This chapter provides information about Cisco Prime Network Analysis Module Software 5.1. It describes new features and how to navigate the interface, and provides general information about how the Cisco NAM functions.
This chapter contains the following sections:
•Cisco Prime Network Analysis Module
•Overview of the NAM Platforms
•Navigating the User Interface
•Understanding How the NAM Works
–Understanding How the NAM Uses SPAN
–Understanding How the NAM Uses VACLs
–Understanding How the NAM Uses NDE
–Understanding How the NAM Uses WAAS
•Network Performance Management Lifecycle
•Places in the Network Where NAMs Are Deployed
–Choice of Hardware and Software Platforms for a Given Place in the Network
Cisco Prime Network Analysis Module
The Cisco Prime Network Analysis Module software empowers network managers with an easy to use traffic analysis toolset to optimize network resources, troubleshoot network performance issues, and ensure a consistent end-user experience.
The Cisco Prime portfolio of enterprise and service provider management offerings supports integrated lifecycle management of Cisco architectures and technologies based on a service-centric framework. Built on an intuitive workflow-oriented user experience, Cisco Prime products help increase IT productivity and reduce operations costs through innovative management solutions for the network services, infrastructure, and endpoints.
Network administrators need multifaceted visibility into the network and application to help ensure consistent and cost-effective delivery of service to end users. Knowing how traffic over the network is being used and how it is performing is essential for managing and improving the delivery of your business-critical applications. It is the foundation for establishing and verifying quality of service (QoS) policies, undertaking WAN-optimization projects, and rolling out voice over IP (VoIP). It is also the foundation for recognizing when a configuration change has unintentionally degraded application performance or for providing proof points that it is the application and not the network that is causing one of your business planning systems to perform poorly, so that the appropriate actions can then be taken.
New Features in Cisco Prime Network Analysis Module Software 5.1
Addition of NAM SRE Platform
The Cisco® Services Ready Engine (SRE) modules are router blades for the Cisco Integrated Services Routers Generation 2 that provide the capability to host Cisco, third-party, and custom applications. The modules have their own processors, storage, network interfaces, and memory that operate independently of the host router resources, helping to ensure maximum concurrent routing and application performance while reducing physical footprint, lowering power consumption, and simplifying administration.
Cisco Prime Network Analysis Module 5.1 introduces the Cisco Prime Network Analysis Module (NAM) software for the ISR G2 SRE platform. Benefits include higher performance levels as a result of the superior processing power and throughput capabilities of the Service Module Service Ready Engine, and greater mass storage capabilities on the Cisco Prime NAM for ISR G2 SRE.
Performance Agent Aggregation
The Performance Agent (PA) can monitor interface traffic and collect, analyze, aggregate, and export key performance analytics to a Cisco Network Analysis Module for further processing and GUI visualization. PA integration with Cisco NAM 5.1 enables you to have a cost effective way to gain visibility into Application Response Time and traffic statistics at a remote branch.
It is supported on the Cisco ISR 880, ISR 890, and ISR G2 platforms. Deployed with WAAS Express, this feature allows an end-to-end view into the WAN-optimized network, delivering a cost-effective and scalable solution. It correlates PA data sources (WAAS Express) and FA data sources (WAE).
The NAM will perform automatic detection of PA-exporting devices.
WAAS Central Manager Integration with NAM
The Cisco WAAS is centrally managed by a scalable, secure, and simple function called the Cisco WAAS Central Manager, which runs on Cisco WAE Appliances. The Cisco WAAS Central Manager provides a centralized mechanism for configuring features, reporting, and monitoring, and can manage a topology containing thousands of Cisco WAE nodes.
Starting with Cisco WAAS Central Manager 4.4.1, the Cisco Prime Network Analysis Module Software 5.1 is accessible from within the WAAS Central Manager interface. The Cisco NAM integration with WAAS Central Manager provides for easier viewing of NAM reports that are directly associated with Application Response Time measurements through the WAN, in both WAAS optimized and non-optimized environments.
New Features in Cisco NAM 5.0
The following sections highlight the main features introduced in Cisco NAM 5.0, which included a redesigned interface and improvements from the NAM 4.x releases.
The Cisco NAM 5.0 software introduced a redesigned interface and user experience, with intuitive workflows and interactive reporting capabilities. The dashboard-style layouts show multiple charts in one window, thereby giving you the ability to view a lot of information at once.
There are two types of dashboards in NAM 5.x releases: One type is the "summary" view found under the Monitor menu, and the other type is the "over time" view found under the Analyze menu. The Monitor dashboards allow you to view network traffic, application performance, site performance, and alarms at a glance. From there, you can isolate one area, for example an application with response time issues, and then drill-down to the Analyze dashboard for further investigation.
Figure 1-1 shows an example of one of the Monitoring dashboards.
Figure 1-1 Dashboard in NAM 5.x
The Analyze dashboards allow you to zoom or pan to reselect the range. As you change the range, the related graphs at the bottom will update.
Each chart in the dashboards can be extracted as a PNG (Portable Network Graphics) image. You can also create a Scheduled Export to have the dashboards extracted regularly and sent to you in CSV or HTML format (see Scheduled Exports, page 2-60).
