This chapter provides information about Cisco Prime Network Analysis Module Software. It describes new features and how to navigate the interface, and provides general information about how the Cisco NAM functions.
This chapter contains the following sections:
•Cisco Prime Network Analysis Module
•Overview of the NAM Platforms
•Navigating the User Interface
•Understanding How the NAM Works
–Understanding How the NAM Uses SPAN
–Understanding How the NAM Uses VACLs
–Understanding How the NAM Uses NDE
–Understanding How the NAM Uses WAAS
Cisco Prime Network Analysis Module
The Cisco Prime Network Analysis Module software empowers network managers with an easy to use traffic analysis toolset to optimize network resources, troubleshoot network performance issues, and ensure a consistent end-user experience.
The Cisco Prime™ portfolio of enterprise and service provider management offerings supports integrated lifecycle management of Cisco architectures and technologies based on a service-centric framework. Built on an intuitive workflow-oriented user experience, Cisco Prime products help increase IT productivity and reduce operations costs through innovative management solutions for the network services, infrastructure, and endpoints.
The Cisco Prime Network Analysis Module (NAM) combines flow-based and packet-based analysis into one solution. The NAM can be used for traffic analysis of applications, hosts, and conversations, performance-based measurements on application, server, and network latency, quality of experience metrics for network-based services such as Voice over IP (VoIP) and video, and problem analysis using deep, insightful packet captures. The NAM includes an embedded, web-based GUI that provides quick access to the configuration menus and presents easy-to-read performance monitoring and analysis on web, voice, and video traffic.
For additional details on how to deploy NAM in your network, see NAM Deployment.
New Features in Cisco Prime Network Analysis Module Software
Addition of Cisco Catalyst 6500 Series NAM Module
Cisco Prime Network Analysis Module Software now supports the high performance Cisco Catalyst 6500 Series Network Analysis Module (WS-SVC-NAM3-6G-K9). This release offers integrated, high performance application visibility and troubleshooting in high speed, high density Catalyst 6500 Campus Backbone and Data Center environments. This release was previously supported only in 5.0(1T).
This release increases visibility into both physical and virtual switch environments, and enhances Catalyst 6500 operational manageability in physical and VSS switching environments.
Other supported features include:
•Supports ERSPAN data for voice and RTP monitoring
•Supports up to 60 K RTP streams and 30k calls monitoring
•Consolidates WebEx-relevant sessions into one call
•PTP time sync option (Switch and NTP were the existing options)
•Supports external storage for capture (SAS and FCoE storage protocols). This includes a new storage user interface page under the Capture menu and CLI commands for remote-storage.
•Added hardware capture filters like in the 22XX appliances, but much more powerful and complex.
•Added TelePresence codec support for monitoring.
Changes to Storage Support
•Storage support for NFS is removed from all platforms. All Admin/Setup pages have been removed.
•iSCSI support is reintroduced for all platforms and integrated into a new capture storage page.
•Updates have been made to the command line interface (CLI) for iSCSI. Sub-menus no longer exist. The CLI now closely mirrors the SAS and FCoE interfaces.
Overview of the NAM Platforms
The following models differ in memory, performance, disk size, and other capabilities. Therefore, some allow for more features and capabilities (for example, the amount of memory allocated for capture).
Throughout this User Guide, there will be Notes explaining that some features apply only to specific platforms. If there is no Note, then that feature or aspect applies to all NAM platforms.
See Choice of Hardware and Software Platforms for a Given Place in the Network for more information about where you may choose to deploy certain platforms.
Cisco NAM 5.1(2) software supports the following NAM models (SKU):
•Cisco NAM 2204 Appliances
•Cisco NAM 2220 Appliance
•Cisco 6500 Series Switches and Cisco 7600 Series Routers
•Cisco Branch Routers
•Cisco SRE NAM
•Cisco WAAS NAM Virtual Service Blade
•Cisco Nexus 1010 NAM Virtual Blade
Log in to the NAM by using the username and password that the NAM administrator provided you, and click the Login button. If you are having problems logging in:
•Make sure you are using a browser that is currently supported for use with NAM:
English Firefox 3.6+ or Microsoft Internet Explorer 8+ (Microsoft Internet Explorer 7 is not supported)
•Make sure you are using a platform that is currently supported for use with NAM:
Microsoft Windows XP or Microsoft Windows 7. The Macintosh platform is not supported on this release.
