Cisco Network Analysis Module (NAM) Traffic Analyzer User Guide, 5.0 January 2011 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS About This Guide CHAPTER 1 Overview xi 1-1 Introducing NAM Traffic Analyzer 5.
Contents Cisco WAAS NAM Virtual Service Blade CHAPTER 2 Setting Up The NAM Traffic Analyzer 1-20 2-1 Default Functions 2-1 Traffic Analysis 2-1 Application Response Time Metrics 2-2 Voice Signaling/RTP Stream Monitoring 2-2 Traffic Usage Statistics 2-3 Traffic 2-3 SPAN 2-3 About SPAN Sessions 2-3 Creating a SPAN Session 2-6 Editing a SPAN Session 2-8 Deleting a SPAN Session 2-9 Data Sources 2-9 SPAN 2-10 ERSPAN 2-10 VACL 2-17 NetFlow 2-18 WAAS 2-29 Understanding WAAS 2-29 Response Time Monitoring fro
Contents Setting RTP Stream Thresholds 2-45 Setting Voice Signaling Thresholds 2-46 Setting NDE Interface Thresholds 2-47 Editing an Alarm Threshold 2-48 Deleting a NAM Threshold 2-48 User Scenario 2-49 Data Export 2-49 NetFlow 2-49 Viewing Configured NetFlow Exports 2-50 Configuring NetFlow Data Export 2-51 Editing NetFlow Data Export 2-53 Scheduled Exports 2-53 Editing a Scheduled Export 2-54 Deleting a Scheduled Export 2-54 Custom Export 2-55 Managed Device 2-55 Device Information 2-55 NBAR Protocol Dis
Contents URL-based Applications 2-71 Example 2-72 Editing a URL-Based Application 2-73 Deleting a URL-based Application 2-73 Encapsulations 2-73 Monitoring 2-74 Aggregation Intervals 2-74 Response Time 2-76 Voice 2-76 RTP Filter 2-78 URL 2-78 Enabling a URL Collection 2-78 Changing a URL Collection 2-80 Disabling a URL Collection 2-80 WAAS Monitored Servers 2-80 Adding a WAAS Monitored Server 2-81 Deleting a WAAS Monitored Server 2-81 CHAPTER 3 Monitoring and Analysis 3-1 Navigation 3-2 Context Menus
Contents Filtering a URL Collection List Host Conversations 3-15 Network Conversation 3-15 Top Application Traffic 3-15 Application Traffic By Host 3-17 3-14 WAN Optimization 3-17 Top Talkers Detail 3-17 Application Performance Analysis 3-18 Transaction Time (Client Experience) 3-18 Traffic Volume and Compression Ratio 3-18 Average Concurrent Connections (Optimized vs.
Contents RTP Conversation CHAPTER 4 3-42 Capturing and Decoding Packet Data 4-1 Sessions 4-2 Viewing Capture Sessions 4-3 Configuring Capture Sessions 4-4 Software Filters 4-7 Creating a Software Filter 4-8 Editing a Software Capture Filter 4-11 Hardware Assisted Filters 4-12 Configuring a Hardware Filter 4-12 Files 4-15 Analyzing Capture Files 4-17 Error Scan 4-17 Downloading Capture Files 4-18 Deleting a Capture File 4-19 Deleting Multiple Files 4-19 Viewing Packet Decode Information 4-20 Browsing
Contents Capture Data Storage 5-8 Creating NFS Storage Locations 5-9 Editing NFS Storage Locations 5-10 Creating iSCSI Storage Locations 5-11 Editing iSCSI Storage Locations 5-11 Syslog Setting 5-12 SNMP Trap Setting 5-12 Creating a NAM Trap Destination 5-12 Editing a NAM Trap Destination 5-13 Deleting a NAM Trap Destination 5-13 Preferences 5-13 Diagnostics 5-14 System Alerts 5-14 Audit Trail 5-14 Tech Support 5-15 User Administration 5-16 Local Database 5-16 Recovering Passwords 5-16 Changing Predefined
Contents Understanding Traffic Patterns at the Network Layer 6-4 Understanding Traffic patterns for DiffServ-Enabled Networks 6-4 Using NAM to Evaluate Application-Level Performance Monitoring for TCP-Interactive Applications 6-4 Using NAM to Evaluate Application-Level Performance Monitoring for UDP Realtime Applications 6-5 Using NAM to Evaluate Potential Impact of WAN Optimization Prior to Deployment 6-5 Troubleshooting 6-5 Using NAM for Problem Isolation 6-5 Using NAM for SmartGrid Visibility 6-6 APPEN
About This Guide This guide describes how to use Cisco Network Analysis Module Traffic Analyzer 5.0 (NAM 5.0) software. This preface has the following sections: • Chapter Overview, page xi • Audience, page xii • Conventions, page xii • Notices, page xii • Obtaining Documentation and Submitting a Service Request, page xiii For a list of the platforms that Cisco NAM 5.0 supports, see Overview of the NAM Platforms, page 1-5.
About This Guide Audience This guide is designed for network administrators who are responsible for setting up and configuring Network Analysis Modules (NAMs) to monitor traffic and diagnose emerging problems on network segments. As a network administrator, you should be familiar with: • Basic concepts and terminology used in internetworking. • Network topology and protocols. • Basic UNIX commands or basic Windows operations.
About This Guide Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
About This Guide User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.
CH A P T E R 1 Overview This chapter provides information about the Cisco Network Analysis Module Traffic Analyzer, Release 5.0 and describes the new features and how to navigate the interface. This chapter contains the following sections: • Introducing NAM Traffic Analyzer 5.
Chapter 1 Overview Introducing NAM Traffic Analyzer 5.0 Cisco NAM includes an embedded, web-based Traffic Analyzer GUI that provides quick access to the configuration menus and presents easy-to-read performance monitoring and analysis on web, voice, and video traffic. Dashboards The Cisco NAM Traffic Analyzer, Release 5.0 introduces a redesigned interface and user experience, with more intuitive workflows and interactive reporting capabilities.
Chapter 1 Overview Introducing NAM Traffic Analyzer 5.0 a set of subnets specified by an address prefix and mask, or using other criteria such as a remote device data source (for example, remote WAE device and segment information). If you want to limit the view of your network analysis data to a specific city, a specific building, or even a specific floor of a building, you can use the sites function.
Chapter 1 Overview Introducing NAM Traffic Analyzer 5.0 With NAM 5.0, the NBI is expanded to include a Representational State Transfer (REST) web service for configuration, and retrieval of data pertaining to sites. Also introduced is the capability to export high-volume performance data in the form of Netflow v9 (see the next section, “NetFlow v9 Data Export”). Note REST does not support retrieval of performance data for sites. REST is a set of guidelines for doing web services over HTTP.
Chapter 1 Overview Overview of the NAM Platforms SNMP v3 Support -- NAM to Router/Switch Support Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. The security features provided in SNMPv3 are: • Message integrity—Ensuring that a packet has not been tampered with in-transit. • Authentication—Determining the message is from a valid source.
Chapter 1 Overview Logging In Logging In Log into the NAM by using the username and password that the NAM installer provided you, and click the Login button. If you are having problems logging in: • Make sure you are using a browser that is currently supported for use with NAM 5.0: English Firefox 3.6+ or Microsoft Internet Explorer 8+ (Microsoft Internet Explorer 7 is not supported) • Make sure you are using a platform that is currently supported for use with NAM 5.
Chapter 1 Overview Navigating the User Interface Monitor: See “summary” views that allow you to view network traffic, application performance, site performance, and alarms at a glance. Analyze: See various “over-time” views for traffic, WAN optimization, response time, managed device, and media functions. Capture: Configure multiple sessions for capturing, filtering, and decoding packet data, manage the data in a file control system, and display the contents of the packets.
Chapter 1 Overview Navigating the User Interface Context Menus On most charts that appear on the dashboards, you can left-click on a colored bar of data to get a context menu, with which you can get more detailed information about that item. The example above is from the Traffic Summary Dashboard, Top N Applications chart. The description to the right of “Selected Application” in the menu shows what item you had clicked on (in this case, “snmp”).
Chapter 1 Overview Navigating the User Interface Interactive Report On most Monitoring and Analyze screens, you can use the Interactive Report on the left side of the screen to view and change the parameters of the information displayed in the charts. You can redefine the parameters by clicking the Filter button on the left side of the Interactive Report. The reporting time interval selection changes depending upon the dashboard you are viewing, and the NAM platform you are using.
Chapter 1 Overview Navigating the User Interface Mouse-Over for Details When in Chart view, you can mouseover the chart to get more detailed information about what occurred at a specific time. Many of the line charts in NAM are “dual-axis,” meaning there is one metric shown on the left axis of the chart and another metric shown on the right axis of the chart. For example, in the figure above, Total Bytes per second is shown on the left axis, and Total Packets per second is shown on the right axis.
Chapter 1 Overview Navigating the User Interface Sort Grid When looking at information in Grid view, you can sort the information by clicking the heading of any column. Click it again to sort in reverse order. Bytes / Packets On most Analyze charts, you can use the “Bytes” and “Packets” check boxes at the top to specify which information you would like the chart to display. Statistics The Statistics legend gives you the minimum, maximum, and average statistics of the data.
Chapter 1 Overview Understanding How the NAM Works Above the Statistics legend is a dropdown selector, which allows you to choose which of the metrics shown in the “over-time” chart you would like reflected in the Statistics legend. For example, if the line chart has Bytes or Packets in the check boxes above the line chart, the selector over the Statistics legend will show the same choices, Bytes or Packets.
Chapter 1 Overview Understanding How the NAM Works • Advanced Troubleshooting. The NAM provides robust capture and decode capabilities for packet traces that can be triggered or terminated based on user-defined thresholds. • Open instrumentation. The NAM is a mediation and instrumentation product offering, and hence provides a robust API that can be used by partner products as well as customers that have home grown applications. See the Cisco NAM 5.0 API Programmer’s Guide.
Chapter 1 Overview Understanding How the NAM Works • Understanding How the NAM Uses NDE, page 1-15 • Understanding How the NAM Uses WAAS, page 1-16 Understanding How the NAM Uses SPAN A switched port analyzer (SPAN) session is an association of a destination port with a set of source ports, configured with parameters that specify the monitored network traffic. You can configure up to two SPAN sessions in a Catalyst 6500 or 7600 Routers chassis.
