Loading...
Cisco Network Analysis Module
(NAM) Traffic Analyzer User Guide, 5.0
January 2011
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive
San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883
Text Part Number: OL-22617-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco Network Analysis Module (NAM) Traffic Analyzer User Guide, 5.0
© 2011 Cisco Systems, Inc. All rights reserved.
|
|
|
C O N T E N T S |
|
About This Guide |
xi |
|
|
Overview 1-1 |
|
|
C H A P T E R 1 |
|
|
|
|
Introducing NAM Traffic Analyzer 5.0 1-1 |
||
|
Dashboards |
1-2 |
|
|
Logical Site |
1-2 |
|
|
New Application Classification Architecture 1-3 |
||
|
Standards-Based NBI |
1-3 |
|
|
NetFlow v9 Data Export |
1-4 |
|
|
Historical Analysis 1-4 |
|
|
SNMP v3 Support -- NAM to Router/Switch Support 1-5
|
Overview of the NAM Platforms |
1-5 |
|
|
|
|
|
|||
|
Logging In 1-6 |
|
|
|
|
|
|
|
|
|
|
Navigating the User Interface 1-6 |
|
|
|
|
|
||||
|
Common Navigation and Control Elements |
1-6 |
|
|
|
|||||
|
Menu Bar |
1-6 |
|
|
|
|
|
|
|
|
|
Detailed Views |
|
1-7 |
|
|
|
|
|
|
|
|
Context Menus |
|
1-8 |
|
|
|
|
|
|
|
|
Quick Capture |
1-8 |
|
|
|
|
|
|
||
|
Interactive Report |
1-9 |
|
|
|
|
|
|
||
|
Chart View / Grid View |
1-9 |
|
|
|
|
|
|||
|
Mouse-Over for Details |
1-10 |
|
|
|
|
|
|||
|
Zoom/Pan Charts |
1-10 |
|
|
|
|
|
|
||
|
Sort Grid |
1-11 |
|
|
|
|
|
|
|
|
|
Bytes / Packets |
|
1-11 |
|
|
|
|
|
|
|
|
Statistics |
1-11 |
|
|
|
|
|
|
|
|
|
Context-Sensitive Online Help |
1-12 |
|
|
|
|
||||
|
Understanding How the NAM Works |
1-12 |
|
|
|
|
||||
|
Understanding How the NAM Uses SPAN |
1-14 |
|
|
|
|||||
|
Understanding How the NAM Uses VACLs |
1-14 |
|
|
|
|||||
|
Understanding How the NAM Uses NDE |
1-15 |
|
|
|
|||||
|
Understanding How the NAM Uses WAAS |
1-16 |
|
|
|
|||||
|
Configuration Overview |
1-17 |
|
|
|
|
|
|
||
|
Configuring and Viewing Data |
1-19 |
|
|
|
|
||||
|
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|
|
|
||||
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
OL-22617-01 |
|
|
|
|
|
|
|
iii |
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
|
|
|
Cisco WAAS NAM Virtual Service Blade |
1-20 |
|
||||||||
|
|
Setting Up The NAM Traffic Analyzer |
|
|
|
|
|||||||||
C H A P T E R 2 |
|
2-1 |
|
|
|
||||||||||
|
|
|
|
|
Default Functions |
|
2-1 |
|
|
|
|
|
|
||
|
|
|
|
|
Traffic Analysis 2-1 |
|
|
|
|
|
|
||||
|
|
|
|
|
Application Response Time Metrics |
2-2 |
|
|
|||||||
|
|
|
|
|
Voice Signaling/RTP Stream Monitoring |
2-2 |
|
||||||||
|
|
|
|
|
Traffic Usage Statistics 2-3 |
|
|
|
|
|
|||||
|
|
|
|
|
Traffic |
2-3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SPAN |
2-3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
About SPAN Sessions |
2-3 |
|
|
|
|
||||
|
|
|
|
|
|
Creating a SPAN Session |
2-6 |
|
|
|
|||||
|
|
|
|
|
|
Editing a SPAN Session |
2-8 |
|
|
|
|
||||
|
|
|
|
|
|
Deleting a SPAN Session |
2-9 |
|
|
|
|||||
|
|
|
|
|
Data Sources |
2-9 |
|
|
|
|
|
|
|||
|
|
|
|
|
|
SPAN |
2-10 |
|
|
|
|
|
|
||
|
|
|
|
|
|
ERSPAN |
|
2-10 |
|
|
|
|
|
|
|
|
|
|
|
|
|
VACL |
2-17 |
|
|
|
|
|
|
||
|
|
|
|
|
|
NetFlow |
|
2-18 |
|
|
|
|
|
|
|
|
|
|
|
|
WAAS |
2-29 |
|
|
|
|
|
|
|
||
|
|
|
|
|
|
Understanding WAAS |
2-29 |
|
|
|
|
||||
|
|
|
|
|
|
Response Time Monitoring from WAAS Data Sources 2-30 |
|||||||||
|
|
|
|
|
|
Managing WAAS Devices |
2-32 |
|
|
|
|||||
|
|
|
|
|
|
Adding Data Sources for New WAAS Device 2-33 |
|||||||||
|
|
|
|
|
|
Editing WAAS Data Sources |
2-34 |
|
|
||||||
|
|
|
|
|
|
Deleting a WAAS Data Source |
2-34 |
|
|
||||||
|
|
|
|
|
|
Auto Create of New WAAS Devices |
2-35 |
|
|||||||
|
|
|
|
|
Hardware Deduplication |
2-35 |
|
|
|
|
|||||
|
|
|
|
|
Alarms |
2-36 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Alarm Actions |
2-36 |
|
|
|
|
|
|
|||
|
|
|
|
|
|
Alarm Action Configuration |
2-37 |
|
|
||||||
|
|
|
|
|
|
Editing Alarm Actions |
2-38 |
|
|
|
|
||||
|
|
|
|
|
|
Deleting Alarm Actions |
2-38 |
|
|
|
|
||||
|
|
|
|
|
Thresholds |
|
2-39 |
|
|
|
|
|
|
||
|
|
|
|
|
|
Setting Host Thresholds |
2-40 |
|
|
|
|||||
|
|
|
|
|
|
Setting Conversation Thresholds |
2-41 |
|
|||||||
|
|
|
|
|
|
Setting Application Thresholds |
2-42 |
|
|
||||||
|
|
|
|
|
|
Setting Response Time Thresholds |
2-43 |
|
|||||||
|
|
|
|
|
|
Setting DSCP Thresholds |
2-44 |
|
|
|
|||||
|
|
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|||||||||||
|
|
|
|
||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
iv |
|
|
|
|
|
|
|
|
|
|
|
|
OL-22617-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
Setting RTP Stream Thresholds |
2-45 |
|
|
|
|
|||||||
|
Setting Voice Signaling Thresholds |
2-46 |
|
|
|
||||||||
|
Setting NDE Interface Thresholds 2-47 |
||||||||||||
|
Editing an Alarm Threshold |
2-48 |
|
|
|
|
|||||||
|
Deleting a NAM Threshold |
2-48 |
|
|
|
|
|||||||
|
User Scenario |
2-49 |
|
|
|
|
|
|
|
|
|
||
|
Data Export |
|
2-49 |
|
|
|
|
|
|
|
|
|
|
|
NetFlow |
2-49 |
|
|
|
|
|
|
|
|
|
|
|
|
