10Gig Interface needed for log server?

pille1234
Level 3

G'day gents,

We have deployed a few ASA 5585 SSP40s in our data centers to separate different customer/security zones, connected with 10Gig interfaces. Currently we have a dedicated log server attached to each ASA, connected with a p2p 10Gig interface. While detailed log information is considered important, I somehow have the gut feeling all this high-end equipment and bandwidth is used a little too wastefully. I have little experience with these big firewalls and I have not yet seen the equipment in an attack situation; however, I doubt a firewall could ever generate 10Gig of log data while doing the primary firewalling job at the same time. Looking at the typical packet size of a syslog message, I don't even believe a 1Gig link could ever be saturated with pure syslog messages.

Would someone with more firewall experience share his/her opinion with me on that?

Regards

Pille

2 Accepted Solutions

sudheesh.pb
Level 1

Hi,

the firewall will never generate 10G of log data in any situation. Here you are actually wasting a 10G interface. If possible use any 1G interface or a separate management interface (100 Mbps) for this purpose. The maximum log size will be even less than a Mbps. Hope this helps.

Thanks, Sudheesh


Ajay Saini
Cisco Employee

Well, if the attack actually becomes reality, then we should be more concerned about the performance of the ASA as a whole rather than the log messages. I second your opinion that syslogs getting generated and consuming a 10 Gbps link is nearly impossible. The ASA itself would be overwhelmed if that happened.

Just to make it clear, it's not the capability of the interfaces that matters after all in these situations; instead it's the throughput of the device and the associated CPU utilization. So, if I have 10 Gigabit interfaces on the ASA, we cannot in reality saturate the physical link. If I talk about the ASA 5580-20, the throughput is 5 Gbps for real-world traffic. So, under no situation would we see interfaces getting saturated; it's the ASA which gets overwhelmed and starts dropping traffic.

Considering that we have sufficient CPU cycles to process the syslogs, we should not be concerned about the interface capability to which the syslog server is connected.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

So, you can safely connect your syslog server to a gigabit link.


HTH

AJ

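The sizing argument made in the question (typical syslog packet size versus link speed) and in the answer above (event rate is bounded by the ASA's CPU, not the link) can be put into numbers. The following Python is an added worked example, not code from the thread or from Cisco: it takes a few constructed ASA-style syslog lines, adds an assumed per-datagram UDP/IPv4/Ethernet framing overhead, and reports how many events per second it would take to fill a 100M, 1G or 10G link, and how much bandwidth a realistic event rate actually consumes.

```python
import math

# Constructed sample ASA-style syslog lines (made up for this example,
# not captured from any real device).
SAMPLE_MESSAGES = [
    "<166>%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:10.0.0.5/51234 (203.0.113.2/51234)",
    "<166>%ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.10/443 to inside:10.0.0.5/51234 duration 0:00:05 bytes 4321 TCP FINs",
    "<164>%ASA-4-106023: Deny tcp src outside:192.0.2.7/4444 dst inside:10.0.0.9/22 by access-group \"outside_in\" [0x0, 0x0]",
]

# Assumed framing for syslog over UDP/IPv4 on untagged Ethernet, one
# message per datagram: Ethernet header (14) + FCS (4) + preamble/SFD (8)
# + inter-frame gap (12) + IPv4 header (20) + UDP header (8) = 66 bytes.
FRAMING_OVERHEAD = 14 + 4 + 8 + 12 + 20 + 8

LINK_SPEEDS_BPS = {"100M": 100_000_000, "1G": 1_000_000_000, "10G": 10_000_000_000}


def wire_bytes(message: str) -> int:
    """On-wire size of one syslog datagram: payload plus framing overhead."""
    return len(message.encode("utf-8")) + FRAMING_OVERHEAD


def average_wire_bytes(messages) -> float:
    """Mean on-wire size over a sample of messages."""
    return sum(wire_bytes(m) for m in messages) / len(messages)


def saturating_eps(link_bps: int, avg_wire_bytes: float) -> int:
    """Events per second needed to fill a link with nothing but syslog."""
    return math.ceil(link_bps / (avg_wire_bytes * 8))


def syslog_bandwidth_bps(eps: int, avg_wire_bytes: float) -> float:
    """Bandwidth (bits/s) consumed by a given event rate."""
    return eps * avg_wire_bytes * 8


def capacity_table(messages, eps_rates=(1_000, 10_000, 100_000)) -> dict:
    """Summarise link headroom for a message sample and some event rates."""
    avg = average_wire_bytes(messages)
    return {
        "avg_wire_bytes": avg,
        "eps_to_saturate": {name: saturating_eps(bps, avg) for name, bps in LINK_SPEEDS_BPS.items()},
        "mbps_at_eps": {eps: syslog_bandwidth_bps(eps, avg) / 1e6 for eps in eps_rates},
    }


if __name__ == "__main__":
    for key, value in capacity_table(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

Even at 100,000 events per second, an order of magnitude beyond what most ASA deployments log, the sample comes out well under 200 Mbps, so a gigabit link has ample headroom; if the ASA prepends timestamps or hostnames, or syslog is carried over TCP, adjust the sample and the framing constant to match.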

Thank you both, that is exactly what I thought.
