User Guide for Cisco Security MARS Local Controller (78-17020-01)
Chapter 2: Reporting and Mitigation Devices Overview

Selecting the Devices to Monitor

Table 2-2 Device Types and Data Available

Device Type: Router

Data Available:
The device discovery protocol is the one used for administrative access/mitigation. For example, if SSH is used to discover the device, then SSH is the protocol used to push the mitigation command.
The following data is pulled from routers:
• hostname
• static routes
• ACL rules
• static NAT rules
• traffic flows
• SNMP RO Community strings
• NetFlow data
• device status and resource utilization, such as memory, CPU, and interface/port statistics
• ARP cache table, used to map IP address to MAC address

Recommended Configurations:
Enable the following:
• SNMP RO community strings
• Syslog traffic
• Device discovery via SSH or Telnet access
• NetFlow data
• Administrative access for mitigation push

Device Type: Switch

Data Available:
During investigation and mitigation, the ARP cache tables are reviewed to resolve the MAC addresses involved in the incident. This data is cached for 6 hours.
• SNMP RO Community strings
• Forwarding tables, used to map IP address to MAC address
• Device status and resource utilization, such as memory, CPU, and interface/port statistics
• NetFlow data
• 802.1x logs generated during NAC sessions

Recommended Configurations:
Enable the following:
• SNMP RO community strings
• Syslog traffic
• Device discovery via SSH or Telnet access
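The following Cisco IOS configuration is an added illustration of the router settings recommended above (SNMP RO community, syslog, NetFlow export, SSH-based discovery and mitigation access); it is not taken from the MARS guide. The collector address 192.0.2.10, the NetFlow port 2055, the interface names, the domain name and the credential placeholders are assumptions.

```cisco
! Added example: router prepared for MARS monitoring and mitigation push.
! 192.0.2.10 is an assumed placeholder address for the MARS Local Controller.
!
! Weak setting (do not use): a well-known RO community reachable from any source
! snmp-server community public RO
!
! Hardened: a non-guessable RO community, answered only for the collector
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
snmp-server community REPLACE-WITH-STRONG-STRING RO 10
!
! Syslog traffic to the collector, with timestamps the investigator can correlate
service timestamps log datetime msec
logging host 192.0.2.10
logging trap informational
!
! NetFlow v5 export of traffic flows (collector port 2055 is an assumption)
ip flow-export version 5
ip flow-export destination 192.0.2.10 2055
interface GigabitEthernet0/0
 ip flow ingress
!
! Device discovery and mitigation push over SSH only; Telnet is not accepted
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username mars-admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
line vty 0 4
 transport input ssh
 login local
```

Because the discovery protocol is also the mitigation channel, the vty lines should accept SSH rather than Telnet so that the pushed commands and credentials are not sent in the clear.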