Chapter 1 Overview Understanding How the NAM Works A VACL can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or, with Release 12.1(13)E or later releases, a WAN interface. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, the VACLs apply to all packets and can be applied to any VLAN or WAN interface. The VACLs are processed in the hardware.
Chapter 1 Overview Understanding How the NAM Works To use an NDE data source for the NAM, you must configure the remote device to export the NDE packets. The default UDP port is 3000, but you can configure it from the NAM CLI as follows: root@nam2x-61.cisco.com# netflow input port ? - input NDE port number The distinguishing feature of the NetFlow v9 format, which is the basis for an IETF standard, is that it is template-based.
Chapter 1 Overview Configuration Overview Configuration Overview Table 1-3. “Configuration Overview” leads you through the basic configuration steps you can follow for the NAM Traffic Analyzer 5.0. These are not necessarily in the order in which you need to perform them, and many are optional features. Table 1-3 Configuration Overview Action Description GUI Location User Guide Location Install the NAM -- -- Platform-specific Installation and Configuration Guides (http://www.cisco.
Chapter 1 Overview Configuration Overview Table 1-3 Configuration Overview (continued) Action Description GUI Location User Guide Location Verify that Voice/RTP Stream Traffic is being gathered After the NAM Traffic Analyzer is started, Voice/RTP stream traffic will automatically start being monitored. The NAM enables you to monitor all RTP stream traffic among all SPANed traffic, without having to know the signalling traffic used in negotiating the RTP channels.
Chapter 1 Overview Configuration Overview Table 1-3 Configuration Overview (continued) Action Description GUI Location Configure Capture Capture allows you to set up up to Capture > Packet ten sessions for capturing, filtering, Capture/Decode and decoding packet data, manage the data in a file control system, and display the contents of the packets.
Chapter 1 Overview Configuration Overview Cisco WAAS NAM Virtual Service Blade To set up the NAM Traffic Analyzer, Release 5.0 on a Cisco WAAS NAM Virtual Service Blade, you need to follow these steps: Step 1 Confirm that you have completed the steps in Chapter 4, “Configuring NAM-WAAS Integration” of the Cisco WAAS NAM Virtual Service Blade Installation and Configuration Guide, specifically for “Configuring WAAS to Send Flow Information to NAM VSB” and “Configuring WAAS Data Source in NAM.
CH A P T E R 2 Setting Up The NAM Traffic Analyzer This chapter provides information about functions that will begin automatically, and other setup tasks you will need to perform for NAM Traffic Analyzer Release 5.0.
Chapter 2 Setting Up The NAM Traffic Analyzer Default Functions Application Response Time Metrics The NAM Traffic Analyzer software provides response time measurements and various user-experience-related metrics, which are computed by monitoring and time-stamping packets sent from the user to the server providing services. These Application Response Time Metrics are available to view under the menu Analyze > Response Time. You can view response times for applications, networks, servers, and clients.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Traffic Usage Statistics The NAM Traffic Analyzer provides traffic statistics broken out by application, host, conversation, VLAN, and DSCP code point. Summary dashboards show Top N charts broken out by these attributes, as well as detailed views in tabular form.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Before you can monitor data, you must direct specific traffic flowing through a switch to the NAM for monitoring purposes. Use the methods described in Table 2-1, Methods of Directing Traffic. Table 2-1 Methods of Directing Traffic Method Usage Notes Switch SPAN You can direct a set of physical ports, a set of VLANs, or a set of EtherChannels to the NAM.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Table 2-3, Active SPAN Sessions Dialog, describes the fields on the SPAN Sessions screen. Table 2-3 Active SPAN Sessions Dialog Column Description Session ID Monitor session ID of the SPAN. Note For switches running Cisco IOS software only. Type Type of SPAN source Source Source of the SPAN session. When creating a SPAN session, you can select all ports regardless of their state.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Note Deleting or editing a SPAN session that has multiple SPAN destinations will affect all SPAN destinations. Table 2-4 lists the possible SPAN states. The SPAN state displays in parenthesis in the Source - Direction column.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Step 2 Click the Create button. The Create SPAN Session Dialog displays (the fields are described in Table 2-5, Create SPAN Session Dialog). Switch Port is the default for the SPAN Type. Step 3 Select the appropriate information. Table 2-5 Create SPAN Session Dialog Field Description Monitor Session Monitor session of the SPAN.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Editing a SPAN Session You can only edit SPAN sessions that have been directed to the NAM. Note This section applies to WS-SVC-NAM-1 and WS-SVC-NAM-2 devices, and the NAM 2220 and 2204 appliances. Note Editing an existing SPAN session that has multiple SPAN destinations will affect all destinations. To edit a SPAN session: Step 1 Choose Setup > Traffic > SPAN Sessions. The Active SPAN Sessions dialog box displays.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Deleting a SPAN Session Note This section does not apply to NME-NAM devices. Note Deleting a SPAN session that has multiple SPAN destinations will affect all destinations. To delete a SPAN session, select it from the Active SPAN Session dialog box, then click Delete. Data Sources Data sources are the source of traffic for the NAM Traffic Analyzer.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic The fields are explained in Table 2-7, NAM Data Sources. Table 2-7 NAM Data Sources Field Description Device DATA PORT if it is a local physical port, or the IP address of the learned device. Type The source of traffic for the NAM. DATA PORT if it is a local physical port. WAAS, ERSPAN, or NETFLOW if a data stream exported from the router or switch or WAE device. Activity Shows the most recent activity. Status ACTIVE or INACTIVE.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic • Deleting ERSPAN Data Sources Using the Web GUI, page 2-14 • Deleting ERSPAN Data Sources Using the CLI, page 2-15 • Configuring ERSPAN on Devices, page 2-16 Enabling Auto-Creation of ERSPAN Data Sources Using the Web GUI There is a convenient “auto-create” feature for data sources, which is enabled by default.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic The NAM will now automatically create a ERSPAN data source for each device that sends ERSPAN packets to it. The data source will have the specific Session ID that is populated by the device in the ERSPAN packets sent to the NAM. If the same device happens to send ERSPAN packets to the NAM with different Session ID values, a separate data source will be created for each unique Session ID sent from the device.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Creating ERSPAN Data Sources Using the CLI To manually configure a ERSPAN data source on the NAM using the CLI (for example if the auto-creation feature is turned off), use the following steps. Note that when using the CLI, there are two separate phases involved: First, you must create a “device” entry on the NAM and remember the device ID, and then you must create a data source entry using this device ID.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Step 7 Enter ? to see all the command options available, as in the example below: root@172-20-104-107.cisco.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Step 3 Click the Delete button along the bottom of the window. Deleting ERSPAN Data Sources Using the CLI To delete a ERSPAN data source using the CLI, use the following steps. Note that when using the CLI, there are generally two separate phases involved. First you should delete the data source, then delete the device if you have no other data sources using the same device (for example with a different Engine ID value).
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Step 4 Use the no device command to delete the device: root@172-20-104-107.cisco.com# no device 1 Sucessfully deleted device 1 root@172-20-104-107.cisco.com# Note that if the auto-creation mode is on, and the device continues to send ERSPAN packets to the NAM, the data source (and device entry) will be recreated again automatically as soon as the next ERSPAN packet arrives.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic • aa.bb.cc.dd is the IP address defined at the destination You can now connect to the NAM to monitor and capture traffic of the Data Port 2 data source. Sending ERSPAN Data Directly to the NAM Management Interface To send the data directly to the NAM management IP address (management-port), configure the ERSPAN source session. No ERSPAN destination session configuration is required.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Cat6509(config)# vlan access-map wan 100 Cat6509(config-access-map)# match ip address 100 Cat6509(config-access-map)# action forward capture Cat6509(config-access-map)# exit Cat6509(config)# vlan filter wan interface AM6/0/0.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic As a consumer, the NAM can receive NetFlow packets on its management port from devices such as Cisco routers and switches. Those records are stored in its collection database as if that traffic had appeared on one of the NAM data ports. The NAM understands NetFlow v1, v5, v6, v7, v8, and v9. Incoming NetFlow data is parsed by the NAM, stored in its internal database, and presented in the GUI in the same way as traffic from other data sources.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Figure 2-2 Sample NetFlow Network Host A Host C a b c Router 91629 Host B Table 2-8, Reporting Flow Records lists the reported flows if NetFlow is enabled on interface a.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic For Devices Running Cisco IOS Step 1 Select the interface on which you wish to turn on routed flow cache. Prompt# configure terminal Prompt(config)# interface Prompt(config-if)# ip route-cache flow Step 2 Export routed flow cache entries to UDP port 3000 of the NAM. Prompt(config)# ip flow-export destination 3000 Note Newer Cisco IOS images support Flexible NetFlow.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Step 2 • protocol-port • prefix Enable the aggregation cache. Prompt(config-flow-cache)# enable Step 3 Export the flow entries in the aggregation cache to NAM UDP port 3000. Prompt(config-flow-cache)#export destination 3000 For Devices That Support NDE Export From Bridged-Flows Statistics Step 1 Enable bridged-flows statistics on the VLANs.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Step 4 Click the Submit button. Enabling Auto-Creation of NetFlow Data Sources Using the CLI Configuration of the auto-create feature is also possible using the NAM CLI. Remember that the auto-create feature is turned ON by default, so in most cases these steps are not necessary.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Step 6 (Optional) If you know the specific value of the Engine ID on the device you would like to monitor, check the “Engine” check box, and enter the value of the Engine ID.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Creating NetFlow Data Sources Using the CLI To manually configure a NetFlow data source on the NAM using the CLI, for example if the auto-creation feature is turned off, use the following steps. Note that when using the CLI, there are two separate phases involved. First you must create a “device” entry on the NAM and remember the device ID. Then you must create a data source entry using this device ID.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic V3 V3 V3 V3 V3 SECURITY LEVEL AUTHENTICATION AUTH PASSPHRASE PRIVACY PRIV PASSPHRASE : No authentication, no privacy : MD5 : : DES : root@172-20-104-107.cisco.com(sub-device-netflow)# Step 6 Type exit to come out of the subcommand mode and create the device. Remember the ID value that was assigned to the new device, you will need it to create the data source! root@172-20-104-107.cisco.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Step 13 Type exit to come out of the subcommand mode and create the data source: root@172-20-104-107.cisco.com(sub-data-source-netflow)# exit Data source created successfully, ID = 3 The data source is now created, and NDE records from the device will be received and accepted by the NAM as they arrive. Deleting NetFlow Data Sources Using the Web GUI To delete an existing NetFlow data source, use the following steps.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic root@172-20-104-107.cisco.com# Step 2 Use the no data-source command to delete the data source: root@172-20-104-107.cisco.com# no data-source 3 Successfully deleted data source 3 root@172-20-104-107.cisco.com# Step 3 Show all devices so you can find the ID of the one you want to delete: root@172-20-104-107.cisco.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Table 2-10 Device System Information Dialog Box (continued) Field Description Contact Contact information for the device. SNMP read from device SNMP read test result. For the local device only. If the device is sending NetFlow Version 9 (V9) and the NAM has received the NDE templates, then a V9 Templates button appears below the Device System Information window. Note NetFlow v9 templates do not appear in all NDE packets.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic For more information about WAAS and configuring the WAAS components, see the document: Cisco Wide Area Application Services Configuration Guide, OL-16376-01 http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v4019/configuration/guide/ waas4cfg.html Response Time Monitoring from WAAS Data Sources The NAM processes the TCP flow data exported from the WAAS and performs application response time (ART) calculations and reports.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Table 2-11 WAAS Data Collection Points (continued) Setting Description Server This setting configures the WAE device to export the original (LAN side) TCP flows from its servers to NAM for monitoring. To monitor this point, configure a Server data source. Passthrough This setting configures the WAE device to export the TCP flows that are passed through unoptimized. You can also configure a data source to use Export Passthrough data.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Deployment Scenarios Table 2-12, WAAS Data Source Configurations lists six different deployment scenarios you might consider to monitor the optimized traffic on your WAAS network. Scenario #1 is typical when using WS-SVC-NAM-1 and WS-SVC-NAM-2 blades. Scenario #2 is typical when using NME-NAM devices.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic You must then configure the WAAS segments you want to monitor as WAAS data sources: Client, Client WAN, Server WAN, and/or Server. See Editing WAAS Data Sources, page 2-34, for more detailed information. You can also use the Central Manager (CM) to centrally issue WAAS CLI commands to configure a large number of WAEs at one time.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Editing WAAS Data Sources The NAM uses WAAS data sources to monitor traffic collected from different WAAS segments: Client, Client WAN, Server WAN, and Server. Each WAAS segment is represented by a data source. You can set up the NAM to monitor and report other traffic statistics of the WAAS data sources such as application, host, and conversation information in addition to the monitored Response Time metrics.
