What MARS model is good for me?

Unanswered Question

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/data_sheet_c78-458671.html


Check for the models and their EPS (Events/Secs) rates, netflow events/sec (in case you want to enable netflow) and storage capability (heavily depends on question wether u want netflow data or not).


The maximum events per second for each reporting device depends on the load/traffic of your devices. Here are the indicative numbers (event/secs only)..


ref: Security Monitoring with Cisco Security MARS

Gary Halleen

Greg Kellogg ...


Cisco ASA-5520 firewall 10,000

Cisco ASA-5540 firewall 20,000

Cisco PIX 515 firewall 1500

Cisco PIX 535 firewall 15,000

Cisco Firewall Services Module 25,000

Windows XP-2000, NT OS logs 300

Snort IDS 1000

Cisco IPS 1300

Check Point FW-1 3500

Cisco IOS switch 200

Cisco IOS router (with ACLs) 300

NetScreen VPN 1000

Cisco VPN-3000 concentrator 500


Count the EPS of devices present in your network, and choose the model accordingly


Pls rate if helpful.


Mohsin

cedar_lee Fri, 11/14/2008 - 08:14

Concurred.

I read the same book and Chapter 3 CS_MARS Deployment Scenarios talks about it.

pmccubbin Fri, 11/14/2008 - 10:35

To further elaborate on Mohsin's very informative post, I would also consider the types of devices you are monitoring when considering the size. In particular, are you monitoring only servers, or do you want a broad sample of network devices? I would also consider location in your planning, is the MARS box just for a single location?


I mention both of these (type of device and location) because you might be able to use a smaller size model if you know in advance exactly what you want to monitor. If you decide to break up the network monitoring into smaller segments and use smaller model MARS boxes you could then possibly purchase a Global Controller to manage them all.


I always recommend to my customers that they begin their planning for a MARS implementation by thinking about whether or not they can save enough money by tightly defining the scope of their monitoring to help pay the cost of a Global Controller.


The numbers don't always add up for a purchase of a Global Controller but it does get people thinking about how they will use MARS and what sort of ROI they expect.


Just my 2 cents.


Paul

Farrukh Haroon Fri, 11/14/2008 - 23:56

You can get a Cisco MARS sizing document from your local Cisco account team if you work for a partner. Else let Cisco/Partner choose this for you based on your EPS/netflow requirements.


This has been discussed many times, check the archives please.


Regards


Farrukh

Actions

This Discussion