MARS - Netflow, SNMP & Syslog

chharris41
Level 1

I am in the beginning stages of configuring the MARS 210 that we just purchased. I have a few questions/concerns:

Netflow - I want to send netflow from approx 55 devices (remote site routers and core switches plus data center devices) to MARS. Will this overwhelm the processor/memory? I have another 200 or so 3560 series switches scattered around 40+ remote sites - is there any benefit to having them send netflow as well or would the remote site routers suffice?

Syslog - is this MARS box enough to handle pointing ALL devices logs at it?

SNMP - is the SNMP RO string enough to get accurate info from the devices or do I also need to enter login info on all the devices (which will take forever).

I have CiscoWorks LMS 3.0 - if I export all my devices can I then import them into MARS and not have to enter in all this info manually?

Thanks for any and all input.

6 Replies

mhellman
Level 7

"Will this overwhelm the processor/memory?"

Hard to say since we don't know how busy the network is, but probably not.

"Syslog - is this MARS box enough to handle pointing ALL devices logs at it?"

Again, hard to say without more details. Do you have any metrics for what you generate today?

"SNMP - is the SNMP RO string enough to get accurate info from the devices or do I also need to enter login info on all the devices (which will take forever)."

It is enough.

"I have CiscoWorks LMS 3.0 - if I export all my devices can I then import them into MARS and not have to enter in all this info manually?"

Possibly. The user guide discusses this:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/lcug53x.html

From that doc, the following devices are supported in the seed file:

• ASA: for Cisco ASA devices
• CiscoIDS4x: for appliance running Cisco IPS 4.x (not modules)
• CiscoIPS5x: for appliance running Cisco IPS 5.x (not modules)
• FWSM: for Cisco FWSM 2.3
• FWSM3: for Cisco FWSM 3.1
• PIX: for Cisco PIX 6.0, 6.1, 6.2, and 6.3 devices
• PIX7X: for Cisco PIX 7.0 devices
• IOS: for Cisco IOS 12.2 (default)
• SWITCH-CATOS: for Cisco Switch in Hybrid Mode
• SWITCH-IOS: for Cisco Switch in Native Mode
• EXTREME: for Extreme ExtremeWare 6.x
• NETSCREEN: for ScreenOS 4.0 and 5.0
• WINDOWS: for Windows host
• Windows2000: for Windows 2000 host
• Windows2003: for Windows 2003 host
• WindowsNT: for Windows NT 4.x host.
• SOLARIS: for Solaris host
• LINUX: for Linux host

ben.gordon
Level 1

Start with your firewalls and IPS's (if you have them) because they will be the devices you will have to tune the most. Then use the seed file to import all devices but configure one at a time. I did syslogs and snmp on every device and netflow on choke points, so I don't get duplicate flows and overwhelm myself. Each device you add will uncover a new problem, create a rule, or tune the reporting device.

You may want to look into doing netflow only on the link routers closest to you.

Ben and Matthew,

Excellent posts from each of you and both rate a "5" in my book. You both gave answers I would like to have given.

Ben, your gradual approach to adding devices and reminding us to begin with the firewalls and IPS devices is a sound approach which I employ myself for my customers.

Matthew, your asking for metrics is spot-on. I am often asked about sizing the MARS boxes and I always ask whether a baseline exists or whether they have any monitoring capabilities.

Keep up the good work, guys. You are making this newest Cisco forum a most worthwhile one!

Best,

Paul

Thanks all for the replies, appreciate that!

rajett
Cisco Employee

Hello,

There is a sizing document available through your Cisco account team (Sales or Channels) that will help you in determining if the appliance is big enough to handle your needs.

The MARS 210 is rated at up to 15,000 events per second and up to 300,000 NetFlow events per second, provided you are not storing the NetFlow events in the database.

The 3560 switches don't support NetFlow. The 4xxx switches with the appropriate supervisors will support NetFlow in hardware.

Login information would be preferred as that's the best way to parse configuration and other information from the device.

MARS uses the RME file format for importing devices from CiscoWorks. Either export the information from there or create the seed file manually.

That last line, which function in RME creates the correct seed file?

Thanks!