Cisco NAM User Manual
Cisco Network Analysis Module (NAM) Traffic Analyzer User Guide, 5.0
January 2011
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-22617-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Cisco Network Analysis Module (NAM) Traffic Analyzer User Guide, 5.0
© 2011 Cisco Systems, Inc. All rights reserved.
IMPLIED, INCLUDING, WITHOUT
About This Guide xi
CONTENTS
CHAPTER
1 Overview 1-1
Introducing NAM Traffic Analyzer 5.0 1-1
Dashboards 1-2
Logical Site 1-2
New Application Classification Architecture 1-3
Standards-Based NBI 1-3
NetFlow v9 Data Export 1-4
Historical Analysis 1-4
SNMP v3 Support -- NAM to Router/Switch Support 1-5
Overview of the NAM Platforms 1-5
Logging In 1-6
Navigating the User Interface 1-6
Common Navigation and Control Elements 1-6
Menu Bar 1-6
Detailed Views 1-7
Context Menus 1-8
Quick Capture 1-8
Interactive Report 1-9
Chart View / Grid View 1-9
Mouse-Over for Details 1-10
Zoom/Pan Charts 1-10
Sort Grid 1-11
Bytes / Packets 1-11
Statistics 1-11
Context-Sensitive Online Help 1-12
OL-22617-01
Understanding How the NAM Works 1-12
Understanding How the NAM Uses SPAN 1-14
Understanding How the NAM Uses VACLs 1-14
Understanding How the NAM Uses NDE 1-15
Understanding How the NAM Uses WAAS 1-16
Configuration Overview 1-17
Configuring and Viewing Data 1-19
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
iii
Contents
Cisco WAAS NAM Virtual Service Blade 1-20
CHAPTER
2 Setting Up The NAM Traffic Analyzer 2-1
Default Functions 2-1
Traffic Analysis 2-1
Application Response Time Metrics 2-2
Voice Signaling/RTP Stream Monitoring 2-2
Traffic Usage Statistics 2-3
Traffic 2-3
SPAN 2-3
About SPAN Sessions 2-3
Creating a SPAN Session 2-6
Editing a SPAN Session 2-8
Deleting a SPAN Session 2-9
Data Sources 2-9
SPAN 2-10
ERSPAN 2-10
VACL 2-17
NetFlow 2-18
WAAS 2-29
Understanding WAAS 2-29
Response Time Monitoring from WAAS Data Sources 2-30
Managing WAAS Devices 2-32
Adding Data Sources for New WAAS Device 2-33
Editing WAAS Data Sources 2-34
Deleting a WAAS Data Source 2-34
Auto Create of New WAAS Devices 2-35
Hardware Deduplication 2-35
iv
Alarms 2-36
Alarm Actions 2-36
Alarm Action Configuration 2-37
Editing Alarm Actions 2-38
Deleting Alarm Actions 2-38
Thresholds 2-39
Setting Host Thresholds 2-40
Setting Conversation Thresholds 2-41
Setting Application Thresholds 2-42
Setting Response Time Thresholds 2-43
Setting DSCP Thresholds 2-44
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Setting RTP Stream Thresholds 2-45
Setting Voice Signaling Thresholds 2-46
Setting NDE Interface Thresholds 2-47
Editing an Alarm Threshold 2-48
Deleting a NAM Threshold 2-48
User Scenario 2-49
Data Export 2-49
NetFlow 2-49
Viewing Configured NetFlow Exports 2-50
Configuring NetFlow Data Export 2-51
Editing NetFlow Data Export 2-53
Scheduled Exports 2-53
Editing a Scheduled Export 2-54
Deleting a Scheduled Export 2-54
Custom Export 2-55
Contents
Managed Device 2-55
Device Information 2-55
NBAR Protocol Discovery 2-57
Network 2-58
Sites 2-58
Definition Rules 2-59
Viewing Defined Sites 2-60
Defining a Site 2-61
Editing a Site 2-63
NDE Interface Capacity 2-63
Creating an NDE Interface 2-63
DSCP Groups 2-64
Creating a DSCP Group 2-64
Editing a DSCP Group 2-66
Deleting a DSCP Group 2-66
Classification 2-66
Applications 2-67
Creating a New Application 2-68
Editing an Application 2-69
Deleting a Protocol 2-70
Application Groups 2-70
Creating an Application Group 2-70
Editing an Application Group 2-70
Deleting an Application Group 2-70
OL-22617-01
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
v
Contents
URL-based Applications 2-71
Example 2-72
Editing a URL-Based Application 2-73
Deleting a URL-based Application 2-73
Encapsulations 2-73
Monitoring 2-74
Aggregation Intervals 2-74
Response Time 2-76
Voice 2-76
RTP Filter 2-78
URL 2-78
Enabling a URL Collection 2-78
Changing a URL Collection 2-80
Disabling a URL Collection 2-80
WAAS Monitored Servers 2-80
Adding a WAAS Monitored Server 2-81
Deleting a WAAS Monitored Server 2-81
CHAPTER
3 Monitoring and Analysis 3-1
Navigation 3-2
Context Menus 3-2
Interactive Report 3-2
Saving Filter Parameters 3-3
Traffic Summary 3-4
Response Time Summary 3-5
Site Summary 3-6
Alarm Summary 3-6
Analyzing Traffic 3-8
Application 3-9
Hosts Detail 3-9
Host 3-10
Applications Detail 3-10
NDE Interface Traffic Analysis 3-11
Viewing Interface Details 3-12
DSCP Detail 3-12
DSCP 3-12
Application Groups Detail 3-13
URL Hits 3-14
Viewing Collected URLs 3-14
vi
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Filtering a URL Collection List 3-14
Host Conversations 3-15
Network Conversation 3-15
Top Application Traffic 3-15
Application Traffic By Host 3-17
WAN Optimization 3-17
Top Talkers Detail 3-17
Application Performance Analysis 3-18
Transaction Time (Client Experience) 3-18
