NAM Traffic Analyzer 5.0 Usage Scenarios
This chapter describes usage scenarios for the Cisco Network Analysis Module Traffic Analyzer, Release 5.0.
This chapter contains the following sections:
•Deploying NAMs in the Branch
•Deploying NAMs for Voice/Video applications
•Deploying NAMs for WAN Optimization
•Deploying Multi-NAM Consolidation
•Autodiscovery Capabilities of NAM
•Creating Custom Applications
•Utilizing Sites to Create a Geographically Familiar Deployment
•Integrating NAM with Third Party Reporting Tools
•Integrating NAM with LMS
•Understanding Traffic Patterns at the Network Layer
•Understanding Traffic patterns for DiffServ-Enabled Networks
•Using NAM to Evaluate Application-Level Performance Monitoring for TCP-Interactive Applications
•Using NAM to Evaluate Application-Level Performance Monitoring for UDP Realtime Applications
•Using NAM to Evaluate Potential Impact of WAN Optimization Prior to Deployment
•Using NAM for Problem Isolation
•Using NAM for SmartGrid Visibility
Deploying NAMs in the Branch
A NAM Traffic Analyzer deployed in the branch will provide a detailed view of the traffic traversing to and from the branch. The NAM can monitor and analyze the traffic locally, and troubleshoot issues related to application response time, voice degradation, and overall network performance, and you will be able to see these results by accessing the NAM web interface.
There are many advantages of this deployment. First, outside of a branch deployment, there is no ability to view response time or monitor voice. Second, deploying the NAM in the branch also eliminates the need to send RSPAN, ERSPAN or NetFlow across the WAN link (the result is less network traffic). Third, you can set up some features that you could not elsewhere, such as alerts from the NAM and packet capture. Fourth, you can more quickly troubleshoot network problems.
See related content Response Time Summary, page 3-5 and Analyze, Response Time, page 3-19.
Deploying NAMs for Voice/Video applications
The NAM Traffic Analyzer's ability to monitor voice applications provides an extra benefit. The NAM monitors and analyzes Real-time Transport Protocol (RTP) streams and alerts you when MOS, Jitter, and Packet Loss degrades below the threshold setting.
The NAM can be integrated with the Cisco Unified Communications Management Suite (CUCMS), so that NAM will report the MOS, Jitter, and Packet Loss measurements to Cisco Unified Service Monitor (SM).
See related content Analyzing Traffic, RTP Streams, page 3-38
See related content Setting Voice Signaling Thresholds, page 2-46
Deploying NAMs for WAN Optimization
If you are deploying WAN optimization and already have NAMs in the network, the WAAS from the corporate side and branch can be sent to the NAM for analysis of the traffic before and after optimization. NAM also provides a breakdown of the optimization regarding application response time. The response times are broken down into client LAN and WAN segments, and server LAN and WAN segments.
If you are deploying WAN optimization using WAVE-574 or WAE-674 and you have limited real estate in the closet, the NAM WAAS Virtual Blade can be deployed on the WAVE-574 or WAE-674 for analysis of traffic before and after optimization on the WAAS headend and branch devices.
See related content WAN Optimization, page 3-17.
Deploying Multi-NAM Consolidation
In a multiple-NAM environment, all of the NAMs can be configured to forward NetFlow v9 data to one of the NAMs, which can then be used as a NetFlow collector. Using a "central" NAM like this results in consolidated reporting and problem isolation. This functionality is limited to top hosts, conversations, and applications.
Use the IP Address and Port of the "Central NAM" on Setup > Data Export > NetFlow.
See related content Data Export, NetFlow, page 2-49.
Autodiscovery Capabilities of NAM
If you are an existing NAM 4.x user, you will not need to configure the SPAN sessions, and they will be auto-created on the NAM (not on the device). If you are a new 5.0 user, you will need to configure SPAN or NetFlow.
SPAN or NetFlow must be already configured on the device to forward traffic to NAM for auto creating the data source.
See related content Data Sources, page 2-9.
Creating Custom Applications
NAM identifies applications/protocols based on the TCP/UDP port number, so if there are applications using custom ports, the NAM can be configured to identify those applications by name instead of the port.
See related content Applications, page 2-67.
Utilizing Sites to Create a Geographically Familiar Deployment
SPAN sessions are recommended for directing traffic to the NAM. SPAN provides the data needed for NAM to analyze traffic for application response time, Real-time Transport Protocol, hosts, conversations, and more. NetFlow v9 can be directed to the same NAM from other devices for analysis on applications, hosts and conversations.
NAM 5.0 provides the ability to logically segment the network based on IP subnet, data source and VLAN by creating sites. The recommendation is creating sites based in IP subnet. As an example, a NAM is connected and monitoring traffic on a distribution switch which has traffic from San Jose, San Francisco and Sacramento traversing through it. Each site is using unique IP subnets, so in NAM 5.0 the network can be broken down into three sites (SJ, SF and Sacramento) based on the IP subnets. This allows you to view traffic per site instead of viewing all the traffic, making it harder to identify and troubleshoot issues.
See related content Sites, page 2-58.
See related content Site Definition Rules, page 2-59.
Integrating NAM with Third Party Reporting Tools
The NAM Traffic Analyzer Release 5.0 integrates with the CA NetQoS SuperAgent for the purpose of aggregating Application Response Times.
