CS-MARS and layer 2 mitigation

hoffa2000
Level 3

Hi all

I have two layer 3 switches and two PIXes defined and active in MARS. This setup represents our backbone, with several 35xx and 36xx switches as layer 2 access switches. VLAN switching takes place in the backbone switches and is visible in MARS, where mitigation is also suggested using access lists on the layer 3 switches. This does not work, however, when the traffic doesn't leave the VLAN, for example when a user on an access switch is accessing a server on the user VLAN. As I understand from the manual, this is because MARS needs a full NAC-aware system to be able to suggest mitigation commands on the access switches. One other problem is that the access switches never report connecting MAC addresses to the MARS/syslog.

Is it possible to have MARS suggest mitigation points and commands on the access switches? Have I missed some logging command that would enable this information to reach MARS?

Regards

Fredrik Hofgren

2 Replies

carenas123
Level 5

I think you should check if you have given the enable password for the devices in MARS. For mitigation, the following link may help you:

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008072f396.html

That I have configured already. My problem is however that the layer 2 devices don't, and as I have understood never can, report the traffic to MARS. Thus layer 2 mitigation would be available only if you have 802.1x enabled recording the exact ports where the offending computers are connected.

Please correct me if I'm wrong here