Cisco NAM 5.0 introduced the capability for users to define a site, with which you can aggregate and organize performance statistics. A site is a collection of hosts (network endpoints) partitioned into views that help you monitor traffic and troubleshoot problems. A site can be defined as a set of subnets specified by an address prefix and mask, or using other criteria such as a remote device data source (for example, remote WAE device and segment information). If you want to limit the view of your network analysis data to a specific city, a specific building, or even a specific floor of a building, you can use the sites function.
You can also include multiple types of data sources in the site definition, and you can then get an aggregated view of all network traffic.
The predefined "Unassigned Site" makes it easy to bring up a NAM without having to configure user-defined sites. Hosts that do not belong to any user-defined site will automatically belong to the Unassigned Site.
Figure 1-2 shows an example of how a network may be configured using sites.
Figure 1-2 Site Level Aggregation
For information about defining and editing a site, see Sites, page 2-65.
New Application Classification Architecture
In NAM releases prior to 5.x, the RMON-2 protocol directory infrastructure was used to identify applications and network protocols. In NAM 5.0, the application classification scheme was changed to align with the methodology used by Cisco with technologies such as NBAR (Network-Based Application Recognition) and SCL (Simplified Common Logic). It also accepts standardized application identifiers exported by Cisco platforms with NDE (NetFlow Data Export).
This allows you to gain application visibility with consistent and unique application identifiers across the network. For example, you can view applications using a global unique identifier, as compared with multiple classification engines using different applications identifiers.
For information about set up, see Classification, page 2-73.
NBI (Northbound Interface), also referred to as API (Application Programming Interface) enables partners and customers to provision the NAM and extract performance data. Previous releases of NAM were limited to SNMPs, and direct-URL knowledge for access to some data, including the method by which CSV-formatted data is retrieved.
With NAM 5.0, the NBI was expanded to include a Representational State Transfer (REST) web service for configuration, and retrieval of data pertaining to sites. Also introduced is the capability to export high-volume performance data in the form of Netflow v9 (see the next section, "NetFlow v9 Data Export").
Note REST does not support retrieval of performance data for sites.
REST is a set of guidelines for doing web services over HTTP. It takes advantage of the HTTP method (GET, POST, UPDATE, DELETE) as part of the request.
The REST request/response messages using the REST web service will contain XML data in the body content of the HTTP request. An XML schema will describe the message content format. All REST request/response messages are handled in XML format. Then the REST web service consumer can use any HTTP client to communitate with the REST server. To use the REST web service via HTTPS, the NAM crypto patch needs to be installed on the NAM.
The NBI web service will provide an external API interface for provisioning and retrieving performance data. For application developers who want to use the NAM APIs to provision network services and leverage data, see the Cisco Prime Network Analysis Module API Programmer's Guide, 5.1. This guide is available on the Cisco NAM Technology Center. This guide describes how to use Cisco NAM APIs. The developers who use the APIs should have an understanding of a high-level programming language such as Java or an equivalent.
The Cisco NAM Technology Center is an online resource for additional downloadable Cisco NAM support content, including help for developers who use Cisco NAM application programming interfaces (APIs). The website provides information, guidance, and examples to help you integrate your applications with Cisco NAM. It also provides a platform for you to interact with subject matter experts. To view the information on the Cisco NAM Technology Center website, you must have a Cisco.com account with partner level access, or you must be a Cisco NAM licensee. You can access the Cisco NAM Technology Center at: http://developer.cisco.com/web/nam/home.
Note Contact your Cisco account representative if you need to refer to the Cisco Prime Network Analysis Module API Programmer's Guide, 5.1.
NetFlow v9 Data Export
The NAM uses NetFlow as a format for the ongoing streaming of aggregated data, based on the configured set of descriptors or queries of the data attributes in NAM. The NAM as a producer of NDE (NetFlow Data Export) packets was a new feature for NAM 5.0.
NetFlow collects traffic statistics by monitoring packets that flow through the device and storing the statistics in the NetFlow table. NDE converts the NetFlow table statistics into records, and exports the records to an external device, which is called a NetFlow collector.
The NDE Descriptor is a permanent definition of the NAM aggregated data query of aggregated NAM data, which must be exported to designated destinations across the network using the industry-wide standard of NetFlow v9 instead of the standard UDP transport.
The NDE Descriptor defines the data query that remains in effect as long as the NDE descriptor exists in NAM's permanent storage. Having it instantiated means that the NAM will be exporting the matching aggregated data records continuously (in a specified frequency) until the NDE descriptor is deleted or updated.
For information about set up, see Data Export, NetFlow, page 2-56.
Unlike previous versions of the NAM, in which you have to configure targeted historical reports in advance, the NAM 5.x releases store short-term and long-term data that you can view using the new dashboards.
The NAM proactively collects and stores up to 72 hours of data at a granularity of 1, 5, or 10 minute intervals, and longer-term data with a granularity of 1 to 2 hours. This allows you to specify different time periods to view trends over time and identify potential problems.
