We are about to put MARS into production. My senior network analyst is questioning why we should monitor switches. Most of the time they don't even log changes unless we configure ACLs on them. Could anyone help us here and explain why or why not we should monitor switches, please? Many thanks.
Hi Cedar Lee,
Thanks for the excellent question. From my experience with MARS, the issue of adding switches and the amount of work involved is a legitimate concern. We have even submitted to Cisco the feedback we have received from customers for some sort of bulk add functionality for devices. As you correctly point out, if your network has thousands of switches, you are going to think twice before saying these are things you want MARS to monitor. That said, I usually convince my customers to slowly add the switches and to do so in areas they consider strategic or highly vulnerable. The other factor we watch is the number of events the switches are currently producing, the concern being that we do not want to overwhelm the MARS box with events.
Hope this helps.