CS-MARS and Netflow

I'm about to begin a CS-MARS Proof-of-Concept implementation where Netflow is already running on the network.

Any suggestions as to whether the dual export of Netflow data is a good idea or not? In other words, continue to export the data to a Netflow collector and then also send it to the MARS box.

According to what I have been reading, the dual export of data has no significant impact on router CPU utilization, especially if I use Sampled Netflow.

I'd appreciate anyone's suggestions and whether or not I am framing the issue correctly.

Thanks in advance.

4 REPLIES

Re: CS-MARS and Netflow

I export to two different devices (one for management and one for MARS) and have experienced no problems and no difference in CPU/mem util between sending one or two flows. HTH
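As an added illustration of the dual-export setup described in this reply (example configuration, not the poster's own), a legacy NetFlow configuration on Cisco IOS that sends the same flow records to an existing collector and to a CS-MARS appliance, with random sampling to bound the router CPU cost the original question raises. The addresses, interface name, sampler name and UDP port are constructed placeholders; adjust them to the collector and MARS listener actually in use.

```ios
! Legacy IOS NetFlow allows two export destinations, so the same
! records go to the existing collector and to the MARS appliance.
! Addresses and port are constructed placeholders.
ip flow-export source Loopback0
ip flow-export version 5
! existing NetFlow collector
ip flow-export destination 192.0.2.10 2055
! CS-MARS appliance (MARS accepts NetFlow v5)
ip flow-export destination 192.0.2.20 2055
!
! Shorter active timeout so long-lived flows reach both collectors
! in one-minute slices instead of the 30-minute default.
ip flow-cache timeout active 1
!
! Sampled NetFlow: one packet in 100 chosen at random, which limits
! the CPU cost of building the flow cache on a busy interface.
flow-sampler-map MARS-SAMPLER
 mode random one-out-of 100
!
interface GigabitEthernet0/1
 description Uplink - sampled flows exported to both collectors
 flow-sampler MARS-SAMPLER
!
! Verification after applying:
!   show ip flow export   - both destinations listed, datagram counters rising
!   show flow-sampler     - sampler attached and sampling packets
!   show ip cache flow    - cache populating
```

If the interface previously used "ip route-cache flow" or "ip flow ingress", remove that before attaching the sampler; otherwise every packet is still accounted and the sampling gives no CPU relief.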

Re: CS-MARS and Netflow

Thanks for the response!

A follow-up question if I may. Have you ever tried to redirect from a Netflow collector to MARS?

Re: CS-MARS and Netflow

No, sorry.

Re: CS-MARS and Netflow

Just some pluses/minuses to consider in your proof of concept:

Plus: The amount of valuable information reported by Mars increases by orders of magnitude with the addition of NetFlow. Without NetFlow, all we saw was "bad stuff" (intrusion attempts, etc.) ... and not info about the network normal baseline.

Minus: In current OS versions, drop rules to tune out false positives don't work on NetFlow data. The ramifications were:

a. We had to copy/mod system rules to keep known traffic from triggering incidents. (TAC says that dropping NetFlow events is being considered for future versions.)

b. The false positive incidents stopped, but the queries/reports still include these events in the totals/graphs ... you have to "tune these out in your head".

The Mars has still proven to be very valuable. It has allowed us to locate and remediate infected hosts and, in some cases, unruly users :-)