For specific information about the amount of data that can be stored in the NAM database, see Table 2-38, Data Retention.
SNMP v3 Support -- NAM to Router/Switch Support
Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. The security features provided in SNMPv3 are:
•Message integrity—Ensuring that a packet has not been tampered with in-transit.
•Authentication—Determining the message is from a valid source.
•Encryption—Scrambling the contents of a packet prevent it from being seen by an unauthorized source.
With NAM 5.0, you have the ability to manage devices with SNMPv3.
Note For the WS-SVC-NAM-1 and WS-SVC-NAM-2 platforms, SNMPv3 is not required. SNMP requests and responses are communicated over an internal interface within the chassis, and SNMPv3 is not used.
Overview of the NAM Platforms
The following models differ in memory, performance, disk size, and other capabilities. Therefore, some allow for more features and capabilities (for example, the amount of memory allocated for capture).
Throughout this User Guide, there will be Notes explaining that some features apply only to specific platforms. If there is no Note, then that feature or aspect applies to all NAM platforms.
See Choice of Hardware Platforms for a Given PIN, page 1-21 for more information about where you may choose to deploy certain platforms.
Cisco NAM 5.1 software supports the following NAM models (SKU):
•Cisco NAM 2204 Appliances
•Cisco NAM 2220 Appliance
•Cisco 6500 Series Switches and Cisco 7600 Series Routers
•Cisco Branch Routers
•Cisco SRE NAM
Cisco NAM 5.1 software also supports the following virtual blades:
•Cisco WAAS NAM Virtual Service Blade
•Cisco Nexus 1010 NAM
Log in to the NAM by using the username and password that the NAM administrator provided you, and click the Login button. If you are having problems logging in:
•Make sure you are using a browser that is currently supported for use with NAM 5.1:
English Firefox 3.6+ or Microsoft Internet Explorer 8+ (Microsoft Internet Explorer 7 is not supported)
•Make sure you are using a platform that is currently supported for use with NAM 5.1:
Microsoft Windows XP or Microsoft Windows 7. The Macintosh platform is not supported on this release.
•Make sure you have downloaded the most recent version of Adobe Flash.
•Clear the browser cache and restart the browser (not necessarily if installing NAM for the first time).
•Make sure cookies are enabled in your browser.
•If you see the following message: "Initializing database. Please wait until initialization process finishes," you must wait until the process finishes.
•Make sure you had accepted the license agreement (WAAS VB, Nexus 1010, and SRE users only) and that the license has not expired.
To view the full documentation set (including the User Guide and Release Notes) for the Cisco NAM software, go to the NAM software Technical Documentation area on Cisco.com:
Navigating the User Interface
NAM 5.0 introduced a redesigned interface and user experience, with intuitive workflows and improved operational efficiency. This section describes the improved navigation and control elements in the user interface.
Note All times in the NAM are typically displayed in 24-hour clock format. For example, 3:00 p.m. is displayed as 15:00.
Common Navigation and Control Elements
To perform the NAM functions, use the menu bar.
The selections enable you to perform the necessary tasks:
Home: Brings you to the Traffic Summary Dashboard (Monitor > Overview > Traffic Summary).
Monitor: See "summary" views that allow you to view network traffic, application performance, site performance, and alarms at a glance.
Analyze: See various "over-time" views for traffic, WAN optimization, response time, managed device, and media functions.
Capture: Configure multiple sessions for capturing, filtering, and decoding packet data, manage the data in a file control system, and display the contents of the packets.
Setup: Perform all setup needed to run Cisco NAM 5.1.
Administration: Perform user and system administration tasks, and generate diagnostic information for obtaining technical assistance.
Under some topics in the mega-menu, the last selection is "Detailed Views." Click the small arrow to the right of the menu selections to see the submenu and the functions available.
On most charts that appear on the dashboards, you can left-click on a colored bar of data to get a context menu, with which you can get more detailed information about that item.
The example above is from the Traffic Summary Dashboard, Top N Applications chart. The description to the right of "Selected Application" in the menu shows what item you had clicked on (in this case, "snmp").
The menu items above the separator line are specific to the selected element of the Top N chart. The items below the separator line are not specific to the selected element, but apply to the Top N chart.
From the Context menu of many of the bar charts that show Applications or Hosts or VLANs. you can start a Capture. For example, when you click on an Application in a bar chart (as in the screenshot above) and choose Capture, the following is done automatically:
•A memory-based capture session is created
•A software filter is created using that application
•The capture session is started
•The decode window pops open and you can immediately see packets being captured.
Note Quick Capture does not use site definition/filter.
From both the selectors in the upper left of the dashboards and from the item the user clicks on in the barchart, the following are carried into the context for the capture session:
•Data Source (if it is a DATA PORT)
If you open up the associated Capture Session and its associated Software Filter, the above settings will be shown.
On most Monitoring and Analyze windows, you can use the Interactive Report on the left side to view and change the parameters of the information displayed in the charts. You can redefine the parameters by clicking the Filter button on the left side of the Interactive Report.