Viewing Configured NetFlow Exports |
2-50 |
|
|
|
||||||||
|
Configuring NetFlow Data Export |
2-51 |
|
|
|
||||||||
|
Editing NetFlow Data Export |
2-53 |
|
|
|
|
|||||||
|
Scheduled Exports |
2-53 |
|
|
|
|
|
|
|
|
|||
|
Editing a Scheduled Export |
2-54 |
|
|
|
|
|||||||
|
Deleting a Scheduled Export |
2-54 |
|
|
|
|
|||||||
|
Custom Export |
2-55 |
|
|
|
|
|
|
|
|
|||
|
Managed Device |
2-55 |
|
|
|
|
|
|
|
|
|
||
|
Device Information |
2-55 |
|
|
|
|
|
|
|
|
|||
|
NBAR Protocol Discovery |
|
2-57 |
|
|
|
|
|
|
||||
|
Network |
2-58 |
|
|
|
|
|
|
|
|
|
|
|
|
Sites |
2-58 |
|
|
|
|
|
|
|
|
|
|
|
|
Definition Rules |
2-59 |
|
|
|
|
|
|
|
||||
|
Viewing Defined Sites |
2-60 |
|
|
|
|
|
|
|||||
|
Defining a Site |
2-61 |
|
|
|
|
|
|
|
|
|||
|
Editing a Site |
2-63 |
|
|
|
|
|
|
|
|
|||
|
NDE Interface Capacity |
2-63 |
|
|
|
|
|
|
|||||
|
Creating an NDE Interface |
2-63 |
|
|
|
|
|
||||||
|
DSCP Groups |
2-64 |
|
|
|
|
|
|
|
|
|
||
|
Creating a DSCP Group |
2-64 |
|
|
|
|
|
||||||
|
Editing a DSCP Group |
|
2-66 |
|
|
|
|
|
|
||||
|
Deleting a DSCP Group |
2-66 |
|
|
|
|
|
||||||
|
Classification |
2-66 |
|
|
|
|
|
|
|
|
|
||
|
Applications |
2-67 |
|
|
|
|
|
|
|
|
|
||
|
Creating a New Application |
2-68 |
|
|
|
|
|||||||
|
Editing an Application |
2-69 |
|
|
|
|
|
|
|||||
|
Deleting a Protocol |
2-70 |
|
|
|
|
|
|
|||||
|
Application Groups |
2-70 |
|
|
|
|
|
|
|
|
|||
|
Creating an Application Group |
2-70 |
|
|
|
|
|||||||
|
Editing an Application Group |
2-70 |
|
|
|
|
|||||||
|
Deleting an Application Group |
2-70 |
|
|
|
|
|||||||
|
|
|
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|
|
|
|||||
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
OL-22617-01 |
|
|
|
|
|
|
|
|
|
|
v |
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
|
|
|
URL-based Applications |
2-71 |
|
|
|
||||
|
|
|
|
|
Example |
2-72 |
|
|
|
|
|||
|
|
|
|
|
Editing a URL-Based Application 2-73 |
||||||||
|
|
|
|
|
Deleting a URL-based Application |
2-73 |
|
||||||
|
|
|
|
|
Encapsulations |
2-73 |
|
|
|
|
|||
|
|
|
|
|
Monitoring |
2-74 |
|
|
|
|
|
|
|
|
|
|
|
|
Aggregation Intervals |
2-74 |
|
|
|
||||
|
|
|
|
|
Response Time |
2-76 |
|
|
|
|
|||
|
|
|
|
|
Voice |
2-76 |
|
|
|
|
|
|
|
|
|
|
|
|
RTP Filter |
2-78 |
|
|
|
|
|
||
|
|
|
|
|
URL |
2-78 |
|
|
|
|
|
|
|
|
|
|
|
|
Enabling a URL Collection |
2-78 |
|
|
|||||
|
|
|
|
|
Changing a URL Collection |
2-80 |
|
|
|||||
|
|
|
|
|
Disabling a URL Collection |
2-80 |
|
|
|||||
|
|
|
|
|
WAAS Monitored Servers 2-80 |
|
|
||||||
|
|
|
|
|
Adding a WAAS Monitored Server |
2-81 |
|
||||||
|
|
|
|
|
Deleting a WAAS Monitored Server |
2-81 |
|
||||||
|
|
Monitoring and Analysis |
|
|
|
|
|
||||||
C H A P T E R 3 |
|
3-1 |
|
|
|
|
|||||||
|
|
|
|
|
Navigation |
3-2 |
|
|
|
|
|
|
|
|
|
|
|
|
Context Menus |
3-2 |
|
|
|
||||
|
|
|
|
|
Interactive Report |
3-2 |
|
|
|
|
|||
|
|
|
|
|
Saving Filter Parameters |
3-3 |
|
|
|||||
|
|
|
|
|
Traffic Summary |
3-4 |
|
|
|
|
|
||
|
|
|
|
|
Response Time Summary |
3-5 |
|
|
|
||||
|
|
|
|
|
Site Summary |
3-6 |
|
|
|
|
|
|
|
|
|
|
|
|
Alarm Summary |
3-6 |
|
|
|
|
|
||
|
|
|
|
|
Analyzing Traffic |
|
3-8 |
|
|
|
|
|
|
|
|
|
|
|
Application |
3-9 |
|
|
|
|
|
||
|
|
|
|
|
Hosts Detail |
3-9 |
|
|
|
|
|||
|
|
|
|
|
Host |
3-10 |
|
|
|
|
|
|
|
|
|
|
|
|
Applications Detail |
3-10 |
|
|
|
||||
|
|
|
|
|
NDE Interface Traffic Analysis |
3-11 |
|
|
|||||
|
|
|
|
|
Viewing Interface Details |
3-12 |
|
|
|||||
|
|
|
|
|
DSCP Detail |
3-12 |
|
|
|
|
|||
|
|
|
|
|
DSCP |
3-12 |
|
|
|
|
|
|
|
|
|
|
|
|
Application Groups Detail |
3-13 |
|
|
|||||
|
|
|
|
|
URL Hits 3-14 |
|
|
|
|
|
|||
|
|
|
|
|
Viewing Collected URLs |
3-14 |
|
|
|||||
|
|
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|||||||||
|
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
vi |
|
|
|
|
|
|
|
|
|
|
OL-22617-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
Filtering a URL Collection List |
3-14 |
|
|
|
|
|||||
|
Host Conversations |
3-15 |
|
|
|
|
|
|
|||
|
Network Conversation |
3-15 |
|
|
|
|
|
|
|||
|
Top Application Traffic |
3-15 |
|
|
|
|
|
|
|||
|
Application Traffic By Host |
3-17 |
|
|
|
|
|
||||
|
WAN Optimization |
3-17 |
|
|
|
|
|
|
|
||
|
Top Talkers Detail |
3-17 |
|
|
|
|
|
|
|||
|
Application Performance Analysis |
3-18 |
|
|
|
|
|||||
|
Transaction Time (Client Experience) |
3-18 |
|
|
|
||||||
|
Traffic Volume and Compression Ratio |
3-18 |
|
|
|
||||||
|
Average Concurrent Connections (Optimized vs. Passthru) 3-18 |
||||||||||
|
Multi-Segment Network Time (Client LAN - WAN - Server LAN) 3-18 |
||||||||||
|
Conversation Multi-Segments |
3-18 |
|
|
|
|
|
||||
|
Response Time 3-19 |
|
|
|
|
|
|
|
|
||
|
Application Response Time |
3-22 |
|
|
|
|
|
||||
|
Network Response Time |
3-22 |
|
|
|
|
|
||||
|
Server Response Time |
3-23 |
|
|
|
|
|
|
|||
|
Client Response Time |
3-23 |
|
|
|
|
|
|
|||
|
Client-Server Response Time |
3-23 |
|
|
|
|
|
||||
|
Server Application Responses |
3-23 |
|
|
|
|
|
||||
|