•Make sure you have downloaded the most recent version of Adobe Flash.
•Clear the browser cache and restart the browser (not necessarily if installing NAM for the first time).
•Make sure cookies are enabled in your browser.
•If you see the following message: "Initializing database. Please wait until initialization process finishes," you must wait until the process finishes.
•Make sure you had accepted the license agreement (WAAS VB, Nexus 1010, and SRE users only) and that the license has not expired.
To view the full documentation set (including the User Guide and Release Notes) for the Cisco NAM software, go to the NAM software Technical Documentation area on Cisco.com:
Navigating the User Interface
NAM 5.0 introduced a redesigned interface and user experience, with intuitive workflows and improved operational efficiency. This section describes the improved navigation and control elements in the user interface.
Note All times in the NAM are typically displayed in 24-hour clock format. For example, 3:00 p.m. is displayed as 15:00.
Common Navigation and Control Elements
To perform the NAM functions, use the menu bar.
The selections enable you to perform the necessary tasks:
Home: Brings you to the Traffic Summary Dashboard (Monitor > Overview > Traffic Summary).
Monitor: See "summary" views that allow you to view network traffic, application performance, site performance, and alarms at a glance.
Analyze: See various "over-time" views for traffic, WAN optimization, response time, managed device, and media functions.
Capture: Configure multiple sessions for capturing, filtering, and decoding packet data, manage the data in a file control system, and display the contents of the packets.
Setup: Perform all setup needed to run Cisco NAM 5.1(2).
Administration: Perform user and system administration tasks, and generate diagnostic information for obtaining technical assistance.
Under some topics in the mega-menu, the last selection is "Detailed Views." Click the small arrow to the right of the menu selections to see the submenu and the functions available.
On most charts that appear on the dashboards, you can left-click on a colored bar of data to get a context menu, with which you can get more detailed information about that item.
The example above is from the Traffic Summary Dashboard, Top N Applications chart. The description to the right of "Selected Application" in the menu shows what item you had clicked on (in this case, "snmp").
The menu items above the separator line are specific to the selected element of the Top N chart. The items below the separator line are not specific to the selected element, but apply to the Top N chart.
From the Context menu of many of the bar charts that show Applications or Hosts or VLANs. you can start a Capture. For example, when you click on an Application in a bar chart (as in the screenshot above) and choose Capture, the following is done automatically:
•A memory-based capture session is created
•A software filter is created using that application
•The capture session is started
•The decode window pops open and you can immediately see packets being captured.
Note Quick Capture does not use site definition/filter.
From both the selectors in the upper left of the dashboards and from the item the user clicks on in the barchart, the following are carried into the context for the capture session:
•Data Source (if it is a DATA PORT)
If you open up the associated Capture Session and its associated Software Filter, the above settings will be shown.
On most Monitoring and Analyze windows, you can use the Interactive Report on the left side to view and change the parameters of the information displayed in the charts. You can redefine the parameters by clicking the Filter button on the left side of the Interactive Report.
The reporting time interval selection changes depending upon the dashboard you are viewing, and the NAM platform you are using. The NAM supports up to five saved Interactive Reports.
Chart View / Grid View
Most of the data presented by the NAM can be viewed as either a Chart or a Grid. The Chart view presents an overview of the data in an integrated manner, and can show you trending information. The Grid view can be used to see more precise data. For example, to get the exact value of data in graphical view, you would need to hover over a data point in the Chart to get the data, whereas the same data is easily visible in table format using Grid view. To toggle between the two views, use the Chart and Grid icons at the bottom of the panel:
Next to that icon is the "Show as Image" icon, with which you save the chart you are viewing as a PNG file.
Mouse-Over for Details
When in Chart view, you can mouseover the chart to get more detailed information about what occurred at a specific time.
Many of the line charts in NAM are "dual-axis," meaning there is one metric shown on the left axis of the chart and another metric shown on the right axis of the chart.