Traffic Volume and Compression Ratio 3-18
Average Concurrent Connections (Optimized vs. Passthru) 3-18
Multi-Segment Network Time (Client LAN - WAN - Server LAN) 3-18
Conversation Multi-Segments 3-18
Response Time 3-19
Application Response Time 3-22
Network Response Time 3-22
Server Response Time 3-23
Client Response Time 3-23
Client-Server Response Time 3-23
Server Application Responses 3-23
Server Application Transactions 3-24
Server Network Responses 3-25
Client-Server Application Responses 3-26
Client-Server Application Transactions 3-27
Client-Server Network Responses 3-28
Contents
OL-22617-01
Managed Device 3-29
Interface 3-30
Interfaces Stats Table 3-30
Interface Statistics Over Time 3-31
Health 3-31
Switch Health 3-31
Router Health 3-35
NBAR 3-37
Media 3-37
RTP Streams 3-38
Purpose 3-38
Monitoring RTP Streams 3-39
Voice Call Statistics 3-39
Calls Table 3-40
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
vii
Contents
RTP Conversation 3-42
CHAPTER
4 Capturing and Decoding Packet Data 4-1
Sessions 4-2
Viewing Capture Sessions 4-3
Configuring Capture Sessions 4-4
Software Filters 4-7
Creating a Software Filter 4-8
Editing a Software Capture Filter 4-11
Hardware Assisted Filters 4-12
Configuring a Hardware Filter 4-12
Files 4-15
Analyzing Capture Files 4-17
Error Scan 4-17
Downloading Capture Files 4-18
Deleting a Capture File 4-19
Deleting Multiple Files 4-19
Viewing Packet Decode Information 4-20
Browsing Packets in the Packet Decoder 4-21
Filtering Packets Displayed in the Packet Decoder 4-21
Viewing Detailed Protocol Decode Information 4-22
Using Alarm-Triggered Captures 4-23
Custom Display Filters 4-23
Creating Custom Display Filters 4-23
Editing Custom Display Filters 4-26
Deleting Custom Display Filters 4-27
CHAPTER
viii
5 User and System Administration 5-1
System Administration 5-1
Resources 5-2
Network Parameters 5-2
SNMP Agent 5-3
Working with NAM Community Strings 5-4
System Time 5-5
Synchronizing the NAM System Time with the Switch or Router 5-6
Synchronizing the NAM System Time Locally 5-6
Configuring the NAM System Time with an NTP Server 5-7
E-Mail Setting 5-7
Web Data Publication 5-8
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Capture Data Storage 5-8
Creating NFS Storage Locations 5-9
Editing NFS Storage Locations 5-10
Creating iSCSI Storage Locations 5-11
Editing iSCSI Storage Locations 5-11
Syslog Setting 5-12
SNMP Trap Setting 5-12
Creating a NAM Trap Destination 5-12
Editing a NAM Trap Destination 5-13
Deleting a NAM Trap Destination 5-13
Preferences 5-13
Diagnostics 5-14
System Alerts 5-14
Audit Trail 5-14
Tech Support 5-15
Contents
CHAPTER
User Administration 5-16
Local Database 5-16
Recovering Passwords 5-16
Changing Predefined NAM User Accounts on the Switch or Router 5-17
Creating a New User 5-17
Editing a User 5-18
Deleting a User 5-18
Establishing TACACS+ Authentication and Authorization 5-19
Configuring a TACACS+ Server to Support NAM Authentication and Authorization 5-20
Configuring a Cisco ACS TACACS+ Server 5-20
Current User Sessions 5-22
6 NAM Traffic Analyzer 5.0 Usage Scenarios 6-1
Deployment 6-2
Deploying NAMs in the Branch 6-2
Deploying NAMs for Voice/Video applications 6-2
Deploying NAMs for WAN Optimization 6-2
Deploying Multi-NAM Consolidation 6-2
Autodiscovery Capabilities of NAM 6-3
Creating Custom Applications 6-3
Utilizing Sites to Create a Geographically Familiar Deployment 6-3
Integrating NAM with Third Party Reporting Tools 6-3
Integrating NAM with LMS 6-4
OL-22617-01
Monitoring 6-4
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
ix
Contents
Understanding Traffic Patterns at the Network Layer 6-4
Understanding Traffic patterns for DiffServ-Enabled Networks 6-4
Using NAM to Evaluate Application-Level Performance Monitoring for TCP-Interactive
Applications 6-4
Using NAM to Evaluate Application-Level Performance Monitoring for UDP Realtime
Applications 6-5
Using NAM to Evaluate Potential Impact of WAN Optimization Prior to Deployment 6-5
Troubleshooting 6-5
Using NAM for Problem Isolation 6-5
Using NAM for SmartGrid Visibility 6-6
APPENDIX
APPENDIX
A Troubleshooting A-1
General NAM Issues A-1
Error Messages A-2
Packet Drops A-2
NAM Not Responding A-2
NAM Behavior A-3
WAAS Troubleshooting A-3
B Supported MIB Objects B-1
Supported MIBs B-1
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
x
OL-22617-01
About This Guide
This guide describes how to use Cisco Network Analysis Module Traffic Analyzer 5.0 (NAM 5.0)
software. This preface has the following sections:
• Chapter Overview, page xi
• Audience, page xii
• Conventions, page xii
• Notices, page xii
• Obtaining Documentation and Submitting a Service Request, page xiii
For a list of the platforms that Cisco NAM 5.0 supports, see Overview of the NAM Platforms, page 1-5.
