This chapter describes the Catalyst 6500 series switch, Catalyst 6000 series switch, or Cisco 7600 series router Network Analysis Module (NAM), how it operates, and how to manage it.
Note This installation and configuration note applies to users who have Catalyst operating system and Cisco IOS software. The procedures in this note that pertain to each operating system are specified in separate sections for each operating system.
This chapter contains these sections:
•Understanding How the NAM Works
To help you get started using the NAM, refer to this roadmap:
This section describes how the Catalyst 6500 series switch, Catalyst 6000 series switch, or Cisco 7600 series router Network Analysis Module (NAM) operates. This section contains these subsections:
•Understanding How the NAM Uses SPAN
•Understanding How the NAM Uses VACLs
•Understanding How the NAM Uses NDE
The NAM monitors and analyzes network traffic using remote monitoring (RMON), RMON extensions for switched networks (SMON), and other management information bases (MIBs). For more information, see the "Supported MIB Objects" section.
The NAM monitors, analyzes, and displays NetFlow data from remote devices and supports these RMON groups:
•RMON groups defined in RFC 2819
•RMON2 groups defined in RFC 2021
•DSMON groups defined in RFC 3287
•High-capacity RMON groups defined in RFC 3273 (except the Media Independent Group)
•SMON groups defined in RFC 2613
•All groups defined in the Application Response Time MIB
•NetFlow Version 9 records; the NetFlow listening mode now shows data sources using NetFlow Version 9
The NAM can also monitor individual Ethernet VLANs, which allows it to serve as an extension to the basic RMON support provided by the Catalyst 6500 series supervisor engine.
You can use any other IETF-compliant RMON application to access link, host, protocol, and response-time statistics for capacity planning, departmental accounting, and real-time application protocol monitoring. You also can use filters and capture buffers to troubleshoot the network.
The NAM can analyze Ethernet VLAN traffic from the following sources:
•Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast EtherChannel SPAN or RSPAN source port.
For more information about SPAN and RSPAN, refer to the "Configuring SPAN and RSPAN" chapter in the Catalyst 6500 Series Switch Software Configuration Guide.
•NetFlow Data Export (NDE).
For more information about NDE, refer to the Catalyst 6500 Series Switch Software Configuration Guide.
Table 1-1 summarizes the traffic sources that are used for NAM monitoring.
A switched port analyzer (SPAN) session is an association of a destination port with a set of source ports, configured with parameters that specify the monitored network traffic. You can configure multiple SPAN sessions in a switched network.
The WS-SVC-NAM-1 platform provides a single destination port for SPAN sessions. The WS-SVC-NAM-2 platform provides two possible destination ports for SPAN and VACL sessions. Multiple SPAN sessions to the NAM are supported, but they must be destined for different ports. The NAM destination ports for use by the SPAN graphical user interface (GUI) are named DATA PORT 1 and DATA PORT 2 by default. In the CLI, SPAN ports are named as shown in Table 1-2.
| NAM Platform | NAM Data Port | Switch Port (module/port) |
|---|---|---|
| NAM-1 | data-port 1 | module number:3 |
| NAM-2 | data-port 1 and data-port 2 | module number:7 or module number:8 |
Each of these ports is independent. You can create data-port collections that are populated only by the traffic from one of the ports, or by the traffic from both ports. You can still create VLAN-based collections; packets from either port that match the specified VLAN populate such collections.
For more information about SPAN and how to configure it on the Catalyst 6000 and 6500 series switches, use this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sy/swcg/span.htm#1032978
For more information about SPAN and how to configure it on the Cisco 7600 series router, use this URL:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/software/122sx/swcg/span.htm
The NAM supports Encapsulated Remote SPAN (ERSPAN) traffic on the management port and uses that traffic as a data source. All collection types are supported on the ERSPAN traffic.
ERSPAN is an extension of SPAN in which packets are encapsulated in a generic routing encapsulation (GRE) packet and sent to an ERSPAN destination. The ERSPAN sources and destinations are usually Supervisor Engine 720 with a PFC5 or later releases. Because the ERSPAN traffic uses IP or GRE to encapsulate the packets sent across the routers, the decapsulated traffic can then be sent to the NAM data ports.
A VLAN access control list (VACL) can forward traffic from either a WAN interface or VLANs to a data port on the NAM. A VACL provides an alternative to using SPAN; a VACL can provide access control based on Layer 3 addresses for the IP and IPX protocols. Other protocols are access controlled through their MAC addresses. A MAC VACL cannot be used to access control IP or IPX addresses.
There are two types of VACLs: one that captures all bridged or routed VLAN packets and another that captures a selected subset of all bridged or routed VLAN packets. Catalyst operating system VACLs can only be used to capture VLAN packets because they are initially routed or bridged into the VLAN on the switch.
A VACL can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or, with Release 12.1(13)E or later releases, a WAN interface. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, the VACLs apply to all packets and can be applied to any VLAN or WAN interface. The VACLs are processed in the hardware.
A VACL uses Cisco IOS access control lists (ACLs). A VACL ignores any Cisco IOS ACL fields that are not supported in the hardware. Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject to a number of features, such as access control (security), encryption, and policy-based routing. Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed packets.
Once a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VACL. Packets can either enter the VLAN through a switch port or through a router port after being routed. Unlike Cisco IOS ACLs, the VACLs are not defined by direction (input or output).
A VACL contains an ordered list of access control entries (ACEs). Each ACE contains a number of fields that are matched against the contents of a packet. Each field can have an associated bit mask to indicate which bits are relevant. Each ACE is associated with an action that describes what the system should do with the packet when a match occurs. The action is feature dependent. Catalyst 6000 and 6500 series switches and Cisco 7600 series routers support three types of ACEs in the hardware: IP, IPX, and MAC-Layer traffic. The VACLs that are applied to WAN interfaces support only IP traffic.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet coming in to the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.
When configuring VACLs, note the following:
•VACLs and context-based access control (CBAC) cannot be configured on the same interface.
•TCP Intercepts and Reflexive ACLs take precedence over a VACL action on the same interface.
•IGMP packets are not checked against VACLs.
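The evaluation order described above (source VACL, then the input ACL on the routed interface, then the output ACL, then the destination VLAN's VACL, with an implicit deny when a configured list matches nothing) is easy to get wrong when troubleshooting why a packet never reaches the NAM data port. The following is an added example, not code from the Cisco document, that models ordered ACEs with bit masks and walks a packet through the four checks; the field names, the sample policy and the packets are constructed for illustration.

```python
from dataclasses import dataclass, field
import ipaddress

def ip(addr):
    """IPv4 dotted-quad to int so addresses can be masked like any other field."""
    return int(ipaddress.IPv4Address(addr))

@dataclass
class ACE:
    """One access control entry: an action plus field -> (value, bit mask) pairs."""
    action: str                             # "permit" or "deny"
    match: dict = field(default_factory=dict)

    def matches(self, pkt):
        # Every listed field must agree with the packet under its mask;
        # an empty match dict matches everything (a catch-all entry).
        return all((pkt.get(name, 0) & mask) == (value & mask)
                   for name, (value, mask) in self.match.items())

def evaluate(acl, pkt):
    """Ordered ACE list: the first match decides; no match is an implicit deny."""
    if acl is None:                         # no list applied at this point
        return "permit"
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def forward(pkt, src_vacl, in_acl, out_acl, dst_vacl):
    """Check a routed packet in the order the chapter describes and report
    which list, if any, dropped it (useful when a capture shows nothing)."""
    stages = (("source VACL", src_vacl), ("input ACL", in_acl),
              ("output ACL", out_acl), ("destination VACL", dst_vacl))
    for name, acl in stages:
        if evaluate(acl, pkt) == "deny":
            return ("deny", name)
    return ("permit", "forwarded")

# Constructed sample policy: the source VLAN admits only 10.1.0.0/16, the routed
# interface's input ACL blocks Telnet, and the destination VLAN accepts TCP only.
SRC_VACL = [ACE("permit", {"src": (ip("10.1.0.0"), ip("255.255.0.0"))})]
IN_ACL = [ACE("deny", {"proto": (6, 0xFF), "dport": (23, 0xFFFF)}), ACE("permit")]
OUT_ACL = None
DST_VACL = [ACE("permit", {"proto": (6, 0xFF)})]

def check(src, proto, dport):
    pkt = {"src": ip(src), "proto": proto, "dport": dport}
    return forward(pkt, SRC_VACL, IN_ACL, OUT_ACL, DST_VACL)
```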
For details on how to configure a VACL with Cisco IOS software, refer to the Network Analysis Module for Catalyst 6500 Series and Cisco 7600 Series Command Reference. For details on how to configure security ACLs with the Catalyst operating system, refer to the Catalyst 6500 Series Software Configuration Guide and the Catalyst 6500 Series Command Reference.
NetFlow Data Export (NDE) from a remote device allows the NAM to monitor port traffic on that device. To use an NDE data source for the NAM, you must configure the remote device to export the NDE packets to UDP port 3000 on the NAM. You may need to configure the device on a per-interface basis. A screen has been added to the web application user interface for specifying NDE devices (an NDE device is identified by its IP address). By default, the switch's local supervisor engine is always available as an NDE device.
You can define additional NDE devices by specifying their IP addresses and (optionally) their community strings. The community strings are used to retrieve readable names for the interfaces on the remote devices that appear in the NetFlow records.
For more information about the NDE data sources of the NAM, go to the NAM Traffic Analyzer online help menu and choose the Contents > Setting Up the Application > Setting Up Data Sources > Understanding NetFlow Interfaces.
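The NDE packets a remote device exports to UDP port 3000 on the NAM are NetFlow Version 9 records (see the supported RMON groups above). The following is an added example, not code from the Cisco document or the NAM, that decodes such a packet: it learns template flowsets per exporting device and then decodes the data flowsets that reference them, which also shows why a data flowset arriving before its template cannot be decoded. The sample packet, its template id, and the field names are constructed for illustration; the field type numbers follow the NetFlow v9 specification.

```python
import struct
import ipaddress
FIELD_NAMES = {1: "in_bytes", 7: "l4_src_port", 8: "ipv4_src_addr",   # RFC 3954 types
               11: "l4_dst_port", 12: "ipv4_dst_addr"}

def parse_v9(data, templates):
    """Decode one export packet. templates maps (source_id, template_id) to field
    lists and persists across packets: data is decodable only after its template."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError("not a NetFlow Version 9 packet")
    records, pos = [], 20
    while pos + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = data[pos + 4:pos + fs_len]
        if fs_id == 0:                                  # template flowset
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                fields = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i])
                          for i in range(nfields)]
                templates[(source_id, tid)] = fields
                off += 4 + 4 * nfields
        elif fs_id >= 256 and templates.get((source_id, fs_id)):   # data flowset
            fields = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in fields)
            for off in range(0, len(body) - rec_len + 1, rec_len):
                rec, o = {}, off
                for ftype, flen in fields:
                    raw, o = body[o:o + flen], o + flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                                 else int.from_bytes(raw, "big"))
                records.append(rec)
        pos += fs_len                                   # unknown flowsets are skipped
    return records

def build_sample():
    """Constructed sample packet: a template (id 256) followed by one data record."""
    tmpl_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(tmpl_fields)) + b"".join(
        struct.pack("!HH", *f) for f in tmpl_fields)
    rec = (ipaddress.IPv4Address("10.1.2.3").packed + ipaddress.IPv4Address("10.2.0.9").packed
           + struct.pack("!HHI", 40000, 80, 1500))
    header = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

Feeding only the data flowset of the sample packet to a fresh templates dictionary returns no records, which is the behaviour to expect on the NAM right after an NDE device restarts until its next template refresh.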
You can manage the NAM from the embedded web-based NAM Traffic Analyzer application (directing a web browser to the NAM) or a Simple Network Management Protocol (SNMP) management application, such as those bundled with CiscoWorks2000.
NAM Traffic Analyzer provides access to the management and monitoring features for NAM data and voice traffic through a web browser. To use NAM Traffic Analyzer, you need to do some basic configuration tasks on the NAM using the CLI. You then can start NAM Traffic Analyzer with a single command.
With NAM Traffic Analyzer, you can do the following tasks:
•Configure and view historical reports about various traffic statistics
•Configure SPAN resources
•Configure collections
•Monitor statistics
•Capture and decode packets
•Set and view alarms
For added security, you can use NAM Traffic Analyzer to configure the NAM to use a remote TACACS+ server. A TACACS+ server provides authentication and authorization for your web-based users. You also can use a local database on the NAM for security.
You also can manage the NAM using an SNMP management application such as the Cisco NetScout nGenius Real-Time Monitor (RTM), which is a component of CiscoWorks2000 LAN management solutions (NMS). For more information about using RTM, refer to the CiscoWorks documentation or this URL:
http://www.Cisco.com/univercd/cc/td/doc/product/lan/cat6000/fam_mod/rel2_1_2/ol_2428.htm
To use RMON and SNMP agent support, you configure the NAM using the CLI.
If you have a NAM that is already configured and running in the switch, and you are familiar with the NAM, you can begin using NAM Traffic Analyzer by entering the ip http server enable CLI command and then starting NAM Traffic Analyzer in your browser.
Refer to the User Guide for the Network Analysis Module Traffic Analyzer Release 3.3 for more information about using NAM Traffic Analyzer.
The NAM front panel (see Figure 1-1) includes a STATUS LED and SHUTDOWN button.
Figure 1-1 Network Analysis Module
The STATUS LED indicates the operating states of the NAM. Table 1-3 describes the LED operation.
To avoid corrupting the NAM hard disk, you must correctly shut down the NAM before you remove it from the chassis or disconnect the power. This shutdown procedure is normally initiated by commands entered at the supervisor engine CLI prompt or the NAM CLI prompt.
Note If disk corruption occurs, you can recover the disk by reupgrading the application image with the --install option. See the "Upgrading the NAM Application Software with Catalyst Operating System Software" section on page 4-17.
If the NAM fails to respond to these commands properly, press the SHUTDOWN button on the front panel to initiate the shutdown procedure.
The shutdown procedure may require several minutes. The STATUS LED turns off when the NAM shuts down.
Table 1-4 describes the specifications for the NAM.