Mars: trouble resolving switch ports

Feb 23rd, 2008
Our MARS device seems to be up and running correctly. Most of our equipment seems to be correctly configured and appears in the topology. However, when an incident occurs MARS does not list the switch the device is connected to. How would I go about troubleshooting this problem?


Also, I have an unknown device reporting to MARS. Is there a report I can use to find the IP address of the unknown device? I suspect I have the reporting address wrong on one of our routers and would like to be able to figure out which one it is.


Sorry if these are "newb" questions, but I am new to MARS and there don't seem to be as many troubleshooting documents as compared to other Cisco devices.


Thanks for your help.

pmccubbin Sat, 02/23/2008 - 23:24

Hi Tim,


No worries about asking newbie questions here.


These are my thoughts regarding your questions and hopefully some of the other Net Pros will join in.


Firstly, the amount of time that is required to tune the MARS system will vary depending on how the network is set up, and how much the single devices are tuned. In an environment with devices tuned at a medium level, it can take 8 to 12 weeks to have the MARS appliance adjusted.


You didn't mention what types of reporting you were doing, but I'll assume you have NetFlow, Syslog and SNMP running on your network. With regards to NetFlow, ideally NetFlow information should be collected from the distribution switches and routers. These devices, together with NetFlow from Internet-facing routers or syslog from firewalls, represent the entire network.


Just a word of caution on NetFlow. You do not want nor need to turn it on for every networking device. Otherwise you will get multiple copies of the same info. Where you want to turn it on is at logical aggregation points, like your distribution layer or WAN aggregation router.


Secondly, the term “Unknown Reporting Device” is a discrepancy between the defined IP on the MARS and the reported IP that it receives via syslog.


To determine if a device is sending information to MARS do an Inline Query of Reporting Device Ranking.


The Unknown Device Report is located by clicking on the Query / Reports pull down menu and selecting it from the System Reports.


Run an “Unknown Event Reporting” query/report, and verify that there are no devices reporting to MARS with an “unknown reporting IP”. This means that MARS is parsing correctly the logs from all the devices and they have been set up correctly. Repeat the same sequence for all subsets of your network that you have identified, until all devices have been added. Repeat the test periodically to make sure that all devices are configured correctly. A good idea is to set an hourly or periodic report to be e-mailed with the list of unknown reporting IPs.


When the network has been fully configured and no “unknown reporting IPs” are reported for some time, you can then remove the report, or change it to a longer period of time.


Hope this helps and that you keep asking questions.


Best,

Paul
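One way to triage the “unknown reporting IP” case Paul describes, offline against exported syslog, as an added example that is not from either post or from the MARS product: it flags sender IPs missing from the defined device list and, when the hostname in the message belongs to a defined device, points at that device as the likely router logging from a different interface than the one configured. The inventory, hostnames and syslog lines below are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed inventory: hostname -> IP defined for that device in the collector
# (stands in for the MARS reporting-device list; hypothetical values).
DEFINED_DEVICES = {
    "core-rtr1": "10.0.0.1",
    "wan-rtr2": "10.0.0.2",
    "fw-edge": "10.0.0.3",
}

# Constructed relay-format syslog lines: "<sender-ip> <hostname>: <message>".
# The sender IP is the source of the datagram, which is what the collector
# matches against its device list; the hostname comes from the message itself.
SAMPLE_SYSLOG = """\
10.0.0.1 core-rtr1: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.9(1234) -> 10.0.0.50(22), 1 packet
10.0.0.2 wan-rtr2: %SYS-5-CONFIG_I: Configured from console by admin
10.9.9.2 wan-rtr2: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
10.0.0.3 fw-edge: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.51/445
172.16.5.5 lab-sw9: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>[\w.-]+): (?P<msg>.*)$"
)


def classify_unknown_senders(syslog_text, defined=DEFINED_DEVICES):
    """Return {unknown_sender_ip: (hostname, likely_defined_device_or_None, count)}.

    A sender IP absent from the defined list is the 'unknown reporting IP' the
    thread talks about. If the hostname in its messages matches a defined
    device, that device is probably sourcing syslog from an interface other
    than the IP configured for it, which is the mismatch Paul describes.
    """
    defined_ips = set(defined.values())
    seen = defaultdict(Counter)  # unknown sender ip -> Counter of hostnames
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] in defined_ips:
            continue  # unparsable line or a known reporting device
        seen[m["src"]][m["host"]] += 1
    report = {}
    for ip, hosts in seen.items():
        host, count = hosts.most_common(1)[0]
        likely = host if host in defined else None
        report[ip] = (host, likely, count)
    return report
```

Run on the sample, 10.9.9.2 is attributed to wan-rtr2 (fix its logging source or the defined IP), while 172.16.5.5 is a device not yet added to the inventory at all.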