Chapter Overview
This guide contains the following chapters:
• Chapter 1, “Overview” provides an overview of the NAM Traffic Analyzer, discusses new features
in this release, describes the new GUI, and provides information about how to use various
components of the NAM Traffic Analyzer.
OL-22617-01
• Chapter 2, “Setting Up The NAM Traffic Analyzer,” provides information about the first steps users
should take after booting up the NAM and setting up the NAM Traffic Analyzer applications.
• Chapter 3, “Monitoring and Analysis” provides information about options for viewing and
monitoring various types data.
• Chapter 4, “Capturing and Decoding Packet Data” provides information about setting up multiple
sessions for capturing, filtering, and decoding packet data, managing the data in a file control
system, and displaying the contents of the packets.
• Chapter 5, “User and System Administration” provides information about performing user and
system administration tasks and generating diagnostic information for obtaining technical
assistance.
• Chapter 6, “NAM Traffic Analyzer 5.0 Usage Scenarios” provides scenarios for NAM deployment
and the details you may need to know about them.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
xi
Audience
This guide is designed for network administrators who are responsible for setting up and configuring
Network Analysis Modules (NAMs) to monitor traffic and diagnose emerging problems on network
segments. As a network administrator, you should be familiar with:
• Basic concepts and terminology used in internetworking.
• Network topology and protocols.
• Basic UNIX commands or basic Windows operations.
Conventions
This document uses the following conventions:
Item Convention
Commands and keywords boldface font
Variables for which you supply values italic font
Displayed session and system information
Information you enter
Variables you enter
Menu items and button names boldface font
Selecting a menu item in paragraphs Option > Network Preferences
Selecting a menu item in tables Option > Network Preferences
screen font
boldface screen font
italic screen font
About This Guide
Caution Means reader be careful. In this situation, you might do something that could result in equipment
Notices
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
xii
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
damage or loss of data.
The Third Party and Open Source Copyright Notices for the Cisco Network Analysis Module, Release
5.0 contains the licenses and notices for open source software used in NAM Traffic Analyzer 5.0. NAM
5.0 includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(
http://www.openssl.org/). This document is available on www.cisco.com with the NAM Traffic
Analyzer technical documentation.
OL-22617-01
About This Guide
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s
revised Cisco
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS
technical documentation, at:
New in Cisco Product Documentation, which also lists all new and
Ve r si o n 2.0.
OL-22617-01
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
xiii
About This Guide
xiv
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
CHAP T ER
1
Overview
This chapter provides information about the Cisco Network Analysis Module Traffic Analyzer,
Release
This chapter contains the following sections:
• Introducing NAM Traffic Analyzer 5.0, page 1-1
• Overview of the NAM Platforms, page 1-5
• Logging In, page 1-6
5.0 and describes the new features and how to navigate the interface.
–
Dashboards, page 1-2
–
Logical Site, page 1-2
–
New Application Classification Architecture, page 1-3
–
Standards-Based NBI, page 1-3
–
NetFlow v9 Data Export, page 1-4
–
Historical Analysis, page 1-4
–
SNMP v3 Support -- NAM to Router/Switch Support, page 1-5
• Navigating the User Interface, page 1-6
• Understanding How the NAM Works, page 1-12
–
Understanding How the NAM Uses SPAN, page 1-14
–
Understanding How the NAM Uses VACLs, page 1-14
–
Understanding How the NAM Uses NDE, page 1-15
–
Understanding How the NAM Uses WAAS, page 1-16
• Configuration Overview, page 1-17
Introducing NAM Traffic Analyzer 5.0
The Cisco Network Analysis Module (NAM) Traffic Analyzer software enables network managers to
understand, manage, and improve how applications and services are delivered to end users.
