Table Of Contents

Deployment Guide

Introduction

Cisco 2600/3660/3700 Series Network Analysis Module with Embedded NAM Traffic Analyzer

WAN Usage Monitoring at Application Level

Monitoring Application Performance

Fault Isolation and Troubleshooting

VoIP and QoS Monitoring

Capacity Planning and Other Extended Applications

Getting Started

Topology

Deployment Considerations and Planning

Configuration Steps

Testing Deployment Scenarios

Scenario 1: Real-Time and Historical Traffic Analysis

Scenario 2: Application Performance Management

Scenario 3: Fault Isolation and Troubleshooting

Scenario 4: VoIP and QoS Monitoring

Scenario 5: Using Cisco NM-NAMs for WAN Monitoring

Scenario 6: Enhancing Network Security

Scenario 7: Capacity Planning and Extended Applications

Expanding the Deployment

Summary


Deployment Guide


Cisco 2600/3660/3700 Series Network Analysis Module

Introduction

The Cisco® 2600/3660/3700 Series Network Analysis Module (NM-NAM) is a network module that is installed in a branch router chassis to provide integrated network monitoring services within the router. The Cisco NM-NAM collects statistics about network traffic and is used for real-time traffic analysis, performance monitoring, and troubleshooting.

The Cisco NM-NAM is an extension of the Network Analysis Module (NAM) designed for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers, generally deployed in the campus LAN, data center, or any critical points in the network that require high-performance traffic analysis. The Cisco NM-NAM extends LAN deployments by allowing installation directly on WAN devices. This network module is a smaller form factor and lower performance than the NAM for the Catalyst 6500 and Cisco 7600 series, but still provides similar features and benefits, an easy-to-deploy approach, and management from an embedded Web application.

By planning and reviewing different Cisco NM-NAM deployment scenarios, this guide helps users understand the benefits of NAMs and eases their implementation. Saving time in deployment and taking full advantage of NAM features will maximize your investment in the Cisco NM-NAM(s). The NM-NAMs are standards based, so users have open options for using the NAMs with other tools. For example, external standards-based applications work with the NAMs to provide rich network-traffic information and prepare a scalable network for the future.

Cisco 2600/3660/3700 Series Network Analysis Module with Embedded NAM Traffic Analyzer

The Cisco NM-NAM can be deployed in the network for many useful applications.

WAN Usage Monitoring at Application Level

Using Remote Monitoring (RMON), RMON 2, several extended RMON MIBs, and NetFlow, the NAM detects the applications on the network and provides detailed real-time and historical information about how these applications utilize the bandwidth, which hosts access these applications, and which client-and-server pairs generate the most traffic.

Monitoring Application Performance

The Cisco NM-NAM provides valuable information about the delays in server responses to client requests. Using the Application Response Time (ART) MIB, the NAMs can identify problems with applications or servers in critical environments such as e-commerce and IP telephony.

Fault Isolation and Troubleshooting

Using the Cisco NM-NAM, network managers can set thresholds and alarms for various network parameters such as increased utilization, severe application response delays, and voice-over-IP (VoIP) quality degradation, and be alerted to potential problems. The NAMs provide comprehensive views on applications, hosts, VoIP, quality of service (QoS), and so on, to isolate faults or malfunctions in the network. The embedded, Web-based NAM Traffic Analyzer can capture and decode packets in real time to aid troubleshooting.

VoIP and QoS Monitoring

The Cisco NM-NAM can analyze VoIP traffic flows in real time to collect valuable information, including call setup details and VoIP quality metrics. Network managers can be alerted to VoIP quality degradation and can isolate potential problems.

The NAM makes the deployment of QoS for VoIP and other critical services effective by identifying violations of QoS policies. The NAMs support the Differentiated Services Monitoring (DSMON) MIB, which monitors traffic by differentiated services code point (DSCP) allocations defined by QoS policies.

Capacity Planning and Other Extended Applications

Cisco NM-NAMs have an embedded application—the NAM Traffic Analyzer—that can be accessed through a Web browser, giving the administrator direct access to information targeting any specific area of interest in the network. The NAMs can serve as data sources for standards-based applications for a variety of purposes including capacity planning, long-term historical reporting and trending, anomaly-based threat detection, etc.

Considering the wide array of uses that NAMs offer, the deployment can vary depending on specific monitoring requirements and the placement in the network.

Getting Started

The Cisco NM-NAM can be deployed with a variety of different network topologies. This guide discusses deployment configuration and testing later, but first discusses deployment considerations and planning.

Topology

For the purpose of this discussion, Figure 1 represents a small-to-large organization deploying Cisco 2600, 3660, and 3700 series branch routers. This scenario demonstrates how a customer can deploy a NAM in multiple locations, such as at each branch location, at remote offices, and at the headquarters. Some high-capacity NAMs may already be deployed in the campus distribution layers, the data center, and WAN edge. Although Figure 1 shows the NAMs residing in most of the router chassis, it is not required that they be installed in every available device. Placement of the NAMs depends on the various business needs.

Figure 1

The Cisco NM-NAM in a Network

Deployment Considerations and Planning

To decide how to deploy Cisco NM-NAM in the network, first answer some questions that address the purpose and needs of the administrator and how the NAMs can provide an accurate analysis. This approach helps ensure the effective use of NAMs and minimizes the actual cost of deployment.

The following questions will help in deployment planning:

What business or technical problem(s) am I trying to solve with the NAM?

A specific application or response-time problem?

Voice or data QoS delivery?

Monitoring for trending, capacity planning, or fault management?

Acute problems?

Some combination of these?

A clear understanding of the monitoring objectives helps you make appropriate deployment decisions and use the NAMs to your best advantage.

Where should I place the NAM in the network?

In general, the Cisco NM-NAM can be placed wherever Cisco 2600XM, 2691, 3660, or 3700 series routers are placed, such as at the branch office(s), remote sites, and, if applicable, at or near the headquarters' headend router. At any and all locations, vital network information can be gathered:

Get feedback for applications such as Web, FTP, and Domain Name System [DNS], or IP telephony devices (Cisco CallManager), IP phones, and gateways where the NAM can see request-response exchanges between servers and clients and provide rich traffic analysis including the ART MIB. Network managers can use traffic data to clearly understand how application resources are used. They may then allocate such resources to best meet the needs of users.

If deploying VoIP, the Cisco NM-NAMs can monitor critical clients such as IP phones; for example, IP phones can be monitored for latency or for adequate response to and from Cisco CallManagers.

Monitor WAN interfaces by placing NM-NAM on the branch routers. Per-interface WAN statistics can be collected to provide usage statistics for links, applications (protocol distributions), hosts, and conversations, which can be useful for trending and capacity planning or network health.

Troubleshooting remote sites is made easier, taking full advantage of the remote accessibility and data collection of the Cisco NM-NAMs. Since all data processing is done on the network module, real-time and historical monitoring is efficiently possible from the remote user's Web browser such as Internet Explorer or Netscape.

What data sources are available with the Cisco NM-NAM?

The Cisco NM-NAM has two interfaces—external and internal—that it can use to analyze traffic. To provide Layer 2 interface statistics, the Cisco NM-NAM uses MIB-II information in the routers. In addition to the external and internal interface and the use of MIB-II, the NM-NAM can also use NetFlow to provide detailed traffic analysis for NetFlow-enabled device(s). Table 1 summarizes the data sources that can be used with the NM-NAM. Table 2 displays the use of MIB-II for interface statistics.

The Cisco NM-NAM uses the packet-monitoring feature of the Cisco IOS available in the Cisco 2600, 3660, and 3700 Series routers to analyze packets from the router interface(s). Unlike the method of Switched Port Analyzer (SPAN)/Remote Switched Port Analyzer (RSPAN) that is only available for NAM-1/NAM-2 in Cisco Catalyst 6500 Series and Cisco 7600 Series routers, when enabled on an interface, packet monitoring uses Cisco Express Forwarding to send an extra copy of an IP packet that is received or sent out of that interface to the internal interface of NAM to process.

Table 1  Data Sources Available to the Cisco NM-NAM 

| Data Source | Description | Advantages | Limitations |
| --- | --- | --- | --- |
| MIB-II | Counters that can be polled for general interface statistics | Allows for calculating the interface statistics, such as utilization, discards, and errors; in and out traffic are separately calculated | No RMON statistics; no alarms capability |
| Internal interface | Receives control and data traffic through the backplane for processing by the NAM; if the internal interface is used for management traffic, it can receive NetFlow packets for processing | Detailed packet monitoring provides Layer 3-7 analysis for LAN/WAN traffic; can also be used for management traffic | No Layer 2 visibility, including WAN-framing information; traffic sent through the internal interface uses router resources such as CPU, SDRAM, and backplane Peripheral Component Interconnect (PCI) bandwidth |
| External interface | Receives traffic through an external Fast Ethernet interface for processing by the NAM; if the external interface is used for management traffic, it can receive NetFlow packets for processing | Does not require router resources to copy packets to NAM; provides Layer 3-7 analysis; Layer 2 visibility achieved through packet decodes; can monitor LAN traffic when used in conjunction with a hub | No WAN visibility |
| NetFlow | NetFlow Data Export (NDE) efficiently provides the metering base for a key set of applications, including network traffic accounting, usage-based network billing, network planning, and monitoring | Does not require router to copy packets; includes support for remote devices, not limited to local router statistics; provides statistics for applications/hosts/conversations; provides custom data sources that are specifically set up for some interfaces | Additional configuration may be needed to enable NetFlow; some statistics that require packet monitoring are not available, such as voice statistics, ART, and Differentiated Services (DiffServ) |


Table 2  Cisco NM-NAM Displaying L2 Interface Statistics Using the MIB-II Object 

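| Interface | In Packets | Out Packets | In Bytes | Out Bytes | In Non-Unicast | Out Non-Unicast | In Discards | Out Discards | In Errors | Out Errors |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Fa0/0 | 2414546 | 268134 | 1293908310 (99%) | 30286510 | 49325 | 806 | 0 | 0 | 0 | 0 |
| Se0/0 | 220707 | 2307134 | 16714392 (1%) | 1198105492 | 0 | 0 | 0 | 73454 | 0 | 0 |
| An2/0 | 15791 | 0 | 663704 (<1%) | 949266 | 4 | 15814 | 0 | 2570989 | 0 | 0 |
| Fa0/1 | 0 | 0 | 0 (<1%) | 0 | 0 | 0 | 0 | 0 | 0 | 0 |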


When do I use the internal versus external interface of the Cisco NM-NAM?

In the simplest configuration, the internal interface can be used for both monitoring and management. This method requires more resources from the router, and management traffic is mixed with monitored traffic.

Another method is to use the internal interface for WAN monitoring via packet monitoring, and use the external interface to handle management traffic such as HTTP, Simple Network Management Protocol (SNMP), Telnet, and Secure Shell (SSH) Protocol. In addition, the external interface is ideal for monitoring the LAN traffic of the network, as shown in Figure 2.


Note: When using the internal interface for WAN monitoring, packet monitoring must be enabled on each WAN interface to be monitored. The external interface can be attached to a nearby switch, and SPAN could be issued on that switch to analyze traffic on a wholly different device.


Figure 2

Cisco NM-NAM Uses Internal and External Interfaces to Monitor WAN and LAN Traffic

How can I collect NetFlow data from remote routers?

In addition to providing comprehensive traffic analysis for WAN/LAN interfaces on the local router, the NAM can also provide detailed traffic analysis for interfaces on a remote device by enabling NDE on those devices. The following are configuration examples for enabling NetFlow on Cisco IOS® routers.


Note: It is recommended that the remote NetFlow devices be within near-network proximity of the NAMs. Additionally, limit NetFlow traffic across the WAN.


NetFlow Configurations

To configure NetFlow for Cisco IOS Software, follow these steps:


Step 1. Configure NetFlow.

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface type slot/port

Step 2. Enable NetFlow for the interface.

Router(config-if)# ip route-cache flow

Step 3. Export the routed flow cache entries to the NAM User Datagram Protocol (UDP) port 3000.

Router(config-if)# exit
Router(config)# ip flow-export destination NAM-address 3000

Note: The UDP port number must be set at 3000.


When you configure a NAM module as a NetFlow collection destination, you should use the IP address of the NAM (set up by sessioning into the NAM module).

This example shows how to set up a basic NetFlow configuration to monitor traffic on Serial0/1, with NAM destination IP address 172.20.104.74 on UDP 3000:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial0/1
Router(config-if)# ip route-cache flow
Router(config-if)# exit
Router(config)# ip flow-export destination 172.20.104.74 3000
Router(config)# exit

Enabling Additional NetFlow Data Sources

Use the NAM Traffic Analyzer to enable additional NetFlow monitoring devices. Within Setup > Data Sources > NetFlow > Listening Mode, click on "Start." This allows the NAM to listen to any NetFlow packets being sent to it (Figure 3). When you see the IP address or addresses, select and add the device(s), and provide the SNMP read community string. Clicking on "Details" will display the interfaces reported in NDE packets, as shown in Figure 4; this is most useful when creating custom data sources to differentiate traffic by interface, direction, etc.

Test for connectivity and SNMP community string from the Setup > Data Sources > NetFlow Devices. Click on "Test;" if successful, SNMP read will show an "OK" status.

Figure 3

Adding NetFlow-Enabled Monitoring Devices

Figure 4

Get Details of NetFlow Sources
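The following added example (not Cisco code and not part of the original guide) shows what a collector does with the NDE datagrams configured above: it accepts exports only from devices that were explicitly added, totals bytes per reported input interface, and counts flows lost in transit from the sequence number. It assumes the routers export NetFlow version 5, which the guide does not state; the `Collector` class, addresses, and interface indexes are constructed for illustration.

```python
"""Parse NetFlow v5 export datagrams and total bytes per input interface (added example)."""
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
MAX_RECORDS = 30                                    # v5 limit per datagram


def build_v5(flow_sequence, flows):
    """Constructed sample data: flows are (src, dst, in_if, out_if, packets, octets)."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4), in_if, out_if,
                    packets, octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for src, dst, in_if, out_if, packets, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, flow_sequence, 0, 0, 0) + body


def parse_v5(datagram):
    """Return (flow_sequence, [flow dicts]); reject anything that is not well-formed v5."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, flow_sequence, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if not 1 <= count <= MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "packets": f[5], "octets": f[6]})
    return flow_sequence, flows


class Collector:
    """Hypothetical collector: accepts exports only from devices that were added."""

    def __init__(self, known_exporters):
        self.known = set(known_exporters)
        self.unknown = Counter()      # datagrams seen from devices not yet added
        self.lost = Counter()         # flows missed per exporter (sequence gaps)
        self.octets = Counter()       # (exporter, input ifIndex) -> bytes
        self._expected = {}

    def feed(self, exporter, datagram):
        # NDE is unauthenticated UDP, so the source address is the only filter here.
        if exporter not in self.known:
            self.unknown[exporter] += 1
            return
        seq, flows = parse_v5(datagram)
        expected = self._expected.get(exporter)
        if expected is not None and seq != expected:
            self.lost[exporter] += (seq - expected) & 0xFFFFFFFF
        # flow_sequence counts flows, so the next datagram starts at seq + count.
        self._expected[exporter] = (seq + len(flows)) & 0xFFFFFFFF
        for flow in flows:
            self.octets[(exporter, flow["in_if"])] += flow["octets"]


def demo():
    """Feed three constructed datagrams; in production they would arrive on UDP 3000."""
    collector = Collector(known_exporters={"192.0.2.1"})
    collector.feed("192.0.2.1", build_v5(0, [("10.1.1.20", "10.2.0.5", 1, 2, 10, 4000),
                                             ("10.1.1.21", "10.2.0.6", 1, 2, 5, 1500)]))
    # Sequence jumps from the expected 2 to 5: three flows were lost on the way.
    collector.feed("192.0.2.1", build_v5(5, [("10.2.0.5", "10.1.1.20", 2, 1, 8, 9000)]))
    # Export from a device that was never added as a data source.
    collector.feed("198.51.100.9", build_v5(0, [("10.9.9.9", "10.1.1.20", 7, 8, 1, 60)]))
    return collector
```

A growing `lost` counter for an exporter is a practical reason to follow the guide's advice to keep NetFlow devices close to the NAM and limit NetFlow traffic across the WAN.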

What types of statistics should I collect?

The statistics you may want to gather depend on your goals. To optimize the monitoring capacity of the NAM, enable statistics collections only for areas of interest rather than enabling all collections at once. Core collections are enabled by default; additional collections are available and can be enabled as needed for monitoring:

MIB-II and RMON 2—Enabled by default, this set of collections provides statistics on applications, hosts, and conversations and their protocol distributions (Figure 5), as well as interface statistics, port utilization, etc. (Figure 6). This is most valuable for determining bandwidth usage of links, hosts, applications, and conversations.

DSMON—Provides QoS monitoring using DSCP values. This is useful when validating traffic based on DSCP values, such as traffic, applications, or hosts statistics broken down by DSCP values. It is also very helpful for evaluating QoS policies or troubleshooting traffic marked incorrectly, whether by mistake or by deliberate intent.

ART (data and VoIP)—Provides valuable data regarding the response time between network connections, such as client to servers, IP phone to IP phone, Cisco CallManager to IP phone(s), etc. With this collection enabled, the user can also get direct response time of specific applications, and not just by addresses.

VoIP protocols (Skinny Client Control Protocol [SCCP], H.323, and Media Gateway Control Protocol [MGCP])—Provides some of the most important variables in determining the quality of VoIP calls, namely jitter and loss statistics. With SCCP and/or H.323 statistics enabled, the NAM can "sniff" packets that are VoIP-related, such as caller name, IP phone type, IP address, and especially quality statistics sent to Cisco CallManagers by IP phones after a call is finished. These statistics are then compiled into a quality report such as worst jitter, worst loss, average jitter, average loss, etc., to monitor and troubleshoot VoIP quality.

Figure 5

Cisco NM-NAM Core Collection

How can I enable collections for the additional NetFlow devices that I have added?

Similar to enabling the core collections, once the NetFlow-enabled devices are added, the data-source list will provide new NetFlow sources (Figure 6). Here is where you can enable collections to be made for each source. (To provide the greatest capacity for the NAMs, it is recommended that you only enable collections on data sources that you want.)

Figure 6

Enabling Collections for Additional NetFlow Data Sources

What are some of the performance considerations while deploying Cisco NM-NAM?

By enabling the NAM packet-monitoring feature, any traffic sent to the internal interface uses router resources such as CPU, SDRAM, and backplane PCI bandwidth. To minimize the effects on performance, it is recommended that packet monitoring be enabled only on the WAN interface and not the LAN interface(s); LAN interface(s) should be monitored using a hub connected to the NAM external interface.


Note: The Cisco NM-NAM provides Fast Ethernet class monitoring performance. When using the internal monitoring interface, it is recommended to monitor up to 10 Mbps of traffic on Cisco 2600XM and 2691 routers, and up to 45 Mbps on Cisco 3660 and 3700 series routers; the external monitoring interface can be used for higher-capacity monitoring.


Using NetFlow will also provide benefits when the packet monitoring functionality is not required. Conversely, if using NetFlow, it is important to consider the resource recommendations for the various Cisco platforms. Additionally, it is recommended that the remote NetFlow devices be within near-network proximity of the NAMs, and that you limit NetFlow traffic across the WAN.

Another performance factor to consider is DNS. If name resolution is not used, or is unimportant, disabling this feature on the NAM may enhance NAM HTTP performance. Name lookups rely on name servers. If unresolved host entries exist, Web response delays might occur when a NAM is trying to resolve unresolvable IP hosts. In general, resolving addresses to names requires more resources for processing; processing thousands of hosts on the NAM may also yield slower responses. Use DNS resolution only as needed.

It is not necessary to create "max" collections or unlimited entries in the NAM. Avoiding them will improve Web response time and allow for better packet processing.

What are the limitations and advantages of monitoring traffic with the Cisco NM-NAM?

By using Cisco IOS packet monitoring to monitor WAN interface(s), monitored traffic will be affected by filters such as access control lists (ACLs) that are configured on the router. Traffic that is blocked (discarded) by ACLs applied on monitored interfaces will not be available; only traffic that is permitted (forwarded) will be able to be copied and received by the Cisco NM-NAM for analysis. This does not apply to the LAN monitoring using the NAM external interface.

One of the advantages of the Cisco NM-NAM is its ability to provide visibility into VPN traffic. Since IP packets are encrypted at one peer router's outbound interface and decrypted at the other peer router's inbound interface, the packets can be sent to the NM-NAM after decryption and before encryption. In addition to getting top hosts/conversations/apps utilization information in real time, the NAM can provide capture/decodes, ART, and QoS, as well as alarms and historical trending information about the traffic. To provide insight into encrypted traffic, the Cisco NM-NAM must be in a router in which the encryption tunnel terminates.

Another advantage is the ease of deployment—the overall, simplified steps required to deploy Cisco NM-NAMs in the network. Network administrators will find that configuring the NAM to monitor the network will take little time; the experience will be similar to deploying NAMs for Catalyst 6500 Series switches and Cisco 7600 Series routers. The embedded NAM Traffic Analyzer also shares the same design regardless of the platforms used.

How can I use the NAM for historical reporting and trends?

The NAM can display, store, and retrieve short- and medium-term historical statistics on network traffic for reporting (see Figure 7). In the NAM Traffic Analyzer, various reports can be easily combined and viewed; users can also change settings such as period and granularity, and select from a variety of styles. The NAM will store these reports on the module's hard drive for up to 100 days each. These reports can also be exported to .CSV files for external analysis, using Excel, for example.

Figure 7

Historical Reporting Using the NAM Traffic Analyzer

How can the NAM solution be made more secure?

Enable Secure Sockets Layer (SSL) on the NAM for secure, encrypted HTTP sessions. Get the K9 Crypto patch from Cisco.com if enabling Triple Data Encryption Standard (3DES) HTTPS.

Disable remote CLI (Telnet and SSH), allowing only session access within the router.

Use authentication, authorization, and accounting (AAA) on router to control access to NAM CLI via session.

Enable TACACS+ for authentication and authorization. The NAMs also provide support for multiple TACACS+ servers.

If there is more than one NAM Web user, use different authorization levels as appropriate.

Leave SNMP on NAM off unless needed.

Configuration Steps

Once the planning for the NAM deployment is finished, you need to configure the NAM(s). This section describes the basic configuration for assigning an IP address to the Cisco NM-NAM and assumes that the router network configuration has already been configured. Please check your documentation for help with the setup of the router and appropriate configuration of internal and external interface.

1. Session into NM-NAM from router

Router> enable
Router# service-module analysis-module 1/0 session (NM-NAM is in slot 1)

2. Configure IP parameters to NM-NAM

Root@localhost#  ip interface {internal | external}
                 ip address ip-address subnet-mask
                 ip broadcast broadcast-address
                 ip host name
                 ip gateway default-gateway
                 ip domain domain-name
                 ip nameserver ip-address [ip-address]

3. Enable http NAM Web interface

Root@localhost#  ip http server {enable | disable}

After the Cisco NM-NAM is assigned an IP address, the next step is to enable NAM packet monitoring on the WAN interface(s) to be monitored.

4. Router console

Router> enable
Router# configure terminal
Router(config)# ip cef
Router(config)# interface serial 0/0
Router(config-if)# analysis-module monitoring (Repeat for each interface to be monitored by NM-NAM)
Router(config-if)# end

5. Configure the NAM Traffic Analyzer

Log into the Web application, enable data collection such as applications, hosts, and conversations

Please read the user guide for the Cisco NM-NAM for clear instructions

6. Start monitoring from the GUI

Testing Deployment Scenarios

After completing the deployment planning and configuration for the Cisco NM-NAMs, you are ready to test their monitoring and troubleshooting capabilities. The following scenarios will demonstrate these capabilities and highlight the primary areas of interest for network management.

Scenario 1: Real-Time and Historical Traffic Analysis

When RMON collections are enabled within the embedded NAM Traffic Analyzer, the Cisco NM-NAM can provide real-time traffic analysis of the network, including information about applications, hosts, and conversations. The NAM Traffic Analyzer can also be configured to trigger alarms when thresholds are reached. In addition to reporting on the top talkers and conversations, organized by protocol or application, the NAMs can filter and capture the raw packets for further troubleshooting. Some questions that can be answered in this scenario:

How much traffic is VoIP-related in the network? How much is TCP-related?

Who is the top talker, with whom is the host conversing, and which protocol is being used for each conversation?

What is the traffic usage for WAN versus LAN?

From the Monitoring panel on the main screen, tab to each given option (applications, hosts, and so on); verify that you are seeing the appropriate data. Select a different data source, and verify that the data correlates with that particular source (e.g., LAN versus WAN). If you see hosts and conversations, try clicking into their details and verify that you are seeing details about the hosts, conversations, protocol distributions, and so on.

Figure 8 shows that, by analyzing the internal data source (WAN traffic), you can determine the top talkers and conversations, and the protocols or applications that are being generated on the WAN interface(s).

Figure 8

Viewing Network Traffic with NAM Traffic Analyzer

The NAM Traffic Analyzer also provides in-depth monitoring and troubleshooting (Figure 9) of each of the hosts, related conversations, and applications statistics, and can display a real-time graph (Figure 10) of a host, conversation, or application.

Figure 9

Detailed Views for In-Depth Data Analysis

Figure 10

Real-Time Graph of a Host, Application, or Conversation

Besides serving as a real-time data and VoIP analyzer tool, the Cisco NM-NAMs also provide reporting and trending capabilities for capacity planning within the NAM Traffic Analyzer for up to 100 days (Figure 11).

Figure 11

Gathering Historical Data with NAM Traffic Analyzer

Scenario 2: Application Performance Management

With ART MIB monitoring enabled, the Cisco NM-NAM can give information about the response-time distributions per server or per server-to-client session. Based on a set of defined intervals, the NAM can report potential problems found with server responses. This is useful in troubleshooting the performance of a network because an administrator can isolate any business-critical servers that are providing slow response time to critical clients. This information is helpful in determining whether the problem is with the network or with the servers themselves. For example, when client phones complain of a large delay to dial tone, the NAM can be used to look at the Cisco CallManager response time distributions. If the Cisco CallManager response time is low, the problem is with the network and not with the Cisco CallManager.

If critical clients have problems accessing applications on the Web or database servers, the Cisco NM-NAM can isolate the problem to the server, network, or client by providing the response-time information at different points in the network.

The response metric is measured between any sequence packet and the corresponding acknowledgement packet seen from the Cisco NM-NAM to the server. Therefore, the best use of this type of monitoring is to have two points of collection, one being deployed close to the server (think-time), and one close to the client (network delay plus think-time). This is useful in troubleshooting response time both for data and VoIP applications. Verify the different output of response time at the monitoring console on the NAM(s). Figure 12 shows an example of response-time distributions.

Figure 12

View Response-Time Distributions of Applications

Scenario 3: Fault Isolation and Troubleshooting

The Cisco NM-NAM offers various tools and techniques for troubleshooting the network directly from the NAM Traffic Analyzer. For example, administrators can use the ART MIB to help troubleshoot potential problems with client and server issues. Alternatively, they can identify top applications or talkers (hosts), and also perform data captures on the source to analyze specific traffic in detail. Figure 13 shows the NAM's decoder interface that helps identify unknown applications with the objective of isolating network congestion caused by unwanted traffic.

The Cisco NM-NAM can also trigger capture from alarms created by the users. For example, an ART threshold generates an alarm to stop a data capture that is running with "Wrap when full." The user then can view the decode screen to troubleshoot the issue that is in progress.

Figure 13

Decode Raw Packets with the Packet Capture and Decode

Scenario 4: VoIP and QoS Monitoring

The Cisco NM-NAM is able to recognize IP telephony sessions in the network by decoding VoIP protocols such as SCCP. With VoIP data collection turned on, quality of calls can be extracted by decoding the VoIP control packets. Analysis is available to provide granular details about each phone session and system. Furthermore, in conjunction with using DiffServ (QoS), an administrator can verify the QoS classes associated with the VoIP traffic. In this scenario, some important questions that can be answered include:

What is the average jitter rate and packet loss for the phones that are monitored?

What is the worst call quality experienced?

What are the call session types (SCCP or H.323)?

What Cisco Real-Time Transport Protocol (RTP) ports are being used in these calls?

Historical reports can be built on DiffServ aggregation, including applications or hosts per DiffServ code points, as needed.

Cisco CallManager must have call detail records (CDRs) and diagnostics features turned on for the VoIP monitoring to provide call information such as caller ID, time of call, packet loss and jitter, and so on. Voice VLANs must be analyzed to provide VoIP traffic to be seen by the NAM.

To determine the data source relating to a particular VoIP network, use either the Cisco NAM close to a Cisco CallManager or one that is close to the Cisco IP phones. Enable data collection for your SCCP, H.323, and MGCP calls. Go to the Monitoring tab. Under Voice, start making your calls by dialing from one phone to the other. Verify from the application that you can see the active calls. Then hang up the phones, verify that the call is complete, and check for quality (packet loss, jitter) information the NAM provides by intercepting messages sent by the phones to the CallManager in an SCCP implementation or through the Real Time Control Protocol (RTCP) information in H.323 and MGCP implementations. (0 is acceptable if no problem with the call is discovered.)

Figure 14 illustrates details of an active call. You can see information such as extension numbers, phone owners, RTP ports, and so on.

Figure 14

View Details of Active Calls

When traffic is marked with DSCP, type of service (ToS), or IP Precedence, the NAM gives visibility into QoS and policy auditing using the DiffServ feature. The NAMs help do the following:

Analyze the application traffic to find how the bandwidth is being used. Help prioritize application traffic by assigning DiffServ classes.

Monitor application traffic by DiffServ classes or ToS after the QoS policies are enforced. For example, VoIP control traffic is assigned DSCP value 26, and the VoIP stream DSCP value 46. The Cisco NM-NAMs can track whether the VoIP traffic is flowing in the correct DiffServ classes, or ToS, and whether any other traffic is encroaching into the DiffServ class designated for VoIP or another assigned class.

To test the QoS monitoring feature of the Cisco NM-NAM, start by creating DiffServ profiles with a set of DSCP values or ToS. To make it easier, create the profile from a template provided by the NAM Traffic Analyzer. Once data collection is enabled for the profile you have created, go to the monitoring panel under DiffServ. If the portion of the network being monitored is VoIP, the NAM will provide statistics for the corresponding DSCP or ToS values in the DiffServ profile. For example, you should see only VoIP traffic flowing through a VoIP network; otherwise the classification trust boundaries may need to be reexamined.

Figure 15 shows VoIP traffic based on a DiffServ profile of VoIP only; this session is analyzed in a VLAN with mixed traffic (data and VoIP). The Cisco NM-NAM can easily filter VoIP-only traffic from preselected VoIP DSCP values.

Figure 15

VoIP Traffic Analysis Based on User-Defined Profile
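The DiffServ audit described in this scenario can be reproduced offline on exported flow records. The following is an added example, not part of the NAM Traffic Analyzer or of the original guide; the application labels, host addresses, and byte counts are constructed, and only the DSCP values 26 and 46 come from the text.

```python
from collections import Counter

# Profile from the text: VoIP control is DSCP 26, the VoIP stream is DSCP 46.
VOIP_PROFILE = {"voip-control": 26, "voip-stream": 46}
# Assumption: application labels as a traffic classifier might report them.
VOIP_APPS = {"sccp": "voip-control", "h323": "voip-control",
             "mgcp": "voip-control", "rtp": "voip-stream"}

def dscp_from_tos(tos_byte):
    """DSCP is the upper six bits of the IP ToS byte."""
    if not 0 <= tos_byte <= 255:
        raise ValueError(f"ToS byte out of range: {tos_byte}")
    return tos_byte >> 2

def audit(flows):
    """Audit (src, app, tos, bytes) rows against the VoIP profile.

    Returns (encroaching, mismarked, bytes_per_dscp).
    """
    reserved = set(VOIP_PROFILE.values())
    encroaching, mismarked, per_dscp = [], [], Counter()
    for src, app, tos, nbytes in flows:
        dscp = dscp_from_tos(tos)
        per_dscp[dscp] += nbytes
        voip_class = VOIP_APPS.get(app)
        if voip_class is None:
            if dscp in reserved:      # non-VoIP traffic inside a VoIP class
                encroaching.append((src, app, dscp))
        elif dscp != VOIP_PROFILE[voip_class]:
            # VoIP traffic outside its designated class: (..., seen, expected)
            mismarked.append((src, app, dscp, VOIP_PROFILE[voip_class]))
    return encroaching, mismarked, dict(per_dscp)

# Constructed sample rows: (source host, application, ToS byte, bytes).
SAMPLE_FLOWS = [
    ("10.1.20.11", "rtp",  0xB8, 172000),   # DSCP 46, correct
    ("10.1.20.11", "sccp", 0x68, 4200),     # DSCP 26, correct
    ("10.1.20.12", "rtp",  0x00, 168000),   # DSCP 0, voice left unmarked
    ("10.1.30.40", "http", 0xB8, 950000),   # DSCP 46, data host marking itself
    ("10.1.30.41", "ftp",  0x00, 20000),    # DSCP 0, best effort
]

if __name__ == "__main__":
    enc, mis, totals = audit(SAMPLE_FLOWS)
    print("encroaching:", enc)
    print("mismarked:", mis)
    print("bytes per DSCP:", totals)
```

A host that appears in the encroaching list is marking its own traffic into a VoIP class, which points at a port where DSCP is trusted but should not be.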

Scenario 5: Using Cisco NM-NAMs for WAN Monitoring

From configuring Cisco IOS packet monitoring to copy and send traffic on WAN interfaces, to enabling NDEs to send WAN traffic to the NAM, these techniques provide extensive WAN monitoring capabilities with the Cisco NM-NAM.

If Cisco IOS packet monitoring is used to send copies of WAN traffic to the Cisco NM-NAM internal interface, the user simply enables the collections on the NAM Traffic Analyzer to be reported. Similarly, with NetFlow data sources, enable only what needs to be collected for effective analysis. The NAM Traffic Analyzer will present each data source for reporting, whether you select the NAM data source that is presenting the WAN traffic (internal interface), or the NetFlow data source presenting NetFlow statistics.

For the traffic sent to the Cisco NM-NAM through its internal or external interface, the Cisco NM-NAM can provide full packet capture and decode capability as well as full analysis capabilities including response time of IP traffic on the WAN. With NetFlow, the Cisco NM-NAM provides rich summary statistics for hosts, conversations, and applications; decodes, response times, and DiffServ are not available with NetFlow as they require the NAM to see actual packets.

Users can create historical reports for NetFlow and WAN data sources for the benefit of trending and capacity planning (Figure 16).

Figure 16

Viewing Real-Time WAN

NetFlow services can be configured on the router; for remote data collection, NetFlow can also be configured on nearby NetFlow-capable devices. Once configured, the NAM provides the NetFlow data source automatically and also allows custom data sources to be created; simply turn on the collections on the NAM for monitoring (applications, hosts, and response time). Figure 17 shows a sample screen of the NAM Traffic Analyzer, in which the NetFlow data source is selected, and top applications and hosts are shown based on the WAN traffic statistics.

Remote data collection with NetFlow can be very useful; for example, for monitoring specific interface(s). The user enables NetFlow on the device and flow cache is enabled on any interface(s) to the remote sites. The Cisco NM-NAM that is to be used as a central NetFlow analyzer is the destination for any NetFlow source (in this case the branch router). Once configured, the user can create custom NetFlow data sources, referencing each remote interface that is configured.

Figure 17

Viewing NetFlow Within the NAM Traffic Analyzer

Scenario 6: Enhancing Network Security

Once a vulnerability and the exploits that target it, such as worms, have been defined, the Cisco NM-NAMs can help analyze network traffic for security purposes. Public announcements, such as the Cisco Security Advisory, are useful in defining security issues such as exploits. For example, the worm known as Slammer performed denial-of-service attacks that were directly associated with a known Structured Query Language (SQL) application. The NAMs made it possible to generate thresholds and alarms based on application, find affected hosts via the NAM Traffic Analyzer, and research the affected host(s) for analysis (Figure 18).

Figure 18

Example Display of a Possibly Slammer-Affected Host

The Cisco NM-NAM allows the user to configure thresholds for anomaly-based threat detection, and set triggers for alarms and capture as needed, to provide a more proactive approach to the monitoring process.
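The per-application thresholds and alarms described in this scenario can be illustrated with RMON-style rising and falling thresholds. This is an added example, not the NAM's own implementation; the application label, hosts, packet counts, and threshold values are constructed assumptions.

```python
from collections import defaultdict

def threshold_alarms(samples, app, rising, falling):
    """samples: list of (interval, host, application, packets) rows.

    Returns ("rising" | "falling", interval, host, packets) events. A host
    alarms once when it reaches `rising` and re-arms only after dropping to
    `falling` or below, so a sustained burst produces a single alarm.
    """
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    counts = defaultdict(int)
    for interval, host, application, packets in samples:
        if application == app:
            counts[(interval, host)] += packets
    intervals = sorted({row[0] for row in samples})
    hosts = sorted({host for _, host in counts})
    alarmed, events = set(), []
    for interval in intervals:
        for host in hosts:
            packets = counts.get((interval, host), 0)   # silent interval = 0
            if host not in alarmed and packets >= rising:
                alarmed.add(host)
                events.append(("rising", interval, host, packets))
            elif host in alarmed and packets <= falling:
                alarmed.discard(host)
                events.append(("falling", interval, host, packets))
    return events

def affected_hosts(events):
    """Hosts that crossed the rising threshold at least once."""
    return sorted({host for kind, _, host, _ in events if kind == "rising"})

# Constructed samples; "sql-udp-1434" is an assumed application label
# (Slammer traffic was UDP to port 1434).
APP = "sql-udp-1434"
SAMPLES = [
    (1, "10.1.30.7", APP, 12), (1, "10.1.30.8", APP, 10),
    (2, "10.1.30.7", APP, 15), (2, "10.1.30.8", "http", 900),
    (3, "10.1.30.7", APP, 48000), (3, "10.1.30.8", APP, 9),
    (4, "10.1.30.7", APP, 51000), (4, "10.1.30.8", APP, 14),
    (5, "10.1.30.8", APP, 12),           # 10.1.30.7 is silent after cleanup
]

if __name__ == "__main__":
    events = threshold_alarms(SAMPLES, APP, rising=1000, falling=100)
    for event in events:
        print(event)
    print("affected:", affected_hosts(events))
```

The falling threshold keeps a host that stays above the rising value from raising a new alarm every interval, and the rising event is the natural point to trigger a capture.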

Scenario 7: Capacity Planning and Extended Applications

The Cisco NM-NAMs can serve as data sources for other standards-based applications for a variety of purposes including capacity planning, long-term historical reporting and trending, anomaly-based threat detection, etc. Concord Communications has tested support with eHealth-Traffic Accountant version 5.6.5 and Infovista has tested support with VistaView for Traffic Monitoring; VistaView for Application Monitoring version 5.0.

Expanding the Deployment

After the initial deployment(s), you may find that the Cisco NM-NAM with the embedded NAM Traffic Analyzer meets your expectations, or you may gain insight on how to better position the NAM(s) in the network. You may also decide to reevaluate the network planning itself.

Ask yourself the following questions: Is the network too congested? Are the routers under-resourced or not configured appropriately? You may find it necessary to upgrade to a higher-performance router, verify ACLs, and so on. Then reconfigure the router and NM-NAM(s) and retest: are the new results more acceptable?

Summary

The objective of this deployment guide for the Cisco 2600/3660/3700 Series Network Analysis Module is to provide users with considerations, deployment options, and explicit configuration steps to begin operating the Cisco NM-NAM(s) quickly and efficiently. The examples used show that deployment can be fast and easy, and the Cisco NM-NAM can deliver a wide array of benefits in historical and real-time traffic monitoring and troubleshooting, presented both in the branch LAN and WAN scenarios. This guide also reviewed Cisco NM-NAM features such as the distinctive MIB-II, RMON, DiffServ, ART, and VoIP monitoring capabilities.


Posted: Tue Dec 7 11:27:34 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.