For example, in the figure above, Total Bytes per second is shown on the left axis, and Total Packets per second is shown on the right axis.
For many charts, you can drag the beginning or end to change the time interval, as shown below.
The time interval change on the zoom/pan chart will affect the data presented in the charts in the bottom of the window. The zoom/pan time interval also affects the drill-down navigations; if the zoom/pan interval is modified, the context menu drill-downs from that dashboard will use the zoom/pan time interval.
Note In a bar chart which you can zoom/pan, each block represents data collected during the previous interval (the time stamp displayed at the bottom of each block is the end of the time range). Therefore, you may have to drag the zoom/pan one block further than expected to get the desired data to populate in the charts in the bottom of the window.
When looking at information in Grid view, you can sort the information by clicking the heading of any column. Click it again to sort in reverse order.
Bits / Packets
On most Analyze charts, you can use the "Bits" and "Packets" check boxes at the top to specify which information you would like the chart to display.
Note that you can choose to display either Bits or Bytes under Administration > System > Preferences.
The Statistics legend gives you the minimum, maximum, and average statistics of the data. This will display the initial data retrieved for the selector.
Above the Statistics legend is a dropdown selector, which allows you to choose which of the metrics shown in the "over-time" chart you would like reflected in the Statistics legend. For example, if the line chart has Bits or Packets in the check boxes above the line chart, the selector over the Statistics legend will show the same choices, Bits or Packets.
Context-Sensitive Online Help
The "Help" link on the top-right corner of the NAM interface will bring you to the Help page for that particular window of the GUI.
In addition to the Help link on the top-right corner of each page, some pages also have a blue "i", which provides help for that specific subject.
Understanding How the NAM Works
The Cisco NAM product family addresses the following major functional areas:
•Network layer Traffic Analysis. The NAM provides comprehensive traffic analysis to identify what applications are running over the network, how much network resources are consumed, and who is using these applications. The NAM offers a rich set of reports with which to view traffic by Hosts, Application or Conversations. See the discussions about Dashboards, starting with Traffic Summary.
•Application Response Time. The NAM can provide passive measurement of TCP-based applications for any given server or client, supplying a wide variety of statistics like response time, network flight time, and transaction time.
•WAN Optimization insight. The NAM can provide insight into WAN Optimization offerings that compress and optimize WAN Traffic for pre- and post-deployment scenarios. This is applicable for Optimized and Passthru traffic.
•Voice Quality Analysis. The NAM provides application performance for real time applications like Voice and Video. The NAM can compute MOS, as well as provide RTP analysis for the media stream. See Media.
•Advanced Troubleshooting. The NAM provides robust capture and decode capabilities for packet traces that can be triggered or terminated based on user-defined thresholds.
•Open instrumentation. The NAM is a mediation and instrumentation product offering, and hence provides a robust API that can be used by partner products as well as customers that have home grown applications. See the Cisco Prime Network Analysis Module 5.1 API Programmer's Guide (contact your Cisco account representative for this document).
The NAM delivers the above functionality by analyzing a wide variety of data sources that include:
•Port mirroring technology like SPAN and RSPAN/ERSPAN. The NAM can analyze Ethernet VLAN traffic from the following sources: Ethernet, Fast Ethernet, Gigabit Ethernet, trunk port, or Fast EtherChannel SPAN, RSPAN, or ERSPAN source port
•NetFlow Data Export (NDE). The NAM can analyze NetFlow Data Export (NDE) from Managed Devices (Routers/Switches)
•Performance Agent (PA)
•Network Tap Device. Applies to Cisco NAM 2200 Series appliances only.
The Cisco NAM 5.1(2) retains the ability to use SNMP as a southbound interface for configuration and data retrieval from switches and routers. NAM 5.x moves away from RMON and toward web services and Netflow Data Export as the northbound interface for data objects. NAM 5.x will continue to support baseline manageability features of SNMP such as MIB-2 and IF-TABLE, and the health status and interface statistics that can be used by external products like Fault and Configuration Management offerings (for example, CiscoWorks LMS).