The NAM combines flow-based and packet-based analysis into one solution. The NAM can be used for
traffic analysis of applications, hosts, and conversations, performance-based measurements on
application, server, and network latency, quality of experience metrics for network-based services such
as Voice over IP (VoIP) and video, and problem analysis using deep, insightful packet captures. The
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
1-1
Introducing NAM Traffic Analyzer 5.0
Cisco NAM includes an embedded, web-based Traffic Analyzer GUI that provides quick access to the
configuration menus and presents easy-to-read performance monitoring and analysis on web, voice, and
video traffic.
Dashboards
The Cisco NAM Traffic Analyzer, Release 5.0 introduces a redesigned interface and user experience,
with more intuitive workflows and interactive reporting capabilities. The dashboard-style layouts show
multiple charts in one window, thereby giving you the ability to view a lot of information at once.
There are two types of dashboards in NAM 5.0: One type is the “summary” views found under the
Monitor menu, and the other type is the “over time” views found under the Analyze menu. The Monitor
dashboards allow you to view network traffic, application performance, site performance, and alarms at
a glance. From there, you can isolate one area, for example an application with response time issues, and
then drill-down to the Analyze dashboard for further investigation.
Figure 1-1 shows an example of one of the Monitoring dashboards in the NAM 5.0 release.
Figure 1-1 Dashboard in NAM 5.0
Chapter 1 Overview
Logical Site
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-2
The Analyze dashboards allow you to zoom or pan to reselect the range. As you change the range, the
related graphs at the bottom will update.
The dashboards can be extracted as a PNG. You can also create a Scheduled Export to have the
dashboards extracted regularly and sent to you in CSV or HTML format (see
page 2-53).
Cisco NAM Traffic Analyzer 5.0 introduces the capability for users to define a site, with which you can
aggregate and organize performance statistics. A site is a collection of hosts (network endpoints)
partitioned into views that help you monitor traffic and troubleshoot problems. A site can be defined as
Scheduled Exports,
OL-22617-01
Chapter 1 Overview
Introducing NAM Traffic Analyzer 5.0
a set of subnets specified by an address prefix and mask, or using other criteria such as a remote device
data source (for example, remote WAE device and segment information). If you want to limit the view
of your network analysis data to a specific city, a specific building, or even a specific floor of a building,
you can use the sites function.
You can also include multiple types of data sources in the site definition, and you can then get an
aggregated view of all network traffic.
The pre-defined “Unassigned Site” makes it easy to bring up a NAM without having to configure
user-defined sites. Hosts that do not belong to any user-defined site will automatically belong to the
Unassigned Site.
Figure 1-2 shows an example of how a network may be configured using sites.
Figure 1-2 Site Level Aggregation
San Jose
Campus
San Jose
Site San
Jose
NAM
Site New
Yo r k
Netflow
New York
NYC
Building 1
Datacenter
San Jose
For information about defining and editing a site, see Sites, page 2-58.
New Application Classification Architecture
In previous releases of NAM, the RMON-2 protocol directory infrastructure was used to identify
applications and network protocols. In NAM Traffic Analyzer Release 5.0, the application classification
scheme is changed to align with the methodology used by Cisco with technologies such as NBAR
(Network-Based Application Recognition) and SCL. It also accepts standardized application identifiers
exported by Cisco platforms with NDE (NetFlow Data Export).
This allows you to gain application visibility with consistent and unique application identifiers across
the network. For example, you can view applications using a global unique identifier, as compared with
multiple classification engines using different applications identifiers.
For information about set up, see Classification, page 2-66.
Standards-Based NBI
FX
NYC
Building 2
197645
OL-22617-01
NBI (Northbound Interface), also referred to as API (Application Programming Interface) enables
partners and customers to provision the NAM and extract performance data. Previous releases of NAM
were limited to SNMP s, and direct-URL knowledge for access to some data, including the method by
which CSV-formatted data is retrieved.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-3
Introducing NAM Traffic Analyzer 5.0
With NAM 5.0, the NBI is expanded to include a Representational State Transfer (REST) web service
for configuration, and retrieval of data pertaining to sites. Also introduced is the capability to export
high-volume performance data in the form of Netflow v9 (see the next section,
Export”).
Note REST does not support retrieval of performance data for sites.
REST is a set of guidelines for doing web services over HTTP. It takes advantage of the HTTP method
(GET, POST, UPDATE, DELETE) as part of the request.
The REST request/response messages using the REST web service will contain XML data in the body
content of the HTTP request. An XML schema will describe the message content format. All REST
request/response messages are handled in XML format. Then the REST web service consumer can use
any HTTP client to communitate with the REST server. To use the REST web service via HTTPS, the
NAM crypto patch needs to be installed on the NAM.
The NBI web service will provide an external API interface for provisioning and retrieving performance
data. For application developers who want to use the NAM APIs to provision network services and
leverage data, see the Cisco Network Analysis Module 5.0 API Programmer’s Guide. The developers
who use the APIs should have an understanding of a high-level programming language such as Java or
an equivalent.
Chapter 1 Overview
“NetFlow v9 Data
NetFlow v9 Data Export
The NAM uses NetFlow as a format for the ongoing streaming of aggregated data, based on the
configured set of descriptors or queries of the data attributes in NAM. The NAM as a producer of NDE
(NetFlow Data Export) packets is a new feature for NAM Traffic Analyzer 5.0. The NAM's new
functionality of NDE is part of its new NBI.
