Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Estimated Events Per Second for MARS

How do we estimate the events per second when ordering a MARS unit? We are looking at the CS-MARS-50-K9 that can handle 1000 EVS. But what if our network generates more then 1000 EVS? How do we estimate the EVS?

4 REPLIES
Gold

Re: Estimated Events Per Second for MARS

This is a great resource for MARS questions:

http://groups.google.com/group/cs-mars-ug

You'll find a Python script for doing just that. I've never used it, but Chris Durkin, who is active in the group, talks about it on his MARS blog here (another good resource):

http://ciscomars.blogspot.com/

If you have questions about the script, ask the group.

New Member

Re: Estimated Events Per Second for MARS

We currently don't have any syslog events being sent to a syslog server...so this script will not work for us.

We have 4 firewalls, 4 routers, 2 Cisco

6510 core switches with about 20 VLANS and about 200 servers (Windows

and Unix), a Cisco 4060 IPS which I want to pull events from. We also

want to use NetFlow from these devices as well as from about 100 Cisco

switches. In addition, we are growing and will need to double these

numbers in about 1 year.

Gold

Re: Estimated Events Per Second for MARS

First of all, take the theoretical EPS limit stated by Cisco as being supported and reduce it by 20%. Then take the EPS you think you need and double it;-) We would just be guessing based on the information you provided. How noisy a device is depends on the device, the traffic and the configuration. For example, given the same traffic load a Checkpoint firewall is usually extremely noisy, an IOS based firewall is usually relatively quiet(partly because it will give up on logging pretty quickly if it gets busy...but that's a whole other issue).

If you really want to find out before now, you could certainly turn on syslog now and start monitoring. Don't worry about the netflow for now, supposedly that is a separate metric.

New Member

Re: Estimated Events Per Second for MARS

Thanks for the input. As you suggested, I'm finding that there are performance issues with the original MARS hardware models. We have decided to go with the Second Generation CS-MARS-110R over the First Generation CS-MARS-100. This way we get the updated hardware, more storage space, and with the "R" model, we will have the option to purchase the upgrade license should we need additional functionality in the future. Below is a great link I found on the Cisco Web site about the second generation MARS boxes:

http://www.cisco.com/en/US/products/ps6241/products_installation_guide_book09186a008083b016.html

581
Views
10
Helpful
4
Replies
CreatePlease to create content