The NAM Traffic Analyzer Release 5.0 also integrates with CompuWare Vantage and InfoVista 5View for Host, Conversation, RTP, and Response Time.
See the NAM 5.0 API Programmer's Guide for configuring NAM and exporting data from the NAM.
See related content Response Time Summary, page 3-5.
Integrating NAM with LMS
The NAM Traffic Analyzer GUI can be placed on the LMS (LAN Management Suite) 4.0 dashboard and accessed thru the LMS GUI. See technical documentation for LMS on http://www.cisco.com.
Understanding Traffic Patterns at the Network Layer
The data gathered by the NAM 5.0 Traffic Analyzer is stored in a database, allowing you to examine the traffic trends for any application, host, conversation, and to analyze DSCP, RTP, voice signaling, and response time.
The values for average Application Response Times can be used to create thresholds, which will trigger alerts if those thresholds are exceeded, and you can also configure these alerts to trigger packet capture. This allows you to be proactive in identifying and troubleshooting issues in the network.
The Historical Analysis feature also allows you to see charts over time in the past, with which you can get a trending pattern for a host, critical application, or server that you're tracking. For example, using the Interactive Report window on the left, you can choose to see data for the past several days, or past several weeks. Based on that data, you can create Trigger thresholds for 20% higher. Once you have exceeded that threshold, you will get an alert, and the NAM triggers packet capture.
See Application Response Time, page 3-22.
See Alarm Actions, page 2-36.
See Thresholds, page 2-39.
Understanding Traffic patterns for DiffServ-Enabled Networks
You can analyze the traffic at Analyze > Traffic > DSCP, and use the Interactive Report window on the left to choose a particular DSCP group to focus on. After selecting it, you will see the charts populate.
See DSCP Groups, page 2-64.
Using NAM to Evaluate Application-Level Performance Monitoring for TCP-Interactive Applications
Application Performance Response Time Analysis provides up to 45 metrics. You can configure thresholds based on many of these metrics, and receive an alert when the thresholds are passed. Thresholds should be set for critical applications or servers using Average Server Response Time, or Average Transaction Time, or Average Network Time and Average Server Network Time. These thresholds will help identify where the problem lies in the application performance, and show whether the problem is a server or network issue. Depending on the alarm, you can access the NAM Traffic Analyzer to see the applications and clients accessing the server, or to check the devices in the traffic path monitoring device and interface utilization.
See Application Response Time, page 3-22.
See Thresholds, page 2-39.
Using NAM to Evaluate Application-Level Performance Monitoring for UDP Realtime Applications
The NAM Traffic Analyzer monitors RTP streams: When a phone call ends, the endpoints calculate the information and send it to the Call Manager. If a NAM is along that path, it will intercept it.
The NAM monitors and analyzes RTP streams and voice calls statistics from the endpoint. The voice calls statistics from the endpoint is used in conjunction with the RTP stream to correlate the phone number with the IP address of the endpoint. Alerting is based on analysis of the RTP streams for MOS, Jitter, and Packet Loss.
See Voice Signaling/RTP Stream Monitoring, page 2-2.
See Analyzing Traffic, RTP Streams, page 3-38.
See Table 2-37, Voice Monitor Setup Window.
Using NAM to Evaluate Potential Impact of WAN Optimization Prior to Deployment
If an application that is supposed to be optimized is displayed in pass through traffic, check the WAN acceleration device (WAE) configuration.
The NAM analyzes the traffic and identifies top talkers in Analyze > WAN Optimization > Top Talkers, displaying applications and network links (Sites) that will benefit from deploying WAN optimization. After the WAN optimization devices have been deployed, the WAAS can be directed to the NAM for analysis to display the breakdown of the optimization regarding application response time. The response times are broking down into client LAN and WAN segments, and server LAN and WAN segments.
Using NAM for Problem Isolation
The alarm details (found in the NAM Traffic Analyzer Release 5.0 under Monitor > Overview > Alarm Summary) provides information you can use to drill-down on the threshold that was violated. You may also receive this alarm in e-mail (Setup > Alarms > E-mail). An example of the alarm is:
2010 SEPT 28 9:17:0:Application:Exceeded rising value(1000);packets;60653;Site(San Jose), Application(http)
After receiving this alarm, you can access the NAM GUI to view the application in site San Jose to determine why there was a spike. Click on Analyze > Traffic > Application; in the Interactive Report window on the left, change Site to "San Jose," Application to "HTTP," and Time Range to the range when the alert was received. This will display all the hosts using this protocol. You can see the Top hosts and verify there are no unauthorized hosts accessing this application. You can also access Analyze > Traffic > Host to view which conversations are chatty, and therefore causing the increase traffic for this application.
If the alarm is for an Application Response Time issue, you can access Monitor > Response Time Summary or Analyze > Response Time > Application to drill-down on what hosts are accessing the application. Identify the application server and view what other applications are hosted and all the clients accessing that server.
See Monitor: Response Time Summary, page 3-5.
See Analyze: Response Time, page 3-19.
Using NAM for SmartGrid Visibility
The NAM Traffic Analyzer will not recognize the IEC 60870 protocol out of the box (this is one of the main protocols used by power distribution companies). You will have to add a custom protocol, because it is a specific port you will be using. When you choose Setup > Classification > Application Configuration, you will see all hosts using that application. It will be identified as a Telnet application.