Chapter 2 Setting Up The NAM Traffic Analyzer Traffic Auto Create of New WAAS Devices If you have numerous WAE devices, you can set up the NAM to configure newly discovered WAE devices using a predefined configuration template using the NAM Auto Config option. Note If most of your WAE devices are edge WAE, you might want to set the auto config to be that of the edge device, then manually configure the data center WAE. For example, select the Client segment for monitoring.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms The default inspects the entire packet. The second option inspects all segments except the ISL portion of the packet. The third option inspects all segments except the ISL, MAC, and VLAN portions of the packet. The fourth option inspects all segments except the ISL, MAC, and VLAN portions of the packet. The final (bottom) option inspects only the UDP/TCP and payload segments of the packet.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Note You could see two alarms for the same occurrence if both the source and the destination are in the same site. When you choose Setup > Alarms > Actions, you will see events that have been created. See Table 2-13, Alarm Configuration for descriptions of the fields. Table 2-13 Alarm Configuration Field Description Name Name given to the alarm at setup. Email If turned on, will show “Enable”. If not turned on, will show “Disable.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms To configure e-mail alarm actions: Step 1 Choose Setup > Alarms > Actions. The Alarm Action page displays any configured actions. If none of the four actions (e-mail, trap, capture, or syslog) are configured, you will see “No data available.” Step 2 Click the Create button. Step 3 Enter a Name for the action (up to 63 characters).
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Step 1 Choose Setup > Alarms > Actions. The Alarm Action table displays any configured Alarms. Step 2 Choose the alarm event you want to remove, and click the Delete button. Thresholds The NAM Traffic Analyzer will inspect incoming performance records and apply a configured set of thresholds to the most recent interval of data to detect threshold violations.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Table 2-14 Threshold Configuration Field Description Severity High or Low (user-configured classification). These alarms are displayed on the Alarm Summary dashboard (Monitor > Overview > Alarm Summary). You can choose to view High, Low, or High and Low alarms. Action Rising action and Falling action (if configured). Alarms are predefined conditions based on a rising data threshold, a falling data threshold, or both.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Table 2-15 Host Alarm Thresholds (continued) Field Description Host Choose a host from the list. You can type in the name of the host if the drop-down list does not contain the desired host. Application Choose an application from the list. You can enter the first few characters to narrow the selection in the drop-down list. DSCP Choose a DSCP value from the list.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Table 2-16 Conversation Alarm Thresholds (continued) Field Description Severity Choose High or Low. These will display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms. Source Site/Host Make a selection from the drop-down lists, or leave as “Any.” See Sites, page 2-58 for information on setting up a site.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Table 2-17 Application Alarm Thresholds (continued) Field Description Severity Choose High or Low. These will display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms. Actions From the lists, choose a Rising action and a Falling action (optional). See Alarm Actions, page 2-36 for information on setting up alarm actions.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Table 2-18 Response Time Thresholds (continued) Field Description Actions From the lists, choose a Rising action and a Falling action (optional). See Alarm Actions, page 2-36 for information on setting up alarm actions. Response Time Metrics Choose a metric from the list, and then enter a Rising threshold and a Falling threshold. For the Packets and Bytes-related metrics, the entry is per second. For the time-related metrics, the unit is ms.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Note If you leave a selection blank, it means that that parameter will not be considered. If you select “Any”, it will use any of the selections for that parameter, if encountered. Step 4 Click Submit to set the thresholds, click Reset to reset the thresholds to their default value, or click Cancel to remove any changes you might have made. Step 5 When finished, click Submit.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Table 2-20 RTP Streams Thresholds (continued) Field Description RTP Stream Metrics Choose a metric from the list: • Jitter: Variation of packet arrival time compare to expected arrival time. • Adjusted packet loss percent: Percent of packet loss which includes packets actually lost and packets that arrived beyond the NAM expected buffering capability of the endpoint.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Step 2 Click the Create button and choose Voice Signaling tab. Step 3 The Voice Signaling Alarm Threshold Configuration window displays. Fill in the fields as appropriate. Table 2-21, Voice Signaling Thresholds describes the fields available under the Voice Signaling Metrics drop-down menu. Table 2-21 Voice Signaling Thresholds Field Description Name Give the Voice Signaling Alarm Threshold a name. Severity Choose High or Low.
Chapter 2 Setting Up The NAM Traffic Analyzer Alarms Table 2-22 Field Description Direction Choose Ingress or Egress. Severity Choose High or Low. These will display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms. Actions Choose a Rising action and a Falling action from the lists (optional). See Alarm Actions, page 2-36 for information on setting up alarm actions.
Chapter 2 Setting Up The NAM Traffic Analyzer Data Export User Scenario If you want the NAM to notify you of any violations of Response Time metrics for a particular server, and then initiate a packet capture, complete the following steps: Step 1 Step 2 Step 3 Set up the e-mail and capture settings. a. Choose Administration > System > E-Mail Setting to define the e-mail settings. a. Choose Capture > Packet Capture/Decode > Sessions and create a capture session for this particular server.
Chapter 2 Setting Up The NAM Traffic Analyzer Data Export NetFlow collects traffic statistics by monitoring packets that flow through the device and storing the statistics in the NetFlow table. NDE converts the NetFlow table statistics into records, and exports the records to an external device, which is called a NetFlow collector. The NAM sends out NDE packets only in NDE v9 format.
Chapter 2 Setting Up The NAM Traffic Analyzer Data Export Figure 2-6 NetFlow Exports Screen Already defined NetFlow Exports will be listed on the screen. If you hover over the “quick view” arrow icon next to the Record Type, as shown in Figure 2-4, a detailed view of the filter details of the selected NetFlow export will display. The fields are described in Table 2-23.
Chapter 2 Setting Up The NAM Traffic Analyzer Data Export Table 2-23 NetFlow Exports Fields (continued) Field Description Export Record Type The record types supported by NAM for NetFlow are: Export Interval (min) Options (button) • Application • Host • ART Client Server Application • Application Conversations • Network Conversations • RTP Metrics Choose the desired export time interval (1, 5, 10, 15, 30, or 60 minutes).
Chapter 2 Setting Up The NAM Traffic Analyzer Data Export Step 4 Click the Submit button to save the configuration, or click the Reset button to clear the fields, or click the Cancel button to exit the screen without configuration. Editing NetFlow Data Export Step 1 Choose Setup > Data Export > NetFlow. Step 2 Highlight the export you want to edit and click the Edit button. Step 3 Make the desired changes.
Chapter 2 Setting Up The NAM Traffic Analyzer Data Export With NAM Traffic Analyzer 5.0, you can only configure one e-mail address. Note Step 6 Choose the delivery option (HTML or CSV). Step 7 Enter the report description, which will appear at the end of the filename of the report delivered to you.
Chapter 2 Setting Up The NAM Traffic Analyzer Managed Device Custom Export You can enable Custom Export to send response time data to an external reporting console such as NetQoS SuperAgent. After you enable Custom Export, you may also want to enable the “Export Passthrough Response Time” option when creating a WAAS Data Source (Setup > NAM Data Sources > Auto Create).
Chapter 2 Setting Up The NAM Traffic Analyzer Managed Device Table 2-24 Switch Information (continued) Field Description Contact Contact name of the network administrator for the switch. SNMP read from switch SNMP read test result. SNMP write to switch SNMP write test result. Mini-RMON on switch For Cisco IOS devices, displays the status if there are any ports with Mini-RMON configured (Available) or not (Unavailable). NBAR on switch Displays if NBAR is available on the switch.
Chapter 2 Setting Up The NAM Traffic Analyzer Managed Device Table 2-25 Router/Managed Device System Information (continued) Field Description Verify String Verify the SNMP . Enable SNMP V3 Check the check box to enable SNMP Version 3 (with NAM 5.0, you have the ability to manage devices with SNMPv3). If SNMPv3 is not enabled, the community string is used. Mode: No Auth, No Priv SNMP will be used in a mode with no authentication and no privacy.
