Catalyst 6500 Series Switch and Cisco 7600 Series Router Network Analysis Module Installation and Configuration Note, 4.1
Downloads: This chapterpdf (PDF - 416.0 KB) The complete bookPDF (PDF - 2.13 MB) | Feedback


Table Of Contents


Understanding How the NAM Works

Understanding How the NAM Uses SPAN

Understanding How the NAM Uses VACLs

Understanding How the NAM Uses NDE

Managing the NAM

Front Panel Description





This chapter describes the Catalyst 6500 series switch or Cisco 7600 series router Network Analysis Module (NAM), how it operates, and how to manage it.

Note This installation and configuration note applies to users who have Catalyst operating system and
Cisco IOS software. The procedures in this note that pertain to each operating system are specified in separate sections for each operating system.

This chapter contains these sections:

Understanding How the NAM Works

Managing the NAM

Front Panel Description


Understanding How the NAM Works

This section describes how the Catalyst 6500 series switch or Cisco 7600 series router Network Analysis Module (NAM) operates. This section contains these subsections:

Understanding How the NAM Uses SPAN

Understanding How the NAM Uses VACLs

Understanding How the NAM Uses NDE

The NAM monitors and analyzes network traffic using remote monitoring (RMON), RMON extensions for switched networks (SMON), and other management information bases (MIBs). For more information, see the "Supported MIB Objects" section on page 5-16.

The NAM monitors, analyzes, and views NetFlow on remote devices and supports these RMON groups:

RMON groups defined in RFC 2819

RMON2 groups defined in RFC 2021

DSMON groups defined in RFC 3287

High-capacity RMON groups defined in RFC 3273 (except the media Independent Group)

SMON groups defined in RFC 2613

All groups defined in the Application Response Time MIB

NetFlow Version 9 records; the NetFlow listening mode now shows data sources using NetFlow Version 9

The NAM can also monitor individual Ethernet VLANs, which allows it to serve as an extension to the basic RMON support provided by the Catalyst 6500 series supervisor engine.

You can use any other IETF-compliant RMON application to access link, host, protocol, and response-time statistics for capacity planning, departmental accounting, and real-time application protocol monitoring. You also can use filters and capture buffers to troubleshoot the network.

The NAM can analyze Ethernet VLAN traffic from the following sources:

Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast EtherChannel SPAN or RSPAN source port.

For more information about SPAN and RSPAN, refer to the "Configuring SPAN, RSPAN, and the Mini Protocol Analyzer" chapter in the Catalyst 6500 Series Switch Software Configuration Guide.

NetFlow Data Export (NDE).

For more information about NDE, refer to the Catalyst 6500 Series Switch Software Configuration Guide.

Table 1-1 summarizes the traffic sources that are used for NAM monitoring.

Table 1-1 Summary of Traffic Sources for NAM Monitoring 

Traffic Source

VACL capture





NetFlow Data Export NDE (local)





NetFlow Data Export NDE (remote)















Understanding How the NAM Uses SPAN

A switched port analyzer (SPAN) session is an association of a destination port with a set of source ports, configured with parameters that specify the monitored network traffic. You can configure multiple SPAN sessions in a switched network.

The WS-SVC-NAM-1 platform provides a single destination port for SPAN sessions. The WS-SVC-NAM-2 platform provides two possible destination ports for SPAN and VLAN access control list (VACL) sessions. Multiple SPAN sessions to the NAM are supported, but they must be destined for different ports. The NAM destination ports for use by the SPAN graphical user interface (GUI) are named DATA PORT 1 and DATA PORT 2 by default. In the CLI, SPAN ports are named as shown in Table 1-2.

Table 1-2 SPAN Port Names

Cisco IOS Software
Catalyst Operating System Software


data-port 1

module number:3


data-port 1 and data-port 2

<module number/7> or <module #/8>

Each of these ports is independent. You might create data-port collections that are populated by only the traffic from one of the ports or by traffic from both ports. You can still create VLAN-based collections with packets from either port that match the specified VLAN populating such collections.

For more information about SPAN and how to configure it on the Catalyst 6500 series switches, use this URL:

For more information about SPAN and how to configure it on the Cisco 7600 series router, use this URL:

The NAM supports Encapsulated Remote SPAN (ERSPAN) traffic on the management port and uses that traffic as a data source. All collection types are supported on the ERSPAN traffic.

ERSPAN is an extension of SPAN where packets are encapsulated in a generic routing encapsulation (GRE) packet and sent to an ERSPAN destination. The ERSPAN sources and destinations are usually Supervisor Engine 720 with a PFC5 or later releases. Because the ERSPAN traffic uses IP or GRE to encapsulate the packets sent across the routers, the de encapsulated traffic can then be sent to the NAM data ports.

Understanding How the NAM Uses VACLs

A VLAN access control list can forward traffic from either a WAN interface or VLANs to a data port on the NAM. A VACL provides an alternative to using SPAN; a VACL can provide access control based on Layer 3 addresses for IP and IPX protocols. The unsupported protocols are access controlled through the MAC addresses. A MAC VACL cannot be used to access control IP or IPX addresses.

There are two types of VACLs: one that captures all bridged or routed VLAN packets and another that captures a selected subset of all bridged or routed VLAN packets. Catalyst operating system VACLs can only be used to capture VLAN packets because they are initially routed or bridged into the VLAN on the switch.

A VACL can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or, with Release 12.1(13)E or later releases, a WAN interface. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, the VACLs apply to all packets and can be applied to any VLAN or WAN interface. The VACLs are processed in the hardware.

