Manualshelf

Specifications

ManualsBrandsCisco ManualsHome building and DecorNetwork Analysis Module 6000
221222223224225226227228229230
© 2006 Cisco Systems, Inc.
All rights reserved.
Scenarios 3-14
NAM / Traffic Analyzer v3.5 Tutorial
© 2006 Cisco Systems, Inc. All rights reserved.
Scenarios 3-14
NAM / Traffic Analyzer v3.5 Tutorial
Scenario 1
Traffic Overview VLAN 130
Scenario 1
Traffic Overview VLAN 130
Who is playing
games across the
link?
Who is playing
games across the
link?
High percentage
hosts, suspects of
game playing
High percentage
hosts, suspects of
game playing
Traffic Overview VLAN 130
Dean uses the traffic overview feature of the NAM to get a quick look at what is happening on VLAN 130.
Step 1. Click Monitor > Overview. The Overview data screen is displayed.
Step 2. Select VLAN 130 from the Data Source pull-down menu to display an overview of VLAN 130
traffic. Notice that the only data sources that are available in the list are the VLANs that Dean
enabled monitoring for. If Dean had enabled monitoring for VLANs that are not present in his
SPAN source, they will be listed here because he enabled monitoring for them, but no data will
be displayed because they do not exist in the SPAN source.
Dean immediately notices suspicious activity. First, he observes that the second most active application on
his SPAN source is Doom. Then he looks at the most active hosts to determine who might be playing Doom.
He identifies two potential suspects and determines that he needs to investigate further. But Dean also
notices a lot of “other” traffic (traffic using TCP or User Datagram Protocol [UDP] ports that are not well
known – grouped as “other” after the configured number of auto-discovered unknown apps are found). He
decides that he must deal with the gamers first, but he also makes a note of this other traffic because he
knows that he can configure the NAM to identify and collect statistics for this other traffic.
Note: Dean would have also seen the Doom traffic by looking at the overview of ALLSPAN traffic because
VLAN 130 is a subset of ALLSPAN. But by looking just at VLAN 130 statistics, Dean is able to localize the
traffic. This could be useful if a certain application is allowed on one VLAN but not another. Then the
application traffic would be seen at the ALLSPAN level, but hopefully not at the VLAN level it is prohibited on.