07-25-2007 10:51 AM - edited 03-09-2019 06:28 PM
Hi folks
I'm preparing to implement a CS-MARS device into my network and need some advice on how to handle two Catalyst 6500 switches configured with HSRP. These two switches run VTP and have the same number of SVIs for the same VLANs. On each VLAN each switch has a dedicated IP and a standby HSRP IP with preempt.
How do I report this to CS-MARS? I reckon only the HSRP master switch is acting as the layer 3 device for the subnets while the standby switch only acts as a layer 2 device. But do I use the HSRP IPs for the different VLANs as management IP and the SVI IPs as management IP? How will this differ between the master switch and the standby?
Regards
Fredrik Hofgren
07-30-2007 03:55 PM
Short answer: use the "physical" IPs of BOTH boxes and add BOTH - they syslog to MARS individually so MARS will get more traffic from one or the other (the one active in HSRP), but each should be added separately.
Helps?
Paul
07-30-2007 10:13 PM
Maybe
The 6500 switches both run native IOS and don't have physical IPs as such, only SVIs for different VLANs.
The thing is that I've been doing some tests with this process already. I've added the switches using the SVI IP for the VLAN used for network management and MARS seems to treat the switches differently depending on the order in which they are added. Regardless of whether I'm adding the HSRP master switch first or last, it treats the first added switch as the main router and draws up the network layout with this switch in the middle even though the added switch is only acting as HSRP slave. To me it seems like such a setup would produce wrong information.
I've not used the HSRP IP yet and wanted to check if anyone has worked on this already since the manual isn't too clear on this regarding the usage of layer 3 switches.
Regards
Fredrik
07-31-2007 06:15 AM
Well, this is just me, but I would not predicate anything I do with MARS based on the diagrams it produces. The Attack Map perhaps, but I much more concern myself with the Incidents etc. which are based on the sending unit.
HTH
Paul
08-02-2007 11:49 AM
Maybe using loopbacks. Then add each loopback address to MARS.
An idea.
08-03-2007 07:18 AM
I agree with RSalinas, I think the best way is to use loopbacks for management and for originating all messages from the device (TACACS, SNMP, syslog etc.). Loopbacks will never go down.
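
Added example, not part of any post in this thread: a sketch of the loopback approach suggested above, as IOS configuration for one of the two switches. The interface name Loopback0 and every address (192.0.2.1 for the switch, 192.0.2.10 for the MARS appliance) are constructed placeholders, not values from the thread.

```cisco
! Constructed example: all addresses are documentation-range placeholders.
! Switch A. Repeat on switch B with its own loopback address (e.g. 192.0.2.2).
interface Loopback0
 description Management and reporting source (assumed name)
 ip address 192.0.2.1 255.255.255.255
!
! Syslog to the MARS appliance (placeholder address), always sourced
! from the loopback so the sender IP is the same whichever SVI or
! uplink the packet leaves through and whichever switch is HSRP active.
logging source-interface Loopback0
logging trap informational
logging 192.0.2.10
!
! SNMP traps and TACACS+ requests use the same source address.
snmp-server trap-source Loopback0
ip tacacs source-interface Loopback0
```

Each switch is then added to MARS separately by its own loopback address, never by the shared HSRP virtual IP. The loopback /32 has to be routable from the MARS appliance for discovery and polling to work.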