Cisco Support Community
New Member

Should switches be monitored by MARS?

We are about to put MARS into production. My senior network analyst is questioning why we should monitor switches. Most of the time they don't even log changes unless we config ACL on them. Any one could help us here and explain why or why not we should monitor switches please? Many thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Should switches be monitored by MARS?

Hi Cedar Lee,

Thanks for the excellent question. From my experience with MARS the issue of adding switches and the amount of work involved is a legitimate concern. We have even submitted to Cisco the feedback we have received from customers for some sort of bulk add functionality for devices. As you correctly point out, if your network has thousands of switches you are going to think twice before saying these are things you want MARS to monitor. Though with that said I usually convince my customers to slowly add the switches and to do so in areas they consider strategic or highly vulnerable. The other factor we watch is the number of events the switches are currently producing. The concern being that we do not want to overwhelm the MARS box with events.

Hope this helps.

Best,

Paul

13 REPLIES
New Member

Re: Should switches be monitored by MARS?

It's all up to you. If you use port-security or just for fun ("if your network is under attack, MARS will draw you the whole picture, including a snapshot of the MAC address table from these switches"). So, if you are "attacked", at least you'll have something to have fun with.

New Member

Re: Should switches be monitored by MARS?

And from the document, it says MARS can monitor L2, including Spanning-Tree.

Besides the two possible reasons you mentioned, I think it's related to human resources vs. workload as well. Let's say your network had thousands of switches; I bet you would take more time to think it over before picking a side.

In the real world, I am curious to know what choice MARS Pro took, monitor switches or not, and what the reasons were behind the choice.

New Member

Re: Should switches be monitored by MARS?

Hi Paul,

It was a great point. You must have lots of experience with MARS. Nice to have you here.

Thanks,

Cedar

New Member

Re: Should switches be monitored by MARS?

Hello,

Monitor them. You can monitor resources like CPU and memory. With one view you can see the CPU/memory usage of all the devices in MARS.

New Member

Re: Should switches be monitored by MARS?

Good point. Thanks.

Anyone else?

New Member

Re: Should switches be monitored by MARS?

I lost my post??

Well, writing again, in short form this time :). L2 switches are configured so that MARS presents to you the ACL to be configured (or does it on its own if the mitigation feature is on) on an L2 switch in case of any particular incident. This way, the source of the incident can be blocked at the network location nearest to the source.

New Member

Re: Should switches be monitored by MARS?

Sounds good. Thanks.

Re: Should switches be monitored by MARS?

If you have CiscoWorks you can import all your switches into Cisco MARS within a minute. You can also do a bulk import using a MARS CSV file, AFAIK.

Adding the switches gives you a better view of the topology (as others have pointed out); it also lets you mitigate the attack on the layer 2 switch. However, this does not always work and requires specific versions of software on the switches (which is not documented properly anywhere). And when I asked this question in the last Ask the Expert session here on NetPro, the Cisco guy ignored my question.

Regards

Farrukh

New Member

Re: Should switches be monitored by MARS?

I agree that this mitigation part doesn't always work.

And I always wonder why only L2; why can't we use the existing edge/distribution switches for the same purpose?

New Member

Re: Should switches be monitored by MARS?

Excellent! Thanks, Farrukh.

New Member

Re: Should switches be monitored by MARS?

I suggest considering that the value of monitoring them via MARS is also dependent on how you have your switches configured. For instance, if you don't suppress the interface link-status logs, you will certainly see a LOT of events.

Also, consider the entirety of your architecture and what services are used or available. Do you use ACS, or some other AAA server? If not, the info on logins directly from the switches could be useful, and not available anywhere else.

Personally, I chose to add my switches, which totaled about 150. It did require a good bit of extra work for tuning, but I found it to be worth it.
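
As an added example (not from anyone in this thread), a small Python triage of constructed IOS-style syslog lines that puts numbers on the two points above: how much of a switch's output is link-state chatter that tuning would have to absorb, and which login and severity-2 events you would lose if the switches were not sent to MARS. Hostnames, users, addresses and the line format are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of IOS syslog sent with "logging origin-id hostname" (not a real capture).
SAMPLE_LOG = """\
<189>sw-access-01: Jan 12 10:00:01: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
<189>sw-access-01: Jan 12 10:00:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
<189>sw-access-01: Jan 12 10:00:04: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
<189>sw-access-01: Jan 12 10:00:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
<189>sw-access-01: Jan 12 10:02:10: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]
<188>sw-access-02: Jan 12 10:03:00: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.9.7] [localport: 22] [Reason: Login Authentication Failed]
<186>sw-access-02: Jan 12 10:03:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
<189>sw-access-02: Jan 12 10:04:00: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

LINE_RE = re.compile(r"^<\d+>(?P<host>[\w.-]+): (?P<ts>\w{3} +\d+ [\d:]+): "
                     r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"\[user: (?P<user>\S+)\] \[Source: (?P<src>\S+)\]")
NOISE = {("LINK", "UPDOWN"), ("LINEPROTO", "UPDOWN")}  # interface flap chatter

def parse_line(line):
    """Split one IOS-style syslog line into fields; None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Per switch: total events, link-flap noise, login events and severity<=2 alerts."""
    stats = defaultdict(lambda: {"total": 0, "link_noise": 0, "logins": [], "alerts": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip a malformed line rather than dropping the whole batch
        s = stats[ev["host"]]
        s["total"] += 1
        if (ev["fac"], ev["mn"]) in NOISE:
            s["link_noise"] += 1
        elif ev["fac"] == "SEC_LOGIN":
            lm = LOGIN_RE.search(ev["msg"])
            if lm:  # (user, source address, succeeded?)
                s["logins"].append((lm["user"], lm["src"], ev["mn"] == "LOGIN_SUCCESS"))
        elif int(ev["sev"]) <= 2:
            s["alerts"].append(ev["mn"])
    return dict(stats)

def noise_ratio(stats, host):
    """Share of a switch's events that are link-state chatter (0.0 if it sent none)."""
    s = stats.get(host, {})
    return s["link_noise"] / s["total"] if s.get("total") else 0.0
```

Run over a day of real syslog from a candidate switch, the ratio tells you whether link-status logging needs suppressing before the switch is added, and the login list is exactly the data that has no other home when there is no AAA server.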

New Member

Re: Should switches be monitored by MARS?

Very good point.

Thanks Mike.