The reporting time interval selection changes depending upon the dashboard you are viewing, and the NAM platform you are using. The NAM supports up to five saved Interactive Reports.
Chart View / Grid View
Most of the data presented by the NAM can be viewed as either a Chart or a Grid. The Chart view presents an overview of the data in an integrated manner, and can show you trending information. The Grid view can be used to see more precise data. For example, to get the exact value of data in graphical view, you would need to hover over a data point in the Chart to get the data, whereas the same data is easily visible in table format using Grid view. To toggle between the two views, use the Chart and Grid icons at the bottom of the panel:
Next to that icon is the "Show as Image" icon, with which you save the chart you are viewing as a PNG file.
Mouse-Over for Details
When in Chart view, you can mouseover the chart to get more detailed information about what occurred at a specific time.
Many of the line charts in NAM are "dual-axis," meaning there is one metric shown on the left axis of the chart and another metric shown on the right axis of the chart.
For example, in the figure above, Total Bytes per second is shown on the left axis, and Total Packets per second is shown on the right axis.
For many charts, you can drag the beginning or end to change the time interval, as shown below.
The time interval change on the zoom/pan chart will affect the data presented in the charts in the bottom of the window. The zoom/pan time interval also affects the drill-down navigations; if the zoom/pan interval is modified, the context menu drill-downs from that dashboard will use the zoom/pan time interval.
Note In a bar chart which you can zoom/pan, each block represents data collected during the previous interval (the time stamp displayed at the bottom of each block is the end of the time range). Therefore, you may have to drag the zoom/pan one block further than expected to get the desired data to populate in the charts in the bottom of the window.
When looking at information in Grid view, you can sort the information by clicking the heading of any column. Click it again to sort in reverse order.
Bits / Packets
On most Analyze charts, you can use the "Bits" and "Packets" check boxes at the top to specify which information you would like the chart to display.
Note that you can choose to display either Bits or Bytes under Administration > System > Preferences.
The Statistics legend gives you the minimum, maximum, and average statistics of the data. This will display the initial data retrieved for the selector.
Above the Statistics legend is a dropdown selector, which allows you to choose which of the metrics shown in the "over-time" chart you would like reflected in the Statistics legend. For example, if the line chart has Bits or Packets in the check boxes above the line chart, the selector over the Statistics legend will show the same choices, Bits or Packets.
Context-Sensitive Online Help
The "Help" link on the top-right corner of the NAM interface will bring you to the Help page for that particular window of the GUI.
In addition to the Help link on the top-right corner of each page, some pages also have a blue "i", which provides help for that specific subject.
Understanding How the NAM Works
The Cisco NAM product family addresses the following major functional areas:
•Network layer Traffic Analysis. The NAM provides comprehensive traffic analysis to identify what applications are running over the network, how much network resources are consumed, and who is using these applications. The NAM offers a rich set of reports with which to view traffic by Hosts, Application or Conversations. See the discussions about Dashboards, starting with Traffic Summary, page 3-4.
•Application Response Time. The NAM can provide passive measurement of TCP-based applications for any given server or client, supplying a wide variety of statistics like response time, network flight time, and transaction time.
•WAN Optimization insight. The NAM can provide insight into WAN Optimization offerings that compress and optimize WAN Traffic for pre- and post-deployment scenarios. This is applicable for Optimized and Passthru traffic.
•Voice Quality Analysis. The NAM provides application performance for real time applications like Voice and Video. The NAM can compute MOS, as well as provide RTP analysis for the media stream. See Media, page 3-37.
•Advanced Troubleshooting. The NAM provides robust capture and decode capabilities for packet traces that can be triggered or terminated based on user-defined thresholds.
•Open instrumentation. The NAM is a mediation and instrumentation product offering, and hence provides a robust API that can be used by partner products as well as customers that have home grown applications. See the Cisco Prime Network Analysis Module 5.1 API Programmer's Guide (contact your Cisco account representative for this document).
The NAM delivers the above functionality by analyzing a wide variety of data sources that include:
•Port mirroring technology like SPAN and RSPAN/ERSPAN. The NAM can analyze Ethernet VLAN traffic from the following sources: Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast EtherChannel SPAN, RSPAN, or ERSPAN source port
•NetFlow Data Export (NDE). The NAM can analyze NetFlow Data Export (NDE) from Managed Devices (Routers/Switches)
•Performance Agent (PA)
•Network Tap Device. Applies to Cisco NAM 2200 Series appliances only.
The Cisco NAM 5.1 retains the ability to use SNMP as a southbound interface for configuration and data retrieval from switches and routers. NAM 5.0 moves away from RMON and toward web services and Netflow Data Export as the northbound interface for data objects. NAM 5.0 will continue to support baseline manageability features of SNMP such as MIB-2 and IF-TABLE, and the health status and interface statistics that can be used by external products like Fault and Configuration Management offerings (for example, CiscoWorks LMS).
For more information about SPAN, RSPAN, and ERSPAN, see the "Configuring Local SPAN, RSPAN, and ERSPAN" chapter in the Catalyst 6500 Series Switch Software Configuration Guide.