NetFlow collects traffic statistics by monitoring packets that flow through the device and storing the
statistics in the NetFlow table. NDE converts the NetFlow table statistics into records, and exports the
records to an external device, which is called a NetFlow collector.
The NDE Descriptor is a permanent definition of the NAM aggregated data query of aggregated NAM
data, which must be exported to designated destinations across the network using the industry-wide
standard of NetFlow v9 instead of the standard UDP transport.
The NDE Descriptor defines the data query that remains in effect as long as the NDE descriptor exists
in NAM’s permanent storage. Having it instantiated means that the NAM will be exporting the matching
aggregated data records continuously (in a specified frequency) until the NDE descriptor is deleted or
updated.
For information about set up, see Data Export, NetFlow, page 2-49.
Historical Analysis
Unlike previous versions of the NAM, in which you have to configure targeted historical reports in
advance, the NAM Traffic Analyzer 5.0 stores short-term and long-term data that you can view using the
new dashboards.
The NAM proactively collects and stores up to 72 hours of data at a granularity of 1, 5, or 10 minute
intervals, and longer-term data with a granularity of 1 to 2 hours, This allows you to specify different
time periods to view trends over time and identify potential problems.
1-4
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Chapter 1 Overview
SNMP v3 Support -- NAM to Router/Switch Support
Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based
protocol for network management. The security features provided in SNMPv3 are:
• Message integrity—Ensuring that a packet has not been tampered with in-transit.
• Authentication—Determining the message is from a valid source.
• Encryption—Scrambling the contents of a packet prevent it from being seen by an unauthorized
source.
With NAM 5.0, you have the ability to manage devices with SNMPv3.
Note For the WS-SVC-NAM-1 and WS-SVC-NAM-2 platforms, SNMPv3 is not required. SNMP requests
and responses are communicated over an internal interface within the chassis, and SNMPv3 is not used.
Overview of the NAM Platforms
Overview of the NAM Platforms
The following models differ in memory, performance, disk size, and other capabilities. Therefore, some
allow for more features and capabilities (for example, the amount of memory allocated for capture).
Throughout this User Guide, there will be Notes explaining that some features apply only to specific
platforms. If there is no Note, then that feature or aspect applies to all NAM platforms.
NAM 5.0 software supports the following NAM models (SKU):
• Cisco NAM 2204 Appliances
–
NAM2204-RJ45
–
NAM2204-SFP
• Cisco NAM 2220 Appliance
–
NAM2220
• Cisco 6500 Series Switches and Cisco 7600 Series Routers
–
WS-SVC-NAM-1
–
WS-SVC-NAM-1-250S
–
WS-SVC-NAM-2
–
WS-SVC-NAM-2-250S
• Cisco Branch Routers
–
NME-NAM-80S
–
NME-NAM-120S
OL-22617-01
NAM 5.0 virtual blade software also supports the following virtual blade:
• Cisco WAAS NAM Virtual Service Blade
Note The Cisco Nexus 1010 Virtual Services Appliance is not supported with NAM Traffic Analyzer
Release
5.0. The suggested upgrade path for Nexus 1010 NAM 4.2 users is from NAM 4.2 to 4.2.1N,
and then to NAM 5.1 (when available).
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-5
Logging In
Logging In
Chapter 1 Overview
Log into the NAM by using the username and password that the NAM installer provided you, and click
the Login button. If you are having problems logging in:
• Make sure you are using a browser that is currently supported for use with NAM 5.0:
English Firefox 3.6+ or Microsoft Internet Explorer 8+ (Microsoft Internet Explorer 7 is not
supported)
• Make sure you are using a platform that is currently supported for use with NAM 5.0:
Microsoft Windows XP or Microsoft Windows 7. The Macintosh platform is not supported on this
release.
• Make sure you have JavaScript enabled.
• Clear the browser cache and restart the browser (not necessarily if installing NAM for the first time).
• Make sure cookies are enabled in your browser.
• If you see the following message: “Initializing database. Please wait until initialization process
finishes,” you must wait until the process finishes.
• Make sure you had accepted the license agreement (WAAS VSB users only) and that the license has
not expired
To view the full documentation set (including the User Guide and Release Notes) for the Cisco NAM
Traffic Analyzer 5.0, go to the NAM Technical Documentation area on Cisco.com:
http://www.cisco.com/en/US/products/sw/cscowork/ps5401/
tsd_products_support_series_home.html
Navigating the User Interface
NAM 5.0 introduces a redesigned interface and user experience, with more intuitive workflows and
improved operational efficiency. This section describes the improved navigation and control elements in
the user interface.
Note All times in the Traffic Analyzer are typically displayed in 24-hour clock format. For example, 3:00 p.m.
is displayed as 15:00.
Common Navigation and Control Elements
Menu Bar
To perform the NAM functions, use the menu bar.
1-6
The selections enable you to perform the necessary tasks:
Home: Brings you to the Traffic Summary Dashboard (Monitor > Overview > Traffic Summary).
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Chapter 1 Overview
Detailed Views
Navigating the User Interface
Monitor: See “summary” views that allow you to view network traffic, application performance, site
performance, and alarms at a glance.