Server Application Transactions 3-24 |
|
|
|
|
||||||
|
Server Network Responses |
3-25 |
|
|
|
|
|
||||
|
Client-Server Application Responses |
3-26 |
|
|
|
|
|||||
|
Client-Server Application Transactions 3-27 |
||||||||||
|
Client-Server Network Responses |
3-28 |
|
|
|
|
|||||
|
Managed Device |
3-29 |
|
|
|
|
|
|
|
|
|
|
Interface |
3-30 |
|
|
|
|
|
|
|
|
|
|
Interfaces Stats Table 3-30 |
|
|
|
|
|
|||||
|
Interface Statistics Over Time |
3-31 |
|
|
|
|
|||||
|
Health |
3-31 |
|
|
|
|
|
|
|
|
|
|
Switch Health |
3-31 |
|
|
|
|
|
|
|||
|
Router Health |
3-35 |
|
|
|
|
|
|
|||
|
NBAR |
3-37 |
|
|
|
|
|
|
|
|
|
|
Media 3-37 |
|
|
|
|
|
|
|
|
|
|
|
RTP Streams |
3-38 |
|
|
|
|
|
|
|
|
|
|
Purpose |
3-38 |
|
|
|
|
|
|
|
|
|
|
Monitoring RTP Streams |
3-39 |
|
|
|
|
|
||||
|
Voice Call Statistics |
3-39 |
|
|
|
|
|
|
|||
|
Calls Table |
3-40 |
|
|
|
|
|
|
|
|
|
|
|
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|
|
|
||||
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
OL-22617-01 |
|
|
|
|
|
|
|
|
vii |
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
RTP Conversation |
3-42 |
|
|
|
|
Capturing and Decoding Packet Data |
|
|||
C H A P T E R 4 |
4-1 |
||||
|
Sessions 4-2 |
|
|
|
|
|
Viewing Capture Sessions |
4-3 |
|
||
|
Configuring Capture Sessions |
4-4 |
|||
|
Software Filters |
4-7 |
|
|
|
|
Creating a Software Filter |
4-8 |
|||
|
Editing a Software Capture Filter 4-11 |
||||
|
Hardware Assisted Filters |
|
4-12 |
||
|
Configuring a Hardware Filter 4-12 |
||||
|
Files 4-15 |
|
|
|
|
|
Analyzing Capture Files |
4-17 |
|
||
|
Error Scan |
4-17 |
|
|
|
|
Downloading Capture Files |
4-18 |
|||
|
Deleting a Capture File |
4-19 |
|
||
|
Deleting Multiple Files |
4-19 |
|
||
|
|
|
|
|
Viewing Packet Decode Information |
4-20 |
|
|
|
|||
|
|
|
|
|
Browsing Packets in the Packet Decoder |
4-21 |
|
|
||||
|
|
|
|
|
Filtering Packets Displayed in the Packet Decoder 4-21 |
|||||||
|
|
|
|
|
Viewing Detailed Protocol Decode Information |
4-22 |
|
|||||
|
|
|
|
|
Using Alarm-Triggered Captures |
4-23 |
|
|
|
|||
|
|
|
|
|
Custom Display Filters |
4-23 |
|
|
|
|
|
|
|
|
|
|
|
Creating Custom Display Filters |
4-23 |
|
|
|
|||
|
|
|
|
|
Editing Custom Display Filters |
4-26 |
|
|
|
|||
|
|
|
|
|
Deleting Custom Display Filters |
4-27 |
|
|
|
|||
|
|
User and System Administration 5-1 |
|
|
|
|
|
|||||
C H A P T E R 5 |
|
|
|
|
|
|
||||||
|
|
|
|
|
System Administration 5-1 |
|
|
|
|
|
||
|
|
|
|
|
Resources 5-2 |
|
|
|
|
|
|
|
|
|
|
|
|
Network Parameters |
5-2 |
|
|
|
|
|
|
|
|
|
|
|
SNMP Agent |
5-3 |
|
|
|
|
|
|
|
|
|
|
|
Working with NAM Community Strings |
5-4 |
|
|
||||
|
|
|
|
|
System Time |
5-5 |
|
|
|
|
|
|
|
|
|
|
|
Synchronizing the NAM System Time with the Switch or Router 5-6 |
|||||||
|
|
|
|
|
Synchronizing the NAM System Time Locally |
5-6 |
|
|||||
|
|
|
|
|
Configuring the NAM System Time with an NTP Server 5-7 |
|||||||
|
|
|
|
|
E-Mail Setting |
5-7 |
|
|
|
|
|
|
|
|
|
|
|
Web Data Publication |
5-8 |
|
|
|
|
|
|
|
|
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|
|
|
|||||
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
viii |
|
|
|
|
|
|
|
|
|
OL-22617-01 |
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
Capture Data Storage |
5-8 |
|
|
Creating NFS Storage Locations |
5-9 |
||
Editing NFS Storage Locations 5-10 |
|||
Creating iSCSI Storage Locations |
5-11 |
||
Editing iSCSI Storage Locations |
5-11 |
||
Syslog Setting |
5-12 |
|
|
SNMP Trap Setting |
5-12 |
|
|
Creating a NAM Trap Destination |
5-12 |
||
Editing a NAM Trap Destination |
5-13 |
||
Deleting a NAM Trap Destination |
5-13 |
||
Preferences |
5-13 |
|
|
Diagnostics 5-14 |
|
|
|
System Alerts |
5-14 |
|
|
Audit Trail 5-14 |
|
|
|
Tech Support |
5-15 |
|
|
|
|
User Administration |
5-16 |
|
|
|
|
|
|
|
|
|
|
|
Local Database |
5-16 |
|
|
|
|
|
|
|
|
|
|
|
Recovering Passwords |
5-16 |
|
|
|
|
|
|
|||
|
|
Changing Predefined NAM User Accounts on the Switch or Router 5-17 |
||||||||||
|
|
Creating a New User 5-17 |
|
|
|
|
|
|
||||
|
|
Editing a User |
5-18 |
|
|
|
|
|
|
|
||
|
|
Deleting a User |
5-18 |
|
|
|
|
|
|
|
||
|
|
Establishing TACACS+ Authentication and Authorization 5-19 |
||||||||||
|
|
Configuring a TACACS+ Server to Support NAM Authentication and Authorization 5-20 |
||||||||||
|
|
Configuring a Cisco ACS TACACS+ Server |
5-20 |
|
|
|
||||||
|
|
Current User Sessions |
5-22 |
|
|
|
|
|
|
|
||
|
NAM Traffic Analyzer 5.0 Usage Scenarios |
|
|
|
|
|
||||||
C H A P T E R 6 |
6-1 |
|
|
|
|
|||||||
|
|
Deployment |
6-2 |
|
|
|
|
|
|
|
|
|
|
|
Deploying NAMs in the Branch 6-2 |
|
|
|
|
|
|
||||
|
|
Deploying NAMs for Voice/Video applications |
6-2 |
|
|
|
||||||
|
|
Deploying NAMs for WAN Optimization |
6-2 |
|
|
|
|
|||||
|
|
Deploying Multi-NAM Consolidation |
6-2 |
|
|
|
|
|||||
|
|
Autodiscovery Capabilities of NAM |
6-3 |
|
|
|
|
|
||||
|
|
Creating Custom Applications |
6-3 |
|
|
|
|
|
|
|||
|
|
Utilizing Sites to Create a Geographically Familiar Deployment 6-3 |