For more general information about NDE, see this section in the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX.
Table 1-1 summarizes the traffic sources that are used for NAM monitoring.
Table 1-1 Summary of Traffic Sources for NAM Monitoring
NetFlow Data Export NDE (local)
NetFlow Data Export NDE (remote)
The next sections describe how the NAM uses the supported data sources:
•Understanding How the NAM Uses SPAN
•Understanding How the NAM Uses VACLs
•Understanding How the NAM Uses NDE
•Understanding How the NAM Uses WAAS
•Understanding How the NAM Uses PA
Understanding How the NAM Uses SPAN
A switched port analyzer (SPAN) session is an association of a destination port with a set of source ports, configured with parameters that specify the monitored network traffic. You can configure up to two SPAN sessions in a Catalyst 6500 or 7600 Routers chassis. Newer Cisco IOS images may support more than two SPAN sessions. Consult the Cisco IOS document for the number of SPAN sessions supported per switch or router.
The WS-SVC-NAM-1 platform provides a single destination port for SPAN sessions. The WS-SVC-NAM-2 platform provides two possible destination ports for SPAN and VLAN access control list (VACL) sessions. Multiple SPAN sessions to the NAM are supported, but they must be destined for different ports. The NAM destination ports for use by the SPAN graphical user interface (GUI) are named DATA PORT 1 and DATA PORT 2 by default. In the CLI, SPAN ports are named as shown in Table 1-2.
Table 1-2 SPAN Port Names
data port 1 and data port 2
For more information about SPAN and how to configure it on the Catalyst 6500 series switches, see the Catalyst 6500 Series Switch Software Configuration Guide:
For more information about SPAN and how to configure it on the Cisco 7600 series router, see the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX:
Note Due to potentially very high volume of ERSPAN traffic from the source, we recommend that you do not terminate the ERSPAN session on the NAM management port. Instead, you should terminate ERSPAN on the switch, and use the switch's SPAN feature to SPAN the traffic to NAM data ports.
Understanding How the NAM Uses VACLs
A VLAN access control list can forward traffic from either a WAN interface or VLANs to a data port on the NAM. A VACL provides an alternative to using SPAN; a VACL can provide access control based on Layer 3 addresses for IP and IPX protocols. The unsupported protocols are access controlled through the MAC addresses. A MAC VACL cannot be used to access control IP or IPX addresses.
There are two types of VACLs: one that captures all bridged or routed VLAN packets and another that captures a selected subset of all bridged or routed VLAN packets. Catalyst operating system VACLs can only be used to capture VLAN packets because they are initially routed or bridged into the VLAN on the switch.
A VACL can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or, with Release 12.1(13)E or later releases, a WAN interface. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, the VACLs apply to all packets and can be applied to any VLAN or WAN interface. The VACLs are processed in the hardware.
A VACL uses Cisco IOS access control lists (ACLs). A VACL ignores any Cisco IOS ACL fields that are not supported in the hardware. Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject to a number of features, such as access control (security), encryption, and policy-based routing. Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed packets.
After a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VACL. Packets can either enter the VLAN through a switch port or through a router port after being routed. Unlike Cisco IOS ACLs, the VACLs are not defined by direction (input or output).
A VACL contains an ordered list of access control entries (ACEs). Each ACE contains a number of fields that are matched against the contents of a packet. Each field can have an associated bit mask to indicate which bits are relevant. Each ACE is associated with an action that describes what the system should do with the packet when a match occurs. The action is feature dependent. Catalyst 6500 series switches and Cisco 7600 series routers support three types of ACEs in the hardware: IP, IPX, and MAC-Layer traffic. The VACLs that are applied to WAN interfaces support only IP traffic.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet coming into the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.
When configuring VACLs, note the following:
•VACLs and context-based access control (CBAC) cannot be configured on the same interface.
•TCP Intercepts and Reflexive ACLs take precedence over a VACL action on the same interface.
•Internet Group Management Protocol (IGMP) packets are not checked against VACLs.
Note You cannot set up VACL using the NAM interface.
For details on how to configure a VACL with Cisco IOS software, see the Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide.
For details on how to configure a VACL on a WAN interface and on a LAN VLAN, see VACL, page 2-21.
Understanding How the NAM Uses NDE
The NAM uses NetFlow as a format for the ongoing streaming of aggregated data, based on the configured set of descriptors or queries of the data attributes in NAM. NetFlow Data Export (NDE) is a remote device that allows you to monitor port traffic on the NAM; the NAM can collect NDE from local or remote switch or router for traffic analysis.
To use an NDE data source for the NAM, you must configure the remote device to export the NDE packets. The default UDP port is 3000, but you can configure it from the NAM CLI as follows:
firstname.lastname@example.org# netflow input port ?
<port> - input NDE port number
The distinguishing feature of the NetFlow v9 format, which is the basis for an IETF standard, is that it is template-based. Templates provide an extensible design to the record format, a feature that must allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.
For more detailed information about NAM and NetFlow, see NetFlow, page 2-22.
For more information on NetFlow, see http://www.cisco.com/go/netflow or the "Configuring NetFlow Data Export" chapter in the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX.
