Should switches be monitored by MARS?

Nov 12th, 2008

We are about to put MARS into production. My senior network analyst is questioning why we should monitor switches. Most of the time they don't even log changes unless we configure ACLs on them. Could anyone help us here and explain why or why not we should monitor switches, please? Many thanks.

Correct Answer by pmccubbin about 8 years 2 months ago

Hi Cedar Lee,

Thanks for the excellent question. From my experience with MARS the issue of adding switches and the amount of work involved is a legitimate concern. We have even submitted to Cisco the feedback we have received from customers for some sort of bulk add functionality for devices. As you correctly point out, if your network has thousands of switches you are going to think twice before saying these are things you want MARS to monitor. Though with that said I usually convince my customers to slowly add the switches and to do so in areas they consider strategic or highly vulnerable. The other factor we watch is the number of events the switches are currently producing. The concern being that we do not want to overwhelm the MARS box with events.

Hope this helps.

Best,

Paul

zarathushtra Thu, 11/13/2008 - 15:47

It's all up to you. If you use port security, or just for fun ("if your network is under attack, MARS will draw you the whole picture, including a snapshot of the MAC address table from these switches"). So, if you are "attacked", at least you'll have something to have fun with.

cedar_lee Fri, 11/14/2008 - 07:30

And from the document, it says MARS can monitor Layer 2, including Spanning Tree.

Besides the two possible reasons you mentioned, I think it's related to human resources vs. workload as well. Let's say your network had thousands of switches; I bet you would take more time to think it over before picking a side.

In the real world, I am curious to know what choice the MARS pros made, to monitor switches or not, and the reasons behind that choice.

cedar_lee Fri, 11/14/2008 - 10:40

Hi Paul,

It was a great point. You must have lots of experience with MARS. Nice to have you here.

Thanks,

Cedar

auke.boers Fri, 11/14/2008 - 06:14

Hello,

Monitor them. You can monitor resources like CPU and memory. With one view you can see the CPU/memory usage of all the devices in MARS.

I lost my post?

Well, writing again, in short form this time :). L2 switches are configured so that MARS presents you with the ACL to be configured (or configures it on its own if the mitigation feature is on) on an L2 switch in case of a particular incident. This way, the source of an incident can be blocked at the network location nearest to the source.

Farrukh Haroon Fri, 11/14/2008 - 23:48

If you have Ciscoworks you can import all your switches into Cisco MARS within a minute. You can also do a bulk import using a MARS CSV file AFAIK.

Adding the switches gives you a better view of the topology (as others have pointed out). It also lets you mitigate the attack on the Layer 2 switch; however, this does not always work and requires a specific version of software on the switches (which is not documented properly anywhere). And when I asked this question in the last Ask the Expert session here on NetPro, the Cisco guy ignored my question.

Regards

Farrukh

mikecrowe4ics Thu, 11/20/2008 - 15:44

I suggest considering that the value of monitoring them via MARS is also dependent on how you have your switches configured. For instance, if you don't suppress the interface link-status logs, you will certainly see a LOT of events.

Also, consider the entirety of your architecture and what services are used or available. Do you use ACS, or some other AAA server? If not, the info on logins directly from the switches could be useful, and not available anywhere else.

Personally, I chose to add my switches, which totaled about 150. It did require a good bit of extra work for tuning, but I found it to be worth it.
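As an added example (not code from this thread, from any of its posters, or from Cisco MARS), here is a way to put numbers on the two practical checks raised above: Paul's advice to watch how many events a switch is already producing before adding it, and mikecrowe4ics's point that unsuppressed interface link-status logs dominate the volume. The script parses a raw syslog capture from the switches, counts events per switch, separates interface up/down noise from messages with security value (port-security violations, configuration changes, failed logins), and flags which switches need tuning before they are worth onboarding. The syslog lines, hostnames and addresses are constructed for the example, and the thresholds and the list of security-relevant mnemonics are assumptions to adjust for your own network.

```python
"""Estimate per-switch syslog volume and noise share before onboarding switches.

Added example; not part of the original thread or of Cisco MARS. Log lines are
constructed, and thresholds and mnemonic lists are assumptions to tune locally.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of Cisco IOS syslog lines as a collector would store them
# (hostnames, addresses, timestamps and MACs are made up). The last line is a
# deliberately malformed record to show that unparsable input is counted, not lost.
SAMPLE_SYSLOG = """\
<189>Nov 14 09:00:01 sw-access-01 101: *Nov 14 09:00:01.231: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down
<189>Nov 14 09:00:02 sw-access-01 102: *Nov 14 09:00:02.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
<189>Nov 14 09:00:05 sw-access-01 103: *Nov 14 09:00:05.118: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
<189>Nov 14 09:00:06 sw-access-01 104: *Nov 14 09:00:06.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
<189>Nov 14 09:01:10 sw-access-01 105: *Nov 14 09:01:10.442: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
<189>Nov 14 09:02:30 sw-access-02 201: *Nov 14 09:02:30.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<189>Nov 14 09:03:00 sw-access-02 202: *Nov 14 09:03:00.300: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
<189>Nov 14 09:03:01 sw-access-02 203: *Nov 14 09:03:01.300: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
relay: dropped message without an IOS header
"""

# IOS message header is %FACILITY-SEVERITY-MNEMONIC: text; everything between the
# syslog hostname and the '%' (sequence number, device timestamp) is skipped lazily.
LINE_RE = re.compile(
    r"^<\d+>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r".*?%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Interface link-state transitions: high volume, little security value on access ports.
LINK_STATUS = {("LINK", "UPDOWN"), ("LINEPROTO", "UPDOWN")}
# Messages an analyst wants regardless of volume (assumed selection, extend as needed).
SECURITY_RELEVANT = {
    ("PORT_SECURITY", "PSECURE_VIOLATION"),
    ("SYS", "CONFIG_I"),
    ("SEC_LOGIN", "LOGIN_FAILED"),
}


def parse_syslog(text, year=2008):
    """Return (events, unparsed_count). Syslog headers carry no year, so one is supplied."""
    events, unparsed = [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            unparsed += 1
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "facility": m["facility"],
                       "severity": int(m["severity"]), "mnemonic": m["mnemonic"],
                       "text": m["text"]})
    return events, unparsed


def summarize(text, year=2008):
    """Per-switch totals, noise share and event rate, plus the count of unparsable lines."""
    events, unparsed = parse_syslog(text, year)
    acc = defaultdict(lambda: {"total": 0, "link_status": 0, "security": 0,
                               "mnemonics": Counter(), "first": None, "last": None})
    for ev in events:
        h = acc[ev["host"]]
        key = (ev["facility"], ev["mnemonic"])
        h["total"] += 1
        h["mnemonics"][key] += 1
        h["link_status"] += key in LINK_STATUS
        h["security"] += key in SECURITY_RELEVANT
        h["first"] = ev["ts"] if h["first"] is None else min(h["first"], ev["ts"])
        h["last"] = ev["ts"] if h["last"] is None else max(h["last"], ev["ts"])
    hosts = {}
    for host, h in acc.items():
        # Floor the observation window at one minute so a short burst is not divided by ~0.
        span_min = max((h["last"] - h["first"]).total_seconds() / 60.0, 1.0)
        hosts[host] = {
            "total": h["total"],
            "link_status": h["link_status"],
            "security": h["security"],
            "noise_share": round(h["link_status"] / h["total"], 2),
            "events_per_minute": round(h["total"] / span_min, 2),
            "top_mnemonics": [f"{f}-{m}" for (f, m), _ in h["mnemonics"].most_common(3)],
        }
    return {"hosts": hosts, "unparsed": unparsed}


def recommend(report, max_events_per_minute=4.0, max_noise_share=0.5):
    """Flag switches whose feed needs tuning before it is sent to MARS (thresholds assumed)."""
    actions = {}
    for host, r in report["hosts"].items():
        notes = []
        if r["noise_share"] > max_noise_share:
            notes.append("suppress link-status logging on access ports")
        if r["events_per_minute"] > max_events_per_minute:
            notes.append("event rate too high; onboard only after tuning")
        if r["security"]:
            notes.append("carries security-relevant events; worth onboarding")
        actions[host] = notes
    return actions


if __name__ == "__main__":
    rep = summarize(SAMPLE_SYSLOG)
    for host, r in rep["hosts"].items():
        print(host, r)
    print("unparsed lines:", rep["unparsed"])
    print(recommend(rep))
```

Run it against a day of the collector's raw file rather than the constructed sample to get real rates, then decide per switch whether the volume is acceptable. On IOS the per-interface link-state messages are disabled with `no logging event link-status` under the interface, which is the suppression referred to above; the script's numbers tell you which switches need that before they are added, and which ones already produce port-security or configuration-change events that nothing else in the network records.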
