DDoS Two-Layer Architecture

Hello ukhan20 , 

Great that you got me. 

yes you can Control easily in traffic flow by adjusting the routes on the L3 Switch ( L3 Switch maybe Router , Firewall or whatever intermediate device ) 

So, 
If customer wants only AFM service >> you will Create for him a forwarding Virtual server (with the subnet of  servers that this customer want to reach ) to inspect his traffic on L3/L4 Traffic then forward it to L3 Switch then the L3 will forward traffic directly to servers, For example: 

For a Customer wants AFM only >> 
Servers subnet is " 10.10.10.0/24 " 

1- Add route on L3 Switch says { ANY Source wants To reach to 10.10.10.0/24 use next hop AFM via VLAN x }.

2- you will create a forwarding Virtual server with destination "10.10.10.0/24" with SNAT ( Automap or SNAT Pool enabled if you have a pool of SNATs ) , this will be treated as a protected object for this customer , Then you will need to add route on AFM { to reach to 10.10.10.0/24 next hope L3 Switch through VLAN x), the Virtual server should be like this :

Again Auto Map is mandatory in this setup.

3- you must add this important route on L3 Switch: 
{ From IP "AFM Self IP on VLAN x which located on AFM itself" to subnet 10.10.10.0/24 next hop servers segment } 

I mean you must add a source IP address based routing because you have now 2 similar routes for "10.10.10.0/24" on L3 Switch and to differentiate between the routes you need to use Source ip based routing. 

- So using this means : 

• any traffic comes from internet router distended to  "10.10.10.0/24" will be forwarded to AFM. 
• and Traffic that sourced from AFM ( After L3/L4 Inspection ) and distended to "10.10.10.0/24" will take the direction of Servers. 
• So don't worry about routing loops or even the return traffic as it will take the same path in the return.

Just work with someone who has good skills and hands-on in routing.

For Customer wants AFM & ASM DoS inspection : 
Assume: 
a Virtual server on ASM : 20.20.20.20/32 & servers ( 192.168.1.1, 192.168.1.2, 192.168.1.3 ) 

you will do the following: 
1- Create a forwarding Virtual server on AFM with Destination "20.20.20.20/32" , this will be treated as a protected object and add route on AFM { To reach 20.20.20.20/32 next hop L3 Switch } , so here AFM Will inspect traffic for L3/L4 DoS traffic. 

2- you need to add route on L3 Switch { To reach 20.20.20.20/32 use next hop ASM through VLAN y }

3- Traffic will reach to a standard Virtual server "20.20.20.20/32" on ASM , so L7 DoS processing should be done , Of course you will create a pool of servers ( 192.168.1.1, 192.168.1.2, 192.168.1.3 ) , then after L7 DoS checking 

 Traffic will be directed to 192.168.1.x via VLAN y, and of course you will need to add route on ASM { To reach to 192.168.1.0/24 use Next hop L3 Switch } this will be via VLAN y. 

4- L3 switch will forward traffic to one of servers ( 192.168.1.1, 192.168.1.2, 192.168.1.3 ) based on Load balancing if used in ASM. 

For Customer wants ASM L7 DoS inspection only: 

Assume a standard virtual server on ASM : 30.30.30.30/32 , what will happen: 

1- This is pretty easy , The customer will go directly to "30.30.30.30/32" Virtual server , which exists already only on ASM so just you need a Route on L3 Switch { To reach to 30.30.30.30/32 use next hop ASM via VLAN y } 

so this will bypass AFM tier and will do only L7 DoS inspection.

___________________________________________________________________________________________________________________

I am interested in this deployment and I would like to see if this works with you or not , so please keep me posted. 
and again involve someone has a good skills on routing specially on L3 Switch , as this is a crucial role. 

Overall I believe this scenario should work, I know it's a little bit complex but it should work.