Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
499
Views
4
Helpful
5
Replies

CS-MARS and HSRP

hoffa2000
Level 3
Level 3

‎07-25-2007 10:51 AM - edited ‎03-09-2019 06:28 PM

Hi folks

I'm preparing to implement a CS-MARS device into my network and need some advice how to handle two Catalyst6500 switches configured with HSRP. These two switches run VTP and has the same number of SVIs for the same VLANs. On each VLAN each switch has a dedicated IP and a standby HSRP IP with preemt.

How do I report this to CS-MARS? I recon only the HSRP master switch is acting as the layer 3 device for the subnets while the standby switch only acts as a layer 2 device. But do I use the HSRP IPs for the different VLANs as management IP and the SVI IPs as management IP? How will this differ betwen the master switch and the standby?

Regards

Fredrik Hofgren

Labels:
0 Helpful
5 Replies 5

PAUL TRIVINO
Level 3
Level 3

‎07-30-2007 03:55 PM

Short answer: use the "physical" IPs of BOTH boxes and add BOTH - they syslog to MARS individually so MARS will get more traffic from one or the other (the one active in HSRP), but each should be added separately.

Helps?

Paul

0 Helpful

hoffa2000
Level 3
Level 3
In response to PAUL TRIVINO

‎07-30-2007 10:13 PM

Maybe

The 6500 switches both run native IOS and doesn't have physical IPs as such, only SVIs for different VLANS.

The thing is that I've doing some tests with this process already. I've added the switches using the SVI IP for the VLAN used for network management and MARS seems to treat the switches different depending on the order in which they are added. Regardless if I'm adding the HSRP master switch first or last it treats the first added switch as the main router and draws up the network layout with this switch in the middle even though the added switch is only acting as HSRP slave. To me it seems like such a setup would produce wrong information.

I've not used the HSRP IP yet and wanted to check if anyone has worked on this already since the manual isn't to clear on this regarding the usage of layer 3 switches.

Regards

Fredrik

0 Helpful

PAUL TRIVINO
Level 3
Level 3
In response to hoffa2000

‎07-31-2007 06:15 AM

Well, this is just me, but I would not predicate anything I do with MARS based on the diagrams it produces. The Attack Map perhaps, but I much more concern myself with the Incidents etc. which are based on the sending unit.

HTH

Paul

rsalinas
Level 1
Level 1
In response to PAUL TRIVINO

‎08-02-2007 11:49 AM

Maybe using loopbacks. Then add each loopback address to MARS.

An idea.

0 Helpful

darius.liepuonis
Level 1
Level 1
In response to rsalinas

‎08-03-2007 07:18 AM

I agree with RSalinas, i think the best way is to use loopback's for management and for originating all messages from device (tacacs, snmp, syslog etc.) Loopbacks will never go down.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents