Forum Discussion
F5 BIG-IP vcmp with guests using ltm and afm
Is this approach possible?
Yes. It is just a question of correctly configuring the VLANs to handle the traffic.
Remember that your vlans need to link the chassis, as the active guests may swap between the chassis, and you will probably want to distribute the active guests across the two chassis.
How should we configure this?
I'm not sure what you are looking for, it would be impossible to provide a configuration guide without a comprehensive network plan and requirements document - if you need design help, talk to your F5 Account team about engaging with F5 Professional Services.
I'd suggest you need an External vlan facing the internet, a DMZ vlan to pass traffic to the Load-balancers, and a Poolmember vlan for the servers. The AFM guests pass traffic from the External to the DMZ/Poolmember vlans through AFM policy rulesets.
Does the AFM need to have a VS configured to catch traffic and filter it out?
AFM can apply policy rulesets at various levels - Globally, Route-Domain, Self-IP, Virtual Server.
You can use Virtual-Servers to accept specific traffic and apply an AFM policy (firewall ruleset) to that traffic. That's how I would probably do it (for granularity and policy management), but I have seen plenty of different approaches.
It is up to you.