A VACL uses Cisco IOS access control lists (ACLs). A VACL ignores any Cisco IOS ACL fields that are not supported in the hardware. Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject to a number of features, such as access control (security), encryption, and policy-based routing. Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed packets.

Once a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VACL. Packets can either enter the VLAN through a switch port or through a router port after being routed. Unlike Cisco IOS ACLs, the VACLs are not defined by direction (input or output).

A VACL contains an ordered list of access control entries (ACEs). Each ACE contains a number of fields that are matched against the contents of a packet. Each field can have an associated bit mask to indicate which bits are relevant. Each ACE is associated with an action that describes what the system should do with the packet when a match occurs. The action is feature dependent. Catalyst 6500 series switches and Cisco 7600 series routers support three types of ACEs in the hardware: IP, IPX, and MAC-Layer traffic. The VACLs that are applied to WAN interfaces support only IP traffic.

When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet coming in to the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.

When configuring VACLs, note the following:

VACLs and context-based access control (CBAC) cannot be configured on the same interface.

TCP Intercepts and Reflexive ACLs take precedence over a VACL action on the same interface.

Internet Group Management Protocol (IGMP) packets are not checked against VACLs.

For details on how to configure a VACL with Cisco IOS software, refer to the Network Analysis Module for Catalyst 6500 Series and Cisco 7600 Series Command Reference. For details on how to configure security ACLs with the Catalyst operating system, refer to the Catalyst 6500 Series Software Configuration Guide and the Catalyst 6500 Series Command Reference.

Understanding How the NAM Uses NDE

NetFlow Data Export (NDE) is a remote device that allows you to monitor port traffic on the NAM. To use an NDE data source for the NAM, you must configure the remote device to export the NDE packets to UDP port 3000 on the NAM. You may need to configure the device on a per-interface basis. A screen has been added to the web application user interface for specifying NDE devices (an NDE device is identified by its IP address). By default, the switch's local supervisor engine is always available as an NDE device.

You can define additional NDE devices by specifying the IP addresses and (optionally) the community strings. Community strings are used to upload convenient textual strings for interfaces on the remote devices that are monitored in NetFlow records.

For more information about the NDE data sources of the NAM, go to the NAM Traffic Analyzer online help menu and choose the Setup > Data Sources > NetFlow Devices.

Managing the NAM

You can manage the NAM from the embedded web-based NAM Traffic Analyzer application (directing a web browser to the NAM) or a Simple Network Management Protocol (SNMP) management application, such as those bundled with CiscoWorks2000.

The NAM Traffic Analyzer provides access to the management and monitoring features for NAM data and voice traffic through a web browser. To use NAM Traffic Analyzer, you need to do some basic configuration tasks on the NAM using the CLI. You then can start NAM Traffic Analyzer with a single command.

With NAM Traffic Analyzer, you can do the following tasks:

Configure and view historical reports about various traffic statistics

Configure SPAN resources

Configure collections

Monitor statistics

Capture and decode packets

Set and view alarms

For added security, you can configure the NAM to use a remote TACACS+ server. A TACACS+ server provides authentication and authorization for your web-based users. You also can use a local database on the NAM for security.

NAM can be managed using standards-based SNMP applications. To use RMON and SNMP agent support, you configure the NAM using the CLI.

If you have a NAM that is already configured and running in the switch, and you are familiar with the NAM, you can begin using NAM Traffic Analyzer by entering the ip http server enable CLI command and then starting NAM Traffic Analyzer in your browser.

Refer to the User Guide for the Network Analysis Module Traffic Analyzer Release 4.1 for more information about using NAM Traffic Analyzer:

Front Panel Description

The NAM front panel (see Figure 1-1) includes a STATUS LED and SHUTDOWN button.

Figure 1-1 NAM Front Panel


The STATUS LED indicates the operating states of the NAM. Table 1-3 describes the LED operation.

Table 1-3 STATUS LED Description 



All diagnostic tests pass. The NAM is operational.


A diagnostic other than an individual port test failed.


Indicates one of three conditions:

The NAM is running through its boot and self-test diagnostic sequence.

The NAM is disabled.

The NAM is in the shutdown state.


The NAM power is off.


Caution Do not remove the NAM from the switch until the NAM has shut down completely and the STATUS LED is orange. You risk disk corruption if you remove the NAM from the switch before the NAM completely shuts down.

To avoid corrupting the NAM hard disk, you must correctly shut down the NAM before you remove it from the chassis or disconnect the power. This shutdown procedure is normally initiated by commands entered at the supervisor engine CLI prompt or the NAM CLI prompt.

Note If disk corruption occurs, you can recover the disk by upgrading the application image again with the --install option. See the "Upgrading the NAM Application Software with Catalyst Operating System Software" section on page 17.

If the NAM fails to respond to these commands properly, press the SHUTDOWN button on the front panel to initiate the shutdown procedure.

The shutdown procedure may require several minutes. The STATUS LED turns off when the NAM shuts down.


Table 1-4 describes the specifications for the NAM. These specifications apply to the following modules:





Table 1-4 Network Analysis Module Specifications 


Dimensions (H x W x D)

1.2 x 14.4 x 16 in. (3.0 x 35.6 x 40.6 cm)


Minimum: 3 lb (1.36 kg)

Maximum: 5 lb (2.27 kg)

Environmental conditions:

Operating temperature

Nonoperating temperature


(Noncondensing) Nonoperating and Storage


32 to 104×F (0 to 40×C)

-40 to 158×F (-40 to 70×C)

10 to 90%, noncondensing

5 to 95%

Sea level to 10,000 ft (3050 m)