||||||||||
|
|
Integrating NAM with Third Party Reporting Tools 6-3 |
||||||||||
|
|
Integrating NAM with LMS |
6-4 |
|
|
|
|
|
|
|||
|
|
Monitoring |
6-4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|
|
|
|||||
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
OL-22617-01 |
|
|
|
|
|
|
|
|
|
ix |
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
Understanding Traffic Patterns at the Network Layer 6-4 |
||||
|
|
Understanding Traffic patterns for DiffServ-Enabled Networks 6-4 |
||||
|
|
Using NAM to Evaluate Application-Level Performance Monitoring for TCP-Interactive |
||||
|
|
Applications |
6-4 |
|
|
|
|
|
Using NAM to Evaluate Application-Level Performance Monitoring for UDP Realtime |
||||
|
|
Applications |
6-5 |
|
|
|
|
|
Using NAM to Evaluate Potential Impact of WAN Optimization Prior to Deployment 6-5 |
||||
|
|
Troubleshooting |
|
6-5 |
|
|
|
|
Using NAM for Problem Isolation |
6-5 |
|||
|
|
Using NAM for SmartGrid Visibility |
6-6 |
|||
|
|
Troubleshooting |
|
|
|
|
A P P E N D I X |
A |
A-1 |
|
|
||
|
|
General NAM Issues |
A-1 |
|
||
|
|
Error Messages |
|
A-2 |
|
|
|
|
Packet Drops |
A-2 |
|
|
|
|
|
NAM Not Responding |
A-2 |
|
||
|
|
NAM Behavior |
|
A-3 |
|
|
|
|
WAAS Troubleshooting |
A-3 |
|
||
|
|
Supported MIB Objects |
|
|
||
A P P E N D I X |
B |
B-1 |
|
|||
|
|
Supported MIBs |
|
B-1 |
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
x |
OL-22617-01 |
|
|
|
About This Guide
This guide describes how to use Cisco Network Analysis Module Traffic Analyzer 5.0 (NAM 5.0) software. This preface has the following sections:
•Chapter Overview, page xi
•Audience, page xii
•Conventions, page xii
•Notices, page xii
•Obtaining Documentation and Submitting a Service Request, page xiii
For a list of the platforms that Cisco NAM 5.0 supports, see Overview of the NAM Platforms, page 1-5.
Chapter Overview
This guide contains the following chapters:
•Chapter 1, “Overview” provides an overview of the NAM Traffic Analyzer, discusses new features in this release, describes the new GUI, and provides information about how to use various components of the NAM Traffic Analyzer.
•Chapter 2, “Setting Up The NAM Traffic Analyzer,” provides information about the first steps users should take after booting up the NAM and setting up the NAM Traffic Analyzer applications.
•Chapter 3, “Monitoring and Analysis” provides information about options for viewing and monitoring various types data.
•Chapter 4, “Capturing and Decoding Packet Data” provides information about setting up multiple sessions for capturing, filtering, and decoding packet data, managing the data in a file control system, and displaying the contents of the packets.
•Chapter 5, “User and System Administration” provides information about performing user and system administration tasks and generating diagnostic information for obtaining technical assistance.
•Chapter 6, “NAM Traffic Analyzer 5.0 Usage Scenarios” provides scenarios for NAM deployment and the details you may need to know about them.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
OL-22617-01 |
xi |
|
About This Guide
Audience
This guide is designed for network administrators who are responsible for setting up and configuring Network Analysis Modules (NAMs) to monitor traffic and diagnose emerging problems on network segments. As a network administrator, you should be familiar with:
•Basic concepts and terminology used in internetworking.
•Network topology and protocols.
•Basic UNIX commands or basic Windows operations.
Conventions
This document uses the following conventions:
Item |
Convention |
|
|
Commands and keywords |
boldface font |
|
|
Variables for which you supply values |
italic font |
|
|
Displayed session and system information |
screen font |
|
|
Information you enter |
boldface screen font |
|
|
Variables you enter |
italic screen font |
|
|
Menu items and button names |
boldface font |
|
|
Selecting a menu item in paragraphs |
Option > Network Preferences |
|
|
Selecting a menu item in tables |
Option > Network Preferences |
|
|
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Notices
The Third Party and Open Source Copyright Notices for the Cisco Network Analysis Module, Release 5.0 contains the licenses and notices for open source software used in NAM Traffic Analyzer 5.0. NAM 5.0 includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This document is available on www.cisco.com with the NAM Traffic Analyzer technical documentation.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
xii |
OL-22617-01 |
|
|
|
About This Guide
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
OL-22617-01 |
xiii |
|
About This Guide
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
xiv |
OL-22617-01 |
|
|
|
C H A P T E R 1
Overview
This chapter provides information about the Cisco Network Analysis Module Traffic Analyzer, Release 5.0 and describes the new features and how to navigate the interface.
