Student Guide
Text Part Number: 97-2674-01

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents

Volume 2

Describing the Cisco Blade Switch Family
Overview
Objectives
Introducing the Cisco Blade Switches
Where and Why Are Blade Switches Used?
Blade Servers and Switches Benefits
Comparing Cabling Design Options
Management
Security
QoS
High Availability
Configuring Layer 2 Trunk Failover
Introducing the Cisco Blade Switch for HP Blade Servers
HP c7000 BladeSystem Characteristics
HP c3000 BladeSystem Characteristics
Network Interconnect Bays
Introducing the Cisco Blade Switches for Dell Blade Servers
Cisco IOS on Cisco Blade Switches
Licenses
License Activation
Replacing Malfunctioning Devices
Obtaining the License
Removing a License
Examining the License Information
Replacing a Switch in a Virtual Blade Switch
Standalone Operation
Introducing the Cisco Blade Switches for FSC Blade Servers
Summary
Module Summary
References
Module Self-Check
Module Self-Check Answer Key
Module Objectives

Implementing Traffic Flows
Overview
Objectives
Firewall Overview
Isolated Legacy Networks
Connected Networks
Firewall Implementation
FWSM Overview
Scaling FWSM Performance
FWSM Initial Configuration
When to Use PVLAN?
Firewall Modes
Routed Mode
Transparent Mode
Using Transparent vs. Routed Mode
Configuring IP Addresses in Routed Mode
Objectives
FWSM Virtualization Overview
Security Contexts Overview
Classifying Packets When Sharing the Interface
Configuring FWSM Contexts
System Execution Space
Admin Context
Accessing Contexts
Admin Context
Verifying Contexts
Removing Contexts
Changing the Context
Managing Context Resources
Configuring Resource Management
Defining Resource Limitations
Configuring Memory Partitions
Verifying Memory Partitions
Summary

Implementing Routing
Overview
Objectives
Configuring Static Routing
How to Determine Where to Forward the Traffic
How FWSM Makes Forwarding Decisions
Default Route
Static Route Convergence
Configuration Example

ii    Implementing Cisco Data Center Network Infrastructure 1 (DCNI-I) v2.0
© 2008 Cisco Systems, Inc.
Overview
Objectives
Failover Overview
Active-Standby Failover
Active-Active Failover
Failover Link Requirements
State Link
Failover Event with Active-Active
Failover Operation
Rapid Link Failure Detection with Cisco IOS Autostate
Configuring Failover
Primary and Secondary Roles
Configuration Replication
Summary
Objectives
Deep Packet Inspection Overview
URL Filtering Overview
URL Filtering Operation
Configuring Websense Server
Configuring Secure Computing SmartFilter
Enabling Buffering
Enabling Caching
Identifying Traffic
Summary
Module Summary
Module Self-Check
Module Self-Check Answer Key
Module Objectives

Objectives
Network Traffic Monitoring Overview
Challenges
Benefits
NAM Deployment Dependent on Monitoring Purposes
The Big Picture Defined
Cisco NAM Service Module
Cisco NAM Data Sources
Plan for Cisco NAM Deployment
Cisco Catalyst 6500 Series Switch NAMs
Summary
Objectives
Initial IP Settings
Enabling Web Server
VLAN Configuration
What Are SNMP Community Strings?
Summary

Objectives
Scenario 1: Live Network Monitoring and Analysis
Problem Description
Monitoring Plan
Action 1: Port Monitoring
Historical Reporting and Trending
Action 2: Detailed Port Monitoring
Action 3: Using NDE with Cisco NAM
Scenario 2: Response-Time Monitoring
Verify Cisco NAM Deployment
Scenario 3: URL Monitoring
Scenario 4: Troubleshooting
Action 1: Thresholds and Alarms
Action 2: Trigger Packet Captures
Summary

Objectives
Cisco NAM Software Upgrade
Nonresponding Cisco NAM
Shutting Down Cisco NAM
Cisco NAM Troubleshooting
Summary
Module Summary
Module Self-Check
Module Self-Check Answer Key
Objectives
Figure: Comparing cabling design options: end-of-row access, top-of-rack access (Catalyst 4948), and a Cisco blade switch inside the enclosure.

Blade servers and switches benefits:
- Optimize rack space usage: blade servers and switches use less space than standalone counterparts
- Reduce the necessary cabling from servers to the network equipment
- More efficiently use power and produce less thermal output per server unit
Implementing the Cisco Catalyst 6500 Series, Cisco Catalyst 4900 Series, and Blade Switches
- Quality of service (QoS)
Management
The blade switches offer all the network management capabilities available on standalone Cisco Catalyst switches, along with integration into the blade server enclosure management.

Security
Security mechanisms incorporate access control lists (ACLs), IEEE 802.1x, TACACS+/RADIUS, and so on.

QoS
QoS mechanisms available include ingress rate limiting, marking, shaped round robin (SRR), and priority queuing.
- PortFast, UplinkFast, BackboneFast
- Unidirectional Link Detection (UDLD)
- Layer 2 trunk failover
Figure: Layer 2 trunk failover. A blade server enclosure with Server1 and the other blades connected to the blade switch downlinks; the switch uplink is Port-channel1. Configuration fragment shown in the figure:

    interface Port-channel1
    ...
    interface range GigabitEthernet0/1 - 10
     link state group 1 downstream
Blade server blades connected to a blade switch have no knowledge of whether the switch has connections to the rest of the network. In case of an uplink port failure, a server using NIC teaming would not switch over from the primary to the secondary NIC (usually connected to another switch).

Layer 2 trunk failover is used on the blade switches to trigger link outages on the server ports in case of a link outage on the uplink ports, thus enabling the server to switch over to the secondary NIC.

Step 1 Configure a Layer 2 trunk failover group with the link state track global configuration command.
Step 2 Define the uplink ports as upstream with the link state group upstream interface configuration command.
Step 3 Define the server ports as downstream with the link state group downstream interface configuration command.
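The link-state tracking behaviour that these steps configure, modelled in Python as an added example (this is not code from the course guide, nor Cisco IOS code; the group number, interface names and link states are constructed sample values, and the IOS CLI lines it emits are the three commands the steps above name):

```python
"""Model of Cisco IOS Layer 2 trunk failover (link-state tracking).

Added example, not part of the course guide. A link-state group ties a set of
upstream (uplink) ports to a set of downstream (blade server) ports: while at
least one upstream port is up the downstream ports stay up; when every upstream
port goes down the downstream ports are error-disabled, so a NIC-teamed server
moves to its secondary NIC. Group numbers, interface names and link states used
here are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class LinkStateGroup:
    number: int
    upstream: list = field(default_factory=list)    # uplink ports
    downstream: list = field(default_factory=list)  # server-facing ports

    def ios_config(self):
        """IOS CLI lines for this group, in the order of the lesson's steps."""
        lines = [f"link state track {self.number}"]
        for port in self.upstream:
            lines += [f"interface {port}", f" link state group {self.number} upstream"]
        for port in self.downstream:
            lines += [f"interface {port}", f" link state group {self.number} downstream"]
        return lines

    def downstream_states(self, link_up):
        """State of each downstream port given {port: True/False} link states of
        the upstream ports. An upstream port missing from link_up counts as down.
        Only when *all* upstream ports are down are the downstream ports disabled."""
        any_up = any(link_up.get(port, False) for port in self.upstream)
        state = "up" if any_up else "err-disabled"
        return {port: state for port in self.downstream}


def teamed_server_active_nic(primary_state, secondary_state):
    """NIC a NIC-teamed blade server ends up on: it stays on the primary NIC unless
    that link is down (which is what trunk failover forces), then uses the
    secondary NIC if that link is up, otherwise it has no path at all."""
    if primary_state == "up":
        return "primary"
    if secondary_state == "up":
        return "secondary"
    return None


def simulate(group_a, group_b, uplinks_up_a, uplinks_up_b, server_port):
    """Server attached to the same port number on switch A (primary NIC) and on
    switch B (secondary NIC); returns the NIC it uses for the given uplink states."""
    a = group_a.downstream_states(uplinks_up_a)[server_port]
    b = group_b.downstream_states(uplinks_up_b)[server_port]
    return teamed_server_active_nic(a, b)


if __name__ == "__main__":
    switch_a = LinkStateGroup(1, ["Port-channel1"], ["GigabitEthernet0/1", "GigabitEthernet0/2"])
    switch_b = LinkStateGroup(1, ["Port-channel1"], ["GigabitEthernet0/1", "GigabitEthernet0/2"])
    print("\n".join(switch_a.ios_config()))
    print(simulate(switch_a, switch_b, {"Port-channel1": False}, {"Port-channel1": True},
                   "GigabitEthernet0/1"))
```

The point the model makes explicit is the failure mode the text describes: without the group, switch A's downlink to the server stays up when Port-channel1 fails and the server keeps sending into a dead end; with the group, the downlink is error-disabled and the teaming driver sees a link-down event.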
Figure: Blade server vendors covered in this lesson: Dell, Fujitsu Siemens, HP ProLiant c-Class.

Figure: HP c-Class BladeSystem enclosure, front and rear view. Rear interconnect bays: LAN switch or pass-through, SAN switch or pass-through; 4 slots for high-speed I/O (for example InfiniBand, 10 Gigabit Ethernet).

HP c7000 BladeSystem characteristics:
- 10 rack unit (RU) chassis
- Full-height server blades with up to eight per enclosure
- Half-height server blades with up to 16 per enclosure
- 10 Gigabit Ethernet-capable backplane

HP c3000 BladeSystem characteristics:
- Half-height server blades with up to eight per enclosure
- Four I/O interconnect bays with either Ethernet, InfiniBand, or Fibre Channel

Implementing the Cisco Catalyst 6500 Series, Cisco Catalyst 4900 Series, and Blade Switches
Figure: Cisco Blade Switch 3020 front panel: port LEDs, console port, 4x SFP uplink ports, 8x RJ-45 uplink ports.
The Cisco Blade Switch 3020 for HP c-Class BladeSystem provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements.

The Cisco Blade Switch 3020 ships as a single unit and should be ordered in quantities of two for redundancy purposes. A single blade can have up to four optional 1000BASE-SX fiber small form-factor pluggable (SFP) modules.

The Cisco Blade Switch 3020 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. It is compatible with HP c-Class server blades like the BL460c, BL480c, BL465c, BL685c, and BL8x0c.

The following system properties pertain to the switch:
- 128 MB of memory and 32 MB of flash
- 16 internal 10/100/1000BASE-T downlinks used for server connections
Features
- Spanning Tree
- Link Aggregation
- VLANs
- PortFast, UplinkFast, BackboneFast

Advanced QoS
- 802.1p class of service (CoS) and differentiated services code point (DSCP) field classification
- Cisco Committed Information Rate (CIR)

Multicasting
- Internet Group Management Protocol (IGMP) snooping v1 & v2
- Multicast VLAN Registration (MVR)
- 1000 configurable IGMP groups

Security
- Per-port broadcast, multicast and unicast storm control
- TACACS+, RADIUS
- IEEE 802.1x
- Port-based ACLs (PACLs)

Management
- SSHv1 & SSHv2, Kerberos, SNMPv3
- RMON I and II
- SNMPv1, SNMPv2c, and SNMPv3
- SPAN, RSPAN
- End-to-end Cisco IOS common user interface and software upgrade across the entire switch network
Switch Architecture

Figure: Cisco Blade Switch 3020 architecture: processor, 32 MB flash, 128 MB SDRAM, TCAM, switching ASICs and PHYs, 4 SFP ports, 8 RJ-45 ports, 16 server downlink ports.
The figure shows an overview of the Cisco Blade Switch 3020 architecture. The following key components constitute the switch:
- Processor that handles the control plane functionality
- Physical (PHY) layer for bridging between ASICs and physical ports
- Ports: internal (16 server downlink ports), external (eight RJ-45 and four SFP-based ports), and interswitch (two connectivity ports; if used, two fewer uplink ports are available)
Figure: Cisco Blade Switch 3030 front panel: console port, RJ-45 uplink ports, 4x SFP uplink ports.
- 4 SFP ports
- 2 RJ-45 10/100/1000BASE-T copper ports
- 10 internal 10/100/1000 Mb/s downlinks for server connections
- EOS: June 9, 2008
The Cisco Blade Switch 3030 for Dell PowerEdge 1955 and 1855 Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements.

The Cisco Blade Switch 3030 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. It is compatible with the Dell PowerEdge 1955 and its predecessor, the 1855 Blade Server Enclosure.

Up to four can be installed per chassis, with the second set of two requiring Ethernet daughter cards on each server blade.

The following system properties pertain to the switch:
- 128 MB of memory and 32 MB of flash memory
Figure: Cisco Blade Switch 3030 architecture: TCAM, switching ASICs, 128 MB SDRAM, 4 SFP ports, RJ-45 ports, 10 server downlink ports.
Dell PowerEdge M1000e characteristics:
- 10 RU chassis
- Up to 16 half-height server blades per enclosure
- Hot-swappable nonredundant (three) or redundant (3+3) power supplies
- Six I/O switch modules for three redundant fabrics (can host Cisco Blade Switch M3032, M3130G, M3130X)
- Nine hot-swappable fan modules
- Three chassis controllers with KVM switch
- Ethernet FlexIO switches provide on-demand stacking and uplink scalability
Figure: Cisco Blade Switch 3032 front panel: 4x RJ-45 uplink ports, 4x SFP uplink ports, console port.

The Cisco Blade Switch 3032 for Dell PowerEdge M1000e Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements. The Cisco Blade Switch 3032 is a Layer 3 switch.

The following system properties pertain to the switch:
- 256 MB of memory and 64 MB of flash memory
- Gb/s switching fabric (the figure in the scan is illegible)
- Up to 36 Mp/s forwarding rate based on 64-byte packets
- Up to 8192 MAC addresses

The following interfaces are available:
- 16 internal 10/100/1000BASE-T downlinks used for server connections
Figure: Cisco Blade Switch 3130X and 3130G front panels: 4x RJ-45 uplink ports, 4x SFP uplink ports (3130X: X2/SFP uplink slots), console port.

Figure: Cisco Blade Switch 3130 architecture: console port, 10/100 Ethernet port, three switching ASICs, 4 RJ-45 ports, two X2/SFP uplink slots.
Cisco IOS on Cisco Blade Switches
- Same image with different licenses to activate the feature set
- Cisco Blade Switches 31x0 ship with the IP Base image
- Cisco Blade Switch 3032 can run only the IP Base image

Table (feature set per license; the X marks are not recoverable from the scan): columns Standard L2+ feature set, RIP/Static, EIGRP stub, IPv6 manageability, Multicast, OSPF, BGP.
Licenses
Three license types exist: IP Base, IP Services, and Advanced IP Services.

A license is required for each switch, including each switch in a stack, and is locked to the unique device identifier (UDI) of the switch; it does not expire.

Cisco Blade Switches 31x0 ship with the IP Base standard license installed, thus to activate any other feature set the license file has to be changed. This has no impact on Cisco IOS version updates.

Note: The Cisco Blade Switch 3032 can only run the IP Base image.

License Activation
A customer purchases a Product Authorization Key (PAK), obtains the UDIs for the devices to upgrade, and passes the information to the Cisco license portal. Licenses are then electronically sent to the customer, who applies them to the devices. No Internet connectivity from the switch to Cisco is required.

Note: Replacing a malfunctioning device requires a Cisco.com login, the old UDI, the new UDI, and the service contract number. No PAK is required.

Implementing the Cisco Catalyst 6500 Series, Cisco Catalyst 4900 Series, and Blade Switches
Managing Cisco IOS Licenses
- Buy the PAK code for a specific license (it represents the proof of purchase).
- Get the UDI for the switches to be upgraded.
- Log in to the Cisco license portal at http://www.cisco.com/go/licenses and create a license file using the PAK and UDI.
- Download the license file received by email to the switch flash memory.
- Install the license with the license install command.
Use the show license udi command to examine the UDI of the switch (required for obtaining the license):

    switch# show license udi switch 1
    Device#   PID              SN            UDI
    *1        WS-CBS3130X-S    FOC1132HZSR   WS-CBS3130X-S:FOC1132HZSR
Figure: Cisco Blade Switch 3130 virtual blade switch (VBS): local server-to-server traffic stays within the VBS domain.

In a single virtual blade switch domain there is one master switch with 1:N resiliency for the master; that is, each member is a copy of the master switch.

New virtual blade switch members get Cisco IOS Software automatically upgraded (to the same Cisco IOS Software as the master switch has) and are automatically configured from the master switch.
Standalone Operation
A Catalyst Blade Switch 3032 or a Catalyst Blade Switch 3130 operating in standalone mode behaves like a Catalyst Blade Switch 3030 switch.
Figure: Single VBS (cost effective) versus separate VBS (more resilient).
- A four-NIC server scenario gives more server bandwidth (for example, for VMware).
Fujitsu Siemens PRIMERGY BX600 characteristics:
- 10 dual-socket server blades per enclosure
- 5 quad-socket server blades per enclosure
- Rear: 4 slots for I/O switches
Figure: Cisco Blade Switch 3040 front panel: console port, 2x RJ-45 uplink ports, 4x SFP uplink ports.
The Cisco Blade Switch 3040 for Fujitsu Siemens PRIMERGY BX600 Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements.

The Cisco Blade Switch 3040 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. Up to four can be installed per chassis.

The following system properties pertain to the switch:
- Up to 8192 MAC addresses

The following interfaces are available:
- 10 internal 10/100/1000BASE-T downlinks used for server connections
- Two external 10/100/1000BASE-T copper ports
- Four external 10/100/1000 SFP-based copper or fiber SX-based ports
- Serial console with port redirection to Dell DRAC
Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
- Cisco blade switches are used in blade server enclosures.
- A Cisco blade switch is equivalent to a standalone Cisco Catalyst switch.
- Layer 2 trunk failover shuts the server port upon the corresponding uplink failure.

Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary
@To
ECNM
depl
oythsc
aer
l
aar
ble
ndesi
agegab
e
'anied.
dSOA datacenters'follow the
wi
hi
cjma
ica!
nl
appl
- The Cisco Catalyst 4900 Series Switch is designed to deliver the highest reliability and serviceability in a 1RU or 2RU configuration.
- Multiple generations of supervisors exist for the Cisco Catalyst 6500 Series Switches: Supervisor 1, 2, 32, and 720.
- The Supervisor Engine 720 provides higher-performance management and forwarding functions to Catalyst 6500 Series Switches than any other supervisor engine available.
- The Supervisor Engine 720 is designed to support three generations of line cards, providing flexibility in network design and investment protection.
- The VSS 1440 manages redundant links, which externally act as a single port channel.
- The Catalyst 6500 Series Switch with Cisco IOS Software Modularity minimizes downtime and boosts operational efficiencies through evolutionary software infrastructure advancements.
Module Self-Check

Q1) (question stem illegible in the scan) (Source: Describing the Catalyst 6500 and 4900 Series Switch Data Center Architecture)
A) Human collaboration
B) Business continuity
C) Virtualization
D) Agility

Q2) Which two of the following Cisco data center platforms are suitable for the data center core layer? (Choose two.) (Source: Describing the Catalyst 6500 and 4900 Series Switch Data Center Architecture)
A) Nexus 7000
B) Nexus 5000
C) Cisco Catalyst 6500 Series Switch
D) Cisco Catalyst 4900 Series Switch
E) Cisco blade switch

Q3) (question stem illegible in the scan)
A) Catalyst 4900-51
B) Catalyst 4948
C) Catalyst 4948-10GE
D) Catalyst 4948-M

Q4) Which three high-availability features do Cisco Catalyst 4900 Series switches offer? (Choose three.) (Source: Describing and Positioning the Cisco Catalyst 6500 and 4900 Series Switches)
A) 1+1 redundant hot-swappable power supplies
B) Redundant supervisor engines
C) Redundant backplane
D) Redundant, hot-swappable fans with variable speed
E) HSRP, VRRP and GLBP support
F) Stateful Switchover (SSO)

(question stem illegible in the scan)
A) Access layer
B) Aggregation layer
C) Core layer

Q9) Which component of the Supervisor 720 holds the route and switch processors? (Source: Describing the Cisco Catalyst 6500 Series Switch Supervisors)
A) PFC3
B) MSFC3
C) Switch fabric
D) DFC3

(question stem illegible in the scan)
A) WS-X6704-10GE
B) WS-X6708-10GE
C) WS-X6716-10GE
D) WS-X6724-SFP

(question stems illegible in the scan; option sets as they appear)
- Stateful Switchover; Link Management Protocol; IP Bidirectional Forwarding; Enhanced PAgP; Role Resolution Protocol
- IP Bidirectional Forwarding; Enhanced PAgP; Role Resolution Protocol; HSRP
- A) CISCO BASE  B) CISCO LATEST
- A) DEST-SRC  B) SRC ONLY  C) DEST ONLY  D) DEST-SRC-INT  E) FULL
- True / False
- A) enable qos  B) mls qos  C) enable pfc qos  D) pfc qos
- A) Through a global configuration  B) On the incoming interface  C) To an internal PFC to MSFC interface  D) To a control plane interface
- A) Event Detectors  B) CLI Applet  C) Event Manager  D) Event Manager Policy Engine  E) Tcl Script
- A) Bootup diagnostics  B) On-demand diagnostics  C) Health monitoring diagnostics  D) Scheduled diagnostics
- A) Interface  B) NetFlow  C) VACL  D) VLAN  E) Port channel
- A) Interface  B) RSPAN VLAN  C) VLAN  D) Port channel
- True / False

Module Self-Check Answer Key
(only fragments survive in the scan: entries for Q2), Q8), Q9), Q20), Q23) and the answer "B, D")
Module 2

Module Objectives

Lesson 1

Objectives
Upon completing this lesson, you will be able to explain the basic installation and configuration procedures for configuring the Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:
- Explain the purpose and operation of firewalls
Figure: Connected networks: telecommuters, mobile users, branch office, and headquarters all reach each other over the Internet and partner networks.

...injected into the network. Security concerns in this network revolved primarily around the strength of the authentication provided by the access server. Much of the data security issues in these early networks were controlled by the mainframe or mid-size systems, which still owned most of the data.
...generating IP traffic that is injected into and routed by the corporate network. Systems from web servers to mainframes to workstations are now accessible from anywhere in the world. Compromising one system has now become an easier first step in mounting an attack on a corporate network.

There are several technologies available to mitigate the risks of Internet connectivity while maintaining the benefits. These technologies include firewall services.

Implementing FWSM for a Data Center Network Infrastructure
Figure: Firewall implementation: web server in the demilitarized zone (DMZ) between the outside network (Internet) and the inside network.

Packet Filtering

Figure: A packet filter between the Internet (outside network), the DMZ (web server), and the inside network, with this policy:

    Source    Destination       Permit
    Outside   DMZ:80            Yes
    Outside   DMZ:!80           No
    DMZ       Any               Yes
    Inside    Any               Yes
    Outside   Inside Network    No
Proxy Server

Figure: Web and proxy servers in the DMZ between the Internet (outside network) and the inside network, with this policy:

    Source    Destination       Permit
    Outside   Web:80            Yes
    Outside   Web:!80           No
    Outside   Proxy             Yes
    DMZ       Any               Yes
    Inside    Any               Yes
    Outside   Inside Network    No
Figure: Stateful filtering with the web server in the DMZ between the Internet (outside network) and the inside network. The firewall keeps entries for each active connection:
- Source/destination address
- Source/destination port
- Sequence numbers
- TCP flags

    Source    Destination          Permit
    Outside   DMZ:80               Yes
    Outside   DMZ:!80              No
    DMZ       Any                  Yes
    Inside    Any                  Yes
    Outside   Inside Network       No
    Outside   Inside (established  Yes
              session)

Implementing FWSM for a Data Center Network Infrastructure
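The difference between the packet-filter table and the stateful table above comes down to the last row: reply traffic that a stateless filter has to deny (Outside to Inside is "No") is permitted once it matches an entry in the connection table. The following Python, added here as an example and not part of the course guide or of any Cisco product, evaluates the lesson's policy both ways; the zone names follow the tables, while the addresses and ports are constructed sample values.

```python
"""Stateless packet filter versus stateful filter over the lesson's policy.

Added example, not part of the course guide. RULES encodes the policy table
(source zone, destination zone or None for any, destination port or None for
any, permit); it is evaluated first match wins, with an implicit deny at the
end. The stateful filter adds a connection table keyed by the 5-tuple minus
protocol and permits a packet that is the reply of an entry it already holds.
Addresses and ports in the usage section are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# The policy table from the lesson's figures.
RULES = [
    ("Outside", "DMZ", 80, True),      # Outside -> DMZ:80   Yes
    ("Outside", "DMZ", None, False),   # Outside -> DMZ:!80  No
    ("DMZ", None, None, True),         # DMZ     -> Any      Yes
    ("Inside", None, None, True),      # Inside  -> Any      Yes
    ("Outside", "Inside", None, False),  # Outside -> Inside Network  No
]


def stateless_permit(pkt):
    """Decide on the packet alone, as a packet filter does."""
    for src, dst, port, permit in RULES:
        if src != pkt.src_zone:
            continue
        if dst is not None and dst != pkt.dst_zone:
            continue
        if port is not None and port != pkt.dst_port:
            continue
        return permit
    return False  # implicit deny


class StatefulFilter:
    """Packet filter plus a table of active connections (addresses and ports)."""

    def __init__(self):
        self.connections = set()  # (src_ip, src_port, dst_ip, dst_port)

    def permit(self, pkt):
        # "Outside -> Inside (established session): Yes": a reply to a connection
        # we recorded is allowed even though the static table says No.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return True
        if stateless_permit(pkt):
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


# Constructed sample flow: inside client fetching a page from an outside web server.
REQUEST = Packet("Inside", "Outside", "10.1.1.5", "198.51.100.7", 40000, 80)
REPLY = Packet("Outside", "Inside", "198.51.100.7", "10.1.1.5", 80, 40000)
UNSOLICITED = Packet("Outside", "Inside", "198.51.100.7", "10.1.1.5", 80, 40001)


def compare(packets):
    """Return [(stateless decision, stateful decision)] for a packet sequence."""
    fw = StatefulFilter()
    return [(stateless_permit(p), fw.permit(p)) for p in packets]


if __name__ == "__main__":
    for pkt, decisions in zip([REQUEST, REPLY, UNSOLICITED], compare([REQUEST, REPLY, UNSOLICITED])):
        print(pkt.src_zone, "->", pkt.dst_zone, pkt.dst_port, decisions)
```

Running the three sample packets in order shows the request permitted by both filters, the reply permitted only by the stateful filter, and the unsolicited outside packet (same hosts, different client port) denied by both, which is the detection value of the connection table: it distinguishes a reply from a spoofed packet that merely looks like one.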
Figure: What a security context owns:
- Policies and management
- IP address space (can be shared between contexts)
- Operational mode (routed/transparent)
- Set of VLAN interfaces
- Resource usage
FWSM Overview
This topic identifies the characteristics of the Catalyst 6500 Series FWSM.

FWSM Hardware
- Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router firewall system
- High-performance firewall, 5.5 Gb/s
- Maximum of 1 million simultaneous connections
- Maximum of 100,000 connection setups and teardowns per second
- 256,000 PAT and 256,000 NAT translations
- Up to four blades per chassis

Scaling
FWSM Key Features
- Fabric-enabled card
- Based on proven Cisco PIX firewall technology
- Supports transparent or routed firewall mode
- Up to 250 security contexts (virtual firewall instances)
- Up to 256 VLANs in a single routed context
- Up to 100 VLANs per routed context in multi-context mode
- Up to 8 pairs of VLANs in each transparent context
- Up to 1000 VLANs in all contexts
Routing
- Dynamic
- Asymmetric
- Private VLAN (PVLAN) support

Network integration
- Mixed Layer 2 and Layer 3 mode support: mixed Layer 2 and Layer 3 mode support is now permitted on the same Catalyst 6500 Series FWSM, enabling flexible network deployments.
FWSM Architecture Overview

Figure: FWSM installed in a Cisco Catalyst 6500 chassis, with its VLAN interfaces (3/1 to 3/6 in the figure) connected to the switch backplane.
Three-Layer Architecture Overview

Figure: FWSM three-layer architecture: the control path (CLI, OSPF, fixups) on the PC complex; the fast path; a 1 Gb local bus between them; and a 6 Gb/s EtherChannel to the Cisco Catalyst 6500 fabric or bus.

...protocol data to adjust for NAT.

The third layer of the architecture consists of a PC complex that performs all other fixup functions, as well as routing and the command-line interface (CLI).
'
FWSM File System
* The FWSM includes a 128 MB CompactFlash card
* Six partitions on the card are used (cf:n)
Partition: Maintenance
Partition: Network configuration
Partition: Crash dump
cf:4: Application partition (default)
cf:5: Application partition
cf:6: Context configurations (disk)
Feature Comparison: FWSM vs. ASA
[Table, largely unrecoverable. Rows: Performance; Type of interfaces; VLANs; Failover licensing; VPN functionality; Default policy. Recoverable cells: "External interfaces", "100 (250 future)", "Yes", "Allows higher level to lower level traffic".]
FWSM Initial Configuration
FWSM Traffic Flow
[Figure: outside network and inside network connected through the Cisco Catalyst 6500 Series FWSM]
FWSM VLANs
[Figure: DMZ1 network, outside network (outside VLAN), inside network (inside VLAN) and DMZ2 network, all connected to the FWSM in the Cisco Catalyst 6500]
The show firewall vlan-group and show firewall module commands can be used to verify the VLAN configuration.
Accessing the FWSM
Router#
enable
The enable mode password is changed with the enable password command.
FWSM(config)# enable password evenB3tt#rpWord
The host and domain names are used during the process that generates RSA keys for
Configuring Interfaces
Router(config)# interface vlan 100
Router(config-if)# nameif outside
Router(config-if)# security-level 0
Router(config)# interface vlan 101
Router(config-if)# nameif inside
Router(config-if)# security-level 100
Router(config)# interface vlan 102
Router(config-if)# nameif dmz
Router(config-if)# security-level 50
[Figure: concentric security-level circles: 0 (outer), 30, 70, 100 (inner); inside-to-outside and outside-to-inside directions]
The outer (dashed) circle is security level 0. The field between the outer (dashed) circle and the middle (full) circle represents security level 30. Security level 70 lies between the middle (full) circle and the inner (dotted) circle, and security level 100 is the interior of the inner (dotted) circle.
Going from a lower security level to a higher security level takes you inside, while going from a higher to a lower security level takes you outside. When dealing with a firewall with multiple interfaces, each with a different security level, this inside and outside directionality determines the security and NAT policies that are applied.
Multiple Interfaces with the Same Security Level
[Figure: Internet; outside network 198.133.219.0/24 at security level 0; a web server in DMZ1 192.168.1.0/24 and a second DMZ; inside network 10.0.0.0/24 at security level 100 with an application server]
[Figure: DMZ 192.168.1.0/24, inside 192.168.255.0/24, 192.168.2.0/24 and 192.168.3.0/24]
Note: The router must run Cisco IOS Software Release 12.2(18)SXF or later. A special message is used to communicate the PVLAN mapping to the Catalyst 6500 Series FWSM.
* Promiscuous
  Can communicate with hosts on mapped community and isolated ports
  Listens to the secondary VLAN
  Sends traffic using the primary VLAN
[Figure: hosts A and B on isolated ports of a PVLAN (primary VLAN 100, secondary VLAN 50) behind the FWSM in the Cisco Catalyst 6500; sample addresses 10.10.10.50, 10.10.10.100 and 10.10.10.101]
leillterrace.Usillg tllisfeattlrei1)conjtlnctionwitl)PVLAN intcgration,a1lcolnlntlnications
to,froln,alld within a PVLAN can beconlrolled by tlle Catalyst6500 ScricsFSVSM .
Colnlntlllicatitln between isolatcd ports isprcvented.sincctllc Catalyst6500 ScricsFSVSM svill
notretlle packctsback otltthc interfacc tl3cy calne in froln.
Hostsin the PVLAN are protccted frol
'n each otherand f'
rotn tllcotltside world by theCatalyst
6500 ScriesFSVSM .
When to Use PVLAN?
A security policy in the data center is typically created by segregating devices (namely servers) into different groups according to their security requirements and type, which means that a previously single IP subnet should be split into separate IP subnets.
Firewall Modes
[Figure: Routed Mode: inside network VLAN 20 (10.0.0.0/24, host 10.0.0.83) and outside network VLAN 40 (198.133.219.0/24, hosts 198.133.219.100 and 198.133.219.25) on different subnets. Transparent Mode: Layer 2; inside VLAN 20 and outside VLAN 40 share the subnet 10.0.0.0/24 (hosts 10.0.0.83, 10.0.0.100, 10.0.0.25)]
Network probes, denial of service (DoS) floods, and "firewalking" attacks (that determine firewall filtering policies and reveal private addresses behind an address-translating firewall) are rendered impotent with transparent firewalls. This prevents malicious users from scoping the network to derive component and network information, making networks resilient to attacks.
FWSM(config)# no firewall transparent
The default mode for the Catalyst 6500 Series FWSM is routed mode. The firewall transparent command is used to place the Catalyst 6500 Series FWSM in transparent mode.
Note: Firewall mode is set per context.
The ip address command is used in routed mode to configure an IP address on a particular interface. The parameters specify the IP address and subnet mask to be used for the interface. Both the address and the mask use dotted decimal notation, while the standby keyword and address are used for failover.
Configuring IP Addresses in Routed Mode
FWSM(config)# interface vlan 100
FWSM(config-if)# nameif outside
FWSM(config-if)# security-level 0
FWSM(config-if)# ip address 198.133.219.15 255.255.255.0
[Figure: web server in the DMZ 192.168.1.0/24, outside network 198.133.219.0/24 towards the Internet, inside network 10.0.0.0/24]
* Specifies a management IP address for each pair of bridge-group interfaces
[Figure: transparent FWSM between the outside network 10.0.0.0/24 and the inside network 10.0.0.0/24]
* Address Resolution Protocol (ARP) inspection
* Multicast pass-through
* No outside shared VLAN
* One management IP address per transparent firewall context
* The same subnet but different VLANs on the inside and outside
[Figure: NAT address terminology between the inside network and the outside network. Local addresses: inside local, outside local. Global addresses: inside global, outside global]
[Figure: PAT example. Inside network 10.0.0.0/24, outside network 198.133.219.0/24. Requests from 10.0.0.83:2418 and 10.0.0.84:2418 to a web server on port 80 both leave with the inside global address 198.133.219.25, with ports 2418 and 2419 respectively]
A typical use of PAT is to provide network access for a large inside network, while conserving addresses on the outside network. In this example, one address in the outside network is used to provide access for an inside network with a class C network of hosts. The example packets show two different systems generating requests to a web server. Each system is using the same TCP port to send the request. Notice that the inside global address for each request is the same IP address, but the PAT function on the firewall has allocated different ports for the requests.
Configuring NAT Control
* NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule
* NAT control is disabled by default
FWSM(config)# nat-control
[Figure: inside network 10.0.0.0/24 (NAT 1) behind the FWSM, outside network towards the Internet]
[Figure: DMZ 10.1.1.0/24 (NAT 1) and inside network 10.1.2.0/24 (NAT 1) translated to the outside pool 209.165.201.3-209.165.201.10 (Global 1) towards the Internet]
Dynamic NAT can be used when protocols cannot use PAT (such as GRE version 0), or
In addition, static PAT permits administrators to provide a single address to remote users for accessing FTP, HTTP, and SMTP servers, even though these servers might be different servers on the real network. For example:
FWSM(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
Note: Overlapping static configurations were allowed in initial versions of the Catalyst 6500 Series
Bypassing NAT when NAT Control is Enabled
FWSM(config)# nat (inside) 0 10.1.1.0 255.255.255.0
FWSM(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
FWSM(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
FWSM(config)# nat (inside) 0 access-list EXEMPT
* Bypasses NAT
[Figure: web server in the DMZ 10.1.2.0/24, outside network 209.165.201.0/24 towards the Internet, inside network 10.1.1.0/24]
Static identity NAT (static command)
NAT exemption (nat 0 access-list command)
Identity NAT
Identity NAT is similar to dynamic NAT in that you do not limit translation for a host on specific interfaces. Identity NAT, when enabled, must be used for connections through all interfaces. You cannot choose to perform normal translation on real addresses on one interface while using identity NAT on another. However, regular dynamic NAT lets you specify a particular interface on which to translate the addresses. When using identity NAT, ensure that the real addresses are routable on all networks according to the ACLs.
This example uses identity NAT for the inside 10.1.1.0/24 network.
FWSM(config)# nat (inside) 0 10.1.1.0 255.255.255.0
This example uses static identity NAT for an outside address (209.165.201.15) when accessed by the inside.
FWSM(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask
This example exempts an inside network when accessing any destination address.
FWSM(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
[Figure: configuration limits: nat 2000, global 4000, static 2000; 7942 access control entries; 7272 access control entries]
* The nat command: 2000 (2k)
* The global command: 4000 (4k)
* The static command: 2000 (2k)
Note: In addition, the Catalyst 6500 Series FWSM supports up to 3942 access control entries in ACLs used for policy NAT in single mode, and 7272 access control entries in multiple mode.
Advanced NAT: Multiple NAT IDs
[Figure: inside networks 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24 behind the FWSM; outside 192.168.1.0/24 towards the Internet. Configuration shown:
nat (inside) 3 10.0.3.0 255.255.255.0
nat (inside) 4 10.0.4.0 255.255.255.0
global (outside) 1 192.168.1.11
global (outside) 2 192.168.1.12
global (outside) 3 192.168.1.13
global (outside) 4 192.168.1.14]
Policy NAT
[Figure: inside network 10.0.0.0/24 behind the FWSM; outside network; extranet 172.16.0.0/16]
Policy NAT is used to select the translated address to be used based on the criteria expressed in an extended ACL. An extended ACL allows policy NAT to include the source and destination addresses and ports in the decision-making process.
Note: ACLs must still be configured to allow the traffic flow enabled by the policy NAT configuration.
Identity NAT
[Figure: inside network 128.107.224.0/24 behind the FWSM, outside network 198.133.219.0/24 towards the Internet]
OR
static (inside,outside) 128.107.224.0 128.107.224.0 netmask 255.255.255.0
2-54
ImpiementingCi
scoDataCenterNetworklnfrastructure1(DCNI
-I)v2.0
[Figure: web server in DMZ1 10.0.1.0/24, DMZ2 10.0.2.0/24, outside network 198.133.219.0/24 towards the Internet, inside network 10.0.0.0/24 with an application server]
Note: ACLs must still be configured to allow the traffic flow enabled by the NAT exemption configuration.
Note: Though it uses the nat command, NAT exemption creates a two-way translation allowing traffic to be initiated from either side of the firewall. This is the only bidirectional use of the nat command.
Layer 2 NAT/PAT
* NAT, PAT, and static statements will turn on the functionality.
* A transparent firewall bridge pair can support both NAT and non-NAT traffic.
* The firewall will respond to ARP requests for the global and static addresses in the same subnet.
* The management IP cannot be part of the global or static pool.
* Inspections will behave as in routed mode.
[Figure: transparent firewall with NAT/PAT: router R1 on the outside (10.1.1.0/24), the FWSM, hosts A1 to D1 on the inside, router R2]
The Catalyst 6500 Series FWSM can also perform NAT in transparent mode from software version 3.4 onwards.
These configuration considerations apply to a Layer 2 NAT/PAT deployment:
* Routes (static) are needed on adjacent routers for global and static pools that are not part of the same subnet as the FWSM bridge group.
Summary
* The Cisco Catalyst 6500 Series FWSM analyzes and modifies fields in the IP, UDP, and TCP headers.
* The Catalyst 6500 Series FWSM uses stateful packet filtering to control traffic between two or more networks.
* NAT and PAT modify IP addresses and UDP/TCP ports as traffic passes through the Catalyst 6500 Series FWSM.
* The Catalyst 6500 Series FWSM is a fabric-enabled card that connects to the Catalyst 6500 Series Switch through a 6-port Etherchannel.
* The Catalyst 6500 Series FWSM offers scalability to 20 Gb/s in a single chassis.
* The Catalyst 6500 Series FWSM uses VLANs to connect to the rest of the network.
Lesson 2
Objectives
Out-of-band management
Console Access
msfc#
er processor 1
Note: For multiple context mode, when you session into the Catalyst 6500 Series FWSM you access the system configuration.
Once logged in, the default login password can (and should) be changed with the password command.
To change the enable password, use the enable password command. The command changes the password for the highest privilege level. If local command authorization is configured, the privileged passwords for each privilege level from 0 to 15 can be set.
Note: To restore the password to the default setting, use the no form of the command. The passwords are saved in the configuration in encrypted form.
Note: When accessing the Catalyst 6500 Series FWSM using Telnet, the default password is cisco.
Command: Description
telnet source_IP_address mask source_interface
telnet timeout minutes: (Optional) Sets the Telnet session idle time before the FWSM disconnects the session. The value can be between 1 and 1440 minutes, with the default being 5 minutes.
This example permits a host on the inside interface with an address of 192.168.1.2 to access the Catalyst 6500 Series FWSM, and allows Telnet to be idle for a maximum of 30 minutes.
fwsm(config)# telnet 192.168.1.2 255.255.255.255 inside
fwsm(config)# telnet timeout 30
SSH Remote Access
fwsm(config)# ssh timeout 5
Note: Only the admin context can have up to 15 SSH sessions concurrently.
Note: If two or more concurrent SSH sessions are opened and one of the sessions is at the More prompt, the other sessions may hang until the More prompt is dismissed. To disable the More prompt and avoid this situation, enter the pager lines 0 command.
Configuring SSH Access
To configure SSH access to the Catalyst 6500 Series FWSM, use the commands in the order specified in the table.
Step: Action: Notes (only partially recoverable)
1.
write memory
4.
5. ssh version {1 | 2}: (Optional) Restricts the version of SSH. The FWSM accepts both versions (SSHv1 and SSHv2).
...before the FWSM disconnects the session. The value can be between 1 and 60 minutes, the default being 5 minutes.
Command: Description
Verifies the SSH with debugging
* Support for SSL must be enabled
* Pop-up blockers must be disabled
fwsm(config)#
* Allows HTTPS through an interface from source IP addresses and enables HTTPS
Cisco ASDM Prerequisites
The workstation used for Cisco ASDM access must meet these prerequisites:
* It has to be installed with supported Java versions 1.4.2 and 5.0 (also known as 1.5).
* It must be equipped with a web browser:
The FWSM uses the commands listed in the table.
Command: Description
http source_IP_address mask source_interface: ...accepts connections.
This example shows the configuration with which HTTPS is allowed from the 10.0.4.0/24 network coming from the inside segment.
http 10.0.4.0 255.255.255.0 inside
http server enable
VPN-Based Remote Access
Step: Action: Notes (IKE policy configuration, only partially recoverable)
...encryption algorithm. Multiple IKE policies can exist. The priority is a value between 1 and 65,534, with 1 being the highest priority.
2. {1 | 2}: ...exchange. Group 1 is 768 bits, while Group 2 is 1024 bits and thus more secure.
3. {md5 | sha}
4. Sets the IKE authentication method as a shared key. Alternatively, certificates can be used instead of a shared key by specifying the rsa-sig option. Consult the FWSM documentation for more information about this method.
esp-sha-hmac {esp-aes-256 | esp-aes-192 | esp-aes | esp-des | esp-3des}: ...transform set.
Step: Action: Notes (client VPN configuration, only partially recoverable)
3. Specifies the interface at which the client tunnels terminate.
4. FWSM host fwsm_interface address ...addresses mask
6.
7.
Step: Action: Notes (site-to-site VPN configuration, only partially recoverable)
3. Identifies the traffic allowed to go over the tunnel.
4. Assigns the access control list (ACL) to the tunnel. acl_name
5.
6. [transform-set2] (...)
7. Specifies the interface where the tunnel terminates.
8. Identifies the IP addresses and interfaces from which the FWSM accepts connections.
9.
ICMP on FWSM
* ICMP for management purposes
fwsm(config)#
[Figure: outside network 10.0.0.0/24 and inside network 10.0.0.0/24 on either side of the FWSM]
management-only
[Figure: outside and inside interfaces, with a dedicated management interface]
interface vlan 10
management-only
...default behavior for the Bridge-Group Virtual Interface (BVI) interface).
Configuring AAA Services
Understanding AAA
* AAA services:
  Authentication: Who are you?
  Authorization: What are you allowed to do?
  Accounting: What did you do?
* Discrete per context
* AAA database:
  Local
  Server-based: RADIUS, TACACS+
[Figure: outside network 10.0.0.0/24, FWSM, AAA server]
AAA Services Description
Authentication controls the access by validating user credentials, typically a username and password. The Catalyst 6500 Series FWSM can authenticate all administrative connections to
If command authorization is turned on, the TFTP server commands are checked by the AAA server for authorization, which could result in delays in case many ACLs are configured.
Accounting is used to track traffic passing through the Catalyst 6500 Series FWSM, thus enabling user activity to be recorded. Accounting of the traffic can be done per user, if authentication is used. Otherwise, traffic is accounted per IP address. Accounting information includes session start and stop time, username, number of bytes passed for the session, the service used, and the duration of each session.
Note: In multiple context mode you cannot configure any AAA commands in the system configuration. However, if you configure Telnet authentication in the admin context, then authentication also applies to sessions from the switch to the Catalyst 6500 Series FWSM.
fwsm(config)#
aaa accounting enable (privilege level) server-group
Authentication
Authorization
Parameter: Description
show | clear | configure: (Optional) These keywords allow you to set the privilege only for
mode {enable | configure}: (Optional) If a command can be entered in unprivileged or privileged mode, as well as in configuration mode, and the
command command
Accounting
An accounting request is generated when a user logs into and logs out of the Catalyst 6500 Series FWSM through Telnet, SSH, or HTTP.
Command accounting is supported for management sessions. If command accounting is enabled, commands entered by the user are sent to the AAA server as accounting requests. Only TACACS+ is supported.
Troubleshooting AAA Services
When troubleshooting AAA services, the debug commands listed in the table can be used.
Command: Description
debug pix uauth
debug radius
debug tacacs: Displays TACACS+ debug information.
[Figure: FWSM with the inside network 10.0.0.0/24]
In the example, AAA services are used to authenticate the SSH, ASDM, and privileged EXEC mode access using the local database.
[Figure: HTTP to a web server on the outside network 198.133.219.0/24; AAA server and user host on the inside network 10.0.0.0/24; steps 2 and 3 of the authentication exchange]
Authentication
Users can be prompted to authenticate themselves to the Catalyst 6500 Series FWSM before gaining access to network resources. For FTP, HTTP, and Telnet traffic that requires user authentication, the FWSM first authenticates the user and then passes the traffic to the requested destination. Other protocols can be configured to require user authentication that must first be performed via FTP, HTTP, or Telnet to the FWSM. This can be done by accessing a network resource through a connection that requires authentication or by connecting to a virtual server configured on the FWSM that provides authentication.
Authorization
Note: Details on configuring the TACACS+ and RADIUS servers for connection authorization can be found in the FWSM Configuration Guide.
Accounting
Troubleshooting AAA Services
When troubleshooting AAA services, the debug commands listed in the table can be used.
Command: Description
show uauth: Displays one or all currently authenticated users (except for management sessions), the host IP to which they are bound, and any cached IP and port authorization information.
show np: Displays information about the network processors.
[Figure: web server on the outside network 198.133.219.0/24; AAA server on the inside network 10.0.0.0/24 behind the FWSM]
The aaa-server command is used to identify the AAA servers being used for authentication, while the aaa authentication match command identifies the source and destination addresses of traffic that needs to be authenticated.
Identify the AAA servers first by creating the server group, using the aaa-server command.
aaa-server server_group protocol {kerberos | ldap | nt | radius | sdi | tacacs+}
aaa-server Parameters
Parameter: Description
server_group
aaa-server host Parameters
Parameter: Description
server_group: Specifies the name of the AAA server group as defined by the aaa-server command. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.
(interface_name)
server_ip
key: (Optional) A case-sensitive, alphanumeric keyword of up to 127 characters. Spaces are not permitted in the key, but other special characters are permitted. The key is used between the FWSM and the server for encrypting data between them.
timeout seconds: (Optional) Specifies the timeout interval for the request. This is
Following this command, the FWSM takes you to host mode, where you configure additional host mode parameters, such as the accounting port and authentication port to be used.
The sample network shown in the figure has one TACACS+ server.
Summary
This topic summarizes the key points that were discussed in this lesson.
* The Cisco Catalyst 6500 Series FWSM does not have a physical console port.
* SSH provides secure remote terminal access.
* The ASDM GUI uses HTTPS to access the Catalyst 6500 Series FWSM.
* VPN-based access can be used to encrypt the management traffic.
* ICMP to and from the Catalyst 6500 Series FWSM has to be explicitly enabled.
* An interface can be dedicated for management access only.
* Access methods can be combined with AAA services.
* AAA can be used to authenticate users accessing servers through the FWSM.
* AAA can use a local database or an external RADIUS or TACACS+ server.
Lesson 3
Implementing ACLs
Overview
Objectives
Upon completing this lesson, you will be able to describe and configure ACLs on the Cisco Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:
* Describe the Layer 2 filtering options on the Catalyst 6500 Series FWSM
* Describe the steps required to configure MAC address table manipulation
* Describe the steps used to configure and verify ACL configuration and operation
[Figure: Layer 2 attacks across a transparent FWSM: MAC A, MAC D, ARP; outside network 10.0.0.0/24 and inside network 10.0.0.0/24]
...Protocol Data Units (BPDUs), and poisoning ARP are some of the examples.
To protect and guard against such attacks, Layer 2 filtering is used. Layer 2 filtering is performed upon Layer 2 information, such as MAC address, protocol type, or MAC to IP mapping.
[Figure: transparent FWSM between the outside network 10.0.0.0/24 and the inside network 10.0.0.0/24; hosts with MAC addresses 0050.56c0.0001, 0009.7cbe.2100 and 0016.76db.c084. Commands shown: mac-address-table, mac-learn outside]
Command: Description
mac-address-table aging-time timeout_value: The default is 5 minutes and can be set between 5 and 720 (12 hours) minutes.
mac-learn interface_name disable: Disables the dynamic learning of the MAC addresses of entering traffic. If disabled, static entries must be configured, otherwise the FWSM does not allow traffic to pass through.
* Controls ARP packet flow
* Compares MAC/IP and source interface to the static entry
* Permits or denies the packet
[Figure: ARP request inspected by the FWSM; hosts with MAC addresses 0009.7cbe.2100 and 0016.76db.c084; inside network 10.0.0.0/24 and outside network 10.0.0.0/24]
Configuring ARP Inspection
The commands listed in the table are used for ARP inspection.
Command: Description
arp: Adds a static ARP entry.
arp-inspection: ...interfaces, as opposed to no-flood, which results in those packets being dropped.
To verify and examine the ARP inspection operation, use the show arp-inspection command. The output of this command for the example in the figure shows that ARP inspection is enabled for the outside interface, and non-matching ARP packets are flooded out all interfaces.
fwsm# show arp-inspection
interface   arp-inspection   miss
outside     enabled          flood
inside      disabled
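The ARP inspection decision described above, as an added Python example that is not part of the course material. Static entries model the arp command, the per-interface state models arp-inspection with its flood or no-flood miss action; the sample MAC and IP addresses are constructed, and the treatment of partial matches (drop) is an assumption noted in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not part of the course material: a model of the ARP
# inspection decision of a transparent-mode FWSM. Static entries correspond
# to "arp <interface> <ip> <mac>"; inspection state and the miss action
# correspond to "arp-inspection <interface> enable [flood | no-flood]".
# Addresses used with this model are constructed sample values.


@dataclass(frozen=True)
class ArpPacket:
    ingress: str      # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str   # Cisco dotted form, e.g. 0016.76db.c084


class ArpInspector:
    def __init__(self) -> None:
        self.by_ip: Dict[str, Tuple[str, str]] = {}    # ip  -> (interface, mac)
        self.by_mac: Dict[str, Tuple[str, str]] = {}   # mac -> (interface, ip)
        self.enabled: Dict[str, bool] = {}
        self.miss: Dict[str, str] = {}                 # interface -> flood | no-flood

    def arp(self, interface: str, ip: str, mac: str) -> None:
        """Static ARP entry: the only (interface, MAC) allowed to claim this IP."""
        mac = mac.lower()
        self.by_ip[ip] = (interface, mac)
        self.by_mac[mac] = (interface, ip)

    def arp_inspection(self, interface: str, enable: bool, miss: str = "flood") -> None:
        if miss not in ("flood", "no-flood"):
            raise ValueError("miss action must be flood or no-flood")
        self.enabled[interface] = enable
        self.miss[interface] = miss

    def decide(self, pkt: ArpPacket) -> str:
        """Return forward, flood or drop for one ARP packet."""
        if not self.enabled.get(pkt.ingress, False):
            return "forward"                      # inspection is off: no check
        mac = pkt.sender_mac.lower()
        entry = self.by_ip.get(pkt.sender_ip)
        if entry is None and mac not in self.by_mac:
            # No static entry mentions this IP or MAC: the miss action decides.
            return "flood" if self.miss[pkt.ingress] == "flood" else "drop"
        if entry == (pkt.ingress, mac):
            return "forward"                      # IP, MAC and interface all match
        # A static entry exists but the MAC, IP or interface differs: treat it
        # as spoofing and drop (assumption: any partial match is dropped).
        return "drop"

    def show_arp_inspection(self, interfaces: List[str]) -> List[Tuple[str, str, str]]:
        """Rows shaped like the show arp-inspection output: interface, state, miss."""
        return [(name,
                 "enabled" if self.enabled.get(name, False) else "disabled",
                 self.miss.get(name, "flood"))
                for name in interfaces]
```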
Ethertype ACL
* Controls non-IP and ARP Layer 2 traffic per ethertype
* Connectionless, so it must be applied to both interfaces
[Figure: BPDU and ARP (0x0806) frames crossing the transparent FWSM between the inside network 10.0.0.0/24 and the outside network 10.0.0.0/24]
Note: If you use failover, you must allow BPDUs on both interfaces with an ethertype ACL to avoid bridging loops.
Step 1: Configure the ethertype ACL.
Step 2: ...0x600. Refer to the Assigned Numbers section of RFC 1700 (http://tools.ietf.org/html/rfc1700) for a list of ethertypes.
denied 0 (deny-flow-max 4096)
alert-interval
access-list ETHER; 2 elements
Configuring ACLs
Standard ACL
* Identifies traffic per destination address only
* Cannot be applied to interfaces for traffic control
* Used to control redistribution of OSPF routes
fwsm(config)#
Note: The ACL takes a mask parameter instead of wildcards as on Cisco IOS routers.
Extended ACL

* Identify traffic with an entry per protocol, source and destination IP address, source and destination port, and ICMP type
* Connection-oriented
* First match, top to bottom order of processing
* Implicit deny

fwsm(config)#
access-list access_list_name [line line_number] [extended] ...

An added ACE for a given ACL name is appended at the end of the ACL, unless it is specified with the line number.

Extended ACLs are connection oriented; therefore, they do not need to be applied on both incoming and outgoing interfaces.

ACL Processing

The ACL is processed until the first match, from top to bottom. When the Catalyst 6500 Series FWSM is inspecting an ACL to decide whether to drop or forward a packet, the packet is tested against the ACEs in the order in which they are listed. When an ACE matches a packet, the Catalyst 6500 Series FWSM ceases to test the ACEs. Therefore, the order of ACEs in an ACL is relevant.

ACLs have an implicit deny at the end of the list. Therefore, unless traffic is explicitly permitted, it is dropped.
ACL Configuration

To define and configure an extended ACL, use the access-list extended and access-group commands.

The access-list extended command adds an ACE to an ACL.

  Parameter              Description
  line line_number       Line number at which the ACE is inserted; without it the ACE is appended at the end of the ACL.
  protocol               Protocol of the traffic (TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Enhanced Interior Gateway Routing Protocol (EIGRP), Generic Route Encapsulation (GRE), OSPF, etc.).
  source_address mask    Specify source IP network or address and mask.
  dest_address mask      Specify destination IP network or address and mask.
  operator               Specifies the operator used to compare the port number (greater than (gt), less than (lt), equal (eq), not equal (neq), or range).
  port                   Port number compared with the operator.
  icmp_type              ICMP type matched by the ACE.
  inactive               Disables the ACE.
Manipulating ACLs

[Figures: ACL examples on the topology Inside Network 10.0.0.0/24, DMZ 192.168.1.0/24 with the Web/Mail Server 192.168.1.100, and Outside 198.133.219.0/24 toward the Internet. The slides show access-list corp entries, then SMTP, WWW and ICMP traffic from the Internet to the DMZ server permitted by access-list public.]

access-list public line 5 extended permit tcp any host 198.133.219.25 eq www
access-list public line 10 extended permit tcp any host 198.133.219.25 eq smtp
access-list public line 15 extended permit icmp any any
access-group public in interface outside
fwsm(config)#
time-range name

fwsm(config-time-range)#
periodic days-of-the-week time to [days-of-the-week] time
absolute start time date [end time date]

fwsm(config)#
access-list access_list_name [extended] {deny | permit} ... [time-range name]

  Command                                     Description
  time-range name                             Creates the named time range and enters time-range configuration mode.
  periodic days-of-the-week time to ...       Specifies the recurring time range per weekday (Monday through Sunday, daily, weekdays, weekend) and time of the day.
  absolute start time date [end time date]    Specifies an absolute start and end time.
  access-list ... time-range name             Applies the configured time range when an ACE is created. The specified time-range option on the ACL describes the allowed access time.

Note: If a time-range command has both absolute and periodic values specified, the periodic option is evaluated only after the absolute start time is reached and is not evaluated any further after the absolute end time is reached.
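The ACL processing rules (first match from top to bottom, implicit deny at the end, per-ACE hit counters) and the time-range and inactive options above are worked through in the model below. This is an added example, not FWSM code: the ACL is patterned on the corp list shown on these pages, the weekdays time range follows the periodic weekdays 8:00 to 17:00 example, and all packets and timestamps are constructed.

```python
"""Model of extended-ACL processing: first match top to bottom, implicit
deny at the end, per-ACE hit counters, time-range and inactive options.
Added example, not FWSM code; the ACL, time range, packets and timestamps
are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class TimeRange:
    """periodic <days> <start> to <end>; days are weekday numbers, Monday=0."""
    days: frozenset
    start: Tuple[int, int]
    end: Tuple[int, int]

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= (now.hour, now.minute) <= self.end


# time-range weekdays / periodic weekdays 8:00 to 17:00
WEEKDAYS = TimeRange(frozenset(range(5)), (8, 0), (17, 0))

# Constructed timestamps: a Wednesday and a Saturday, both at 10:30.
SAMPLE_WEEKDAY = datetime(2008, 6, 4, 10, 30)
SAMPLE_WEEKEND = datetime(2008, 6, 7, 10, 30)


def _net(spec: str) -> ipaddress.IPv4Network:
    """'any', a host address or a CIDR network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp", "icmp" or "ip" (any)
    src: str                            # "any", host or CIDR
    dst: str
    dport: Optional[int] = None         # None means any port (only eq is modelled)
    time_range: Optional[TimeRange] = None
    inactive: bool = False
    hitcnt: int = 0

    def matches(self, pkt: Packet, now: datetime) -> bool:
        if self.inactive:
            return False                # an inactive ACE is skipped entirely
        if self.time_range is not None and not self.time_range.active(now):
            return False                # outside the allowed access time
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in _net(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in _net(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet, now: datetime) -> Tuple[str, Optional[int]]:
    """Return (action, line) of the first matching ACE, or ('deny', None) when
    the implicit deny at the end of the list applies. Only an explicit ACE has
    a hit counter, which is incremented on match."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(pkt, now):
            ace.hitcnt += 1
            return ace.action, line
    return "deny", None


def build_corp_acl() -> List[Ace]:
    """Constructed ACL patterned on the show access-list output on this page."""
    return [
        Ace("deny", "tcp", "any", "any", 194),                        # eq irc
        Ace("permit", "tcp", "any", "192.168.1.100/32", 25),          # smtp to the mail server only
        Ace("deny", "tcp", "any", "any", 25),                         # smtp to anything else
        Ace("permit", "tcp", "any", "any", 80, time_range=WEEKDAYS),  # www, weekdays 8:00-17:00 only
        Ace("permit", "icmp", "any", "any"),
    ]
```

Reordering lines 2 and 3 would silently block mail to the server, and a web packet on Saturday falls all the way through to the implicit deny, which is why the implicit deny generates no hit count and no log message by default.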
ACL Logging

By default the Catalyst 6500 Series FWSM generates the system log message 106023 for each packet denied by an extended ACE, except for the implicit deny at the end.

%XXX-106023: Deny protocol src ...

access-list access_list_name [extended] {deny | permit} ... [log [[level] [interval secs] | disable | default]] [time-range name]

The table describes the logging parameters of the access-list command.

  Parameter       Description
  level           Syslog severity level of the generated messages.
  interval secs   Specifies the time interval between successive log messages, from 1 to 600 with 300 being the default.
  disable         Disables all logging.
  default         Returns to the default logging using message 106023.

Note: When using the time-range and logging options in the same ACE, the log keyword should be configured before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last parameter.
[Figure: time-range example on the DMZ topology (Web/Mail Server 192.168.1.100 in DMZ 192.168.1.0/24, Outside 198.133.219.0/24 toward the Internet, Inside Network 10.0.0.0/24).]

time-range weekdays
 periodic weekdays 8:00 to 17:00
access-list outside_in extended permit tcp any any eq www time-range weekdays
Verifying

fwsm# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list corp; 5 elements
access-list corp line 1 extended deny tcp any any eq irc (hitcnt=234) 0xcf6d73f1
access-list corp line 2 extended permit tcp any host 192.168.1.100 eq smtp (hitcnt=150) 0x::dal4;b
access-list corp line 3 extended deny tcp any any eq smtp (hitcnt=0) 0x90:9*05.
access-list corp line 4 extended permit tcp any any (hitcnt=34671) 0x48314491
access-list corp line 5 extended permit icmp any any (hitcnt=31) 0x:4cbn$46
Troubleshoot the ACLs

  Command    Description
  ...        Shows detailed information if an error occurs when an ACL is updated.

fwsm/admin(config)# ...
Hash Output: 0x5a423697
add acl style rule in tree
Source IP = 0.0.0.0, Source Mask = 0.0.0.0, Dest IP = 0.0.0.0, Dest Mask = 0.0.0.0
Source Port 1 = 0x0, Source Port 2 = 0x0, Source Port Operand = 0
Dest Port 1 = 0x35, Dest Port 2 = 0x0, Dest Port Operand = 3
ACL Number = 2, Protocol = 0x6, Permission = 1
ACL: alloc counter: TreeId=0, Rule Type=10, Start Index=2054, End Index=12686
Allocating Counter Index: 0x80b
FW ID Mask = 0xfff
Source Interface Mask = 0xfff
Source IP Value = 0x0, Source IP Mask = 0xffffffff
Dest IP Value = 0x0, Dest IP Mask = 0xffffffff
Source Port 1 = 0x0, Source Port 2 = 0xffff
Dest Port 1 = 0x35, Dest Port 2 = 0x35
Acl Number Value = 0x2, Acl Number Mask = 0xffff
Protocol Value = 0x6, Protocol Mask = 0xff
CLS Flag Value = 0x8, CLS Flag Mask = 0x8
CLS Flag1 Value = 0x3, CLS Flag1 Mask = 0x3
CLS Counter Index = 0x80b, CLS Priority = 128849031
Signalled CLS Download Thread
add acl style rule in tree: ACL Rule Added
New flag equal to old one
old = 0x0, new = 0x0
Compilation NOT forced by 'updateRuleFlags'
Fixing ACE Index - Old=1, New=1
Fixing Rule Priority - Old=128849031, New=128849032
ACE line number changed from 1 to 1
Rules Download Complete: Memory Utilization: 1%
Catalyst 6500 Series FWSM ACL Operation

* Committed to NP after adding entry

[Figure: show resource rule and show resource usage output after an entry is committed to the NP: per-partition rule counts with Total, Peak and Limit (65535) columns, and denied counts per context (bridge, system).]

Using an object group reduces the number of ACEs in the configuration, but maintains the same number in the expanded ACEs, which counts towards the system limit.

... limitation results in all 100 ACEs being rejected.

The default limit for the number of ACEs is 74,188 for single context and 10,633 per context in multiple context mode.

To check the default resource allocation, use the show resource rule command. To check the current resource utilization, use the show resource usage command.
Comparing the ACL Types

  Purpose                                                 ACL type
  IP traffic network access control (routed and           Extended
  transparent)
  IP traffic network access control per user              Extended (dynamic ACL downloaded per user from the
                                                          AAA/RADIUS server, or usage of a preconfigured ACL)
  Identify addresses for NAT                              Extended
  Modular policy traffic identification per traffic       Extended
  class map
  Non-IP traffic network access control (transparent)     Ethertype (based on the ethertype)
  Identify OSPF route redistribution                      Standard
Summary

This topic summarizes the key points that were discussed in this lesson.

* Layer 2 filtering is used to prevent MAC- and ARP-related attacks.
* Layer 2 filtering can be used in transparent mode only.
* ACLs are used to identify traffic per different parameters.
* A time range can be applied to ACLs to control the activation.
* The Cisco Catalyst 6500 Series FWSM processes ACLs in hardware.
Lesson 4

Objectives

FWSM Virtualization Overview

This topic identifies the virtualization of the Catalyst 6500 Series FWSM with contexts.

Licensed feature (default two contexts):
* Policies and management
* IP address space (can be reused between contexts)
* Operational mode (routed or transparent)
* Set of VLAN interfaces
* Resource usage

... classes (gold, silver, and bronze) per context for different data center segments.

Each individual security context has its own security policies, interfaces, and administrators. Each context has a separate configuration file that contains most of the definition statements found in a standalone Catalyst 6500 Series FWSM configuration file. This configuration file controls the policies for the individual context, including items such as IP addressing, Network Address Translation (NAT) and Port Address Translation (PAT) definitions, authentication, authorization, and accounting (AAA) definitions, traffic control access control lists (ACLs), and interface security levels.

Note: Interfaces can be dedicated to a single context or shared among many contexts.

Note: Keep in mind that certain features, like Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) routing, are not supported in multiple context mode.
[Figures: virtualized FWSM deployment examples. A campus network with Web Servers, Application Servers and Database Servers, each tier protected by its own security context; a second variant adds ISP B and Extranet contexts.]
IP Packet Classifier

* A single interface is shared among contexts.
* Packet classification determines the correct context.

[Figure: the classifier uses the source VLAN and the destination IP to assign a packet from the campus network to the Web Servers, Application Servers or Database Servers context.]
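The two classification keys in the figure (source VLAN, then destination IP) are enough to write the classifier down. The model below is an added example and not FWSM code: a packet goes to the context that uniquely owns its source VLAN; when the VLAN is shared, the destination IP is compared with the addresses each sharing context claims on that VLAN (its static translations or global addresses), and a packet no context claims is dropped. The contexts, VLAN numbers and addresses are constructed.

```python
"""Model of the IP packet classifier for shared interfaces. Added example,
not FWSM code; contexts, VLANs and claimed addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import ipaddress


@dataclass
class Context:
    name: str
    vlans: Set[int]
    # VLAN -> destination networks/hosts this context answers for on that VLAN
    # (static translations or global addresses). Constructed sample data.
    claims: Dict[int, Set[str]] = field(default_factory=dict)


def classify(contexts: List[Context], vlan: int, dst_ip: str) -> Optional[str]:
    """Return the name of the context that receives the packet, or None when
    the classifier cannot place it and the packet is dropped."""
    owners = [c for c in contexts if vlan in c.vlans]
    if not owners:
        return None                  # VLAN not allocated to any context
    if len(owners) == 1:
        return owners[0].name        # unique interface: no address lookup needed
    dst = ipaddress.ip_address(dst_ip)
    matches = [c for c in owners
               if any(dst in ipaddress.ip_network(a, strict=False)
                      for a in c.claims.get(vlan, ()))]
    if len(matches) == 1:
        return matches[0].name
    return None                      # unknown or ambiguous destination: dropped


def sample_contexts() -> List[Context]:
    """Constructed deployment: three server-tier contexts; web and app share
    the outside VLAN 100, db has only its own VLAN."""
    return [
        Context("web", {10, 100}, {100: {"198.133.219.25"}}),
        Context("app", {20, 100}, {100: {"198.133.219.26"}}),
        Context("db", {30}),
    ]
```

The consequence for design is the one the lesson draws: a context reachable only through a shared interface must have a distinct destination address configured, or inbound packets for it are silently dropped by the classifier.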
[Figure: contexts admin, internal1 and internal2, each with Outside, Inside and DMZ interfaces.]

fwsm(config)# show context
Context Name   Class     Interfaces        Mode          URL
*admin         default   Vlan10            Routed        disk:/admin.cfg
 internal1     default   Vlan105,Vlan50    Routed        disk:/int1.cfg
 internal2     default   Vlan106,Vlan51    Transparent   disk:/int2.cfg
  Feature                              Single mode    Multiple mode
  Security contexts                    N/A
  Filtering servers                    16             4 per context
  Syslog servers                       16             4 per context
  VLAN interfaces (routed mode)        256            256 per context; 1000 divided between all contexts
  VLAN interfaces (transparent mode)   8 (4 pairs)    8 (4 pairs)

The table details the feature limits for the Catalyst 6500 Series FWSM in both single and multiple context mode.

The most important features are:
* 256 interfaces (VLANs) per security context
* Maximum 1000 interfaces per FWSM physical module
Single vs. Multiple Context Mode: Resource Limitations

  Feature                                                        Single mode    Multiple mode
  MAC addresses (transparent mode)                               65,535         65,535 divided among all contexts
  Hosts connecting through FWSM concurrently                     262,144        262,144 divided among all contexts
  Inspection engine connections per second                       10,000         10,000 divided among all contexts
  IPsec management connections concurrently                                     5 per context; 10 divided among all contexts
  ASDM management sessions concurrently                                         5 per context
  NAT translations                                               266,144
  SSH management sessions concurrently                                          5 per context; 100 divided among all contexts
  System messages to FWSM terminal or buffer per second          30,000         30,000 divided among all contexts
  System messages to syslog server per second                    25,000
  TCP or UDP connections between any two hosts concurrently      999,900        999,900 divided among all contexts
  New TCP or UDP connections between any two hosts per second    100,000

Because PAT requires a separate translation for each connection, the effective limit of connections using PAT is the translation limit of 256,000, not the higher connection limit. To reach the connection limit, you need to use NAT, which allows multiple connections using the same translation session.
Configuring FWSM Contexts

This topic describes Catalyst 6500 Series FWSM context creation.

[Figure: the System Execution Space (root context) is entered from the switch with the session slot command; from there you switch to another context or back to the system space. The Admin Context provides remote root access; Security Contexts are managed through SSH, Telnet, IPsec and HTTPS.]
Admin Context

The admin context is just like any other context, except that when a user logs into the admin context it has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, and not remotely. The interfaces allocated to the admin context are used by the Catalyst 6500 Series FWSM for any traffic created by the FWSM, such as syslog messages. The admin context can also be used to provide remote access for management of the entire FWSM.

If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as the disk:/admin.cfg file. This context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context.

Accessing Contexts

Use the session command to connect from the Cisco Catalyst 6500 Series Switch IOS Software to the system execution space of the Catalyst 6500 Series FWSM.

Users who log in to the system execution space or who log in to the admin context remotely can use the changeto command to access any context within the Catalyst 6500 Series FWSM.

Individual contexts can also be accessed with the standard management methods of Secure
Note: The ASDM does not support changing modes, so you need to change modes using the command-line interface (CLI).

Note: The mode multiple command sets mode information that endures through reboots; however, this mode information is not stored in the system configuration file in flash memory.
System Configuration

Configuration statements include:
* mode multiple
* admin-context name
* Failover configuration
* Resource allocation
* Admin context name

fwsm(config)#
admin-context name

mode multiple
admin-context admin
context admin
 allocate-interface Vlan100
 config-url disk:/admin.cfg
context a
 allocate-interface Vlan...
 config-url disk:/ctx1.cfg

System Execution Space

The system.cfg file stores configuration statements that affect the Catalyst 6500 Series FWSM as a whole.

Failover functions are not virtualized and, therefore, failover configuration statements are contained in system.cfg.

The system space has control over all contexts:
* Creates the admin context first
* Creates security contexts
* Assigns interfaces to contexts

Thus the system.cfg file also has configuration statements that define the individual contexts, and allocates resources to them.

Up to 250 VLANs are assigned to a context; physical interfaces are controlled by the Multilayer Switch Feature Card (MSFC).

Admin Context

You can set any context to be the admin context, as long as the configuration file is stored in the internal flash memory.

A few system commands identify an interface name that belongs to the admin context. If you
Creating Contexts

To create an individual context:
* Name the context
* Allocate interfaces
* Specify the configlet URL

fwsm(config)#
context name                     Creates the context.
allocate-interface vlannumber

context admin
 allocate-interface Vlan10
 config-url disk:/admin.cfg

System Execution Space

The config-url command is used to specify the location in which the configuration file of the context is stored.

Note: The context is not active until the config-url command is issued.

Caution: If the configuration file specified in the config-url command already exists, then all allocate-interface commands should be issued prior to issuing the config-url command.
Verifying Contexts

From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL by using the show context command.

  Parameter   Description
  detail      (Optional) Displays context details.
  name        (Optional) Displays information about the specified context.
  admin       (Optional) Displays the administrator context.
  count       (Optional) Displays the number of contexts configured.

fwsm# show context detail
Context "admin" is ADMIN and active
...
Context "bridge" is active
...
Context "null" is a system resource
  Config URL: ... null
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000809, ...
Context "system" is a system resource
  Config URL: flash:config
  Real Interfaces:
  Mapped Interfaces: EOBC0, GigabitEthernet0, GigabitEthernet1, Vlan90,
                     Vlan91, Vlan92, Vlan93
  Class: default, Flags: 0x00000819, ...

Step 2   FWSM/name# configure terminal
         FWSM/name(config)# clear configure all
         Change to the system execution space.
Step 3   ...
Step 4   ...
Class Hierarchy

[Figure: resource classes and their member contexts. Executive Class: Context CEO. Servers Class: Context datacenter. Limited Class: Context visitors and a testing context.]
* Limits are applied to specific resources within a class (integer or percentage; 0 means no limit)
* Resources can be oversubscribed: a class assigns a maximum of 10 percent of resources but 50 contexts are mapped to it

fwsm# show resource types
  Conns      Connections
  Hosts      Hosts
  IPSec      IPSec mgmt tunnels
  ASDM       ASDM sessions
  SSH        SSH sessions
  Conns      Conns CPS
  Xlates     XLATE objects
  Fixups     Fixups/sec
  Syslogs    Syslog/sec
Configuring Resource Management

fwsm(config)#
class name

class executives
 limit-resource all 10%
context executives
 allocate-interface Vlan101-Vlan10...
 config-url disk:/executives.cfg
 member executives
context regular-guys
 ...
 config-url disk:/regular-guys.cfg

To set the limits for the default class, enter default for the name.

The limit-resource command is then used to define the individual resource limitations. The number is an integer greater than or equal to 1. Zero (0, without a percent sign) sets the resources to the system limit. You can assign more than 100 percent if you want to oversubscribe the device.

A resource name can be mac-addresses, conns, fixups, hosts, ipsec, asdm, or ssh, etc.
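The limit-resource arithmetic described above (an absolute count, a percentage of the system limit, or 0 meaning the system limit; all covering every resource unless a specific one is set; and oversubscription when member contexts together are promised more than exists) is worked through below. This is an added example and not FWSM code: the system limits are constructed from the figures quoted in the tables on this page, and the executives class with 50 member contexts reproduces the 10 percent oversubscription case from the slide.

```python
"""Added example of limit-resource arithmetic and class oversubscription.
Not FWSM code; system limits and classes are constructed sample values."""
from typing import Dict, Optional, Union

Limit = Union[int, str]

# Constructed multiple-context system limits, taken from the tables above.
SYSTEM_LIMITS: Dict[str, int] = {
    "conns": 999_900,
    "hosts": 262_144,
    "ssh": 100,
    "ipsec": 10,
}


def resolve_limit(spec: Limit, system_limit: int) -> int:
    """Turn one limit-resource value into a number of units."""
    if isinstance(spec, str) and spec.endswith("%"):
        return system_limit * int(spec[:-1]) // 100   # percentage of the system limit
    if int(spec) == 0:
        return system_limit                            # 0 without a percent sign
    return int(spec)


def class_limits(cls: Dict[str, Limit], system_limits: Dict[str, int]) -> Dict[str, int]:
    """Per-resource allowance of one class; 'all' applies wherever no
    resource-specific limit is configured."""
    return {r: resolve_limit(cls.get(r, cls.get("all", 0)), lim)
            for r, lim in system_limits.items()}


def oversubscription(classes: Dict[str, Dict[str, Limit]],
                     memberships: Dict[str, Optional[str]],
                     system_limits: Dict[str, int] = SYSTEM_LIMITS) -> Dict[str, float]:
    """memberships maps a context name to its class (None = default class).
    Returns, per resource, the total promised to all contexts divided by the
    system limit; a value above 1.0 means the device is oversubscribed."""
    promised = dict.fromkeys(system_limits, 0)
    for cls_name in memberships.values():
        cls = classes[cls_name or "default"]
        for r, units in class_limits(cls, system_limits).items():
            promised[r] += units
    return {r: promised[r] / system_limits[r] for r in system_limits}


def sample_classes() -> Dict[str, Dict[str, Limit]]:
    """Constructed: the default class (system limit for everything) and an
    executives class limited to 10 percent of every resource, with SSH
    sessions overridden to an absolute 5."""
    return {"default": {"all": 0},
            "executives": {"all": "10%", "ssh": 5}}
```

Note that even the default class oversubscribes: two contexts with limit-resource all 0 are each allowed the full system limit, so the ratio is 2.0, which is the behaviour the slide summarizes as "0 means no limit".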
Configuring Memory Partitions

fwsm(config)#
resource acl-partition number_of_partitions

fwsm(config-ctx)#
allocate-acl-partition partition_number

context test
 config-url ftp://user1:password@10.1.1.1/configlets/test.cfg
 member gold
 allocate-acl-partition 0

Note: Rules are used up on a first-come, first-served basis, so one context might use more rules than another context.

... Traffic loss can occur because both units are down at the same time.

You can assign an individual context to a particular memory partition with the allocate-acl-partition command under the context configuration mode.

Note: If you assign a context to a partition, the partition numbering starts with 0. So if you have 12 partitions, the partition numbers are 0 through 11.
Summary

This topic summarizes the key points that were discussed in this lesson.

* Virtual firewalls are implemented with multiple security contexts.
* Contexts are created within the system configuration and defined in individual configuration files.
* Resource management controls the Cisco Catalyst 6500 Series FWSM resources allocated to each security context.
Lesson 5

... dynamic routing, and route health injection (RHI).

Objectives

Upon completing this lesson, you will be able to deploy routing on a Catalyst 6500 Series

Understanding Routes

Where to forward the traffic?
* Through which interface?
* What is the IP address of the next hop?

[Figure: FWSM with outside interface e0 on 192.168.1.0/24 toward the Internet and inside interface e1 on 10.0.1.0/24; the networks 10.0.2.0/24 and 10.0.3.0/24 sit behind the inside router 10.0.1.2. Routing table: 10.0.1.0/24 e1; 10.0.2.0/24 e1 10.0.1.2; 10.0.3.0/24 e1 10.0.1.2; 192.168.1.0/24 e0; 0.0.0.0/0 e0 192.168.1.1.]

... the routing table and translation table (when Network Address Translation (NAT) is not disabled):

* If the destination or static IP translation already exists, the egress interface is the one in the translation table, not the routing table. The routing table is then consulted for the IP address of the next hop.
* If the destination or static IP translation does not exist, the IP routing table is consulted for the next hop IP address and egress interface.
Configuring Routes

fwsm(config)#
route if_name dest_ip mask gateway_ip [distance]

[Figure: the same topology; routes are configured for 10.0.2.0/24 and 10.0.3.0/24 via 10.0.1.2 on e1, and a default route 0.0.0.0/0 via 192.168.1.1 on e0.]

route Parameters

  Parameter    Description
  if_name      Interface through which the destination network is reached.
  dest_ip      Destination network address.
  mask         Network mask of the destination network.
  gateway_ip   IP address of the next hop.
  distance     (Optional) Hop count to be associated with the route. If multiple routes to a particular destination exist, the route with the lower metric is preferred. The default metric is 1. FWSM supports up to three equal-cost routes to the same destination per interface for load balancing. Equal-cost multipath (ECMP) load sharing is not supported.

Default Route

A route configured with a dest_ip and mask of 0.0.0.0 is called a default route. Packets that are not covered by any other route are handled by the default route.
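The egress decision described in this topic (an existing translation decides the egress interface; the routing table, searched longest prefix first with 0.0.0.0/0 as the last resort, supplies the next hop) is modelled below. This is an added example, not FWSM code: the routing table is built with the route command's parameters from the figure's topology, and the translation entries are constructed.

```python
"""Added example of the FWSM egress decision: translation table first for the
interface, routing table (longest prefix, default route last) for the next
hop. Not FWSM code; routes and translations are constructed."""
from typing import Dict, List, Optional, Tuple
import ipaddress

CONNECTED = ipaddress.ip_address("0.0.0.0")   # gateway marker for a directly connected network


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[tuple] = []   # (network, if_name, gateway, distance)

    def add(self, if_name: str, dest_ip: str, mask: str, gateway_ip: str, distance: int = 1) -> None:
        """route if_name dest_ip mask gateway_ip [distance]; dest_ip and mask
        of 0.0.0.0 give the default route."""
        net = ipaddress.ip_network(f"{dest_ip}/{mask}", strict=False)
        self.routes.append((net, if_name, ipaddress.ip_address(gateway_ip), distance))

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Return (egress interface, next hop) for dst, or None when no route,
        not even a default route, covers it."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, if_name, gw, dist in self.routes:
            if addr in net:
                key = (net.prefixlen, -dist)        # longer prefix wins, then lower distance
                if best is None or key > best[0]:
                    best = (key, if_name, gw)
        if best is None:
            return None
        _, if_name, gw = best
        return if_name, (dst if gw == CONNECTED else str(gw))


def egress(rt: RoutingTable, xlates: Dict[str, str], dst: str) -> Optional[Tuple[str, str]]:
    """xlates maps a translated destination IP to the interface on which the
    translation exists. The translation decides the egress interface; the
    routing table is still consulted for the next hop."""
    route = rt.lookup(dst)
    if dst in xlates:
        return xlates[dst], (route[1] if route else dst)
    return route


def figure_table() -> RoutingTable:
    """Constructed from the figure: outside e0 on 192.168.1.0/24, inside e1 on
    10.0.1.0/24 with 10.0.2.0/24 and 10.0.3.0/24 behind the router 10.0.1.2."""
    rt = RoutingTable()
    rt.add("e0", "192.168.1.0", "255.255.255.0", "0.0.0.0")
    rt.add("e1", "10.0.1.0", "255.255.255.0", "0.0.0.0")
    rt.add("e1", "10.0.2.0", "255.255.255.0", "10.0.1.2")
    rt.add("e1", "10.0.3.0", "255.255.255.0", "10.0.1.2")
    rt.add("e0", "0.0.0.0", "0.0.0.0", "192.168.1.1")   # default route
    return rt
```

The default route is the /0 entry, so it only wins when nothing longer matches; a destination inside 10.0.3.0/24 therefore leaves through e1 toward 10.0.1.2 even though the default route also covers it.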
[Figure: RIP and OSPF on the same topology (Internet, outside 192.168.1.0/24, inside 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24).]
OSPF Routing Protocol

* Supported OSPF features include:
  - Metric is transmission cost
  - OSPF authentication
  - Two OSPF processes
  - Areas: Virtual links
  - Redistribution of static, connected routes, and between processes
* Not supported in the multiple context mode

A Catalyst 6500 Series FWSM can be configured with the OSPF routing protocol to dynamically learn and advertise the routes. ... (LSAs) kept in the link-state database (LSDB). The Catalyst 6500 Series FWSM maintains a full LSDB.

Most of the OSPF features supported on a Cisco router are supported on the Catalyst 6500 Series FWSM as well.

OSPF Limitations

Two OSPF processes can be run on a different set of interfaces.

Note: OSPF is not supported in the multiple context mode.

Note: Further information about OSPF is available in the Catalyst 6500 Series FWSM documentation.
Enabling OSPF

fwsm(config)#
router ospf process-id

fwsm(config-router)#
network ip_address mask area area_id

[Figure: OSPF enabled on the inside networks 10.0.1.0/24 and 10.0.3.0/24 and the outside 192.168.1.0/24.]

router ospf 2
 network 10.0.0.0 255.0.0.0 area 0

  Parameter    Description
  process-id   Identifier of the OSPF routing process.
  ip_address   Any interface with an address in the range defined by this and the mask parameter is used by the OSPF routing process.
  mask         Any interface with an address in the range defined by the ip_address and this parameter is used by the OSPF routing process.
  area_id      OSPF area to which the matched interfaces belong.

Note: Further information about OSPF is available in the Catalyst 6500 Series FWSM documentation.
RIP Routing Protocol

* Features of RIP support include:
  - Metric is hop count
  - Each router contains a next hop database
  - Version 1 (default) and version 2
  - Cleartext and MD5 authentication for RIPv2
* RIP operation modes:
  - Passive RIP
  - Default route updates
* Not supported in the multiple context mode

The Catalyst 6500 Series FWSM supports both RIP version 1 (RIPv1) and version 2 (RIPv2), the first one being the default.
Enabling RIP

fwsm(config)#
rip if_name {default | passive} [version {1 | 2 [authentication {text | md5} key key_id]}]

[Figure: RIP on the inside interface 10.0.3.0/24 and the outside interface 192.168.1.0/24.]

  Parameter                    Description
  if_name                      Interface on which RIP is enabled.
  default                      Advertises the default route in RIP updates.
  passive                      Listens to RIP updates without advertising routes (passive RIP).
  version 1 | 2                (Optional) The version of the RIP protocol: RIPv1 or RIPv2. If not specified, RIPv1 is used.
  authentication text | md5    Cleartext or MD5 authentication for RIPv2 (MD5 is recommended).
  key                          Authentication key.
  key_id                       Key identification value; valid values range from 1 to 255.

Note: Further information about RIP commands is available in the Catalyst 6500 Series FWSM documentation.
BGP Stub Routing

* Features of BGP support include advertisement of static and directly connected routes to neighbors
* Limitations:
  - iBGP only
  - No redistribution
* Supported in the multiple context mode
* Requires a license

The BGP stub routing process is used only to advertise the configured static and directly connected routes to BGP neighbors.

A license is required to deploy BGP stub routing.

BGP Limitations

BGP stub routing is limited to one process, one BGP neighbor, and only internal BGP (iBGP), even if deployed in multiple context mode.

Note: Further information about BGP is available in the Catalyst 6500 Series FWSM documentation.
Enabling BGP

fwsm(config)#
router bgp as-number
* Configures the BGP stub routing process

fwsm(config-router)#
neighbor ip-address remote-as as-number

fwsm(config-router)#
network ip-address mask mask

[Figure: FWSM outside interface on 192.168.1.0/24 peering with an iBGP neighbor.]

BGP stub routing is enabled by configuring routing processes with the router bgp command:

router bgp as-number

  Parameter    Description
  as-number    The autonomous system (AS) number that identifies the FWSM to other BGP routers and has to be the same as on the neighboring device, since only iBGP is supported.

neighbor ip-address remote-as as-number

  Parameter    Description
  ip-address   IP address of the BGP neighbor.
  as-number    AS number of the neighbor (the same AS, since only iBGP is supported).
Optional BGP Commands

BGP on the Catalyst 6500 Series FWSM also supports the commands listed in the table.

  Command                                         Description
  bgp router-id id                                Defines a BGP router ID.
  neighbor ip-address password [mode] password    ... the neighbor.

Note: To verify and troubleshoot BGP operation, the same set of commands is used as on Cisco IOS routers.

Note: Further information about BGP commands is available in the Catalyst 6500 Series FWSM documentation.
[Figure: Cisco Catalyst 6500 Series Switch with FWSM. Route health injection (RHI) injects routes directly into the MSFC: static routes and NAT pool information, per context (per-context RHI). The outside VLAN 30 carries the directly connected routes 10.10.30.1, 10.10.30.2 and 10.10.40.2.]

Asymmetric Routing

* Different interface: packet reinjected into the system
* Failover/Stateful must be enabled
* Supported in the multiple context mode

Such deployments are common when two interfaces on a single Catalyst 6500 Series FWSM, or two Catalyst 6500 Series FWSMs in a failover pair, are connected to different service providers and the outbound connection does not use a NAT address.
Enabling Asymmetric Routing

fwsm(config-if)#
asr-group number

interface Vlan1
 description INSIDE
 asr-group 1
interface Vlan2
 description OUTSIDE
 asr-group ...

[Figure: two FWSMs (FWSM 1 and FWSM 2) with inside interfaces Inside Cty A and Inside Cty B sharing an asymmetric routing group.]

  Parameter   Description
  number      Asymmetric routing group number. The command has to be entered for each interface that will participate in the asymmetric routing group.

Note: In the example, stateful failover is deployed for asymmetric routing to work properly.
Summary

This topic summarizes the key points that were discussed in this lesson.

* IP routing is needed in routed mode to forward packets between interfaces.
* Static routes provide the minimum CPU overhead.
* OSPF and RIP are not supported in multiple context mode.
* BGP stub routing announces only static and connected routes.
Lesson6I
Objectives
Failover O verview
Thistopicexplainsthe failoverfunctionality on the Catalyst6500 ScricsFW SM .
Figure: active and standby FWSMs between the campus (outside network) and the inside network.
Note: The two units in a failover configuration must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from version 3.1(1) to version 3.1(2) and have failover remain active.
Active-Standby Failover
The Catalyst 6500 Series FWSM provides high availability firewall services through an active-standby redundancy model. The standby Catalyst 6500 Series FWSM monitors the health of the active FWSM and takes over providing firewall services if it detects a failure of the active FWSM.
Each of the two Catalyst 6500 Series FWSMs in a redundant pair must be configured with access to the same collection of networks.
Active-standby failover is available on units running in either single or multiple context mode.
Note: Both failover configurations support stateful or stateless (regular) failover.
Figure: the failover link between the active and standby FWSMs (campus, outside network, inside network).
Information exchanged over the failover link:
* The unit state (active or standby)
* Hello messages (keepalives)
* Network link status
* MAC address exchange
* Configuration replication and synchronization
Caution: All information sent over the failover and stateful failover links is sent in clear text, unless you secure the communication with a failover key.
Catalyst 6500 Series FWSM State Link
* Dedicated failover link (VLAN)
* Used to determine the operating status of each unit
* Multiple context mode: resides in the system execution space
Figure: the state link alongside the failover link between the active and standby FWSMs (campus, outside network, inside network).
Note: The IP address and MAC address for the state link do not change at failover.
Figure: active-active failover. Each unit is active for one failover group and standby for the other (one unit shown as active for failover group 2 and standby for failover group 1).
* No special license is necessary for failover.
Note: The failure of a failover group on a unit does not mean that the unit has failed; another failover group might still be passing traffic through that unit.
Intra-chassis Redundancy
Figure: intra-chassis redundancy, with the active and standby FWSMs in the same Cisco Catalyst 6500 Series Switch (campus, outside network, inside network).
Figure: redundancy across two chassis, with the active FWSM in Cisco Catalyst 6500 Series Switch 1 and the standby FWSM in Cisco Catalyst 6500 Series Switch 2.
Failover Operation
This topic describes the failover operation.
Figure: failover operation between the active and standby FWSMs over the failover link (campus, outside network, inside network).
Partial Switch Failure
Figure: partial failure of Cisco Catalyst 6500 Series Switch 1 (active FWSM), with Cisco Catalyst 6500 Series Switch 2 (standby FWSM) taking over (campus, outside network, inside network).
Figure: failover diagram showing the Internet, the outside network, the active and standby FWSMs (standby in Cisco Catalyst 6500 Series Switch 2), and the inside network.
Interface Monitoring
Figure: interface monitoring, with the standby FWSM in Cisco Catalyst 6500 Series Switch 1 and the active FWSM in Cisco Catalyst 6500 Series Switch 2 (Internet, outside network, inside network).
Note: An interface can be marked as failed (auto state down) when there are no longer any physical ports belonging to a VLAN that is configured on the switch for the Catalyst 6500 Series FWSM.
Configuring Failover
This topic describes the steps required to configure failover.
Configuration Overview
* The primary module is active if both modules are booted simultaneously.
* The primary MAC address is used if possible.
* The configuration is synchronized from the active module to the standby module:
  - copy running-config startup-config
  - write standby
  - failover suspend-config-sync
Figure: primary module (active) and secondary module (standby) (diagram).
The active module sends the configuration in running memory to the standby module. On the standby module, the configuration exists only in running memory. You can optionally save the configuration to flash memory, so that when you reboot the standby module while the active module is unavailable, the standby module can become the active module. To save the configuration to flash memory after replication, use the copy running-config startup-config command on the active module. In multiple context mode, this command should be used in the system execution space, as well as within each context whose configuration is stored in flash.
When the standby module completes its initial startup, it clears its running configuration, except for the failover commands that must be pre-configured and are not replicated, and the active module sends its entire configuration to the standby module. As commands are entered on the active module, they are sent across the failover link to the standby module.
The write standby command can be used on the active module to cause the standby module to clear its running configuration, after which the active module replicates the entire configuration. Entering the write standby command in the system execution space causes all contexts to be replicated.
Configuring the Primary FWSM (Active/Standby)

Step 1: failover lan interface if_name vlan vlan
Designates the failover interface. The example uses VLAN 100 for the failover interface. This VLAN should not be used for any other purpose except, optionally, the state link, or be assigned to any switch ports. This VLAN does need to be assigned to the FWSM by the switch, and this interface does not need an access control list (ACL), as failover traffic is allowed automatically and other traffic is denied.

Step 2: failover interface ip failover_interface ip_address mask standby ip_address
Assigns the active and standby IP addresses of the failover interface.

Step 3: failover link if_name vlan vlan
Designates the state link (VLAN).

Step 4: failover interface ip state_interface ip_address mask standby ip_address
Assigns the active and standby IP addresses of the state link.

Step 5: failover replication http
(Optional) Directs the active FWSM to replicate state information for HTTP connections. Without this statement, HTTP connections are disconnected in case of a failover. HTTP connections are brief and frequent, and the state information, although updated constantly, might not include the latest HTTP states at failover. For this reason, you might want to disable HTTP replication to reduce the amount of traffic on the state link.

Step 6: failover
Enables failover operations.

Configuring the Secondary FWSM (Active/Standby)

Step 1: failover lan interface if_name vlan vlan
Designates the failover interface, using the same VLAN as on the primary FWSM.

Step 2: failover interface ip failover_interface ip_address mask standby ip_address
Assigns the active and standby IP addresses of the failover interface.

Step 3: failover lan unit secondary
Designates this FWSM as the secondary FWSM.

Step 4: failover
Enables failover operations.

Configuring the Primary FWSM (Active/Active)

Step 1: failover lan unit primary
Designates this FWSM as the primary FWSM.

Step 2: failover lan interface if_name vlan vlan
Designates the failover interface (same considerations as in the active/standby procedure).

Step 3: failover interface ip failover_interface ip_address mask standby ip_address
Assigns the active and standby IP addresses of the failover interface.

Step 4: failover link if_name vlan vlan
Designates the state link (VLAN).

Step 5: failover interface ip state_interface ip_address mask standby ip_address
Assigns the active and standby IP addresses of the state link.

Step 6:
failover group 1
 primary
 exit
failover group 2
 secondary
 exit
Gives this unit the active role for failover group 1 and the standby role for failover group 2.

Step 7: join-failover-group {1 | 2}
Entered in each context to assign the context to one of the two failover groups.

Step 8: failover
Enables failover.

monitor-interface if_name
Enables monitoring on an interface.

Configuring the Secondary FWSM (Active/Active)

Step 1: failover lan interface if_name vlan vlan
Designates the failover interface. The example uses VLAN 100 for the failover interface. This VLAN should not be used for any other purpose except, optionally, the state link, or be assigned to any switch ports. This VLAN does need to be assigned to the FWSM by the switch, and this interface does not need an ACL, as failover traffic is allowed automatically and other traffic is denied.

Step 2: failover interface ip failover_interface ip_address mask standby ip_address
Assigns the active and standby IP addresses of the failover interface.

Step 3: failover lan unit secondary
Designates this FWSM as the secondary FWSM.

Step 4: failover
Enables failover operations.
Figure: interface monitoring example, with the standby FWSM in Cisco Catalyst 6500 Series Switch 1 and the active FWSM in Cisco Catalyst 6500 Series Switch 2 (Internet, outside network, inside network):

failover interface-policy 2
monitor-interface inside
monitor-interface outside
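The procedures above leave several things to the operator: the failover key (without it, everything on the failover and state links crosses the VLAN in clear text, as the earlier caution says), keeping the failover and state VLANs off the data interfaces, HTTP replication, and interface monitoring. The following Python script is an added example, not part of the course material, that audits an FWSM system-execution-space configuration for exactly those points. The command names are the FWSM's; the check list and the wording of each finding are this example's own. Both configurations, the interface names fover and state, the VLAN numbers, the addresses and the key are constructed for the example.

```python
import re
from typing import List

# Constructed FWSM system-execution-space configurations written for this
# example (not from the course). VLAN 20 carries the failover link and VLAN 21
# the state link, as in the show failover output discussed in this lesson.
# The weak variant has no failover key and wrongly reuses VLAN 20 as a data
# interface; the hardened variant fixes both and adds HTTP replication and
# interface monitoring. Addresses and the key are placeholders.
WEAK_CONFIG = """\
interface Vlan10
 description INSIDE
interface Vlan20
 description reused for data (misconfiguration)
failover lan unit primary
failover lan interface fover vlan 20
failover interface ip fover 10.1.20.1 255.255.255.0 standby 10.1.20.2
failover link state vlan 21
failover interface ip state 10.1.21.1 255.255.255.0 standby 10.1.21.2
failover
"""

HARDENED_CONFIG = """\
interface Vlan10
 description INSIDE
failover lan unit primary
failover lan interface fover vlan 20
failover interface ip fover 10.1.20.1 255.255.255.0 standby 10.1.20.2
failover link state vlan 21
failover interface ip state 10.1.21.1 255.255.255.0 standby 10.1.21.2
failover key ExampleSharedSecretChangeMe
failover replication http
failover interface-policy 2
monitor-interface inside
failover
"""

LINK_RE = re.compile(r"^failover (lan interface|link) (\S+) vlan (\d+)$")
IP_RE = re.compile(r"^failover interface ip (\S+) ")
DATA_IF_RE = re.compile(r"^interface Vlan(\d+)$")


def audit_failover_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings: List[str] = []

    if "failover" not in [ln.strip() for ln in lines]:
        findings.append("failover is not enabled (no bare 'failover' command)")

    if not any(ln.startswith("failover key ") for ln in lines):
        findings.append("no 'failover key': failover and state-link traffic is sent in clear text")

    # Map each failover/state link name to (kind, VLAN) and check it has IP addressing.
    links = {}
    for ln in lines:
        m = LINK_RE.match(ln)
        if m:
            links[m.group(2)] = (m.group(1), int(m.group(3)))
    if not any(kind == "lan interface" for kind, _ in links.values()):
        findings.append("no 'failover lan interface': the failover link is undefined")
    addressed = {m.group(1) for m in map(IP_RE.match, lines) if m}
    for name in links:
        if name not in addressed:
            findings.append(f"link '{name}' has no 'failover interface ip' addressing")

    # The failover and state VLANs must not double as data interfaces.
    data_vlans = {int(m.group(1)) for m in map(DATA_IF_RE.match, lines) if m}
    for name, (kind, vlan) in links.items():
        if vlan in data_vlans:
            findings.append(f"VLAN {vlan} ({name}, {kind}) is also configured as a data interface")

    # A state link without HTTP replication drops every HTTP session on failover.
    if any(kind == "link" for kind, _ in links.values()) and not any(
        ln.startswith("failover replication http") for ln in lines
    ):
        findings.append("state link defined but no 'failover replication http': HTTP connections are lost on failover")

    if not any(ln.startswith("monitor-interface ") for ln in lines):
        findings.append("no 'monitor-interface': no data interface is explicitly health-monitored")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_failover_config(cfg) or 'OK'}")
```

Run it against a running configuration pulled from the system execution space; a clean result only says that these particular checks pass, it does not confirm that the two units run the same major and minor software version, which has to be verified on the units themselves.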
show np {1 | 2} global-table
* Examines the MAC addresses of the failover and logical update interfaces (does not toggle on failover)
To examine the status of the failover operation and configuration, use the commands listed in the table.

Command: show failover
Description: Displays the failover status and configuration.

Command: show np {1 | 2} fogrp-table {0-2}
Description: Displays the fogrp-table information.

Command: show np {1 | 2} vlan {2-4096}
Description: Displays the VLAN information.

Command: show np {1 | 2} global-table
Description: Displays the global table information.
fwsm(config)# debug fover fail
fwsm(config)# debug fover ifc
* Examines the network interface status trace
To troubleshoot the failover operation and configuration, use the commands listed in the table.

Command: debug fover switch
Description: Displays failover switching status.

Command: debug fover fail
Description: Displays failover internal exceptions.

Command: debug fover rx and debug fover tx
Description: Displays failover message receive and message transmit.

Command: debug fover ifc
Description: Displays the network interface status trace.
The show failover command is used to display the failover configuration of the Catalyst 6500 Series FWSM.
The output shown indicates these conditions:
* Failover is enabled.
* This Catalyst 6500 Series FWSM is the default primary FWSM in the redundant pair.
* The failover interface is using VLAN 20.
* This Catalyst 6500 Series FWSM is currently in standby mode because a failover has occurred; the other Catalyst 6500 Series FWSM is in active mode.
show failover (Cont.)

Stateful Failover Logical Update Statistics
        Link : state Vlan 21
        Stateful Obj    xmit       xerr       rcv
        General         339        0          331
        sys cmd         331        0          331
        up time         0          0          0
        RPC services    0          0          0
        xlate           0          0          0
        TCP conn        0          0          0
        UDP conn        0          0          0
        ARP tbl         8          0          0
        RIP Tbl         0          0          0
        L2BRIDGE Tbl    0          0          0
        Xlate Timeout   0          0          0
        TCP NPs         4          0          37
        UDP NPs         0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       334
        Xmit Q:         0       1       341

This panel displays the remainder of the output from the show failover command.
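As an added example (not from the course), the following Python parser reads the stateful section of show failover in the layout reconstructed above and compares two snapshots: while the state link is up the sys cmd counters keep advancing in both directions, any growth in xerr is an error on the link, and a non-zero Xmit Q backlog means updates are not draining. The sample output is constructed from the counter layout above rather than captured from a module, the advance() helper stands in for taking a later sample, and the conditions flagged are this example's own choices.

```python
import copy
import re
from typing import Dict, List

# Constructed excerpt of 'show failover' for this example. It follows the
# counter layout shown above (state link on VLAN 21) but was not captured
# from a live FWSM.
SAMPLE_OUTPUT = """\
Stateful Failover Logical Update Statistics
        Link : state Vlan 21
        Stateful Obj    xmit       xerr       rcv
        General         339        0          331
        sys cmd         331        0          331
        up time         0          0          0
        RPC services    0          0          0
        xlate           0          0          0
        TCP conn        0          0          0
        UDP conn        0          0          0
        ARP tbl         8          0          0
        RIP Tbl         0          0          0
        L2BRIDGE Tbl    0          0          0
        Xlate Timeout   0          0          0
        TCP NPs         4          0          37
        UDP NPs         0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       334
        Xmit Q:         0       1       341
"""

LINK_RE = re.compile(r"Link\s*:\s*(\S+)\s+Vlan\s+(\d+)")


def parse_stateful_stats(text: str) -> Dict:
    """Parse the stateful section into {'link': (name, vlan), 'objects': {...}, 'queues': {...}}."""
    result: Dict = {"link": None, "objects": {}, "queues": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINK_RE.search(line)
        if m:
            result["link"] = (m.group(1), int(m.group(2)))
            continue
        if line.startswith("Stateful Obj"):
            section = "objects"
            continue
        if line.startswith("Logical Update Queue"):
            section = "queues"
            continue
        parts = line.split()
        # Data rows end in three integers; the text before them is the row name.
        if section and len(parts) >= 4 and all(p.isdigit() for p in parts[-3:]):
            name = " ".join(parts[:-3]).rstrip(":")
            cols = ("xmit", "xerr", "rcv") if section == "objects" else ("cur", "max", "total")
            result[section][name] = dict(zip(cols, map(int, parts[-3:])))
    return result


def advance(snapshot: Dict, name: str, **increments: int) -> Dict:
    """Return a copy of a snapshot with one object's counters increased (simulates a later sample)."""
    later = copy.deepcopy(snapshot)
    for field, inc in increments.items():
        later["objects"][name][field] += inc
    return later


def state_link_findings(prev: Dict, curr: Dict) -> List[str]:
    """Compare two samples: error growth, a stalled heartbeat, or a transmit backlog are findings."""
    findings: List[str] = []
    for name, c in curr["objects"].items():
        before = prev["objects"].get(name, {}).get("xerr", 0)
        if c["xerr"] > before:
            findings.append(f"{name}: xerr rose from {before} to {c['xerr']}")
    # 'sys cmd' carries the heartbeat; both counters must keep moving while the link is up.
    for direction in ("xmit", "rcv"):
        before, after = prev["objects"]["sys cmd"][direction], curr["objects"]["sys cmd"][direction]
        if after <= before:
            findings.append(f"sys cmd {direction} did not advance ({before} -> {after}): state link may be stalled")
    for qname, q in curr["queues"].items():
        if q["cur"] > 0:
            findings.append(f"{qname} backlog: {q['cur']} update(s) pending")
    return findings


if __name__ == "__main__":
    first = parse_stateful_stats(SAMPLE_OUTPUT)
    print(first["link"], first["objects"]["General"])
    print("healthy:", state_link_findings(first, advance(first, "sys cmd", xmit=10, rcv=10)))
    print("stalled:", state_link_findings(first, first))
```

Polling the command twice a minute and feeding both outputs to state_link_findings() gives a cheap health check for the state link that does not depend on the failover debug commands.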
Summary
This topic summarizes the key points that were discussed in this lesson.
* Cisco Catalyst 6500 Series FWSM failover is provided by an active-standby pair of modules.
* Failover monitoring is used to cause a failover to the standby Catalyst 6500 Series FWSM in response to network events.
* Configuration statements in the system execution space are used to define the failover configuration.
Lesson 7

The Catalyst 6500 Series Firewall Services Module (FWSM) handles the packets where inspection beyond protocol headers is required.
Objectives
Upon completing this lesson, you will be able to understand and implement deep packet inspection on the Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:
* Describe deep packet inspection on the Catalyst 6500 Series FWSM
* Identify the commands used to configure and verify deep packet inspection
* Describe the URL filtering functionality
* Identify the commands to configure and verify the URL filtering functionality
... be specified in the access control lists (ACLs) governing traffic access through the Catalyst 6500 Series FWSM. Secondary data connections are opened to other ports that are not well known. Deep packet inspection is used to detect the protocol commands that specify the port numbers of these secondary connections, so that flow entries can be dynamically added to the stateful packet inspection tables. FTP is an example of this kind of application.
Application data payload modifications are necessary for applications that embed the IP addresses of either endpoint within the protocol packets that traverse a Catalyst 6500 Series FWSM that is performing Network Address Translation (NAT) or Port Address Translation (PAT). Data payload modifications are also used to provide security for some applications. For example:
* Cisco IP phones
* Cisco Communicator softphones
Inspection engines (the table is only partly legible):

Inspection Engine: ...
Description: ... misuse.

Inspection Engine: ESMTP Inspection Engine
Description: Provides support for the Extended SMTP (ESMTP) protocol and supports filtering potentially harmful commands.

Inspection Engine: Enhanced Internet Control Message Protocol (ICMP) Inspection Engine
Description: Provides state tracking of ICMP packets to enable secure usage of ping, traceroute, etc.

Inspection Engine: Sun Remote Procedure Call (SunRPC) Inspection Engine
Description: ...
* A policy map that links the class map (and thus the relevant traffic) to the inspection engine. Define a policy map with the policy-map command. Use the configured class by specifying it with the class command. Under the class, define which inspection engine is to be used with the inspect command. You can optionally append a previously defined map.
* A service policy that applies the policy map to one interface or to all interfaces. Apply the policy with the service-policy command.
* Optionally, define maps for various protocols (HTTP, FTP, etc.) to specify protocol- or application-related parameters to fine-tune an inspection engine.
FTP Inspection
Figure: FTP inspection between the inside network and the Internet (diagram).
Since the inspect command was configured under the global policy, it does not have to be specifically applied to the interface. Using the default inspection class does not require configuring a special inspection class.
HTTP Inspection

http-map inbound-http
 content-length min 100 max 2000 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 100 action reset log
 max-uri-length 100 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow
!
class-map http-port
 match port tcp eq www
!
policy-map outside-policy
 class http-port
  inspect http inbound-http
!
service-policy outside-policy interface outside

The configuration proceeds in four steps: the http-map (step 1), the class map (step 2), the policy map (step 3), and the service policy applied to the outside interface (step 4).
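To make the http-map semantics concrete, the following Python model evaluates one HTTP request/response pair against a policy with the same parameters and defaults as the http-map above (content-length, content-type-verification match-req-rsp, max-header-length request, max-uri-length, port-misuse) and returns the resulting action. It is an added example, not FWSM code: the magic-number table and the User-Agent signatures that stand in for the FWSM content-type and application signature databases are deliberately tiny assumptions, the sample exchanges are constructed, and the rule that reset outranks drop when several checks fire is this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Action severity used when several checks fire: reset outranks drop outranks allow (this example's rule).
SEVERITY = {"allow": 0, "drop": 1, "reset": 2}

# Toy stand-ins for the FWSM content-type and application signature databases (assumptions).
MAGIC = {"image/gif": b"GIF8", "image/png": b"\x89PNG", "text/html": b"<"}
MISUSE_SIGNATURES = {
    "p2p": re.compile(r"BitTorrent|Gnutella|Kazaa", re.I),
    "im": re.compile(r"MSN Messenger|Yahoo! Messenger|AIM/", re.I),
}


@dataclass
class HttpMap:
    """Parameters with the same meaning and defaults as the http-map inbound-http above."""
    content_length_min: int = 100
    content_length_max: int = 2000
    content_length_action: str = "reset"
    verify_content_type: bool = True          # content-type-verification match-req-rsp
    content_type_action: str = "reset"
    max_request_header_length: int = 100      # max-header-length request 100
    header_length_action: str = "reset"
    max_uri_length: int = 100
    uri_length_action: str = "reset"
    port_misuse: Dict[str, str] = field(default_factory=lambda: {"p2p": "drop", "im": "drop", "default": "allow"})


@dataclass
class HttpExchange:
    method: str
    uri: str
    request_headers: Dict[str, str]
    response_headers: Dict[str, str]
    response_body: bytes = b""


def sample_exchange(uri="/index.html", user_agent="Mozilla/5.0", accept="text/html",
                    content_type="text/html", content_length="512", body=b"<html></html>") -> HttpExchange:
    """Constructed request/response pair for the example; every value is made up."""
    return HttpExchange("GET", uri,
                        {"Host": "www.example.com", "Accept": accept, "User-Agent": user_agent},
                        {"Content-Type": content_type, "Content-Length": content_length}, body)


def accept_matches(accept: str, content_type: str) -> bool:
    """True when the response media type is covered by the request's Accept list (*/* and type/* allowed)."""
    ctype = content_type.split(";")[0].strip().lower()
    for item in accept.split(","):
        pattern = item.split(";")[0].strip().lower()
        if pattern in ("*/*", ctype) or (pattern.endswith("/*") and ctype.startswith(pattern[:-1])):
            return True
    return False


def classify_port_misuse(request_headers: Dict[str, str]) -> str:
    user_agent = request_headers.get("User-Agent", "")
    for app, signature in MISUSE_SIGNATURES.items():
        if signature.search(user_agent):
            return app
    return "default"


def evaluate(policy: HttpMap, ex: HttpExchange) -> Tuple[str, List[str]]:
    """Return (action, reasons) for one exchange; action is 'allow', 'drop' or 'reset'."""
    violations: List[Tuple[str, str]] = []
    if len(ex.uri) > policy.max_uri_length:
        violations.append((policy.uri_length_action, f"URI length {len(ex.uri)} > {policy.max_uri_length}"))
    header_bytes = sum(len(k) + len(v) + 4 for k, v in ex.request_headers.items())  # "k: v\r\n"
    if header_bytes > policy.max_request_header_length:
        violations.append((policy.header_length_action,
                           f"request headers {header_bytes} bytes > {policy.max_request_header_length}"))
    for side, headers in (("request", ex.request_headers), ("response", ex.response_headers)):
        if "Content-Length" in headers:
            length = int(headers["Content-Length"])
            if not policy.content_length_min <= length <= policy.content_length_max:
                violations.append((policy.content_length_action,
                                   f"{side} Content-Length {length} outside [{policy.content_length_min}, {policy.content_length_max}]"))
    if policy.verify_content_type:
        ctype = ex.response_headers.get("Content-Type", "")
        accept = ex.request_headers.get("Accept", "*/*")
        if not accept_matches(accept, ctype):
            violations.append((policy.content_type_action, f"response Content-Type {ctype!r} not acceptable to the request ({accept!r})"))
        magic = MAGIC.get(ctype.split(";")[0].strip().lower())
        if magic and not ex.response_body.startswith(magic):
            violations.append((policy.content_type_action, f"response body does not look like {ctype}"))
    app = classify_port_misuse(ex.request_headers)
    misuse_action = policy.port_misuse.get(app, policy.port_misuse["default"])
    if misuse_action != "allow":
        violations.append((misuse_action, f"port misuse: {app} traffic on the HTTP port"))
    if not violations:
        return "allow", []
    worst = max(violations, key=lambda v: SEVERITY[v[0]])[0]
    return worst, [reason for _, reason in violations]
```

The body check is what match-req-rsp buys over a header-only comparison: a response that declares image/gif but starts with HTML markup is reset even though its Content-Type was acceptable to the request.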
URL Filtering Overview
This topic explains the URL filtering functionality on the Catalyst 6500 Series FWSM.
URL Filtering
Figure: URL filtering flow between the user, the Catalyst 6500 Series FWSM, the filtering server, and the Internet:
1. The request is sent to the filtering server and to the destination.
2. An allowed request is returned to the user.
3. A denied request is dropped by the Catalyst 6500 Series FWSM.
Filtering can be applied to connection requests originating from a more secure network to a less secure network.
* Websense Enterprise: Supports HTTP, HTTP over Secure Sockets Layer (HTTPS), and FTP filtering
URL Filtering Operation
When a user issues an HTTP, HTTPS, or FTP GET request, the Catalyst 6500 Series FWSM sends the request to the web or FTP server and to the filtering server at the same time. If the filtering server permits the connection for the user, these actions occur for each request type:
* For HTTP, the Catalyst 6500 Series FWSM allows the reply from the web server to reach the user who issued the original request.
* For HTTPS, the Catalyst 6500 Series FWSM allows the completion of the Secure Sockets Layer (SSL) ...
If the filtering server denies the connection, these actions occur for each request type:
* ... code 550 ... not found ...
* For Secure Computing SmartFilter (formerly N2H2), if you enabled user authentication on the Catalyst 6500 Series FWSM for HTTP, HTTPS, or FTP, the FWSM also sends the username to the filtering server. The filtering server can then use user-specific filtering settings, or provide enhanced reporting per user. Websense supports filtering by IP address only.
Note: Filtering applies only to outbound connections.
Configuring URL Filtering
Figure: the Catalyst 6500 Series FWSM between the inside network and the Internet, with the filtering server at 10.0.10.45.

url-server parameters (Websense):
* if_name: The interface on which the filtering server is reached.
* host ip_address: The IP address of the filtering server.
* timeout seconds: The time the FWSM waits for a response before trying the next server in the list (if available). The default value is 30 seconds.
* protocol tcp [version {1 | 4}]: Specifies that communication between the FWSM and the Websense server uses TCP, which is the default protocol.
* protocol udp: Specifies that communication between the FWSM and the Websense server uses UDP.

url-server parameters (N2H2 / Secure Computing SmartFilter):
* if_name: The interface on which the filtering server is reached.
* host ip_address: The IP address of the filtering server.
* port number: Specifies the port used to communicate with the N2H2 server. The default is 4005 for TCP or UDP.
* timeout seconds: The time the FWSM waits for a response before trying the next server in the list (if available). The default value is 30 seconds.
* protocol tcp: Specifies that communication between the FWSM and the N2H2 server uses TCP, which is the default protocol.
* protocol udp: Specifies that communication between the FWSM and the N2H2 server uses UDP.
Enabling Buffering
By default, when a user issues a request to connect to a website or FTP server, the Catalyst 6500 Series FWSM sends the request to the web or FTP server, and to the filtering server at the same time. If the filtering server does not respond before the web or FTP server, the reply from the web or FTP server is dropped. To avoid dropping traffic, you can configure the Catalyst 6500 Series FWSM to buffer replies from web and FTP servers. When the filtering server eventually responds, the Catalyst 6500 Series FWSM can allow the connection.

Command: url-block block block_buffer_limit
Description: Configures the buffer that holds web and FTP server replies until the filtering server answers.

Enabling Caching

Command: url-cache {dst | src_dst} size kbytes
Description: Caches the filtering server's responses so that repeated requests do not wait for the server. dst caches entries by URL destination address; src_dst caches entries by both the requesting source address and the URL destination address; size kbytes is the cache size in kilobytes.
filter url [http | port[-port]] local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
filter url Parameters
* http | port[-port]: Specifies the port, or port range, to which the HTTP request is sent; the http keyword stands for port 80.
* local_ip local_mask: Specify the source address and mask for requests that are to be filtered. Specify 0 0 for all addresses.
* foreign_ip foreign_mask: Specify the destination address and mask for requests that are to be filtered. Specify 0 0 for all addresses.
* allow: Lets outbound connections pass without filtering when the filtering server is unavailable.
* proxy-block: Prevents users from connecting to an HTTP proxy server.
* longurl-truncate | longurl-deny: Specify the processing for URLs that are longer than the maximum the filtering server accepts: longurl-truncate sends only the hostname or IP address portion of the URL to the filtering server; longurl-deny denies the request.
* cgi-truncate: Configures the FWSM to truncate Common Gateway Interface (CGI) URLs to include only the CGI script location and the script name, but not the parameters.
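The following Python model, an added example that is not taken from the course, puts the filter url options together with the url-server timeout and allow behaviour described above: requests from the local network to the foreign network are sent to a filtering server, cgi-truncate strips CGI parameters, longurl-truncate sends only the host portion of an over-long URL (longurl-deny drops the request), proxy-block rejects requests addressed to a proxy (recognised here by an absolute-form request target), and allow decides what happens when the server does not answer within the timeout. The FakeFilterServer, the hostnames, the addresses and the MAX_URL_FOR_SERVER limit are constructed for the example; the real limit depends on the filtering server product and is not stated in this lesson.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Assumed longest URL the filtering server accepts; the real limit depends on
# the server product and is not stated in this lesson.
MAX_URL_FOR_SERVER = 1159


@dataclass
class FilterUrlRule:
    """One 'filter url' statement: local_ip/mask, foreign_ip/mask and its options."""
    local_net: ipaddress.IPv4Network
    foreign_net: ipaddress.IPv4Network
    allow_if_server_down: bool = False   # allow
    proxy_block: bool = False            # proxy-block
    long_url: str = "deny"               # "deny" (longurl-deny) or "truncate" (longurl-truncate)
    cgi_truncate: bool = False           # cgi-truncate


def make_rule(local_cidr: str, foreign_cidr: str, **options) -> FilterUrlRule:
    """Build a rule from CIDR strings, e.g. make_rule("10.0.0.0/8", "0.0.0.0/0", cgi_truncate=True)."""
    return FilterUrlRule(ipaddress.ip_network(local_cidr), ipaddress.ip_network(foreign_cidr), **options)


class FakeFilterServer:
    """Stand-in for a Websense/N2H2 server: answers 'allow' or 'deny', or None when it does not respond in time."""

    def __init__(self, blocked_hosts, available: bool = True):
        self.blocked = set(blocked_hosts)
        self.available = available
        self.queries: List[str] = []   # URLs the FWSM model actually sent to the server

    def lookup(self, url: str) -> Optional[str]:
        self.queries.append(url)
        if not self.available:
            return None
        return "deny" if urlsplit(url).hostname in self.blocked else "allow"


def prepare_url(rule: FilterUrlRule, url: str) -> Optional[str]:
    """Apply cgi-truncate and longurl handling; None means the request is denied outright."""
    if rule.cgi_truncate and "?" in url:
        url = url.split("?", 1)[0]          # keep script location and name, drop the parameters
    if len(url) > MAX_URL_FOR_SERVER:
        if rule.long_url == "truncate":
            parts = urlsplit(url)
            url = f"{parts.scheme}://{parts.netloc}/"   # only the host portion goes to the server
        else:
            return None
    return url


def filter_decision(rule: FilterUrlRule, src_ip: str, dst_ip: str, host: str,
                    request_target: str, lookup: Callable[[str], Optional[str]]) -> str:
    """Decide 'allow', 'deny' or 'not filtered' for one outbound HTTP request."""
    if (ipaddress.ip_address(src_ip) not in rule.local_net
            or ipaddress.ip_address(dst_ip) not in rule.foreign_net):
        return "not filtered"
    proxy_request = request_target.lower().startswith(("http://", "https://"))  # absolute-form target
    if proxy_request and rule.proxy_block:
        return "deny"
    url = request_target if proxy_request else f"http://{host}{request_target}"
    url = prepare_url(rule, url)
    if url is None:
        return "deny"
    verdict = lookup(url)
    if verdict is None:                      # server timed out: fail open only with 'allow'
        return "allow" if rule.allow_if_server_down else "deny"
    return verdict


if __name__ == "__main__":
    rule = make_rule("10.0.0.0/8", "0.0.0.0/0", proxy_block=True, long_url="truncate", cgi_truncate=True)
    server = FakeFilterServer({"blocked.example.net"})
    print(filter_decision(rule, "10.1.1.5", "203.0.113.10", "www.example.com", "/cgi-bin/search.cgi?q=1", server.lookup))
    print(server.queries[-1])
```

The allow keyword is the security-relevant switch: without it a filtering server outage fails closed and users lose web access, with it the outage silently disables filtering. Which failure mode is acceptable should be decided before the server goes down, not after.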
Summary
This topic summarizes the key points that were discussed in this lesson.
* Deep packet inspection examines and modifies the application data payload.
* Deep packet inspection fixes applications that NAT or PAT on the Cisco Catalyst 6500 Series FWSM would otherwise break.
* URL filtering is used in combination with an external server.
* Traffic to blacklisted URLs is denied by the Catalyst 6500 Series FWSM.

Module Summary
This topic summarizes the key points that were discussed in this module.
Module Self-Check

Q1) (Source: Implementing Traffic Flows)
A) 2
B) 4
C) 7
D) 8

Q4)
A) NAT exemption, static NAT and PAT, policy dynamic NAT, regular dynamic NAT
B) Policy dynamic NAT, regular dynamic NAT, static NAT and PAT, NAT exemption
C) NAT exemption, policy dynamic NAT, regular dynamic NAT, static NAT and PAT
D)

Q5) What feature prevents malicious users from impersonating hosts or routers? (Source: Implementing ACLs)
A) ARP inspection
B) Ethertype ACLs
C) Extended ACLs
D) NAT exemption

A) Deep packet inspection
B) Dynamic PAT
C) SYN cookies
D) URL filtering

A) Destination VLAN and destination IP address
B) Destination VLAN and source IP address
C) Source VLAN and destination IP address
D) Source VLAN and source IP address
Module 3

Module Objectives

Lesson 1

Introducing Cisco NAM

Overview

Objectives
Challenges:
Benefits:
* Ease deployment of new technologies
* Improve utilization of network resources
* Efficient planning for network growth
* Reduce network downtime and failures
* Gain facts to justify expenditures and ROI
* Proactive monitoring
Challenges
Network administrators and corporate executives understand that managing the network is important and vital to business operations. It is simply not enough to know if a device is down or the network is slow. You need to be proactive by monitoring the devices and the network and watching for trends or deviations from an established baseline.
Benefits
Cisco makes managing the network easy by providing visibility into the network and building intelligence into the devices.
Figure: where data is collected: campus, WAN, and data center (server farm).
* Collection purpose:
  - Bandwidth usage
  - Troubleshooting
  - Application response times
* Packet headers (DiffServ and Type of Service [ToS] bits)
* Network-Based Application Recognition (NBAR)
Port-level or interface statistics may be the first alarm when issues arise. These statistics are available most of the time by simply querying the router or switch. It may only be necessary to monitor these statistics at critical points in the network and not at all access points.
Collecting statistics at upper-layer protocols (network through application) would require the use of NetFlow or a Remote Monitoring version 2 (RMON2) probe or analyzer, such as Cisco NAM. NetFlow and Cisco NAM can provide visibility into what (applications, hosts, conversations) is using valuable WAN or LAN resources at the core or distribution layers and at the WAN edge or access layer.
To gather information about the traffic traversing the network, the packets need to be analyzed. Packets on an interface or NetFlow statistics can be copied, spanned, or forwarded from other devices or interfaces. The information in the packet headers can provide a wealth of information on how the network is being used. (How this occurs is discussed later in this lesson.)
But the traffic cannot be analyzed if it is not seen. Therefore, where you gather the data and why you are gathering the data should be a big part of Cisco NAM deployment planning.
The location where you gather the data depends on your collection purpose:
* Bandwidth usage
* Troubleshooting
* Valuable for LAN aggregation links (building-to-building, distribution-to-core, server farm-to-core)
* What collection intervals?
  - Shorter intervals for real-time monitoring and troubleshooting (5-30 seconds)
  - Longer intervals for historical trending (5-15 minutes)
Response Time
* Time elapsed between the end of a query on one end of a conversation pair and the beginning of a response from the other end of the pair
* Latency, a function of response time, is any characteristic of a network or system that increases the response time
Reliability
* A measurement of the consistency of performance of any network, system, or application, according to its specifications
Device or Interface Utilization
Network Utilization
* How the network is being used, including protocols and patterns
Measuring the health of a network is typically done with business performance metrics, such as the following:
* Response time: The elapsed time between the end of a query on one end of a conversation pair and the beginning of a response from the other end of the pair. Latency is any characteristic of a network or system that increases the response time.
* Reliability: A measurement of the consistency of any network, system, or application in performing according to its specifications.
* Utilization: The percentage of total bandwidth used for transporting data. Utilization is often monitored on an ongoing basis to evaluate usage of the network over time for capacity-planning purposes.
These metrics can be used to evaluate how well network, system, and application resources are performing and how these resources affect the delivery of network services, both for present analysis and future planning.
Figure: Cisco NAM monitoring functions across the campus, WAN edge, and data center: historical reporting (statistics over time); utilization (applications, conversations, protocols, top talkers, real-time traffic); fault isolation and troubleshooting (thresholds, alarms, packet decode); performance monitoring (response times, health, VoIP, QoS).
Interface Statistics
* Interfaces store performance statistics on the traffic received and sent:
  - Statistics over time
  - Can be obtained via SNMP
  - Can trigger an event when a threshold is reached
* Typical interface statistics include:
  - Utilization
  - Packets in and out
  - Bytes in and out
  - Multicast packets in and out
  - Errors
RMON provides more than just these interface statistics. It also provides these statistics and features:
* Host statistics: Byte and packet counts to and from a host (by MAC address at the data link layer, network address at the network layer, and network address at the application layer).
* Thresholds and alarms: RMON can set up thresholds to look for various conditions (for example, link utilization greater than 70 percent for 60 seconds) and inform a management station with an SNMP trap when the condition occurs.
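The threshold in the list above (link utilization greater than 70 percent for 60 seconds raising an SNMP trap) can be written out as an RMON-style alarm. The following Python class is an added example, not NAM or RMON agent code: it converts successive ifInOctets samples into utilization, survives the 32-bit counter wrap, raises a rising alarm only after the condition has held for the required time, and re-arms only after a falling threshold is crossed, so a link hovering around 70 percent does not flood the management station with traps. The link speed, interval, thresholds and counter series are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32_WRAP = 2 ** 32   # SNMP Counter32 rolls over at this value


@dataclass
class UtilizationAlarm:
    """RMON-style alarm on interface utilization computed from successive octet-counter samples."""
    link_bps: int
    interval_s: int = 10          # sampling interval
    rising_pct: float = 70.0      # rising threshold
    falling_pct: float = 50.0     # falling threshold (hysteresis)
    sustain_s: int = 60           # condition must hold this long before the rising alarm fires
    events: List[str] = field(default_factory=list)
    _last_octets: Optional[int] = field(default=None, init=False, repr=False)
    _over_for_s: int = field(default=0, init=False, repr=False)
    _armed: bool = field(default=True, init=False, repr=False)

    def utilization_pct(self, octets_now: int) -> Optional[float]:
        """Utilization over the last interval from the counter delta; None for the first sample."""
        if self._last_octets is None:
            self._last_octets = octets_now
            return None
        delta = (octets_now - self._last_octets) % COUNTER32_WRAP   # correct across a Counter32 wrap
        self._last_octets = octets_now
        return delta * 8 * 100.0 / (self.link_bps * self.interval_s)

    def sample(self, t_s: int, octets_now: int) -> Optional[str]:
        """Feed one sample; return the event text when an alarm (rising) or re-arm (falling) occurs."""
        util = self.utilization_pct(octets_now)
        if util is None:
            return None
        event = None
        if util > self.rising_pct:
            self._over_for_s += self.interval_s
            if self._armed and self._over_for_s >= self.sustain_s:
                self._armed = False    # one trap per episode, like an RMON rising alarm
                event = f"t={t_s}s rising alarm: utilization {util:.1f}% > {self.rising_pct}% for {self._over_for_s}s"
        else:
            self._over_for_s = 0
            if not self._armed and util < self.falling_pct:
                self._armed = True     # re-arm only after the falling threshold is crossed
                event = f"t={t_s}s falling event: utilization {util:.1f}% < {self.falling_pct}%, alarm re-armed"
        if event:
            self.events.append(event)
        return event


def make_samples() -> List[Tuple[int, int]]:
    """Constructed ifInOctets series for a 100 Mb/s link, 10 s apart, starting just below the
    Counter32 wrap: seven intervals at 80% utilization, then two at 8%."""
    counter = COUNTER32_WRAP - 50_000_000
    samples = [(0, counter)]
    for t in range(10, 80, 10):
        counter = (counter + 100_000_000) % COUNTER32_WRAP    # 100 MB per 10 s = 80 Mb/s
        samples.append((t, counter))
    for t in range(80, 100, 10):
        counter = (counter + 10_000_000) % COUNTER32_WRAP     # 8 Mb/s
        samples.append((t, counter))
    return samples


def run_alarm(alarm: UtilizationAlarm, samples: List[Tuple[int, int]]) -> List[str]:
    """Feed every sample and return the events raised (what would become SNMP traps)."""
    raised = []
    for t, octets in samples:
        event = alarm.sample(t, octets)
        if event:
            raised.append(event)
    return raised


if __name__ == "__main__":
    for line in run_alarm(UtilizationAlarm(link_bps=100_000_000), make_samples()):
        print(line)
```

The first sample never raises anything because a single counter value carries no rate; the delta modulo 2^32 is what keeps the series correct when the counter wraps between the first two samples.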
SNMP MIBs
* MIB: A managed object is described using a unique OID.
* MIB extensions: VLAN statistics, VoIP, SMON, and DSMON MIBs
Figure: MIB tree: MIB-II (system ID, description, interfaces, traffic counts, error counts), RMON I and II MIBs, vendor-specific Cisco MIBs, ART MIB.
RMON MIB Contents
* RMON I (statistics on Layers 1 and 2):
  - Traffic rates, errors, and packet size distribution
  - Short- and long-term history of statistics over time
  - Threshold conditions set on statistics
  - Event for reaching thresholds (alarms)
  - Hosts and conversations
  - Packet filters and captures
* RMON II (statistics on Layers 3 through 7)
RMON II offers extensions to the RMON I standard by providing statistics beyond the data link layer. Statistics are available on the network layer through the application layer. Basically, RMON II looks deeper into every packet it analyzes to detail which network layer addresses are consuming the most bandwidth, which network layer addresses are talking to each other, and which applications, identified by port numbers, are consuming bandwidth.
NetFlow Statistics
* NetFlow is used to analyze packets sent through a NetFlow-enabled device
* Inspects the packet and stores statistics per flow
* A flow is determined by the protocol and conversation information
* Statistics can be exported via NetFlow Data Export (NDE) to collectors
Figure: NetFlow engine on a NetFlow-enabled device (diagram).
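As an added example of what a collector receives from NDE, the following Python code builds a NetFlow v5 export datagram from constructed flow records, parses it back, keys each record into a conversation (protocol plus the two endpoints, so both directions of a TCP session fall into one conversation), ranks top talkers by bytes, and detects lost export datagrams from the flow_sequence field. The flow records and addresses are made up for this example; the v5 header and record layouts are the standard ones.

```python
import socket
import struct
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# NetFlow v5 header: version, count, sysuptime, unix secs, unix nsecs, flow_sequence, engine type, engine id, sampling
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record: src, dst, nexthop, in/out ifindex, packets, bytes, first, last, sport, dport,
# pad, tcp flags, protocol, tos, src/dst AS, src/dst mask, pad
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed flow records for this example (made-up addresses, not a capture).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 80, "proto": 6, "packets": 20, "bytes": 15000, "flags": 0x18},
    {"src": "203.0.113.10", "dst": "10.0.0.5", "sport": 80, "dport": 51000, "proto": 6, "packets": 30, "bytes": 40000, "flags": 0x18},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "sport": 53000, "dport": 53, "proto": 17, "packets": 1, "bytes": 80},
    {"src": "10.0.0.9", "dst": "198.51.100.20", "sport": 60000, "dport": 443, "proto": 6, "packets": 10, "bytes": 5000, "flags": 0x02},
]


def build_v5_packet(flows: List[Dict], seq: int = 0, uptime_ms: int = 1000, unix_secs: int = 1_700_000_000) -> bytes:
    """Serialize flows as one NetFlow v5 export datagram (what a router's NDE sends to a collector)."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0",
                       1, 2, f["packets"], f["bytes"], 0, uptime_ms, f["sport"], f["dport"],
                       0, f.get("flags", 0), f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def parse_v5_packet(data: bytes) -> Tuple[Dict, List[Dict]]:
    """Validate and decode a v5 datagram into (header, records); rejects wrong versions and truncated data."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"length {len(data)} does not match count {count}")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                        "in_if": r[3], "out_if": r[4], "packets": r[5], "bytes": r[6],
                        "sport": r[9], "dport": r[10], "flags": r[12], "proto": r[13], "tos": r[14]})
    header = {"version": version, "count": count, "sysuptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine": (engine_type, engine_id), "sampling": sampling}
    return header, records


def conversation_key(rec: Dict) -> Tuple:
    """Protocol plus both endpoints, ordered so that the two directions of a session share one key."""
    a, b = (rec["src"], rec["sport"]), (rec["dst"], rec["dport"])
    return (rec["proto"],) + (a + b if a <= b else b + a)


def top_talkers(records: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    """Sources ranked by bytes sent."""
    counter: Counter = Counter()
    for rec in records:
        counter[rec["src"]] += rec["bytes"]
    return counter.most_common(n)


def conversations(records: List[Dict]) -> Dict[Tuple, int]:
    """Bytes per conversation (both directions combined)."""
    totals: Dict[Tuple, int] = defaultdict(int)
    for rec in records:
        totals[conversation_key(rec)] += rec["bytes"]
    return dict(totals)


def missing_flows(prev_header: Dict, curr_header: Dict) -> int:
    """Flows lost between two consecutive datagrams: v5 flow_sequence counts flows, not datagrams."""
    return curr_header["flow_sequence"] - (prev_header["flow_sequence"] + prev_header["count"])


if __name__ == "__main__":
    header, records = parse_v5_packet(build_v5_packet(SAMPLE_FLOWS))
    print(header["count"], "flows; top talkers:", top_talkers(records))
    print(len(conversations(records)), "conversations")
```

NDE is UDP, so the sequence check matters: a collector that ignores flow_sequence under-reports bandwidth and silently loses conversations whenever the export path drops datagrams.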
Cisco NAM Service Module Overview
Application Response Time
* Measures application transaction times
* Pinpoints problems to the network or the application
* Offers critical insight into application behavior
Voice Quality Troubleshooting
* Discovers active calls
* Provides insight into both VoIP signaling and traffic
* Assesses VoIP performance levels
Comprehensive packet capture capabilities to pinpoint and resolve problems:
* Trigger-based captures
* Remote storage and analysis
* Intelligent filters and decodes
With Cisco NAM, Cisco offers a solution that provides end-to-end network visibility while also addressing many of the network and performance monitoring issues that have been raised.
By analyzing the traffic forwarded to it, Cisco NAM can analyze the source of the traffic, its destination, the protocol, and the amount of traffic per host, per conversation, and per application. The table categorizes the capabilities of Cisco NAM. Here are some common applications for Cisco NAM and related features to support these monitoring applications.
Voice quality:
* Discovers active calls
NAM-1 and NAM-2 Modules
* Embedded service modules
* Provide dedicated hardware to deliver advanced performance analytics and end-to-end visibility
* Different performance monitoring levels
* Embedded traffic analyzer software
Cisco NAM-1 and NAM-2 comparison:

Processors: NAM-1 dual; NAM-2 dual plus accelerator
RAM: NAM-1 512 MB; NAM-2 1 GB
Hard disk: NAM-1 20 GB; NAM-2 120 GB
Capture buffer: NAM-1 125 MB; NAM-2 300 MB
Performance: NAM-1 sub-gigabit; NAM-2 gigabit
Monitoring applications: NAM-1 Fast Ethernet and low-capacity GE; NAM-2 high-capacity GE
Deployment positions: server farm / data center, small core / distribution, branch office / WAN edge
* LAN: SPAN, Remote Switched Port Analyzer (RSPAN), VACL-based captures, NetFlow (versions 1, 5, 6, 7, 8, and 9)
* WAN: NetFlow (versions 1, 5, 6, 7, 8, and 9) from local and remote devices, VACL-based captures for FlexWAN and Optical Services Module (OSM) interfaces (Cisco IOS Software only)
[Figure: Cisco NAM internal communication: a web browser reaches the NAM web server over HTTP or HTTPS; data from ERSPAN and NDE sources arrives on the monitor interface for NDE; data from spanned sources or VACLs is delivered separately; the poll process and the RMON process build the statistics.]
Note: The NAM-2 can support two simultaneous SPAN and VACL sessions.
* Set up network parameters
* Selection of traffic to monitor
* Types of statistics to gather
* Real-time and historical reports
* Performance analytics
Reports:
* VLAN and switch port monitoring
* Application, hosts, and conversation monitoring
* Switch health monitoring
* QoS (DiffServ) monitoring
* Real-time NetFlow monitoring

Troubleshooting:
* Application response time monitoring
* VoIP and video monitoring
* URL monitoring
* Packet capture and decode
* Historical trend reporting
For enhanced security, the Traffic Analyzer supports Secure Sockets Layer (SSL) security with up to 168-bit encryption (that is, Triple DES) and offers role-based user authorization and authentication, either locally or using TACACS+.
Note: The Traffic Analyzer supports Cisco NAM-1 and NAM-2 and does not support the first-generation NAM. It also supports the Cisco branch routers series NAM (NM-NAM) (not covered in this course).
Live Network Monitoring: Port Statistics
* View traffic and error statistics for all interfaces
* Select an interface and drill down in the interface to obtain more details
* Port-level statistics include utilization, packets, errors, and collisions
* Can also monitor selected ports for applications, hosts, and conversations
Switch monitoring and reporting is available for every port on the Cisco Catalyst switch regardless of the NAM configuration. In other words, switch port monitoring is always available because it is the very foundation of performance monitoring and troubleshooting. The Monitor > Switch tab provides statistics on the hosting switch. The Port Stats > Current Rates table allows you to view the data collected for the switch. The information displayed represents the data collected per second over the last time interval. On Cisco NAM, the mini-RMON statistics pulled from the host switch provide utilization and error statistics for each active port.
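The per-port utilization and error figures above are derived from the mini-RMON etherStats counters (RFC 2819 etherStatsOctets, etherStatsPkts, etherStatsCRCAlignErrors and etherStatsCollisions) polled from the host switch. The following Python is an added example, not code from the course or from Cisco NAM, of how a poller turns two samples of those Counter32 objects into the rates the NAM displays. The two samples are constructed for the example; the utilization estimate follows the RFC 2819 etherHistory formula, which charges each packet 160 bits of preamble and inter-frame gap in addition to its octets. The point a practitioner most often gets wrong is shown explicitly: the counters are 32 bits wide, so a delta has to allow for a wrap, and a Gigabit port can wrap etherStatsOctets in about 34 seconds, which bounds the usable polling interval.

```python
# Per-port utilization and error rate from two polls of the mini-RMON etherStats counters.
# The counters are Counter32 objects, so a delta must account for a 32-bit wrap.

COUNTER32 = 1 << 32


def counter_delta(prev, curr, modulus=COUNTER32):
    """Difference between two Counter32 samples, assuming at most one wrap between polls."""
    if curr >= prev:
        return curr - prev
    return curr + modulus - prev


def max_poll_interval_s(speed_bps, modulus=COUNTER32):
    """Seconds a port at full line rate needs to wrap etherStatsOctets once: poll faster than this,
    or the wrap becomes ambiguous and utilization is silently under-reported."""
    return modulus / (speed_bps / 8)


def port_stats(prev, curr, speed_bps, interval_s):
    """Return utilization (%) and CRC/alignment error rate (%) for one port between two polls.
    prev/curr map etherStats object names to their sampled values."""
    if interval_s > max_poll_interval_s(speed_bps):
        raise ValueError("poll interval too long: the 32-bit octet counter may have wrapped twice")
    octets = counter_delta(prev["etherStatsOctets"], curr["etherStatsOctets"])
    pkts = counter_delta(prev["etherStatsPkts"], curr["etherStatsPkts"])
    crc = counter_delta(prev["etherStatsCRCAlignErrors"], curr["etherStatsCRCAlignErrors"])
    collisions = counter_delta(prev["etherStatsCollisions"], curr["etherStatsCollisions"])
    # RFC 2819 utilization estimate: 160 bits of preamble + inter-frame gap per packet, plus payload bits.
    bits = pkts * 160 + octets * 8
    utilization = 100.0 * bits / (speed_bps * interval_s)
    error_rate = 100.0 * crc / pkts if pkts else 0.0
    return {"utilization_pct": utilization, "crc_error_pct": error_rate,
            "packets": pkts, "collisions": collisions}


# Constructed samples one second apart on a 100 Mb/s port; the octet counter wraps between them.
PREV_SAMPLE = {"etherStatsOctets": 4294966296, "etherStatsPkts": 50000,
               "etherStatsCRCAlignErrors": 10, "etherStatsCollisions": 0}
CURR_SAMPLE = {"etherStatsOctets": 5999000, "etherStatsPkts": 55000,
               "etherStatsCRCAlignErrors": 15, "etherStatsCollisions": 0}

if __name__ == "__main__":
    print(port_stats(PREV_SAMPLE, CURR_SAMPLE, 100_000_000, 1))
    print("GE wrap interval (s):", round(max_poll_interval_s(1_000_000_000), 1))
```

With the constructed samples the wrap-corrected octet delta is 6,000,000, giving 48.8 percent utilization and a 0.1 percent CRC error rate; the same code rejects a 60-second poll on a Gigabit port because the counter could have wrapped more than once.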
Live Network Monitoring: Application and Protocol Monitoring
* Protocol distribution: obtain visibility into the upper-layer protocols and applications for the configured data source
* Conversation pair statistics
* Drill down to the protocols and obtain information on hosts and conversations
* Detailed host and conversation statistics
When traffic is spanned to the NAM-1 and NAM-2, Cisco NAM can look inside the live packets to gather information from the packet headers. Application monitoring identifies every application that has consumed bandwidth, and by how much, and detects which hosts are using which applications. Host and conversation-pair monitoring provides bandwidth consumption per host and shows you which hosts are talking to each other, along with the amount of traffic each host is generating. In addition, response times per application within each application server can be measured and reported.
When NetFlow statistics are exported to Cisco NAM, the flow statistics also provide application, host, and conversation monitoring. (Server response times are not available for NetFlow data sources.)
Monitoring applications, hosts, conversations, and server response times can help you proactively spot bottlenecks before your network suffers blows to performance and availability.
[Figure: Server response time. Deploy NAMs closest to the application servers and clients; labels: server farm, client PCs, server response time.]
Performance Analytics: Differentiated Services Monitoring
* Validates planning assumptions and QoS allocations
* Detects incorrectly marked or unauthorized traffic
(...) into classes of service that map onto the QoS policies that you have implemented. This enables you to fully customize how Cisco NAM reports DiffServ statistics so that they match your environment.
(...) rates
* Host and conversation statistics
* Filtering of URL by host, path, and content
A URL, for example http://host.domain.com/intro?id=123, consists of a host part (host.domain.com), a path part (intro), and an arguments part (?id=123). The collection can be configured to collect all parts, or it can be configured to collect only some of the parts and ignore the others.
When the URL statistics are collected, you can view each URL and the number of hits to it. This URL collection list, illustrated in the figure, can be filtered to look for any part of the URL: host, path, or argument.
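The following Python is an added example, not code from the course or from Cisco NAM, of the URL collection behaviour just described: each URL is split into host, path and arguments, the collection can be configured to keep only some of those parts, hits are counted per collected key, and the resulting list can be filtered on any one part. The request URLs are constructed for the example; host names are folded to lower case because DNS names are case-insensitive, which is a choice of this example rather than something the page states about the NAM.

```python
from collections import Counter
from urllib.parse import urlsplit

URL_PARTS = ("host", "path", "args")


def split_url(url):
    """Split a URL into the three parts the URL collection works with."""
    u = urlsplit(url)
    return {"host": u.netloc.lower(), "path": u.path or "/", "args": u.query}


def url_key(url, parts=URL_PARTS):
    """Key a URL by only the selected parts; unselected parts are ignored, like a collection
    configured to gather just the host, or just host and path."""
    pieces = split_url(url)
    return tuple((p, pieces[p]) for p in URL_PARTS if p in parts)


def collect_urls(urls, parts=URL_PARTS):
    """Return the number of hits per collected URL key."""
    return Counter(url_key(u, parts) for u in urls)


def filter_urls(hits, part, needle):
    """Filter the collection list for entries whose host, path or args contain `needle`."""
    if part not in URL_PARTS:
        raise ValueError(f"unknown URL part {part!r}")
    return {key: n for key, n in hits.items()
            if any(p == part and needle in value for p, value in key)}


# Constructed sample of requests seen on a data source (not real traffic).
SAMPLE_URLS = [
    "http://host.domain.com/intro?id=123",
    "http://host.domain.com/intro?id=456",
    "http://HOST.domain.com/intro?id=123",      # same URL; host names are case-insensitive
    "http://other.example.net/login?user=bob",
    "https://host.domain.com/",
]

if __name__ == "__main__":
    for key, n in collect_urls(SAMPLE_URLS, parts=("host", "path")).most_common():
        print(n, dict(key))
```

Collecting only host and path merges the three /intro requests into one entry with three hits; collecting all parts keeps the two distinct argument strings apart, and filtering the full list on the args part for "id=" returns just those two entries.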
The capture and decode capability of NAM provides depth and insight into data analysis using trigger-based captures, filters, decodes, and a capture analysis tool set to quickly pinpoint and resolve problem areas.
Captured packets can be saved on a remote Internet Small Computer Systems Interface (iSCSI) drive or Network File System (NFS) disk to extend the data storage capability of Cisco NAM. NAM analyzes and decodes the captures stored remotely, performs system administration, and provides information on available disk space. Because captures hold complete packets, payload included, the remote iSCSI or NFS store needs the same access control as Cisco NAM itself.
[Figure: Cisco NAM data sources: mini-RMON, NetFlow, NBAR, MIB-II.]
It is important to manage the data sources supplying data to Cisco NAM. You must understand how Cisco NAM and its data sources are configured in order to interpret the various NAM reports. Cisco NAM makes use of multiple data sources to provide visibility into the network, including the following:
* Mini-RMON: For per-switch-port Layer 2 statistics
* VACLs and Cisco Express Forwarding: To copy actual packets traversing the switch fabric and router interfaces to Cisco NAM for analysis
Note: The NBAR MIB has not yet been implemented within the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series router. When these devices include support for the NBAR MIB, the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series router NAM will support NBAR protocol discovery on those devices as well.
Mini-RMON, SPAN, and RSPAN
[Figure: Cisco Catalyst 6500 Series Switch hosting the NAM. Mini-RMON traffic is collected by the internal NAM interface; spanned traffic (port, VLAN, or EtherChannel) is sent to the NAM data port; simultaneous SPAN/RSPAN sessions are supported. Traffic passes over production links when using RSPAN to monitor traffic on a remote Cisco Catalyst switch.]
Note: The ability to use SPAN VLANs allows you to achieve additional monitoring flexibility. Remote switches can be configured to export data on a special user-defined VLAN. Cisco NAM can then span this remote VLAN, effectively spanning data from a remote switch. This (...)
ERSPAN
[Figure: Use ERSPAN to monitor traffic on a remote switch without having to send personnel to the site or haul around a portable analyzer. ERSPAN traffic from a remote Cisco Catalyst switch is collected by the NAM management interface on the Cisco Catalyst 6500 Series Switch. Traffic passes over production links when using ERSPAN to monitor traffic on a remote switch. Packets are encapsulated in a GRE header and directed to the IP address of the ERSPAN destination.]
(...) Encapsulation (GRE) IP packet. This encapsulated packet can then be sent through any Layer 3 network as a GRE tunneled packet.
ERSPAN increases the deployment flexibility of Cisco NAM, enabling it to monitor traffic from remote parts of the network. Cisco NAM can receive ERSPAN traffic through the internal (...)
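The following Python is an added example, not code from the course or from Cisco NAM, of what the ERSPAN destination actually receives: a GRE header (protocol type 0x88BE, sequence number present) followed by an 8-byte ERSPAN type II header carrying the version, original VLAN, class of service and the 10-bit session ID, and then the mirrored Ethernet frame. The packet is constructed in memory by the example's own builder, the outer IP header is assumed to have been stripped already, and the port index value is arbitrary. The security point worth keeping in mind is that this is a plain-text copy of production traffic crossing production links with no authentication: a collector should accept GRE only from the configured source switch and, as the decoder below does, discard copies that do not belong to the session it expects.

```python
import struct

ERSPAN_II_PROTO = 0x88BE          # GRE protocol type for ERSPAN type II
GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000


def build_erspan2(session_id, vlan, frame, seq=1, cos=0):
    """Wrap a mirrored Ethernet frame in GRE (sequence number present) + ERSPAN type II.
    Used only to construct the sample; on the switch this is done in hardware."""
    gre = struct.pack("!HHI", GRE_SEQ, ERSPAN_II_PROTO, seq)
    word0 = ((1 << 28)                      # version 1 = ERSPAN type II
             | ((vlan & 0xFFF) << 16)
             | ((cos & 0x7) << 13)
             | (0 << 11)                    # En = 0: VLAN carried in this header, not in the frame
             | (0 << 10)                    # T = 0: frame not truncated
             | (session_id & 0x3FF))
    word1 = 1 & 0xFFFFF                     # port index, arbitrary for the sample
    return gre + struct.pack("!II", word0, word1) + frame


def parse_gre(packet):
    """Return (GRE header fields, payload); checksum/key/sequence are optional fields."""
    flags, proto = struct.unpack_from("!HH", packet, 0)
    if flags & 0x7:
        raise ValueError("unsupported GRE version")
    off, hdr = 4, {"proto": proto, "key": None, "seq": None}
    if flags & GRE_CSUM:
        off += 4                             # checksum + reserved, not verified here
    if flags & GRE_KEY:
        hdr["key"] = struct.unpack_from("!I", packet, off)[0]
        off += 4
    if flags & GRE_SEQ:
        hdr["seq"] = struct.unpack_from("!I", packet, off)[0]
        off += 4
    return hdr, packet[off:]


def parse_erspan2(payload):
    """Decode the 8-byte ERSPAN type II header; returns (fields, mirrored frame)."""
    if len(payload) < 8:
        raise ValueError("short ERSPAN header")
    word0, word1 = struct.unpack_from("!II", payload, 0)
    if word0 >> 28 != 1:
        raise ValueError("not an ERSPAN type II header")
    return {"vlan": (word0 >> 16) & 0xFFF, "cos": (word0 >> 13) & 0x7,
            "en": (word0 >> 11) & 0x3, "truncated": bool((word0 >> 10) & 1),
            "session_id": word0 & 0x3FF, "index": word1 & 0xFFFFF}, payload[8:]


def decode_mirrored(packet, expected_session=None):
    """Return ERSPAN metadata plus the mirrored frame's Ethernet header fields.
    `packet` starts at the GRE header (outer IP already stripped). When expected_session is
    given, copies from any other session are rejected instead of being analyzed."""
    gre, rest = parse_gre(packet)
    if gre["proto"] != ERSPAN_II_PROTO:
        raise ValueError(f"GRE protocol {gre['proto']:#06x} is not ERSPAN type II")
    hdr, frame = parse_erspan2(rest)
    if expected_session is not None and hdr["session_id"] != expected_session:
        raise ValueError("mirror traffic from an unexpected ERSPAN session")
    if len(frame) < 14:
        raise ValueError("mirrored frame too short for an Ethernet header")
    return {**gre, **hdr,
            "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": struct.unpack_from("!H", frame, 12)[0],
            "payload_len": len(frame) - 14}


# Constructed sample: a 54-byte IPv4 frame mirrored from VLAN 100 in ERSPAN session 5.
SAMPLE_FRA = None
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + b"\x08\x00" + b"\x45" + bytes(39))
SAMPLE_PACKET = build_erspan2(session_id=5, vlan=100, frame=SAMPLE_FRAME, seq=42)

if __name__ == "__main__":
    print(decode_mirrored(SAMPLE_PACKET, expected_session=5))
```

Decoding the sample yields session 5, VLAN 100, GRE sequence 42, the inner source and destination MAC addresses and an IPv4 ethertype; decoding the same packet while expecting session 6 raises, which is the behaviour a collector on a shared management network should have.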
VACLs
Use a VACL for traffic analysis:
* To analyze WAN interfaces that cannot be spanned
* If no more SPAN sessions are available for use
* To pre-filter specific types of traffic for analysis
VACL traffic sent to the Cisco NAM data port looks just like SPAN data to the Cisco NAM.
[Figure: Cisco Catalyst 6500 Series Switch; VACL traffic (copied traffic) sent to the NAM data port.]
VACLs can be used with LAN ports and are useful if no more SPAN sessions are available. VACLs can be used to help filter specific types of traffic for further analysis by Cisco NAM.
Mini-RMON and NDE
[Figure: Cisco Catalyst 6500 Series Switch hosting the NAM; mini-RMON statistics copied to Cisco NAM. NDE traffic for enabled interfaces on remote NetFlow-enabled devices passes over production links to Cisco NAM on UDP port 3000 and is collected by a single internal Cisco NAM interface.]
The figure shows how the NDE feature is used for WAN monitoring. In addition to the internal interfaces of Cisco NAM for SPAN, VACL, and mini-RMON, there is also an interface for (...)
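Three passages in this lesson describe what Cisco NAM does with NetFlow: the application, host and conversation monitoring that flow statistics provide, the Differentiated Services monitoring that detects incorrectly marked or unauthorized traffic, and NDE collection on UDP port 3000. The following Python is an added example serving all three; it is not code from the course or from Cisco NAM. It decodes a NetFlow version 5 datagram (24-byte header, 48-byte records), aggregates bytes per host, per conversation pair, per application and per DSCP class, and flags flows marked EF (DSCP 46) whose source lies outside the one subnet allowed to mark EF. The port-to-application map, the EF policy subnet and the three flow records are all assumptions constructed for the example; the datagram is built in memory rather than received from a socket, and the parser rejects any datagram whose length does not match its record count rather than reading past the end.

```python
import ipaddress
import struct
from collections import Counter

# NetFlow v5 export layout: 24-byte header followed by up to 30 48-byte flow records.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Assumptions for this example: a tiny port-to-application map (the NAM uses a far larger
# protocol directory) and a hypothetical QoS policy under which only the voice subnet may
# mark packets with DSCP EF (46).
APP_BY_PORT = {53: "dns", 80: "http", 443: "https", 5060: "sip"}
EF_ALLOWED = ipaddress.ip_network("10.10.0.0/24")
DSCP_EF = 46


def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 datagram, as an NDE collector listening on UDP port 3000 would.
    Returns (header dict, list of record dicts); rejects anything that is not well-formed v5."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(datagram) != NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
            "dscp": f[14] >> 2,            # the ToS byte carries DSCP in its upper six bits
        })
    header = {"count": count, "sequence": seq, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}
    return header, records


def application_of(record):
    """Name the application by well-known destination port, then source port, else the port."""
    return (APP_BY_PORT.get(record["dport"]) or APP_BY_PORT.get(record["sport"])
            or f"port-{record['dport']}")


def summarize(records):
    """Byte counts per host, per conversation pair, per application and per DSCP class,
    plus EF-marked flows whose source is outside the subnet allowed to mark EF."""
    hosts, conversations, applications, dscp = Counter(), Counter(), Counter(), Counter()
    violations = []
    for r in records:
        hosts[r["src"]] += r["bytes"]
        hosts[r["dst"]] += r["bytes"]
        conversations[tuple(sorted((r["src"], r["dst"])))] += r["bytes"]
        applications[application_of(r)] += r["bytes"]
        dscp[r["dscp"]] += r["bytes"]
        if r["dscp"] == DSCP_EF and ipaddress.ip_address(r["src"]) not in EF_ALLOWED:
            violations.append((r["src"], r["dst"], r["dport"]))
    return {"hosts": hosts, "conversations": conversations, "applications": applications,
            "dscp": dscp, "violations": violations}


def build_record(src, dst, sport, dport, proto, packets, nbytes, dscp):
    """Pack one constructed v5 flow record (next hop, interfaces and AS numbers are filler)."""
    return NF5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                           b"\0\0\0\0", 1, 2, packets, nbytes, 1000, 2000, sport, dport,
                           0, 0x18, proto, dscp << 2, 0, 0, 24, 24, 0)


# Constructed sample export: a legitimate EF-marked SIP flow from the voice subnet, a web flow
# marked EF from outside it, and an unmarked HTTPS flow.
SAMPLE_DATAGRAM = NF5_HEADER.pack(5, 3, 123456, 1700000000, 0, 1, 0, 0, 0) + b"".join([
    build_record("10.10.0.5", "10.20.0.9", 5060, 5060, 17, 10, 1200, DSCP_EF),
    build_record("10.30.0.7", "10.20.0.9", 40000, 80, 6, 50, 60000, DSCP_EF),
    build_record("10.30.0.7", "10.20.0.10", 40001, 443, 6, 20, 30000, 0),
])

if __name__ == "__main__":
    header, flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    report = summarize(flows)
    print(header["count"], "flows; EF violations:", report["violations"])
```

For the sample export the report attributes 61,200 bytes to host 10.20.0.9, 60,000 bytes to the 10.20.0.9/10.30.0.7 conversation, 30,000 bytes to HTTPS, and lists the web flow from 10.30.0.7 as the one EF marking the policy does not authorize.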
[Figure: Planning a NAM deployment. Proactive alerts: acceptable response times? acceptable utilization? packet captures? Data sources: NetFlow data export, MIB-II interface stats, spanned switch ports and VLANs, supervisor module VACL source. Reporting requirements: e-mail export? schedule?]
The Cisco NAM module needs to view the network traffic to provide traffic visibility and analysis. Therefore, the network administrator must first determine what information is desired from the analysis software, and what data must be collected to get the desired reports. Properly determining the data to collect to obtain the reporting requirements is perhaps the very crux of network management. The success of your NAM implementation depends on a clear understanding of the reporting requirements and how to obtain the data using Cisco NAM.
To gain a better understanding of this issue, consider the following questions:
* Are there bandwidth and response time requirements or policies that your company requires monitoring of?
* (...) application or response-time problem? Voice or data quality of service (QoS) delivery? Monitoring for real-time or historical performance? Acute problems or fault isolation? Some combination of these?
* What types of reports are needed (utilization, hosts, conversations, applications, protocol usage, response time, and so on), what should the granularity of the data be, and when should the reports be scheduled?
* How will Cisco NAM view the traffic to analyze? Will the packets be spanned to the interface of Cisco NAM or exported by NetFlow, or can the switch port statistics be used?
This situation may apply to the Cisco NAM in your environment because you may want to give many users access to some parts of Cisco NAM and secure other parts. However, giving unlimited access to all the Cisco NAM features could undermine the very purpose for deploying NAMs in the first place. The problem is this: as discussed earlier, the data you get from Cisco NAM is only as good as your planning for and configuration of it. So, if you give configuration access to all your users, you will not be able to guarantee that the collections you configured a week ago will still be the same when you go to review the performance of your network. For example, suppose you have configured Cisco NAM for alarming and event notification on a data source for historical reporting. Any change made to Cisco NAM may disable the alarms you rely on for notification or the data sources you are using for monitoring. So, when planning for Cisco NAM deployment, consider who should have access to its configuration utilities and who simply needs access to the reports. Doing so will help ensure that Cisco NAM continues to deliver the data you need.
[Figure: Deploy Cisco NAMs at critical and aggregation points in the data center.]
Collecting the data you need is made easier by the flexibility of Cisco NAM to be placed where it is needed and where it can gather data from either local or remote switches and routers. Typical deployment places for Cisco NAM include LAN aggregation points where it can collect the most data, service points (server farms, data centers, and so on) where performance is critical, and important access points. Actual placement depends on the problems you are trying to solve with Cisco NAM. As shown in the figure, the Cisco Catalyst 6500 Series Switch NAM can be complemented with the Cisco branch routers series NAM and the NM-NAM for monitoring WANs.
(...) monitor traffic running at sub-gigabit speeds (NAM-1) and gigabit speeds (NAM-2). Cisco NAMs can be deployed in the following areas:
* Distribution or core layer trunk ports
* Service points (for example, in data centers, server farms, or Cisco Unified Communications Manager clusters in IP telephony) where performance is critical
* Critical access points
Placement and intended use can dictate the need for the higher-performance NAM-2.
1. Identify the problems or needs you are trying to solve with Cisco NAM.
2. Identify what data collection and monitoring needs can help resolve those problems or needs.
3. Determine how many Cisco NAMs you need to deploy and where you need to deploy them.
4. Identify the appropriate SPAN sources (port, VLAN, or Cisco EtherChannel tunnel) for each Cisco NAM.
5. Define the access policies, data collection and reporting, and alarm configuration requirements for each Cisco NAM to match those needs.
6. Configure security, monitoring, and alarming as defined in the previous steps.
7. Review Cisco NAM system resources to ensure that Cisco NAM continues to support your collection and monitoring needs.
8. View, modify, and monitor the configuration as necessary.
Summary
This topic summarizes the key points that were discussed in this lesson.
* Network traffic should be monitored proactively in managing the overall network.
* Real-time monitoring statistics provide immediate data on the current traffic for troubleshooting.
* Historical statistics provide valuable trending and capacity planning information for network planners.
* The RMON II MIB provides extensive visibility into application (...)
Lesson 2
Objectives
Upon completing this lesson, you will be able to describe the Cisco Catalyst 6500 Series Switch NAM installation and initial configuration steps. This includes being able to meet these objectives:
* Describe the Cisco NAM installation
* Explain the Cisco NAM initial setup
* Describe various ways to access the Cisco NAM

Cisco NAM Installation
This topic describes Cisco NAM installation.
Host switch software requirements shown in the figure:
* Supervisor 32: Release 12.2(14)SX1 or later
* Supervisor 720 with PFC3A/B/BXL: Release 12.2(18)SXF or later
(...) hardware and software requirements just discussed. However, every Cisco Catalyst switch is capable of gathering a subset of Remote Monitoring (RMON) statistics on a per-port basis, known as mini-RMON (Layer 2 statistics, history of those statistics, alarms, and events). Typically, these statistics are used to provide general port status and health. To utilize this capability, you must define the Simple Network Management Protocol (SNMP) community strings to enable data collection by Cisco NAM (and/or a third-party management application).
Browser configuration:
* Enable Java and JavaScript
* Accept all cookies
* Check for newer versions of pages every time a page is loaded
* Memory and disk cache size must be at least 6 MB
* Although the Traffic Analyzer does not require it, a Java plug-in might be required to use a JVM

Supported browsers and platforms:
* Internet Explorer 6.0: Microsoft Windows 2000, Microsoft Windows XP Professional
* Mozilla Firefox 1.7: Microsoft Windows 2000, Microsoft Windows XP Professional, Solaris
* JRE Version 5.0 Update 6: Microsoft Windows 2000, Microsoft Windows XP Professional, Solaris, Red Hat Enterprise Linux
Note: It is always a good idea to check the latest release notes for up-to-date information regarding system requirements.
After you have identified the appropriate locations for Cisco NAM and you have determined that the Cisco Catalyst switch hosting Cisco NAM meets all requirements, you can install the NAM blade and configure it for basic management (for use with the Traffic Analyzer software that is embedded in Cisco NAM or a third-party application) and for any additional monitoring, data source, or autostart options.
You can install Cisco NAM in any slot on the host Cisco Catalyst switch except the slots that are reserved for the supervisor modules.
Caution: Cisco NAM is a complex piece of electrical hardware and should be treated carefully. Installers should follow all safety precautions when handling and installing any electrical component. Follow all recommendations listed in the installation guide to ensure the best operating environment for Cisco NAM.
Verifying NAM Installation
Initial Setup
* Access the CLI of the hosting device (Telnet or console port)
* Establish a console session to the Cisco NAM module
* Configure the default gateway
* Configure the DNS name server (if applicable)
* Verify the IP configuration
[Figure: LAN/WAN; Telnet; console port.]
(...) other devices, whether for management purposes (Telnet) or for retrieving data.
To configure the IP settings, access the CLI of the hosting device with Telnet or through the console port, and then session to the slot number where Cisco NAM resides with one of the (...)
Note: The syntax differs slightly for Cisco IOS and Cisco Catalyst Operating System Software devices.
IP Settings and Web Server
You are prompted for the web username and password when logging in to the web interface of the Cisco NAM over HTTP or HTTPS.

Initial IP Settings
To configure the initial IP settings, use the commands in the table, which shows the syntax and commands to configure the necessary IP settings.
Command | Description
root@localhost# ip address ip-address subnet-mask | Configures the IP address and subnet mask
root@localhost# ip broadcast broadcast-address | Configures the IP broadcast address
root@localhost.localdomain# ip host host-name | Configures the IP hostname used in the CLI prompt, show commands, and log messages
root@nam1.localdomain# ip gateway default-gateway | Configures the default gateway
root@localhost# ip domain domain-name | Configures the domain name
root@localhost.localdomain# ip nameserver ip-address [ip-address] | Configures one or more DNS name servers
root@localhost.localdomain# show ip | Displays the current IP configuration
Note: The step of configuring one or more IP addresses as DNS name servers is optional but highly recommended. Unexpected delays can occur if a name server is not set.
Enabling Web Server
After you configure Cisco NAM with an IP address, you can communicate with Cisco NAM over the network. Before you can access Cisco NAM through a web browser, you must enable the NAM web server using the CLI.
To enable the web server, choose either HTTP or HTTPS as the access protocol. By default, the HTTPS commands are disabled.
For HTTP, use the ip http server enable command. For HTTPS, use the ip http secure server enable command. HTTP carries the web username and password, and every report, in clear text, so on any network you do not fully trust enable HTTPS rather than HTTP.
You can also choose to run the server on a port other than TCP 80. If you change the HTTP port, you must restart the server.
Note: After entering the command to enable the server, you are queried for a web administration username and password. This is the account information used to access the Cisco NAM Traffic Analyzer software with a browser. Remember that the CLI account for Cisco NAM is not a web account and cannot be used to access Cisco NAM with a web browser.
To enable the HTTP secure server, install a strong crypto patch. If you prefer to use Secure Shell Protocol (SSH) rather than Telnet, you must also install a strong crypto patch.
To install a strong crypto patch, follow these steps:
Step 1: Download the patch from Cisco.com and publish the patch on an FTP server.
Step 2: (...)
VLAN and SNMP Configuration
* VLAN configuration: the management VLAN is defined on the host switch in global configuration mode (6500(config)# (...))
* Before using third-party network management applications to communicate with Cisco NAM, first enable the SNMP attributes
During installation of Cisco NAM, Cisco NAM is made aware of the SNMP community strings of the host switch that are already set. For example, to configure the read-write and read-only SNMP community strings, enter the following commands at the NAM CLI:
root@localhost.localdomain# snmp community community-string rw
root@localhost.localdomain# snmp community community-string ro
Logging In
Browse to http://<NAM IP address> (or the corresponding HTTPS URL if you enabled the secure server). The figure shows the Traffic Analyzer login page, with the web administration username (admin) and password fields, and the steps to access the web server and log in to the embedded Traffic Analyzer software.
System Administration Overview
[Figure: Traffic Analyzer system overview page.]
All of your configuration options will affect the resource utilization and performance of the Cisco NAM; periodically monitor these statistics.
Configuring Cisco NAM
Network access configuration options that were defined during installation at the CLI can be (...):
* IP broadcast
* Subnet mask
* IP gateway
* Host and domain names
* Name servers
User Account Management
* Which users should have access to which features?
* Define security policies that meet your security needs and the functional requirements of Cisco NAM users
* Define security policies to protect your data requirements
* Enable third-party management systems to communicate with Cisco NAM with SNMP community strings
Creating New Users
To access the user accounts, select the Admin > Users > Local Database submenu. The tab displays the user accounts and their access privileges. Click Create to add a new user. Use the New User pop-up box to configure the password and privileges of the new user.
Privileges include:
* Packet captures and decoding
* Alarm configuration
* Collection configuration
* Collection viewing
Network planners can be given collection configuration and view access privileges. You might want to consider assigning all access to one person who is responsible for overseeing the various needs of users in your organization. It is up to you to decide which users need access to each of the features available. All users by default have the collection view privilege, allowing them to view any report for the collected data.
Third-Party Access to Cisco NAM Using SNMP
* Configure Cisco NAM to share information from the NAM using SNMP (SNMP v1 and v2 are supported)
* To access the SNMP configuration, select the Admin > System > NAM SNMP submenu
* Click Create to add community strings, or delete existing entries to remove them
* Disable SNMP communication by deleting the SNMP community strings
You can define SNMP community strings to allow access to Cisco NAM from a network management console. An SNMP community is a domain of one or more SNMP agents and one or more SNMP management consoles that share access information and configuration. In other words, community strings are similar to passwords, and they enable network management agents and consoles to agree on what information and configuration options can be shared. For example, if a network management console wants to retrieve information from an agent, the console must be configured with the read-only community string of that agent to read data from it. If the network management console also wants to set parameters on the agent, it must be configured with the read-write community string. Because SNMP version 1 and version 2 community strings cross the network in clear text, treat the read-write string as you would an administrative password and limit which management stations can reach Cisco NAM.
When you configure your NAM community strings as shown in the figure, you are configuring the community strings that another, third-party external management console must use to collect information from or send information to Cisco NAM. To do so, click the Create button and add the community strings for read-only and read-write. To prevent any outside SNMP access to Cisco NAM, do not configure the SNMP strings, or delete all SNMP strings currently configured.
Note: The NAM supports SNMP communication with SNMP version 1 or version 2.
Note: For switches running the Catalyst operating system only, if the IP permit list is enabled, verify that the internal address of the NAM is added to the list, using the set ip permit snmp command.
Audit Trail
To access the Audit Trail screen, select the Admin > Diagnostics > Audit Trail submenu. To use Audit Trail, you must first enable it by selecting Setup > Preferences and checking the Audit Trail checkbox.
Audit Trail provides useful information such as which user logged in, which IP address the user logged in from, and what activities were performed during that session.
When you have finished configuring Cisco NAM for secure and functional access, you can track critical web and CLI user activities in an audit log, including:
* Unauthorized access
* Add/delete users
(...)
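The audit trail records who logged in, from which address, and what they did; turning that into something an operator acts on means reviewing the records for the events the list above names. The following Python is an added example, not code from the course or from Cisco NAM, of such a review: it flags logins from outside an assumed management subnet (unauthorized access), bursts of failed logins from one source, and user add/delete actions. The record layout, the management subnet, the thresholds and the sample records are all assumptions constructed for the example; the NAM's own audit trail is viewed in the Traffic Analyzer and its export format is not described on this page. Malformed lines are skipped rather than aborting the review, so a partially corrupted export still yields its alerts.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical audit-record layout assumed for this example (one record per line).
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<iface>web|cli) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>success|failure)$")

MGMT_NET = ipaddress.ip_network("10.1.1.0/24")   # assumed: the only subnet that should log in
FAIL_THRESHOLD = 3                                # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)                # ... within this window raise an alert
ACCOUNT_ACTIONS = {"add-user", "delete-user"}


def parse_audit(lines):
    """Parse audit records; malformed lines are skipped rather than aborting the review."""
    events = []
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def review_audit(lines):
    """Return (kind, user, detail) alerts: logins from outside the management subnet (once per
    user/source), bursts of failed logins from one source, and user account changes."""
    alerts, seen_outside = [], set()
    failures = defaultdict(list)             # source IP -> timestamps of recent failures
    for ev in parse_audit(lines):
        if ev["action"] == "login":
            src = ipaddress.ip_address(ev["src"])
            if src not in MGMT_NET and (ev["user"], ev["src"]) not in seen_outside:
                seen_outside.add((ev["user"], ev["src"]))
                alerts.append(("login-outside-mgmt", ev["user"], ev["src"]))
            if ev["result"] == "failure":
                recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= FAIL_WINDOW]
                recent.append(ev["ts"])
                failures[ev["src"]] = recent
                if len(recent) == FAIL_THRESHOLD:
                    alerts.append(("login-failure-burst", ev["user"], ev["src"]))
        elif ev["action"] in ACCOUNT_ACTIONS:
            alerts.append(("account-change", ev["user"], ev["action"]))
    return alerts


# Constructed sample audit records (not taken from a real NAM); the last line is deliberately malformed.
SAMPLE_AUDIT = """\
2008-05-12 10:15:01 web user=admin src=10.1.1.5 action=login result=success
2008-05-12 10:16:10 web user=admin src=10.1.1.5 action=add-user result=success
2008-05-12 10:20:00 cli user=root src=192.0.2.44 action=login result=failure
2008-05-12 10:20:05 cli user=root src=192.0.2.44 action=login result=failure
2008-05-12 10:20:09 cli user=root src=192.0.2.44 action=login result=failure
2008-05-12 10:41:00 web user=planner src=10.1.1.9 action=view-report result=success
this line is not an audit record
""".splitlines()

if __name__ == "__main__":
    for alert in review_audit(SAMPLE_AUDIT):
        print(*alert)
```

On the sample the review yields three alerts in order: the admin account change, the CLI login attempt from 192.0.2.44 outside the management subnet, and the burst of three failed root logins from that same address within five minutes.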
Configuring Cisco NAM System Time
To set the NAM system time, select the Admin > System > NAM System Time submenu. [Figure: NAM System Time configuration page.]
Use the Admin > System > E-mail Configuration task to define the external mail server (POP or Exchange) and the e-mail address of the recipient to be used.
FTP Server Configuration
To configure the FTP server, select the Admin > System > FTP Server Configuration submenu. [Figure: FTP server configuration page.]
System Administration: Web Publishing Reports
To configure web publication, select the Admin > System > Web Publication submenu. Web publication can be open or restricted using an access code or publication code. [Figure: Web publication configuration page.]
[Figure: System administration, user preferences. To configure the user preferences, select the Setup > Preferences submenu. Callouts:]
* Check this field to enable IP hostname resolution for use of hostnames in tables and graphs.
* Use this field to customize the default number of rows in a table.
* Use this field to customize how often the Cisco NAM refreshes the data.
* Check this field to enable Audit Trail.
* Use this field to customize the default number of bars.
Summary
This topic summarizes the key points that were discussed in this lesson.
* Cisco NAM must be provided with an initial IP configuration to enable communication with other devices.
* Cisco NAM access parameters are initially configured from the CLI to access the Cisco NAM by way of the network and can be changed via the web interface.
* Use a standard web browser for client access to the Cisco NAM Traffic Analyzer software.
* Several levels of security can be defined for Cisco NAM access.
Objectives
* Monitor basic port statistics (utilization)
* Detailed analysis of selected interfaces using the SPAN feature
* Cisco NAM monitoring will provide:
- Hosts, conversations, and application usage
- Server-client response time monitoring
- URL monitoring
- Packet captures
Problem Description
The network monitoring team has met to discuss ways to be more proactive, especially with a large branch office opening soon.
The goal is to ensure excellent performance across the WAN when the branch offices are accessing applications hosted at the corporate server farm.
Monitoring Plan
The action plan is to perform the following actions and then report back on the results:
* Monitor switch health
* Monitor basic port statistics (utilization)
button provides a real-time graph for various performance statistics (that is, bytes per second, packets per second).
The refresh cycle can be modified by choosing Setup > Preferences, changing the Refresh Interval, and clicking Apply. If the Auto Refresh check box is selected on any data screen, the tables and charts will be refreshed as new data is collected.
Using these views, the network management team happily notes that all critical ports are barely utilized. The team can use this information to confirm the bandwidth predictions that were used to design its network. If any abnormally high utilization or error conditions had existed, the network management team could use these views to help determine the cause.
[Figure: View Port Statistics. A short-term real-time report is available from most monitoring reports; the real-time graph starts plotting when the window is displayed, and 4 minutes of data is shown. Select a port and click Real-Time to view its data over time.]
Implementing Network Analysis with Cisco NAM 3-79
Recognition (NBAR) protocol directory.
Like any NAM data source, when the statistics or data source is set up or defined, no processing of statistics takes place by Cisco NAM until monitoring is enabled for the individual data sources, as illustrated in the figure.
[Figure: Real-time graph that starts plotting when the window is displayed; 4 minutes of data is shown.]
[Figure: Cisco NAM data sources]
* SPAN session (port, VLAN, EtherChannel) to a data port
* VACL (WAN interface or LAN VLAN) to a data port
* NetFlow Data Export (NDE) to the NDE data port
* Supervisor module (enable mini-RMON) via SNMP queries
[Figure: Dataport-1, Dataport-2 and the NDE data port. SPAN Session #1 copies a critical Gigabit port to Dataport-1 on the Cisco NAM for detailed analysis; SPAN Session #2 copies a voice VLAN to Dataport-2 on the Cisco NAM for detailed analysis.]
Note
The ability to span VLANs allows the user to achieve additional monitoring flexibility. Remote switches can be configured to export data on a special user-defined VLAN. The NAM can then span this remote VLAN, effectively spanning data from a remote switch. This capability
RSPAN data traverses production links, so keep in mind that when using this feature, RSPAN copies and forwards packets to a remote NAM for analysis, and thus additional traffic will be placed on your network. RSPAN and SPAN are mutually exclusive; if using RSPAN then you will lose the ability to span data to that port. Consider using a NAM-2 with its second data port to allow Cisco NAM to do both SPAN and RSPAN together.
To span data to the NAM-1 and NAM-2 for analysis, first choose the Setup > Data Sources > SPAN task. A table will be displayed showing the active SPAN sessions. This screen is also useful to refer to when first accessing the NAM-1 and NAM-2 to verify what the current NAM-1 and NAM-2 data sources are, in case they were changed since you last used the Traffic Analyzer software.
If a SPAN session is already active, another one cannot be created (unless a NAM-2 is being utilized) until the current session has been deleted. Another option is to Edit the current session, but only if the SPAN type is not to be changed.
Note
The Active SPAN window will display all SPAN sessions on the host switch and not just the NAM-related SPAN sessions.
[Figure: Configure SPAN. Configuration screen for the SPAN type (port, EtherChannel, VLAN). SPAN sessions can consist of one or more ports or VLANs, but not a mix of ports and VLANs. SPAN session configurable options include RSPAN (VLAN) and the SPAN sources.]
Step 1
Step 2
Step 3
Step 4
Step 5
When done adding all the ports to span, click Submit. The SPAN session is created on the switch automatically.
Step 6
If using native Cisco IOS Software, you must then click Save from the previous Active SPAN Sessions window to complete creating the SPAN session and save to the startup configuration.
Step 7
Repeat these steps to set up a second SPAN session for the voice VLAN. Two active SPAN sessions are available only with a NAM-2 service module.
Besides the DATAPORT 1 and DATAPORT 2 data sources, there will be others to choose from, as noted here.
* ALL SPAN: Monitors all traffic forwarded to the NAM-1 and NAM-2 by means of spanning sessions and VACL traffic.
* DATA PORT X: Monitors all traffic forwarded to an individual NAM-2 data port by means of spanning sessions and VACL traffic (NAM-2 option only).
* VLAN X: Monitors all traffic forwarded to the NAM-1 and NAM-2 by means of spanning sessions and VACL traffic that has membership in the VLAN selected.
* Encapsulated RSPAN (ERSPAN): Monitors all traffic received via ERSPAN.
* MPLS Tag X: Monitors all traffic forwarded to the NAM-1 and NAM-2 by means of spanning sessions and VACL traffic that has membership in the MPLS traffic flow selected.
* NDE default: Monitors all NetFlow traffic sent by a single NetFlow device.
* Most Active Hosts: This graph shows the number of bytes collected per second for each address.
* Server Response Time: This graph shows the server response time and the protocol used by the server.
* Protocol Suite: This pie chart shows the TOPN network protocols.
These graphs show the TOPN, where N by default is 10, but can be configured from 1 to 15 in the global preferences; click Setup > Preferences.
[Figure: Viewing application statistics. Protocols and current rates seen on the DATAPORT1 interface on the Cisco NAM for this type of detailed analysis.]
Following are some tips to consider (applies to other statistic reports as well):
* To refresh the table, click Refresh.
* To sort a table variable by percentage of the total, click on the column header. The variable is listed in descending order according to the percentage of the total.
* To view data that is grouped, click the + sign in front of the group name.
* To change the reporting time interval, click Setup > Preferences.
[Figure: Viewing host statistics. Hosts and current rates seen on the DATAPORTS interface on the Cisco NAM. Remember, SPAN was used to forward the traffic from the switch ports and VLANs to the DATAPORT interface on the Cisco NAM for this type of detailed analysis. Select a host and launch other reports or tools.]
Click Monitor > Hosts to view the various data collected for each host on the selected data source. The same tools apply to this monitoring window. For example, when you select a host and click Details, information on the host is provided, such as protocols used, conversations with the source host, and so on.
[Figure: Viewing VLAN traffic statistics. Monitor traffic rates per VLAN for the selected data source (ALL SPAN).]
[Figure: Viewing 802.1p statistics. Monitor traffic based on different values of the 802.1p priority field.]
[Figure: NetFlow as a data source. A remote NetFlow-enabled device sends NetFlow Data Export (NDE) to the NDE data port, alongside Dataport-1 and Dataport-2. By default, the local Supervisor Engine or MSFC is always available as an NDE device.]
Configuration Steps
* Configure the NetFlow device to forward to NAM-1 or NAM-2 on UDP port 3000.
[Figure: Flow data is exported when NetFlow is enabled on the incoming interface; the device exports the data to the NAM.]
The first step in using NDE packets for monitoring purposes is to configure the NetFlow device. (By default, the local supervisor engine or Multilayer Switch Feature Card (MSFC) is always available as an NDE device.)
The configuration commands for NetFlow devices to export NDE packets to Cisco NAM are platform and device specific. The example configuration commands provided here are the ones most commonly found for devices running Cisco IOS Software:
Note
Step 1
[Figure: NetFlow listening mode. Use the listening mode to see the NetFlow devices sending NDE packets to the NAM; one button starts the listening mode and another adds the selected device to the NAM NDE table.]
periodically update (listening mode will automatically stop after 1 hour) to display the devices Cisco NAM is receiving NDE packets from.
Highlight one of the devices and click Details to view the interfaces reported in the packets and whether or not the device has been added to the NAM NetFlow table. If the device has not been added to the NAM NetFlow table, highlight the device and click the Add button. A new dialog will query the user for the device SNMP read community string to retrieve the text string interface designations. Adding the device to the NDE table creates a default NDE data source, which can be used to monitor the aggregate of all enabled flows on the device.
Note
Remember, to create an NDE data source the device must be added to the NAM NetFlow table.
When the device is added to the NAM NetFlow device table with the associated SNMP read community string, the Details window will also display the text string interface designation and not just the interface index number.
The default NDE data source, created when a device is added to the NAM NetFlow table, is an aggregate of the data on all NetFlow-enabled interfaces of a device. To focus in on a particular
online help or the User Guide for the Network Analysis Module Traffic Analyzer, Release 3.6.
Note
[Figure: Viewing NDE data. Data captures and real-time graphs over time are not available using NDE as a data source, since the NDEs are statistics from NetFlow and not packets. Click Details to see the application protocols used and its conversations.]
* Configure alarms for proactive monitoring (refer to the troubleshooting scenario)
Step 1
From the Active SPAN Sessions window, click Create. The Create SPAN Session window appears.
[Figure: Set Data Source, ports. Ports to be spanned to the NAM (DATAPORT2) interface on the NAM-2 service module. To view reports later for this traffic, the data source to select will be DATAPORT2. Create SPAN session.]
These steps will configure the span session, copying the packets coming from and going to four
Step 3
Step 4
Step 6
Step 7
When you are done adding all the ports to span, click Submit. The SPAN session is created on the switch automatically.
Step 8
If using native Cisco IOS Software, you must then click on Save from the previous Active SPAN Sessions window to complete creating the SPAN session and save to the startup configuration.
Note
Response-Time Monitoring needs to see the request-acknowledge pair to perform its analysis. Make sure the selected data sources are capable of seeing both packets.
[Figure: Response time delay components between the client, the network, the Cisco NAM and the server: client network delay, server network delay, network delay, application delay, total delay.]
* Transaction Time (TT): The total amount of time from the first packet of a client request until the client receives the final response packet from the server.
[Figure: Response time report types]
* Server Application: per server application; application delay, network delay, total delay, transaction time
* Server Network: server network delay, network delay
* Server/Client Application: per server/client pair; application delay, network delay, total delay, transaction time
* Server/Client Network: client network delay, server network delay, network delay
[Figure: Viewing Statistics: Server Application. Statistics per server application on DATAPORT2. From these statistics you can pinpoint the location of the delay: Was it in the client network? Was it due to the application?]
To view response time per server application, click Monitor > Response Time > Server Application.
And as seen earlier, historical reports can easily be started from this window using the Report button.
[Figure: Viewing Statistics: Server Application Details. The Details button provides per-application response time distributions.]
If you see something of concern in the response-time table, you can click Capture to have a packet capture session start up automatically and collect only packets with the selected application and server IP address. To manage the packet captures, use the Capture tab. More information on packet captures will be provided in scenario 4, "Troubleshooting."
And as seen earlier, real-time graphs and historical reports can easily be started from these windows.
TopN servers (shown in this figure). Each bar in the graph represents an application per server. The variable graphed can be changed from the drop-down menu, as shown in the figure.
URL Monitoring
* Problem description:
Understand and track how intranet web servers are used
* Monitoring plan:
- Create data sources to monitor URL packets at the core layer
- Set up URL monitoring
- View URL hit statistics
Note
The Traffic Analyzer software on Cisco NAM can configure the SPAN sessions on the hosting device. The upcoming steps span or copy the outgoing traffic on the Gigabit ports connected to the WAN. Setting up the SPAN session will allow the traffic going to the Internet to be analyzed by Cisco NAM for URL hits.
Step 1
[Figure: Span the ports connected to the WAN router. The NAM-2 service module allows for two possible SPAN sessions. Ports to be spanned to the NAM (DATAPORT2) interface; to view reports later for this traffic, the data source to select will be DATAPORT2. Submit creates the SPAN session.]
Step 3
Step 4
Step 6
Step 7
When done adding all the ports to span, click Submit. The SPAN session is created on the switch automatically.
Step 8
If using native Cisco IOS Software, you must then click on Save from the previous Active SPAN Sessions window to complete creating the SPAN session and save to
[Figure: Set URL Collection on the NAM-2 DATAPORT2 interface. Select which part of the URL should be collected by the Cisco NAM.]
(host.domain.com), a path part (intro), and an arguments part (?id=123). The collection can be configured to collect all parts or to collect only some of the parts and ignore others.
URL monitoring can occur on a per-data-source basis.
[Figure: Viewing URL statistics. URLs seen on the configured data source. If this host address is a popular site or an important server application, you can set the URL to be collected as an application or protocol; then the application can be analyzed like other applications (view hosts, conversations, etc.).]
URL-based applications are extensions to the protocol directory. When the URL in an HTTP
[Figure: Protocol directory. Enable or disable collection of statistics (hosts, conversations, response time) on the new URL-based application or any other protocol using this menu.]
Troubleshooting
* Problem description:
The network management team wants to ensure that they are proactive to any arising performance conditions at the data center
* Monitoring plan:
- Select which statistics to alarm on
- Determine the appropriate threshold to trigger alarms, and determine how to alert the team
- Configure thresholds
- Monitor and forward alarms
- Trigger packet captures when conditions arise
trap?
* What do I monitor and how do I define the thresholds?
* What is considered normal on my network?
* How do I let others know about failures on my network?
below defined or normal expectations. You use thresholds (rising, falling, or both) to define the boundaries of your expectations. You set thresholds against MIB variables and, with Cisco NAM, you can set thresholds against Remote Monitoring (RMON) variables. There are different kinds of variables in MIBs, but the most common type that you will encounter on Cisco NAM is a counter variable. Counter variables work by incrementing the value in the MIB variable by one each time it sees a match for the variable. For example, if you use the variable broadcast packets, then every time Cisco NAM receives a broadcast packet, it will increment the counter by 1. One way to use alarms with counter variables is to measure the difference (delta) between the value of the variable at the start and at the end of the sampling interval, thus reporting only the number of packets observed during the sampling interval. The other option for evaluating the data is by using the absolute value of the variable when it was read. For example, if the MIB variable for broadcast packets had an absolute value of 33874 when sampled, then Cisco NAM will report 33874 broadcast packets since the MIB variable was last cleared.
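The counter-variable discussion above, together with the later guidance on the Absolute and Delta sample types and on rising and falling thresholds, can be worked through in code. The following is an added example and not Cisco NAM code: an RMON-style alarm evaluator run over constructed readings of a broadcast packets counter. The re-arm rule after a rising alarm follows RMON (RFC 2819) alarm semantics and is an assumption about how NAM evaluates thresholds; the syslog line format is also constructed.

```python
"""RMON-style threshold alarms on a MIB counter variable (added example, not
Cisco NAM code).

Absolute sampling compares the counter value as read (packets since the MIB
variable was last cleared); Delta sampling compares counter(end) - counter(start)
over one sampling interval, so it reports only what was observed in that
interval. Rising and falling thresholds bound what is considered normal. The
re-arm rule (after a rising alarm, no second rising alarm until the falling
threshold is crossed, and vice versa) follows RMON alarm semantics (RFC 2819)
and is an assumption about how NAM evaluates thresholds.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class SampleType(Enum):
    ABSOLUTE = "absolute"   # use the value of the counter as read
    DELTA = "delta"         # use counter(end) - counter(start) for the interval


@dataclass
class Threshold:
    name: str               # descriptive alarm name
    variable: str           # MIB variable being watched, e.g. "broadcastPackets"
    sample_type: SampleType
    interval_s: int         # sampling interval in seconds
    rising: int             # alarm when the sampled value reaches this
    falling: int            # falling alarm / re-arm when it drops to this

    def __post_init__(self) -> None:
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed rising threshold")


@dataclass
class AlarmEvent:
    time_s: int
    name: str
    direction: str          # "rising" or "falling"
    value: int              # the sampled (absolute or delta) value that crossed


@dataclass
class AlarmMonitor:
    threshold: Threshold
    events: List[AlarmEvent] = field(default_factory=list)
    _last_raw: Optional[int] = None
    _armed: str = "rising"  # RMON startup: the first alarm allowed is a rising one

    def sample_value(self, raw: int) -> Optional[int]:
        """Convert a raw counter reading into the value that is compared."""
        if self.threshold.sample_type is SampleType.ABSOLUTE:
            return raw
        if self._last_raw is None:      # Delta needs two readings
            return None
        if raw < self._last_raw:        # counter wrapped or was cleared
            return None                 # a negative delta is meaningless; skip it
        return raw - self._last_raw

    def observe(self, time_s: int, raw: int) -> Optional[AlarmEvent]:
        """Feed one reading; return an AlarmEvent if a threshold was crossed."""
        value = self.sample_value(raw)
        self._last_raw = raw
        if value is None:
            return None
        t = self.threshold
        event = None
        if value >= t.rising and self._armed == "rising":
            event = AlarmEvent(time_s, t.name, "rising", value)
            self._armed = "falling"     # only a falling crossing re-arms rising
        elif value <= t.falling and self._armed == "falling":
            event = AlarmEvent(time_s, t.name, "falling", value)
            self._armed = "rising"
        if event is not None:
            self.events.append(event)
        return event


def syslog_line(event: AlarmEvent) -> str:
    """Constructed syslog-style alert text (the format is not NAM's own)."""
    return f"NAM-ALARM: {event.name} {event.direction} threshold crossed, value={event.value}"


# Constructed readings (time in seconds, raw broadcastPackets counter). The
# counter climbs slowly, a broadcast storm adds about 20000 packets in one 60 s
# interval, then traffic settles. 33874 is the page's absolute-value example.
READINGS: List[Tuple[int, int]] = [
    (0, 33874), (60, 33974), (120, 54100), (180, 54160), (240, 54200),
]


def run(threshold: Threshold, readings=READINGS) -> List[AlarmEvent]:
    """Evaluate every reading against one threshold and return the alarms raised."""
    monitor = AlarmMonitor(threshold)
    for time_s, raw in readings:
        monitor.observe(time_s, raw)
    return monitor.events


if __name__ == "__main__":
    # Delta catches the storm and re-arms once traffic settles; Absolute alarms
    # once and never re-arms, because the total since the last clear only grows.
    delta = Threshold("bcast-storm", "broadcastPackets", SampleType.DELTA, 60, 10000, 500)
    absolute = Threshold("bcast-total", "broadcastPackets", SampleType.ABSOLUTE, 60, 50000, 40000)
    for th in (delta, absolute):
        print(th.sample_type.value, [syslog_line(e) for e in run(th)])
```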
3-122
ImplementingCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.O
@ 2008CiscoSystems.Inc.
* Trap: A trap is an SNMP message generated by the SNMP agent in the device that observed the event and is sent to the management station that has been configured to receive these traps. A trap is how Cisco NAM is alerted to conditions; Cisco NAM can then alert personnel using another trap, a syslog message, or an e-mail.
* NAM MIB Thresholds
* NAM Voice Thresholds: Enables you to define thresholds or alarms for packet loss and jitter for SCCP, H.323, SIP, and MGCP
* NAM RTP Stream Thresholds: Enables you to define thresholds or alarms for packet loss statistics based on the RTP sequence number
* Switch Thresholds: Enables you to define thresholds or alarms for variables listed in the mini-RMON agent of the switch; this includes variables such as port utilization, fragments, jabbers, alignment errors, collisions, and more
The Traffic Analyzer alarm features allow you to create alarms for a variety of the variables stored in MIBs either on Cisco NAM or on the switch or router. The following features allow you to create and customize alarms to meet your needs. Review the various tasks prior to using the software to configure.
Use these tasks to define thresholds for live monitoring of data, voice, and video traffic:
* NAM MIB thresholds: NAM MIB thresholds enable you to create alarms and define thresholds based on byte or packet counter variables by protocol for network and MAC layer hosts and conversations. Additionally, MIB threshold alarms can also be created for server response time, server-client response time, DiffServ traffic statistics, DiffServ host statistics, and DiffServ application statistics.
for port utilization, fragments, jabbers, alignment errors, collisions, and more.
* NAM Syslog: Enables you to store MIB and voice events, as well as system alerts, in either a local or remote syslog file
* NAM Alarm Mail: Enables you to define e-mail recipients that should receive notification of events generated by the Traffic Analyzer
* NAM Trap Destinations: Enables you to define the IP address and UDP port for the management stations that should receive notification of events generated by the Traffic Analyzer
Use these tasks to define how the network management team should be alerted to thresholds that have been reached.
* NAM syslog: Syslog configuration enables you to send alerts as syslog messages to either a local or remote syslog file.
* NAM alarm mail: NAM alarm mail allows you to forward alerts as e-mail messages to a list of defined recipients.
[Figure: Configuring Cisco NAM MIB thresholds. Choose the MIB variable you want to monitor (network and MAC layer hosts and conversations, application statistics, server and server-client response times, DiffServ traffic, host and application statistics) and the byte or packet counter (in bytes, out bytes).]
step 2
Step 3
step4
Step 5
on.)
Next, enter the parameters specific to the selected threshold type. For example, if Server Response Time was selected, enter the IP address of the server for the device you want to alarm on. Then, define the interval (the length of time in seconds of the collection period) and a descriptive name for the alarm.
For some variables (not response time), you must also choose the sample type: Absolute or Delta. When you are using counters, you should almost always use Delta because it is used to measure the amount that the counter has increased during a sampling interval.
Always set the value for the rising and falling thresholds. Know what is normal and abnormal by monitoring and trending the variables, as seen in the previous scenarios. Setting both
multicasts, cyclic redundancy check (CRC) alignment errors, undersized frames, oversized frames, fragments, jabbers, and collisions.
To configure alarms for these variables, choose the port you want to alarm on, the variable, the sampling interval, a descriptive name, a sample type, the threshold definitions and values, the alarm event or action, and the community string for the management console that will receive traps, if you configured the alarm to trap on the event. Remember that you must create a new alarm for every port you want to alarm on.
The Sample Type is based on the variable you choose. If you want to compare the difference between a variable at one time interval with the next time interval, then use the sample type Delta. This is typical for counter variable types. The delta value is then compared to the threshold value.
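As an added example, not from the Cisco guide: a small Python model of how a MIB threshold alarm evaluates Absolute and Delta samples against rising and falling thresholds, run over constructed counter readings. The re-arm rule after a crossing and the startup behaviour follow the RMON alarm convention and are my assumptions, not documented NAM internals.

```python
# Added example, not from the Cisco guide: a model of how a NAM MIB threshold
# alarm evaluates Absolute vs. Delta samples against rising and falling
# thresholds. The re-arming (hysteresis) rule and the startup behaviour
# follow the RMON alarm convention and are my assumptions about NAM internals.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ThresholdAlarm:
    name: str               # descriptive alarm name shown in the NAM alarm log
    sample_type: str        # "delta" for counters, "absolute" for gauges such as response time
    rising: int             # rising threshold value
    falling: int            # falling threshold value
    counter_bits: int = 32  # width of the underlying counter (Counter32 wraps at 2**32)
    events: List[str] = field(default_factory=list, init=False)
    _last_raw: Optional[int] = field(default=None, init=False)
    _armed_rising: bool = field(default=True, init=False)
    _armed_falling: bool = field(default=False, init=False)  # startup: rising alarm only

    def sample(self, raw: int) -> Optional[int]:
        """Feed one raw MIB reading. Returns the value actually compared with
        the thresholds: the increase since the last reading for Delta, the
        reading itself for Absolute. None until a Delta alarm has two readings."""
        if self.sample_type == "absolute":
            value = raw
        elif self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw
                return None
            value = raw - self._last_raw
            if value < 0:  # counter wrapped: add the modulus so the delta stays positive
                value += 1 << self.counter_bits
            self._last_raw = raw
        else:
            raise ValueError(f"unknown sample type: {self.sample_type!r}")
        self._evaluate(value)
        return value

    def _evaluate(self, value: int) -> None:
        # A rising event fires once, then is re-armed only after a falling
        # crossing, so a value that stays above the rising threshold does not
        # produce an event every interval.
        if value >= self.rising and self._armed_rising:
            self.events.append(f"{self.name}: rising {self.rising} crossed, value={value}")
            self._armed_rising, self._armed_falling = False, True
        elif value <= self.falling and self._armed_falling:
            self.events.append(f"{self.name}: falling {self.falling} crossed, value={value}")
            self._armed_rising, self._armed_falling = True, False


def run_alarm(alarm: ThresholdAlarm, readings: List[int]) -> List[Optional[int]]:
    """Apply every reading, one per collection interval, in order."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed readings of a cumulative error counter, one per interval.
    readings = [100, 100, 150, 400, 900, 950, 960, 965]
    delta = ThresholdAlarm("port-3/1-errors", "delta", rising=200, falling=20)
    print(run_alarm(delta, readings))  # deltas: [None, 0, 50, 250, 500, 50, 10, 5]
    print(*delta.events, sep="\n")      # one rising event, then one falling event
    # The same counter with Absolute sampling alarms on the running total,
    # which never decreases, so the alarm fires once and can never clear.
    absolute = ThresholdAlarm("port-3/1-errors", "absolute", rising=200, falling=20)
    run_alarm(absolute, readings)
    print(*absolute.events, sep="\n")
```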
[Figure: Configuring Alarms: Send Alarms via Syslog (NAM Traffic Analyzer). Callouts: Send a syslog message to either the local or remote syslog server if alarms are generated when violations occur on MIB, voice, RTP ...; Define the remote syslog servers here.]
One more step is required to complete the configuration of alarms within the Traffic Analyzer: configuring it to forward traps to a network management console. Configuring traps is also a simple process. All you need to do is gather some information: the IP address, the UDP port number, and the community string for the management console that you have designated to receive the traps. Notice that you can configure the Traffic Analyzer to send traps to multiple destinations, all with the same (or different) UDP port number and community string.
Note
The well-known SNMP trap UDP port number is port 162.
[Figure: Configuring Alarms: Send Alarms via E-mail (NAM Traffic Analyzer). Callouts: Enter multiple e-mail addresses to receive notification of Cisco NAM alarms; Click to configure the e-mail server (Admin > System > Email Configuration).]
As an alternative to notification via syslog or trap, Cisco NAM can be configured to send an e-mail to a list of recipients when an alarm occurs. To configure it, use the Setup > Alarms > NAM Alarm Mail task to enable the feature and enter a comma-separated list of recipients.
[Figure: Switch alarm log in the NAM Traffic Analyzer. Callout: A good description entered during setup can help pinpoint the exact nature of the alarm.]
If you choose the Switch link, you can view the alarms generated by the Cisco Catalyst switch. These alarms are a result of the switch threshold configuration choices you made under the Setup > Alarms > Switch Threshold menu. This log maintains up to 256 entries.
An event is fired when the alarm threshold set is met. The event stores the time of the event. If that same threshold is crossed again, a new event is generated and replaces the previous one in the log.
[Figure: NAM Traffic Analyzer Capture Overview. Callouts: Set up and manage capture buffers (NAM RAM); Capture settings and filters; Quick capture (start and stop); Decoding the captures; Saving buffers to NAM hard disk; Add optional remote disk storage; Managing capture files.]
When you finish capturing data, you can either decode it by viewing the capture or download the packets into a file for analysis by other third-party tools, such as application profiling and modeling tools and tools that can read the .pcap format. Alternatively, to expedite the capture configuration, many monitor reports allow you to select a table entry and use the contents as the basis for a capture configuration.
[Figure: Capture Buffers (NAM Traffic Analyzer). Callouts: Show all capture buffers (NAM RAM) and their current status; Modify selected capture buffer settings: pause, clear, and restart capture; Create new capture; Select buffer and decode packets; Save buffer to file on hard disk (use Capture > Files to view); Delete selected or all buffers.]
* Cleared: Capture is stopped (by user) and the capture buffer is cleared.
* Locked: Capture is locked (stopped) because the buffer is full.
This information is important because packet capture utilizes memory and CPU, and there is no sense in leaving a buffer running or allocated if it is not necessary. From this screen the user can create new buffers (capture sessions), edit the settings of a buffer including pausing and starting, decode collected packets in a buffer, save the buffer to the NAM hard drive, and delete the buffer.
[Figure: New Capture Settings. Callouts: Status of capture; Select data source (defined earlier from the Setup > Data Sources menu); Save packets to either the NAM buffer (RAM), the NAM hard disk, or a remote disk; Define how the Cisco NAM handles new packets when the buffer is full; Capture filtering options enable you to filter out any unwanted traffic by address and/or protocol before it is stored in Cisco NAM memory for analysis; Clear buffer first to change settings; Capture controls: capture must be stopped to change settings.]
The first and most important configuration option for capturing data is selecting your data source, which you do from the Capture From field in the Capture > Settings dialog.
* Capture to Buffer: As with all protocol analyzers, there is an absolute limit to the number of packets that Cisco NAM can capture and store in memory, but it also has features to optimize the use of NAM resources while maximizing the number of packets stored. Those features include:
Wrap when Full: This option enables you to define what action Cisco NAM should
packets that match the filter (inclusive) or exclude all packets that match the filter (exclusive).
Note
You can use address and protocol filters together, but not port and custom filters.
[Figure: Custom Capture Filters (Capture > Custom Filters > Capture Filters). Callouts: Leave blank if the filter is protocol independent; Enter your data string: you must enter the hexadecimal value of the data string you want to filter on; The mask fields (hexadecimal) enable you to define which portions of the data string are relevant for filtering and which portions can be ignored; The offset (decimal) and base options instruct the filter where in the packet to begin searching for the data string; Status and status masks enable you to search for the status of Ethernet frames that are oversized or ...]
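As an added example, not from the Cisco guide: a Python model of the custom capture filter fields (data string and mask in hexadecimal, decimal offset, base, and the inclusive or exclusive action) applied to constructed Ethernet/IPv4/TCP frames. The set of base values and the way the mask is applied are my assumptions about the filter semantics.

```python
# Added example, not from the Cisco guide: a model of the NAM custom capture
# filter fields (data string in hex, mask in hex, decimal offset, base, and
# inclusive/exclusive action) applied to constructed Ethernet/IPv4/TCP frames.
# The meaning of the Base values (where the offset is counted from) and the
# bitwise-AND use of the mask are my assumptions, not documented NAM internals.
import struct
from dataclasses import dataclass
from typing import List


def header_bases(frame: bytes) -> dict:
    """Byte offsets at which the Ethernet, IP and TCP headers start, or None
    where the frame does not carry that layer."""
    bases = {"absolute": 0, "ethernet": 0, "ip": None, "tcp": None}
    if len(frame) < 14:
        return bases
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800 and len(frame) >= 34:
        bases["ip"] = 14
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length incl. options
        if frame[23] == 6 and len(frame) >= 14 + ihl + 20:  # protocol 6 = TCP
            bases["tcp"] = 14 + ihl
    return bases


@dataclass
class CustomFilter:
    data_hex: str            # value to look for, e.g. "0050" for TCP port 80
    mask_hex: str = ""       # "" means every bit of the data string is significant
    offset: int = 0          # decimal offset counted from the base
    base: str = "absolute"   # "absolute", "ethernet", "ip" or "tcp"
    exclusive: bool = False  # False = keep matching packets, True = drop them

    def matches(self, frame: bytes) -> bool:
        data = bytes.fromhex(self.data_hex)
        mask = bytes.fromhex(self.mask_hex) if self.mask_hex else b"\xff" * len(data)
        if len(mask) != len(data):
            raise ValueError("mask must be the same length as the data string")
        base = header_bases(frame).get(self.base)
        if base is None:
            return False  # frame has no such header, so it cannot match
        start = base + self.offset
        window = frame[start:start + len(data)]
        if len(window) < len(data):
            return False  # data string would run past the end of the frame
        return all((w & m) == (d & m) for w, d, m in zip(window, data, mask))

    def apply(self, frames: List[bytes]) -> List[bytes]:
        """Keep (inclusive) or drop (exclusive) the frames that match."""
        return [f for f in frames if self.matches(f) != self.exclusive]


def build_frame(src_port: int, dst_port: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with dummy addresses and no valid checksums."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 1, 1, 10]), bytes([10, 1, 1, 20]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    frames = [build_frame(40000, 80), build_frame(40001, 443),
              build_frame(80, 40002), build_frame(40003, 8088)]
    # TCP destination port 80: data "0050" at offset 2 from the TCP header.
    print(len(CustomFilter("0050", offset=2, base="tcp").apply(frames)))        # 1
    # Mask "fff0" ignores the low nibble, so 8080-8095 (0x1F90-0x1F9F) all match.
    print(len(CustomFilter("1f90", "fff0", offset=2, base="tcp").apply(frames)))  # 1
```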
To view and filter the results of your data capture, select the buffer to decode from the Capture > Buffers dialog, and click Decode. The upper portion of the screen shows you summary information for each packet. This section includes the following fields:
* Pkt: This includes the sequence number assigned by Cisco NAM as the packet entered the switch.
* Time: This is a relative timestamp indicating how much time has elapsed since the capture of the first displayed packet (not the first packet in the buffer). You can also view time by absolute time. Check the Cisco NAM User Guide for more information.
* Size: This field gives the size of the packet in bytes.
* Destination: This field gives the address (either Layer 2 or Layer 3) or IP hostname of the device receiving the packet.
* Protocol: This field gives the highest layer of protocol that Cisco NAM recognizes.
* Info: This field gives information providing more detail about the packet.
The contents in the lower half of the screen provide you with detailed information about the packet that you have highlighted in the upper portion of the screen. This detailed information shows you the fields of each protocol header of the packet as well as the data field. You can also see the Layer 2 Ethernet header information as well as portions of the Layer 3 IP header information. Use the +/- symbols to the left of each header to view more
An additional remote external drive can be configured to expand the data storage capabilities of Cisco NAM. Later in this topic, it will be discussed how to set up the additional storage.
[Figure: Saving captures to the Cisco NAM hard disk. Callouts: Created by the Quick Capture feature from a monitoring window (Capture button); Automatic capture: the capture buffer used when a configured alarm is set to trigger a packet capture.]
There are basically two ways to store buffers to the local hard drive of Cisco NAM:
* The first method is to select a buffer from the Capture > Buffers list and click Save to File.
* The second method is to configure Cisco NAM to Capture to Disk when the capture settings are defined.
For flexibility and increased storage, Cisco NAM can also store the captured packets on a remote disk.
To use the remote disk option, configure Cisco NAM with details about the remote disk, using the Admin > System > Capture Data Storage task.
The remote storage server can be of either type: Network File System (NFS) or Internet Small Computer Systems Interface (iSCSI).
[Figure: Defining Remote Data Storage. Callouts: Note: the NFS server must be able to grant access to the Cisco NAM in order to write to the disk; Server hostname and directory to hold the captured packet files (used to select the disk); NFS options to define the transfer protocol, timeout and retry values.]
To use an NFS remote disk, click the Create NFS button to define it. Provide a name for the disk (in order to identify it in the NAM user interface), enter the hostname of the server that has the remote disk, and provide the directory where the capture files should be located.
Note the following:
* The NFS server must be configured to grant read and write access to Cisco NAM in order for Cisco NAM to be able to store capture files on it. The following example shows how to
Check the existing partition number when the remote iSCSI target disk has already been formatted and has a partition table.
Note
Before Cisco NAM can recognize the configured iSCSI device, Cisco NAM must be restarted so that it can load the device drivers.
[Figure: Managing Capture Files (Capture > Files). Callouts: Select capture files on the Cisco NAM hard disk (local) or remote disk; Number of Files option.]
Like the buffers in Cisco NAM memory, it is important to be able to manage the capture files stored on either the Cisco NAM hard drive or any defined external storage devices. Several tasks can be performed on these files using the Capture > Files task, which will list all files found on the Cisco NAM hard drive.
* Decode: Select the desired file and decode it (just like decoding buffers).
* Analyze: Provide traffic, protocol, and host rates over time for the capture file.
Summary
This topic summarizes the key points that were discussed in this lesson.
Lesson 4
Cisco NAM Maintenance
Overview
Objectives
To determine which image Cisco NAM is using, you can use the show module command or session to Cisco NAM. When using the application image, the show module output indicates the software version that is being used by Cisco NAM. If using the maintenance
Patch Installation
* Patches are incremental updates to software releases that are installed with the patch NAM CLI command.
* Patches are available only for the Cisco NAM application image.
[Figure: NAM CLI prompt root@localhost# with the patch command (NAM-1, NAM-2). Callout: Installs a patch.]
Note
Before patching Cisco NAM, make sure that Cisco NAM is currently booted with the application image.
Nonresponding Cisco NAM
[Figure: Nonresponding Cisco NAM. Callouts: NAM CLI unreachable; Press the Shutdown button on Cisco NAM; status LED.]
If Cisco NAM is not responding, take the following actions:
Step 1
Step 2
Check to ensure that you can ping over the Ethernet out-of-band channel (EOBC).
Step 3
Step 4
Step 5
Collect core files.
Step 6
Step 7
Step 8
Step 9
Clear the configuration.
Step 10
Cisco NAM Troubleshooting
This topic describes NAM troubleshooting.
The NAM offers much data and many reports that give you visibility into your network. You can choose from among the data sources available to you and tailor the NAM monitoring and reporting functions to meet your specific needs.
[Figure: System Alerts screen (Admin > Diagnostics > System Alerts) in the NAM Traffic Analyzer. Callout: View failures or problems that have occurred.]
You can view any failures or problems that the Cisco NAM Traffic Analyzer has detected during normal operations. This information can be viewed by going to the Admin > Diagnostics > System Alerts screen in the Cisco NAM Traffic Analyzer software.
[Figure: Audit Trail screen in the NAM Traffic Analyzer. Callout: View activities that have occurred.]
* All CLI commands
* User logins (including failed attempts)
* Unauthorized access attempts
* SPAN changes
* NDE data source changes
* Enabling and disabling data collections
* Creating and deleting reports
* Starting and stopping captures
* Adding and deleting users
This information can be viewed by going to the Admin > Diagnostics > Audit Trail screen in the Cisco NAM Traffic Analyzer software.
As illustrated in the figure, each activity includes a date, the user ID, an IP address (in case of remote access), and a note describing the activity. The internal log files are rotated after reaching a certain size limit.
[Figure: Monitor and Capture screen in the NAM Traffic Analyzer.]
Diagnostics: Check Logged Messages
[Figure: Admin > Diagnostics > Tech Support output in the NAM Traffic Analyzer. Callout: Check for these words: Error, Failed, Incorrect, Warning.]
The NAM has a technical support option that gathers diagnostic information from the Cisco NAM hardware and operating system. This information can be viewed by displaying the Admin > Diagnostics > Tech Support screen in the NAM Traffic Analyzer software or by entering the show tech-support command in the NAM CLI. In both cases, scroll down to the /var/log/messages information (toward the bottom) and look for keywords indicating problems (error, failed, incorrect, warning). The information should indicate the source of the problem and provide you with a starting point for correcting it.
Finally, make sure that you review the release notes for any known issues and workarounds, as well as the Catalyst 6500 Series Switch and Cisco 7600 Series Router Network Analysis Module Installation and Configuration Note for additional troubleshooting tips.
Summary
* Periodically, the firmware in Cisco NAM might need to be upgraded or patches might need to be installed.
* Shut down Cisco NAM before removing it from its slot.
* Diagnostics and reports are available for monitoring the overall health of Cisco NAM.
Module Summary
This topic summarizes the key points that were discussed in this module.
Which of the following is a valid data source for the Cisco NAM service module? (Source: Introducing Cisco NAM)
A) SPAN
B) Layer 2 access list
C) Prefix list
D) IP access list
E) Policy-based routing
Q7)
Q8)
D)
Switch health statistics collection