Analyze: See various “over-time” views for traffic, WAN optimization, response time, managed device,
and media functions.
Capture: Configure multiple sessions for capturing, filtering, and decoding packet data, manage the data
in a file control system, and display the contents of the packets.
Setup: Perform all setup needed to run Cisco NAM Traffic Analyzer 5.0.
Administration: Perform user and system administration tasks, and generate diagnostic information for
obtaining technical assistance.
Under some topics in the mega-menu, the last selection is “Detailed Views.” Click the small arrow to the
right of the menu selections to see the sub-menu and the functions available.
OL-22617-01
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-7
Navigating the User Interface
Context Menus
Chapter 1 Overview
On most charts that appear on the dashboards, you can left-click on a colored bar of data to get a context
menu, with which you can get more detailed information about that item.
Quick Capture
Note Quick Capture does not use site definition/filter.
The example above is from the Traffic Summary Dashboard, Top N Applications chart. The description
to the right of “Selected Application” in the menu shows what item you had clicked on (in this case,
“snmp”).
The menu items above the separator line are specific to the selected element of the Top N chart. The
items below the separator line are not specific to the selected element, but apply to the Top N chart.
From the Context menu of many of the bar charts that show Applications or Hosts or VLANs. you can
start a Capture.
For example, when you click on an Application in a barchart (as in the screenshot above) and choose
Capture, the following is done automatically:
• A memory-based capture session is created
• A software filter is created using that application
• The capture session is started
• The decode window pops open and you can immediately see packets being captured.
1-8
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Chapter 1 Overview
Interactive Report
Navigating the User Interface
On most Monitoring and Analyze screens, you can use the Interactive Report on the left side of the
screen to view and change the parameters of the information displayed in the charts. You can redefine
the parameters by clicking the Filter button on the left side of the Interactive Report.
The reporting time interval selection changes depending upon the dashboard you are viewing, and the
NAM platform you are using. The NAM supports up to five saved Interactive Reports.
Chart View / Grid View
Most of the data presented by the NAM can be viewed as either a Chart or a Grid. The Chart view
presents an overview of the data in an integrated manner, and can show you trending information. The
Grid view can be used to see more precise data. For example, to get the exact value of data in graphical
view, you would need to hover over a data point in the Chart to get the data, whereas the same data is
easily visible in table format using Grid view. To toggle between the two views, use the Chart and Grid
icons at the bottom of the panel:
Next to that icon is the “Show as Image” icon, with which you save the chart you are viewing as a PNG
file.
OL-22617-01
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-9
Navigating the User Interface
Mouse-Over for Details
When in Chart view, you can mouseover the chart to get more detailed information about what occurred
at a specific time.
Many of the line charts in NAM are “dual-axis,” meaning there is one metric shown on the left axis of
the chart and another metric shown on the right axis of the chart.
For example, in the figure above, Total Bytes per second is shown on the left axis, and Total Packets per
second is shown on the right axis.
Chapter 1 Overview
Zoom/Pan Charts
Note In a bar chart which you can zoom/pan, each block represents data collected during the previous interval
For many charts, you can drag the beginning or end to change the time interval, as shown below.
The time interval change on the zoom/pan chart will affect the data presented in the charts in the bottom
of the window. The zoom/pan time interval also affects the drill-down navigations; if the zoom/pan
interval is modified, the context menu drill-downs from that dashboard will use the zoom/pan time
interval.
(the time stamp displayed at the bottom of each block is the end of the time range). Therefore, you may
have to drag the zoom/pan one block further than expected to get the desired data to populate in the charts
in the bottom of the window.
1-10
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Chapter 1 Overview
Sort Grid
Bytes / Packets
Navigating the User Interface
When looking at information in Grid view, you can sort the information by clicking the heading of any
column. Click it again to sort in reverse order.
On most Analyze charts, you can use the “Bytes” and “Packets” check boxes at the top to specify which
information you would like the chart to display.
Statistics
OL-22617-01
The Statistics legend gives you the minimum, maximum, and average statistics of the data. This will
display the initial data retrieved for the selector.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-11
Understanding How the NAM Works
Above the Statistics legend is a dropdown selector, which allows you to choose which of the metrics
shown in the “over-time” chart you would like reflected in the Statistics legend. For example, if the line
chart has Bytes or Packets in the check boxes above the line chart, the selector over the Statistics legend
will show the same choices, Bytes or Packets.
Chapter 1 Overview
Context-Sensitive Online Help
The “Help” link on the top-right corner of the NAM Traffic Analyzer interface will bring you to the Help
page for that particular screen of the GUI..
In addition to the Help link on the top-right corner of each page, some pages also have a blue “i”, which
provides help for that specific subject.
Understanding How the NAM Works
The Network Analysis Module (NAM) product family addresses the following major functional areas:
• Network layer Traffic Analysis. The NAM provides comprehensive traffic analysis to identify what
applications are running over the network, how much network resources are consumed, and who is
using these applications. The NAM offers a rich set of reports with which to view traffic by Hosts,
Application or Conversations. See the discussions about Dashboards, starting with
page 3-4.
