Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
852
Views
10
Helpful
4
Replies

Estimated Events Per Second for MARS

ntwkprofbrch
Level 1
Level 1

‎08-07-2007 05:43 AM - edited ‎03-09-2019 06:32 PM

How do we estimate the events per second when ordering a MARS unit? We are looking at the CS-MARS-50-K9 that can handle 1000 EVS. But what if our network generates more then 1000 EVS? How do we estimate the EVS?

Labels:
0 Helpful
4 Replies 4

mhellman
Level 7
Level 7

‎08-07-2007 06:54 AM

This is a great resource for MARS questions:

http://groups.google.com/group/cs-mars-ug

You'll find a Python script for doing just that. I've never used it, but Chris Durkin, who is active in the group, talks about it on his MARS blog here (another good resource):

http://ciscomars.blogspot.com/

If you have questions about the script, ask the group.

ntwkprof
Level 1
Level 1
In response to mhellman

‎08-07-2007 09:47 AM

We currently don't have any syslog events being sent to a syslog server...so this script will not work for us.

We have 4 firewalls, 4 routers, 2 Cisco

6510 core switches with about 20 VLANS and about 200 servers (Windows

and Unix), a Cisco 4060 IPS which I want to pull events from. We also

want to use NetFlow from these devices as well as from about 100 Cisco

switches. In addition, we are growing and will need to double these

numbers in about 1 year.

0 Helpful

mhellman
Level 7
Level 7
In response to ntwkprof

‎08-08-2007 05:24 AM

First of all, take the theoretical EPS limit stated by Cisco as being supported and reduce it by 20%. Then take the EPS you think you need and double it;-) We would just be guessing based on the information you provided. How noisy a device is depends on the device, the traffic and the configuration. For example, given the same traffic load a Checkpoint firewall is usually extremely noisy, an IOS based firewall is usually relatively quiet(partly because it will give up on logging pretty quickly if it gets busy...but that's a whole other issue).

If you really want to find out before now, you could certainly turn on syslog now and start monitoring. Don't worry about the netflow for now, supposedly that is a separate metric.

ntwkprof
Level 1
Level 1
In response to mhellman

‎08-08-2007 05:37 AM

Thanks for the input. As you suggested, I'm finding that there are performance issues with the original MARS hardware models. We have decided to go with the Second Generation CS-MARS-110R over the First Generation CS-MARS-100. This way we get the updated hardware, more storage space, and with the "R" model, we will have the option to purchase the upgrade license should we need additional functionality in the future. Below is a great link I found on the Cisco Web site about the second generation MARS boxes:

http://www.cisco.com/en/US/products/ps6241/products_installation_guide_book09186a008083b016.html

0 Helpful
Customers Also Viewed These Support Documents