Network design question on syslog

mahesh18
Level 6

Hi everyone,

I am setting up a new network where a new syslog server will get all the logs from the network devices.

Need to confirm: if the network devices have connectivity and routing from the network device to the syslog server, but there are no routes back from the syslog server

to the network device, will this setup work?

Will the network device be able to send all the logs to syslog, as syslog is only one-way communication?

Regards

Mahesh

8 Replies

This is not a question of routing; it's access-control. The routing has to be configured end-to-end, but for access-control you have a couple of options. Two of them are:

  1. Place the Syslog-server in a DMZ behind a firewall. This will give you the best control over which traffic is allowed to and from the syslog-server.
  2. Place the Syslog-server in your server-vlan or a dedicated vlan, but configure ACLs on the connecting switch to filter all traffic from the server to make sure the server can't communicate with the rest of the network. This can be more challenging, as the switches have less flexibility for access-control than what is available on firewalls.

Hi Karsten,

Let me give you more info and correct me if I am wrong.

This is a very new and isolated network where we want all network devices to send logs to this device.

Setup is like this:

Existing network

Switch1---------Switch2--------Switch3------switch4----

Where Sw1 and Sw4 are running OSPF.

There is end-to-end connectivity between Switch 4 and Switch 1.

In other words, there are routes back from sw4 to sw1.

If I add a new switch 5 to the existing switch 4 and connect the syslog server:

Sw1------sw2-----sw3-----sw4-----Sw5-----inside traffic to Syslog server

Switch 4 has a route to the syslog server.

As syslog traffic is only one way, say subnet 10.10.10.1 wants to access the syslog server: there is routing in place to the syslog server.

But switch 5, where the syslog server is connected, does not have a route back to Sw1, while Switch 4 does have a route back to Sw1.

With this setup, will Switch 1 be able to send the syslog traffic to the syslog server?

Regards

Mahesh

Hi Mahesh,

In order for switch 1 to be able to send syslog traffic to the server connected to switch 5, the routing has to work correctly first. If switch 5 does not have a route back to switch 1, or vice versa, the syslog server will not be able to communicate and gather logs from switch 1.

Hope it is clear.

Thanks,

Reza

Hi,

Based on your setup, SW1 will not be able to send traffic to the syslog server.

SW1 and SW5 need to have a way of reaching each other.

Just curious..

Did you include SW5 in the OSPF calculation?

If not, how does SW4 know a destination to the syslog server? Is there a static route configured in SW4 pointing to the syslog server subnet?

If there is a static route configured in SW4 pointing to the syslog server subnet, we can do redistribution of the static route inside the OSPF domain.

regards,

bbb

I'm not really sure if I understand it right ... But "normally" you would have end-to-end routing. Routing in enterprise environments is a base functionality and not a security function, and should be treated as such.

But:

If the Syslog-Server is connected to Switch 5, then only all the other devices need the routing to the syslog-server subnet. Especially Switch 1 needs to know how to get to this network. But Switch 5 doesn't need to know the networks behind Switch 1. At least not for Syslog.

Again: This is not the way I would recommend configuring it. It sounds as if your goal is to improve security. But in fact, a config like that could limit your security. For example, with only partial routing-information as used in your scenario, you could not implement security features like spoofing protection with unicast reverse path forwarding (uRPF).

Always choose the right tool for a specific problem. And limiting routing-information is not the tool to implement the security here.
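To make the two points in this thread concrete (bbb: anything that needs a return path fails; Karsten: without a route back, strict uRPF on Switch 5 cannot be enabled without dropping the syslog traffic), here is a small added simulation. It is not code from the thread or from any Cisco product; the addresses, interface names (Vlan10, Vlan50, to-SW4, ...) and the collapsing of SW2/SW3 into the SW1-SW4 hop are assumptions made for the illustration.

```python
import ipaddress

# Constructed topology (assumed addresses, not from the thread):
#   SW1 (device subnet 10.10.10.0/24) -> SW4 -> SW5 -> syslog server 192.168.50.10
# SW2 and SW3 are collapsed into the SW1 -> SW4 hop, since they add nothing here.
SYSLOG_SERVER = ipaddress.ip_address("192.168.50.10")
SW1_SOURCE = ipaddress.ip_address("10.10.10.1")


class Switch:
    """A layer-3 switch reduced to a routing table plus a strict-uRPF check."""

    def __init__(self, name, routes):
        self.name = name
        # prefix -> egress interface; connected and learned routes are treated alike
        self.routes = {ipaddress.ip_network(p): iface for p, iface in routes.items()}

    def lookup(self, ip):
        """Longest-prefix match; returns the egress interface, or None if no route."""
        matches = [(net.prefixlen, iface) for net, iface in self.routes.items() if ip in net]
        return max(matches)[1] if matches else None

    def urpf_strict_ok(self, src, ingress):
        """Strict uRPF: accept a packet only if the best route back to its source
        points out of the interface it arrived on."""
        return self.lookup(src) == ingress


def build_topology(sw5_has_return_route=False):
    """Return (forward_path, reverse_path) as lists of (switch, ingress interface)."""
    sw1 = Switch("SW1", {
        "10.10.10.0/24": "Vlan10",     # connected device subnet
        "192.168.50.0/24": "to-SW4",   # server subnet, learned via OSPF after SW4 redistributes
    })
    sw4 = Switch("SW4", {
        "10.10.10.0/24": "to-SW1",     # learned via OSPF
        "10.0.45.0/30": "to-SW5",      # link to SW5
        "192.168.50.0/24": "to-SW5",   # static route toward the syslog subnet
    })
    sw5_routes = {
        "10.0.45.0/30": "to-SW4",      # connected uplink
        "192.168.50.0/24": "Vlan50",   # connected server subnet
    }
    if sw5_has_return_route:
        sw5_routes["10.10.10.0/24"] = "to-SW4"   # what SW5 lacks in the thread's design
    sw5 = Switch("SW5", sw5_routes)
    forward_path = [(sw1, "Vlan10"), (sw4, "to-SW1"), (sw5, "to-SW4")]
    reverse_path = [(sw5, "Vlan50"), (sw4, "to-SW5"), (sw1, "to-SW4")]
    return forward_path, reverse_path


def forward(path, src, dst, urpf=False):
    """Walk a packet hop by hop. Returns (delivered, trace)."""
    trace = []
    for sw, ingress in path:
        if urpf and not sw.urpf_strict_ok(src, ingress):
            trace.append(f"{sw.name}: uRPF drop, no route back to {src} via {ingress}")
            return False, trace
        egress = sw.lookup(dst)
        if egress is None:
            trace.append(f"{sw.name}: no route to {dst}, dropped")
            return False, trace
        trace.append(f"{sw.name}: {dst} -> {egress}")
    return True, trace


def syslog_datagram_delivered(sw5_has_return_route=False, urpf=False):
    """UDP/514 message from a device behind SW1 toward the collector."""
    fwd, _ = build_topology(sw5_has_return_route)
    return forward(fwd, SW1_SOURCE, SYSLOG_SERVER, urpf=urpf)[0]


def reply_delivered(sw5_has_return_route=False):
    """Any packet the server would need to send back (TCP/TLS syslog, SNMP polls, ...)."""
    _, rev = build_topology(sw5_has_return_route)
    return forward(rev, SYSLOG_SERVER, SW1_SOURCE)[0]


if __name__ == "__main__":
    for label, args in [("UDP syslog, no return route", {}),
                        ("UDP syslog, strict uRPF on every hop", {"urpf": True}),
                        ("UDP syslog, uRPF + return route", {"sw5_has_return_route": True, "urpf": True})]:
        ok, trace = forward(build_topology(args.get("sw5_has_return_route", False))[0],
                            SW1_SOURCE, SYSLOG_SERVER, urpf=args.get("urpf", False))
        print(f"{label}: {'delivered' if ok else 'dropped'}\n  " + "\n  ".join(trace))
    print("server reply, no return route:", "delivered" if reply_delivered() else "dropped")
```

The plain UDP datagram gets through because every hop only needs a route to the destination, which is Karsten's "at least not for Syslog" observation. The same design drops every reply and, as soon as strict uRPF is turned on at SW5, drops the syslog traffic itself; adding the return route on SW5 fixes both, which is why the thread treats filtering (firewall or ACL) rather than missing routes as the right control.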

Hi Karsten,

I agree with what you said; we have this network design as per customer requirement.

As this server is just a log collector from some 3rd-party vendor and they do not want it to communicate with the other network, that's the reason switch 5 only knows about the directly connected network. Switch 1 does have the routing all the way to the server.

Regards

Mahesh

Hi Karsten,

As per the client requirement, we have to set up the network this way only.

I agree with your thoughts that this is not the right way to do it.

Best Regards

Mahesh

Ganesh Hariharan
VIP Alumni

Hello Mahesh,

Connectivity to the syslog server has to be there to send syslog messages to the server. The server would be having a gateway, which would be having routing communication back to all network devices without any issue.

So if the syslog server has a gateway and that subnet is routed in the network, then there should not be any issue sending logs to the syslog server.

Hope it Helps..

-GI

Rate if it Helps..