For specific information about creating and managing NDE queries, see the Cisco Network Analysis Module API Programmer's Guide 5.1 (contact your Cisco account representative if you need to refer to this document).
Understanding How the NAM Uses WAAS
Cisco Wide Area Application Services (WAAS) software optimizes the performance of TCP-based applications operating in a wide area network (WAN) environment and preserves and strengthens branch security. The WAAS solution consists of a set of devices called Wide Area Application Engines (WAEs) that work together to optimize WAN traffic over your network.
When client and server applications attempt to communicate with each other, the network devices intercepts and redirects this traffic to the WAEs to act on behalf of the client application and the destination server.
WAEs provide information about packet streams traversing through both LAN and WAN interfaces of WAAS WAEs. Traffic of interest can include specific servers and types of transaction being exported. NAM processes the data exported from the WAAS and performs application response time and other metrics calculations and enters the data into reports you set up.
The WAEs examine the traffic and using built-in application policies to determine whether to optimize the traffic or allow it to pass through your network not optimized.
You can use the WAAS Central Manager GUI to centrally configure and monitor the WAEs and application policies in your network. You can also use the WAAS Central Manager GUI to create new application policies so that the WAAS system will optimize custom applications and less common applications. Beginning with Cisco NAM 5.1, the Cisco NAM is accessible from within the Central Manager interface. The Cisco NAM integration with WAAS Central Manager provides for easier viewing of NAM reports that are directly associated with Application Response Time measurements through the WAN, in both WAAS optimized and non-optimized environments. See WAAS Central Manager, page 2-36.
For more information about WAAS data sources and managing WAAS devices, see Understanding WAAS, page 2-32.
Understanding How the NAM Uses PA
The Performance Agent (PA) can monitor interface traffic and collect, analyze, aggregate, and export key performance analytics to a Cisco Network Analysis Module for further processing and GUI visualization. PA integration with NAM 5.1 enables you to have a lower cost way to gain visibility into Application Response Time at the branch. NAM integration with PA also reduces complexity of needing to manage a separate NAM product within the branch.
Using Cisco PA, you can gain visibility into application response time and traffic statistics at remote branches. It is supported on ISR 880, ISR 890, and ISR G2 platforms with Cisco IOS Software Release 15.1(4)T. Deployed with WAAS Express, this feature allows an end-to-end view into the WAN-optimized network, delivering a cost-effective and scalable solution.
PA has the ability to consolidate and filter information before it is exported, ensuring that only contextually-required data is exported and consumed versus all data. As an example, NetFlow Export supports a number of functions, including response time and traffic analysis. Instead of exporting multiple different flows, the PA has the intelligence to consolidate, filter, and export flow data that addresses the particular user's need. Besides consolidating and filtering information, PA's mediation capabilities also includes the ability to use key Cisco IOS-embedded functionality (for example, Embedded Event Manager, or Class-Based QoS) to enrich both PA functionality and router value.
For information about configuring PA data sources, see Managing ISR PA Devices, page 2-37.
Network Performance Management Lifecycle
In any network, the administrator must define "normal" and "abnormal" behavior patterns. Once this is accomplished, the goal is to maintain the network in its normal state and take any actions needed to prevent it from going into an abnormal state. When such an abnormal situation occurs, such as an outage, tools must be available to quickly isolate and fix the problem. See Figure 1-3. The "Operational Network" cycle that is at the center of the picture is where the network should ideally be at all times. The other two cycles indicate the process of repairing a network problem and the process of planning a change to the network. The following is a brief outline of the performance management lifecycle:
Step 1 Recognize and list your network performance goals. This includes setting expected limits for response time, expected ranges for MOS values, bandwidth usage per application, and utilization on critical WAN links. The importance of these metrics is closely related to your specific network; for example, an enterprise with a large number of branches and a small main campus might focus on WAN utilization, whereas an enterprise with one main campus and one large branch with users that use collaboration tools across the two will likely focus on application performance metrics such as response time measurements.
Step 2 Create a baseline of current network performance metrics. The NAM can help document a variety of these baseline metrics including applications, bandwidth per application, top conversations and hosts, QoS values used in the network, unrecognized protocols, and current server and end-to-end response time measurements.
These measurements might meet or exceed your expectations set in Step 1. It might be worthwhile to revisit those expectations and see whether some refinements are necessary. For example, 80 percent utilization on the WAN link may be quite acceptable, whereas the real reason behind application delays may seem to be bursts of unrecognized traffic. In this case, one might be lenient on WAN link utilization and focus more on QoS-related issues.
Step 3 Enforce policies using alarms, syslogs, traps, and other alerts. NAM can provide alerts by e-mail, FTP, and other traditional methods like syslogs and traps. These tools must be configured so that the normal functioning range of the network is demarcated. If any of the tracked metrics show values that are outside this normal range, then the NAM can be used to send alerts as appropriate. The information stored on the NAM is openly available to applications. It is recommended that any enterprise-wide network management tools and monitoring applications be configured to receive alerts from the NAM. The NAM is then able to act as a network sentinel and warn proactively about a host of issues, and also provide access to rapid troubleshooting when problems occur.