This chapter contains the following sections:
•Introducing NAM Traffic Analyzer 5.0, page 1-1
–Dashboards, page 1-2
–Logical Site, page 1-2
–New Application Classification Architecture, page 1-3
–Standards-Based NBI, page 1-3
–NetFlow v9 Data Export, page 1-4
–Historical Analysis, page 1-4
–SNMP v3 Support -- NAM to Router/Switch Support, page 1-5
•Overview of the NAM Platforms, page 1-5
•Logging In, page 1-6
•Navigating the User Interface, page 1-6
•Understanding How the NAM Works, page 1-12
–Understanding How the NAM Uses SPAN, page 1-14
–Understanding How the NAM Uses VACLs, page 1-14
–Understanding How the NAM Uses NDE, page 1-15
–Understanding How the NAM Uses WAAS, page 1-16
•Configuration Overview, page 1-17
Introducing NAM Traffic Analyzer 5.0
The Cisco Network Analysis Module (NAM) Traffic Analyzer software enables network managers to understand, manage, and improve how applications and services are delivered to end users.
The NAM combines flow-based and packet-based analysis into one solution. The NAM can be used for traffic analysis of applications, hosts, and conversations, performance-based measurements on application, server, and network latency, quality of experience metrics for network-based services such as Voice over IP (VoIP) and video, and problem analysis using deep, insightful packet captures. The
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
OL-22617-01 |
1-1 |
|
|
|
Chapter 1 Overview
Introducing NAM Traffic Analyzer 5.0
Cisco NAM includes an embedded, web-based Traffic Analyzer GUI that provides quick access to the configuration menus and presents easy-to-read performance monitoring and analysis on web, voice, and video traffic.
Dashboards
The Cisco NAM Traffic Analyzer, Release 5.0 introduces a redesigned interface and user experience, with more intuitive workflows and interactive reporting capabilities. The dashboard-style layouts show multiple charts in one window, thereby giving you the ability to view a lot of information at once.
There are two types of dashboards in NAM 5.0: One type is the “summary” views found under the Monitor menu, and the other type is the “over time” views found under the Analyze menu. The Monitor dashboards allow you to view network traffic, application performance, site performance, and alarms at a glance. From there, you can isolate one area, for example an application with response time issues, and then drill-down to the Analyze dashboard for further investigation.
Figure 1-1 shows an example of one of the Monitoring dashboards in the NAM 5.0 release.
Figure 1-1 Dashboard in NAM 5.0
The Analyze dashboards allow you to zoom or pan to reselect the range. As you change the range, the related graphs at the bottom will update.
The dashboards can be extracted as a PNG. You can also create a Scheduled Export to have the dashboards extracted regularly and sent to you in CSV or HTML format (see Scheduled Exports, page 2-53).
Logical Site
Cisco NAM Traffic Analyzer 5.0 introduces the capability for users to define a site, with which you can aggregate and organize performance statistics. A site is a collection of hosts (network endpoints) partitioned into views that help you monitor traffic and troubleshoot problems. A site can be defined as
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-2 |
OL-22617-01 |
|
|
Chapter 1 Overview
Introducing NAM Traffic Analyzer 5.0
a set of subnets specified by an address prefix and mask, or using other criteria such as a remote device data source (for example, remote WAE device and segment information). If you want to limit the view of your network analysis data to a specific city, a specific building, or even a specific floor of a building, you can use the sites function.
You can also include multiple types of data sources in the site definition, and you can then get an aggregated view of all network traffic.
The pre-defined “Unassigned Site” makes it easy to bring up a NAM without having to configure user-defined sites. Hosts that do not belong to any user-defined site will automatically belong to the Unassigned Site.
Figure 1-2 shows an example of how a network may be configured using sites.
Figure 1-2 |
Site Level Aggregation |
|
|
|
San Jose |
|
|
|
|
Campus |
NAM |
|
|
|
San Jose |
|
|
|
|
|
|
|
|
|
|
Site San |
Site New |
|
New York |
|
Jose |
York |
Netflow |
|
|
|
|||
|
|
|
|
|
|
|
|
|
NYC |
|
|
|
|
Building 1 |
|
Datacenter |
|
FX |
NYC |
|
|
Building 2 |
||
|
San Jose |
|
|
197645 |
|
|
|
|
For information about defining and editing a site, see Sites, page 2-58.
New Application Classification Architecture
In previous releases of NAM, the RMON-2 protocol directory infrastructure was used to identify applications and network protocols. In NAM Traffic Analyzer Release 5.0, the application classification scheme is changed to align with the methodology used by Cisco with technologies such as NBAR (Network-Based Application Recognition) and SCL. It also accepts standardized application identifiers exported by Cisco platforms with NDE (NetFlow Data Export).
This allows you to gain application visibility with consistent and unique application identifiers across the network. For example, you can view applications using a global unique identifier, as compared with multiple classification engines using different applications identifiers.
For information about set up, see Classification, page 2-66.
Standards-Based NBI
NBI (Northbound Interface), also referred to as API (Application Programming Interface) enables partners and customers to provision the NAM and extract performance data. Previous releases of NAM were limited to SNMP s, and direct-URL knowledge for access to some data, including the method by which CSV-formatted data is retrieved.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
OL-22617-01 |
1-3 |
|
|
|
Chapter 1 Overview
Introducing NAM Traffic Analyzer 5.0
With NAM 5.0, the NBI is expanded to include a Representational State Transfer (REST) web service for configuration, and retrieval of data pertaining to sites. Also introduced is the capability to export high-volume performance data in the form of Netflow v9 (see the next section, “NetFlow v9 Data Export”).
Note REST does not support retrieval of performance data for sites.
REST is a set of guidelines for doing web services over HTTP. It takes advantage of the HTTP method (GET, POST, UPDATE, DELETE) as part of the request.
The REST request/response messages using the REST web service will contain XML data in the body content of the HTTP request. An XML schema will describe the message content format. All REST request/response messages are handled in XML format. Then the REST web service consumer can use any HTTP client to communitate with the REST server. To use the REST web service via HTTPS, the NAM crypto patch needs to be installed on the NAM.
The NBI web service will provide an external API interface for provisioning and retrieving performance data. For application developers who want to use the NAM APIs to provision network services and leverage data, see the Cisco Network Analysis Module 5.0 API Programmer’s Guide. The developers who use the APIs should have an understanding of a high-level programming language such as Java or an equivalent.
NetFlow v9 Data Export
The NAM uses NetFlow as a format for the ongoing streaming of aggregated data, based on the configured set of descriptors or queries of the data attributes in NAM. The NAM as a producer of NDE (NetFlow Data Export) packets is a new feature for NAM Traffic Analyzer 5.0. The NAM's new functionality of NDE is part of its new NBI.