For more information about SPAN, RSPAN, and ERSPAN, see the "Configuring Local SPAN, RSPAN, and ERSPAN" chapter in the Catalyst 6500 Series Switch Software Configuration Guide.
For more general information about NDE, see this section in the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX.
Table 1-1 summarizes the traffic sources that are used for NAM monitoring.
Table 1-1 Summary of Traffic Sources for NAM Monitoring
NetFlow Data Export NDE (local)
NetFlow Data Export NDE (remote)
The next sections describe how the NAM uses the supported data sources:
•Understanding How the NAM Uses SPAN
•Understanding How the NAM Uses VACLs
•Understanding How the NAM Uses NDE
•Understanding How the NAM Uses WAAS
•Understanding How the NAM Uses PA
Understanding How the NAM Uses SPAN
A switched port analyzer (SPAN) session is an association of a destination port with a set of source ports, configured with parameters that specify the monitored network traffic. You can configure up to two SPAN sessions in a Catalyst 6500 or 7600 Routers chassis. Newer Cisco IOS images may support more than two SPAN sessions. Consult the Cisco IOS document for the number of SPAN sessions supported per switch or router.
The WS-SVC-NAM-1 platform provides a single destination port for SPAN sessions. The WS-SVC-NAM-2 platform provides two possible destination ports for SPAN and VLAN access control list (VACL) sessions. Multiple SPAN sessions to the NAM are supported, but they must be destined for different ports. The NAM destination ports for use by the SPAN graphical user interface (GUI) are named DATA PORT 1 and DATA PORT 2 by default. In the CLI, SPAN ports are named as shown in Table 1-2.
Table 1-2 SPAN Port Names
data port 1 and data port 2
For more information about SPAN and how to configure it on the Catalyst 6500 series switches, see the Catalyst 6500 Series Switch Software Configuration Guide:
For more information about SPAN and how to configure it on the Cisco 7600 series router, see the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX:
Note Due to potentially very high volume of ERSPAN traffic from the source, we recommend that you do not terminate the ERSPAN session on the NAM management port. Instead, you should terminate ERSPAN on the switch, and use the switch's SPAN feature to SPAN the traffic to NAM data ports.
Understanding How the NAM Uses VACLs
A VLAN access control list can forward traffic from either a WAN interface or VLANs to a data port on the NAM. A VACL provides an alternative to using SPAN; a VACL can provide access control based on Layer 3 addresses for IP and IPX protocols. The unsupported protocols are access controlled through the MAC addresses. A MAC VACL cannot be used to access control IP or IPX addresses.
There are two types of VACLs: one that captures all bridged or routed VLAN packets and another that captures a selected subset of all bridged or routed VLAN packets. Catalyst operating system VACLs can only be used to capture VLAN packets because they are initially routed or bridged into the VLAN on the switch.
A VACL can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or, with Release 12.1(13)E or later releases, a WAN interface. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, the VACLs apply to all packets and can be applied to any VLAN or WAN interface. The VACLs are processed in the hardware.
A VACL uses Cisco IOS access control lists (ACLs). A VACL ignores any Cisco IOS ACL fields that are not supported in the hardware. Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject to a number of features, such as access control (security), encryption, and policy-based routing. Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed packets.
After a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VACL. Packets can either enter the VLAN through a switch port or through a router port after being routed. Unlike Cisco IOS ACLs, the VACLs are not defined by direction (input or output).
A VACL contains an ordered list of access control entries (ACEs). Each ACE contains a number of fields that are matched against the contents of a packet. Each field can have an associated bit mask to indicate which bits are relevant. Each ACE is associated with an action that describes what the system should do with the packet when a match occurs. The action is feature dependent. Catalyst 6500 series switches and Cisco 7600 series routers support three types of ACEs in the hardware: IP, IPX, and MAC-Layer traffic. The VACLs that are applied to WAN interfaces support only IP traffic.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet coming into the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.
When configuring VACLs, note the following:
•VACLs and context-based access control (CBAC) cannot be configured on the same interface.
•TCP Intercepts and Reflexive ACLs take precedence over a VACL action on the same interface.