Chapter 2 Setting Up The NAM Traffic Analyzer Network If NBAR Protocol Discovery is enabled, the NBAR Interfaces window lists known interfaces by name and type. Table 2-26, NBAR Interface Details describes the fields on the screen. Table 2-26 NBAR Interface Details Field / Operation Description Enable (check box) Check indicates that NBAR is enabled. Interface Name of the interface. Depending on the IOS running on the Supervisor, port names are displayed differently.
Chapter 2 Setting Up The NAM Traffic Analyzer Network The site definition is very flexible and can accommodate various scenarios. The site definition is used not only for viewing of data, but for data export and data retention as well.
Chapter 2 Setting Up The NAM Traffic Analyzer Network Specifying a Site Using Multiple Rules You can define a site using a combination of multiple rules described above. For example, if a site has both optimized and non-optimized traffic, it can be defined using a combination of WAAS data sources and a subnet from a NDE data source.
Chapter 2 Setting Up The NAM Traffic Analyzer Network The fields on this screen are described in Table 2-27, Sites Screen. Table 2-27 Sites Screen Field Description Name Name of the site. Description Description of what the site includes. Rule Lists the first rule assigned to the selected site. If you see periods next to the site rule (...), then multiple rules were created for that site.
Chapter 2 Setting Up The NAM Traffic Analyzer Network See Figure 2-7 for an example. Figure 2-7 Site Configuration Screen The fields are defined below in Table 2-28, Site Configuration Screen Fields. Table 2-28 Site Configuration Screen Fields Field Description Name Unique text string for naming a site. Description Optional text string for describing site. Disable Site (check box) If you check this check box, the NAM will skip this site when classifying traffic.
Chapter 2 Setting Up The NAM Traffic Analyzer Network Step 4 Click the Submit button. Note The “Unassigned” site (with a description of “Unclassified hosts”) includes any that do not match any of your site configurations. Sites are classified at the time of packet processing. Subnet Detection When you click the Detect button at Setup > Network > Sites > Sites Configuration, the NAM will look for subnets detected within in the past hour.
Chapter 2 Setting Up The NAM Traffic Analyzer Network NDE Interface Capacity After you have set up NetFlow data sources (see NetFlow, page 2-18), you can go to the NDE Interface Capacity screen at Setup > Network > NDE Interface Capacity to specify the speed of each interface. This allows the NAM to calculate interface utilization on the NDE Interface Traffic Analysis screen (Analyze > Traffic > NDE Interface).
Chapter 2 Setting Up The NAM Traffic Analyzer Network These topics help you set up and manage the DSCP groups: • Creating a DSCP Group, page 2-64 • Editing a DSCP Group, page 2-66 • Deleting a DSCP Group, page 2-66 Creating a DSCP Group To create a DSCP Group: Step 1 Choose Setup > Network > DSCP Groups. The DSCP Groups table displays. Step 2 Click the Create button. The DSCP Group Configuration window displays.
Chapter 2 Setting Up The NAM Traffic Analyzer Classification Table 2-32 Step 4 DSCP Group Label Formats (continued) DSCP Format (DSCP 0 through DSCP 63) AF/EF/CS Format Bit Field Format DSCP 18 AF21 010010 DSCP 20 AF22 010100 DSCP 22 AF23 010110 DSCP 24 CS3 011000 DSCP 26 AF31 011010 DSCP 28 AF32 011100 DSCP 30 AF33 011110 DSCP 32 CS4 100000 DSCP 34 AF41 100010 DSCP 36 AF42 100100 DSCP 38 AF43 100110 DSCP 40 CS5 101000 DSCP 46 EF 101110 DSCP 48 CS6 110000 D
Chapter 2 Setting Up The NAM Traffic Analyzer Classification The NAM enables the selection of the "better" application identifier, wherein "better" is defined as the deeper inspection to be used for application classification. You can also manually select the preferred inspection method. For example, the NBAR Application ID inspection may report a "better" classification than the NAM’s Protocol Directory, and so you may want to use the NBAR Application ID instead.
Chapter 2 Setting Up The NAM Traffic Analyzer Classification Table 2-33, Applications describes the fields on the Applications setup page. Table 2-33 Applications Field Description Application Standard protocols, or name given by the user (if user-created). Protocol/Port Application protocol and port. The port is an arbitrary number you assign to handle the additional ports for the protocol family. This protocol number must be unique so it does not conflict with standard protocol/port assignments.
Chapter 2 Setting Up The NAM Traffic Analyzer Classification This allows you to configure applications consistently across multiple NAMs, so that the same user-created application is exported with the same value. Step 5 Choose a protocol family from the list: • CISCO-SNAP • DCE-RPC • ETHER2 • IP • LLC • SCTP-PORT • SCTP-PPI • SUN-RPC • TCP • UDP Choose the the type of traffic you want to create the additional protocol to handle.
Chapter 2 Setting Up The NAM Traffic Analyzer Classification To edit an application: Step 1 Choose Setup > Classification > Applications. Step 2 Select the application to edit, and click Edit. The Application Configuration window displays. Step 3 Make the desired changes (you will only be able to change the name and protocol/port/port range). Step 4 Do one of the following: • To accept the changes, click Submit. • To leave the configuration unchanged, click Cancel.
Chapter 2 Setting Up The NAM Traffic Analyzer Classification Editing an Application Group To edit an application group: Step 1 Choose Setup > Classification > Application Groups. Step 2 Select the Application Group by clicking the radio button, then click Edit. Step 3 Make the necessary changes, then click Submit to save your changes, or click Reset to cancel. Deleting an Application Group To delete an application group, simply select the application and then click the Delete button.
Chapter 2 Setting Up The NAM Traffic Analyzer Classification Step 1 Choose Setup > Classification > URL-based Applications. Step 2 Click Create. The Create URL-based Application window displays. Enter values in the fields according to Table 2-34, URL-Based Applications. Table 2-34 URL-Based Applications Field Description Index A unique number (1-64) of each URL-based application. You can define up to 64 URL-based applications in NAM.
Chapter 2 Setting Up The NAM Traffic Analyzer Classification See Figure 2-9 for an example of creating a URL-based application. Figure 2-9 Example of Creating a URL-Based Application Editing a URL-Based Application To edit URL-based applications: Step 1 Choose Setup > Classification > URL-based Applications. Step 2 Select a radio button and click Edit. Note When editing a URL-based application, the index can not be changed.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring Encapsulations Using Encapsulation gives you increased flexibility when trying to monitor (such as counting or grouping) different types of application traffic. The encapsulation settings affect how traffic of certain IP based tunneling protocols are treated in the NAM.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring • URL, page 2-78 • WAAS Monitored Servers, page 2-80 Aggregation Intervals The NAM Traffic Analyzer has short-term and long-term aggregation intervals (referred to as long-term reporting in NAM 4.x). In NAM Traffic Analyzer Release 5.0, the aggregated data will be displayed in the dashboards if the query is longer than one day. The purpose of gathering short term aggregation interval data is for troubleshooting.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring The aggregation intervals determine how much data can be stored in the NAM database. See Table 2-35, Data Retention for information about data retention.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring Step 5 Accept the default settings or change the settings to the values you want to monitor. Click Submit to save your changes, or click Reset to cancel. Voice After you set up the NAM to monitor voice data, you will be able to view the collected voice data under the Analyze > Media menu in the NAM. For more information on viewing the voice data, see Media, page 3-37.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring Table 2-38 Note Step 4 Maximum and Default Voice/Video and RTP Stream Parameters per Platform Field 2220 Appliance 2204 Appliance NAM-2(x) NAM-1(x) NME-NAM Known Phones 10,000 (5,000) 3,500 (1,750) 2,000 (1,000) 1,000 (500) Phone History 25,000 (12,500) 7,000 (3,500) 5,000 (2,500) 2,500 (1,250) 600 (300) 250 (125) To report jitter and packet loss for the SCCP protocol, you must enable CDR on Cisco Unified CallManager.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring • Disabling a URL Collection Enabling a URL Collection To enable a URL collection: Step 1 Choose Setup > Monitoring > URL. The URL screen displays. Figure 2-10 Step 2 Check the Enable check box to initiate URL Collection. Note Step 3 URL Collection Configuration Dialog Box The collection will not begin until you click Submit. Provide the information described in Table 2-39, URL Collection Configuration Dialog Box.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring : Table 2-39 URL Collection Configuration Dialog Box Element Description Data Source Identifies type of traffic incoming Select one of the options from the drop from the application. down box. Max Entries Maximum number of URLS to collect. Match only The application URL to match. Step 4 Check the Recycle Entries check box to recycle entries.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring Disabling a URL Collection To disable a URL collection: Step 1 Choose Setup > Monitoring > URL Collection. Step 2 Uncheck the Enable check box. Step 3 Click Submit. WAAS Monitored Servers WAAS monitored servers specify the servers from which WAAS devices export traffic flow data to the NAM monitors. To enable WAAS monitoring, you must list the servers to be monitored by the NAM using the WAAS device's flow monitoring.
Chapter 2 Setting Up The NAM Traffic Analyzer Monitoring The Add WAAS Server(s) dialog box displays. Step 4 Enter the server IP address in the Server Address field. You can paste multiple IP addresses here as well. Step 5 Click Submit. Deleting a WAAS Monitored Server To delete a WAAS monitored server data source: Step 1 Choose Setup > Monitoring > WAAS Servers. The WAAS Servers page displays any WAAS monitored servers. Step 2 Select the monitored WAAS server to delete, then click Delete.
CH A P T E R 3 Monitoring and Analysis The Cisco NAM Traffic Analyzer Release 5.0 introduces a redesigned interface and user experience, with more intuitive workflows and interactive reporting capabilities. There are two types of dashboards in NAM 5.0: One type is the “summary” views found under the Monitor menu, and the other type is the “over time” views found under the Analyze menu.
Chapter 3 Monitoring and Analysis Navigation Navigation Context Menus On most of the dashboards, you can left-click on the colored bar of data to get a context menu, with which you can get more detailed information about one particular application. The description to the right of “Selected Application” in the menu shows what item you had clicked on (in the case above, “ftp”). The menu items above the separator line are specific to the selected element of the Top N chart.
Chapter 3 Monitoring and Analysis Navigation • Maximum interval for up to 1 hour is supported for the following dashboards: RTP Streams, Voice Call Statistics, Calls Tables, RTP Conversations, Host Conversations, Conversations, and Response Time Details Views. The “From” and “To” fields are only enabled when the Time Range is set to “Custom.
