Community Member

NBAR, Netflow, QoS Policing, 6500s, IOS 12.1(26)E7, and MARS

Hello. I'm having trouble seeing the forest OR the trees, and I'd appreciate some help from someone who has a better field view than myself. We're upgrading our internet connection to 200MB and management is wanting to upgrade our Packet Shaper to meet the new bandwidth. (The Packet Shaper shows top talkers, top protocols, and rate limits protocols or users.) I'm trying to make the argument that we can do this w/ existing tools (nbar, netflow, QoS policing, and MARS), at the same time I'm trying to make the argument that we need to have our supervisors (currently SUP2 MSFC2) on a 3-4 year upgrade cycle.

To get to the 12.2 IOS, I'd require a memory or sup upgrade. What I am hoping for is someone who has gone down this road who knows what I'm lacking in 12.1 code, or if in fact I can do it all here.

While it is self-evident to most in IT why we need to regularly upgrade equipment, I'm having difficulty making this argument to management with hard facts. I'm guessing they'd still be running Windows for Workgroups to save money...but that's another story.

My plan is to use Netflow and MARS to track top users and top protocols. It appears that I lose some mgt functionality w/ MARS in conjunction w/ IOS 12.1, but I am currently unclear if I lose any tracking capability. (MARS is new to us and awaiting install.)

Then, I hope to use NBAR to identify all the latest P2P traffic and police it appropriately w/ QoS tools.

Does my thinking sound solid? Will I be able to pull this off w/ 12.1? If not, what do I need that I lack in 12.1?

Thank you for your time,

Joshua

ACCEPTED SOLUTION

Re: NBAR, Netflow, QoS Policing, 6500s, IOS 12.1(26)E7, and MARS

Hi,

First of all - you need to be clear that although MARS uses netflow data, it uses it for the purpose of identifying security issues. If you want to use netflow for reporting and/or accounting purposes MARS isn't the tool you need, try one of the following freeware netflow tools:

http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/freeware/index.shtml

or one of the following commercial tools:

http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/index.shtml

The freeware ones are generally more difficult to set up but once running are just as good as the commercial ones.

However, this means you need two netflow destinations - one for MARS and one for your netflow tool, and this feature is called "Netflow Multiple Export Destinations" and initially appeared at 12.1(3)T, but it seems to be VERY platform specific - for example, because we only run GD software on our 3660s we had to upgrade to 12.3(20) to get it.

Looking at the Feature Navigator for SUP2/MSFC2 it appears that you need at least 12.2(18)SXF6 to get this feature so that might help your case.

I'd personally keep the PacketShaper for its reporting capability if nothing else (IOS can do the job, but not as elegantly as the PacketShaper).

HTH - plz rate if useful.

Andrew.

4 REPLIES
Silver

Re: NBAR, Netflow, QoS Policing, 6500s, IOS 12.1(26)E7, and MARS

You may check the following link for information on IOS Software Release 12.1(13)E features; hope this helps:

http://www.cisco.com/en/US/products/hw/switches/ps708/prod_bulletin09186a00801124a0.html

Community Member

Re: NBAR, Netflow, QoS Policing, 6500s, IOS 12.1(26)E7, and MARS

Andrew,

Thanks for the info. Yes, I understand that MARS is primarily a security appliance, but our SE said that it would also identify top talkers and top protocols on the network. Is this untrue?

J

Re: NBAR, Netflow, QoS Policing, 6500s, IOS 12.1(26)E7, and MARS

Hi,

It's not exactly untrue, but MARS's unit of measurement is a security event (i.e. an IPS signature hit) or a netflow event (i.e. a particular sequence of netflow data that is interpreted as a security event). It also uses other sources, such as syslog, Windows event logs, Oracle database logs, etc.

So MARS will give you top sources, top destinations, etc., but not from a data-volume point of view, only from a "MARS event" point of view. If you want to get detailed traffic information (like you get from Packeteer, for instance) then MARS isn't the right tool for the job.

HTH - plz rate if useful.

Andrew.
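To make the distinction in the two replies above concrete (a NetFlow reporting tool ranks hosts by bytes, an event-oriented tool like MARS ranks them by event count, which is why a second export destination is needed), here is an added example that is not from this thread or from any Cisco tool: a minimal decoder for NetFlow v5 export datagrams, the fixed-format version exported by routers of this IOS generation, fed one constructed datagram and ranked both ways. The addresses, ports and byte counts in the sample are made up.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address
# NetFlow v5 wire format: 24-byte header, then `count` fixed 48-byte flow records.
HDR = struct.Struct("!HHIIIIBBH")               # version, count, uptime, secs, nsecs, seq, engine, sampling
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifs, pkts, octets, first, last, ports...

def parse_v5(datagram):
    """Decode one v5 export datagram into (flow sequence number, list of flow dicts)."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _, _, _, seq, _, _, _ = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 export (version %d)" % version)
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram: header claims %d records" % count)
    flows = []
    for i in range(count):
        r = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "pkts": r[5], "octets": r[6], "dport": r[10], "proto": r[13]})
    return seq, flows

def rank_by_octets(flows, n=5):
    """Top talkers as a reporting collector shows them: bytes per source address."""
    by_src = Counter()
    for f in flows:
        by_src[f["src"]] += f["octets"]
    return by_src.most_common(n)

def rank_by_flows(flows, n=5):
    """Top sources by number of flow records, i.e. an event-style count that ignores volume."""
    return Counter(f["src"] for f in flows).most_common(n)

def _rec(src, dst, pkts, octets, sport, dport, proto):
    # Build one constructed v5 record; interfaces, timestamps and AS fields are zeroed.
    return REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4, 1, 2,
                    pkts, octets, 0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export: one bulk transfer from 10.1.1.10, three small web flows from 10.1.1.20.
SAMPLE = HDR.pack(5, 4, 123456, 1700000000, 0, 1000, 0, 0, 0) + b"".join([
    _rec("10.1.1.10", "192.0.2.5", 40000, 50_000_000, 51413, 6881, 6),
    _rec("10.1.1.20", "192.0.2.7", 10, 1200, 40000, 80, 6),
    _rec("10.1.1.20", "192.0.2.8", 8, 900, 40001, 80, 6),
    _rec("10.1.1.20", "192.0.2.9", 6, 700, 40002, 443, 6),
])

if __name__ == "__main__":
    _, flows = parse_v5(SAMPLE)
    print("by bytes:", rank_by_octets(flows))  # 10.1.1.10 ranks first
    print("by flows:", rank_by_flows(flows))   # 10.1.1.20 ranks first
```

The same export fed to an event-counting consumer puts the host with three tiny web flows on top, while a byte-based collector puts the single bulk transfer on top; that gap is the reporting MARS does not give you.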