•Internet Group Management Protocol (IGMP) packets are not checked against VACLs.
Note You cannot set up VACL using the NAM interface.
For details on how to configure a VACL with Cisco IOS software, see the Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide.
For details on how to configure a VACL on a WAN interface and on a LAN VLAN, see VACL.
Understanding How the NAM Uses NDE
The NAM uses NetFlow as a format for the ongoing streaming of aggregated data, based on the configured set of descriptors or queries of the data attributes in NAM. NetFlow Data Export (NDE) is a remote device that allows you to monitor port traffic on the NAM; the NAM can collect NDE from local or remote switch or router for traffic analysis.
To use an NDE data source for the NAM, you must configure the remote device to export the NDE packets. The default UDP port is 3000, but you can configure it from the NAM CLI as follows:
email@example.com# netflow input port ?
<port> - input NDE port number
The distinguishing feature of the NetFlow v9 format, which is the basis for an IETF standard, is that it is template-based. Templates provide an extensible design to the record format, a feature that must allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.
For more detailed information about NAM and NetFlow, see NetFlow.
For more information on NetFlow, see http://www.cisco.com/go/netflow or the "Configuring NetFlow Data Export" chapter in the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX.
For specific information about creating and managing NDE queries, see the Cisco Network Analysis Module API Programmer's Guide 5.1 (contact your Cisco account representative if you need to refer to this document).
Understanding How the NAM Uses WAAS
Cisco Wide Area Application Services (WAAS) software optimizes the performance of TCP-based applications operating in a wide area network (WAN) environment and preserves and strengthens branch security. The WAAS solution consists of a set of devices called Wide Area Application Engines (WAEs) that work together to optimize WAN traffic over your network.
When client and server applications attempt to communicate with each other, the network devices intercepts and redirects this traffic to the WAEs to act on behalf of the client application and the destination server.
WAEs provide information about packet streams traversing through both LAN and WAN interfaces of WAAS WAEs. Traffic of interest can include specific servers and types of transaction being exported. NAM processes the data exported from the WAAS and performs application response time and other metrics calculations and enters the data into reports you set up.
The WAEs examine the traffic and using built-in application policies to determine whether to optimize the traffic or allow it to pass through your network not optimized.
You can use the WAAS Central Manager GUI to centrally configure and monitor the WAEs and application policies in your network. You can also use the WAAS Central Manager GUI to create new application policies so that the WAAS system will optimize custom applications and less common applications. Beginning with Cisco NAM 5.1(2), the Cisco NAM is accessible from within the Central Manager interface. The Cisco NAM integration with WAAS Central Manager provides for easier viewing of NAM reports that are directly associated with Application Response Time measurements through the WAN, in both WAAS optimized and non-optimized environments. See WAAS Central Manager.
For more information about WAAS data sources and managing WAAS devices, see Understanding WAAS.
Understanding How the NAM Uses PA
The Performance Agent (PA) can monitor interface traffic and collect, analyze, aggregate, and export key performance analytics to a Cisco Network Analysis Module for further processing and GUI visualization. PA integration with NAM enables you to have a lower cost way to gain visibility into Application Response Time at the branch. NAM integration with PA also reduces complexity of needing to manage a separate NAM product within the branch.
Using Cisco PA, you can gain visibility into application response time and traffic statistics at remote branches. It is supported on ISR 880, ISR 890, and ISR G2 platforms with Cisco IOS Software Release 15.1(4)T. Deployed with WAAS Express, this feature allows an end-to-end view into the WAN-optimized network, delivering a cost-effective and scalable solution.
PA has the ability to consolidate and filter information before it is exported, ensuring that only contextually-required data is exported and consumed versus all data. As an example, NetFlow Export supports a number of functions, including response time and traffic analysis. Instead of exporting multiple different flows, the PA has the intelligence to consolidate, filter, and export flow data that addresses the particular user's need. Besides consolidating and filtering information, PA's mediation capabilities also includes the ability to use key Cisco IOS-embedded functionality (for example, Embedded Event Manager, or Class-Based QoS) to enrich both PA functionality and router value.
For information about configuring PA data sources, see Managing ISR PA Devices.