I've had a MARS50 online for about a month now and have never really
got layer 2 mitigation to work. We have a network built with only
Cisco equipment so the procedure should be straightforward I would
Our design is pretty basic: 5 Cat2950 access switches serving the
office along with a Cat4503 as a distribution switch. All these are
running native IOS. The 4503 is connected with a layer 2 trunk to our
co-location where the routing and firewalling take place in a Cat6513
also running native IOS.
What I would like to see, as described in the MARS user guide, is the
port of the access switch presented in the incident graph. Today I
only see a straight line from the attacking host over the network
object and the target and have no option to mitigate the threat. All
access switches are enabled and discoverable by MARS and have SNMP
selected as the access method.
What am I missing here?