Chapter 3 Monitoring and Analysis Traffic Summary Traffic Summary The Traffic Summary Dashboard allows you to view the Top N Applications, Top N Application Groups, Top N Hosts (In and Out), IP Distribution by Bytes, Top N DSCP, and Top N VLAN being monitored on your network. It provides auto-monitoring of traffic from all potential data sources (for example, SPAN, NDE, and WAAS). You can get to the Traffic Summary Dashboard by going to Monitor > Overview > Traffic Summary.
Chapter 3 Monitoring and Analysis Response Time Summary To see a chart in table format, use the “View as Chart / View as Grid” toggle button on the bottom right corner of the chart. You can also click the “View as Image” button to view the image and save it as a PNG file. When viewing the data as a Grid, the numbers will be formatted according to what you have configured in Administration > System > Preferences. On that page, you can also configure the number of Top N entries you would like to display.
Chapter 3 Monitoring and Analysis Site Summary Note To change from bytes to bits, choose Administration > System > Preferences and change the “Data displayed in” selection. Site Summary The Site Summary Dashboard (accessed by choosing Monitor > Overview > Site Summary) will show you information about the sites in your network. You can use the Interactive Report on the left side of the screen to change the information displayed. For more information about sites, see Sites, page 2-58.
Chapter 3 Monitoring and Analysis Alarm Summary Note You could see a count of two alarms for the same occurrence if: - both the source and the destination are in the same site in the Top N Site - Host Pair chart. - both the source and the destination are in the same site in the Top N Site chart. - both the source and the destination are in the same site using the same application in the Top N Site Application Pair chart.
Chapter 3 Monitoring and Analysis Analyzing Traffic Table 3-1 Field Description Site This contain site or source and destination sites (source - destination) of the network traffic that generated the alarm message. Alarm Triggered By Details information of the network traffic that generated the alarm message.
Chapter 3 Monitoring and Analysis Analyzing Traffic You can use the Zoom/Pan feature, in which you can drag the beginning or end to change the time interval, as shown below. The time interval change on the zoom/pan chart will affect the data presented in the charts in the bottom of the window. The zoom/pan time interval also affects the drill-down navigations; if the zoom/pan interval is modified, the context menu drill-downs from that dashboard will use the zoom/pan time interval.
Chapter 3 Monitoring and Analysis Analyzing Traffic Table 3-2 Host Detail Field Description Host Host address Application Application type In Bytes/sec Number of bytes per second incoming In Packets/sec Number of packets per second incoming Out Bytes/sec Number of bytes per second outgoing Out Packets/sec Number of packets per second outgoing Host The Host Traffic Analysis Screen will show you at a quick glance the input and output of a particular host over time.
Chapter 3 Monitoring and Analysis Analyzing Traffic Table 3-3 Applications Detail Field Description Application Application type Application Group The application group (set of applications that can be monitored as a whole).
Chapter 3 Monitoring and Analysis Analyzing Traffic • Top N Applications - Egress • Top N Hosts - Ingress • Top N Hosts - Egress • Top N DSCP Aggr - Ingress • Top N DSCP Aggr - Egress The interface speed can be entered manually through the Interface capacity table, or it can be auto configured if the SNMP settings for the NDE device are entered in data source table.
Chapter 3 Monitoring and Analysis Analyzing Traffic Figure 3-5 DSCP Group Traffic Over Time On this screen, you will see: • Traffic volume over time for the selected DSCP group • Top N applications and application groups using that DSCP group • Top N hosts transmitting and receiving traffic on that DSCP group Application Groups Detail On the “Top N Application Groups” chart, you can left-click a colored bar to get the context menu, and choose “Applications Groups Detail” to see the All Application
Chapter 3 Monitoring and Analysis Analyzing Traffic URL Hits You can analyze the URLs collected by the NAM (for setup, see URL, page 2-78). This section contains the following procedures: • Viewing Collected URLs • Filtering a URL Collection List Viewing Collected URLs To view collected URLs: Step 1 Choose Analyze > Traffic > URL. The URLs Window displays with the collected URLs. The columns are described in Table 3-6.
Chapter 3 Monitoring and Analysis Analyzing Traffic Host Conversations If you choose Analyze > Traffic > Detailed Views > Host Conversations, and click on “Host” in the host coversation tables, you can see detailed lists of all the conversations for a particular host: • Table of hosts which are sending packets to the selected host, along with application, vlan, and traffic rate information.
Chapter 3 Monitoring and Analysis Analyzing Traffic Applications Over Time, as shown in Figure 3-7, will show you all of the applications that have been running for the time period interval. The color-coded legend shows you what the applications are running. Figure 3-7 Top Application Traffic If you place your cursor over any of the data points, you will get more details about the exact values for each of the applications that are running, as shown in Figure 3-8.
Chapter 3 Monitoring and Analysis WAN Optimization Application Traffic By Host When you choose Analyze > Traffic > Detailed Views > Application Traffic By Hosts, you will see the traffic for a given application broken out by individual hosts using the application (see Figure 3-9). You may specify the time period to view, as well as the application, site (optional), data source (optional), and VLAN (optional).
Chapter 3 Monitoring and Analysis WAN Optimization Application Performance Analysis To analyze the WAAS traffic, choose Analyze > WAN Optimization > Application Performance Analysis. The charts available on this page are: • Transaction Time (Client Experience) • Traffic Volume and Compression Ratio • Average Concurrent Connections (Optimized vs.
Chapter 3 Monitoring and Analysis Response Time Response Time The NAM Traffic Analyzer monitors TCP packet flow between client and server, and measures response time data to provide more visibility into application response times (ART) and network latency. NAM 5.0 response time monitoring provides end-to-end response times to help you locate possible network and application delays. Note NAM 5.0 does not support IPv6 for response time monitoring.
Chapter 3 Monitoring and Analysis Response Time Transaction Time versus Response Time Measurements Client request Packet 1 Packet 2 Server response Packet N Application response time Packet 1 Packet 2 Packet N 210305 Figure 3-11 Total transaction time Table 3-7 lists and describes the ART metrics measured by NAM 5.0.
Chapter 3 Monitoring and Analysis Response Time Table 3-7 Application Response Time Metrics (continued) Metric Description Number of unresponsive connections Number of TCP connection requests (SYN) that are not responded during the monitoring interval Number of refused connections Number of TCP connection requests (SYN) that are refused during the monitoring interval Average Connection duration Average duration of TCP connections during the monitoring interval Average Server Response Time Server
Chapter 3 Monitoring and Analysis Response Time Table 3-7 Application Response Time Metrics (continued) Metric Description Client ACK Round Trip Time Average network time for the client to acknowledge (ACK) a server data packet as observed at NAM probing point Number of Client ACK Round Trips Number of client ACK RTs observered during the monitoring interval Application Response Time Metrics are available on the response Response Time Summary Dashboard (Monitor > Response Time Summary), which all
Chapter 3 Monitoring and Analysis Response Time Note If you do not specify any application, the chart will show the network time instead of transaction time. The Other Metrics chart allows you to see information about the network link between sites, after you have selected the desired metrics from the “Metric1” and “Metric2” drop-down. The Top Clients and Top Servers charts will show you the top clients and servers that are communicating through the network link (in bytes).
Chapter 3 Monitoring and Analysis Response Time Table 3-8, Server Application Responses Metrics, provides definitions of each field of the Server Application Responses window. Table 3-8 Server Application Responses Metrics Field Description Client Site Name of the client site. Server Site Name of the server site.
Chapter 3 Monitoring and Analysis Response Time Note NAM uses the TCP three-way handshake to calculate network delay. If there are no new TCP connections during the polling interval, the NAM GUI displays a dash (-) for the delay value indicating there is no delay data for that interval. Table 3-9, Server Application Transactions Metrics, provides definitions of each field of the Server Application Transactions window.
Chapter 3 Monitoring and Analysis Response Time Note NAM uses the TCP three-way handshake to calculate network delay. If there are no new TCP connections during the polling interval, the NAM GUI displays a dash (-) for the delay value indicating there is no delay data for that interval. Table 3-10, Server Network Responses Window, provides definitions of each field of the Server Network Response Times window.
Chapter 3 Monitoring and Analysis Response Time Table 3-11 Client-Server Application Responses Window Field Description Client Site Name of the client site Server Site Name of the server site Data Source Name of the data source. VLAN VLAN Server Name or IP address of the server Client Host address of the client.
Chapter 3 Monitoring and Analysis Response Time Note NAM uses the TCP three-way handshake to calculate network delay. If there are no new TCP connections during the polling interval, the NAM GUI displays a dash (-) for the delay value indicating there is no delay data for that interval. The Client-Server Application Transaction window displays when you click Analyze > Response Time > Detailed Views > Client-Server Application Transactions.
Chapter 3 Monitoring and Analysis Managed Device To view the Client-Server Network Responses window, choose Analyze > Response Time > Detailed Views > Client-Server Network Responses. NAM uses the TCP three-way handshake to calculate network delay. If there are no new TCP connections during the polling interval, the NAM GUI displays a dash (-) for the delay value indicating there is no delay data for that interval. Table 3-13 describes the fields of the Server-Client Network Response Time window.
Chapter 3 Monitoring and Analysis Managed Device • Health, page 3-31 • NBAR, page 3-37 Interface Interfaces Stats Table To view packet distribution details on the interfaces, choose Analyze > Managed Device > Interface. The Interfaces Stats table displays and shows the total packet distribution on all interfaces. Use the Interactive Report and the Filter button on the left to change the time range displayed. The Discards and Errors are measured in packets per second.
Chapter 3 Monitoring and Analysis Managed Device Interface Statistics Over Time When you select an interface in the Interface Stats Table, the statistics for that interface will be graphed in the area below, as shown in Figure 3-13. Figure 3-13 Interface Statistics Over Time There are four check boxes above the graph: Bytes, Packets, Discards, and Errors.
Chapter 3 Monitoring and Analysis Managed Device Chassis Health The Chassis Health window displays two real-time graphs: CPU usage and Backplane Utilization.
Chapter 3 Monitoring and Analysis Managed Device Table 3-16 Chassis Information (continued) Field Description UpTime The time (in hundredths of a second) since the network management portion of the system was last re-initialized. Location The physical location of this node. Contact The textual identification of the contact person for this managed node and information on how to contact this person. Modem Indicates whether the RS-232 port modem control lines are enabled.
