Unanswered Question
Jul 25th, 2007

Hi folks

I'm preparing to implement a CS-MARS device into my network and need some advice on how to handle two Catalyst 6500 switches configured with HSRP. These two switches run VTP and have the same number of SVIs for the same VLANs. On each VLAN each switch has a dedicated IP and a standby HSRP IP with preempt.

How do I report this to CS-MARS? I reckon only the HSRP master switch is acting as the layer 3 device for the subnets while the standby switch only acts as a layer 2 device. But do I use the HSRP IPs for the different VLANs as management IP and the SVI IPs as management IP? How will this differ between the master switch and the standby?


Fredrik Hofgren

PAUL TRIVINO Mon, 07/30/2007 - 15:55

Short answer: use the "physical" IPs of BOTH boxes and add BOTH - they syslog to MARS individually so MARS will get more traffic from one or the other (the one active in HSRP), but each should be added separately.



hoffa2000 Mon, 07/30/2007 - 22:13


The 6500 switches both run native IOS and don't have physical IPs as such, only SVIs for different VLANs.

The thing is that I've been doing some tests with this process already. I've added the switches using the SVI IP for the VLAN used for network management, and MARS seems to treat the switches differently depending on the order in which they are added. Regardless of whether I'm adding the HSRP master switch first or last, it treats the first added switch as the main router and draws up the network layout with this switch in the middle even though the added switch is only acting as HSRP slave. To me it seems like such a setup would produce wrong information.

I've not used the HSRP IP yet and wanted to check if anyone has worked on this already, since the manual isn't too clear on this regarding the usage of layer 3 switches.



PAUL TRIVINO Tue, 07/31/2007 - 06:15

Well, this is just me, but I would not predicate anything I do with MARS based on the diagrams it produces. The Attack Map perhaps, but I much more concern myself with the Incidents etc. which are based on the sending unit.



rsalinas Thu, 08/02/2007 - 11:49

Maybe using loopbacks. Then add each loopback address to MARS.

An idea.

darius.liepuonis Fri, 08/03/2007 - 07:18

I agree with RSalinas, I think the best way is to use loopbacks for management and for originating all messages from the device (TACACS, SNMP, syslog etc.). Loopbacks will never go down.