• Application Response Time. The NAM can provide passive measurement of TCP-based applications
for any given server or client, supplying a wide variety of statistics like response time, network flight
time, and transaction time.
• WAN Optimization insight. The NAM can provide insight into WAN Optimization offerings that
compress and optimize WAN Traffic for pre- and post-deployment scenarios. This is applicable for
Optimized and Passthru traffic.
• Voice Quality Analysis. The NAM provides application performance for real time applications like
Voice and Video. The NAM can compute MOS, as well as provide RTP analysis for the media
stream. See
Media, page 3-37.
Traffic Summary,
1-12
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Chapter 1 Overview
Understanding How the NAM Works
• Advanced Troubleshooting. The NAM provides robust capture and decode capabilities for packet
traces that can be triggered or terminated based on user-defined thresholds.
• Open instrumentation. The NAM is a mediation and instrumentation product offering, and hence
provides a robust API that can be used by partner products as well as customers that have home
grown applications. See the Cisco NAM 5.0 API Programmer’s Guide.
The NAM delivers the above functionality by analyzing a wide variety of data sources that include:
• Port mirroring technology like SPAN and RSPAN/ERSPAN. The NAM can analyze Ethernet VLAN
traffic from the following sources: Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast
EtherChannel SPAN, RSPAN, or ERSPAN source port
• VA C L
• NetFlow Data Export (NDE). The NAM can analyze NetFlow Data Export (NDE) from Managed
Devices (Routers/Switches)
• WAAS
• SNMP
• Network Tap Device. Applies to Cisco NAM 2200 Series appliances only.
The NAM Traffic Analyzer 5.0 retains the ability to use SNMP as a southbound interface for
configuration and data retrieval from switches and routers. NAM 5.0 moves away from RMON and
toward web services and Netflow Data Export as the northbound interface for data objects. NAM 5.0 will
continue to support baseline manageability features of SNMP such as MIB-2 and IF-TABLE, and the
health status and interface statistics that can be used by external products like Fault and Configuration
Management offerings (for example, CiscoWorks LMS).
For more information about SPAN, RSPAN, and ERSPAN, see the "Configuring Local SPAN, RSPAN,
and ERSPAN" chapter in the Catalyst 6500 Series Switch Software Configuration Guide.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/
configuration/guide/span.html
For more general information about NDE, see this section in the Cisco 7600 Series Cisco IOS Software
Configuration Guide, 12.2SX.
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/
configuration/guide/nde.html
Table 1-1 summarizes the traffic sources that are used for NAM monitoring.
Ta b l e 1-1 Summary of Traffic Sources for NAM Monitoring
Traffic Source LAN WAN
Ports VLANs Ports VLANs
VACL capture Yes Yes Yes N/A
NetFlow Data Export NDE (local) Yes Yes Yes Yes
NetFlow Data Export NDE (remote) Yes Yes Yes Yes
SPAN Yes Yes No No
ERSPAN Yes Yes No No
The next sections describe how the NAM uses the supported data sources:
• Understanding How the NAM Uses SPAN, page 1-14
• Understanding How the NAM Uses VACLs, page 1-14
OL-22617-01
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-13
Understanding How the NAM Works
• Understanding How the NAM Uses NDE, page 1-15
• Understanding How the NAM Uses WAAS, page 1-16
Understanding How the NAM Uses SPAN
A switched port analyzer (SPAN) session is an association of a destination port with a set of source ports,
configured with parameters that specify the monitored network traffic. You can configure up to two
SPAN sessions in a Catalyst 6500 or 7600 Routers chassis. Newer Cisco IOS images may support more
than two SPAN sessions. Consult the Cisco IOS document for the number of SPAN sessions supported
per switch or router.
The WS-SVC-NAM-1 platform provides a single destination port for SPAN sessions. The
WS-SVC-NAM-2 platform provides two possible destination ports for SPAN and VLAN access control
list (VACL) sessions. Multiple SPAN sessions to the NAM are supported, but they must be destined for
different ports. The NAM destination ports for use by the SPAN graphical user interface (GUI) are
named DATA PORT 1 and DATA PORT 2 by default. In the CLI, SPAN ports are named as shown in
Table 1-2.
Ta b l e 1-2 SPAN Port Names
Chapter 1 Overview
Module Cisco IOS Software
WS-SVC-NAM-1 data port
WS-SVC-NAM-2 data port 1 and data port 2
For more information about SPAN and how to configure it on the Catalyst 6500 series switches, see the
Catalyst 6500 Series Switch Software Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/
guide/span.html
For more information about SPAN and how to configure it on the Cisco 7600 series router, see the Cisco
7600 Series Cisco IOS Software Configuration Guide, 12.2SX:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/span.html
Note Due to potentially very high volume of ERSPAN traffic from the source, we recommend that you do not
terminate the ERSPAN session on the NAM management port. Instead, you should terminate ERSPAN
on the switch, and use the switch’s SPAN feature to SPAN the traffic to NAM data ports.
Understanding How the NAM Uses VACLs
A VLAN access control list can forward traffic from either a WAN interface or VLANs to a data port on
the NAM. A VACL provides an alternative to using SPAN; a VACL can provide access control based on
Layer 3 addresses for IP and IPX protocols. The unsupported protocols are access controlled through the
MAC addresses. A MAC VACL cannot be used to access control IP or IPX addresses.