Chapter 3 Monitoring and Analysis Managed Device Table 3-17 Crossbar Switching Fabric Information Field Description Crossbar Switching Fabric Physical and configuration information about the module: Active slot—Indicates the slot number of the active switching fabric module. A value of zero indicates that the active switching fabric module is either powered down or not present in the chassis. Backup slot—Indicates the slot number of the backup switching fabric module.
Chapter 3 Monitoring and Analysis Managed Device Table 3-18 Ternary Content Addressable Memory Information Field Description Security Acl Mask Indicates that TCAM space is allocated to store ACL masks. Security Acl Value Indicates that TCAM space is allocated to store ACL value. Dynamic Security Acl Mask Indicates that TCAM space is allocated to dynamically store ACL masks. Dynamic Security Acl Value Indicates that TCAM space is allocated to dynamically store ACL values.
Chapter 3 Monitoring and Analysis Managed Device Table 3-19 Router Health Information (continued) Field Description Temperature Status The current state of the test point being instrumented; one of the following are the states: Failures • Normal • Warning • Critical • Shutdown • Not Present • Not Functioning • Unknown The failing component of the power supply being measured: • None—No failure • inputVoltage—Input power lost in one of the power supplies • dcOutputVoltage—DC outpu
Chapter 3 Monitoring and Analysis Media Table 3-20 Router Information (continued) Field Description Up Time The time (in hundredths of a second) since the network management portion of the system was last re-initialized. Location The physical location of this node. Contact The textual identification of the contact person for this managed node and information on how to contact this person. Modem Indicates whether the RS-232 port modem control lines are enabled.
Chapter 3 Monitoring and Analysis Media RTP Streams Purpose The RTP Streams window shows you three pieces of information: RTP Stream Information • Source IP Address and Port: IP address and UDP port of the originator of the RTP stream. • Destination IP Address and Port: Ip address and UDP port of the receiver of the RTP stream. • SSRC: Synchronization source number as it appeared in the RTP header of the RTP stream. • codec: encoding decoding format of the RTP stream.
Chapter 3 Monitoring and Analysis Media RTP Stream Stats Details This table shows the per-interval stats calculated by NAM at each interval. The columns of the tables are: • Report Time: time when the stats were calculated. This is the end time of the interval. • Report Duration: the stream duration during the report interval. • Worst MOS: the lowest score of the stream among 3-second MOS score. NAM internally evaluates the MOS value of the stream every 3 seconds.
Chapter 3 Monitoring and Analysis Media • Voice Call Statistics: Number of calls per signaling protocol (SCCP, SIP, MGCP, and H.323) at each interval during the selected interval. • Top N End Points by Jitter (ms): Endpoints that have the largest average of endpoint reported jitter during the selected interval. • Top N End Points by Packet Loss (%): Endpoints that have the largest average of endpoint reported packet loss during the selected interval.
Chapter 3 Monitoring and Analysis Media Table 3-21 Calls Table (continued) Field Description Calling Host Address RTP receiving address of the calling party detected by the NAM from inspecting the call signaling protocol. Calling Port RTP receiving port of the calling party detected by NAM from inspecting call signaling protocol. Calling Alias Calling party name detected by NAM from inspecting call signaling protocol. Called Host Address IP address of the phone receiving the call.
Chapter 3 Monitoring and Analysis Media Table 3-22 RTP Streams for the Selected Call table Field Purpose Source Address IP Address of the originator of the RTP stream Source Port UDP port of the originator of the RTP stream Destination Address IP address of the receiver of the RTP stream Destination Port UDP port of the receiver of the RTP stream Codec Encoding decoding format/algorithm of the RTP stream SSRC Synchronization source number as it appear in the RTP header Duration Weighted M
Chapter 3 Monitoring and Analysis Media Table 3-23 RTP Conversations Table (continued) Field Purpose SSRC Synchronization source number as it appear in the RTP header Duration Weighted MOS NAM calculated score that takes into account of the duration of the stream User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.
Chapter 3 Monitoring and Analysis Media User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.
CH A P T E R 4 Capturing and Decoding Packet Data The Capture feature of the NAM Traffic Analyzer allows you to set up multiple sessions for capturing, filtering, and decoding packet data, manage the data in a file control system, and display the contents of the packets. Note Capture does not apply to the NAM Virtual Service Blades.
Chapter 4 Capturing and Decoding Packet Data Sessions Figure 4-1 Quick Capture Sessions The purpose of Capture Sessions is to capture, filter, and decode packet data, manage the data in a file control system, and display the contents of the packets. The captured packets can then be decoded and analyzed on the NAM for more efficient problem isolation. As shown in Figure 4-2, network packets coming into NAM must pass at least one hardware filter in order to go on to the next step.
Chapter 4 Capturing and Decoding Packet Data Sessions Figure 4-2 NAM Capture Sessions Network Packets Session 1 Session 2 Session 3 Software Filter A Software Filter B Software Filter C Memory Files 199546 Hardware Filter 1 Hardware Filter 2 Hardware Filter 3 This section contains the following subjects: • Viewing Capture Sessions, page 4-3 • Configuring Capture Sessions, page 4-4 • Software Filters, page 4-7 Viewing Capture Sessions To access the basic operations for capturing, viewing
Chapter 4 Capturing and Decoding Packet Data Sessions Table 4-1 Capture Session Fields (continued) Operation Description Packets Number of packets State The current status of the capture: • Running—Packet capture is in progress • Stopped—Packet capture is stopped. Captured packets remain in buffer, but no new packets are captured • Full (Cisco 2200 Series appliances only)—The memory or file is full, and no new packets will be captured.
Chapter 4 Capturing and Decoding Packet Data Sessions Figure 4-3 Configure Capture Session Window Step 3 Table 4-3 Enter information in the Capture Settings Fields (Table 4-3) as appropriate. Capture Settings Fields Field Description Usage Notes Name Name of the capture Enter a capture name. Packet Slice Size (bytes) The slice size in bytes; used to limit the size of the captured packets. Enter a value of 64 or higher. Enter zero (0) to not perform slicing.
Chapter 4 Capturing and Decoding Packet Data Sessions Table 4-3 Capture Settings Fields (continued) Field Description Usage Notes Storage Type: Memory Check to store captures in memory Enter values for Memory Size for this capture. Enter a number from 1 up to your platform maximum. If system memory is low, the actual session size allocated might be less than the number specified here. See Table 4-4 for maximum session sizes for each NAM platform.
Chapter 4 Capturing and Decoding Packet Data Sessions Table 4-4 Maximum Capture Session Sizes for NAM Platforms (continued) NAM Platform Maximum Session Size WS-SVC-NAM-2 300 MB WS-SVC-NAM-2 with memory upgrade (MEM-C6KNAM-2GB) 500 MB WS-SVC-NAM-2-250S 500 MB NAM2204-RJ45 2 GB NAM2204-SFP 2 GB NAM2220 10 GB NME-NAM-80S 132 MB NME-NAM-120S 300 MB When capturing to multiple files, a suffix is added to the file name.
Chapter 4 Capturing and Decoding Packet Data Sessions Creating a Software Filter You can define a software filter to filter based on any of the following: • Source host address • Destination host address • Network encapsulation • VLAN or VLAN range • Application • Source port or port range • Destination port or port range To create a software capture filter: Step 1 Choose Capture > Packet Capture/Decode > Sessions. The Configure Capture Session dialog box is displayed.
Chapter 4 Capturing and Decoding Packet Data Sessions Table 4-5 Software Filter Dialog Box Field Description Usage Notes Name Enter a name of the new filter. Source Address / Mask Source address of the packets. • For IP, IPIP4, GRE.IP, or GTP.IPv4 addresses, enter a valid IPv4 address in dotted-quad format n.n.n.n, where n is 0 to 255. The default (if blank) is 255.255.255.255. • For IPv6 or GTP.IPv6 addresses, enter a valid IPv6 address in any allowed IPv6 address format.
Chapter 4 Capturing and Decoding Packet Data Sessions Table 4-5 Software Filter Dialog Box (continued) Field Description Destination Address / Mask Destination address of the packets. Usage Notes • For IP, IPIP4, GRE.IP, or GTP.IPv4 addresses, enter a valid IPv4 address in dotted-quad format n.n.n.n, where n is 0 to 255. The default (if blank) is 255.255.255.255. • For IPv6 or GTP.IPv6 addresses, enter a valid IPv6 address in any allowed IPv6 address format.
Chapter 4 Capturing and Decoding Packet Data Sessions Table 4-5 Software Filter Dialog Box (continued) Field Description Usage Notes VLAN Identifier(s) The 12-bit field specifying the Choose a VLAN Range or enter from one to four individual VLAN to which the packet belongs. VLAN IDs. For better performance, use as narrow a range as possible. The VLAN ID can range from 1-4095.
Chapter 4 Capturing and Decoding Packet Data Sessions • To cancel the changes, click Cancel. Hardware Assisted Filters Hardware Assisted Capture enables you to improve capture performance by providing hardware-specific filters to help you eliminate as much extraneous traffic as possible. The packets filtered out by hardware filters are not processed by the NAM, and therefore capture performance improves.
Chapter 4 Capturing and Decoding Packet Data Sessions The list is also shown in Figure 4-5. Figure 4-5 Hardware Filter Type Step 5 Data fields will then appear that correspond with the type of hardware filter you selected. Fill in the desired fields. See the following sections for more specific information. Step 6 Click Submit to complete the configuration of the capture session. Otherwise, click Reset to revert to the previous settings, or click Cancel to abort.
Chapter 4 Capturing and Decoding Packet Data Sessions Step 7 Click Submit. IP To configure an IP hardware filter: Step 1 Enter a Filter Name. Step 2 From the Type drop-down menu, choose IP. Step 3 Enter a Source Address / Mask (optional). Step 4 Enter a Destination Address / Mask (optional). Step 5 Choose a Layer 4 IP Protocol (optional) Step 6 Click Submit. IP and TCP/UDP To configure an IP and TCP/UDP hardware filter: Step 1 Enter a Filter Name.
Chapter 4 Capturing and Decoding Packet Data Files • Step 7 Note Step 8 Enter a Mask of up to four bytes (eight hex characters). Repeat Step 6 for up to four payload data segments. Only one payload segment (one row) is required. Be careful not to create overlapping payload segments. If overlapping segments have different values the filter will never match anything due to the inherent AND logic. Click Submit. Payload Data To configure a Payload Data hardware filter: Step 1 Enter a Filter Name.
