11-12-2008 08:59 AM
We are about to put MARS into production. My senior network analyst is questioning why we should monitor switches. Most of the time they don't even log changes unless we configure ACLs on them. Could anyone help us here and explain why or why not we should monitor switches? Many thanks.
Solved! Go to Solution.
11-14-2008 10:27 AM
Hi Cedar Lee,
Thanks for the excellent question. From my experience with MARS, the issue of adding switches and the amount of work involved is a legitimate concern. We have even submitted to Cisco the feedback we have received from customers asking for some sort of bulk-add functionality for devices. As you correctly point out, if your network has thousands of switches you are going to think twice before saying these are things you want MARS to monitor. With that said, I usually convince my customers to add the switches slowly, and to do so in areas they consider strategic or highly vulnerable. The other factor we watch is the number of events the switches are currently producing, the concern being that we do not want to overwhelm the MARS box with events.
Hope this helps.
Best,
Paul
11-13-2008 03:47 PM
It's all up to you. If you use port security, or just for fun: if your network comes under attack, MARS will draw you the whole picture, including a snapshot of the MAC address table from these switches. So, if you are "attacked", at least you'll have something to have fun with.
11-14-2008 07:30 AM
And from the document, it says MARS can monitor L2, including Spanning Tree.
Besides the two possible reasons you mentioned, I think it's related to human resources vs. workload as well. Let's say your network had thousands of switches; I bet you would take more time to think it over before picking a side.
In the real world, I am curious to know what choice MARS pros took, to monitor switches or not, and what the reasons behind the choice were.
11-14-2008 10:40 AM
Hi Paul,
That was a great point. You must have lots of experience with MARS. Nice to have you here.
Thanks,
Cedar
11-14-2008 06:14 AM
Hello,
Monitor them. You can monitor resources like CPU and memory. In one view you can see the CPU/memory usage of all the devices in MARS.
11-14-2008 07:54 AM
Good point. Thanks.
Anyone else?
11-14-2008 08:28 AM
I lost my post?
Well, writing again, in short form this time :). L2 switches are configured so that MARS can present to you the ACL to be configured (or do it on its own if the mitigation feature is on) on an L2 switch in case of a particular incident. This way, the source of the incident can be blocked at the network location nearest to the source.
11-14-2008 08:42 AM
Sounds good. Thanks.
11-14-2008 11:48 PM
If you have CiscoWorks you can import all your switches into Cisco MARS within a minute. You can also do a bulk import using a MARS CSV file, AFAIK.
Adding the switches gives you a better view of the topology (as others have pointed out). It also lets you mitigate the attack on the layer 2 switch; however, this does not always work and requires a specific version of software on the switches (which is not documented properly anywhere). And when I asked this question in the last Ask the Expert session here on NetPro, the Cisco guy ignored my question.
Regards
Farrukh
11-15-2008 08:56 AM
I agree that this mitigation part doesn't always work.
And I always wonder why only L2; why can't we use the existing edge/distribution switches for the same purpose?
11-17-2008 08:45 AM
Excellent! Thanks, Farrukh.
11-20-2008 03:44 PM
I suggest considering that the value of monitoring them via MARS also depends on how you have your switches configured. For instance, if you don't suppress the interface link-status logs, you will certainly see a LOT of events.
Also, consider the entirety of your architecture and what services are used or available. Do you use ACS or some other AAA server? If not, the login info coming directly from the switches could be useful, and not available anywhere else.
Personally, I chose to add my switches, which totaled about 150. It did require a good bit of extra work for tuning, but I found it to be worth it.
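Two points in this thread, Paul's concern about the event volume a switch produces and Mike's note that unsuppressed link-status logs dominate that volume while login events may be unavailable anywhere else, are easiest to judge by looking at what a switch actually sends. The following is an added example, not code from the thread or from Cisco: it parses Cisco IOS-style syslog messages (the `%FACILITY-SEVERITY-MNEMONIC:` header), sorts them into link-status noise versus login, port-security and configuration-change events, and reports the noise share and repeated login failures per source. The sample log lines, hostnames, user names and addresses are constructed for the example; the mnemonics are standard IOS ones, but the exact message text on a given switch release may differ.

```python
"""Classify Cisco IOS switch syslog messages before pointing them at MARS.

Added example (not from the thread): shows how much of a switch's log stream
is link-status chatter versus the login, port-security and config-change
events worth having in MARS. All log lines below are constructed; hostnames,
users and addresses are made up.
"""
import re
from collections import Counter

# Constructed sample of what an access switch forwards over syslog.
SAMPLE_LOG = """\
sw-edge-01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to down
sw-edge-01: %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to down
sw-edge-01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to up
sw-edge-01: %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to up
sw-edge-01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.5.21] [localport: 22] at 09:14:02 UTC Fri Nov 14 2008
sw-edge-01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.99.7] [localport: 23] [Reason: Login Authentication Failed] at 09:15:40 UTC Fri Nov 14 2008
sw-edge-01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.99.7] [localport: 23] [Reason: Login Authentication Failed] at 09:15:44 UTC Fri Nov 14 2008
sw-edge-01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
sw-edge-01: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.5.21)
"""

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# The [Source: a.b.c.d] field that SEC_LOGIN messages carry.
SOURCE_RE = re.compile(r"\[Source:\s*(?P<ip>[\d.]+)\]")

# (facility, mnemonic) -> event class; anything unlisted is "other".
EVENT_CLASSES = {
    ("LINK", "UPDOWN"): "link_status",
    ("LINEPROTO", "UPDOWN"): "link_status",
    ("SEC_LOGIN", "LOGIN_SUCCESS"): "login",
    ("SEC_LOGIN", "LOGIN_FAILED"): "login",
    ("PORT_SECURITY", "PSECURE_VIOLATION"): "port_security",
    ("SYS", "CONFIG_I"): "config_change",
}


def parse_line(line):
    """Return a dict for one syslog line, or None if it carries no IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["class"] = EVENT_CLASSES.get((ev["facility"], ev["mnemonic"]), "other")
    return ev


def summarize(log_text):
    """Count events per class and compute the share that is link-status noise."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[ev["class"]] += 1
    total = sum(counts.values())
    noise_share = counts["link_status"] / total if total else 0.0
    return {"counts": dict(counts), "total": total, "noise_share": round(noise_share, 2)}


def failed_logins_by_source(log_text, threshold=2):
    """Return {source_ip: failures} for sources with at least `threshold` failed logins."""
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["mnemonic"] == "LOGIN_FAILED":
            m = SOURCE_RE.search(ev["text"])
            if m:
                failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def worth_forwarding(log_text):
    """Lines an analyst would want in MARS: everything except link flaps."""
    kept = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["class"] != "link_status":
            kept.append(line)
    return kept


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("repeated failed logins:", failed_logins_by_source(SAMPLE_LOG))
    for line in worth_forwarding(SAMPLE_LOG):
        print("forward:", line)
```

On the constructed sample, a single port flap accounts for four of the nine messages, which is the volume problem Paul describes; the remaining five are exactly the login, port-security and config-change events Mike says you may get from nowhere else if there is no AAA server. On IOS the link-status chatter can also be cut at the source with `no logging event link-status` under the access interfaces, which is cheaper than tuning it out in MARS afterwards.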
11-21-2008 08:30 AM
Very good point.
Thanks Mike.