cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2636
Views
0
Helpful
5
Replies

MARS switch port up/down rule

There is a rule in MARS which fired when any port in the switch go down and up, every day big number of incidents happening for this rule, but it dose not show me the source IP address it show only the destination IP address.

I need to know which user connect to that port.

And why the ports go up and down.

5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to look into the switch syslog itself. If the switch syslog messages are not showing you the reason, MARS will not show you the reason. MARS will only show you whatever the switch syslog shows, so if switch syslog does not show you the reason, MARS will not know the reason.

You would need to investigate the switch.

MARS just provides a central repository for all the syslog messages, and if there is something that you need to investigate, you would need to go physically to the switch to troubleshoot as per normal. MARS will not tell you information that the switch does not provide.

ok but what you think why the switch ports go up and down like this?

because every day many incident happen fro the same rule.

What does the switch port connect to? To user's PC? if that is the case, maybe users are connecting and disconnecting the switch port / they connect in the morning when they come to the office, and disconnect the cable when they left.

halijenn  is right.
All information MARS get from syslog message.
If syslog message from Switch dont contain information about what user are connected to port MARS dont help you.
If you have PC --->>>> 802.1x ---- Switch >>>> Radius Server USE logs from Radius server.
Or write custom parsers.

Ok can I see which user is connect to that port which go up/down, I mean is it possible that I can now the user IP address ???