NetFlow collects traffic statistics by monitoring packets that flow through the device and storing the statistics in the NetFlow table. NDE converts the NetFlow table statistics into records, and exports the records to an external device, which is called a NetFlow collector.
The NDE Descriptor is a permanent definition of the NAM aggregated data query of aggregated NAM data, which must be exported to designated destinations across the network using the industry-wide standard of NetFlow v9 instead of the standard UDP transport.
The NDE Descriptor defines the data query that remains in effect as long as the NDE descriptor exists in NAM’s permanent storage. Having it instantiated means that the NAM will be exporting the matching aggregated data records continuously (in a specified frequency) until the NDE descriptor is deleted or updated.
For information about set up, see Data Export, NetFlow, page 2-49.
Historical Analysis
Unlike previous versions of the NAM, in which you have to configure targeted historical reports in advance, the NAM Traffic Analyzer 5.0 stores short-term and long-term data that you can view using the new dashboards.
The NAM proactively collects and stores up to 72 hours of data at a granularity of 1, 5, or 10 minute intervals, and longer-term data with a granularity of 1 to 2 hours, This allows you to specify different time periods to view trends over time and identify potential problems.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-4 |
OL-22617-01 |
|
|
Chapter 1 Overview
Overview of the NAM Platforms
SNMP v3 Support -- NAM to Router/Switch Support
Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. The security features provided in SNMPv3 are:
•Message integrity—Ensuring that a packet has not been tampered with in-transit.
•Authentication—Determining the message is from a valid source.
•Encryption—Scrambling the contents of a packet prevent it from being seen by an unauthorized source.
With NAM 5.0, you have the ability to manage devices with SNMPv3.
Note For the WS-SVC-NAM-1 and WS-SVC-NAM-2 platforms, SNMPv3 is not required. SNMP requests and responses are communicated over an internal interface within the chassis, and SNMPv3 is not used.
Overview of the NAM Platforms
The following models differ in memory, performance, disk size, and other capabilities. Therefore, some allow for more features and capabilities (for example, the amount of memory allocated for capture).
Throughout this User Guide, there will be Notes explaining that some features apply only to specific platforms. If there is no Note, then that feature or aspect applies to all NAM platforms.
NAM 5.0 software supports the following NAM models (SKU):
•Cisco NAM 2204 Appliances
–NAM2204-RJ45
–NAM2204-SFP
•Cisco NAM 2220 Appliance
–NAM2220
•Cisco 6500 Series Switches and Cisco 7600 Series Routers
–WS-SVC-NAM-1
–WS-SVC-NAM-1-250S
–WS-SVC-NAM-2
–WS-SVC-NAM-2-250S
•Cisco Branch Routers
–NME-NAM-80S
–NME-NAM-120S
NAM 5.0 virtual blade software also supports the following virtual blade:
• Cisco WAAS NAM Virtual Service Blade
Note The Cisco Nexus 1010 Virtual Services Appliance is not supported with NAM Traffic Analyzer Release 5.0. The suggested upgrade path for Nexus 1010 NAM 4.2 users is from NAM 4.2 to 4.2.1N, and then to NAM 5.1 (when available).
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
OL-22617-01 |
1-5 |
|
|
|
Chapter 1 Overview
Logging In
Logging In
Log into the NAM by using the username and password that the NAM installer provided you, and click the Login button. If you are having problems logging in:
•Make sure you are using a browser that is currently supported for use with NAM 5.0: English Firefox 3.6+ or Microsoft Internet Explorer 8+ (Microsoft Internet Explorer 7 is not supported)
•Make sure you are using a platform that is currently supported for use with NAM 5.0:
Microsoft Windows XP or Microsoft Windows 7. The Macintosh platform is not supported on this release.
•Make sure you have JavaScript enabled.
•Clear the browser cache and restart the browser (not necessarily if installing NAM for the first time).
•Make sure cookies are enabled in your browser.
•If you see the following message: “Initializing database. Please wait until initialization process finishes,” you must wait until the process finishes.
•Make sure you had accepted the license agreement (WAAS VSB users only) and that the license has not expired
To view the full documentation set (including the User Guide and Release Notes) for the Cisco NAM Traffic Analyzer 5.0, go to the NAM Technical Documentation area on Cisco.com:
http://www.cisco.com/en/US/products/sw/cscowork/ps5401/ tsd_products_support_series_home.html
Navigating the User Interface
NAM 5.0 introduces a redesigned interface and user experience, with more intuitive workflows and improved operational efficiency. This section describes the improved navigation and control elements in the user interface.
Note All times in the Traffic Analyzer are typically displayed in 24-hour clock format. For example, 3:00 p.m. is displayed as 15:00.
Common Navigation and Control Elements
Menu Bar
To perform the NAM functions, use the menu bar.
The selections enable you to perform the necessary tasks:
Home: Brings you to the Traffic Summary Dashboard (Monitor > Overview > Traffic Summary).
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-6 |
OL-22617-01 |
|
|
Chapter 1 Overview
Navigating the User Interface
Monitor: See “summary” views that allow you to view network traffic, application performance, site performance, and alarms at a glance.
Analyze: See various “over-time” views for traffic, WAN optimization, response time, managed device, and media functions.
Capture: Configure multiple sessions for capturing, filtering, and decoding packet data, manage the data in a file control system, and display the contents of the packets.
Setup: Perform all setup needed to run Cisco NAM Traffic Analyzer 5.0.
Administration: Perform user and system administration tasks, and generate diagnostic information for obtaining technical assistance.
Detailed Views
Under some topics in the mega-menu, the last selection is “Detailed Views.” Click the small arrow to the right of the menu selections to see the sub-menu and the functions available.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
OL-22617-01 |
1-7 |
|
|
|
Chapter 1 Overview
Navigating the User Interface
Context Menus
On most charts that appear on the dashboards, you can left-click on a colored bar of data to get a context menu, with which you can get more detailed information about that item.
The example above is from the Traffic Summary Dashboard, Top N Applications chart. The description to the right of “Selected Application” in the menu shows what item you had clicked on (in this case, “snmp”).
The menu items above the separator line are specific to the selected element of the Top N chart. The items below the separator line are not specific to the selected element, but apply to the Top N chart.
Quick Capture
From the Context menu of many of the bar charts that show Applications or Hosts or VLANs. you can start a Capture.
For example, when you click on an Application in a barchart (as in the screenshot above) and choose Capture, the following is done automatically:
•A memory-based capture session is created
•A software filter is created using that application
•The capture session is started
•The decode window pops open and you can immediately see packets being captured.
Note Quick Capture does not use site definition/filter.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
1-8 |
OL-22617-01 |
|
|
Chapter 1 Overview
Navigating the User Interface
Interactive Report
On most Monitoring and Analyze screens, you can use the Interactive Report on the left side of the screen to view and change the parameters of the information displayed in the charts. You can redefine the parameters by clicking the Filter button on the left side of the Interactive Report.