The goal is for all important network metrics to be within the normal ranges. But knowing the normal range of the network is a constant learning process, and as the network evolves and grows, it can be a moving target. Therefore, the lifecycle described above is a continuous process of fine-tuning the network and the metrics that are most important to normal behavior.
Figure 1-3 The Network Performance Management Lifecycle
Places in the Network Where NAMs Are Deployed
Because the NAM is available in various form factors, it allows significant flexibility in deployment. At the same time, the available NAMs must be deployed in locations that are most effective in helping you monitor, measure, and report on the network's health. Any location that is the ingress or egress point of a logical network boundary (aggregation layer, core, campus edge, and so on) can offer valuable insights into the network activity within that partition. Therefore, such boundary locations are usually good choices for NAM deployment. Figure 1-4 shows various possible locations at which NAMs can be deployed.
Figure 1-4 Places in the Network in Which NAMs Can Be Deployed
The access and distribution layers, the data center, WAN edge, and branch office are all valid choices, and you should make deployment decisions based on the specific issue at hand. Here is a list of common places in the network where NAMs are deployed and the information available at each place
•Data center: Over the past few years, data center consolidation has been a common theme across enterprises. The centralized data center becomes a critical hub of activity within the enterprise network and helps cut costs, focus IT efforts in one location, and offer a rich variety of services across the enterprise. Placing a NAM in such data centers offers excellent visibility into the most business-critical applications and transactions.
•Server farms: Place near server farms (web, FTP, and Domain Name System [DNS], for example), data centers, or near IP telephony devices (Cisco Unified Communications Manager), IP phones, and gateways where the Cisco NAM can monitor request-response exchanges between servers and clients and provide rich traffic analysis, including IAP.
•Campus and WAN edge: This location is very often a good choice-it offers visibility into traffic entering and exiting the campus. It provides a central point from which to measure voice quality of all streams leaving the campus and going across the WAN. The WAN is typically the smallest bandwidth link, and therefore, call metrics such as latency, jitter, and so on might require close monitoring for deterioration in quality. It is also an excellent location to measure WAN utilizations and health metrics of various branch routers using NetFlow. Place Cisco NAMs at the WAN edge to gather WAN statistics from the Optical Services Module (OSM) or FlexWAN interfaces or to collect NetFlow statistics on remote NetFlow-enabled routers. This can provide usage statistics for links, applications (protocol distributions), hosts, and conversations, which can be useful for trending data and capacity planning.
•Branch office: Place Cisco NAMs at the edge of the branch office to troubleshoot issues at remote sites. This place offers the advantage of visibility into all traffic crossing the branch boundary. Headquarters personnel can troubleshoot issues remotely through the NAM GUI.
•Distribution layer: The distribution layer is typically a convergence point for traffic from smaller networks; for example, three buildings of a company might feed into a distribution layer switch. Placing the Cisco NAMs at the distribution layer allows visibility into the application trends specific to that set of buildings. In troubleshooting situations, you might start working with an edge NAM and then log in to a distribution NAM to isolate and fix the problem. Also, it is a good location to capture RTP voice streams. If phone calls in one building in the campus need to be monitored for quality, the aggregation layer is a good choice, as the switch in this layer will typically "catch" all calls being made in that building.
•Access layer: The access layer is the layer closest to users and is not a typical location for NAMs. However, with the rapid increase in network traffic over the years, it has become somewhat common to have Cisco Catalyst 6500 Series Switches in the closet of each floor. Cisco NAMs can be very useful, especially for those access layer switches that serve critical companywide meetings or conferences and other business-critical needs. Once again, close monitoring of IP phones is a good application in this layer as well.
Choice of Hardware and Software Platforms for a Given Place in the Network
Depending on the usage scenario and the location in which the NAM will be deployed, you must make a decision on the type of NAM platform to deploy. This section provides the necessary background and details to make such deployment decisions. See Table 1-3 for a summary of NAM platforms. Refer to http://www.cisco.com/en/US/products/ps5740/Products_Sub_Category_Home.html for further information regarding the different platforms.
Table 1-3 NAM Platforms
Cisco NAM-1/-2 blade
The NAM-1/-2 blade fits into any slot on a Catalyst 6500 or Cisco 7600.
The NAM-2 blade has two data ports. These ports connect directly to the switching fabric and are not externally visible.
Each port can support one SPAN session. Therefore, the NAM-2 blades support a total of two SPAN sessions, while the NAM-1 blades support one SPAN session.
Typical PINs: Data center, core, and distribution
Note If required, currently owned NAM-1 and NAM-2 (without -250S suffix) cards can be upgraded easily using a memory upgrade kit. The kit essentially provides an upgrade to the RAM on your NAM cards and offers an easy way to meet the performance needs of NAM software while allowing continued use of the existing NAM hardware investment.
Note that the memory kit only upgrades RAM and not the hard drive.
Cisco NAM Branch module
The NAM on SM-SRE takes up a module slot on a Cisco 2900 or Cisco 3900 Integrated Services Router (ISR G2).
