Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

MARS & Netflow

I am going to implement MARS to monitor my network and i want to monitor the internet traffic but i have some questions:

_is it enough to configure SNMP & Syslog in all devices to report to MARS or i need to send netflow traffic also?

_if i need Netflow which devices will be the best devices to report Netflow to MARS?

i have internet router access,distribution and core switches and some security devices.

Everyone's tags (3)
1 REPLY
Cisco Employee

Re: MARS & Netflow

Mohammed;

  CS-MARS primarliy makes use of syslog, SNMP traps and IPS events for incident generation.  By confgiuring your various security devices (firewalls, IPS devices, AAA servers, Windows domain controllers, etc) CS-MARS can effectively inform you of potential security incidents within your network.

  By adding netflow data to the CS-MARS it is now possible for CS-MARS to provide anomaly-based incidents that can alert you to changes in traffic patterns on your network.  In most instances, you do not need netflow being sent from every netflow-capable device in your network.  By configuring devices in locations that have the best "view" into the traffic on your network, the CS-MARS should be able to successfully detect these anomalous changes.  You can read more in the user guide here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgOver.html#wpmkr180414

Scott

942
Views
0
Helpful
1
Replies
CreatePlease to create content