Chapter 4 Capturing and Decoding Packet Data Files • Name: • Size: • Date: • State: • Location: If you are using a Cisco 2200 Series appliance, the NAM will create a xxx.pcap file. If you click on the download button, a xxx.pcap file will be created regardless of whether you accept the download action or cancel it (a xxx.pcap file will be created once the download button is clicked).
Chapter 4 Capturing and Decoding Packet Data Files Note Capture files on the NAM 2200 Series appliances are stored in native NAM format. You can convert the capture file format to .pcap using the Convert/Rename/Merge button on the Capture > Packet Capture/Decode > Files window.
Chapter 4 Capturing and Decoding Packet Data Files The Error Scan screen is shown in Figure 4-6. Figure 4-6 Error Scan Screen The fields are described in Table 4-8. Table 4-8 Error Scan Screen Descriptions Field Description Packet ID ID of the packet in the capture file. Protocol Protocol the packet arrived on.
Chapter 4 Capturing and Decoding Packet Data Files Step 2 Choose a capture file from the list of captures. Step 3 Click Download. A File Download dialog box displays and asks “Do you want to save this file?” Figure 4-7 Step 4 Download Capture File Dialog Box Click Save. A Save As dialog box opens and provides a way for you to rename and save the file at a location of your choice. Deleting a Capture File To delete a capture file: Step 1 Choose Capture > Packet Capture/Decode > Files.
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information Step 3 Click the Delete button. A dialog box displays and asks “Delete all capture file(s)?” Step 4 Click OK to delete all the files or Cancel to allow them to remain. Viewing Packet Decode Information After some packets or files have been captured, you can use the Packet Decoder to view the packet contents.
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information Table 4-10 describes the columns displayed in the packet browser pane. Table 4-10 Packet Browser Field Description Pkt Packet numbers, listed numerically in capture sequence. If the decode (display) filter is active, the packet numbers might not be consecutive. Time Time the packet was captured relative to the first packet displayed (not the first packet in the session).
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information – Destination allows you to specify the destination address, or leave it blank if not applicable. – Both Directions allows you to match of packets travelling in both directions. • Define a Protocol Filter. – Click Match any to display packets that match any of the protocols or fields or – Click Match all to display packets that match all of the protocols or fields. – Choose a protocol from the Protocols list.
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information • To adjust the size of any of the panes, click and drag the pane frame up or down. Using Alarm-Triggered Captures You can configure multiple alarm-triggered captures that start and stop automatically by alarm events you define. To set up an alarm-triggered capture: Step 1 Create an alarm event from the Setup > Alarms > Alarm Events window. Configure an Alarm Event for the type of event for which you want to capture data.
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information Table 4-11 Custom Decode Filter Dialog Box Field Description Usage Notes Filter Name The name of the capture filter. Enter the name of the filter to be created. Description The description of the capture filter. Enter a description of the filter. Protocol The protocol to match with the packet. Choose a protocol from the list. (Select All to match all packets regardless of protocol.
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information Table 4-11 Custom Decode Filter Dialog Box (continued) Field Description Usage Notes Data Pattern The data to be matched with the packet. Enter hh hh hh ..., where hh are hexadecimal numbers from 0-9 or a-f. Leave blank if not applicable. Filter Expression An advanced feature to set up complex filter conditions. See Tips for Creating Custom Decode Filter Expressions, page 4-25.
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information Field Filter By Format tcp.port tcp.srcport tcp.dstport TCP port number A decimal number from 0 to 65535. udp.port udp.srcport udp.dstport UDP port number A decimal number from 0 to 65535. protocol Protocol Click the Protocol list in the Custom Decode Filter dialog box to see the list of protocols on which you can filter. protocol [offset:length] Protocol data pattern hh:hh:hh:hh...
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information Step 4 Do one of the following: • To apply the changes, click Submit. • To clear the page of your changes, click Reset. • To exit the page without applying the changes, click Cancel. Deleting Custom Display Filters To delete custom display filters: Step 1 Choose Capture > Packet Capture/Decode > Display Filters. Step 2 Choose the filter to delete, then click Delete.
Chapter 4 Capturing and Decoding Packet Data Viewing Packet Decode Information User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.
CH A P T E R 5 User and System Administration This chapter provides information about performing user and system administration tasks and generating diagnostic information for obtaining technical assistance. This chapter contains the following sections: • System Administration, page 5-1 describes menu options that enable you to perform system administrative tasks and manage the NAM Traffic Analyzer. • Diagnostics, page 5-14 describes menu options that help you diagnose and troubleshoot problems.
Chapter 5 User and System Administration System Administration Resources Choose Administration > System > Resources to view the System Overview window. Table 5-1 describes the fields of the System Overview window for a NAM Traffic Analyzer with multiple CPUs such as the Cisco NAM 2220 appliance. Table 5-1 System Overview Field Description Date Current date and time synchronized with the switch, router, or NTP server. Hostname NAM hostname. IP Address NAM IP address.
Chapter 5 User and System Administration System Administration NAM 5.0 does not support using IPv6 for the network parameter IP address. Note Table 5-2 Step 3 Network Parameters Dialog Box Field Description IP Address NAM IP address. IP Broadcast NAM broadcast address. Subnet Mask NAM subnet mask. IP Gateway NAM IP gateway address. Host Name NAM hostname. Domain name NAM domain name. Nameservers NAM nameserver address or addresses.
Chapter 5 User and System Administration System Administration To view and set the NAM SNMP Agent: Step 1 Choose Administration > System > SNMP Agent. Step 2 Enter or change the information on the NAM SNMP screen. The fields are detailed in Table 5-3. Step 3 Table 5-3 System SNMP Dialog Box Field Description Contact The name of the person responsible for the NAM. Name The name of the NAM. Location The physical location of the switch or router in which the NAM is installed.
Chapter 5 User and System Administration System Administration Deleting NAM Community Strings To delete the NAM community strings: Step 1 Choose Administration > System > SNMP Agent. At the bottom of the window, the NAM Community Strings Dialog Box displays. Step 2 Caution Select an entry, then click Delete. Deleting the NAM community strings blocks SNMP requests to the NAM from outside SNMP agents. The community string is deleted.
Chapter 5 User and System Administration System Administration • Caution Cisco 2200 Series appliances can get their time from a local CLI clock set command. Both the client computer and the NAM server must have the time set accurately for their respective time zones. If either the client or the server time is wrong, then the data shown in the GUI will be wrong. After the NAM acquires the time, you can set the local time zone using the NAM System Time configuration screen.
Chapter 5 User and System Administration System Administration Step 6 Do one of the following: • To save the changes click Submit. • To leave the configuration unchanged, choose Reset. Configuring the NAM System Time with an NTP Server To configure the NAM system time with an NTP server: Step 1 On the NAM appliance GUI, choose Administration > System > System Time. Step 2 Choose the NTP Server radio button.
Chapter 5 User and System Administration System Administration Step 7 Click Submit to save your modifications, or click Reset to clear the dialog of any characters you entered or restore the previous settings. Web Data Publication Web Data Publication allows general web users and websites to access (or link to) selected NAM monitor and report screens without a login session. Web Data Publication can be open or restricted using Access Control List (ACL) and/or publication code.
Chapter 5 User and System Administration System Administration • Creating iSCSI Storage Locations, page 5-11 • Editing iSCSI Storage Locations, page 5-11 Creating NFS Storage Locations The NFS server must be configured properly to allow NAM to write data to it. The NAM accesses the NFS directories with UID=80 (www) and UID=0 (root). The NFS directories must be fully accessible by these UIDs.
Chapter 5 User and System Administration System Administration Table 5-5 Step 4 NFS Storage Location Parameters Field Description Name Name of the remote file system entry Server DNS name of the remote file system entry Directory Pathname of the remote file system partition Basic NFS Options Each fields shows a default value. If you need to use values other than those available in the menus, use Advanced NFS Options.
Chapter 5 User and System Administration System Administration Creating iSCSI Storage Locations The following procedure describes how to create an iSCSI storage location for storing NAM capture data. Step 1 Choose Administration > System > Capture Data Storage. The Capture Data Storage window displays and lists any capture data storage locations already configured. Step 2 Click Create iSCSI. Step 3 Enter the requested parameters in the New iSCSI Storage window.
Chapter 5 User and System Administration System Administration Step 4 Note Click Submit to change the iSCSI storage location parameters. Otherwise click Reset to remove your entries or Cancel to cancel the change. Before the changes to the iSCSI storage entry take effect, you must reboot the NAM system. Syslog Setting NAM syslogs are created for alarm threshold events, voice threshold events, or system alerts.
Chapter 5 User and System Administration System Administration Step 2 Click the Create button. Step 3 In the “Community” field, enter the community string set in the NAM Thresholds. Step 4 In the “IP Address” field, enter the IP address to which the trap is sent if the alarm and trap community strings match. Step 5 In the “UDP Port” field, enter the UDP port number. Step 6 Click Submit to save your changes, or click Reset to cancel and leave the configuration unchanged.
Chapter 5 User and System Administration Diagnostics Table 5-7 Preferences (continued) Field Description Audit Trail The Audit Trail option displays a listing of recent critical activities that have been recorded in an internal syslog log file. Syslog messages can also be sent to an external log. Capture File Download Format Choose ENC (.enc) or PCAP (.pcap) format for captured files. Diagnostics The Diagnostics option of the Administration menu provides tools to aid in troubleshooting.
Chapter 5 User and System Administration Diagnostics • User ID • Time stamp • IP address (in case of remote web access) • Activity description To access the audit trail window: Step 1 Choose Administration > Diagnostics > Audit Trail. The Audit Trail Window displays. The Audit Trail window provides a way to view the user access log and filter entries based on time, user, (IP address) from or activity. The internal log files are rotated after reaching certain size limit.
Chapter 5 User and System Administration User Administration User Administration The User Administration option of the Administration menu provides the following options: • Local Database, page 5-16 • Establishing TACACS+ Authentication and Authorization, page 5-19 • Configuring a TACACS+ Server to Support NAM Authentication and Authorization, page 5-20 • Current User Sessions, page 5-22 Local Database When you first install the NAM Traffic Analyzer, you use the NAM command-line interface (CLI) t
Chapter 5 User and System Administration User Administration For information on resetting the NAM passwords on 6500 Series NAMs, see Catalyst 6500 Series Switch and Cisco 7600 Series Internet Router Network Analysis Module Installation and Configuration Note: http://www.cisco.com/en/US/docs/net_mgmt/network_analysis_module_software/5.0/switch/confi guration/guide/switchcfg.