There are two types of VACLs: one that captures all bridged or routed VLAN packets and another that
captures a selected subset of all bridged or routed VLAN packets. Catalyst operating system VACLs can
only be used to capture VLAN packets because they are initially routed or bridged into the VLAN on
the switch.
1-14
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Chapter 1 Overview
Understanding How the NAM Works
A VACL can provide access control for all packets that are bridged within a VLAN or that are routed
into or out of a VLAN or, with Release 12.1(13)E or later releases, a WAN interface. Unlike regular
Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on
routed packets only, the VACLs apply to all packets and can be applied to any VLAN or WAN interface.
The VACLs are processed in the hardware.
A VACL uses Cisco IOS access control lists (ACLs). A VACL ignores any Cisco IOS ACL fields that
are not supported in the hardware. Standard and extended Cisco IOS ACLs are used to classify packets.
Classified packets can be subject to a number of features, such as access control (security), encryption,
and policy-based routing. Standard and extended Cisco IOS ACLs are only configured on router
interfaces and applied on routed packets.
After a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked
against the VACL. Packets can either enter the VLAN through a switch port or through a router port after
being routed. Unlike Cisco IOS ACLs, the VACLs are not defined by direction (input or output).
A VACL contains an ordered list of access control entries (ACEs). Each ACE contains a number of fields
that are matched against the contents of a packet. Each field can have an associated bit mask to indicate
which bits are relevant. Each ACE is associated with an action that describes what the system should do
with the packet when a match occurs. The action is feature dependent. Catalyst 6500 series switches and
Cisco 7600 series routers support three types of ACEs in the hardware: IP, IPX, and MAC-Layer traffic.
The VACLs that are applied to WAN interfaces support only IP traffic.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against
this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet
coming into the VLAN is first checked against the VACL and, if permitted, is then checked against the
input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it
is first checked against the output ACL applied to the routed interface and, if permitted, the VACL
configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet
of that type does not match the VACL, the default action is deny.
When configuring VACLs, note the following:
• VACLs and context-based access control (CBAC) cannot be configured on the same interface.
• TCP Intercepts and Reflexive ACLs take precedence over a VACL action on the same interface.
• Internet Group Management Protocol (IGMP) packets are not checked against VACLs.
Note You cannot set up VACL using the NAM interface.
For details on how to configure a VACL with Cisco IOS software, see the Catalyst 6500 Release 12.2SXF
and Rebuilds Software Configuration Guide.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/
guide/vacl.html
For details on how to configure a VACL on a WAN interface and on a LAN VLAN, see VACL, page 2-17.
Understanding How the NAM Uses NDE
The NAM uses NetFlow as a format for the ongoing streaming of aggregated data, based on the
configured set of descriptors or queries of the data attributes in NAM. NetFlow Data Export (NDE) is a
remote device that allows you to monitor port traffic on the NAM; the NAM can collect NDE from local
or remote switch or router for traffic analysis.
OL-22617-01
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-15
Understanding How the NAM Works
To use an NDE data source for the NAM, you must configure the remote device to export the NDE
packets. The default UDP port is 3000, but you can configure it from the NAM CLI as follows:
root@nam2x-61.cisco.com# netflow input port ?
<port> - input NDE port number
The distinguishing feature of the NetFlow v9 format, which is the basis for an IETF standard, is that it
is template-based. Templates provide an extensible design to the record format, a feature that must allow
future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record
format.
For more detailed information about NAM and NetFlow, see NetFlow, page 2-18.
For more information on NetFlow, see http://www.cisco.com/go/netflow or the “Configuring NetFlow
Data Export” chapter in the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX.
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/
configuration/guide/nde.html
For specific information about creating and managing NDE queries, see the Cisco Network Analysis
Module 5.0 API Programmer’s Guide.
Chapter 1 Overview
Understanding How the NAM Uses WAAS
Cisco Wide Area Application Services (WAAS) software optimizes the performance of TCP-based
applications operating in a wide area network (WAN) environment and preserves and strengthens branch
security. The WAAS solution consists of a set of devices called Wide Area Application Engines (WAEs)
that work together to optimize WAN traffic over your network.
When client and server applications attempt to communicate with each other, the network devices
intercepts and redirects this traffic to the WAEs to act on behalf of the client application and the
destination server.
WAEs provide information about packet streams traversing through both LAN and WAN interfaces of
WAAS WAEs. Traffic of interest can include specific servers and types of transaction being exported.
NAM processes the data exported from the WAAS and performs application response time and other
metrics calculations and enters the data into reports you set up.
The WAEs examine the traffic and using built-in application policies to determine whether to optimize
the traffic or allow it to pass through your network not optimized.
You can use the WAAS Central Manager GUI to centrally configure and monitor the WAEs and
application policies in your network. You can also use the WAAS Central Manager GUI to create new
application policies so that the WAAS system will optimize custom applications and less common
applications.
For more information about WAAS data sources and managing WAAS devices, see Understanding
WAAS, page 2-29.
1-16
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Loading...