The reporting time interval selection changes depending upon the dashboard you are viewing, and the NAM platform you are using. The NAM supports up to five saved Interactive Reports.
Chart View / Grid View
Most of the data presented by the NAM can be viewed as either a Chart or a Grid. The Chart view presents an overview of the data in an integrated manner, and can show you trending information. The Grid view can be used to see more precise data. For example, to get the exact value of data in graphical view, you would need to hover over a data point in the Chart to get the data, whereas the same data is easily visible in table format using Grid view. To toggle between the two views, use the Chart and Grid icons at the bottom of the panel:
Next to that icon is the “Show as Image” icon, with which you save the chart you are viewing as a PNG file.
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
|
OL-22617-01 |
1-9 |
|
|
|
Chapter 1 Overview
Navigating the User Interface
Mouse-Over for Details
When in Chart view, you can mouseover the chart to get more detailed information about what occurred at a specific time.
Many of the line charts in NAM are “dual-axis,” meaning there is one metric shown on the left axis of the chart and another metric shown on the right axis of the chart.
For example, in the figure above, Total Bytes per second is shown on the left axis, and Total Packets per second is shown on the right axis.
Zoom/Pan Charts
For many charts, you can drag the beginning or end to change the time interval, as shown below.
The time interval change on the zoom/pan chart will affect the data presented in the charts in the bottom of the window. The zoom/pan time interval also affects the drill-down navigations; if the zoom/pan interval is modified, the context menu drill-downs from that dashboard will use the zoom/pan time interval.
Note In a bar chart which you can zoom/pan, each block represents data collected during the previous interval (the time stamp displayed at the bottom of each block is the end of the time range). Therefore, you may have to drag the zoom/pan one block further than expected to get the desired data to populate in the charts in the bottom of the window.
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
1-10 |
OL-22617-01 |
Chapter 1 Overview
Navigating the User Interface
Sort Grid
When looking at information in Grid view, you can sort the information by clicking the heading of any column. Click it again to sort in reverse order.
Bytes / Packets
On most Analyze charts, you can use the “Bytes” and “Packets” check boxes at the top to specify which information you would like the chart to display.
Statistics
The Statistics legend gives you the minimum, maximum, and average statistics of the data. This will display the initial data retrieved for the selector.
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|
|
|
|
|
|
|||
|
OL-22617-01 |
|
|
1-11 |
|
|
|
|
|
||
Chapter 1 Overview
Understanding How the NAM Works
Above the Statistics legend is a dropdown selector, which allows you to choose which of the metrics shown in the “over-time” chart you would like reflected in the Statistics legend. For example, if the line chart has Bytes or Packets in the check boxes above the line chart, the selector over the Statistics legend will show the same choices, Bytes or Packets.
Context-Sensitive Online Help
The “Help” link on the top-right corner of the NAM Traffic Analyzer interface will bring you to the Help page for that particular screen of the GUI..
In addition to the Help link on the top-right corner of each page, some pages also have a blue “i”, which provides help for that specific subject.
Understanding How the NAM Works
The Network Analysis Module (NAM) product family addresses the following major functional areas:
•Network layer Traffic Analysis. The NAM provides comprehensive traffic analysis to identify what applications are running over the network, how much network resources are consumed, and who is using these applications. The NAM offers a rich set of reports with which to view traffic by Hosts, Application or Conversations. See the discussions about Dashboards, starting with Traffic Summary, page 3-4.
•Application Response Time. The NAM can provide passive measurement of TCP-based applications for any given server or client, supplying a wide variety of statistics like response time, network flight time, and transaction time.
•WAN Optimization insight. The NAM can provide insight into WAN Optimization offerings that compress and optimize WAN Traffic for preand post-deployment scenarios. This is applicable for Optimized and Passthru traffic.
•Voice Quality Analysis. The NAM provides application performance for real time applications like Voice and Video. The NAM can compute MOS, as well as provide RTP analysis for the media stream. See Media, page 3-37.
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
1-12 |
OL-22617-01 |
Chapter 1 Overview
Understanding How the NAM Works
•Advanced Troubleshooting. The NAM provides robust capture and decode capabilities for packet traces that can be triggered or terminated based on user-defined thresholds.
•Open instrumentation. The NAM is a mediation and instrumentation product offering, and hence provides a robust API that can be used by partner products as well as customers that have home grown applications. See the Cisco NAM 5.0 API Programmer’s Guide.
The NAM delivers the above functionality by analyzing a wide variety of data sources that include:
•Port mirroring technology like SPAN and RSPAN/ERSPAN. The NAM can analyze Ethernet VLAN traffic from the following sources: Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast EtherChannel SPAN, RSPAN, or ERSPAN source port
•VACL
•NetFlow Data Export (NDE). The NAM can analyze NetFlow Data Export (NDE) from Managed Devices (Routers/Switches)
•WAAS
•SNMP
•Network Tap Device. Applies to Cisco NAM 2200 Series appliances only.
The NAM Traffic Analyzer 5.0 retains the ability to use SNMP as a southbound interface for configuration and data retrieval from switches and routers. NAM 5.0 moves away from RMON and toward web services and Netflow Data Export as the northbound interface for data objects. NAM 5.0 will continue to support baseline manageability features of SNMP such as MIB-2 and IF-TABLE, and the health status and interface statistics that can be used by external products like Fault and Configuration Management offerings (for example, CiscoWorks LMS).
For more information about SPAN, RSPAN, and ERSPAN, see the "Configuring Local SPAN, RSPAN, and ERSPAN" chapter in the Catalyst 6500 Series Switch Software Configuration Guide.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/
configuration/guide/span.html
For more general information about NDE, see this section in the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX.
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/
configuration/guide/nde.html
Table 1-1 summarizes the traffic sources that are used for NAM monitoring.
Table 1-1 |
Summary of Traffic Sources for NAM Monitoring |
|
|
|
|||
|
|
|
|
|
|
|
|
Traffic Source |
|
|
LAN |
|
WAN |
||
|
|
|
|
|
|
|
|
|
|
Ports |
|
VLANs |
Ports |
|
VLANs |
|
|
|
|
|
|
|
|
VACL capture |
|
Yes |
|
Yes |
Yes |
|
N/A |
|
|
|
|
|
|
|
|
NetFlow Data Export NDE (local) |
Yes |
|
Yes |
Yes |
|
Yes |
|
|
|
|
|
|
|
|
|
NetFlow Data Export NDE (remote) |
Yes |
|
Yes |
Yes |
|
Yes |
|
|
|
|
|
|
|
|
|
SPAN |
|
Yes |
|
Yes |
No |
|
No |
|
|
|
|
|
|
|
|
ERSPAN |
|
Yes |
|
Yes |
No |
|
No |
|
|
|
|
|
|
|
|
The next sections describe how the NAM uses the supported data sources:
•Understanding How the NAM Uses SPAN, page 1-14
•Understanding How the NAM Uses VACLs, page 1-14
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|
|
|
|
|
|
|||
|
OL-22617-01 |
|
|
1-13 |
|
|
|
|
|
||
Chapter 1 Overview
Understanding How the NAM Works
•Understanding How the NAM Uses NDE, page 1-15
•Understanding How the NAM Uses WAAS, page 1-16
Understanding How the NAM Uses SPAN
A switched port analyzer (SPAN) session is an association of a destination port with a set of source ports, configured with parameters that specify the monitored network traffic. You can configure up to two SPAN sessions in a Catalyst 6500 or 7600 Routers chassis. Newer Cisco IOS images may support more than two SPAN sessions. Consult the Cisco IOS document for the number of SPAN sessions supported per switch or router.
