Forum Discussion
DDoS Two-Layer Architecture
I'm new to this, so I appreciate your patience.
Client traffic first passes through VM1 (AFM for L3/L4) on the vCMP-enabled VMs, then to VM2 (WAF for L7), and finally reaches the server. This is achieved through a one-arm configuration, as shown in the screenshot. (How do I achieve this? I am aware of AFM at L3 and L4.)
If there's no need for inspection by VM2 (WAF), the traffic goes directly from VM1 (L3/L4) to the server.
Could you please confirm if this setup is correct?
Hi ukhan20 ,
No worries brother.
I just need to understand: do you want to apply the two tiers in one device, a VIPRION chassis, or what?
If you want to allocate two vCMP guests, one for AFM and the other for AWAF, I believe you need at least 2 separate VLANs; you will work in a one-arm deployment on each VM/guest.
For Example , I Drew this design for you:
This is in case you want to split your VIPRION into two guests (one for AFM and the other for ASM). You can deploy it one-arm for each guest, but you need two VLANs, as I described in the above traffic flow.
Again, you can do the same deployment using only one VLAN and one arm, but you have to use only one guest with many more resources, and in this guest you will provision AFM and AWAF and then move forward with this.
So let me know if the above approach works for you or not,
and I will discuss with you how to configure AFM and AWAF to achieve this.
Configs aren't the hard part, but putting the proper design in place is the most challenging thing.
So have a deep look at my design and traffic flow above and discuss it with me if you wish.
- ukhan20, Dec 16, 2024
Altocumulus
I came across the terms 'one-arm' and 'two-arm', and I want to align this with the solution. I'll be implementing this on the chassis.
All the steps are clear to me.
Looking at this diagram, I am creating two VMs to provide different services: AFM (L3/L4) and WAF (L7).
If the customer requires only L3/L4 services, I can route the traffic to AFM (VM guest 1). If the customer requires both services, I can route the traffic to both VMs. In this case, traffic flows from the client to the server through the AFM and WAF solution. However, I also need to ensure that traffic flows back from the server to the client (i.e., I need two-way traffic).
- Dec 16, 2024
Hello ukhan20 ,
Great that you got me.
Yes, you can easily control the traffic flow by adjusting the routes on the L3 switch (the L3 switch may be a router, a firewall or whatever intermediate device).
So,
If the customer wants only the AFM service, you will create for him a forwarding virtual server (with the subnet of the servers that this customer wants to reach) to inspect his traffic at L3/L4, then forward it to the L3 switch; the L3 switch will then forward the traffic directly to the servers. For example:
For a customer who wants AFM only:
The servers' subnet is "10.10.10.0/24".
1- Add a route on the L3 switch that says { any source wanting to reach 10.10.10.0/24 uses next hop AFM via VLAN x }.
2- Create a forwarding virtual server with destination "10.10.10.0/24" with SNAT (Automap, or a SNAT pool enabled if you have a pool of SNATs); this will be treated as a protected object for this customer. Then you will need to add a route on AFM { to reach 10.10.10.0/24, next hop L3 switch through VLAN x }. The virtual server should be like this:
Again Auto Map is mandatory in this setup.
3- You must add this important route on the L3 switch:
{ From IP "AFM self IP on VLAN x, which is located on AFM itself" to subnet 10.10.10.0/24, next hop servers segment }
I mean you must add source-IP-based routing, because you now have 2 similar routes for "10.10.10.0/24" on the L3 switch, and to differentiate between the routes you need to use source-IP-based routing.
- So using this means: any traffic coming from the internet router destined to "10.10.10.0/24" will be forwarded to AFM.
- And traffic sourced from AFM (after L3/L4 inspection) and destined to "10.10.10.0/24" will take the direction of the servers.
- So don't worry about routing loops or even the return traffic, as it will take the same path on the return.
Just work with someone who has good skills and hands-on experience in routing.
For a customer who wants AFM & ASM DoS inspection:
Assume:
a virtual server on ASM: 20.20.20.20/32 & servers (192.168.1.1, 192.168.1.2, 192.168.1.3)
You will do the following:
1- Create a forwarding virtual server on AFM with destination "20.20.20.20/32"; this will be treated as a protected object. Add a route on AFM { to reach 20.20.20.20/32, next hop L3 switch }, so here AFM will inspect traffic for L3/L4 DoS.
2- You need to add a route on the L3 switch { to reach 20.20.20.20/32, use next hop ASM through VLAN y }.
3- Traffic will reach a standard virtual server "20.20.20.20/32" on ASM, so L7 DoS processing will be done. Of course you will create a pool of servers (192.168.1.1, 192.168.1.2, 192.168.1.3); then, after L7 DoS checking,
traffic will be directed to 192.168.1.x via VLAN y, and of course you will need to add a route on ASM { to reach 192.168.1.0/24, use next hop L3 switch }; this will be via VLAN y.
4- The L3 switch will forward traffic to one of the servers (192.168.1.1, 192.168.1.2, 192.168.1.3) based on the load balancing used in ASM.
For a customer who wants ASM L7 DoS inspection only:
Assume a standard virtual server on ASM: 30.30.30.30/32. What will happen:
1- This is pretty easy. The customer will go directly to the "30.30.30.30/32" virtual server, which already exists only on ASM, so you just need a route on the L3 switch { to reach 30.30.30.30/32, use next hop ASM via VLAN y },
so this will bypass the AFM tier and will do only L7 DoS inspection.
___________________________________________________________________________________________________________________
I am interested in this deployment and I would like to see if this works for you or not, so please keep me posted.
And again, involve someone who has good skills in routing, especially on the L3 switch, as this is a crucial role. Overall I believe this scenario should work; I know it's a little bit complex, but it should work.
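To make the AFM-only routing above concrete (steps 1-3 and the "Auto Map is mandatory" point), here is a small added model of the L3 switch and the AFM forwarding virtual server; it is not F5 configuration and not from the thread. The server subnet 10.10.10.0/24 is the one used above; the AFM self IP, the client address and the hop names are constructed.

```python
import ipaddress

SERVERS = ipaddress.ip_network("10.10.10.0/24")   # server subnet from the thread
AFM_SELF_IP = "192.0.2.10"                        # constructed: AFM self IP on VLAN x
SNAT_TABLE = {}                                   # server -> original client (SNAT state)


def l3_switch_next_hop(src, dst, source_based_route):
    """L3 switch lookup. Step 1: anything to 10.10.10.0/24 -> AFM (VLAN x).
    Step 3 (source-based): from the AFM self IP to 10.10.10.0/24 -> servers.
    Packets addressed to the AFM self IP sit on the connected VLAN x -> AFM."""
    if dst == AFM_SELF_IP:
        return "afm"
    if ipaddress.ip_address(dst) not in SERVERS:
        return "internet"
    if source_based_route and src == AFM_SELF_IP:
        return "servers"
    return "afm"


def afm_forward(src, dst, snat):
    """Step 2: forwarding virtual server for 10.10.10.0/24 on AFM. With SNAT
    automap the source is rewritten to the AFM self IP; the AFM route for the
    server subnet points back at the L3 switch in both directions."""
    if ipaddress.ip_address(dst) in SERVERS:              # client -> server
        if snat:
            SNAT_TABLE[dst] = src
            return AFM_SELF_IP, dst, "l3switch"
        return src, dst, "l3switch"
    return src, SNAT_TABLE[src], "l3switch"               # server reply: undo SNAT


def trace(src, dst, source_based_route=True, snat=True, max_hops=8):
    """Hops a packet takes starting at the L3 switch; stops at max_hops on a loop."""
    path = ["l3switch"]
    while len(path) < max_hops:
        hop = path[-1]
        if hop == "l3switch":
            nxt = l3_switch_next_hop(src, dst, source_based_route)
        elif hop == "afm":
            src, dst, nxt = afm_forward(src, dst, snat)
        else:
            return path                                   # delivered
        path.append(nxt)
    return path                                           # hop limit hit: loop


if __name__ == "__main__":
    print("source route + SNAT  :", trace("203.0.113.5", "10.10.10.5"))
    print("server reply         :", trace("10.10.10.5", AFM_SELF_IP))
    print("no source-based route:", trace("203.0.113.5", "10.10.10.5", source_based_route=False))
    print("no SNAT automap      :", trace("203.0.113.5", "10.10.10.5", snat=False))
```

Dropping either the source-based route or SNAT automap makes the L3 switch send the inspected packet back to AFM until the hop limit, which is the routing loop the post warns about; with both, the reply to the AFM self IP retraces the same path.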
- ukhan20, Dec 17, 2024
Altocumulus
Thanks for helping me. What about reporting? Which F5 module supports reporting purposes: how many attacks or anomalies there were, or something like that, and how much traffic was mitigated or passed through? Does F5 have a good reporting feature, or is there any third-party solution we can look for?