Estimated Events Per Second for MARS

Unanswered Question
Aug 7th, 2007

How do we estimate the events per second when ordering a MARS unit? We are looking at the CS-MARS-50-K9 that can handle 1000 EVS. But what if our network generates more then 1000 EVS? How do we estimate the EVS?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
ntwkprof Tue, 08/07/2007 - 09:47

We currently don't have any syslog events being sent to a syslog this script will not work for us.

We have 4 firewalls, 4 routers, 2 Cisco

6510 core switches with about 20 VLANS and about 200 servers (Windows

and Unix), a Cisco 4060 IPS which I want to pull events from. We also

want to use NetFlow from these devices as well as from about 100 Cisco

switches. In addition, we are growing and will need to double these

numbers in about 1 year.

mhellman Wed, 08/08/2007 - 05:24

First of all, take the theoretical EPS limit stated by Cisco as being supported and reduce it by 20%. Then take the EPS you think you need and double it;-) We would just be guessing based on the information you provided. How noisy a device is depends on the device, the traffic and the configuration. For example, given the same traffic load a Checkpoint firewall is usually extremely noisy, an IOS based firewall is usually relatively quiet(partly because it will give up on logging pretty quickly if it gets busy...but that's a whole other issue).

If you really want to find out before now, you could certainly turn on syslog now and start monitoring. Don't worry about the netflow for now, supposedly that is a separate metric.

ntwkprof Wed, 08/08/2007 - 05:37

Thanks for the input. As you suggested, I'm finding that there are performance issues with the original MARS hardware models. We have decided to go with the Second Generation CS-MARS-110R over the First Generation CS-MARS-100. This way we get the updated hardware, more storage space, and with the "R" model, we will have the option to purchase the upgrade license should we need additional functionality in the future. Below is a great link I found on the Cisco Web site about the second generation MARS boxes:


This Discussion