1.2, 192.168.1.3); then, after the L7 DoS check,
traffic will be directed to 192.168.1.x via VLAN y, and of course you will need to add a route on ASM { to reach 192.168.1.0/24, use next hop L3 switch }; this will be via VLAN y.
4- The L3 switch will forward the traffic to one of the servers (192.168.1.1, 192.168.1.2, 192.168.1.3) based on the load balancing used in ASM.
For a customer who wants ASM L7 DoS inspection only:
Assume a standard virtual server on ASM: 30.30.30.30/32. What will happen:
1- This is pretty easy. The customer will go directly to the "30.30.30.30/32" virtual server, which already exists only on ASM, so you just need a route on the L3 switch { to reach 30.30.30.30/32, use next hop ASM via VLAN y }.
So this will bypass the AFM tier and will do only L7 DoS inspection.
___________________________________________________________________________________________________________________
I am interested in this deployment and I would like to see if this works for you or not, so please keep me posted.
And again, involve someone who has good skills in routing, especially on the L3 switch, as this is a crucial role.
Overall I believe this scenario should work. I know it's a little bit complex, but it should work.
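As an added illustration (not configuration from the post or from F5), this Python model traces the AFM-only flow above through the L3 switch's plain prefix route and its source-IP-based route, with and without SNAT Auto Map on the forwarding virtual server. Only the 10.10.10.0/24 server subnet comes from the post; the self IP, VLAN x subnet and client address are constructed.

```python
from ipaddress import ip_address, ip_network

# Addresses for the model. Only 10.10.10.0/24 comes from the post; the rest are constructed.
SERVERS = ip_network("10.10.10.0/24")        # protected servers behind the L3 switch
AFM_SUBNET = ip_network("172.16.1.0/24")     # VLAN x between L3 switch and AFM (constructed)
AFM_SELF = ip_address("172.16.1.10")         # AFM self IP on VLAN x, also the SNAT address (constructed)
CLIENT = ip_address("198.51.100.7")          # internet client (constructed, TEST-NET-2)
SERVER = ip_address("10.10.10.5")            # one server in the protected subnet (constructed)
SNAT_TABLE = {}                              # (server, AFM_SELF) -> client, filled when AFM translates

def l3_switch_next_hop(src, dst):
    """L3 switch from the post: the source-based route wins over the plain prefix route."""
    if src == AFM_SELF and dst in SERVERS:
        return "servers"      # step 3: already inspected by AFM, deliver to the server segment
    if dst in SERVERS:
        return "AFM"          # step 1: everyone else reaching 10.10.10.0/24 goes to AFM first
    if dst in AFM_SUBNET:
        return "AFM"          # VLAN x is directly connected, so replies to the SNAT address reach AFM
    return "internet"         # default route toward the internet router

def afm_forward(src, dst, automap):
    """Forwarding virtual server for 10.10.10.0/24 (step 2), with or without SNAT Auto Map."""
    if dst in SERVERS and automap:
        SNAT_TABLE[(dst, AFM_SELF)] = src
        return AFM_SELF, dst  # the server now sees the AFM self IP as the source
    if (src, dst) in SNAT_TABLE:
        return src, SNAT_TABLE[(src, dst)]  # reply from the server: undo the translation
    return src, dst           # no translation: the client's address is kept

def trace(src, dst, automap=True, max_hops=8):
    """Hop list for one packet entering the L3 switch; ends in 'LOOP' if it never leaves."""
    path, node = ["L3"], "L3"
    while len(path) < max_hops:
        if node == "L3":
            node = l3_switch_next_hop(src, dst)
        elif node == "AFM":
            src, dst = afm_forward(src, dst, automap)
            node = "L3"       # AFM's own route: next hop L3 switch via VLAN x
        else:
            return path       # reached an edge: the servers or the internet router
        path.append(node)
    return path + ["LOOP"]

if __name__ == "__main__":
    print("client -> server (Auto Map):", trace(CLIENT, SERVER))
    print("server -> client reply     :", trace(SERVER, AFM_SELF))
    print("client -> server (no SNAT) :", trace(CLIENT, SERVER, automap=False))
```

With Auto Map the forward and return paths both pass the L3 switch, AFM and the L3 switch again; without it the source stays the client's address, so the switch's prefix route keeps handing the packet back to AFM, which is the loop the source-based route and the SNAT together avoid.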