This module has one internal and one external port. The internal interface receives traffic forwarded from router interfaces, while the external interface can be used to connect to wire taps.
Cisco Prime NAM Software 5.1 for ISR G2 SRE
NAM on SM-SRE 700 and SM-SRE 900
Typical PINs: Campus edge, branch edge, WAN edge
Note Because the network modules have an internal and an external port, they provide the flexibility to monitor packets from a router interface or directly tap into traffic from an external device using the external Ethernet port.
The NME-NAM takes up a module slot on a Cisco 2800 or Cisco 3800 Integrated Services Router (ISR).
The NME-NAM (with adapter) takes up a module slot on a Cisco 2900 or Cisco 3900 Integrated Services Router (ISR G2).
This module has one internal and one external port. The internal interface receives traffic forwarded from router interfaces, while the external interface can be used to connect to wire taps.
Typical PINs: Campus edge, branch edge, WAN edge
Note Because the network modules have an internal and an external port, they provide the flexibility to monitor packets from a router interface or directly tap into traffic from an external device using the external Ethernet port.
Cisco NAM 2204 Appliance
The midrange appliance has four 1 Gigabit Ethernet ports, available either as copper or optical interfaces.
Appliances offer the flexibility to deploy NAMs with any Cisco device irrespective of platform. 1 rack unit.
Cisco NAM 2204 Appliance, four 1 Gb Ethernet, RJ-45
Cisco NAM 2204 Appliance, four 1 Gb Ethernet, SFP
Typical PINs: Data center, core, campus edge
Cisco NAM 2220 Appliance
The high-end appliance offers two 10 Gigabit Ethernet ports. 2 rack unit.
The 2220 appliance is NAM's high-end hardware platform and is best suited to handle the high performance required in data center and core networks.
Cisco NAM 2220 Appliance, two 10 Gb Ethernet
Cisco PRIME NAM Virtual Blade on WAAS
The NAM Virtual Blade is software residing on a Cisco WAVE-574 and WAE-674 appliances.
VB on WAAS appliance
software for WAAS 574/674
Cisco PRIME NAM Virtual Service Blade on Nexus 1010
NAM Virtual Service Blade is a software that resides in Nexus 1010 providing visibility into Nexus 1000V switch.
Cisco Prime NAM Software 5.1 for Nexus 1010
A Note on the Cisco 2200 Series Appliances
In addition to the existing platforms on which the NAM can be installed, the NAM software is also available as an appliance. The addition of the appliance to the NAM product line provides increased flexibility and higher performance. The appliances are available in two varieties. The Cisco NAM 2220 Appliance offers the best performance in the NAM product line. The product contains two 10-Gigabit Ethernet ports that are ideally suited to the high-bandwidth data center and core environments. The Cisco NAM 2204 Appliance contains four 1-Gigabit Ethernet ports, available both in copper and fiber, and allows flexible deployment in a variety of locations across the network.
The NAM appliance serves as a complement to the network module implementations of the NAM. The network modules (or cards) reside within an ISR, Catalyst 6500 Series Switch, or Cisco 7600 Series Router, and offer an integrated solution. Such integration saves rack space and power, eliminates the need for additional cabling, and efficiently monitors device traffic with no network overhead. Still, there are situations where an appliance is preferred. For example, you may wish to monitor a Catalyst 4500 Series Switch or a Nexus 7000 Series Switch that does not support NAM network modules. Or, you may wish to connect the NAM to multiple switches in parallel as you build a new segment in the network. This can be achieved easily with the Cisco 2204 Appliance, which has four ports that can each be connected to different devices. Or, you may want to monitor traffic from a couple of core routers that feed into the data center, and therefore require 10-Gigabit Ethernet ports. The Cisco 2220 Appliance might be ideally suited for this scenario. The addition of the appliances to the NAM product line provides users with additional flexibility in deploying the appropriate NAM hardware depending on the location in the network.
Enhanced performance also provides other deployment benefits. For example, the number of voice streams supported by the NAM is an important consideration while planning for voice over IP quality monitoring. Other limits include the number of NetFlow records processed per second, buffer sizes available for packet capture, number of WAE devices that send WAN optimization data to NAM, and in general, monitoring performance under load.
The appliances are not integrated into the Cisco infrastructure, but they do support some of the features that the integrated NAM modules bring. On the integrated Catalyst 6500 NAM cards, you may have used the ability to poll MIBs on the supervisor and collect statistics on important aspects such as switch CPU health, interface traffic, utilization, and so on. The appliance defines the concept of a "managed device" that achieves the same result for the device being monitored. You will need to choose one of the Cisco devices (supported platforms include Catalyst 6500, Cisco 7600, and Catalyst 4500 Series devices) being monitored by the appliance as your managed device. The NAM appliance will be able to poll MIBs on this managed device and obtain relevant performance troubleshooting information just like the NAM cards. Also available is the ability to configure SPAN sessions on the managed device through the NAM GUI on the appliance. Credentials to access the managed device need to be configured in order for these capabilities to be enabled.