Catalyst 6500 Series Switch and Cisco 7600 Series Router Network Analysis Module Installation and Configuration Note
78-16413-01
Chapter 1 Overview
Once a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked
against the VACL. Packets can either enter the VLAN through a switch port or through a router port after
being routed. Unlike Cisco IOS ACLs, VACLs are not defined by direction (input or output).
A VACL contains an ordered list of access control entries (ACEs). Each ACE contains a number of fields
that are matched against the contents of a packet. Each field can have an associated bit mask to indicate
which bits are relevant. Each ACE is associated with an action that describes what the system should do
with the packet when a match occurs. The action is feature dependent. Catalyst 6000 and 6500 series
switches and Cisco 7600 series routers support three types of ACEs in the hardware: IP, IPX, and
MAC-Layer traffic. The VACLs that are applied to WAN interfaces support only IP traffic.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against
this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet
coming in to the VLAN is first checked against the VACL and, if permitted, is then checked against the
input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it
is first checked against the output ACL applied to the routed interface and, if permitted, the VACL
configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet
of that type does not match the VACL, the default action is deny.
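As an added illustration (not part of the Cisco document), the following Python model walks a packet through the evaluation order described above: the ingress VACL, then the routed interface's input ACL, the output ACL, and finally the destination VLAN's VACL, with a configured VACL that nothing matches denying by default. The ACE field names, the sample VLANs and addresses, and the treatment of a VACL that has no ACEs for a packet's type are constructed assumptions, not taken from the document.

```python
import ipaddress
from dataclasses import dataclass

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

@dataclass
class ACE:
    fields: dict   # field -> (value, mask); only masked bits are compared, unlisted = wildcard
    action: str    # "permit" or "deny"
    def matches(self, pkt):
        return all((pkt.get(f, 0) & m) == (v & m) for f, (v, m) in self.fields.items())

def verdict(aces, pkt):
    # No list configured -> the check does not apply. Otherwise the first matching ACE
    # in the ordered list decides, and a list that nothing matches denies (the text's
    # default for VACLs; Cisco IOS ACLs end in an implicit deny as well).
    if aces is None:
        return "permit"
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def process(pkt, src_vlan, dst_vlan, vacls, in_acl=None, out_acl=None):
    # Order from the text: ingress VACL, input ACL, routing, output ACL, destination
    # VLAN's VACL. Bridged traffic (same VLAN) meets only the ingress VACL. A VACL is a
    # dict of packet type ("ip", "ipx", "mac") -> ordered ACEs; assumption: a VACL with
    # no ACEs for the packet's type leaves that packet alone.
    vacl = lambda vlan: verdict(vacls.get(vlan, {}).get(pkt["type"]), pkt)
    stages = [("vacl " + src_vlan, vacl(src_vlan))]
    if dst_vlan != src_vlan:
        stages += [("input acl", verdict(in_acl, pkt)),
                   ("output acl", verdict(out_acl, pkt)),
                   ("vacl " + dst_vlan, vacl(dst_vlan))]
    for name, result in stages:
        if result == "deny":
            return "deny", name          # the first denying stage wins
    return "permit", stages[-1][0]

# Constructed policy: VLAN 10 permits only IP sources in 10.1.1.0/24; VLAN 20 filters
# MAC-layer traffic only, so IP packets are not checked there; input ACL drops TCP/22.
VACLS = {"vlan10": {"ip": [ACE({"src": (ip("10.1.1.0"), 0xFFFFFF00)}, "permit")]},
         "vlan20": {"mac": [ACE({"eth_type": (0x0806, 0xFFFF)}, "deny")]}}
IN_ACL = [ACE({"dport": (22, 0xFFFF)}, "deny"), ACE({}, "permit")]

def demo():
    pkts = [{"type": "ip", "src": ip(s), "dport": d}
            for s, d in (("10.1.1.7", 22), ("10.1.1.7", 80), ("10.9.9.9", 80))]
    return [process(p, "vlan10", "vlan20", VACLS, IN_ACL) for p in pkts]
```

The returned stage name tells you which check dropped the packet, which is the question to ask first when traffic expected at the NAM never arrives.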
When configuring VACLs note the following:
• VACLs and context-based access control (CBAC) cannot be configured on the same interface.
• TCP Intercepts and Reflexive ACLs take precedence over a VACL action on the same interface.
• IGMP packets are not checked against VACLs.
For details on how to configure VACL with Cisco IOS software, refer to the Network Analysis Module
for Catalyst 6500 Series and Cisco 7600 Series Command Reference. For details on how to configure
security ACLs with the Catalyst operating system, refer to the Catalyst 6500 Series Software
Configuration Guide and the Catalyst 6500 Series Command Reference.
Understanding How the NAM Uses NDE
NetFlow Data Export (NDE) from a remote device allows you to monitor that device's port traffic on the NAM. To
use an NDE data source for the NAM, you must configure the remote device to export its NDE packets
to UDP port 3000 on the NAM. You may need to configure the device on a per-interface basis. The web
application user interface includes a screen for specifying NDE devices (an NDE device is
identified by its IP address). By default, the switch's local supervisor engine is always available as an
NDE device.
You can define additional NDE devices by specifying their IP addresses and, optionally, their community
strings. The community strings let the NAM retrieve readable names for the interfaces on the remote
devices that are monitored in NetFlow records.
For more information about the NDE data sources of the NAM, go to the NAM Traffic Analyzer online
help menu and choose the Contents > Setting Up the Application > Setting Up Data Sources >
Understanding NetFlow Interfaces.
Managing the NAM
You can manage the NAM from the embedded web-based NAM Traffic Analyzer application (directing
a web browser to the NAM) or a Simple Network Management Protocol (SNMP) management
application, such as those bundled with CiscoWorks2000.