The WS-SVC-NAM-1 platform provides a single destination port for SPAN sessions. The WS-SVC-NAM-2 platform provides two possible destination ports for SPAN and VLAN access control list (VACL) sessions. Multiple SPAN sessions to the NAM are supported, but they must be destined for different ports. The NAM destination ports for use by the SPAN graphical user interface (GUI) are named DATA PORT 1 and DATA PORT 2 by default. In the CLI, SPAN ports are named as shown in Table 1-2.
Table 1-2 |
SPAN Port Names |
|
|
|
|
Module |
|
Cisco IOS Software |
|
|
|
WS-SVC-NAM-1 |
data port |
|
|
|
|
WS-SVC-NAM-2 |
data port 1 and data port 2 |
|
|
|
|
For more information about SPAN and how to configure it on the Catalyst 6500 series switches, see the
Catalyst 6500 Series Switch Software Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/
guide/span.html
For more information about SPAN and how to configure it on the Cisco 7600 series router, see the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/span.html
Note Due to potentially very high volume of ERSPAN traffic from the source, we recommend that you do not terminate the ERSPAN session on the NAM management port. Instead, you should terminate ERSPAN on the switch, and use the switch’s SPAN feature to SPAN the traffic to NAM data ports.
Understanding How the NAM Uses VACLs
A VLAN access control list can forward traffic from either a WAN interface or VLANs to a data port on the NAM. A VACL provides an alternative to using SPAN; a VACL can provide access control based on Layer 3 addresses for IP and IPX protocols. The unsupported protocols are access controlled through the MAC addresses. A MAC VACL cannot be used to access control IP or IPX addresses.
There are two types of VACLs: one that captures all bridged or routed VLAN packets and another that captures a selected subset of all bridged or routed VLAN packets. Catalyst operating system VACLs can only be used to capture VLAN packets because they are initially routed or bridged into the VLAN on the switch.
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
1-14 |
OL-22617-01 |
Chapter 1 Overview
Understanding How the NAM Works
A VACL can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or, with Release 12.1(13)E or later releases, a WAN interface. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, the VACLs apply to all packets and can be applied to any VLAN or WAN interface. The VACLs are processed in the hardware.
A VACL uses Cisco IOS access control lists (ACLs). A VACL ignores any Cisco IOS ACL fields that are not supported in the hardware. Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject to a number of features, such as access control (security), encryption, and policy-based routing. Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed packets.
After a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VACL. Packets can either enter the VLAN through a switch port or through a router port after being routed. Unlike Cisco IOS ACLs, the VACLs are not defined by direction (input or output).
A VACL contains an ordered list of access control entries (ACEs). Each ACE contains a number of fields that are matched against the contents of a packet. Each field can have an associated bit mask to indicate which bits are relevant. Each ACE is associated with an action that describes what the system should do with the packet when a match occurs. The action is feature dependent. Catalyst 6500 series switches and Cisco 7600 series routers support three types of ACEs in the hardware: IP, IPX, and MAC-Layer traffic. The VACLs that are applied to WAN interfaces support only IP traffic.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet coming into the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.
When configuring VACLs, note the following:
•VACLs and context-based access control (CBAC) cannot be configured on the same interface.
•TCP Intercepts and Reflexive ACLs take precedence over a VACL action on the same interface.
•Internet Group Management Protocol (IGMP) packets are not checked against VACLs.
Note You cannot set up VACL using the NAM interface.
For details on how to configure a VACL with Cisco IOS software, see the Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/
guide/vacl.html
For details on how to configure a VACL on a WAN interface and on a LAN VLAN, see VACL, page 2-17.
Understanding How the NAM Uses NDE
The NAM uses NetFlow as a format for the ongoing streaming of aggregated data, based on the configured set of descriptors or queries of the data attributes in NAM. NetFlow Data Export (NDE) is a remote device that allows you to monitor port traffic on the NAM; the NAM can collect NDE from local or remote switch or router for traffic analysis.
|
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
|
|
|
|
|
|
|||
|
OL-22617-01 |
|
|
1-15 |
|
|
|
|
|
||
Chapter 1 Overview
Understanding How the NAM Works
To use an NDE data source for the NAM, you must configure the remote device to export the NDE packets. The default UDP port is 3000, but you can configure it from the NAM CLI as follows:
root@nam2x-61.cisco.com# netflow input port ?
<port> |
- input NDE port number |
The distinguishing feature of the NetFlow v9 format, which is the basis for an IETF standard, is that it is template-based. Templates provide an extensible design to the record format, a feature that must allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.
For more detailed information about NAM and NetFlow, see NetFlow, page 2-18.
For more information on NetFlow, see http://www.cisco.com/go/netflow or the “Configuring NetFlow Data Export” chapter in the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX.
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/
configuration/guide/nde.html
For specific information about creating and managing NDE queries, see the Cisco Network Analysis Module 5.0 API Programmer’s Guide.
Understanding How the NAM Uses WAAS
Cisco Wide Area Application Services (WAAS) software optimizes the performance of TCP-based applications operating in a wide area network (WAN) environment and preserves and strengthens branch security. The WAAS solution consists of a set of devices called Wide Area Application Engines (WAEs) that work together to optimize WAN traffic over your network.
When client and server applications attempt to communicate with each other, the network devices intercepts and redirects this traffic to the WAEs to act on behalf of the client application and the destination server.
WAEs provide information about packet streams traversing through both LAN and WAN interfaces of WAAS WAEs. Traffic of interest can include specific servers and types of transaction being exported. NAM processes the data exported from the WAAS and performs application response time and other metrics calculations and enters the data into reports you set up.
The WAEs examine the traffic and using built-in application policies to determine whether to optimize the traffic or allow it to pass through your network not optimized.
You can use the WAAS Central Manager GUI to centrally configure and monitor the WAEs and application policies in your network. You can also use the WAAS Central Manager GUI to create new application policies so that the WAAS system will optimize custom applications and less common applications.
For more information about WAAS data sources and managing WAAS devices, see Understanding WAAS, page 2-29.
|
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0 |
1-16 |
OL-22617-01 |
Loading...