Specifications
© 2006 Cisco Systems, Inc.
All rights reserved.
Product Features 2-4
NAM / Traffic Analyzer v3.5 Tutorial
Network Monitoring Using NAMs
NAM Data Sources
[Figure: NAM Data Sources. The NAM Embedded Traffic Analyzer receives data from a Cisco Catalyst Switch and a
Cisco Router. Labels in the figure: Mini-RMON (stats per port); NetFlow records (stats per total flow or per
individual flow); NBAR stats and MIB-II interface stats (stats per interface); stats per data source and/or per
VLAN/MPLS included in the data source; traffic types HTTP, Multicast, FTP, BPDU; markers "NM-NAM Only" and
"NAM-1/2 Only".]
NAM Data Sources
The NAM makes use of multiple data sources to provide the ultimate visibility into the network. Data sources
include: mini-RMON for per-switch port layer-two statistics, Spanning, VACLs, and Cisco Express
Forwarding (CEF) to copy actual packets traversing the switch fabric and router interfaces to the NAM for
analysis, MIB-II for per-router interface statistics, NBAR statistics for protocol information on a per interface
basis, and NetFlow to provide application, host, and conversation information from a number of remote and
local traffic flows. More details on data sources used by the different NAMs will be presented in the next
section of this chapter.
The user should keep in mind a number of factors when using the various NAM data sources. In some SPAN
configurations, multiple copies of the same source packet can be sent to the SPAN destination port. For
example, a bi-directional (both transmit and receive) SPAN session is configured for sources a1 and a2 to a
destination port d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and
outgoing packets are sent to destination port d1; both packets would be the same (if a Layer 3 rewrite
occurs, the packets are different). Similarly, for RSPAN sessions with sources distributed in multiple
switches, the destination ports might forward multiple copies of the same packet. The same is true for
VLANs: if a packet is both sent and received by two ports that are part of the same VLAN, it will be
counted twice. To avoid counting packets twice with VLANs, the default direction for spanning VLANs is set
to receive only. The two data ports available with a NAM-2 can also be used effectively to monitor the receive
direction on one data port and the transmit direction on the other. Similarly, if CEF is forwarding packets from
all router interfaces, then each packet will be seen twice – once on the ingress interface and once on the
egress interface. Again, we stress the importance of understanding the exact nature of the data source in order
to properly interpret the Traffic Analysis reports.
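The double-counting described above also affects any tool that post-processes a bi-directional SPAN capture. The following Python code is an added example, not part of the Cisco tutorial and not a description of how the NAM works: it collapses the ingress and egress copies of one IPv4 packet, including the Layer 3 rewrite case, by ignoring the fields a router changes (MAC addresses, TTL, header checksum). The names fingerprint, dedup and make_frame, the 5 ms window and the sample frames are all assumptions made for the illustration.

```python
import hashlib
import struct

WINDOW = 0.005  # assumed max delay (seconds) between two SPAN copies of one packet

def fingerprint(frame: bytes) -> bytes:
    """Hash a frame so the ingress and egress copies of one packet collide."""
    if len(frame) < 18:
        return hashlib.sha256(frame).digest()
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100:  # skip a single 802.1Q tag
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return hashlib.sha256(frame).digest()  # not IPv4: compare whole frame
    ip = bytearray(frame[offset:])  # drop MACs and VLAN tag, rewritten at Layer 3
    ip[8] = 0                       # TTL is decremented by the router
    ip[10:12] = b"\x00\x00"         # header checksum changes along with the TTL
    return hashlib.sha256(bytes(ip)).digest()

def dedup(packets):
    """packets: (timestamp, frame) tuples in time order; returns the unique ones."""
    first_seen, unique = {}, []
    for ts, frame in packets:
        fp = fingerprint(frame)
        if fp in first_seen and ts - first_seen[fp] <= WINDOW:
            continue  # second copy of a packet already counted
        first_seen[fp] = ts
        unique.append((ts, frame))
    return unique

def make_frame(dst_mac, src_mac, ttl, payload=b"constructed"):
    """Build a constructed Ethernet/IPv4 frame for the demonstration."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 253, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF  # one's-complement header checksum
    return dst_mac + src_mac + b"\x08\x00" + hdr[:10] + struct.pack("!H", s) + hdr[12:] + payload

if __name__ == "__main__":
    host, rtr_in, rtr_out, srv = (bytes([2, 0, 0, 0, 0, n]) for n in range(1, 5))
    capture = [  # constructed sample: sources a1 and a2 spanned in both directions
        (0.0000, make_frame(rtr_in, host, 64)),  # packet entering through a1
        (0.0002, make_frame(srv, rtr_out, 63)),  # same packet leaving a2, routed
        (1.0000, make_frame(rtr_in, host, 64)),  # later retransmission, kept
    ]
    print(len(capture), "captured,", len(dedup(capture)), "after de-duplication")
```

Address translation or payload modification between the two observation points is not covered; such copies hash differently and are both kept.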
Note:
• The NBAR MIB has not yet been implemented within the Cisco Catalyst 6500 switch and Cisco 7600
router. When these devices include support for the NBAR MIB, the Cisco Catalyst 6500 Series and
Cisco 7600 Series NAM will support NBAR-PD on those devices as well.