Chapter 5 User and System Administration User Administration Table 5-9 New User Dialog Box Field Description Usage Notes Name The account name Enter the user’s account name. Password Verify Password The account password Enter a password that adheres to your site security policies. Privileges Privileges associated with this account Select each privilege to grant to the user. Usernames and passwords cannot exceed 32 characters and can be alphanumeric.
Chapter 5 User and System Administration User Administration Step 2 Select the username. Step 3 Click Delete. Note If you delete user accounts while users are logged in, they remain logged in and retain their privileges. The session remains in effect until they log out. Deleting an account or changing permissions in mid-session affects only future sessions. To force off a user who is logged in, restart the NAM.
Chapter 5 User and System Administration User Administration Step 3 Tip Do one of the following: • To save the changes, click Submit. • To cancel, click Reset. If you cannot log into the NAM Traffic Analyzer with TACACS+ configured, verify that you entered the correct TACACS+ server name and secret key.
Chapter 5 User and System Administration User Administration Adding a NAM User or User Group To add a NAM user or user group: Step 1 Click User Setup. Step 2 Enter the user login name. Step 3 Click Add/Edit. Step 4 Enter the user data. Step 5 Select User Setup. Step 6 Enter a user password. Step 7 If necessary, assign a user group. Step 8 In the TACACS+ settings: a. Select Shell. b. Select IOS Command. c. Select Permit. d. Select Command. e. Enter web. f.
Chapter 5 User and System Administration User Administration Parameter Enter service shell cmd web cmd-arg One or more the following: accountmgmt system capture alarm collection view password authentication method—Password Authentication Protocol (PAP) pap Current User Sessions The Current User Sessions table is a record of the users who are logged into the application. The user session times out after 30 minutes of inactivity. After a user session times out, that row is removed from the table.
CH A P T E R 6 NAM Traffic Analyzer 5.0 Usage Scenarios This chapter describes usage scenarios for the Cisco Network Analysis Module Traffic Analyzer, Release 5.0.
Chapter 6 NAM Traffic Analyzer 5.0 Usage Scenarios Deployment Deployment Deploying NAMs in the Branch A NAM Traffic Analyzer deployed in the branch will provide a detailed view of the traffic traversing to and from the branch. The NAM can monitor and analyze the traffic locally, and troubleshoot issues related to application response time, voice degradation, and overall network performance, and you will be able to see these results by accessing the NAM web interface.
Chapter 6 NAM Traffic Analyzer 5.0 Usage Scenarios Deployment See related content Data Export, NetFlow, page 2-49. Autodiscovery Capabilities of NAM If you are an existing NAM 4.x user, you will not need to configure the SPAN sessions, and they will be auto-created on the NAM (not on the device). If you are a new 5.0 user, you will need to configure SPAN or NetFlow. SPAN or NetFlow must be already configured on the device to forward traffic to NAM for auto creating the data source.
Chapter 6 NAM Traffic Analyzer 5.0 Usage Scenarios Monitoring Integrating NAM with LMS The NAM Traffic Analyzer GUI can be placed on the LMS (LAN Management Suite) 4.0 dashboard and accessed thru the LMS GUI. See technical documentation for LMS on http://www.cisco.com. Monitoring Understanding Traffic Patterns at the Network Layer The data gathered by the NAM 5.
Chapter 6 NAM Traffic Analyzer 5.0 Usage Scenarios Troubleshooting Using NAM to Evaluate Application-Level Performance Monitoring for UDP Realtime Applications The NAM Traffic Analyzer monitors RTP streams: When a phone call ends, the endpoints calculate the information and send it to the Call Manager. If a NAM is along that path, it will intercept it. The NAM monitors and analyzes RTP streams and voice calls statistics from the endpoint.
Chapter 6 NAM Traffic Analyzer 5.0 Usage Scenarios Troubleshooting If the alarm is for an Application Response Time issue, you can access Monitor > Response Time Summary or Analyze > Response Time > Application to drill-down on what hosts are accessing the application. Identify the application server and view what other applications are hosted and all the clients accessing that server. See Monitor: Response Time Summary, page 3-5. See Analyze: Response Time, page 3-19.
A P P E N D I X A Troubleshooting This appendix addresses some common issues you might encounter while using NAM Traffic Analyzer 5.0. It contains the following sections: • General NAM Issues, page A-1 • Error Messages, page A-2 • Packet Drops, page A-2 • NAM Not Responding, page A-2 • NAM Behavior, page A-3 • WAAS Troubleshooting, page A-3 General NAM Issues Q. What information should I collect and what else should I do when the NAM is not responding? A.
Appendix A Troubleshooting Error Messages Error Messages Q. I’m waiting for the graphical data to populate on a dashboard. What does this red error “Request Error -- Please Try Again” mean? A. This means an internal error has occurred, or the login session may have timed out. Q. I’m waiting for the graphical data to populate on a dashboard. What does this red error “Query resulted in no data” mean? A. The NAM does not have any data for the specified time frame and specified filter.
Appendix A Troubleshooting NAM Behavior • Does a ping to NAM mgmt IP address work? • What is the module status on Sup/router? show modules CLI NAM Behavior Q. Why is the browser behaving strangely? It is displaying data for no apparent reason. A. Clear the browser cache, close the browser, and open a new session and try again. Also, make sure you are using a browser that is supported with NAM 5.0 (see the NAM Traffic Analyzer 5.0 Release Notes). Q. Why is the NAM performance lower than expected? A.
Appendix A Troubleshooting WAAS Troubleshooting User Guide for the Cisco Network Analysis Module Traffic Analyzer, 4.
A P P E N D I X B Supported MIB Objects Supported MIBs Table B-1 lists the MIB objects supported by the supervisor engine and the NAM. Table B-1 Supervisor Engine Module and NAM RMON Support Module Object Identifier (OID) and Description Source Supervisor Engine ...mib-2(1).rmon(16).statistics(1).etherStatsTable(1) ...mib-2(1).rmon(16).statistics(1).tokenRingMLStats Table(2)...mib-2(1).rmon(16).statistics(1).
Appendix B Supported MIB Objects Supported MIBs Table B-1 Supervisor Engine Module and NAM RMON Support (continued) Module Object Identifier (OID) and Description Source Supervisor Engine ...mib-2(1).rmon(16).tokenRing(10).ringStation ControlTable(1) ...mib-2(1).rmon(16).tokenRing(10).ringStation Table(2) ...mib-2(1).rmon(16).tokenRing(10).ringStation OrderTable(3) ...mib-2(1).rmon(16).tokenRing(10).ringStationConfig ControlTable(4) ...mib-2(1).rmon(16).tokenRing(10).ringStationConfig Table(5) ...
Appendix B Supported MIB Objects Supported MIBs Table B-1 Module Supervisor Engine Supervisor Engine Module and NAM RMON Support (continued) Object Identifier (OID) and Description Source ...cisco(9).workgroup(5).ciscoStackMIB(1).ciscoStatck CISCO-STACK-MIB MIBConformance(31).ciscoStaticMIBGroups(20. chassisGroup(3) Collection of objects providing information about the chassis of the device. Supervisor Engine ...ciscoMgmt(9).ciscoCat6kCrossbarMIB(217).
Appendix B Supported MIB Objects Supported MIBs User Guide for the Cisco Network Analysis Module Traffic Analyzer, 5.
INDEX custom display filters, setting up A deleting administration (see system administration) alarm thresholds, setting NAM thresholds deleting editing 4-27 4-26 packet decode information, viewing 2-39 4-20 protocol decode information, viewing 2-48 editing 5-1 4-23 4-22 cautions 2-48 regarding switch thresholds 2-49 NAM community strings, deleting syslog, setting up 5-12 switch string and read-write community string matching 5-5 ART 3-24, 3-27 Audit trail 5-5 community switch st
Index protocol directing traffic for spanning 2-68 SPAN sessions Custom captures methods (table) 2-6 custom display filters, managing 4-23 deleting 4-27 editing devices running Cisco IOS 2-20 2-21 devices supporting multi-layer switching cache 2-21 devices supporting NDE export 4-26 setting up 2-4 NetFlow, configuring on devices 4-8 creating 2-9 2-22 devices supporting NDE v8 aggregations 4-23 devices supporting vi aggregations NAMs in a device slot D 2-21 2-21 2-22 NetFlow devi
Index sending data directly to NAM External reporting console detail 2-17 IPESP 2-55 IPIP4 3-12, 3-30 2-73 2-73 IP tunnel encapsulations F Filtering audit trail IP M 5-15 Monitored servers filters 4-14 IP and Payload Data IP and TCP/UDP Payload data VLAN and IP 2-73 2-81 Monitoring 4-14 Application response times 4-14 3-27 monitoring 4-15 port traffic 4-13 Filter Response Time for all Data Sources by Monitored Servers 2-81 traffic 1-15 1-13 monitoring data voice 3-14 Multipl
Index NetFlow Refresh button configuring on devices Cisco IOS Creating SPAN session 2-20 response time 2-21 multi-layer switching cache NAMs in a device slot NDE export application 2-21 client 2-22 3-23 network 2-21 devices, managing server 3-23 3-22 3-23 response time data, viewing 2-28 exporting data 3-22 client-server 2-22 NDE v8 aggregations testing 2-7 reports 1-15 interfaces, understanding records, understanding server 2-19 RTP Stream Monitoring 2-19 NetFlow Data Exp
Index methods (table) user privileges (table) 2-4 NetFlow, configuring on devices Cisco IOS users, creating new 2-20 users, deleting 2-21 multi-layer switching cache NAMs in a device slot NDE export system resources, viewing System alerts 2-21 NetFlow devices, managing viewing deleting 2-9 editing 5-15 5-14 T 2-8 SPAN sources (table) 2-4 TAC (Technical Assistance Center) VACL, configuring (see also troubleshooting) on LAN VLANs 2-18 on WAN interfaces SPAN states 5-2 5-14 captur
Index V VACL 1-14, 2-17 VLAN access control list 1-14, 2-17 VACL, configuring on LAN VLANs 2-18 on WAN interfaces 2-17 viewing community switch strings DiffServ data 5-5 3-12 NAM SNMP system groups network parameters 5-3 5-2 response time data server 3-25 system alerts 5-14 system resources 5-2 user sessions table voice data 5-22 3-14 Viewing audit trail 5-14 Virtual Switch Software (VSS) 2-58 VLAN access control list VACL 1-14, 2-17 voice data collecting viewing 2-76 3-14 Vo
