I have some questions about SRX 650 after I read DAY ONE book on SRX ( great book by the way!!)
More specifically following excerpt from the book:
"Logging behaves differently in the branch SRX platform and the high-end data center SRX devices due to their hardware architecture. Although both device platforms have data and control planes, the highend security devices make this division in hardware: given the limited resources in the control plane and the high number of entries that these devices can potentially generate, it’s an important consideration when conﬁguring security logging in the high-end platforms. The high-end
SRXs are capable of so much logging, that they can quickly overwhelm the routing engine if security logging is attempted via the control plane (out the fxp0 interface). To overcome this important aspect of logging security events, an administrator can dedicate a revenue port for logging tasks. Doing so will cause logging for security events to be sent out the SRX from the data plane, rather than the control plane, resembling the behavior of the branch SRX devices that don’t have a dedicated hardware control plane. "
SRX 650 is not congigured to send SYSLOG to syslog server, rather all logs are stored locally on the hard drive.
In above case, is generating huge syslog impact control plane? If yes, what part of Control Plane is impacted Route Engine ?
SRX 650 is configured to send syslog to SYSLOG server 18.104.22.168 out of Fxpo.
How does it impact control plane versus if we use data port( Port used by Transit traffic) to source Syslog?
Thanks and have a nice weekend!!
The SRX650 is a branch model SRX. The difficulty discussed in the paragraph is how the High End SRX handle logs due to combination of two factors mentioned volume + physical separation of control and data plane.
Neither of these is a factor for the SRX650 or any other branch SRX so there is no issue to overcome.
Thanks for your response.
This is what I understand:
1) Branch office SRX can use " revenue port" i.e the port is used by transit traffic to source SYSLOG since this port exists in data plane .
Same recommendation is made for high end SRX to use revenue port to source syslog rather than using managemnet port.
My question is: If we use MGMT port to source syslog rather than Revenue port on Branch SRX such as 650 , does it not have any impact on control plane versus when using Revenue port?
There is no adverse affect on the control plane using the mgmt port for logging on the branch devices. Because the branch devices cannot generate both the volume of logs that can be seen on the high end and there is no hardware separate path that those logs must traverse.
This is simply not an issue on the branch devices.
Because the branch devices cannot generate both the volume of logs that can be seen on the high end and there is no hardware separate path that those logs must traverse.
Does Highend SRX have separte path these logs must traverse? Actually I need to understand the architecture to fully grasp this syslog thing.
Appreciate your help , have a nice day!!
On the High End SRX the routing engine and fxp port are physically separate units. The forwarding plane and switch control boards where packets are processed live on cards in the main chassis. So to get the log data from the forwading plane out the fxp port they have to physically transit the chassis to the RE card.
With the branch series the separation of control and forwarding plane is by virtualization on the same hardware.