I am in the beginning stages of configuring the MARS 210 that we just purchased. I have a few questions/concerns:
Netflow - I want to send netflow from approx 55 devices (remote site routers and core switches plus data center devices) to MARS. Will this overwhelm the processor/memory? I have another 200 or so 3560 series switches scattered around 40+ remote sites - is there any benefit to having them send netflow as well or would the remote site routers suffice?
Syslog - is this MARS box enough to handle pointing ALL devices logs at it?
SNMP - is the SNMP RO string enough to get accurate info from the devices or do I also need to enter login info on all the devices (which will take forever).
I have CiscoWorks LMS 3.0 - if I export all my devices can I then import them into MARS and not have to enter in all this info manually?
Start with your firewalls and IPS's (if you have them) becuase they will be the devices you will have to tune the most. Then use the seed file to import all devices but configure one at a time. I did syslogs and snmp on every device and netflow on choke points, so I don't get duplicate flows and overwhelm myself. Each device you add will uncover a new problem, create a rule, or tune the reporting device.
You may want to look into doing netflow only on the link routers closest to you.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...