Should switches be monitored by MARS?

cedar_lee (Level 1)

We are about to put MARS into production. My senior network analyst is questioning why we should monitor switches. Most of the time they don't even log changes unless we config ACL on them. Any one could help us here and explain why or why not we should monitor switches please? Many thanks.

1 Accepted Solution

Accepted Solutions

Hi Cedar Lee,

Thanks for the excellent question. From my experience with MARS the issue of adding switches and the amount of work involved is a legitimate concern. We have even submitted to Cisco the feedback we have received from customers for some sort of bulk add functionality for devices. As you correctly point out, if your network has thousands of switches you are going to think twice before saying these are things you want MARS to monitor. Though with that said I usually convince my customers to slowly add the switches and to do so in areas they consider strategic or highly vulnerable. The other factor we watch is the number of events the switches are currently producing. The concern being that we do not want to overwhelm the MARS box with events.

Hope this helps.

Best,

Paul


13 Replies

zarathushtra (Level 1)

It's all up to you. If you use port security, or just for fun ("if your network comes under attack, MARS will draw you the whole picture, including a snapshot of the MAC address table from these switches"). So, if you are "attacked", at least you'll have something to have fun with.

And the documentation says MARS can monitor L2, including Spanning Tree.

Besides the two possible reasons you mentioned, I think it's related to human resources vs. workload as well. Let's say your network had thousands of switches; I bet you would take more time to think it over before picking a side.

In the real world, I am curious to know what choice the MARS pros took, to monitor switches or not, and what the reasons behind the choice were.


Hi Paul,

It was a great point. You must have lots of experience with MARS. Nice to have you here.

Thanks,

Cedar

auke.boers (Level 1)

Hello,

Monitor them. You can monitor resources like CPU and memory. In one view you can see the CPU/memory usage of all the devices in MARS.

Good point. Thanks.

Anyone else?

I lost my post??

Well, writing again, in short form this time :). L2 switches are configured so that MARS presents to you the ACL to be configured (or does it on its own if the mitigation feature is on) on an L2 switch in case of any particular incident. This way, the source of an incident can be blocked at the network location nearest to the source.
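The "block at the nearest location" idea in the reply above depends on first finding which access port a source MAC is learned on. The script below is an added illustration of that lookup, not MARS's own mitigation logic: it parses constructed `show mac address-table dynamic` snapshots (hypothetical hostnames `dist-sw1`, `access-sw7`, `access-sw9`, with a hand-maintained list of uplink ports), ignores entries learned through an uplink, refuses to act when the same MAC shows up on access ports of two switches (stale snapshot or MAC spoofing), and only then emits the interface-level block. The refusal path is the practical side of Farrukh's later remark that the mitigation does not always work.

```python
"""Locate the access port nearest to an offending MAC address from
`show mac address-table dynamic` snapshots of several switches, and
build the interface-level block for that port.

Added example only: not MARS code. Snapshots and hostnames are
constructed, modeled on the Catalyst IOS output format."""
import re
from dataclasses import dataclass

# Constructed snapshots, one per hypothetical switch. The first one keeps
# the IOS header lines to show the parser skipping them.
SNAPSHOTS = {
    "dist-sw1": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Po1
  10    00aa.bbcc.dd01    DYNAMIC     Po2
  20    00aa.bbcc.dd02    DYNAMIC     Gi1/0/24
""",
    "access-sw7": """\
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/8
""",
    "access-sw9": """\
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/3
""",
}

# Hypothetical uplink/trunk ports. A MAC learned on one of these was seen
# *through* another switch, so that port is never the nearest location.
UPLINKS = {"dist-sw1": {"Po1", "Po2"}, "access-sw7": {"Gi1/0/48"}, "access-sw9": {"Gi1/0/48"}}

ENTRY = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I
)


@dataclass(frozen=True)
class MacEntry:
    switch: str
    vlan: int
    mac: str
    port: str


def parse_mac_table(switch, text):
    """Parse one switch's table; header and separator lines do not match ENTRY."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append(MacEntry(switch, int(m.group(1)), m.group(2).lower(), m.group(4)))
    return out


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-..., or 0011.2233.4455; return dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def locate(mac, snapshots=SNAPSHOTS, uplinks=UPLINKS):
    """Return (switch, port, vlan) of the single access port where `mac`
    is learned, or None if it is unseen or seen on access ports of more
    than one switch (stale data or spoofing: do not block blindly)."""
    target = normalize_mac(mac)
    hits = [e for sw, text in snapshots.items()
            for e in parse_mac_table(sw, text) if e.mac == target]
    edge = [e for e in hits if e.port not in uplinks.get(e.switch, set())]
    if len(edge) != 1:
        return None
    e = edge[0]
    return e.switch, e.port, e.vlan


def block_config(mac):
    """Interface-level block for the located port, or None when locate() declines."""
    loc = locate(mac)
    if loc is None:
        return None
    switch, port, _ = loc
    return [f"! apply on {switch}", f"interface {port}", " shutdown"]


if __name__ == "__main__":
    for m in ("00:11:22:33:44:55", "00aa.bbcc.dd02", "00aa.bbcc.dd01"):
        print(m, "->", locate(m), block_config(m))
```

`00aa.bbcc.dd01` is the instructive case: it is learned on access ports of both `access-sw7` and `access-sw9`, so the script returns no block rather than shutting down the wrong port. Whether a real deployment shuts the port, applies a MAC ACL or adds a port-security sticky entry is a policy choice; the lookup and the ambiguity check are the same.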

Sounds good. Thanks.

If you have Ciscoworks you can import all your switches into Cisco MARS within a minute. You can also do a bulk import using a MARS CSV file AFAIK.

Adding the switches gives you a better view of the topology (as others have pointed out); it also lets you mitigate the attack on the layer 2 switch. However, this does not always work and requires a specific version of software on the switches (which is not documented properly anywhere). And when I asked this question in the last Ask the Expert session here on NetPro, the Cisco guy ignored my question.

Regards

Farrukh

I agree that this mitigation part doesn't always work.

And I always wonder why only L2; why can't we use the existing edge/distribution switches for the same purpose?

Excellent! Thanks, Farrukh.

I suggest considering that the value of monitoring them via MARS is also dependent on how you have your switches configured. For instance, if you don't suppress the interface link-status logs, you will certainly see a LOT of events.

Also, consider the entirety of your architecture and what services are used or available. Do you use ACS, or some other AAA server? If not, the info on logins directly from the switches could be useful, and not available anywhere else.

Personally, I chose to add my switches, which totaled about 150. It did require a good bit of extra work for tuning, but I found it to be worth it.
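Mike's two points above (unsuppressed link-status messages dominate the volume, and login records from the switch itself matter when there is no AAA server) can be checked against a switch's syslog feed before deciding to add it. The script below is an added example, not MARS code: it classifies constructed lines modeled on IOS syslog message formats (hypothetical host `access-sw7`, addresses from 10.0.0.0/8), reports what share of the feed is link-status noise, shows what remains after the interface-level `no logging event link-status` tuning, and runs a small failed-then-successful-login check over the login messages.

```python
"""Size and triage a switch syslog feed before sending it to the collector.

Added example, not MARS code. The sample lines are constructed, modeled
on IOS syslog message formats; host name and addresses are hypothetical."""
import re
from collections import Counter, defaultdict

# Constructed sample: ten messages from one hypothetical access switch.
SAMPLE_LOG = """\
Mar  1 10:00:01 access-sw7 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Mar  1 10:00:02 access-sw7 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to down
Mar  1 10:00:09 access-sw7 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Mar  1 10:00:10 access-sw7 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to up
Mar  1 10:01:00 access-sw7 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:01:05 access-sw7 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:01:12 access-sw7 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.99] [localport: 22]
Mar  1 10:01:40 access-sw7 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.99)
Mar  1 10:02:00 access-sw7 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/7.
Mar  1 10:02:01 access-sw7 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
"""

# timestamp, host, then the IOS %FACILITY-SEVERITY-MNEMONIC: text pattern
MSG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                 r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
SRC = re.compile(r"\[Source: ([\d.]+)\]")


def parse(line):
    m = MSG.match(line)
    return m.groupdict() if m else None


def classify(msg):
    fac, mnem = msg["fac"], msg["mnem"]
    if fac in ("LINK", "LINEPROTO") and mnem == "UPDOWN":
        return "link-status"          # the noise Mike suppresses
    if fac == "SEC_LOGIN":
        return "login"                # only record of logins if there is no AAA server
    if fac == "SYS" and mnem == "CONFIG_I":
        return "config"
    if fac == "PORT_SECURITY":
        return "port-security"
    return "other"


def summarize(log_text):
    """Event count per category."""
    msgs = [p for p in map(parse, log_text.splitlines()) if p]
    return Counter(classify(m) for m in msgs)


def link_status_share(log_text):
    c = summarize(log_text)
    total = sum(c.values())
    return c["link-status"] / total if total else 0.0


def after_tuning(log_text):
    """Lines that would still reach the collector once link-status events are suppressed."""
    return [l for l in log_text.splitlines() if (p := parse(l)) and classify(p) != "link-status"]


def suspicious_logins(log_text, threshold=2):
    """Sources with >= threshold LOGIN_FAILED immediately followed by LOGIN_SUCCESS."""
    fails = defaultdict(int)
    hits = []
    for p in filter(None, map(parse, log_text.splitlines())):
        if p["fac"] != "SEC_LOGIN":
            continue
        m = SRC.search(p["text"])
        if not m:
            continue
        src = m.group(1)
        if p["mnem"] == "LOGIN_FAILED":
            fails[src] += 1
        elif p["mnem"] == "LOGIN_SUCCESS":
            if fails[src] >= threshold:
                hits.append((src, fails[src]))
            fails[src] = 0
    return hits


def tuning_config(first="GigabitEthernet1/0/1", last="48"):
    """IOS interface-range commands that stop the link-status messages on access ports."""
    return [f"interface range {first} - {last}", " no logging event link-status"]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)), f"link-status share {link_status_share(SAMPLE_LOG):.0%}")
    print(len(after_tuning(SAMPLE_LOG)), "lines left after tuning")
    print("guessed-then-succeeded logins:", suspicious_logins(SAMPLE_LOG))
```

On the constructed sample half the feed is link-status churn and disappears with the tuning, while every line that would matter in an incident (the failed logins from 10.0.0.99, the config change from the same address, the port-security violation) survives. Run the same classification over a day of real syslog from a candidate switch to estimate its event rate before adding it to the collector.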

Very good point.

Thanks Mike.
