I really need some advice here. I have 20 sensing points. Hope to limit 1 sensing point to 100MB. What model of CSMARS would you recommend?
I am thinking about the CSMARS 100e-k9?
Thanks in advance.
How do you define "sensing points?" What would help to size one is the exact devices you will be adding to MARS. In our environment we have:
2 x IPS5.1 4215
~130 Cisco IOS 12.4 Routers
All these run on a Cisco 100e and at peak times we have about 150 events per second. Give me more details and hopefully I can get you better sizing.
If by "sensing points" you mean IDS/IPS sensors, then any of the CSMARS models will probably suffice. It's the firewalls and hosts that you have to worry about. I consider our 30 sensors to be moderately well tuned and we only see about 2 events per minute. We have a 100e and a single group of devices (certain firewall) eats up 90%+ of our theoretical event/sec limit.
Are you also considering utilizing netflow? Of all the hosts/switches/routers/firewalls/IDS, the devices utilizing netflow generate the highest volume of traffic.
Guys, I want to say thank you for your advice.
I was counting a port on the 4250XL as one sensing point. However, I am going more towards the idea of using the IDSM-2s on the 6506s.
Use RSPAN on the external switches to the Ethernet line card on the 6506 and then VACLs to the IDSM-2s ... sound right to you?
I was being pushed on the idea of getting the CSMARS 200, but it looks like the 100e should be sufficient. Will not be using NetFlow; it's purely for the IDS reporting.
I will have 4 IDSM-2s on the 6506 and 1 48-port fabric-enabled 10/100/1000 module. Is the fabric module required for the IDSM-2s to work? Will it improve the performance?
Thanks for all your help.
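For readers following the RSPAN-plus-VACL design raised in the post above, here is a worked configuration sketch. It is an added example, not a configuration posted in this thread, and every hostname, slot, VLAN number and interface in it is a constructed assumption: an external access switch mirroring two monitored ports into RSPAN VLAN 900 over a trunk, a Catalyst 6506 with a Sup720 running native IOS, and an IDSM-2 in slot 5 receiving a VACL capture copy of VLAN 900 on its data port 1. The `intrusion-detection module ... data-port ... capture` commands are the native IOS form for IDSM-2 capture ports; check the release notes for your supervisor and IOS train for any restriction on applying VACL capture to an RSPAN VLAN before relying on it.

```ios
! ===== External (source) switch: hypothetical ports, constructed for this example =====
vlan 900
 name RSPAN-TO-IDSM
 remote-span
!
! Mirror the monitored access port into the RSPAN VLAN (rx and tx)
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination remote vlan 900
!
! Uplink to the 6506: carry only the RSPAN VLAN on this trunk
interface GigabitEthernet0/24
 description RSPAN uplink to 6506 Gi1/1 (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 900
!
! ===== Catalyst 6506 (Sup720, native IOS): line-card port terminating the RSPAN trunk =====
vlan 900
 name RSPAN-TO-IDSM
 remote-span
!
interface GigabitEthernet1/1
 description RSPAN from external switch A (assumed)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 900
!
! VACL: forward all IP traffic on VLAN 900 and copy it to the capture ports.
! Non-IP frames would need an additional "match mac address" entry.
ip access-list extended CAPTURE-ALL-IP
 permit ip any any
!
vlan access-map RSPAN-CAPTURE 10
 match ip address CAPTURE-ALL-IP
 action forward capture
!
vlan filter RSPAN-CAPTURE vlan-list 900
!
! IDSM-2 in slot 5 (assumed): data-port 1 becomes a capture port restricted to VLAN 900
intrusion-detection module 5 data-port 1 capture allowed-vlans 900
intrusion-detection module 5 data-port 1 capture
!
! Verification (privileged EXEC)
! show vlan access-map RSPAN-CAPTURE
! show vlan filter
! show intrusion-detection module 5 data-port 1 state
```

Two practical notes on this layout: the capture copy is produced by the VACL, so no `monitor session` is needed on the 6506 itself for the IDSM-2 data port; and because the external switches land on physical ports of the 48-port line card, the per-group buffer advice in the next reply applies to which `GigabitEthernet1/x` ports you choose for the RSPAN trunks, not to the IDSM-2 data ports.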
The 48 port fabric enabled module (6548) is not required to use with the IDSM-2s. The 48 port non-fabric enabled modules (6148 for example) will work fine in many cases depending on your deployment.
Things to consider when making your decision:
1) What type of supervisor are you using?
If using the old Sup1a, then the supervisor won't be able to make use of the "fabric" so a fabric enabled card is not as important.
If using an old Sup2, then are you using a Switch Fabric Module (SFM) in order to make use of the "fabric"? Without an SFM a Sup2 can't make use of the "fabric", so a fabric enabled card is not as important. If an SFM IS being used, then do consider a fabric enabled 48 port line card.
If using either the new Sup32 or Sup720, then they DO make use of the fabric in the switch, and a fabric enabled 48 port line card should be considered.
2) What bandwidths will you be monitoring from your external switches? If the bandwidth is less than 100Mbps for each external switch then the non-fabric enabled cards would be OK. But if the bandwidth from the external switches could be several hundred Mbps, then the fabric enabled line card would be your better bet. The fabric enabled line card has more buffers and can handle higher bandwidths of traffic consistently.
(NOTE: Something else to keep in mind is which ports you plug the external switches in to on the 48 port line card. The buffers on the card are not specifically per port, but instead are split into 6 groups of 8 ports. So all the 8 ports in one group will share a buffer. 1-8 are in one group, 7-16 in another group, and on down the line. So when connecting up the external switches try to spread them out across these groups to get the optimal use of the buffers.)
3) Consider cost vs. planning for the future. With the future moving to faster and faster speeds, the fabric enabled 48 port line card would be expected to have a much longer useful life span because of its ability to handle high speed better than the non-fabric enabled 48 port line cards.
However, as in most deployments, the cost of the hardware is a major concern. The non-fabric enabled may be cheaper, and cost could wind up being your deciding factor.
I just looked this up, and do not remember the documentation being different when I purchased MARS. It was also presented that netflow counted towards eps.
Our 100e can't even handle 3000 eps with zero netflow and not using SNMP. I had just never seen it explicitly called out. This is as close as I got from the link you posted. Notice the "OR":
"Cisco Security MARS appliances are security-hardened and optimized for receiving extremely high levels of event traffic - more than 10,000 events per second or more than 300,000 Cisco NetFlow events per second"
Of course, I don't see a model that supports "more than" either of those 2 figures. In any event, it may be semantics but in light of the above I think that perhaps the max netflows/sec and max events/sec are completely different metrics showing total potential throughput. Neither one counts towards the other, but toward a percentage of total potential throughput. So a 100e should support 50% of the max netflows/sec and 50% of the max events/sec. Perhaps that's what you meant anyway.