
DCNI-1

Implementing Cisco Data Center Network Infrastructure 1
Volume 2
Version 2.0

Student Guide
Text Part Number: 97-2674-01

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Table of Contents

Volume 2

Describing the Cisco Blade Switch Family  1-433
    Overview  1-433
    Objectives  1-433
    Introducing the Cisco Blade Switches  1-434
        Where and Why Are Blade Switches Used?  1-434
        Blade Servers and Switches Benefits  1-434
        Comparing Cabling Design Options  1-435
        Management  1-436
        Security  1-436
        QoS  1-436
        High Availability  1-437
        Configuring Layer 2 Trunk Failover  1-438
    Introducing the Cisco Blade Switch for HP Blade Servers  1-440
        HP c7000 BladeSystem Characteristics  1-440
        HP c3000 BladeSystem Characteristics  1-440
        Network Interconnect Bays  1-441
    Introducing the Cisco Blade Switches for Dell Blade Servers  1-445
        Cisco IOS on Cisco Blade Switches  1-452
        Licenses  1-452
        License Activation  1-452
        Replacing Malfunctioning Devices  1-453
        Obtaining the License  1-454
        Removing a License  1-454
        Examining the License Information  1-454
        Replacing a Switch in a Virtual Blade Switch  1-457
        Standalone Operation  1-457
    Introducing the Cisco Blade Switches for FCS Blade Servers  1-459
    Summary  1-461
Module Summary  1-462
References  1-463
Module Self-Check  1-466
Module Self-Check Answer Key  1-472

Implementing FWSM for a Data Center Network Infrastructure  2-1
    Overview  2-1
    Module Objectives  2-1
Implementing Traffic Flows  2-3
    Overview  2-3
    Objectives  2-3
    Firewall Overview  2-4
        Isolated Legacy Networks  2-4
        Connected Networks  2-4
        Firewall Implementation  2-6
    FWSM Overview  2-11
        Scaling FWSM Performance  2-11
        FWSM Initial Configuration  2-21
        When to Use PVLAN?  2-34
    Firewall Modes  2-35
        Routed Mode  2-35
        Transparent Mode  2-35
        Using Transparent vs. Routed Mode  2-36
        Configuring IP Addresses in Routed Mode  2-37
    Configuring the Translation  2-41
        Identity NAT  2-48
        Static Identity NAT  2-48
        NAT Exemption  2-49
        Maximum Number of NAT Statements  2-51
    Summary  2-57
Implementing ACLs  2-85
    Overview  2-85
    Objectives  2-85
    Configuring Layer 2 Filtering  2-86
        FWSM and Layer 2 Security  2-86
        MAC Address Table Attack and Remedy  2-88
        Configuring MAC Address Table Customization  2-88
        Configuring ARP Inspection  2-90
        Configuring Ethertype Filtering  2-92
    Configuring ACLs  2-93
        ACL Processing  2-94
        ACL Configuration  2-95
        Manipulating ACLs  2-95
        Time-Based ACLs  2-99
        ACL Logging  2-100
        ACL System Resource Utilization  2-104
    Summary  2-106
Implementing Contexts  2-107
    Overview  2-107
    Objectives  2-107
    FWSM Virtualization Overview  2-108
        Security Contexts Overview  2-108
        Classifying Packets When Sharing the Interface  2-113
    Configuring FWSM Contexts  2-119
        System Execution Space  2-119
        Admin Context  2-120
        Accessing Contexts  2-120
        Admin Context  2-122
        Verifying Contexts  2-124
        Removing Contexts  2-124
        Changing the Context  2-125
    Managing Context Resources  2-126
        Configuring Resource Management  2-126
        Defining Resource Limitations  2-128
        Configuring Memory Partitions  2-130
        Verifying Memory Partitions  2-130
    Summary  2-132
Implementing Routing  2-133
    Overview  2-133
    Objectives  2-133
    Configuring Static Routing  2-134
        How to Determine Where to Forward the Traffic  2-134
        How FWSM Makes Forwarding Decisions  2-134
        Default Route  2-135
        Static Route Convergence  2-136
        Configuration Example  2-136
    Configuring Dynamic Routing  2-137
        OSPF Limitations  2-138
        Verifying OSPF Operation  2-140
        BGP Limitations  2-144
        Optional BGP Commands  2-146
    Using RHI to Inject Translated IP Addresses  2-147
    Using Asymmetric Routing Groups to Allow Asymmetric Routing  2-148
        Using Asymmetric Routing Groups with Asymmetric Routing in Failover with Multiple Contexts  2-149
    Summary  2-150
Implementing Failover  2-151
    Overview  2-151
    Objectives  2-151
    Failover Overview  2-152
        Active-Standby Failover  2-152
        Active-Active Failover  2-153
        Failover Link Requirements  2-154
        State Link  2-155
        Failover Event with Active-Active  2-157
        Failover Operation  2-160
        Rapid Link Failure Detection with Cisco IOS Autostate  2-164
    Configuring Failover  2-165
        Primary and Secondary Roles  2-165
        Configuration Replication  2-165
    Summary  2-180
Implementing Deep Packet Inspection  2-181
    Overview  2-181
    Objectives  2-181
    Deep Packet Inspection Overview  2-182
    URL Filtering Overview  2-190
        URL Filtering Operation  2-190
        Configuring Websense Server  2-192
        Configuring Secure Computing SmartFilter  2-193
        Enabling Buffering  2-193
        Enabling Caching  2-193
        Identifying Traffic  2-194
    Summary  2-196
Module Summary  2-197
Module Self-Check  2-198
Module Self-Check Answer Key  2-200

Implementing Network Analysis with Cisco NAM  3-1
    Overview  3-1
    Module Objectives  3-1
Introducing Cisco NAM  3-3
    Overview  3-3
    Objectives  3-3
    Network Traffic Monitoring Overview  3-4
        Challenges  3-4
        Benefits  3-4
        NAM Deployment Dependent on Monitoring Purposes  3-9
        The Big Picture Defined  3-11
    Cisco NAM Service Module  3-16
        Cisco NAM Data Sources  3-33
        Plan for Cisco NAM Deployment  3-40
        Cisco Catalyst 6500 Series Switch NAMs  3-43
    Summary  3-48
Implementing Initial Configuration  3-49
    Overview  3-49
    Objectives  3-49
    Cisco NAM Installation  3-50
        NAM Hardware Installation  3-52
        Verifying NAM Installation  3-53
    Cisco NAM Initial Configuration  3-54
        Initial IP Settings  3-55
        Enabling Web Server  3-56
        VLAN Configuration  3-57
        What Are SNMP Community Strings?  3-57
    Summary  3-74
Monitoring, Viewing, and Saving Data  3-75
    Overview  3-75
    Objectives  3-75
    Scenario 1: Live Network Monitoring and Analysis  3-76
        Problem Description  3-76
        Monitoring Plan  3-76
        Action 1: Port Monitoring  3-77
        Historical Reporting and Trending  3-79
        Action 2: Detailed Port Monitoring  3-82
        Action 3: Using NDE with Cisco NAM  3-96
    Scenario 2: Response-Time Monitoring  3-103
        Verify Cisco NAM Deployment  3-103
    Scenario 3: URL Monitoring  3-114
    Scenario 4: Troubleshooting  3-121
        Action 1: Thresholds and Alarms  3-122
        Action 2: Trigger Packet Captures  3-135
    Summary  3-149
Cisco NAM Maintenance  3-151
    Overview  3-151
    Objectives  3-151
    Cisco NAM Software Upgrade  3-152
    Nonresponding Cisco NAM  3-154
    Shutting Down Cisco NAM  3-155
    Cisco NAM Troubleshooting  3-156
    Summary  3-161
Module Summary  3-162
Module Self-Check  3-163
Module Self-Check Answer Key  3-165

Implementing Cisco Data Center Network Infrastructure 1 (DCNI-1) v2.0
© 2008 Cisco Systems, Inc.

Lesson 12

Describing the Cisco Blade Switch Family

Overview

Objectives

Introducing the Cisco Blade Switches

This topic describes the Cisco blade switch family.

Using Cisco Blade Switches

- Data center: blade server enclosures
- Optimize rack space and high availability

[Figure: access-layer options in front of a Cisco Catalyst 6500 core: end-of-row access, top-of-rack access with a Catalyst 4948, and the Cisco blade switch inside the enclosure]

Where and Why Are Blade Switches Used?

Data centers typically have numerous servers, which take up space and need cabling and management.

Integrated blade switches present a third cabling design option, in addition to end-of-row and top-of-rack.

From a logical network perspective, this design is most similar to a top-of-rack design.

Keep in mind that the blade switch design can introduce complications for the spanning tree design, because there are more access layer switches per rack.

Blade Servers and Switches Benefits

Blade servers are used to optimize server deployment in data centers. Multiple servers are put into one enclosure and thus:

- Optimize rack space usage: blade servers and switches use less space than their standalone counterparts
- Reduce the necessary cabling from servers to the network equipment
- Use power more efficiently and produce less thermal output per server unit
- Add resiliency with redundant fan and power units from the blade chassis
- Make the solution more scalable


Comparing Cabling Design Options

[Figure: comparison of the end-of-row, top-of-rack, and integrated blade switch cabling designs]

© 2008 Cisco Systems, Inc. Implementing the Cisco Catalyst 6500 Series, Cisco Catalyst 4900 Series, and Blade Switches

Cisco Blade Switch Features

- Management: Cisco IOS CLI, SNMP MIBs, CiscoWorks management tool; integration with the enclosure management module
- Integrated security: ACLs, IEEE 802.1x, TACACS+/RADIUS
- High availability: STP enhancements, UDLD, Layer 2 trunk failover, IEEE 802.3ad
- Quality of service (QoS)

[Figure: Cisco blade switch]

All Cisco blade switches offer a complete set of intelligent services to deliver security, quality of service (QoS), and availability in the server farm access environment.

A Cisco blade switch extends Cisco infrastructure services to the server edge and uses existing network investments to help reduce operational expenses.

Management
The blade switches offer all the network management capabilities available on standalone Cisco Catalyst switches, along with blade server enclosure management integration:

- Basic access with the Cisco IOS command-line interface (CLI)
- Device-level access with standard Simple Network Management Protocol (SNMP) MIBs available across Cisco Catalyst Series switches
- Integration with the blade server management module
- CiscoWorks management tool

Security
Security mechanisms incorporate security access control lists (ACLs), IEEE 802.1x port-based authentication, and TACACS+/RADIUS for authentication, authorization, and accounting (AAA) of management and port access, among others.
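A worked configuration that exercises the three mechanisms listed above on one blade switch, as an added example that is not from the guide: TACACS+ AAA with a local fallback for management access, SSH-only VTY access restricted by ACL, a port ACL (PACL) on a server downlink, and IEEE 802.1X on the same downlink. The hostname and domain, the addresses (10.10.0.0/24 management network, 10.10.0.5 TACACS+ server, 10.10.0.6 RADIUS server, 10.1.1.11 blade), the shared secrets, and the interface numbers are assumptions.

```ios
! --- Management-plane AAA: TACACS+ first, local account only if no server answers
aaa new-model
tacacs-server host 10.10.0.5 key Tac4cs-Sh4red-Secret
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Fallback account: "secret" stores a hash, "password" would store reversible type 7
username admin privilege 15 secret L0cal-F4llback
!
! --- RADIUS backs 802.1X supplicant authentication on server downlinks
radius-server host 10.10.0.6 auth-port 1812 acct-port 1813 key R4dius-Sh4red-Secret
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! --- SSHv2 only, reachable only from the management network (assumed names)
hostname blade-sw1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! --- Port ACL on the server downlink. On a Layer 2 port a PACL filters inbound
! only, i.e. frames the blade sends, so this list states what the blade may
! originate: HTTPS replies plus DNS and NTP client traffic. Everything else
! (including any other source address the blade might spoof) is dropped.
ip access-list extended BLADE1-OUTBOUND
 permit tcp host 10.1.1.11 eq 443 any
 permit udp host 10.1.1.11 any eq 53
 permit udp host 10.1.1.11 any eq 123
 deny   ip any any
!
interface GigabitEthernet0/1
 description Blade 1 (HTTPS front end)
 switchport mode access
 switchport access vlan 10
 ip access-group BLADE1-OUTBOUND in
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpduguard enable
end
```

Two caveats when applying this: `dot1x port-control auto` keeps the downlink blocked until the blade's NIC authenticates, so enable it only on ports whose blades actually run a supplicant, and leave the others at the default `force-authorized`; and `crypto key generate rsa` and `ip ssh version 2` are only available on the crypto (K9) image that the licensing topic later in this lesson mentions.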

QoS
QoS mechanisms available include ingress rate limiting, marking, shaped round robin (SRR), and priority queuing.


High Availability

The blade switches incorporate the spanning-tree enhancements that are available on Catalyst Series switches:

- PortFast, UplinkFast, BackboneFast
- Root guard, bridge protocol data unit (BPDU) guard/filter
- Per VLAN Spanning Tree Plus (PVST+) and Per VLAN Rapid Spanning Tree Plus (PVRST+)
- UniDirectional Link Detection (UDLD)
- Layer 2 trunk failover

On the internal server downlinks, BPDU guard is the relevant protection: it error-disables a port on which a BPDU arrives, so a misconfigured or compromised blade (for example, a hypervisor with bridging enabled) cannot influence the spanning-tree topology of the enclosure.


Layer 2 Trunk Failover

- Challenge: an uplink port failure should trigger a link outage on the server ports, so that a server with NIC teaming can switch from the primary to the secondary NIC

Configuration shown on the slide:

    link state track 1
    !
    interface Port-channel1
     link state group 1 upstream
    !
    interface range GigabitEthernet0/1 - 16
     link state group 1 downstream

[Figure: blade server enclosure with two blade switches; Server 1 has a primary and a secondary NIC, one on each switch; the uplink port channel connects the first switch to the rest of the network]

Blade server blades connected to a blade switch have no knowledge of whether the switch has connections to the rest of the network.

In case of an uplink port failure, a server using NIC teaming would not switch over from the primary to the secondary NIC (usually connected to another switch), because the link to the primary NIC stays up.

Layer 2 trunk failover is used on the blade switches to trigger link outages on the server ports in case of a link outage on the uplink ports, thus enabling the server to switch over to the secondary NIC.

Configuring Layer 2 Trunk Failover

To enable Layer 2 trunk failover, the following configuration steps have to be taken:

Step 1  Configure a Layer 2 trunk failover group with the link state track global configuration command.

Step 2  Define the uplink ports as upstream with the link state group upstream interface configuration command.

Step 3  Define the server downlink ports as downstream with the link state group downstream interface configuration command.

Note: In the example, the interface Port-channel1 was configured in advance.
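The three steps carried through on a Cisco Blade Switch 3020 (16 internal downlinks, uplinks on the combination ports), as an added example that is not from the original guide. The guide only states that Port-channel1 exists beforehand; its membership (GigabitEthernet0/17-18, LACP) and the description strings are assumptions.

```ios
! Uplink port channel (assumed members Gi0/17-18, LACP). It has to exist
! before the link-state group refers to it.
interface range GigabitEthernet0/17 - 18
 description Uplink to aggregation switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
! Step 1: create link-state tracking group 1
link state track 1
!
! Step 2: the port channel is the upstream interface. A group counts as down
! only when every upstream interface in it is down, so track the bundle,
! not its individual members; one failed member must not cut off the servers.
interface Port-channel1
 link state group 1 upstream
!
! Step 3: all 16 internal server downlinks are downstream. When the upstream
! goes down the switch error-disables these ports; the NIC-teaming driver on
! each blade sees link loss and fails over to the NIC on the partner switch.
! The downlinks recover on their own when an upstream interface comes back.
interface range GigabitEthernet0/1 - 16
 link state group 1 downstream
end
!
! Verification: group status plus the up/down state of every upstream and
! downstream interface in the group
show link state group detail
```

Test the group before relying on it: `shutdown` Port-channel1 and confirm that all 16 downlinks go to err-disabled in `show interfaces status`, then `no shutdown` and confirm they return. Configure the same group on the paired blade switch in the enclosure, since each server NIC depends on the switch it is attached to signalling the outage, and never put a port in both the upstream and the downstream set of a group.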


Cisco Blade Switch Platforms

[Figure: supported blade server platforms: HP c-Class, Dell, Fujitsu Siemens, HP p-Class]

Cisco offers these blade switches:

- Five Cisco blade switches for HP, Dell, and Fujitsu Siemens blade server systems
- Two OEM blade switches for HP and IBM blade server systems

Note: The OEM custom switches offer many of the same features, benefits, and value but are designed specifically for IBM and HP blade products. They are sold by IBM and HP only.

Introducing the Cisco Blade Switch for HP Blade Servers

This topic describes the Cisco blade switch for HP blade servers.

HP c7000 BladeSystem Overview

- Front: 8 full-height or 16 half-height server blades per enclosure
- Rear: 2 slots for Gigabit Ethernet switches; 2 slots for FC or Gigabit Ethernet switches; 4 slots for high-speed I/O (for example InfiniBand, 10 Gigabit Ethernet)

[Figure: HP c7000 enclosure, front and rear views; the rear interconnect bays are labeled LAN switch or pass-through and SAN switch or pass-through]

HP c7000 BladeSystem Characteristics

The HP c7000 BladeSystem has these characteristics:

- 10 rack unit (RU) chassis
- Full-height server blades, up to eight per enclosure
- Half-height server blades, up to 16 per enclosure
- Half-height storage blades, up to 15 per enclosure and a total of 90 drives per enclosure
- 10 Gigabit Ethernet-capable backplane
- I/O options: 1/10 Gigabit Ethernet, InfiniBand, Fibre Channel
- Integrated HP BladeSystem Insight Display linked to the Onboard Administrator for local and remote system management
- Up to six hot-swappable power supplies configurable for N+N or N+1 redundancy

HP c3000 BladeSystem Characteristics

The HP c3000 BladeSystem has these characteristics:

- 6 RU chassis or tower
- Full-height server blades, up to four per enclosure
- Half-height server blades, up to eight per enclosure
- Four I/O interconnect bays with either Ethernet, InfiniBand, or Fibre Channel

Network Interconnect Bays

The HP BladeSystem c-Class chassis has four pairs of interconnect bays (using cross-connects horizontally across the bays).

Cisco Blade Switch 3020

- 8 external 10/100/1000BASE-T RJ-45 uplink ports: 4 shared with SFP ports (only one of each pair can be active at a time); 2 shared with the internal crossover to a paired Catalyst Blade Switch 3020
- 16 internal 10/100/1000BASE-T downlinks for server connections

[Figure: Cisco Blade Switch 3020 faceplate: port LEDs, console port, 4x SFP uplink ports, 8x RJ-45 uplink ports]

The Cisco Blade Switch 3020 for the HP c-Class BladeSystem provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability at the server edge, which reduces cabling requirements.

The Cisco Blade Switch 3020 ships as a single unit and should be ordered in quantities of two for redundancy purposes. A single blade can have up to four optional 1000BASE-SX fiber small form-factor pluggable (SFP) modules.

The Cisco Blade Switch 3020 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. It is compatible with HP c-Class server blades such as the BL460c, BL480c, BL465c, BL685c, and BL8x0c.

The following system properties pertain to the switch:

- 128 MB of memory and 32 MB of flash
- 48-Gb/s switching fabric
- Up to 36-Mp/s forwarding rate based on 64-byte packets
- Up to 8192 MAC addresses

The following interfaces are available:

- 16 internal 10/100/1000BASE-T downlinks used for server connections
- 8 1-Gb RJ-45 copper uplinks
- Optional four SFP SX modules for fiber connectivity, where either the copper or the SFP port is active

Note: Ports 17-20 are combination ports, supporting either fixed RJ-45 connectors or SFP connectors. Insertion of an SFP connector automatically disables the associated copper connector.


Note: The uplinks on ports 23 and 24 can optionally be configured as internal cross-connects to a paired Cisco Blade Switch 3020.

Up to six uplink ports can be put into a port channel, providing 6-Gb/s connectivity.

Cisco Blade Switch 3020 Features

Category            Features
Spanning Tree       - IEEE 802.1D, 802.1s, 802.1w
                    - PVST, PVST+, Rapid PVST
                    - Per-VLAN Rapid Spanning Tree (PVRST+)
                    - PortFast, UplinkFast, BackboneFast
                    - Spanning Tree Root Guard (STRG), UniDirectional Link Detection (UDLD)
Link Aggregation    - IEEE 802.3ad with Link Aggregation Control Protocol (LACP)
                    - EtherChannel using Port Aggregation Protocol (PAgP)
VLANs               - IEEE 802.1Q and Cisco ISL tagging
                    - VLAN Trunking Protocol (VTP)
                    - Dynamic Trunking Protocol (DTP)
                    - 1024 VLANs and 4000 VLAN IDs
Advanced QoS        - 802.1p class of service (CoS) and differentiated services code point (DSCP) field classification
                    - Cisco QoS ACLs
                    - SRR scheduling
                    - Cisco Committed Information Rate (CIR)
Multicasting        - Internet Group Management Protocol (IGMP) snooping v1 and v2
                    - Multicast VLAN Registration (MVR)
                    - 1000 configurable IGMP groups
Security            - Per-port broadcast, multicast, and unicast storm control
                    - TACACS+, RADIUS
                    - IEEE 802.1x
                    - Port-based ACLs (PACLs)
                    - SSHv1 and SSHv2, Kerberos, SNMPv3
                    - MAC address notification
                    - Protected port feature
Management          - Cisco Discovery Protocol
                    - Cisco IOS CLI, CiscoWorks
                    - RMON I and II
                    - SNMPv1, SNMPv2c, and SNMPv3
                    - SPAN, RSPAN
                    - End-to-end Cisco IOS common user interface and software upgrade across the entire switch network


Switch Architecture

[Figure: Cisco Blade Switch 3020 architecture: console port, processor, 32 MB flash, 128 MB SDRAM, TCAM, switching ASICs, 4 SFP ports, 8 RJ-45 ports, 16 server downlink ports]

The figure shows an overview of the Cisco Blade Switch 3020 architecture. The following key components constitute the switch:

- Processor that handles the control plane functionality
- Flash, TCAM, and working memory that hold the Cisco IOS image, the loaded Cisco IOS code, and various memory structures
- ASICs handling packet manipulation
- Physical (PHY) layer bridging between the ASICs and the physical ports
- Ports: internal (16 server downlink ports), external (eight RJ-45 and four SFP-based ports), and interswitch (two connectivity ports; if they are used, two fewer uplink ports are available)


Introducing the Cisco Blade Switches for Dell Blade Servers

Dell PowerEdge 1955 Overview

- Front: 10 server blades per enclosure
- Rear: 4 slots for I/O switches

[Figure: Dell PowerEdge 1955 enclosure, front and rear views]

Note: The Dell PowerEdge 1955 System is the successor to the Dell PowerEdge 1855 System.

Cisco Blade Switch 3030

- 6 external uplink ports: 4 SFP ports; 2 RJ-45 10/100/1000BASE-T copper ports
- 10 internal 10/100/1000 Mb/s downlinks for server connections
- EOS: June 9, 2008

[Figure: Cisco Blade Switch 3030 faceplate: console port, 4x SFP uplink ports, 2x RJ-45 uplink ports]

The Cisco Blade Switch 3030 for Dell PowerEdge 1955 and 1855 Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability at the server edge, which reduces cabling requirements.

Note: The switch reaches end-of-sale (EOS) status on June 9, 2008.

The Cisco Blade Switch 3030 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. It is compatible with the Dell PowerEdge 1955 and its predecessor, the 1855 Blade Server Enclosure.

Up to four can be installed per chassis, with the second set of two requiring Ethernet daughter cards on each server blade.

The following system properties pertain to the switch:

- 128 MB of memory and 32 MB of flash memory
- 32-Gb/s switching fabric
- Up to 24 Mp/s forwarding rate based on 64-byte packets
- Up to 8192 MAC addresses

The following interfaces are available:

- 10 internal 10/100/1000BASE-T downlinks used for server connections (ports 1-10, PortFast enabled)
- Two external 10/100/1000BASE-T copper ports (ports 11, 12)
- Four external 10/100/1000 SFP-based copper or fiber SX ports (ports 13-16)
- Serial console with port redirection to the Dell DRAC/MC


Cisco Blade Switch 3030 Architecture

[Figure: Cisco Blade Switch 3030 architecture: console port, 32 MB flash, 128 MB SDRAM, TCAM, switching ASICs, 4 SFP ports, 2 RJ-45 ports, 10 server downlink ports]

Dell PowerEdge M1000e Overview

- Front: 16 half-height server blades per enclosure
- Rear: 6 slots for I/O switches

Dell PowerEdge M1000e System characteristics:

- 10 RU chassis
- Up to 16 half-height server blades per enclosure
- Hot-swappable nonredundant (three) or redundant (3+3) power supplies
- Six I/O switch modules for three redundant fabrics (can host Cisco Blade Switch M3032, M3130G, M3130X)
- Nine hot-swappable fan modules
- Three chassis controllers with KVM switch

Note: Ethernet FlexIO switches provide on-demand stacking and uplink scalability.

Cisco Blade Switch 3032

- 8 external uplink ports: 4 10/100/1000BASE-T RJ-45 copper ports; 4 SFP ports (using the Cisco TwinGig Converter in X2 slots)
- 16 internal 10/100/1000 Mb/s downlinks for server connections

[Figure: Cisco Blade Switch 3032 faceplate: 4x RJ-45 uplink ports, 4x SFP uplink ports, console port]

The Cisco Blade Switch 3032 for Dell PowerEdge M1000e Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability at the server edge, which reduces cabling requirements. The Cisco Blade Switch 3032 is a Layer 3 switch.

The following system properties pertain to the switch:

- 256 MB of memory and 64 MB of flash memory
- 48-Gb/s switching fabric
- Up to 36 Mp/s forwarding rate based on 64-byte packets
- Up to 8192 MAC addresses

The following interfaces are available:

- 16 internal 10/100/1000BASE-T downlinks used for server connections
- Four external 10/100/1000BASE-T RJ-45 copper ports
- Four external SFP-based copper or fiber ports using Cisco TwinGig converter modules in the X2 slots
- Serial console
- Fast Ethernet management interface connected to the Chassis Management Controller (CMC)

Cisco Blade Switch 3130G and 3130X

- 3130G: 8 external uplink ports: 4 10/100/1000BASE-T RJ-45 copper ports; 4 SFP ports (using the Cisco TwinGig Converter in X2 slots)
- 3130X: 6 external uplink ports: 4 10/100/1000BASE-T RJ-45 copper ports; 2 X2 10 Gigabit Ethernet ports
- 16 internal 10/100/1000 Mb/s downlinks for server connections

[Figure: faceplates of the 3130G (4x RJ-45 uplink ports, 4x SFP uplink ports, console) and the 3130X (4x RJ-45 uplink ports, 2x X2 uplink ports, console)]

The Cisco Blade Switches 3130G and 3130X for Dell PowerEdge M1000e Blade Server Systems provide an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability at the server edge, which reduces cabling requirements.

The following system properties pertain to the switch:

- 256 MB of memory and 64 MB of flash memory
- 128-Gb/s switching fabric
- Up to 59.2 Mp/s forwarding rate based on 64-byte packets
- Up to 12,000 MAC addresses (depends on the template used)

The following interfaces are available:

- 16 internal 10/100/1000BASE-T downlinks used for server connections
- Serial console
- Fast Ethernet management interface connected to the CMC
- Cisco Blade Switch 3130G: four external 10/100/1000BASE-T RJ-45 copper ports; four external 1-Gb SFP-based copper or fiber ports using the Cisco TwinGig converter module in the X2 slots
- Cisco Blade Switch 3130X: four external 10/100/1000BASE-T RJ-45 copper ports; two external 10-Gb X2-based ports

Cisco Blade Switches 3130G and 3130X support virtual blade switch functionality.

Cisco Blade Switch 3130 and 3032 Architecture

[Figure: Cisco Blade Switch 3130 and 3032 architecture: console port, 10/100 Ethernet management port, three switching ASICs, 16 server downlink ports, 4 RJ-45 ports, two X2/SFP slots]

Software Licenses and Features

- Same image with different licenses to activate the feature set
- Cisco Blade Switches 31x0 ship with the IP Base image
- Cisco Blade Switch 3032 can run only the IP Base image

[Table: feature set by license. Rows: standard L2+ feature set; IP Source Guard and Dynamic ARP Inspection; RIP/static, EIGRP stub; IPv6 manageability; multicast; OSPF; BGP. The marks showing which license enables each row were not preserved in this copy.]

Cisco IOS on Cisco Blade Switches

Cisco Blade Switches 31x0 run a universal Cisco IOS image that is the same image used for any feature set and contains all Cisco IOS features.

Only the crypto version (K9) is available separately from the Cisco software center. The K9 image is the one that carries SSH and the other encryption features, so it is the image to load on a switch that is to be managed over SSH rather than Telnet.

Licenses
Three license types exist: IP Base, IP Services, and Advanced IP Services.

A license is required for each switch, including each switch in a stack. It is locked to the unique device identifier (UDI) of the switch and does not expire.

Cisco Blade Switches 31x0 ship with the IP Base standard license installed; to activate any other feature set, a license file has to be installed. This has no impact on Cisco IOS version updates.

Note: The Cisco Blade Switch 3032 can only run the IP Base image.

License Activation
A customer purchases a Product Authorization Key (PAK), obtains the UDIs for the devices to upgrade, and passes the information to the Cisco license portal. Licenses are then sent electronically to the customer, who applies them to the devices. No Internet connectivity from the switch to Cisco is required.

Note: Different PAKs for different types of switches exist, and an individual PAK can generate multiple licenses before it is used up (similar to a debit card).

The Cisco license portal can provide the license history for any device.

Replacing Malfunctioning Devices

This requires a Cisco.com login, the old UDI, the new UDI, and the service contract number. No PAK is required.

Note: A maximum of three replacement licenses can be generated from the original license before a TAC call is required.

The other option is to use sparing and replace the failed switch with a like spare.

Managing Cisco IOS Licenses

switch# license install flash:<license-file>
Installing licenses from "flash:<license-file>"
Installing...Feature:ipservices...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install
switch#
19:46:56: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Next reboot level = ipservices and License = ipservices

Obtaining the License

These are the steps for obtaining the license:

- Buy the PAK code for a specific license (it represents the proof of purchase).
- Get the UDI for the switches to be upgraded.
- Log in to the Cisco license portal at http://www.cisco.com/go/licenses and create a license file using the PAK and UDI.
- Download the license file received by email to the switch flash memory.
- Install the license with the license install command.

Removing a License
If required, a license can be removed with the license clear EXEC command.

switch# license clear ipservices
Feature: ipservices
    1   License Type: Permanent
        License State: Active, In Use
        License Addition: Exclusive
        Comment:
Are you sure you want to clear? (yes/[no]): yes

Examining the License Information

Use the following commands to examine and verify the license information:

- To display the available licenses, use the show license file command.
- To examine the status of individually licensed features, use the show license status and show license detail commands.
- To display the licensable UDIs, use the show license udi command.
- To debug licensing, use the debug license command.

Use the show license udi command to examine the switch UDI (required for obtaining the license):

switch# show license udi switch 1
Device#   PID             SN            UDI
------------------------------------------------------------
*1        WS-CBS3130X-S   FOC1132HZSR   WS-CBS3130X-S:FOC1132HZSR


Virtual Blade Switch

- Stack Catalyst Blade Switch 3130 switches
- Manage them as one switch
- Enables active-active server connectivity
- Virtual port channel: combine ports from different blade switches

[Figure: a 3130 virtual blade switch (VBS) with uplinks to a Catalyst 6500; local server-to-server traffic stays within the VBS domain]

Virtual blade switch technology provides a high-bandwidth interconnect between up to eight Cisco Catalyst Blade Switch 3130 switches, enabling them to be configured and managed as one logical switch.

This simplifies management, allows server-to-server traffic to stay within the virtual blade switch domain instead of congesting the core network, and can help significantly consolidate external cabling.

The following pertains to the virtual blade switch stack:

- Catalyst Blade Switch 3130G and 3130X can be used in the same stack
- Server active-active NIC teaming is possible with a port channel that spans multiple physical switches
- Managed as a single switch
- A single switch in the spanning tree and Layer 3 topology
- Enables virtual port channel deployment: combining ports from different physical blade switches in a stack
- Special stack cables can be 0.5, 1, or 3 meters long; they are keyed for direction

In a single virtual blade switch domain there is one master switch with 1:N resiliency for the master; that is, each member holds a copy of the master switch configuration.

New virtual blade switch members get Cisco IOS Software automatically upgraded (to the same Cisco IOS Software as the master switch has) and are automatically configured from the master switch.


Replacing a Switch in a Virtual Blade Switch

Standalone Operation
A Catalyst Blade Switch 3032 or a Catalyst Blade Switch 3130 operating in standalone mode behaves like a Catalyst Blade Switch 3030 switch.


VBS Deployment Scenarios

(Figure: three deployment scenarios: a single VBS (cost effective), separate VBS (more resilient), and 4 NICs per server (more server bandwidth))

Virtual blade switches can be deployed in different scenarios, depending on the customer needs, as shown in the figure:
* A single virtual blade switch is the cost-effective solution and the most common.
* Separate rings with separate virtual blade switches are more resilient.
* A four-NIC server scenario gives more server bandwidth (for example, for VMware).


Introducing the Cisco Blade Switches for FCS Blade Servers
This topic describes the Cisco blade switches for FCS Blade Servers.

Fujitsu Siemens Primergy BX600 Overview
* Front:
  10 dual-socket server blades per enclosure
  5 quad-socket server blades per enclosure
* Rear: 4 slots for I/O switches

(Figure: front and rear view of the Primergy BX600 enclosure)


Cisco Blade Switch 3040
* 6 external uplink ports:
  4 SFP ports
  2 RJ-45 10/100/1000BASE-T copper ports
* 10 internal 10/100/1000 Mb/s downlinks for server connections

(Figure: switch faceplate with the console port, 2x RJ-45 uplink ports, and 4x SFP uplink ports)

The Cisco Blade Switch 3040 for Fujitsu Siemens Primergy BX600 Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements.
The Cisco Blade Switch 3040 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. Up to four can be installed per chassis.
The following system properties pertain to the switch:
* 128 MB of memory and 32 MB of flash memory
* 32-Gb/s switching fabric
* Up to 24 Mp/s forwarding rate based on 64-byte packets
* Up to 8192 MAC addresses
The following interfaces are available:
* 10 internal 10/100/1000BASE-T downlinks used for server connections
* Two external 10/100/1000BASE-T copper ports
* Four external 10/100/1000 SFP-based copper or fiber SX-based ports
* Serial console with port redirection to Dell DRAC

The hardware architecture is the same as for the CBS 3030 switch.


Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* Cisco blade switches are used in blade server enclosures.
* A Cisco blade switch is equivalent to a standalone Cisco Catalyst switch.
* Layer 2 trunk failover shuts the server port upon corresponding uplink failure.
* Cisco blade switches are available for HP, Dell, and Fujitsu Siemens blade systems.
* VBS functionality enables Catalyst Blade Switch 3130 stacking.
* Cisco OEM blade switches are available for HP and IBM blade systems.

Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary
* To deploy scalable and manageable ... and SOA data centers, follow the ECNM ...
* The Cisco Catalyst 4900 Series Switch is designed to deliver the highest reliability and serviceability in a 1RU or 2RU configuration.
* Multiple generations of supervisors exist for the Cisco Catalyst 6500 Series Switches: Supervisor 1, 2, 32, and 720.
* The Supervisor Engine 720 provides higher-performance management and forwarding functions to Catalyst 6500 Series Switches than any other supervisor engine available.
* The Supervisor Engine 720 is designed to support three generations of line cards, providing flexibility in network design and investment protection.
* The VSS 1440 manages redundant links, which externally act as a single port channel.
* The Catalyst 6500 Series Switch with Cisco IOS Software Modularity minimizes downtime and boosts operational efficiency through evolutionary software infrastructure advancements.

Module Summary (Cont.)
* Exported NetFlow data can be used for a variety of purposes, including network management and planning, enterprise accounting and departmental chargebacks, ISP billing, data warehousing, and data mining for marketing purposes.
* To support QoS levels, several features have been incorporated into the hardware of the Catalyst 6500 Series Switch, including the MSFC, the PFC, and the port ASICs.
* EEM offers the ability to monitor events and take informational or corrective action when specific monitored events occur or when a threshold is reached.
* High-availability and reliability features are integrated technologies on the Catalyst 6500 Series Switch, and the platform offers integral components to deliver maximum uptime and fault detection.
* SPAN, RSPAN, and ERSPAN sessions allow the network administrator to monitor and analyze traffic locally or remotely.
* Blade servers are used to optimize server deployment in data centers.


References

* For more information on the Cisco Catalyst 6500 Series Secure Sockets Layer (SSL) Services Module, go to SSL Services Module for Cisco Catalyst 6500 or Cisco 7600 Series on www.cisco.com.
* For more information on the Cisco Content Switching Modules, go to Cisco Catalyst 6500 Series Content Switching Module on www.cisco.com.
* For more information on the Cisco Application Control Engine, go to Cisco Application Control Engine Module on www.cisco.com.
* For more information on the Catalyst 6500 Series Switch Wireless Services Module, go to Cisco Catalyst 6500 Series Wireless Services Module on www.cisco.com.
* For more information on the Cisco Multiprocessor WAN Application Module, go to Cisco Multiprocessor WAN Application Module on www.cisco.com.
* For more information on Cisco Content Services Gateways, go to Cisco Content Services Gateway on www.cisco.com.
* For more information on the Catalyst 6500 Series Communication Media Module, go to Cisco Catalyst 6500 Series and Cisco 7600 Series Communication Media Module on www.cisco.com.
* For more information on the T1/E1 and Services Module, go to Catalyst 6000 Family Voice T1 and Services Module on www.cisco.com.
* For more information on Cisco Network Analysis Modules (NAM-1 and NAM-2), go to Cisco Catalyst 6500 Series and Cisco 7600 Series Network Analysis Module on www.cisco.com.
* For more information on the Catalyst 6500 Series Switch Anomaly Guard, go to Cisco Anomaly Guard Module on www.cisco.com.
* For more information on the Cisco Traffic Anomaly Detector, go to Cisco Traffic Anomaly Detector Module on www.cisco.com.
* For more information on default queue mappings and drop thresholds, go to Default Drop Threshold Percentages and CoS Value Mappings at http://www.cisco.com/en/us/docs/switches/lan/catalyst6500/ios/12.2sx/configuration/guide/qos.html#wp1478881

Module Self-check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-check Answer Key.

Q1) Which data center evolution driver slows the power demand growth by increasing the utilization of the resources? (Source: Describing the Catalyst 6500 and 4900 Series Switch Data Center Architecture)
A) Human collaboration
B) Business continuity
C) Virtualization
D) Agility

Q2) Which two of the following Cisco data center platforms are suitable for the data center core layer? (Choose two.) (Source: Describing the Catalyst 6500 and 4900 Series Switch Data Center Architecture)
A) Cisco Catalyst 4900 Series Switches
B) Cisco Nexus 5000 Series Switches
C) Cisco Catalyst 6500 Series Switches
D) Cisco Nexus 7000 Series Switches
E) Cisco Blade Series Switches

Q3) Which of the following Cisco Catalyst 4900 Series switches is modular? (Source: Describing and Positioning the Cisco Catalyst 6500 and 4900 Series Switches)
A) Catalyst 4900-51
B) Catalyst 4948
C) Catalyst 4948-10GE
D) Catalyst 4948-M

Q4) Which three high-availability features do Cisco Catalyst 4900 Series switches offer? (Choose three.) (Source: Describing and Positioning the Cisco Catalyst 6500 and 4900 Series Switches)
A) 1+1 redundant hot-swappable power supplies
B) Redundant supervisor engines
C) Redundant backplane
D) Redundant, hot-swappable fans with variable speed
E) HSRP, VRRP and GLBP support
F) Stateful Switchover (SSO)


A) Access layer
B) Aggregation layer
C) Core layer

Nexus 7000
Nexus 5000
Cisco Catalyst 6500 Series Switch
Cisco Catalyst 4900 Series Switch
Cisco blade switch

Distributed sustained 48 Mp/s per DFC3

Q8) Which two slots in a Cisco Catalyst 6509 Switch chassis can host a Supervisor 720 engine? (Choose two.) (Source: Describing the Cisco Catalyst 6500 Series Switch Supervisors)


Q9) Which component of the Supervisor 720 holds the route and switch processors? (Source: Describing the Cisco Catalyst 6500 Series Switch Supervisors)
A) PFC3
B) MSFC3
C) Switch fabric
D) DFC3

Q10) Which two of the following are benefits of the VSS? (Choose two.) (Source: Describing the Cisco Catalyst 6500 Series Switch Supervisors)
A) MEC
B) Virtual device contexts
C) Active-active data plane
D) Enhanced L2 security
E) Reduced switchover time

Q11) Which of the following modules can be used to deploy the VSL? (Source: Describing the Cisco Catalyst 6500 Series Switch Module and Power Supply Options)
A) WS-X6704-10GE
B) WS-X6708-10GE
C) WS-X6716-10GE
D) WS-X6724-SFP

Q12) What two VSL protocols are used to initialize VSS? (Choose two.) (Source: Implementing Cisco Catalyst 6500 VSS 1440)
A) Stateful Switchover
B) Link Management Protocol
C) IP Bidirectional Forwarding
D) Enhanced PAgP
E) Role Resolution Protocol

Q13) Which Dual Active Detection mechanism is deployed over a Layer 3 direct Ethernet connection? (Source: Implementing Cisco Catalyst 6500 VSS 1440)
A) IP Bidirectional Forwarding
B) Enhanced PAgP
C) Role Resolution Protocol
D) HSRP

Q14) What is the last step of the VSS conversion process? (Source: Implementing Cisco Catalyst 6500 VSS 1440)
A) switch convert mode virtual command
B) reload command
C) switch virtual link switch-number command
D) switch accept mode virtual command


A) CISCO BASE
B) CISCO LATEST
C) CISCO LATEST ACTIVATE

Remove one level of installed files

A) DEST-SRC
B) SRC ONLY
C) DEST ONLY
D) DEST-SRC-INT
E) FULL

True
False


Q20) Which of the following commands has to be used in order to enable QoS processing on the PFC? (Source: Implementing QoS)
A) enable qos
B) mls qos
C) enable pfc qos
D) pfc qos

Q21) Where is a CoPP policy applied? (Source: Implementing QoS)
A) Through a global configuration
B) On the incoming interface
C) To an internal PFC to MSFC interface
D) To a control plane interface

Q22) Which two options are available to define an EEM policy? (Choose two.) (Source: Implementing EEM)
A) Event Detectors
B) CLI Applet
C) Event Manager
D) Event Manager Policy Engine
E) Tcl Script

Q23) What two GOLD diagnostics can be used for troubleshooting? (Choose two.) (Source: Utilizing Automated Diagnostics)
A) Bootup diagnostics
B) On-demand diagnostics
C) Health monitoring diagnostics
D) Scheduled diagnostics

Q24) What is used to trigger Smart Call Home to send the message? (Source: Utilizing Automated Diagnostics)
A) Contact information
B) Alert group
C) Profile
D) Destination address
E) Destination transport method

Q25) What are the three supported traffic sources for the SPAN source port? (Choose three.) (Source: Implementing SPAN, RSPAN, and ERSPAN)
A) Interface
B) NetFlow
C) VACL
D) VLAN
E) Port channel

Q26) What is the source of the RSPAN session on the destination switch? (Source: Implementing SPAN, RSPAN, and ERSPAN)
A) Interface
B) RSPAN VLAN
C) VLAN
D) Port channel


True
False


Module Self-check Answer Key

Q1)
Q2)
1-B C
1-B
Q8)
Q9)
Q20)
Q23)
B, D


Module 2

Implementing FWSM for a Data Center Network Infrastructure

Overview

Module Objectives


Lesson 1

Implementing Traffic Flows


Overview
The Cisco Catalyst 6500 Series Switch can be provisioned with Cisco service modules to provide additional processing functions beyond routing and switching. One of these modules is the Cisco Catalyst 6500 Series Firewall Services Module (FWSM), which provides integrated firewall services in the Catalyst 6500 Series Switch chassis. Designing networks that use the Catalyst 6500 Series FWSM requires an understanding of firewall services and the FWSM.
This lesson discusses the IP networking terms and concepts relevant to the underlying operations of the Catalyst 6500 Series FWSM, describes the challenges that firewalls address, and the key features and architecture of the Catalyst 6500 Series FWSM.

Objectives
Upon completing this lesson, you will be able to explain the basic installation and configuration procedures for configuring the Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:
* Explain the purpose and operation of firewalls
* Describe the characteristics of the Cisco Catalyst 6500 Series FWSM
* Describe the steps needed to deploy a basic Catalyst 6500 Series FWSM configuration
* Explain Catalyst 6500 Series FWSM networking modes
* Describe the steps needed to configure routed mode
* Describe the steps needed to configure transparent mode
* Explain the Catalyst 6500 Series FWSM NAT and PAT
* Describe the steps needed to configure NAT and PAT

Firewall Overview

This topic describes the fundamental problems that firewalls are designed to address.

Connected Networks

(Figure: headquarters, a branch office, telecommuters, and mobile users connected to each other over the Internet)

Isolated Legacy Networks

Early corporate data networks were built on proprietary technology and were often attached directly to mainframe or mid-size systems. Early IP networks in a corporate setting replaced proprietary transport technology with IP-based networks carried primarily on facilities dedicated to the company constructing the network, as shown in the figure.

An important attribute of these early corporate IP networks was the amount of isolation that existed between the corporate network and any other network. In general, the isolation was complete at the IP layer, with no mechanisms for traffic from unauthorized devices to be injected into the network. Security concerns in this network revolved primarily around the strength of the authentication provided by the access server. Much of the data security in these early networks was controlled by the mainframe or mid-size systems, which still owned most of the data.

Connected Networks

Modern corporate IP networks are connected to the global Internet and make use of the Internet for some or all of their data transport needs, as shown in the figure. Private circuits still exist and are used for security reasons, or merely to provide dedicated site-to-site bandwidth. The public Internet is also used for site-to-site links and has replaced the public switched telephone network (PSTN) as the prevalent means for connecting remote users. Additionally, corporations are providing more services via the Internet to customers and business partners.
Connecting corporate networks to the public Internet offers many advantages. Low-cost, high-speed access to the corporate network is easily provided for remote users with widely available Internet access in homes, hotels, restaurants, airports, etc. Traffic loads can be converged on one Internet-based infrastructure, resulting in cost savings for site-to-site and company-to-company connectivity.

Along with the advantages of connecting the corporate network to the global Internet comes a set of new security challenges. Unknown and unauthenticated systems are now capable of generating IP traffic that is injected into and routed by the corporate network. Systems from web servers to mainframes to workstations are now accessible from anywhere in the world. Compromising one system has now become an easier first step in mounting an attack on a corporate network.
There are several technologies available to mitigate the risks of Internet connectivity while maintaining the benefits. These technologies include firewall services.


What Is a Firewall?

* A firewall controls traffic flow from network to network

(Figure: a firewall joining the Internet (outside network), a demilitarized zone (DMZ) holding the web server, and the inside network)

A firewall controls access among a collection of two or more networks or inside a network. This is accomplished by controlling the traffic that flows from an interface to an interface.

Firewall Implementation

In the simplest implementations, a firewall connects two networks together. One network is the inside network, the other is the outside network. The inside network is the collection of network resources that must be protected from the outside network.
Additional networks can be added to the collection of networks that are controlled by a firewall. A typical use of this capability is the creation of a demilitarized zone (DMZ) network. DMZ networks are also referred to as perimeter networks. Resources in the DMZ network often have less stringent security requirements than those employed for the inside network. Systems might also be placed in the DMZ if they are used to provide services to the general public.
The figure shows an example of a firewall deployment in which a public web server is placed into the DMZ while corporate workstations and internal-use-only servers are placed into the inside network. The outside network is used to connect the corporate network with the Internet. The firewall in this example can implement a policy that the public web server is allowed to receive HTTP requests, but resources in the inside network cannot.


Packet Filtering

(Figure: the web server in the DMZ, the Internet on the outside network, and the inside network; the firewall applies the following packet filtering policy)

    Source    Destination   Permit
    Outside   DMZ:80        Yes
    Outside   DMZ:!80       No
    DMZ       Any           Yes
    Inside    Any           Yes
    Outside   Inside        No

Proxy Server

(Figure: the web server and a proxy server in the DMZ, the Internet on the outside network, and the inside network; the packet filtering policy with the proxy server added)

    Source    Destination   Permit
    Outside   Web:80        Yes
    Outside   Web:!80       No
    Outside   Proxy         Yes
    DMZ       Any           Yes
    Inside    Any           Yes
    Outside   Inside        No

Proxy servers can be used to address the limitations of firewalls that rely on simple packet filtering. A proxy server is a system that accepts connections for protected users and then establishes a second connection to the requested resource.
In the figure, the policies for packet filtering have been changed. An additional system has been added to the DMZ and is running proxy server software. Traffic to the web server is still limited to port 80; however, traffic from anywhere is allowed to reach the proxy server. Any inside system that chooses to access an Internet-based resource is configured with the IP address of the proxy server. Any connections from the inside network go to the proxy server, which establishes its own connection with the resource on the Internet.

Inside users can now access resources on the Internet. However, the proxy server is a system that is open to all traffic and needs to be carefully secured. A failure of the security of the proxy server would compromise the protection offered by the firewall.


Stateful Packet Filtering

(Figure: the web server in the DMZ, the Internet on the outside network, and the inside network; the firewall keeps an entry for each active connection: source/destination address, source/destination port, sequence numbers, and TCP flags)

    Source                Destination   Permit
    Outside               DMZ:80        Yes
    Outside               DMZ:!80       No
    DMZ                   Any           Yes
    Inside                Any           Yes
    Outside               Inside        No
    Established session                 Yes
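Worked example for the Firewall Implementation policy and the Packet Filtering and Stateful Packet Filtering figures above, added here and not part of the original course material: a stateless filter judges every packet by the rule table alone, so replies to an inside user's session are denied by the Outside-to-Inside rule, while a stateful filter also keeps an entry per active connection (addresses, ports, TCP flags) and permits segments of an established session without opening the inside network to all outside traffic. The zone-to-address mapping and the sample packets are constructed for this example.

```python
"""Stateless versus stateful packet filtering, modelled on the figures above.

Added example, not code from the original course material. The rule table
follows the Packet Filtering figure; the zone-to-address mapping and the
sample packets are constructed for this example.
"""
from dataclasses import dataclass

# Constructed mapping of addresses to the three zones of the figures.
ZONE_OF = {
    "203.0.113.10": "Outside",  # a client somewhere on the Internet
    "203.0.113.53": "Outside",  # a server somewhere on the Internet
    "192.0.2.80": "DMZ",        # the public web server in the DMZ
    "10.1.1.5": "Inside",       # a corporate workstation
}

# Rule table from the Packet Filtering figure. First match wins; a packet
# that matches no rule is denied.
# (source zone, destination zone or None for any, destination port or None, permit)
RULES = [
    ("Outside", "DMZ", 80, True),        # Outside -> DMZ:80   Yes
    ("Outside", "DMZ", None, False),     # Outside -> DMZ:!80  No
    ("DMZ", None, None, True),           # DMZ -> Any          Yes
    ("Inside", None, None, True),        # Inside -> Any       Yes
    ("Outside", "Inside", None, False),  # Outside -> Inside   No
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset({"SYN"})  # TCP flags carried by the segment


class StatelessFilter:
    """Judges every packet by the rule table alone."""

    def __init__(self, rules):
        self.rules = rules

    def rule_permits(self, pkt):
        src_zone, dst_zone = ZONE_OF[pkt.src_ip], ZONE_OF[pkt.dst_ip]
        for rule_src, rule_dst, rule_port, permit in self.rules:
            if (rule_src == src_zone
                    and rule_dst in (None, dst_zone)
                    and rule_port in (None, pkt.dst_port)):
                return permit
        return False

    def permits(self, pkt):
        return self.rule_permits(pkt)


class StatefulFilter(StatelessFilter):
    """Adds the connection table of the Stateful Packet Filtering figure:
    one entry per active connection. Segments of an established session pass
    in both directions; a segment with no session must be an opening SYN
    and must pass the rule table."""

    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = {}  # (src_ip, src_port, dst_ip, dst_port) -> flags seen

    def permits(self, pkt):
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        for key in (forward, reverse):
            if key in self.sessions:
                # Established session: permitted regardless of the rule table.
                self.sessions[key] |= pkt.flags
                if pkt.flags & {"FIN", "RST"}:  # teardown removes the entry
                    del self.sessions[key]
                return True
        if "SYN" not in pkt.flags or "ACK" in pkt.flags:
            return False  # stray non-SYN segment with no session is dropped
        if not self.rule_permits(pkt):
            return False
        self.sessions[forward] = set(pkt.flags)
        return True


def demo():
    """Runs one packet sequence through both filters and returns the verdicts."""
    sequence = [
        Packet("10.1.1.5", 40000, "203.0.113.53", 80),     # inside user opens HTTP
        Packet("203.0.113.53", 80, "10.1.1.5", 40000,
               frozenset({"SYN", "ACK"})),                  # the server's reply
        Packet("203.0.113.10", 80, "10.1.1.5", 40001,
               frozenset({"ACK"})),                         # ACK with no session
        Packet("203.0.113.10", 50000, "192.0.2.80", 80),   # HTTP to the DMZ server
        Packet("203.0.113.10", 50001, "192.0.2.80", 22),   # SSH to the DMZ server
    ]
    stateless, stateful = StatelessFilter(RULES), StatefulFilter(RULES)
    return ([stateless.permits(p) for p in sequence],
            [stateful.permits(p) for p in sequence])


if __name__ == "__main__":
    for name, verdicts in zip(("stateless", "stateful"), demo()):
        print(name, verdicts)
```

The stateless filter drops the server's reply to the inside user (second packet); the stateful filter accepts it because the inside user's SYN created a session entry, and both drop the unsolicited ACK and the SSH attempt.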


Concept of Virtual Firewalling

* Logical partitioning of a single FWSM into multiple logical firewalls
* Logical firewall = Security context
  Policies and management
  IP address space (can be reused between contexts)
  Operational mode (routed or transparent)
  Set of VLAN interfaces
  Resource usage

Virtual firewalls present logical partitioning of a single physical Catalyst 6500 Series FWSM into multiple logical firewalls. A logical firewall is called a security context (or virtual firewall).

Security contexts allow administrators to separate and secure data center silos while providing easy management using a single system. They lower overall management and support costs by hosting multiple virtual firewalls in a single device.


FWSM Overview
This topic identifies the characteristics of the Catalyst 6500 Series FWSM.

FWSM Hardware
* Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router firewall system
* High performance firewall, 5.5 Gb/s
* Maximum of 1 million simultaneous connections
* Maximum of 100,000 connection setups and teardowns per second
* 256,000 PAT and 256,000 NAT translations
* Up to four blades per chassis

Scaling

* The second solution consists in assigning each Catalyst 6500 Series FWSM a distinct set of VLANs. Traffic is therefore associated to a given Catalyst 6500 Series FWSM based on its incoming or outgoing VLAN tag.
* The third solution consists in the network administrator overriding the dynamic routing process by manually assigning a specific Catalyst 6500 Series FWSM based on the source or destination of the traffic.


FWSM Key Features
* Fabric-enabled card
* Based on proven Cisco PIX firewall technology
* Supports transparent or routed firewall mode
* Up to 250 security contexts (virtual firewall instances)
* Up to 256 VLANs in a single routed context
* Up to 100 VLANs per each routed context in multi-context mode
* Up to 8 pairs of VLANs in each transparent context
* Up to 1000 VLANs in all contexts

Key features of the Catalyst 6500 Series FWSM include these:
* Supports transparent or routed firewall mode: When configured to run in routed mode, the Catalyst 6500 Series FWSM is considered a router hop in the network and performs NAT between connected networks. When configured in transparent mode, the Catalyst 6500 Series FWSM acts like a "bump in the wire" and is not considered a router hop. The inside and outside interfaces are the same networks, but different VLANs, with the Catalyst 6500 Series FWSM providing the connectivity.
* Supports up to 250 security contexts: The Catalyst 6500 Series FWSM can be in single or multiple context mode. In multiple context mode, up to 250 separate security contexts can be configured, depending on the software license being used. Multiple contexts are similar to having multiple stand-alone firewalls, conveniently contained within a single module.
* Supports up to 256 VLANs in a single routed context: Up to 256 VLANs can be configured in a single routed context.
* Supports up to 100 VLANs per each routed context in multicontext mode: When multiple routed contexts are deployed, each context could have 100 VLANs.
* Supports up to eight pairs of VLANs in each transparent context: Each transparent context could be deployed with eight pairs of VLAN bridge groups.
* Supports up to 1000 VLANs across all contexts: Across all contexts, a maximum of 1000 VLANs can be configured.
* Supports 5-Gb/s throughput: The Catalyst 6500 Series FWSM provides up to 5-Gb/s throughput.
* Supports one million concurrent connections: The Catalyst 6500 Series FWSM supports up to one million concurrent connections at any given time.
* Supports 100,000 connections per second: Up to 100,000 connections can be established per second.
* Multiple blades are supported in one chassis: In a single Catalyst 6500 Series Switch chassis, up to four Catalyst 6500 Series FWSM modules can be supported.


FWSM Key Features (Cont.)

* High-availability features include:
  Active-active and active-standby contexts
  Pre-empt option for active-active
  Intra- or inter-chassis stateful failover
* Routing
  Dynamic
  Asymmetric
* Network integration improvements include:
  Mixed Layer 2 and Layer 3 mode support
  Private VLAN (PVLAN) support
  Per-interface DHCP relay
* Scalability

  Interchassis or intrachassis failover: Failover can be deployed in a single or multiple chassis.

* Network integration
  Mixed Layer 2 and Layer 3 mode support: Mixed Layer 2 and Layer 3 mode support is now permitted on the same Catalyst 6500 Series FWSM, enabling flexible network deployments.
  Private VLAN (PVLAN) support: The Catalyst 6500 Series FWSM is now aware of PVLANs configured on the switch supervisor, and properly processes traffic coming from a secondary VLAN that is configured as a secure VLAN with IEEE 802.1Q tagging of the primary, thus leveraging the logical separation and traffic isolation provided by PVLANs.
  Per-interface DHCP configured per interface: Per-interface DHCP relay can now be configured per interface instead of per the entire context, providing better granularity and control of DHCP services.
* Scalability
  Support for 250 virtual contexts: Contexts have been increased from 100 to 250.
  Ability to apply the write memory command to all contexts: This feature makes configuring a large number of virtual contexts easier.
  Increased number of global statements to 4000: This increase improves scalability when defining a pool of global addresses.
  ACL memory enhancements: An increase of 20 percent in total available ACL memory improves scalability.
  Sessions for non-TCP/UDP packets: This feature permits these packets to be forwarded through the fast path instead of the slow path, improving performance for Generic Routing Encapsulation (GRE), Extended Services Platforms (ESPs), and multicast traffic.
  Supports up to 10 DHCP relay statements: An increase from 4 to 10 DHCP relay statements provides scalability benefits.
  Provides 80 HTTPS sessions for Cisco Adaptive Security Device Manager (ASDM): This represents an increase from 32 to 80 HTTPS sessions for ASDM.


FWSM Architecture Overview

(Figure: FWSM installed in a Cisco Catalyst 6500 chassis, with the module's Gigabit interfaces labelled g3/1 through g3/6)

Three-Layer Architecture Overview

[Figure: three-layer FWSM architecture. Labels: Control Path (CLI/OSPF/fixups), Session Management, Fast Path, 1 Gb, 6 Gb/s EtherChannel, Local bus, To Cisco Catalyst 6500 fabric or bus.]

The processing functions on the Catalyst 6500 Series FWSM are provided by a three-layer architecture consisting of three network processors and a PC complex.

The lowest layer of the architecture consists of two network processors that connect directly to the EtherChannel port channel from the backplane of the Catalyst 6500 Series Switch. These network processors provide fast-path processing of packets that are part of existing flows.

The second layer of the architecture consists of one network processor connected to both network processors from the fast-path layer. The session management network processor processes new session requests. The session management network processor also performs the Simple Mail Transfer Protocol (SMTP) fixup function. Fixup functions modify upper-layer protocol data to adjust for NAT.

The third layer of the architecture consists of a PC complex that performs all other fixup functions, as well as routing and the command-line interface (CLI).


FWSM File System

* The FWSM includes a 128 MB CompactFlash card
* Six partitions on the card are used (cf:n)

Partition       Use
(not legible)   Maintenance
(not legible)   Network configuration
(not legible)   Crash dump
cf:4            Application partition (default)
cf:5            Application partition
cf:6            Context configurations (disk)


Feature Comparison: FWSM vs. ASA

[Table: the extracted table is not legible. Rows compared between the FWSM and the ASA: Performance; Type of interfaces (FWSM: VLANs; ASA: external interfaces); Failover licensing; VPN functionality (FWSM: No; ASA: Yes); Virtual contexts (FWSM: 100, 250 in future); Default policy (both allow higher-level to lower-level traffic).]
.,

This chart lists the key differences between the Catalyst 6500 Series FWSM and the Cisco ASA 5580-40 Adaptive Security Appliance.

The Catalyst 6500 Series FWSM is able to process more traffic than almost all adaptive security appliance devices, except the latest ASA 5580-20 Adaptive Security Appliance and ASA 5580-40 Adaptive Security Appliance; however, termination of virtual private network (VPN) connections for traffic flowing through the firewall services module is not supported on a Catalyst 6500 Series FWSM. The Cisco Catalyst 6500 Series Switch provides intelligent services, such as intrusion detection, via Cisco Intrusion Detection Services Modules (IDSMs), and the IP security (IPsec) service port adapter.

When designing security policy for data centers, the following is usually true:

* There is no need for IPsec VPNs.
* Many VLANs are used.
* High availability is a must.
* Power consumption is a significant factor.
* The solution should scale because data centers evolve.

Thus, the Catalyst 6500 Series FWSM is a natural choice for data center security policy; that is, the number of VLAN interfaces, failover functionality, and scalability (with deploying up to four Catalyst 6500 Series FWSMs per Catalyst 6500 Series Switch chassis).


FWSM Initial Configuration

FWSM Traffic Flow

[Figure: traffic flow between the Outside Network and the Inside Network through the Cisco Catalyst 6500 Series FWSM.]

FWSM VLANs

[Figure: a Cisco Catalyst 6500 with an FWSM attached to an outside VLAN (Outside Network), an inside VLAN (Inside Network), and DMZ1 and DMZ2 VLANs (DMZ1 Network, DMZ2 Network).]

The figure shows how a Catalyst 6500 Series Switch containing a Catalyst 6500 Series FWSM connects to a network.

In this typical network scenario, the Catalyst 6500 Series FWSM connects to the network using two VLANs: one VLAN is used for a connection to the inside network, and the other VLAN is used for a connection to the outside network. Because the Catalyst 6500 Series FWSM is attached to VLANs, any physical or logical switch port can be used as an inside or outside port on the FWSM.


Configuring FWSM VLANs on Cisco IOS

1. Create the necessary VLANs
2. Group the VLANs into firewall VLAN groups
3. Assign the VLAN groups to individual FWSMs

vlan 55-57,70-85,100
firewall vlan-group 50 55-57
firewall vlan-group 51 70-85
firewall vlan-group 52 100
firewall module 5 vlan-group 50,52
firewall module 6 vlan-group 51,52

Router(config)#firewall vlan-group 50 55-57
Router(config)#firewall vlan-group 51 70-85
Router(config)#firewall vlan-group 52 100

Step 3    At the end, the firewall VLAN groups should be associated with individual firewall services modules, using the firewall module command. In this example, the firewall VLAN groups are assigned to FWSMs in slots 5 and 8.

Router(config)#firewall module 5 vlan-group 50,52
Router(config)#firewall module 8 vlan-group 51,52

Note    Firewall VLAN groups can be shared by more than one Catalyst 6500 Series FWSM.
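Added example (not part of the course material): a Python script that parses the vlan, firewall vlan-group, and firewall module lines from the steps above, works out which VLANs each module receives, and flags groups that reference VLANs that were never created or group IDs that were never defined. The function names are assumptions of this example; the configuration embedded in it is the slide's, with slots 5 and 8 as in the step 3 text.

```python
"""Audit of firewall vlan-group / firewall module assignments (added example,
not from the course).  Input is plain text in the Cisco IOS syntax shown in
the slide, with or without the Router(config)# prompt."""


def expand_ranges(spec):
    """'55-57,70-85,100' -> {55, 56, 57, 70, ..., 85, 100}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_firewall_vlan_config(text):
    """Return (created VLANs, {group id: VLAN set}, {slot: [group ids]})."""
    created, groups, modules = set(), {}, {}
    for raw in text.strip().splitlines():
        tokens = raw.split("#", 1)[-1].split()  # drop a leading prompt if present
        if tokens[:1] == ["vlan"]:
            created |= expand_ranges(tokens[1])
        elif tokens[:2] == ["firewall", "vlan-group"]:
            groups[int(tokens[2])] = expand_ranges(tokens[3])
        elif tokens[:2] == ["firewall", "module"]:
            modules[int(tokens[2])] = [int(g) for g in tokens[4].split(",")]
    return created, groups, modules


def module_vlans(groups, modules):
    """VLANs each FWSM slot receives through its assigned groups."""
    return {slot: set().union(*(groups.get(g, set()) for g in gids))
            for slot, gids in modules.items()}


def audit(text):
    """Flag VLANs used by a group but never created, group IDs assigned to a
    module but never defined, and VLANs shared by more than one module
    (sharing is permitted, per the note above, but worth seeing explicitly)."""
    created, groups, modules = parse_firewall_vlan_config(text)
    per_module = module_vlans(groups, modules)
    used = set().union(*groups.values()) if groups else set()
    undefined = {slot: [g for g in gids if g not in groups]
                 for slot, gids in modules.items()}
    shared = {}
    slots = sorted(per_module)
    for i, a in enumerate(slots):
        for b in slots[i + 1:]:
            common = per_module[a] & per_module[b]
            if common:
                shared[(a, b)] = common
    return {
        "per_module": per_module,
        "missing_vlans": used - created,
        "undefined_groups": {s: g for s, g in undefined.items() if g},
        "shared_vlans": shared,
    }


# Configuration taken from the slide above (slots 5 and 8 as in the step 3 text).
SLIDE_CONFIG = """
vlan 55-57,70-85,100
firewall vlan-group 50 55-57
firewall vlan-group 51 70-85
firewall vlan-group 52 100
Router(config)#firewall module 5 vlan-group 50,52
Router(config)#firewall module 8 vlan-group 51,52
"""

if __name__ == "__main__":
    for key, value in audit(SLIDE_CONFIG).items():
        print(key, value)
```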


Verifying Cisco IOS Setup

Router#show firewall vlan-group
Group    vlans
50       55-57
51       70-85
52       100

Router#show firewall module
Module   Vlan-groups
5        50,52
8        51,52

The show firewall vlan-group and show firewall module commands can be used to verify the VLAN configuration.


Accessing the FWSM

Router#session slot 5 processor 1
* Connects to the FWSM from Cisco IOS

Console> (enable) session 5
* Connects to the FWSM from the Catalyst operating system

FWSM> enable
* Enters enable mode

The Catalyst 6500 Series FWSM prompts for a login password, which defaults to cisco. After entering the login password, you receive the disabled mode prompt. Use the enable command to enter the enable mode. The default enable password is blank, and it can be entered by pressing the Enter key.


Configuring Basic Settings

1. Change the login and enable passwords
2. Configure host and domain names

password highly1Secure99
enable password evenB3tt#rpWord1
hostname bastion
domain-name example.com

All of the basic settings are configured from the main configuration mode on the Catalyst 6500 Series FWSM.

The login password is changed with the password command.

FWSM(config)#password highly1Secure99

Note    The password command can also be specified as passwd.

The enable mode password is changed with the enable password command.

FWSM(config)#enable password evenB3tt#rpWord1

Both login and enable passwords are case-sensitive and can be up to 16 characters long. The passwords can contain letters, numbers, and special characters, except the question mark and space.

The hostname of the Catalyst 6500 Series FWSM defaults to FWSM and can be changed with the hostname command.

FWSM(config)#hostname bastion

The prompt changes to reflect the new hostname.

The domain name is configured with the domain-name command.

bastion(config)#domain-name example.com

Caution    The host and domain names are used during the process that generates RSA keys for Secure Shell (SSH) and HTTPS access to the Catalyst 6500 Series FWSM. The host and domain names should be configured before keys are generated.


Configuring Interfaces

Router(config)#interface vlan 100
Router(config-if)#nameif outside
Router(config-if)#security-level 0
Router(config)#interface vlan 101
Router(config-if)#nameif inside
Router(config-if)#security-level 100
Router(config)#interface vlan 102
Router(config-if)#nameif dmz
Router(config-if)#security-level 50

* Specify name and security level for each interface

Before the Catalyst 6500 Series FWSM allows traffic through an interface, the interface name must be defined with a relevant security level.

The name is used in other configuration statements to refer to a specific interface, and should be meaningful to anyone reading the configuration. The name can be any text string up to 48 characters in length, and it is not case-sensitive.

The security level is a number from 0 to 100 that defines the security characteristics of the network attached to the specified interface.

In the example, VLAN 100 is defined as an interface named outside with a security level of zero. VLAN 101 is defined as an interface named inside with a security level of 100, while VLAN 102 is defined as an interface named dmz with a security level of 50.


Understanding Security Levels

[Figure: concentric circles labeled with security levels 0 (outermost), 30, 70, and 100 (innermost); arrows labeled "inside to outside" and "outside to inside".]

Each interface has a security level that is represented by a number between 0 (lowest) and 100 (highest). The figure shows the relationships implied by the available security levels. Outside the outer (dashed) circle is security level 0. The field between the outer (dashed) circle and the middle (full) circle represents security level 30. Security level 70 lies between the middle (full) circle and the inner (dotted) circle, and security level 100 is the interior of the inner (dotted) circle.

Going from a lower security level to a higher security level takes you inside, while going from a higher to a lower security level takes you outside. When dealing with a firewall with multiple interfaces, each with different security levels, this inside and outside directionality determines the security and NAT policies that are applied.


Multiple Interfaces with the Same Security Level

[Figure: Internet / Outside Network 198.133.219.0/24 (security level 0), a web server in DMZ1 192.168.1.0/24, a second DMZ segment 192.168.2.0/24, and Inside Network 10.0.0.0/24 (security level 100) with an application server, all attached to the Cisco Catalyst 6500 FWSM.]

Intra-Interface Firewall Services

[Figure: the FWSM inside interface 192.168.255.0/24 attached to a router that connects subnets 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24.]

The Catalyst 6500 Series FWSM can be configured as a "firewall on a stick" to control traffic among hosts attached to one of the interfaces.

The same-security-traffic permit intra-interface command is used to allow traffic to flow. ACLs are configured to control the type of traffic that is allowed to flow. The router connecting the subnets also needs to be configured to send all traffic to the Catalyst 6500 Series FWSM for processing.
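Added example (not course code) for the security-level directionality described above and the same-security-traffic permit intra-interface case: a Python model that reads the nameif / security-level lines from the Configuring Interfaces slide and classifies a flow between two interfaces. The treatment of equal security levels on two different interfaces is an assumption of this example, not a statement from the course.

```python
"""Security-level direction model (added example, not from the course).
Parses the nameif / security-level lines from the Configuring Interfaces
slide and applies the inside/outside rule described above."""
import re


def parse_interfaces(config):
    """Return {nameif: {"vlan": n, "level": l}} from interface vlan, nameif
    and security-level lines (a leading Router(config-if)# prompt is ignored)."""
    ifaces, current = {}, None
    for raw in config.strip().splitlines():
        line = raw.split("#", 1)[-1].strip()
        m = re.match(r"interface vlan (\d+)$", line)
        if m:
            current = {"vlan": int(m.group(1))}
        elif line.startswith("nameif ") and current is not None:
            ifaces[line.split()[1]] = current
        elif line.startswith("security-level ") and current is not None:
            current["level"] = int(line.split()[1])
    return ifaces


def classify_flow(ifaces, src, dst, intra_interface_permitted=False):
    """Return (direction, passes_by_default) for a flow entering on interface
    src and leaving on interface dst.

    - higher to lower security level: "outbound", allowed by the default policy
    - lower to higher: "inbound", needs an ACL on the lower-security interface
    - same interface ("firewall on a stick"): only with
      same-security-traffic permit intra-interface, still subject to ACLs
    - equal levels on different interfaces: not covered by the rule above;
      modeled here as needing explicit configuration (assumption)."""
    s, d = ifaces[src]["level"], ifaces[dst]["level"]
    if src == dst:
        return "intra-interface", intra_interface_permitted
    if s > d:
        return "outbound", True
    if s < d:
        return "inbound", False
    return "same-security", False


def order_inside_to_outside(ifaces):
    """Interface names from the innermost (highest level) to the outermost."""
    return sorted(ifaces, key=lambda n: ifaces[n]["level"], reverse=True)


# Lines from the Configuring Interfaces slide above.
SLIDE_CONFIG = """
Router(config)#interface vlan 100
Router(config-if)#nameif outside
Router(config-if)#security-level 0
Router(config)#interface vlan 101
Router(config-if)#nameif inside
Router(config-if)#security-level 100
Router(config)#interface vlan 102
Router(config-if)#nameif dmz
Router(config-if)#security-level 50
"""

if __name__ == "__main__":
    ifaces = parse_interfaces(SLIDE_CONFIG)
    print(order_inside_to_outside(ifaces))             # ['inside', 'dmz', 'outside']
    print(classify_flow(ifaces, "inside", "outside"))  # ('outbound', True)
    print(classify_flow(ifaces, "outside", "dmz"))     # ('inbound', False)
    print(classify_flow(ifaces, "inside", "inside", True))  # ('intra-interface', True)
```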


Note    The supervisor engine of the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router must run Cisco IOS Software Release 12.2(18)SXF or later; a special message is used to communicate the PVLAN mapping to the Catalyst 6500 Series FWSM.


* Promiscuous
  - Can communicate with hosts on mapped community and isolated ports
  - Listen to secondary VLAN
  - Send traffic using primary VLAN

Note    The Catalyst 6500 Series FWSM can take the role of PVLAN router.


FWSM in PVLAN Environment

* The FWSM regulates communication between the "outside world" and hosts sitting in a PVLAN
* Hosts in the PVLAN communicate between themselves or with the outside world via the MSFC as permitted by the FWSM

[Figure: Cisco Catalyst 6500 with the MSFC (ip local-proxy-arp, 10.10.10.1) on VLAN 1001; primary VLAN 1000 trunked to the FWSM; secondary VLAN 500 with isolated ports for Host A (10.10.10.100) and Host B (10.10.10.101).]

From the perspective of an FWSM, there is nothing particular about the configuration shown in the figure. From the perspective of a router, the Catalyst 6500 Series FWSM is sitting on a promiscuous port and sees all traffic to and from the PVLAN.

Host A and host B are on isolated ports inside the secondary VLAN 500. No communication can take place between them without involving a router. Both hosts are configured to use the Multilayer Switch Feature Card (MSFC) as their default gateway. The Catalyst 6500 Series FWSM is inserted between them and the MSFC. The primary VLAN of the PVLAN is 1000 and is trunked over to the Catalyst 6500 Series FWSM. The MSFC has no knowledge of the PVLAN, at least from a routing perspective, meaning interface VLAN 1001 is a regular VLAN interface.

Host B sends an Address Resolution Protocol (ARP) request for IP address 10.10.10.100 of host A, but the PVLAN does not let the ARP request reach host A directly. Instead, it is directed on to the primary VLAN and hits the Catalyst 6500 Series FWSM, which bridges it on to the MSFC. The MSFC is configured with local-proxy-ARP. It replies to host B with its own MAC address, then sends an ARP request for IP address 10.10.10.100 of host A, and routes subsequent packets from 10.10.10.101 to 10.10.10.100.

The Catalyst 6500 Series FWSM is providing inter-isolated port security. If inter-isolated port communication is required, the Catalyst 6500 Series FWSM can enable routing back out the same interface. Using this feature in conjunction with PVLAN integration, all communications to, from, and within a PVLAN can be controlled by the Catalyst 6500 Series FWSM. Communication between isolated ports is prevented, since the Catalyst 6500 Series FWSM will not route the packets back out the interface they came in from.

Hosts in the PVLAN are protected from each other and from the outside world by the Catalyst 6500 Series FWSM.


When to Use PVLAN?

A security policy in the data center is typically created by segregating devices (namely servers) into different groups according to the security requirements and type, which means that a previously single IP subnet should be split into separate IP subnets.

Since splitting of an IP subnet into two or more IP subnets requires not only reconfiguration of network equipment, but also of servers where certain applications might depend on static IP addresses (and thus this would also require application reconfiguration), such a solution is typically undesirable.

In such cases, PVLANs can be used to segregate servers into separate segments without changing their configuration.


Firewall Modes

This topic

Firewall Modes

[Figure: Routed Mode: Inside Network VLAN 20 (10.0.0.0/24, host 10.0.0.83) and Outside Network VLAN 40 (198.133.219.0/24, firewall address 198.133.219.100, host 198.133.219.25) on different subnets. Transparent Mode (Layer 2): Inside Network VLAN 20 and Outside Network VLAN 40 share subnet 10.0.0.0/24 (firewall management address 10.0.0.100, hosts 10.0.0.83 and 10.0.0.25).]

Network probes, denial of service (DoS) floods, and "firewalking" attacks (that determine firewall filtering policies and reveal private addresses behind an address-translating firewall) are rendered impotent with transparent firewalls. This prevents malicious users from scoping the network to derive component and network information, making networks resilient to attacks.

Using Transparent vs. Routed Mode

Transparent firewalls are most useful in complex environments that require immediate or new firewall deployments. Enterprise routing networks that consist of multiple routing protocols, such as OSPF, BGP, and high availability (HSRP, Virtual Router Redundancy Protocol [VRRP], and Gateway Load Balancing Protocol [GLBP]) can leverage the stealth security provided by transparent firewalls.

Transparent firewalls are invisible to routing updates and can be safely inserted in existing networks with no mandatory route changes.


Configuring Firewall Modes

FWSM(config)#firewall transparent
* Specifies transparent mode

FWSM(config)#no firewall transparent
* Specifies routed mode

The default mode for the Catalyst 6500 Series FWSM is routed mode.

The firewall transparent command is used to place the Catalyst 6500 Series FWSM in transparent mode.

Note    Firewall mode is set per context.

Configuring IP Addresses in Routed Mode

The ip address command is used in routed mode to configure an IP address on a particular interface. The parameters specify the IP address and subnet mask to be used for the interface. Both the address and mask use the dotted decimal notation, while the standby keyword and address are used for failover.


Configuring IP Addresses in Routed Mode

FWSM(config)#interface vlan 100
FWSM(config-if)#nameif outside
FWSM(config-if)#security-level 0
FWSM(config-if)#ip address 198.133.219.15 255.255.255.0

* Specifies an IP address for each interface

[Figure: web server in DMZ 192.168.1.0/24, Internet / Outside Network 198.133.219.0/24, Inside Network 10.0.0.0/24.]

In this example, the outside interface parameters are configured in VLAN 100.


Configuring IP Addresses in Transparent Mode

FWSM(config)#interface vlan 100
FWSM(config-if)#bridge-group 1
FWSM(config-if)#nameif inside
FWSM(config-if)#security-level 100
FWSM(config-if)#exit
FWSM(config)#interface bvi 1
FWSM(config-if)#ip address 10.0.0.100 255.255.255.0 standby 10.0.0.101

* Specifies a management IP address for each pair of bridge-group interfaces

[Figure: Outside Network 10.0.0.0/24 and Inside Network 10.0.0.0/24 bridged through the FWSM.]

Transparent Mode Design Considerations

* Known as a Layer 2 firewall or "stealth firewall"
* 250 transparent security contexts
* Up to eight pairs of interfaces per transparent firewall
* Layer 2 ACLs
* Address Resolution Protocol (ARP) inspection
* Multicast pass-through
* No outside shared VLAN
* One management IP address per transparent firewall context
* The same subnet but different VLANs on the inside and outside

The list mentions the limitations and design considerations for the transparent mode.


Configuring the Translation

This topic identifies the FWSM NAT and PAT translation.

Network Address Translation Terminology

[Figure: Inside Network and Outside Network separated by the firewall. Local Addresses: Inside Local, Outside Local. Global Addresses: Inside Global, Outside Global.]

This example network has an inside network of 10.0.0.0/24 and an outside network of 198.133.219.0/24.

Network translation is used to allow a system on a private network to communicate with a web server that is on the public Internet. To perform this function, the network translation on the firewall is configured to translate the IP address of the inside system to a valid address on the outside network. An address with the same last octet has been allocated for this purpose.


Port Address Translation

[Figure: two inside hosts, 10.0.0.83 and 10.0.0.84 on Inside Network 10.0.0.0/24, each sending from TCP port 2418 to web server 198.133.219.25 port 80 on Outside Network 198.133.219.0/24; the firewall translates both to the same global address with different source ports.]

PAT adds port numbers to the translation table.

A typical use of PAT is to provide network access for a large inside network, while conserving addresses on the outside network. In this example, one address in the outside network is used to provide access for an inside network with a class C network of hosts. The example packets show two different systems generating requests to a web server. Each system is using the same TCP port to send the request. Notice that the inside global address for each request is the same IP address, but the PAT function on the firewall has allocated different ports for the requests.


Configuring NAT Control

* NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule
* NAT control is disabled by default

FWSM(config)#nat-control
* Enables NAT control

[Figure: web server in DMZ 192.168.1.0/24 (NAT 1), Internet / Outside Network 198.133.219.0/24, Inside Network 10.0.0.0/24 (NAT 1).]

Configuring Dynamic NAT and PAT

FWSM(config)#nat (inside) 1 10.1.2.0 255.255.255.0
FWSM(config)#nat (dmz) 1 10.1.1.0 255.255.255.0
FWSM(config)#global (outside) 1 209.165.201.3-209.165.201.10

* Identifies the real addresses for translation

[Figure: web server in DMZ 10.1.1.0/24 (NAT 1), Internet / Outside Network 209.165.201.3-209.165.201.10 (Global 1), Inside Network 10.1.2.0/24 (NAT 1).]

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The Catalyst 6500 Series FWSM assigns an IP address from a mapped pool to the host you want to translate when it accesses the destination network. This only happens when the real host initiates the connection. The translation remains in place only for the duration of the connection. After the connection times out, that address is released for other hosts to use.

The port translation remains in place for the duration of the connections but expires after 30 seconds of inactivity. This timeout is not user configurable.

Remote hosts can initiate connections to a translated host if permitted by the ACL, but after the translation has been timed out, the remote connections are dropped, regardless of the ACL statement.

Dynamic NAT can be used when protocols cannot use PAT (such as GRE version 0), or with applications that have a data stream and control path on different ports and are not open standard (such as multimedia applications).

In the example, the nat command identifies which interfaces have hosts to be translated when traversing the firewall to an interface configured with the global command.

Note    Use different NAT IDs when identifying different sets of real addresses to have different mapped addresses.
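Added example (not course code) for the Port Address Translation figure and the 30-second idle expiry of port translations described above: a small Python model of the PAT translation table for the two inside hosts that both use TCP source port 2418. The outside address 198.133.219.100 and the port allocation scheme are constructed for illustration.

```python
"""Toy PAT translation table (added example, not from the course) for the
two-host scenario in the Port Address Translation figure, with the 30-second
idle expiry of port translations mentioned above.  The outside address and the
port allocation scheme are constructed for illustration."""
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30  # seconds; port translations expire after 30 s of inactivity


@dataclass
class PatTable:
    global_ip: str                       # the single outside address used for PAT
    next_port: int = 1024
    by_flow: dict = field(default_factory=dict)    # (inside_ip, inside_port) -> mapped_port
    by_mapped: dict = field(default_factory=dict)  # mapped_port -> [inside_ip, inside_port, last_seen]

    def _expire(self, now):
        """Drop every translation idle for longer than IDLE_TIMEOUT."""
        for port, (ip, sport, seen) in list(self.by_mapped.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.by_mapped[port]
                del self.by_flow[(ip, sport)]

    def _allocate(self, preferred):
        """Keep the inside source port when it is free; otherwise pick a new one."""
        if preferred not in self.by_mapped:
            return preferred
        port = self.next_port
        while port in self.by_mapped:
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, inside_ip, inside_port, now):
        """Inside host sends a packet; return the (inside global IP, mapped port) pair."""
        self._expire(now)
        key = (inside_ip, inside_port)
        port = self.by_flow.get(key)
        if port is None:
            port = self._allocate(inside_port)
            self.by_flow[key] = port
        self.by_mapped[port] = [inside_ip, inside_port, now]
        return self.global_ip, port

    def inbound(self, mapped_port, now):
        """Return traffic to the mapped port; None means no live translation,
        so the packet is dropped even if an ACL would have permitted it."""
        self._expire(now)
        ent = self.by_mapped.get(mapped_port)
        if ent is None:
            return None
        ent[2] = now
        return ent[0], ent[1]


if __name__ == "__main__":
    pat = PatTable("198.133.219.100")   # constructed outside address
    # Both inside hosts use TCP source port 2418 towards the web server 198.133.219.25:80
    print(pat.outbound("10.0.0.83", 2418, now=0))   # ('198.133.219.100', 2418)
    print(pat.outbound("10.0.0.84", 2418, now=1))   # ('198.133.219.100', 1024)
    print(pat.inbound(1024, now=2))                 # ('10.0.0.84', 2418)
    print(pat.inbound(1024, now=40))                # None: idle longer than 30 s
```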


In addition, static PAT permits administrators to provide a single address to remote users for accessing FTP, HTTP, and SMTP servers, even though these servers might be different servers on the real network. For example:

FWSM(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
FWSM(config)#static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
FWSM(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255

Note    Overlapping static configurations were allowed in initial versions of Catalyst 6500 Series FWSM (version .x) but were later disallowed. In Catalyst 6500 Series FWSM version 3.1, overlapping configurations are supported again.


Bypassing NAT when NAT Control is Enabled

FWSM(config)#nat (inside) 0 10.1.1.0 255.255.255.0
FWSM(config)#static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
FWSM(config)#access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
FWSM(config)#nat (inside) 0 access-list EXEMPT

* Bypasses NAT

[Figure: web server in DMZ 10.1.2.0/24, Internet / Outside Network 209.165.201.0/24, Inside Network 10.1.1.0/24.]

In some cases, for example, to use applications that do not support NAT, you do not want to perform NAT translation for certain hosts when NAT control is enabled.

If you do not want to perform NAT translation for certain hosts when NAT control is enabled, you can configure traffic to bypass NAT in one of three ways:

* Identity NAT (nat 0 command)
* Static identity NAT (static command)
* NAT exemption (nat 0 access-list command)

Identity NAT

Identity NAT is similar to dynamic NAT in that you do not limit translation for a host on specific interfaces. Identity NAT, when enabled, must be used for connections through all interfaces. You cannot choose to perform normal translation on real addresses on one interface, while using identity NAT on another. However, regular dynamic NAT lets you specify a particular interface on which to translate the addresses. When using identity NAT, ensure the real addresses are routable on all networks according to ACLs.

This example uses identity NAT for the inside 10.1.1.0/24 network.

FWSM(config)#nat (inside) 0 10.1.1.0 255.255.255.0

Static Identity NAT

Static identity NAT lets you specify the interface on which to allow the real addresses to appear. You can use identity NAT when accessing one interface, while using regular translation when accessing another. Static identity NAT permits the use of policy NAT, which identifies the real and destination addresses when determining the real addresses to translate. For example, use static identity NAT for an inside address when accessing an outside interface with a destination server A, but use normal translation when accessing outside server B.


This example uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside.

FWSM(config)#static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255

This example uses static identity NAT for an outside address (209.165.201.15) when accessed by the inside.

FWSM(config)#static (outside,inside) 209.165.201.15 209.165.201.15 netmask

This example statically maps an entire subnet.

FWSM(config)#static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

FWSM(config)#access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
FWSM(config)#access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
FWSM(config)#static (inside,outside) 10.1.2.27 access-list NET1
FWSM(config)#static (inside,outside) 209.165.202.130 access-list NET2

This example exempts an inside network when accessing any destination address.

FWSM(config)#access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
FWSM(config)#nat (inside) 0 access-list EXEMPT

This example uses dynamic outside NAT for a DMZ network, and exempts another DMZ network.

FWSM(config)#nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
FWSM(config)#global (inside) 1 10.1.1.45
FWSM(config)#access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
FWSM(config)#nat (dmz) 0 access-list EXEMPT

This example exempts an inside address when accessing two different destination addresses.

FWSM(config)#access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
FWSM(config)#access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
FWSM(config)#nat (inside) 0 access-list NET1


Order of Processing and Maximum Number of NAT Statements

Real addresses are matched to NAT commands in a specific order:

1. NAT exemption (nat 0 access-list)
2. Static NAT and static PAT (regular and policy) (static)
3. Policy dynamic NAT (nat access-list)
4. Regular dynamic NAT (nat)

Command or feature              Maximum
The nat command                 2000
The global command              4000
The static command              2000
Policy NAT for single mode      3942 access control entries
Policy NAT for multiple mode    7272 access control entries

The Catalyst 6500 Series FWSM matches real addresses to NAT commands in a specific order, until the first match is found:

* NAT exemption (nat 0 access-list command): In order, until the first match is found. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. Including overlapping addresses in NAT exemption statements is not recommended, due to potential unexpected results.

* Static NAT and static PAT, regular and policy (static command): In order, until the first match is found. Static identity NAT is included in this category. In the case of overlapping addresses in static statements, a warning is displayed, but they are supported.

* Policy dynamic NAT (nat access-list command): In order, until the first match is found. Overlapping addresses are allowed.

* Regular dynamic NAT (nat command): Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, a general statement is defined to translate all addresses (0.0.0.0) on an interface. A second statement is defined to translate a subset of the network (10.1.1.1) to a different address. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it best matches the real address. Including overlapping statements is not recommended, due to increased memory requirements and processing overhead on the Catalyst 6500 Series FWSM.


Maximum Number of NAT Statements

The Catalyst 6500 Series FWSM supports the following numbers of nat, global, and static commands divided between all contexts, or in a single mode:

* The nat command: 2000 (2k)
* The global command: 4000 (4k)
* The static command: 2000 (2k)

Note  In addition, the Catalyst 6500 Series FWSM supports up to 3942 access control entries in ACLs used for policy NAT single mode, and 7272 access control entries for multiple mode.


Advanced NAT: Multiple NAT IDs

nat (inside) 1 10.0.1.0 255.255.255.0
nat (inside) 2 10.0.2.0 255.255.255.0
nat (inside) 3 10.0.3.0 255.255.255.0
nat (inside) 4 10.0.4.0 255.255.255.0
global (outside) 1 192.168.1.11
global (outside) 2 192.168.1.12
global (outside) 3 192.168.1.13
global (outside) 4 192.168.1.14

[Figure: FWSM between the Internet (outside network 192.168.1.0/24) and four inside subnets, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and 10.0.4.0/24]

Multiple NAT IDs can be used to provide separate translated addresses for various segments of the inside network. This is accomplished by using multiple NAT IDs in the nat and global commands. Inside addresses that are covered by the IP address and the mask of a specific nat command use the translated addresses in the global command with the same NAT ID.

For example, the network shown in the figure uses four addresses on the external network. Each address is used to provide access for a particular subnet of the inside network.


Policy NAT

access-list partnerA permit ip host 10.0.0.100 172.16.1.100
access-list partnerB permit ip host 10.0.0.100 172.16.2.100
static (inside,outside) 172.16.0.201 access-list partnerA
static (inside,outside) 172.16.0.202 access-list partnerB

[Figure: FWSM between the inside network 10.0.0.0/24 and the outside (extranet) network 172.16.0.0/16]

access-list partnerA permit ip host 10.0.0.100 172.16.1.100
access-list partnerB permit ip host 10.0.0.100 172.16.2.100
nat (inside) 201 access-list partnerA
nat (inside) 202 access-list partnerB
global (outside) 201 172.16.0.201
global (outside) 202 172.16.0.202

Policy NAT is used to select the translated address based on the criteria expressed in an extended ACL. An extended ACL allows policy NAT to include the source and destination addresses and ports in the decision-making process.

Note  ACLs must still be configured to allow the traffic flow enabled by the policy NAT configuration.


Identity NAT

[Figure: FWSM between the Internet (outside network 198.133.219.0/24) and the inside network 128.107.224.0/24]

nat (inside) 0 128.107.224.0 255.255.255.0

OR

static (inside,outside) 128.107.224.0 128.107.224.0 netmask 255.255.255.0

Identity NAT allows an inside address to be used on the outside network.

Identity NAT is often used when resources with publicly routed addresses must be protected by a firewall. Identity NAT can be configured with a static command or a nat command with a NAT ID of 0. Identity NAT configured with the static command allows connections to be initiated from either side of the firewall, while the nat 0 command allows connections to be initiated only from within the inside network.

Note  ACLs must still be configured to allow the traffic flow enabled by the identity NAT configuration.


NAT Exemption

access-list to-dmz permit 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list to-dmz permit 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list to-dmz

[Figure: FWSM with the Internet on the outside network 198.133.219.0/24, a web server in DMZ1 10.0.1.0/24, an application server in DMZ2 10.0.2.0/24, and the inside network 10.0.0.0/24]

Note  ACLs must still be configured to allow the traffic flow enabled by the NAT exemption configuration.

Note  Though it uses the nat command, NAT exemption creates a two-way translation, allowing traffic to be initiated from either side of the firewall. This is the only bidirectional use of the nat command.
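The matching order described earlier (NAT exemption, then static, then policy dynamic NAT, then best-match regular dynamic NAT), together with the multiple-NAT-ID, policy NAT, identity NAT and NAT exemption configurations shown in the preceding slides, as an added Python example that is not part of the course material: it parses a constructed set of FWSM-style configuration lines and reports which translation a given inside host receives for a new connection. The category names it returns and the sample addresses in SAMPLE_CONFIG are this example's own.

```python
"""FWSM NAT order-of-processing resolver.

Added example, not Cisco's code: parses FWSM-style nat, static, global and
access-list lines of the kind shown in this lesson and applies the order from
the text: NAT exemption, static, policy dynamic NAT (each first match in
configuration order), then regular dynamic NAT by best (longest-prefix) match.
SAMPLE_CONFIG is constructed for this example.
"""
import ipaddress


def _addr_spec(t, i):
    """Parse one ACL address spec at t[i]: any | host A | A MASK | bare A (host)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2
    return ipaddress.ip_network(t[i] + "/32"), i + 1


class FwsmNat:
    """Inside-to-outside NAT lookup over a parsed configuration."""

    def __init__(self, config):
        self.acls = {}      # name -> [(src_net, dst_net), ...] in order
        self.exempt = []    # ACL names from "nat (if) 0 access-list NAME"
        self.statics = []   # (acl_name or None, real_net or None, mapped_ip)
        self.policy = []    # (nat_id, acl_name) from "nat (if) N access-list NAME"
        self.regular = []   # (nat_id, real_net) from "nat (if) N ADDR MASK"
        self.globals = {}   # nat_id -> mapped address or pool, as written
        for line in config.splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "access-list" and "permit" in t:
                i = t.index("permit") + 1
                if not t[i][0].isdigit() and t[i] not in ("host", "any"):
                    i += 1                       # skip the protocol keyword
                src, i = _addr_spec(t, i)
                dst, _ = _addr_spec(t, i)
                self.acls.setdefault(t[1], []).append((src, dst))
            elif t[0] == "nat":
                nat_id = int(t[2])
                if t[3] == "access-list" and nat_id == 0:
                    self.exempt.append(t[4])
                elif t[3] == "access-list":
                    self.policy.append((nat_id, t[4]))
                else:                            # includes regular identity NAT (nat 0 ADDR MASK)
                    net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
                    self.regular.append((nat_id, net))
            elif t[0] == "static":
                mapped = ipaddress.ip_address(t[2])
                if t[3] == "access-list":        # polic  static
                    self.statics.append((t[4], None, mapped))
                else:                            # regular static; host static without netmask
                    mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
                    real = ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)
                    self.statics.append((None, real, mapped))
            elif t[0] == "global":
                self.globals[int(t[2])] = t[3]

    def _acl_hit(self, name, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(name, []))

    def resolve(self, src, dst):
        """Return (category, translated source) for a new connection src -> dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for acl in self.exempt:                  # 1. NAT exemption, first match
            if self._acl_hit(acl, src, dst):
                return "nat-exemption", str(src)
        for acl, real, mapped in self.statics:   # 2. static NAT/PAT, first match
            if acl is not None and self._acl_hit(acl, src, dst):
                return "static-policy", str(mapped)
            if acl is None and src in real:
                return "static", str(mapped + (int(src) - int(real.network_address)))
        for nat_id, acl in self.policy:          # 3. policy dynamic NAT, first match
            if self._acl_hit(acl, src, dst):
                return "policy-dynamic", self.globals[nat_id]
        # 4. regular dynamic NAT: longest-prefix (best) match, order irrelevant
        hits = [(net.prefixlen, nat_id) for nat_id, net in self.regular if src in net]
        if hits:
            nat_id = max(hits)[1]
            if nat_id == 0:
                return "identity", str(src)
            return "regular-dynamic", self.globals[nat_id]
        return "no-match", None


SAMPLE_CONFIG = """
access-list to-dmz permit 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list partnerA permit ip host 10.0.0.100 172.16.1.100
access-list partnerB permit ip host 10.0.0.100 172.16.2.100
nat (inside) 0 access-list to-dmz
static (inside,outside) 128.107.224.0 128.107.224.0 netmask 255.255.255.0
static (inside,outside) 172.16.0.202 access-list partnerB
nat (inside) 201 access-list partnerA
global (outside) 201 172.16.0.201
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.1.11
nat (inside) 2 10.1.1.1 255.255.255.255
global (outside) 2 192.168.1.12
nat (inside) 0 10.2.0.0 255.255.0.0
"""
```

The 0.0.0.0/0 nat 1 statement is listed before the 10.1.1.1/32 nat 2 statement, yet a connection from 10.1.1.1 resolves to NAT ID 2, which is the best-match rule from the text.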


Layer 2 NAT/PAT

* NAT, PAT, and static statements will turn on functionality.
* Transparent firewall bridge pair can support both NAT and non-NAT traffic.
* Firewall will respond to ARP requests for the global and static addresses in the same subnet.
* Management IP cannot be part of the global or static pool.
* Inspections will behave as in routed mode.

[Figure: transparent FWSM with NAT/PAT between routers R1 (outside) and R2 (inside), with hosts A1, B1, C1, and D1]

The Catalyst 6500 Series FWSM can also perform NAT in transparent mode from software version 3.1 onwards.

These configuration considerations apply to Layer 2 NAT/PAT deployment:

* Interface options for NAT, PAT, and static are not supported.
* Routes (static) are needed on the FWSM for addresses using NAT that are not part of the same subnet as the FWSM bridge group.
* Routes (static) are needed on adjacent routers for global and static pools that are not part of the same subnet as the FWSM bridge group.
* The alias command is not supported.


Summary

* The Cisco Catalyst 6500 Series FWSM analyzes and modifies fields in the IP, UDP, and TCP headers.
* The Catalyst 6500 Series FWSM uses stateful packet filtering to control traffic between two or more networks.
* NAT and PAT modify IP addresses and UDP/TCP ports as traffic passes through the Catalyst 6500 Series FWSM.
* The Catalyst 6500 Series FWSM is a fabric-enabled card that connects to the Catalyst 6500 Series Switch through a 6-port EtherChannel.
* The Catalyst 6500 Series FWSM offers scalability to 20 Gb/s in a single chassis.
* The Catalyst 6500 Series FWSM uses VLANs to connect to the rest of the network.


Lesson 2

Implementing Management Access

Overview

Objectives

Configuring Management Access

This topic describes the various management access options on the Catalyst 6500 Series FWSM, how they are configured, and when they are used.

Management Access

Management access interfaces:
* Console
* Remote access
* GUI-based management
* Out-of-band management

[Figure: management access paths to the FWSM]
The Catalyst 6500 Series FWSM can be managed using various methods:

* Access through a console connection from the Cisco Catalyst 6500 Series Switch Multilayer Switch Feature Card (MSFC)
* Using remote access, such as Telnet or Secure Shell (SSH), with in-band management
* Using the GUI-based Cisco Adaptive Security Device Manager (ASDM)
* Deploying out-of-band management to restrict management traffic to a specific interface


Console Access

msfc#
session slot module_number processor 1

* Accesses FWSM from MSFC through console

msfc#session slot 8 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
fwsm> enable
Password:
fwsm#configure terminal
fwsm(config)#exit
fwsm#exit
Logoff

[Connection to 127.0.0.81 closed by foreign host]

The Catalyst 6500 Series FWSM does not have any external ports or a console port. Therefore, the only option to access the Catalyst 6500 Series FWSM initially is through the MSFC, by sessioning to the Catalyst 6500 Series FWSM.

Note  For multiple context mode, when you session into the Catalyst 6500 Series FWSM you access the system configuration.

Logging through the Console

Note  Keep in mind that the exit command might need to be entered multiple times if in a configuration mode.


Privileged EXEC Mode

To change the configuration, you must enter the privileged EXEC mode by using the enable command. Upon entering privileged EXEC mode, you must enter the privileged password, which by default is blank; therefore, press the Enter key to continue.

From this mode, the global configuration mode can be accessed. The global configuration mode does not require any password to be entered.

The configuration mode is entered with the configure terminal command.

To exit privileged EXEC mode, enter the disable command. You can also enter the exit or the quit commands to exit the current access mode (privileged EXEC mode, global configuration mode, etc.).

Managing Access Passwords

The login password is used for sessions from the switch, as well as Telnet and SSH connections.

Once logged in, the default login password can (and should) be changed with the password command.

To change the enable password, use the enable password command. The command changes the password for the highest privilege level. If local command authorization is configured, the privileged passwords for each privilege level from 0 to 15 can be set.

Note  The password is a case-sensitive string of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.

To restore the password to the default setting, use the no form of the command.

The passwords are saved in the configuration in encrypted form.


Telnet Remote Access

fwsm(config)#
telnet source_IP_address mask source_interface

* Allows Telnet through interface from source IP addresses

fwsm(config)#
telnet timeout minutes

* Sets the Telnet timeout

* Cleartext access
* Only server side is implemented

telnet 0.0.0.0 0.0.0.0 inside

Note  Only the admin context can have up to 15 Telnet sessions concurrently.

Note  If two or more concurrent Telnet sessions are opened and one of the sessions is at the More prompt, the other sessions may hang until the More prompt is dismissed. To disable the More prompt and avoid this situation, enter the pager lines 0 command.

When accessing the Catalyst 6500 Series FWSM using Telnet, the default password is cisco.


Configuring Telnet Access

To configure Telnet access to the Catalyst 6500 Series FWSM, use the commands listed in the table.

Configuring Telnet Access Commands

Command: telnet source_IP_address mask source_interface
Description: Identifies the IP addresses and interfaces from which the FWSM accepts connections. If there is only one interface present, Telnet can be configured to access that interface, as long as the interface has a security level of 100.

Command: telnet timeout minutes
Description: (Optional) Sets the Telnet session idle time before the FWSM disconnects the session. The value can be between 1 and 1440 minutes, with the default being 5 minutes.

Note  Telnet access cannot be configured on the lowest security interface.

Keep in mind that the FWSM should be configured with interfaces, IP addresses, and proper routing to allow remote access.

This example shows the configuration that allows Telnet from any source IP address coming from the inside segment. The timeout is set to the maximum.

fwsm(config)#telnet 0.0.0.0 0.0.0.0 inside
fwsm(config)#telnet timeout 1440

This example permits a host on the inside interface with an address of 192.168.1.2 to access the Catalyst 6500 Series FWSM, and allows Telnet to be idle for a maximum of 30 minutes.

fwsm(config)#telnet 192.168.1.2 255.255.255.255 inside
fwsm(config)#telnet timeout 30


SSH Remote Access

fwsm(config)#
ssh source_IP_address mask source_interface

* Allows SSH through interface from source IP addresses

fwsm(config)#
ssh timeout minutes

* Sets the SSH timeout

* Configuration steps:
  - Generate RSA key
  - Configure SSH

crypto key generate rsa modulus 1024
write memory
!
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5

Note  Only the admin context can have up to 15 SSH sessions concurrently.

Note  If two or more concurrent SSH sessions are opened and one of the sessions is at the More prompt, the other sessions may hang until the More prompt is dismissed. To disable the More prompt and avoid this situation, enter the pager lines 0 command.

Note  When starting an SSH session, a dot (.) displays on the Catalyst 6500 Series FWSM console before the SSH user authentication prompt appears. This does not affect the functionality of SSH; it appears at the console when generating a server key, or when decrypting a message using private keys during SSH key exchange before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the FWSM is busy and has not hung.


Configuring SSH Access

To configure SSH access to the Catalyst 6500 Series FWSM, use the commands in the order specified in the table.

Configuring SSH Access Procedure

Step 1: crypto key generate rsa modulus modulus_size
Notes: Generates an RSA key pair required for SSH. The modulus is 512, 768, 1024, or 2048 bits long. The larger the key modulus size, the longer it takes to generate an RSA key. The recommended size is at least 1024.

Step 2: write memory
Notes: Saves the RSA keys to persistent flash memory.

Step 3: ssh source_IP_address mask source_interface
Notes: Identifies the IP addresses and interfaces from which the FWSM accepts connections. SSH access can be configured on the lowest security interface, in contrast to Telnet.

Step 4: ssh timeout minutes
Notes: (Optional) Sets the SSH session idle time before the FWSM disconnects the session. The value can be between 1 and 60 minutes, the default being 5 minutes.

Step 5: ssh version {1 | 2}
Notes: (Optional) Restricts the version of SSH accepted by the FWSM. By default, the FWSM accepts both versions (SSHv1 and SSHv2).

Note  SSHv2 requires a 3DES license to work. The cryptographic algorithms used by SSHv2 are limited to 3DES and AES. Only Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are available for the integrity.

Keep in mind that the Catalyst 6500 Series FWSM should be configured with interfaces, IP addresses, proper routing, FWSM name, and domain name to allow remote access. If a domain name is not specified, the default domain name default.domain.invalid is generated.

Note  The user authentication attempt limit is set to three and is not configurable.

Verifying SSH Configuration

To verify the SSH configuration, use the commands listed in the table.

Verifying SSH Configuration Commands

Command: show ssh sessions [client_ip]
Description: Examines the SSH sessions.

Command: show debug ssh [debug_level]
Description: Verifies the SSH with debugging.


This example shows the configuration that allows SSH from any source IP address coming from the inside segment. The timeout is set to 5 minutes.

fwsm(config)#crypto key generate rsa modulus 1024
fwsm(config)#write memory
fwsm(config)#ssh 0.0.0.0 0.0.0.0 inside
fwsm(config)#ssh timeout 5

The size of the RSA key being generated is 1024.

This example permits a host on the inside interface with an address of 192.168.1.2 to access the FWSM, and allows SSH to be idle for a maximum of 30 minutes.

fwsm(config)#ssh 192.168.1.2 255.255.255.255 inside
fwsm(config)#ssh timeout 30


GUI-Based Remote Access

* Adaptive Security Device Manager (ASDM) is free
* Prerequisites:
  - JavaScript or Java must be enabled
  - Support for SSL must be enabled
  - Pop-up blockers must be disabled

fwsm(config)#
http source_IP_address mask source_interface
http server enable

* Allows HTTPS through interface from source IP addresses and enables HTTPS

http 10.0.1.0 255.255.255.0 inside
http server enable

[Figure: Cisco ASDM screenshot]
To use Cisco ASDM, the HTTP over SSL (HTTPS) server must be enabled so that HTTPS connections are allowed to the Catalyst 6500 Series FWSM.

A maximum of five concurrent Cisco ASDM instances per context are available, with a maximum of 80 Cisco ASDM instances divided between all contexts. The number of Cisco ASDM sessions allowed per context is controlled using resource classes.

The minimum Cisco ASDM and Catalyst 6500 Series FWSM software compatibility version is ASDM 5.0(1)F and FWSM 3.1.

Cisco ASDM can be run as the following:

* A local application that requires the installation of Cisco ASDM on the client workstation. The local application connects to the FWSM from the workstation via Secure Socket Layer (SSL). The advantages are:
  - Upgrades of the local application are performed automatically.
  - Cisco ASDM can be invoked from desktop shortcuts. No browser is required.
  - One desktop shortcut allows you to connect to multiple security appliances, not only to the Catalyst 6500 Series FWSM.
* A Java applet that is dynamically downloaded from the device to which you connect.

Cisco ASDM Prerequisites

The workstation used for Cisco ASDM access must meet these prerequisites:

* It has to be installed with supported Java versions 1.4.2 and 5.0 (also known as 1.5).
* It must be equipped with a web browser:
  - Enabled with JavaScript and Java
  - SSL support must be enabled
  - Pop-up blockers must be disabled, since they may prevent Cisco ASDM from starting (Cisco ASDM will not notify you)


Configuring Cisco ASDM Access

To use Cisco ASDM, the HTTPS server has to be enabled and HTTPS connections to the Catalyst 6500 Series FWSM must be allowed. To configure HTTPS access to the Catalyst 6500 Series FWSM, use the commands listed in the table.

HTTPS Access to the FWSM Commands

Command: http source_IP_address mask source_interface
Description: Identifies the IP addresses and interfaces from which the FWSM accepts connections.

Command: http server enable
Description: Enables the HTTPS service on the FWSM.

This example shows the configuration with which HTTPS is allowed from the 10.0.4.0/24 network coming from the inside segment.

http 10.0.4.0 255.255.255.0 inside
http server enable


VPN-Based Remote Access

IPsec VPN for management purpose:
* Routed: site-to-site, VPN client
* Transparent: site-to-site only

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 group 2
isakmp policy 1 hash sha
isakmp enable outside
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
isakmp key PRSHRKY address 209.165.200.223
access-list TUNNEL extended permit ip host 209.165.200.225 209.165.201.0 255.255.255.224
crypto map telnet-tunnel 1 ipsec-isakmp
crypto map telnet-tunnel 1 match address TUNNEL
crypto map telnet-tunnel 1 set peer 209.165.202.129
crypto map telnet-tunnel 1 set transform-set vpn
crypto map telnet-tunnel interface outside

[Figure: site-to-site IPsec tunnel between the FWSM outside interface and a remote VPN peer]

* Sample site-to-site VPN configuration

The Catalyst 6500 Series FWSM also supports IP security (IPsec) for management access, with which traffic can safely travel over insecure networks, such as the Internet. The Catalyst 6500 Series FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the Catalyst 6500 Series FWSM, the only address available on the Catalyst 6500 Series FWSM end of the tunnel is the interface itself.

The routed mode can also accept connections from VPN clients, either hosts running the Cisco VPN client, or VPN concentrators, such as the Cisco PIX firewall or Cisco IOS router, running the Easy VPN client. In this case the IP address of the client is not known; instead, the VPN tunnel setup relies on client authentication.

Transparent firewall mode does not support remote clients, only site-to-site tunnels.

A maximum of five concurrent IPsec connections per context are available, with a maximum of ten concurrent connections divided between all contexts. The number of IPsec sessions allowed per context is controlled using resource classes.

The VPN-based remote access might be used in a disaster recovery center or backup center to securely access the Catalyst 6500 Series FWSM from the primary data center.

Configuring VPN Access

To configure basic IPsec VPN access parameters, the steps listed in the table have to be accomplished.

Configuring Basic IPsec VPN Access Parameters Procedure

Step 1: isakmp policy priority encryption {des | 3des}
Notes: Sets the Internet Key Exchange (IKE) encryption algorithm. Multiple IKE policies can exist. The priority is a value between 1 and 65,534, with 1 being the highest priority.

Step 2: isakmp policy priority group {1 | 2}
Notes: Sets the Diffie-Hellman group used for key exchange. Group 1 is 768 bits, while Group 2 is 1024 bits and thus more secure.

Step 3: isakmp policy priority hash {md5 | sha}
Notes: Sets the authentication algorithm.

Step 4: isakmp policy priority authentication pre-share
Notes: Sets the IKE authentication method as a shared key. Alternatively, certificates can be used instead of a shared key by specifying the rsa-sig option. Consult the FWSM documentation for more information about this method.

Step 5: isakmp enable interface_name
Notes: Enables IKE on the tunnel interface.

Step 6: crypto ipsec transform-set transform_name {esp-md5-hmac | esp-sha-hmac} {esp-aes-256 | esp-aes-192 | esp-aes | esp-des | esp-3des}
Notes: Sets the authentication and encryption methods used for IPsec tunnels in a transform set.

Configuring the VPN Client IPsec Access Procedure

Step 1: crypto dynamic-map dynamic_map_name priority set transform-set transform_set1 [transform_set2] [...]
Notes: Specifies the transform sets allowed for client tunnels.

Step 2: crypto map crypto_map_name priority ipsec-isakmp dynamic dynamic_map_name
Notes: Assigns the dynamic crypto map to a static tunnel.

Step 3: crypto map crypto_map_name interface interface_name
Notes: Specifies the interface at which the client tunnels terminate.

Step 4: ip local pool pool_name first_ip_address-last_ip_address [mask mask]
Notes: Specifies the range of IP addresses to be used for VPN remote access tunnels.

Step 5: access-list acl_name [extended] permit {protocol} host fwsm_interface_address pool_addresses mask
Notes: Specifies the tunnel traffic destined for the FWSM.

Step 6: tunnel-group name general-attributes
        address-pool pool_name
Notes: Assigns the VPN address pool to a tunnel group.

Step 7: group-policy name attributes
        split-tunnel-policy tunnelall
Notes: Specify that only traffic destined for the FWSM is tunneled.

Step 8: group-policy group_name external server-group server_group_name password server_password
Notes: Sets the VPN group password.


Note  Only one crypto map name can be assigned to an interface. If both a site-to-site tunnel and VPN clients should be terminated on the same interface, use the same crypto map name.

To further configure the site-to-site IPsec access, the steps listed in the table have to be accomplished.

Configuring the Site-to-Site IPsec Access Procedure

Step 1: isakmp key keystring address peer_address
Notes: Sets the shared key used by both peers.

Step 2: access-list acl_name [extended] {deny | permit} {protocol} host fwsm_interface_address dest_address mask
Notes: Identifies the traffic allowed to go over the tunnel.

Step 3: crypto map crypto_map_name priority ipsec-isakmp
Notes: Creates an IPsec tunnel.

Step 4: crypto map crypto_map_name priority match address acl_name
Notes: Assigns the access control list (ACL) to the tunnel.

Step 5: crypto map crypto_map_name priority set peer peer_address
Notes: Specifies the remote peer on which the tunnel terminates.

Step 6: crypto map crypto_map_name priority set transform-set transform_set1 [transform_set2] [...]
Notes: Specifies the transform sets for this tunnel.

Step 7: crypto map crypto_map_name interface interface_name
Notes: Specifies the interface where the tunnel terminates.

Step 8: http source_IP_address mask source_interface
Notes: Identifies the IP addresses and interfaces from which the FWSM accepts connections.

Step 9: http server enable
Notes: Enables the HTTPS service on the FWSM.


ICMP on FWSM

* ICMP for management purpose

fwsm(config)#
icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name

* Allows ICMP of certain type to and from an interface

[Figure: FWSM between the outside network and the inside network 10.0.0.0/24]

icmp deny any outside
icmp permit any inside

ICMP can be permitted or denied to reach a Catalyst 6500 Series FWSM interface, either from a host to the Catalyst 6500 Series FWSM or from the Catalyst 6500 Series FWSM to a host, which requires the ICMP reply to be allowed back.

Note  If only ping is required from the Catalyst 6500 Series FWSM to a host (only the echo reply back to the interface should be allowed), use the ICMP inspection engine instead of the icmp command.


Out-of-Band Management

* Disable pass-through traffic through the management interface
* Routed mode only

fwsm(config-if)#
management-only

* Dedicates the interface for management purpose

[Figure: FWSM with outside and inside interfaces and a dedicated management interface]

interface vlan10
management-only

An interface on a Catalyst 6500 Series FWSM can be dedicated for the management purpose. On such an interface, the traffic cannot pass through the Catalyst 6500 Series FWSM. Use the management-only command on the interface to achieve that.

Out-of-band management is available only in routed mode (in transparent mode this is the default behavior for the Bridge-Group Virtual Interface [BVI] interface).


Configuring AAA Services

Understanding AAA

* AAA services:
  - Authentication: Who are you?
  - Authorization: What are you allowed to do?
  - Accounting: What did you do?
* Discrete per context
* AAA database:
  - Local
  - Server-based:
    . RADIUS
    . TACACS+

[Figure: inside network 10.0.0.0/24 with an AAA server, the FWSM, and the outside network]

AAA Services Description

Authentication controls the access by validating user credentials, typically a username and password. The Catalyst 6500 Series FWSM can authenticate all administrative connections to the FWSM, including Telnet, SSH, console, ASDM (using HTTPS), VPN management access, privileged EXEC mode, and network access.

Authorization controls access per user after a user authenticates, and can authorize management commands, network access, and VPN access for management connections. If authorization is not enabled, authentication provides the same access to services for all authenticated users.

Note  If command authorization is turned on, the TFTP server commands are checked by the AAA server for authorization, which could result in delays in case many ACLs are configured.

Accounting is used to track traffic passing through the Catalyst 6500 Series FWSM, thus enabling user activity to be recorded. Accounting of the traffic can be done per user, if authentication is used. Otherwise, traffic is accounted per IP address. Accounting information includes session start and stop time, username, number of bytes passed for the session, the service used, and the duration of each session.

Note  In multiple context mode you cannot configure any AAA commands in the system configuration. However, if you configure Telnet authentication in the admin context, then authentication also applies to sessions from the switch to the Catalyst 6500 Series FWSM (which enters the system execution space).


Controlling Access to the FWSM

fwsm(config)#
aaa authentication {telnet | ssh | http} console {LOCAL | server_group [LOCAL]}

* AAA authentication for different access methods

fwsm(config)#
aaa authentication enable console {LOCAL | server_group [LOCAL]}

* AAA authorization for privileged EXEC level

fwsm(config)#
aaa accounting enable [privilege level] server_group

* AAA accounting for privileged EXEC level

Management access to the Catalyst 6500 Series FWSM can be controlled using AAA.

Authentication

Note  The LOCAL parameter is case sensitive.

Authorization

Caution  The user ID associated with the login session is lost if the system-wide enable password is used to authenticate.


The command structure of the Catalyst 6500 Series FWSM can also be assigned to different privilege levels with the privilege command configuration statement.

privilege [show | clear | configure] level level [mode {enable | configure}] command command

privilege Parameters

Parameter: show | clear | configure
Description: (Optional) These keywords allow you to set the privilege only for the show, clear, or configure form of the command. The configure form of the command is typically the form that causes a configuration change, either as the unmodified command (without the show or clear prefix) or as the no form. If you do not use one of these keywords, all forms of the command are affected.

Parameter: level level
Description: A level between 0 and 15.

Parameter: mode {enable | configure}
Description: (Optional) If a command can be entered in unprivileged or privileged mode, as well as in configuration mode, and the command performs different actions in each mode, you can set the privilege level for these modes separately. The enable parameter specifies both unprivileged mode and privileged mode, while the configure parameter specifies configuration mode, which is accessed using the configure terminal command.

Parameter: command command
Description: This parameter refers to the command that you are configuring. You can only configure the privilege level of the main command. For example, you can configure the level of all aaa commands, but not the level of the aaa authentication command and the aaa authorization command separately. Also, you cannot configure the privilege level of subcommands separately from the main command. Command authorization must be enabled if you specify nondefault command privilege levels. This is accomplished with the aaa authorization command LOCAL command.

Accounting
An accounting request is generated when a user logs into and logs out of the Catalyst 6500 Series FWSM through Telnet, SSH, or HTTP.
Command accounting is supported for management sessions. If command accounting is enabled, commands entered by the user are sent to the AAA server as accounting requests. Only TACACS+ is supported.

Troubleshooting AAA Services
When troubleshooting AAA services, the debug commands listed in the table can be used.

Troubleshooting AAA Services Commands

Command / Description

debug pix uauth
    Shows pix uauth (user authentication) debug messages.

debug radius
    Shows RADIUS debug messages for AAA.

debug tacacs
    Displays TACACS+ debug information.


Controlling Access to the FWSM: Example

[Figure: Inside Network 10.0.0.0/24 with the FWSM]

aaa authentication ssh console my-acs LOCAL
aaa authentication http console my-acs LOCAL
aaa authentication enable console my-acs LOCAL
!
username security-admin password p8ssworD

In the example, AAA services are used to authenticate SSH, ASDM (HTTP), and privileged EXEC mode access. The my-acs server group is consulted first; the LOCAL keyword makes the local user database, populated here with the username command, the fallback that is used only when the servers in my-acs are unreachable.


Controlling Access Through the FWSM

- Authenticate HTTP and SMTP traffic

aaa-server AUTHout protocol tacacs+
!
aaa-server AUTHout (inside) host 10.0.0.1
 key AAAuauthKey
!
access-list MAIL-AUTH extended permit tcp any any eq smtp
access-list MAIL-AUTH extended permit tcp any any eq www
aaa authentication match MAIL-AUTH inside AUTHout

[Figure: HTTP and SMTP traffic from the Inside Network (10.0.0.0/24) to a web server on the Outside Network (198.133.219.0/24); the AAA server is on the inside]

Traffic flow through the Catalyst 6500 Series FWSM can be controlled with AAA.

To check the credentials of a client accessing the web server, the AAA mechanisms can be used. The sequence is as follows:

Step 1  The client tries to open an HTTP or SMTP session.

Step 2  The packet hits the Catalyst 6500 Series FWSM, which authenticates the user in cooperation with the AAA server.

Step 3  If the user provided correct credentials, the traffic destined to the HTTP or SMTP server is allowed; otherwise, the traffic is dropped.

Authentication
Users can be prompted to authenticate themselves to the Catalyst 6500 Series FWSM before gaining access to network resources. For FTP, HTTP, and Telnet traffic that requires user authentication, the FWSM first authenticates the user and then passes the traffic to the requested destination. Other protocols can be configured to require user authentication that must first be performed via FTP, HTTP, or Telnet to the FWSM. This can be done by accessing a network resource through a connection that requires authentication, or by connecting to a virtual server configured on the FWSM that provides authentication.

Virtual servers on the FWSM can be created using the virtual http or virtual telnet commands.

Traffic flows that require authentication are specified by creating an extended ACL. The ACL is then specified in the aaa authentication match command. Alternatively, you can use the aaa authentication include command, which identifies the traffic within the command itself. However, you cannot use both methods in the same configuration.

The local database can support cut-through proxy authentication. It can be populated using the username password command. The local database is selected by adding the LOCAL parameter to the aaa authentication command.


Authorization

Traffic flows that are checked for authorized access by a TACACS+ server are specified by creating an extended ACL. The ACL is then used in the aaa authorization match command. Alternatively, you can use the aaa authorization include command. The beginning of each traffic flow causes a query to be sent to the TACACS+ server with the parameters of the traffic flow. The TACACS+ server returns a permit or deny indication.

Note: Details on configuring the TACACS+ and RADIUS servers for connection authorization can be found in the FWSM Configuration Guide.

Accounting

Troubleshooting AAA Services
When troubleshooting AAA services, the show and debug commands listed in the table can be used.

Troubleshooting AAA Services Commands

Command / Description

show uauth
    Displays one or all currently authenticated users (except for management sessions), the host IP to which they are bound, and any cached IP and port authorization information.

show np
    Displays information about the network processors.

debug pix uauth
    Shows pix uauth debug messages.


Creating Server Groups

aaa-server AUTHIn protocol tacacs+
 max-failed-attempts 2
!
aaa-server AUTHIn (inside) host 10.0.0.2
 key AAAuauthKey

[Figure: web server on the Outside Network (198.133.219.0/24); AAA server on the Inside Network (10.0.0.0/24)]

The aaa-server command is used to identify the AAA servers being used for authentication, while the aaa authentication match command identifies the source and destination addresses of the traffic that needs to be authenticated.

Identify the AAA servers first by creating the server group, using the aaa-server command.

aaa-server server_group protocol {kerberos | ldap | nt | radius | sdi | tacacs+}

aaa-server Parameters

Parameter / Description

server_group
    Specifies a name given to the server group.

kerberos | ldap | nt | radius | sdi | tacacs+
    Specifies the server type.

Each server group is limited to one server type. The Catalyst 6500 Series FWSM contacts the first server in the group, and if it is unavailable, it tries contacting the remaining servers in order. If all servers are unavailable, the FWSM attempts to use the local database, if the local database is configured as a fallback method of authentication. A reachable server that rejects the credentials is a final answer; the local database is not consulted in that case.

After you enter the aaa-server command, the FWSM takes you to server group configuration mode, where additional parameters, such as max-failed-attempts, can be set.

Next, use the aaa-server host command to define the server and the server group to which it belongs.

aaa-server server_group [(interface_name)] host server_ip [key] [timeout seconds]


aaa-server host Parameters

Parameter / Description

server_group
    Specifies the name of the AAA server group as defined by the aaa-server command. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

(interface_name)
    Specifies the network interface where the authentication server resides. The parentheses are required in this parameter.

server_ip
    Specifies the IP address of the AAA server.

key
    (Optional) A case-sensitive, alphanumeric keyword of up to 127 characters. Spaces are not permitted in the key, but other special characters are permitted. The key is used between the FWSM and the server for encrypting data between them.

timeout seconds
    (Optional) Specifies the timeout interval for the request. This is the time after which the FWSM gives up on the request to the primary AAA server. If there is a standby AAA server, the FWSM sends the request to the backup server. You can modify the timeout interval using the timeout command in host mode.

Following this command, the FWSM takes you to host mode, where you configure additional host mode parameters, such as the accounting port and authentication port to be used.
The sample network shown in the figure has one TACACS+ server.
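The server-selection order described above (first server, then the remaining servers in order, then LOCAL only as a configured fallback when every server is unreachable) is easy to get wrong when reading a line such as aaa authentication ssh console my-acs LOCAL. The following Python model is an added example, not FWSM code: the servers, their reachability, the credential stores and the username command entry are constructed, and max-failed-attempts is modelled as the number of consecutive failed contacts after which a server is skipped.

```python
"""Server-group selection order for 'aaa authentication ... my-acs LOCAL'.

Added example, not FWSM code. Servers, reachability and credential stores
are constructed; max-failed-attempts is modelled as consecutive failed
contacts after which a server is marked deactivated and skipped.
"""
from dataclasses import dataclass, field


@dataclass
class AaaServer:
    host: str
    reachable: bool                               # constructed: answers within the timeout?
    users: dict = field(default_factory=dict)     # constructed credential store
    failures: int = 0
    deactivated: bool = False


@dataclass
class ServerGroup:
    name: str
    protocol: str                 # e.g. "tacacs+"; one server type per group
    servers: list                 # contacted in configured order
    max_failed_attempts: int = 3  # assumed default for the model


def authenticate(group, username, password, local_db=None, local_fallback=False):
    """Return (decision, source).

    First server in the group, then the remaining servers in order; LOCAL is
    used only if every server is unavailable and LOCAL was configured as the
    fallback. A reachable server that rejects the user is final: a wrong
    password never falls through to the local database.
    """
    for srv in group.servers:
        if srv.deactivated:
            continue
        if not srv.reachable:
            srv.failures += 1
            if srv.failures >= group.max_failed_attempts:
                srv.deactivated = True
            continue
        srv.failures = 0
        decision = "accept" if srv.users.get(username) == password else "reject"
        return decision, f"{group.name}:{srv.host}"
    if local_fallback and local_db is not None:
        decision = "accept" if local_db.get(username) == password else "reject"
        return decision, "LOCAL"
    return "reject", "no-server"


def demo():
    """my-acs with one dead and one live TACACS+ server, LOCAL as fallback."""
    dead = AaaServer("10.0.0.3", reachable=False)
    live = AaaServer("10.0.0.4", reachable=True, users={"alice": "s3cret"})
    my_acs = ServerGroup("my-acs", "tacacs+", [dead, live], max_failed_attempts=2)
    local = {"security-admin": "p8ssworD"}   # the username command of the example
    results = [
        authenticate(my_acs, "alice", "s3cret", local, local_fallback=True),
        authenticate(my_acs, "alice", "wrong", local, local_fallback=True),
    ]
    live.reachable = False   # now every server is down: LOCAL is tried only if configured
    results.append(authenticate(my_acs, "security-admin", "p8ssworD", local, local_fallback=True))
    results.append(authenticate(my_acs, "security-admin", "p8ssworD", local, local_fallback=False))
    return results, dead.deactivated


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The second call shows the point that matters operationally: a bad password against a reachable server is rejected outright, so LOCAL is a fallback for server outages, not a second chance for credentials.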


Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
- The Cisco Catalyst 6500 Series FWSM does not have a physical console port.
- SSH provides secure remote terminal access.
- The ASDM GUI uses HTTPS to access the Catalyst 6500 Series FWSM.
- VPN-based access can be used to encrypt the management traffic.
- ICMP to and from the Catalyst 6500 Series FWSM has to be explicitly enabled.
- An interface can be dedicated for management access only.
- Access methods can be combined with AAA services.
- AAA can be used to authenticate users accessing servers through the FWSM.
- AAA can use a local database or an external RADIUS or TACACS+ server.


Lesson 3

Implementing ACLs
Overview

Objectives
Upon completing this lesson, you will be able to describe and configure ACLs on the Cisco Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:

- Describe the Layer 2 filtering options on the Catalyst 6500 Series FWSM
- Describe the steps required to configure MAC address table manipulation
- Describe the steps required to configure Address Resolution Protocol (ARP) inspection
- Describe the steps required to deploy ethertype filters
- Describe filtering with ACLs on the FWSM
- Describe the steps used to configure and verify ACL configuration and operation

Configuring Layer 2 Filtering

This topic explains the need for Layer 2 filtering options, and describes how to configure MAC address table manipulation, ARP inspection, and ethertype filtering.

Traffic Filtering on Layer 2

- Layer 2 traffic is passed between the FWSM interfaces
- Transparent mode only
- Methods:
  - Static MAC address table entries
  - ARP inspection
  - Ethertype ACLs

[Figure: hosts MAC A, MAC B, MAC C and MAC D, and ARP traffic, crossing the transparent FWSM between the Outside Network (10.0.0.0/24) and the Inside Network (10.0.0.0/24)]

Unauthorized access to resources and information, diverting traffic to a different destination, and compromising resource availability with denial of service (DoS) are attacks that can also be triggered on Layer 2. Spoofing of MAC addresses, injecting rogue Bridge Protocol Data Units (BPDUs), and poisoning ARP are some of the examples.

To protect and guard against such attacks, Layer 2 filtering is used. Layer 2 filtering is performed upon Layer 2 information, such as MAC address, protocol type, or MAC-to-IP mapping.

FWSM and Layer 2 Security

Layer 2 attacks pertain to the Catalyst 6500 Series FWSM in the transparent mode of operation. The Catalyst 6500 Series FWSM offers security to be implemented on Layer 2 with these mechanisms:

- Configuring static MAC address table entries
- Deploying ARP inspection
- Using ethertype ACLs


Customizing the MAC Address Table

To guard against MAC address spoofing:
- Add static MAC entries
- Lower the MAC table aging timer
- Disable MAC address learning on untrusted interfaces

[Figure: transparent FWSM bridging the Outside Network (10.0.0.0/24) and the Inside Network (10.0.0.0/24); MAC addresses 0009.7cbe.2100, 0050.56c0.0001 and 0016.76db.c084 shown on the outside]

mac-address-table static outside 0009.7cbe.2100
mac-address-table static outside 0050.56c0.0001
mac-address-table static outside 0016.76db.c084
mac-learn outside disable

Note: This operation pertains only to the Catalyst 6500 Series FWSM operating in transparent mode.


MAC Address Table Attack and Remedy

MAC address spoofing is used by attackers to divert traffic on Layer 2. To assist in guarding against MAC spoofing, these functionalities can be used:

- Adding static MAC addresses to the MAC address table
- Controlling the time a MAC address remains in the MAC address table by configuring the aging timer
- Disabling MAC address learning on the interfaces that are not trusted

With static MAC entries configured, if a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, the Catalyst 6500 Series FWSM drops the traffic and generates a system message.

Configuring MAC Address Table Customization

The commands listed in the table are used to configure the previously mentioned functionalities.

Configuring MAC Address Table Customization Commands

Command / Description

mac-address-table static interface_name mac_address
    Adds a static MAC address to the table. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, the FWSM drops the traffic and generates a system log message.

mac-address-table aging-time timeout_value
    Defines the timeout value for dynamic MAC address table entries. The default is 5 minutes, and it can be set between 5 and 720 minutes (12 hours).

mac-learn interface_name disable
    Disables dynamic learning of the MAC addresses of entering traffic. If learning is disabled, static entries must be configured; otherwise, the FWSM does not allow traffic to pass through.

Note: These commands are only available when the Catalyst 6500 Series FWSM or context is operating in transparent mode.

In the example in the figure, static MAC entries are configured in the table for the outside interface to prevent spoofing of those MAC addresses. Additionally, dynamic MAC learning is disabled on the outside interface to further strengthen MAC address table security.
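The three controls above interact: a static entry pins a MAC to an interface, the aging timer bounds how long a dynamically learned entry survives, and mac-learn disable turns an interface into one where only statically known source MACs are accepted. The following Python model of a transparent-mode bridge table is an added example, not FWSM code; the table, the frames and the minute-based clock are constructed, and the forwarding checks follow the behaviour described in the text above.

```python
"""Static MAC entries, aging timer and mac-learn disable on a transparent-mode
bridge table. Added example, not FWSM code; frames and clock are constructed.
"""


class MacTable:
    def __init__(self, interfaces=("inside", "outside"), aging_minutes=5):
        self.static = {}          # mac -> interface  (mac-address-table static)
        self.dynamic = {}         # mac -> (interface, minute last seen)
        self.aging = aging_minutes
        self.learning = {i: True for i in interfaces}
        self.syslog = []

    def add_static(self, interface, mac):
        self.static[mac.lower()] = interface

    def set_aging_time(self, minutes):
        # mac-address-table aging-time: 5 to 720 minutes, default 5
        if not 5 <= minutes <= 720:
            raise ValueError("aging-time must be 5..720 minutes")
        self.aging = minutes

    def mac_learn(self, interface, enable):
        self.learning[interface] = enable     # mac-learn <interface> disable

    def expire(self, now):
        self.dynamic = {m: (i, t) for m, (i, t) in self.dynamic.items()
                        if now - t < self.aging}

    def ingress(self, interface, src_mac, now):
        """Return 'forward' or 'drop' for a frame from src_mac arriving on interface."""
        self.expire(now)
        src_mac = src_mac.lower()
        if src_mac in self.static:
            if self.static[src_mac] != interface:
                self.syslog.append(f"static MAC {src_mac} bound to "
                                   f"{self.static[src_mac]} seen on {interface}: dropped")
                return "drop"          # spoof of a statically bound address
            return "forward"
        if self.learning[interface]:
            self.dynamic[src_mac] = (interface, now)
            return "forward"
        return "drop"                  # learning disabled and no static entry

    def lookup(self, mac, now):
        """Interface the table currently associates with mac, or None."""
        self.expire(now)
        mac = mac.lower()
        if mac in self.static:
            return self.static[mac]
        return self.dynamic.get(mac, (None, None))[0]


def demo():
    t = MacTable()
    for mac in ("0009.7cbe.2100", "0050.56c0.0001", "0016.76db.c084"):
        t.add_static("outside", mac)    # the three static entries of the figure
    t.mac_learn("outside", False)       # mac-learn outside disable
    return {
        "spoof": t.ingress("inside", "0009.7cbe.2100", now=0),    # outside MAC seen inside
        "legit": t.ingress("outside", "0009.7cbe.2100", now=0),
        "unknown_outside": t.ingress("outside", "00aa.bbcc.dd01", now=0),
        "inside_learn": t.ingress("inside", "0011.2233.4455", now=0),
        "before_aging": t.lookup("0011.2233.4455", now=4),
        "after_aging": t.lookup("0011.2233.4455", now=5),
        "syslog": len(t.syslog),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the inside interface still learns dynamically in this model, so a host there can be displaced by a later frame from the same MAC; lowering the aging timer limits how long a poisoned dynamic entry stays valid, while only a static entry makes the binding immune to it.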


Enabling ARP Inspection

ARP spoofing prevention:
- Control the ARP packet flow
- Compare MAC/IP and source interface to the static entry
- Permit or deny the packet

[Figure: ARP Request crossing the transparent FWSM between the Outside Network (10.0.0.0/24; host 10.0.0.1 at 0009.7cbe.2100) and the Inside Network (10.0.0.0/24; host 0016.76db.c084)]

arp outside 10.0.0.1 0009.7cbe.2100
arp-inspection outside enable flood

Note: ARP inspection settings apply to all bridge groups within a context.

Configuring ARP Inspection
The commands listed in the table are used for ARP inspection.

Configuring ARP Inspection Commands

Command / Description

arp interface_name ip_address mac_address
    Adds a static ARP entry.

arp-inspection interface_name enable [flood | no-flood]
    Enables ARP inspection. The flood option (which is the default) makes the FWSM forward nonmatching ARP packets out all interfaces, as opposed to no-flood, which results in those packets being dropped.

Note: In transparent mode, the Catalyst 6500 Series FWSM uses dynamic ARP entries in the ARP table for traffic to and from the FWSM, such as management traffic.

To verify and examine the ARP inspection operation, use the show arp-inspection command. The output of this command for the example in the figure shows that ARP inspection is enabled for the outside interface, and nonmatching ARP packets are flooded out all interfaces.

fwsm# show arp-inspection
interface    arp-inspection    miss
outside      enabled           flood
inside       disabled
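The decision ARP inspection makes for each packet has three outcomes, and the difference between a mismatch (dropped) and no match at all (flooded or dropped depending on the option) is where operators are most often surprised. The following Python model is an added example, not FWSM code: it parses the arp and arp-inspection lines of the figure, compares the sender MAC, IP and ingress interface of a constructed ARP packet with the static entries, and returns the outcome. The parse_config, inspect_arp and show_arp_inspection names are this example's own.

```python
"""ARP inspection decision as described in the text. Added example, not FWSM
code; configuration lines and ARP packets are constructed from the figure.
"""


def parse_config(lines):
    """Return (static_entries, inspection) from 'arp' and 'arp-inspection' lines."""
    entries = []        # (interface, ip, mac)
    inspection = {}     # interface -> 'flood' | 'no-flood' | 'disabled'
    for line in lines:
        tok = line.split()
        if tok[:1] == ["arp"] and len(tok) == 4:
            entries.append((tok[1], tok[2], tok[3].lower()))
        elif tok[:1] == ["arp-inspection"] and len(tok) >= 3:
            if tok[2] == "enable":
                inspection[tok[1]] = tok[3] if len(tok) > 3 else "flood"  # flood is the default
            else:
                inspection[tok[1]] = "disabled"
    return entries, inspection


def inspect_arp(entries, inspection, iface, sender_ip, sender_mac):
    """Return 'forward', 'drop' or 'flood' for an ARP packet received on iface."""
    mode = inspection.get(iface, "disabled")
    if mode == "disabled":
        return "forward"                      # inspection is off on this interface
    sender_mac = sender_mac.lower()
    related = [e for e in entries if e[1] == sender_ip or e[2] == sender_mac]
    if not related:
        return "flood" if mode == "flood" else "drop"   # no static entry at all
    if any(e == (iface, sender_ip, sender_mac) for e in related):
        return "forward"                      # interface, IP and MAC all match
    return "drop"                             # IP or MAC known, binding differs: spoof


def show_arp_inspection(inspection, interfaces):
    """Rows shaped like the show arp-inspection output: (interface, state, miss)."""
    rows = []
    for i in interfaces:
        mode = inspection.get(i, "disabled")
        state = "disabled" if mode == "disabled" else "enabled"
        rows.append((i, state, mode if state == "enabled" else "-"))
    return rows


CONFIG = [                                  # constructed, mirrors the figure
    "arp outside 10.0.0.1 0009.7cbe.2100",
    "arp-inspection outside enable flood",
]


def demo():
    entries, inspection = parse_config(CONFIG)
    strict = dict(inspection, inside="no-flood")   # variant with inspection on inside too
    return {
        "good": inspect_arp(entries, inspection, "outside", "10.0.0.1", "0009.7cbe.2100"),
        "spoofed_mac": inspect_arp(entries, inspection, "outside", "10.0.0.1", "0016.76db.c084"),
        "spoofed_ip": inspect_arp(entries, inspection, "outside", "10.0.0.9", "0009.7cbe.2100"),
        "unknown_flood": inspect_arp(entries, inspection, "outside", "10.0.0.7", "00aa.bbcc.dd02"),
        "inside_not_inspected": inspect_arp(entries, inspection, "inside", "10.0.0.1", "0009.7cbe.2100"),
        "wrong_iface": inspect_arp(entries, strict, "inside", "10.0.0.1", "0009.7cbe.2100"),
        "unknown_no_flood": inspect_arp(entries, strict, "inside", "10.0.0.7", "00aa.bbcc.dd02"),
        "show": show_arp_inspection(inspection, ["outside", "inside"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The inside_not_inspected case is worth noticing: with the figure's configuration, the same spoof-looking packet is accepted on the inside interface simply because inspection is enabled only on outside, and a host that has no static entry is still flooded through unless no-flood is chosen.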


Ethertype ACL
- Control non-IP and ARP Layer 2 traffic per ethertype
- Connectionless: must be applied to both interfaces

[Figure: BPDU and ARP (0x0806) frames between the Inside Network (10.0.0.0/24) and the Outside Network (10.0.0.0/24) through the transparent FWSM]

access-list ETHER ethertype deny bpdu
access-list ETHER ethertype permit 0x0806
!
access-group ETHER in interface inside
access-group ETHER in interface outside

Note: If you use failover, you must allow BPDUs on both interfaces with an ethertype ACL to avoid bridging loops.

Configuring Ethertype Filtering

Enabling ethertype filtering is a two-step process:

Step 1  Configure the ethertype ACL.

Step 2  Apply the configured ACL to the interfaces.

The access-list ethertype command configures an ACL that controls traffic based on its ethertype. The hex_number parameter is a 16-bit hexadecimal number greater than or equal to 0x600. Refer to the Assigned Numbers section of RFC 1700 (http://tools.ietf.org/html/rfc1700) for a list of ethertypes.

The access-group command is used to apply the ACL to an interface in either the ingress or egress direction. Traffic that enters the Catalyst 6500 Series FWSM is controlled by an inbound ACL on the source interface. Traffic that exits the FWSM is controlled by an outbound ACL on the destination interface.

In any case, to allow any traffic to enter the Catalyst 6500 Series FWSM, an inbound ACL must be attached to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface.

By default, traffic can exit the Catalyst 6500 Series FWSM on any interface unless it is restricted by an outbound ACL, which adds restrictions to those already configured in the inbound ACL.

In the example in the figure, BPDU traffic is blocked, while ARP is permitted. The ACL is applied to both the inside and outside interfaces in the ingress direction; because ethertype ACLs are connectionless, an ACL applied to only one interface would leave frames entering on the other interface uncovered.

To verify and examine the ACL configuration and operation, use the show access-list command.

fwsm# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ETHER; 2 elements
access-list ETHER ethertype deny bpdu (hitcount=0)
access-list ETHER ethertype permit 0x0806 (hitcount=414)

Note: For more information on ethertype values, refer to RFC 1700.
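The following Python model of the two-step ethertype filtering procedure is an added example, not FWSM code. It parses access-list ... ethertype and access-group lines, enforces the rule that a numeric ethertype must be at least 0x600, evaluates constructed frames first-match with an implicit deny, and requires a binding per interface because the filter is connectionless. A BPDU is modelled as an 802.3 frame whose type/length field is below 0x600 and whose LLC DSAP is 0x42; the ipx and mpls keyword values follow the ASA/FWSM syntax and are an assumption beyond what the page lists.

```python
"""Ethertype ACL parsing and first-match evaluation. Added example, not FWSM
code; the keyword table and the sample frames are constructed.
"""

ETHERTYPE_KEYWORDS = {"ipx": 0x8137, "mpls-unicast": 0x8847, "mpls-multicast": 0x8848}
BPDU_DSAP = 0x42          # IEEE 802.1D BPDUs are LLC frames with DSAP/SSAP 0x42


def parse_ethertype(token):
    """Return a keyword matcher or an integer ethertype; reject values below 0x600."""
    if token in ("any", "bpdu") or token in ETHERTYPE_KEYWORDS:
        return token
    value = int(token, 16)
    if value < 0x600:
        raise ValueError(f"ethertype {token} must be >= 0x600")
    return value


def is_valid_ethertype(token):
    try:
        parse_ethertype(token)
        return True
    except ValueError:
        return False


class EthertypeFilter:
    def __init__(self):
        self.acls = {}       # name -> [(action, matcher)]
        self.bound = {}      # (interface, direction) -> ACL name

    def add(self, line):
        # access-list NAME ethertype {permit|deny} {bpdu|ipx|mpls-*|any|hex}
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "ethertype":
            raise ValueError(f"not an ethertype ACL line: {line}")
        self.acls.setdefault(tok[1], []).append((tok[3], parse_ethertype(tok[4])))

    def access_group(self, line):
        # access-group NAME in interface IFACE
        tok = line.split()
        self.bound[(tok[4], tok[2])] = tok[1]

    @staticmethod
    def _matches(matcher, frame):
        etype, dsap = frame          # (type/length field, LLC DSAP or None)
        if matcher == "any":
            return True
        if matcher == "bpdu":
            return etype < 0x600 and dsap == BPDU_DSAP
        if matcher in ETHERTYPE_KEYWORDS:
            return etype == ETHERTYPE_KEYWORDS[matcher]
        return etype == matcher

    def evaluate(self, interface, frame):
        """(decision, reason) for a frame entering interface: first match, implicit deny."""
        name = self.bound.get((interface, "in"))
        if name is None:
            return "deny", "no ethertype ACL on interface"   # nothing bound: dropped
        for n, (action, matcher) in enumerate(self.acls[name], 1):
            if self._matches(matcher, frame):
                return action, f"{name} entry {n}"
        return "deny", "implicit deny"


def demo():
    f = EthertypeFilter()
    f.add("access-list ETHER ethertype deny bpdu")
    f.add("access-list ETHER ethertype permit 0x0806")
    f.access_group("access-group ETHER in interface inside")   # deliberately only inside
    bpdu, arp, ipx = (0x26, BPDU_DSAP), (0x0806, None), (0x8137, None)
    return {
        "bpdu_inside": f.evaluate("inside", bpdu),
        "arp_inside": f.evaluate("inside", arp),
        "ipx_inside": f.evaluate("inside", ipx),
        "arp_outside": f.evaluate("outside", arp),   # connectionless: needs its own binding
    }


if __name__ == "__main__":
    print(demo())
```

The arp_outside result is the practical reason for the second access-group line in the figure: without it, ARP arriving on the outside interface is dropped even though the same ACL permits it on the inside.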


Configuring ACLs

Standard ACL
- Identifies traffic per destination address only
- Cannot be applied to interfaces for traffic control
- Used to control redistribution of OSPF routes

fwsm(config)#
access-list access_list_name standard {deny | permit} {any | ip_address mask}
- Configures a standard ACL

access-list OSPF standard permit 192.168.1.0 255.255.255.0

Note: The ACL takes a mask parameter instead of wildcards as on Cisco IOS routers.

Extended ACL
- Identifies traffic with an entry per protocol, source and destination IP address, source and destination port, and ICMP type
- Connection-oriented
- First match, top-to-bottom order of processing
- Implicit deny

fwsm(config)#
access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]
- Configures an extended ACL

fwsm(config)#
access-group access_list_name {in | out} interface interface_name
- Applies the ACL to an interface

An extended ACL is made up of one or more access control entries (ACEs). An ACE is a single entry in an ACL that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and optionally the source and destination ports.

An added ACE for a given ACL name is appended at the end of the ACL, unless it is specified with the line number.

Extended ACLs are connection-oriented; therefore, they do not need to be applied on both the incoming and the outgoing interface. Return traffic of a permitted connection is accepted without a matching entry on the other interface.

ACL Processing
The ACL is processed until the first match, from top to bottom. When the Catalyst 6500 Series FWSM is inspecting an ACL to decide whether to drop or forward a packet, the packet is tested against the ACEs in the order in which they are listed. When an ACE matches a packet, the FWSM ceases to test the ACEs. Therefore, the order of ACEs in an ACL is relevant.

ACLs have an implicit deny at the end of the list. Therefore, unless traffic is explicitly permitted, it is dropped.


ACL Configuration
To define and configure an extended ACL, use the access-list extended and access-group commands.
The access-list extended command adds an ACE to an ACL.

access-list extended Parameters

Parameter / Description

access_list_name
    Specifies the name of the ACL.

line line_number
    Permits entries to be inserted into the ACL. If not mentioned, new entries are added to the bottom of the ACL.

protocol
    Specifies the protocol to match (for example, IP, TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Enhanced Interior Gateway Routing Protocol (EIGRP), Generic Routing Encapsulation (GRE), OSPF, and so on).

source_address mask, dest_address mask
    Specifies the source (destination) IP network or address and mask.

operator
    Specifies the operator used to compare the port number (greater than (gt), less than (lt), equal (eq), not equal (neq), or range).

port
    Specifies the TCP/UDP port number.

icmp_type
    Specifies the ICMP message type when ICMP packets are matched.

inactive
    Makes an ACE inactive without removing it from the ACL itself. To re-enable a previously inactive ACE, re-enter the command without the inactive keyword.

The access-group command applies the configured ACL to an interface in the ingress or egress direction.

Manipulating ACLs

Note: Reordering ACEs might cause a drop in performance.

Controlling Traffic from the Inside

[Figure: Web/Mail Server 192.168.1.100 on the DMZ (192.168.1.0/24); IRC and SMTP traffic from the Inside Network (10.0.0.0/24) toward the Internet (Outside, 198.133.219.0/24)]

access-list corp line 5 extended deny tcp any any eq irc
access-list corp line 10 extended permit tcp any host 192.168.1.100 eq smtp
access-list corp line 15 extended deny tcp any any eq smtp
access-list corp line 20 extended permit ip any any
access-list corp line 25 extended permit icmp any any
!
access-group corp in interface inside

In this example, the traffic is inspected when it enters the inside interface, that is, when it was initiated in the inside segment:

- All Internet Relay Chat (IRC) traffic initiated from the inside segment, from any source to any destination, is dropped.
- Simple Mail Transfer Protocol (SMTP) traffic destined to the web/mail server at 192.168.1.100 on the demilitarized zone (DMZ), from any source, is permitted.
- All other SMTP traffic is dropped.
- All other IP and ICMP traffic is permitted.

Since extended ACLs are connection-oriented, the return SMTP traffic from the web/mail server in the DMZ, as well as the return traffic of all other permitted connections from the DMZ and outside segments, is also permitted without an ACL on those interfaces.
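The ACL Processing rules (first match, implicit deny, line insertion) and the corp example above can be exercised directly. The following Python evaluator is an added example, not FWSM code: it parses the corp ACL lines, inserts each at the position given by its line keyword, binds the ACL inbound like access-group, and keeps a connection table so that the reply of a permitted TCP/UDP flow is accepted on the other interface without an ACL there. Only inbound ACLs are modelled, the port-name table is a constructed subset, and the packets are constructed.

```python
"""First-match extended ACL evaluation with line insertion, implicit deny and
connection-oriented return traffic. Added example, not FWSM code.
"""
import ipaddress

PORTS = {"irc": 194, "smtp": 25, "www": 80, "http": 80, "domain": 53, "ssh": 22}
PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}     # None matches any protocol


def _port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)


def _addr(tok):
    """Consume any | host A | A MASK from the front of tok; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]   # subnet mask, not wildcard


def _ports(tok):
    """Optional eq|gt|lt|neq P or range P Q; return (spec, rest)."""
    if tok and tok[0] in ("eq", "gt", "lt", "neq"):
        return (tok[0], _port(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return ("range", _port(tok[1]), _port(tok[2])), tok[3:]
    return None, tok


def _port_ok(spec, port):
    if spec is None:
        return True
    op, a = spec[0], spec[1]
    return {"eq": port == a, "neq": port != a, "gt": port > a, "lt": port < a,
            "range": a <= port <= spec[-1]}[op]


def parse_ace(line):
    """access-list NAME [line N] [extended] {permit|deny} PROTO SRC [ports] DST [ports] [inactive]"""
    tok = line.split()
    name, tok = tok[1], tok[2:]
    pos = None
    if tok[0] == "line":
        pos, tok = int(tok[1]), tok[2:]
    if tok[0] == "extended":
        tok = tok[1:]
    action, proto, tok = tok[0], PROTO[tok[1]], tok[2:]
    src, tok = _addr(tok)
    sport, tok = _ports(tok)
    dst, tok = _addr(tok)
    dport, tok = _ports(tok)
    return dict(name=name, pos=pos, action=action, proto=proto, src=src,
                sport=sport, dst=dst, dport=dport, inactive="inactive" in tok)


class Fwsm:
    def __init__(self):
        self.acls = {}      # name -> ACEs in line order
        self.bound = {}     # (interface, direction) -> ACL name
        self.conns = set()  # permitted TCP/UDP flows (proto, src, sport, dst, dport)

    def add(self, line):
        ace = parse_ace(line)
        acl = self.acls.setdefault(ace["name"], [])
        # 'line N' inserts at position N (1-based); without it the ACE goes to the end
        acl.insert(len(acl) if ace["pos"] is None else min(ace["pos"] - 1, len(acl)), ace)

    def access_group(self, name, direction, interface):
        self.bound[(interface, direction)] = name

    def packet(self, iface_in, proto, src, dst, sport=0, dport=0):
        """Return (decision, reason) for a packet entering iface_in."""
        p, s, d = PROTO[proto], ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (p, d, dport, s, sport) in self.conns:
            return "permit", "existing connection"      # reply of a permitted flow
        name = self.bound.get((iface_in, "in"))
        if name is None:
            return "deny", "no inbound ACL on interface"
        for n, ace in enumerate(self.acls[name], 1):
            if ace["inactive"] or ace["proto"] not in (None, p):
                continue
            if s not in ace["src"] or d not in ace["dst"]:
                continue
            if not (_port_ok(ace["sport"], sport) and _port_ok(ace["dport"], dport)):
                continue
            if ace["action"] == "permit" and p in (6, 17):
                self.conns.add((p, s, sport, d, dport))
            return ace["action"], f"{name} line {n}"      # first match wins
        return "deny", "implicit deny"


CORP = [   # the corp ACL of the example, in the order it was entered
    "access-list corp line 5 extended deny tcp any any eq irc",
    "access-list corp line 10 extended permit tcp any host 192.168.1.100 eq smtp",
    "access-list corp line 15 extended deny tcp any any eq smtp",
    "access-list corp line 20 extended permit ip any any",
    "access-list corp line 25 extended permit icmp any any",
]


def demo():
    fw = Fwsm()
    for line in CORP:
        fw.add(line)
    fw.access_group("corp", "in", "inside")
    return {
        "irc": fw.packet("inside", "tcp", "10.0.0.5", "198.133.219.9", 40000, 194),
        "smtp_dmz": fw.packet("inside", "tcp", "10.0.0.5", "192.168.1.100", 40001, 25),
        "smtp_reply": fw.packet("dmz", "tcp", "192.168.1.100", "10.0.0.5", 25, 40001),
        "smtp_other": fw.packet("inside", "tcp", "10.0.0.5", "198.133.219.9", 40002, 25),
        "icmp": fw.packet("inside", "icmp", "10.0.0.5", "198.133.219.9"),
        "dmz_new": fw.packet("dmz", "tcp", "192.168.1.100", "10.0.0.5", 25, 5555),
    }
```

Two results are instructive. The smtp_reply packet is permitted on the dmz interface although no ACL is bound there, which is what connection-oriented means in practice; the dmz_new packet, a fresh connection from the same server, is dropped because nothing is bound inbound on dmz. And the icmp packet is matched by the permit ip any any entry at line 4, so under first-match processing the final icmp entry of the corp ACL can never be reached.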


Controlling Traffic from the DMZ

[Figure: Web/Mail Server 192.168.1.100 on the DMZ (192.168.1.0/24); IRC and ICMP traffic from the DMZ toward the Internet (Outside, 198.133.219.0/24) and the Inside Network (10.0.0.0/24)]

access-list server line 5 extended deny tcp any any eq irc
access-list server line 10 extended permit icmp any any
!
access-group server in interface dmz

In this example, traffic initiated in the DMZ is inspected when it enters the dmz interface: IRC is dropped, ICMP is permitted, and any other connection initiated by the DMZ servers is dropped by the implicit deny. Return traffic of connections permitted on the other interfaces is still allowed, because extended ACLs are connection-oriented.


Controlling Traffic from the Outside

[Figure: Web/Mail Server 192.168.1.100 on the DMZ (192.168.1.0/24); SMTP, WWW and ICMP traffic from the Internet (Outside, 198.133.219.0/24); Inside Network 10.0.0.0/24]

access-list public line 5 extended permit tcp any host 198.133.219.25 eq www
access-list public line 10 extended permit tcp any host 198.133.219.25 eq smtp
access-list public line 15 extended permit icmp any any
!
access-group public in interface outside

In this example, the traffic is inspected when it enters the outside interface, that is, when it was initiated in the outside segment:

- HTTP and SMTP traffic destined to the web/mail server in the DMZ is permitted. The server is translated into the public IP address 198.133.219.25 towards the Internet, so the ACL on the outside interface references the translated address, not 192.168.1.100.
- All ICMP traffic is permitted.
- All other IP traffic initiated by clients in the Internet is dropped due to the implicit deny.


Enhancing Extended ACLs

- Time-based ACLs: use a time range to control ACL usage
- Controlling ACL logging with the log option

fwsm(config)#
time-range name

fwsm(config-time-range)#
periodic days-of-the-week time to [days-of-the-week] time
absolute start time date [end time date]
- Configures a time range

fwsm(config)#
access-list access_list_name [extended] {deny | permit} ... [log [[level] [interval secs] | disable | default]] [time-range name]
- Enables logging or a time range per entry

Time-Based ACLs

A time range can be applied to the ACE to schedule the ACE to be activated at specific times of the day and week. Multiple time ranges can be defined.
The commands listed in the table are used to deploy time-based ACLs.

Time-Based ACLs Commands

Command / Description

time-range name
periodic days-of-the-week time to [days-of-the-week] time
    Specifies the recurring time range per weekday (Monday through Sunday, daily, weekdays, weekend) and time of the day.

time-range name
absolute start time date [end time date]
    Specifies an absolute start and end time.

access-list access_list_name [extended] {deny | permit} ... [time-range name]
    Applies the configured time range when an ACE is created. The specified time-range option on the ACL describes the allowed access time.

Note: If a time-range command has both absolute and periodic values specified, the periodic option is evaluated only after the absolute start time is reached, and is not evaluated any further after the absolute end time is reached.
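The Note above defines how the absolute and periodic parts of a time range combine, and that rule is the one people most often misread when an ACE unexpectedly stays inactive. The following Python model is an added example, not FWSM code: it parses constructed time-range lines (periodic with a day group, a list of days, or a span across days, and absolute start/end) and evaluates whether the range is active at a given timestamp, consulting the periodic entries only inside the absolute window. The TimeRange class and its method names are this example's own.

```python
"""Time-range evaluation following the Note above. Added example, not FWSM
code; the sample ranges and timestamps are constructed.
"""
from datetime import datetime, time

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {"daily": list(range(7)), "weekdays": list(range(5)), "weekend": [5, 6]}


def _hhmm(s):
    h, m = s.split(":")
    return time(int(h), int(m))


def _date(tok):                      # 'HH:MM D Month YYYY'
    return datetime.strptime(" ".join(tok[:4]), "%H:%M %d %B %Y")


class TimeRange:
    def __init__(self, name):
        self.name = name
        self.periodic = []           # (start_day, start_time, end_day, end_time)
        self.start = self.end = None

    def add(self, line):
        tok = line.split()
        if tok[0] == "absolute":
            if "start" in tok:
                self.start = _date(tok[tok.index("start") + 1:])
            if "end" in tok:
                self.end = _date(tok[tok.index("end") + 1:])
        elif tok[0] == "periodic":
            to = tok.index("to")
            names = [d for d in tok[1:to - 1] if d in DAYS or d in GROUPS]
            days = [i for d in names for i in (GROUPS.get(d) or [DAYS.index(d)])]
            t1 = _hhmm(tok[to - 1])
            if tok[to + 1] in DAYS:            # spans days: friday 22:00 to monday 6:00
                self.periodic.append((days[0], t1, DAYS.index(tok[to + 1]), _hhmm(tok[to + 2])))
            else:                              # same-day window on each listed day
                t2 = _hhmm(tok[to + 1])
                self.periodic.extend((d, t1, d, t2) for d in days)
        else:
            raise ValueError(line)

    def active(self, now):
        if self.start and now < self.start:
            return False               # periodic is not evaluated before the absolute start
        if self.end and now > self.end:
            return False               # ...nor after the absolute end
        if not self.periodic:
            return True
        wd, t = now.weekday(), now.time()
        for d1, t1, d2, t2 in self.periodic:
            if d1 == d2:
                if wd == d1 and t1 <= t <= t2:
                    return True
                continue
            span, d = [], d1
            while True:                # days covered by the span, wrapping past sunday
                span.append(d)
                if d == d2:
                    break
                d = (d + 1) % 7
            if wd in span and (wd != d1 or t >= t1) and (wd != d2 or t <= t2):
                return True
        return False


def demo():
    weekdays = TimeRange("weekdays")
    weekdays.add("periodic weekdays 8:00 to 17:00")        # the example of this lesson
    q1 = TimeRange("q1-2008")
    q1.add("absolute start 00:00 1 January 2008 end 23:59 31 March 2008")
    q1.add("periodic weekdays 8:00 to 17:00")
    span = TimeRange("maintenance")
    span.add("periodic friday 22:00 to monday 6:00")
    return {
        "tue_10": weekdays.active(datetime(2008, 3, 4, 10, 0)),
        "tue_18": weekdays.active(datetime(2008, 3, 4, 18, 0)),
        "sat_10": weekdays.active(datetime(2008, 3, 8, 10, 0)),
        "q1_in": q1.active(datetime(2008, 3, 4, 10, 0)),
        "q1_after_end": q1.active(datetime(2008, 4, 1, 10, 0)),
        "span_sun": span.active(datetime(2008, 3, 9, 3, 0)),
        "span_mon_7": span.active(datetime(2008, 3, 10, 7, 0)),
    }


if __name__ == "__main__":
    print(demo())
```

The q1_after_end case is the Note in action: a Tuesday at 10:00 matches the periodic entry, yet the range is inactive because the absolute end has passed, so an ACE carrying this time-range silently stops matching.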


ACL Logging
By default, the Catalyst 6500 Series FWSM generates the system log message 106023 for each packet denied by an extended ACE, except for the implicit deny at the end.

%XXX-4-106023: Deny protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port [type {string}, code {code}] by access-group acl_id

If the Catalyst 6500 Series FWSM is under attack, the number of such system log messages for denied packets can be very large. To relieve the FWSM from that overhead burden, logging of system message 106100, which provides statistics for each ACE, can be enabled, limiting the number of messages produced.

%XXX-n-106100: access-list acl_id {permitted | denied} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})

Alternatively, logging can be disabled. This is achieved by the log options of the extended access-list command.

access-list access_list_name [extended] {deny | permit} ... [log [[level] [interval secs] | disable | default]] [time-range name]

The table describes the logging parameters of the access-list command.

access-list extended log Parameters

Parameter / Description

level
    Defines the logging level from 0 to 7, 6 being the default.

interval secs
    Specifies the time interval between successive log messages, from 1 to 600, with 300 being the default.

disable
    Disables all logging for the ACE.

default
    Enables logging with message 106023. The same is achieved without specifying any logging option for a particular ACE.

Note: When using the time-range and logging options in the same ACE, the log keyword should be configured before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last parameter.

For further information about the logging options for ACLs, refer to the FWSM configuration documentation.

These behaviors can be set:

- Enable message 106100 instead of message 106023
- Disable all logging
- Return to the default logging using message 106023
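The difference between the three logging behaviors is easiest to see by replaying the same flow against an ACE under each setting. The following Python model is an added example, not FWSM code: it produces one 106023 line per denied packet in the default mode, a 106100 line on the first hit and then at most one per interval with a per-flow hit count under the log option, and nothing under log disable. The message text follows the formats shown above with %XXX kept as the page's placeholder; the timestamps and packets are constructed and the AceLog class is this example's own.

```python
"""ACL syslog generation under the default, log [level] [interval] and
log disable settings. Added example, not FWSM code; packets are constructed.
"""


class AceLog:
    def __init__(self, acl_id, action, mode="default", level=6, interval=300):
        self.acl_id, self.action, self.mode = acl_id, action, mode
        self.level, self.interval = level, interval
        self.flows = {}      # flow -> [hits since last message, time of last message]

    def hit(self, ts, proto, src_if, src, sport, dst_if, dst, dport):
        """Return the syslog line this packet produces, or None."""
        if self.mode == "disable":
            return None
        if self.mode == "default":
            if self.action != "deny":
                return None       # 106023 is generated only for denied packets
            return (f"%XXX-4-106023: Deny {proto} src {src_if}:{src}/{sport} "
                    f"dst {dst_if}:{dst}/{dport} by access-group {self.acl_id}")
        # mode == "log": per-flow statistics with message 106100
        flow = (proto, src, sport, dst, dport)
        verb = "permitted" if self.action == "permit" else "denied"
        head = (f"%XXX-{self.level}-106100: access-list {self.acl_id} {verb} {proto} "
                f"{src_if}/{src}({sport}) -> {dst_if}/{dst}({dport})")
        state = self.flows.get(flow)
        if state is None:
            self.flows[flow] = [0, ts]
            return f"{head} hit-cnt 1 (first hit)"
        state[0] += 1
        if ts - state[1] >= self.interval:
            count, state[0], state[1] = state[0], 0, ts
            return f"{head} hit-cnt {count} ({self.interval}-second interval)"
        return None


def replay(mode, interval=300):
    """Feed one constructed IRC flow hitting a deny ACE at t=0,1,2,301,302."""
    ace = AceLog("corp", "deny", mode=mode, interval=interval)
    msgs = []
    for ts in (0, 1, 2, 301, 302):
        m = ace.hit(ts, "tcp", "inside", "10.0.0.5", 40000, "outside", "198.133.219.9", 194)
        if m:
            msgs.append(m)
    return msgs


if __name__ == "__main__":
    for mode in ("default", "log", "disable"):
        print(mode, len(replay(mode)))
        for m in replay(mode):
            print("  ", m)
```

Five denied packets yield five 106023 lines by default but only two 106100 lines (the first hit, then a summary of the three hits that accumulated before the 300-second interval elapsed), which is the overhead reduction the text describes; a permit ACE produces messages only in the log mode.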


Time-Range Example

[Figure: Web/Mail Server 192.168.1.100 on the DMZ (192.168.1.0/24); Internet; Outside Network 198.133.219.0/24; Inside Network 10.0.0.0/24]

time-range weekdays
 periodic weekdays 8:00 to 17:00
!
access-list outside_in extended permit tcp any any eq www time-range weekdays
access-group outside_in in interface outside


Verifying

fwsm# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list corp; 5 elements
access-list corp line 1 extended deny tcp any any eq irc (hitcnt=234)
access-list corp line 2 extended permit tcp any host 192.168.1.100 eq smtp (hitcnt=150)
access-list corp line 3 extended deny tcp any any eq smtp (hitcnt=0)
access-list corp line 4 extended permit ip any any (hitcnt=3467)
access-list corp line 5 extended permit icmp any any (hitcnt=23)

- Verifies that the ACL is identifying the traffic

fwsm(config)#
debug acl config
debug acl error

- Troubleshoots the ACLs

To verify the ACL configuration and operation, use the show access-list command. The command shows the detailed ACL entries along with their hit counts. Note that the line numbers in the output are positions, renumbered consecutively, not the line values given when the entries were configured.

To troubleshoot the ACL configuration, use the debug commands listed in the table, with caution so as not to overwhelm the FWSM.

ACL Troubleshooting Commands

Command / Description

debug acl config
    Shows detailed information upon an ACL being updated.

debug acl error
    Shows detailed information if an error occurs when an ACL is updated.

This output shows detailed information upon adding an access control entry to the crop ACL.

fwsm/admin(config)# access-list crop extended permit tcp any any eq 53
Hash Input : crop extended permit 6 any any eq
Hash Output : 0x5a423697
fwsm/admin(config)#
add acl style rule in tree
Source IP = 0.0.0.0, Source Mask = 0.0.0.0, Dest IP = 0.0.0.0, Dest Mask = 0.0.0.0
Source Port 1 = 0x0, Source Port 2 = 0x0, Source Port Operand = 0
Dest Port 1 = 0x35, Dest Port 2 = 0x0, Dest Port Operand = 3
ACL Number = 2, Protocol = 0x6, Permission = 1
ACL : alloc counter : TreeId=0, Rule Type=10, Start Index=2054, End Index=12686
Allocating Counter Index : 0x80b


FW ID = ..., FW ID Mask = 0xfff
Source Interface Mask = 0xfff
Source IP Value = 0x0, Source IP Mask = 0xffffffff
Dest IP Value = 0x0, Dest IP Mask = 0xffffffff
Source Port 1 = 0x0, Source Port 2 = 0xffff
Dest Port 1 = 0x35, Dest Port 2 = 0x35
Acl Number Value = 0x2, Acl Number Mask = 0xffff
Protocol Value = 0x6, Protocol Mask = 0xff
CLS Flag Value = 0x8, CLS Flag Mask = 0x8
CLS Flag1 Value = 0x3, CLS Flag1 Mask = 0x3
CLS Counter Index = 0x80b, CLS Priority = 128849031
Signalled CLS Download Thread
add acl style rule in tree : ACL Rule Added
New flag equal to old one
old = 0x0, new = 0x0
Compilation NOT forced by 'updateRuleFlags'
Fixing ACE Index - Old=1, New=1
Fixing Rule Priority - Old=128849031, New=128849032
ACE line number changed from 1 to 1
Rules Download Complete : Memory Utilization : 1%


Catalyst6500 Series F S
. Comm itted to NP afteradding entry

CL

peration

tltilizes system resources

(can hitIim it)


fwsm# show resource rule
             Default   Configured   Absolute
CLS Rule     Limit     Limit        Max
Policy NAT   283       283          566
ACL          10633     10633        21266
Filter       425       425          850
Fixup        1417      1417         2834
Est Ctl      70        70           70
Est Data     70        70           70
AAA          992       992          1984
Console      283       283          566
Total        14173     14173

Partition Limit - Configured Limit = Available to allocate
14173           - 14173            = 0

fwsm# show resource usage
Resource         Current   Peak   Limit   Denied   Context
Mac-addresses    1         2      65535   0        bridge
Telnet           1         1      5       0        system
The Catalyst 6500 Series FWSM activates the ACL by committing it to the network processors a short period of time after an ACE is added. If a new ACE is added while the ACL is being committed, the current commit is aborted and the ACL is recommitted afterwards.

After committing the ACL successfully, the Catalyst 6500 Series FWSM displays a message similar to this one:

Access Rules Download Complete : Memory Utilization :

Larger ACLs (for example, 60K ACEs) can take up to four minutes to commit.

ACL System Resource Utilization

The Catalyst 6500 Series FWSM supports up to a maximum number of ACEs for the entire system, depending on the complexity of the ACLs, which is influenced by the port ranges and overlapping IP addresses used (for example, 10.0.0.0/8 and 10.1.0.0/16).

Using an object group reduces the number of ACEs in the configuration, but the number of expanded ACEs stays the same, and it is the expanded count that is charged against the system limit.

The number of expanded ACEs can be observed using the show access-list command.

If a memory limitation is reached, the Catalyst 6500 Series FWSM produces an error and a system log message (106024). Along with that, all the ACLs that were being committed to the network processors are removed. Only ACLs that were successfully committed in the previous commitment are used. Thus, pasting 100 ACEs with only the last ACE exceeding the memory limitation results in all 100 ACEs being rejected.

The default limit for the number of ACEs is 74,188 for single context mode and 10,633 per context in multiple context mode.

To check the default resource allocation, use the show resource rule command. To check the current resource utilization, use the show resource usage command.
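The following configuration is an added example, not part of the course material, that makes the object-group point concrete: one configured ACE expands to the product of the group sizes, and the expanded count is what the partition limit charges. The object-group names, addresses and ACL name are assumed for illustration.

```cisco
! Added example: three hosts x two ports = one configured ACE, six expanded ACEs.
! Names, addresses and ports are assumed, not taken from the course material.
object-group network WEB_SERVERS
  network-object host 10.0.1.10
  network-object host 10.0.1.11
  network-object host 10.0.1.12
object-group service WEB_PORTS tcp
  port-object eq www
  port-object eq https
!
! One line in the running configuration...
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
access-group OUTSIDE_IN in interface outside
!
! ...but six ACEs are committed to the network processors. Check the expanded count
! before adding large groups, because a commit that exceeds the partition limit
! rejects the whole batch (syslog 106024), not just the last entry:
!   show access-list OUTSIDE_IN   -> lists the expanded ACEs (one per host/port pair)
!   show resource rule            -> configured ACL limit of the partition
```

Count the expanded entries against the "ACL" row of show resource rule rather than against the number of access-list lines in the configuration.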


Comparing the ACL Types

* IP traffic network access control (routed and transparent): extended ACL. By default the FWSM drops all traffic unless it is explicitly permitted by an ACL.
* AAA rules traffic identification: extended ACL. Identifies the traffic to which AAA rules apply.
* IP traffic network access control per user: extended ACL (downloaded from the AAA server per user). A dynamic ACL is downloaded per user from the RADIUS server, or a preconfigured ACL on the FWSM is used per name sent from the server.
* Identify addresses for NAT: extended ACL. Identifies local traffic for translation per source and destination addresses for policy NAT.
* Modular policy traffic identification (traffic class map): extended ACL. Identifies traffic in a class map, which is used for features that support the modular policy framework.
* Non-IP traffic network access control (transparent): EtherType ACL. Configures an ACL that controls traffic based on its EtherType.
* Identify OSPF routes for redistribution: standard ACL. Controls the redistribution of OSPF routes (only the destination address is identified).

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* Layer 2 filtering is used to prevent MAC- and ARP-related attacks.
* Layer 2 filtering can be used in transparent mode only.
* ACLs are used to identify traffic per different parameters.
* A time range can be applied to ACLs to control the activation.
* The Cisco Catalyst 6500 Series FWSM processes ACLs in hardware.


Lesson 4

Implementing Contexts

Overview

Objectives

FWSM Virtualization Overview
This topic identifies the virtualization of the Catalyst 6500 Series FWSM with contexts.

Concept of Virtual Firewalls

* Logical partitioning of a single FWSM into multiple logical firewalls
* Logical firewall = security context
* Licensed feature (default two contexts):
  - License for 20, 50, 100, and 250 contexts
* Policies and management
* IP address space (can be reused between contexts)
* Operational mode (routed or transparent)
* Set of VLAN interfaces
* Resource usage

Virtual firewalls present logical partitioning of a single physical Catalyst 6500 Series FWSM into multiple logical firewalls. A logical firewall is called a security context (or virtual firewall). Security contexts allow administrators to separate and secure data center silos while providing easy management using a single system. They lower overall management and support costs by hosting multiple virtual firewalls in a single device.

Security Contexts Overview

The Catalyst 6500 Series FWSM can be partitioned into multiple virtual firewalls known as security contexts. By default, two security contexts can be created on one Catalyst 6500 Series FWSM. To deploy more contexts, a special license is available for 20, 50, 100, and 250 concurrent security contexts.

A system configuration file controls the options that affect the entire module, and defines the interfaces that are accessible from each security context.
The system configuration file can also be used to configure resource allocation parameters to control the amount of system resources that are allocated to a context.

Controlling resources enables multiple demilitarized zones (DMZs) and service differentiation classes (gold, silver, and bronze) per context for different data center segments.
Each individual security context has its own security policies, interfaces, and administrators. Each context has a separate configuration file that contains most of the definition statements found in a standalone Catalyst 6500 Series FWSM configuration file. This configuration file controls the policies for the individual context, including items such as IP addressing, Network Address Translation (NAT) and Port Address Translation (PAT) definitions, authentication, authorization, and accounting (AAA) definitions, traffic control access control lists (ACLs), and interface security levels.

Note

Interfaces can be dedicated to a single context or shared among many contexts.

Note

Keep in mind that certain features, like Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) routing, are not supported in multiple context mode.


Using Multiple Contexts

* Multiple contexts with their own interfaces
* Mandatory for transparent mode

[Figure: a campus network connected to one FWSM that hosts separate security contexts in front of the web servers, the application servers, and the database servers; each context uses its own interfaces]

The figure shows a network with multiple contexts deployed. Each context has its own interfaces.
This network topology is mandatory when the security contexts are operating in transparent mode.
In transparent mode, a single context can have up to eight interfaces paired in different bridge groups.
Multiple contexts allow deployment of active-active failover functionality as an alternative to the existing active-passive failover.


Using Multiple Contexts (Cont.)

[Figure: one FWSM with separate contexts toward ISP A, ISP B, an extranet, and the campus network]

Sharing an Interface Among Contexts

* A single interface is shared among contexts.
* Cascading of the contexts on a single physical FWSM is not supported.
* Only routed mode is supported.

[Figure: the campus network connects to one shared interface of the FWSM; three contexts protect the web servers, the application servers, and the database servers]

Security contexts can share the same interface, as shown in the figure.

One physical Catalyst 6500 Series FWSM is connected to the campus network and to three different data center networks. The Catalyst 6500 Series FWSM is partitioned into three security contexts, and each of the security contexts can be managed separately.
This kind of configuration can be used in the data center to connect multiple separate server segments in a multitier design:
* Front-end tier, encompassing the web servers
* Application tier, encompassing the application servers
* Back-end tier, encompassing the database servers
Each security context, and thus each tier, has its own security policy.

Note

This can be used only in routed mode of operation.

Note

The Catalyst 6500 Series FWSM does not support sharing the outside interface of one context with the inside interface of another context (known as cascading contexts). Traffic that is outbound from one context (from a higher to a lower security interface) can only enter another context as inbound traffic (lower to higher security); it cannot be outbound for both contexts, or inbound for both contexts.


IP Packet Classifier

* A single interface is shared among contexts.
* Packet classification determines the correct context.

[Figure: classifying packets when sharing the interface. A packet arriving from the campus network on the shared VLAN is assigned to the web, application, or database context based on its source VLAN and its destination IP address]

Keep in mind that packet classification requirements might make sharing interfaces impractical, because the classifier relies on active NAT translations to map destination addresses to a context. Thus, the classifier is limited by how NAT is configured.

Note

All traffic must be classified, including traffic from inside networks.

These configurations are not used for packet classification:

* NAT exemption, because it does not identify the mapped (shared) interface.
* The routing table, because multiple contexts might have routes for the same destination network pointing to different next hops.


Mixing Firewall Modes

* Each context can be in transparent or routed mode
  - Independent of the others (FWSM 3.1 onwards)
* Do not share interfaces between transparent and routed contexts

[Figure: three contexts on one FWSM; the admin context and a routed internal context each have an outside and an inside interface, and a transparent context bridges its outside and inside interfaces toward DMZ1]

FWSM(config)# show context
Context Name   Class     Interfaces         Mode          URL
*admin         default   Vlan10             Routed        disk:/admin.cfg
 internal1     default   Vlan105,Vlan50     Routed        disk:/int1.cfg
 internal2     default   Vlan106,Vlan51     Transparent   disk:/int2.cfg


Single vs. Multiple Context Mode: Feature Limitations

Feature                                 Single Mode    Multiple Mode
AAA servers                             16             4 per context
Failover interface monitoring           256            256, divided between all contexts
Filtering servers                       16             4 per context
Security contexts                       N/A            100 (v2.3, based on licensing)
                                                       250 (v3.1, based on licensing)
Syslog servers                          16             4 per context
VLAN interfaces (routed mode)           256            256 per context; 1000 divided between all contexts
VLAN interfaces (transparent mode)      8 (4 pairs)    8 (4 pairs)

The table details the feature limits for the Catalyst 6500 Series FWSM in both single and multiple context mode.
The most important figures are:

* Up to 250 security contexts per FWSM (license)
* Number of interfaces:
  - 256 interfaces (VLANs) per security context
  - Maximum 1000 interfaces per FWSM physical module


Single vs. Multiple Context Mode: Resource Limitations

Resource                                          Single Mode   Multiple Mode
MAC addresses (transparent mode)                  65,535        65,535 divided among all contexts
Hosts connecting through FWSM concurrently        262,144       262,144 divided among all contexts
Inspection engine connections per second          10,000        10,000 divided among all contexts
IPsec management connections concurrently         5             5 per context; 10 divided among all contexts
ASDM management sessions concurrently             5             5 per context; 80 divided among all contexts
NAT translations                                  266,144       266,144 divided among all contexts


Single vs. Multiple Context Mode: Resource Limitations (Cont.)

Resource                                                      Single Mode   Multiple Mode
SSH management connections                                    5             5 per context; 100 divided among all contexts
System messages to FWSM terminal or buffer per second         30,000        30,000 divided among all contexts
System messages to syslog server per second                   25,000        25,000 divided among all contexts
TCP or UDP connections between any two hosts concurrently     999,900       999,900 divided among all contexts
New TCP or UDP connections between any two hosts per second   100,000       100,000 divided among all contexts

Because PAT requires a separate translation for each connection, the effective limit of connections using PAT is the translation limit of 256,000, not the higher connection limit. To reach the connection limit, you need to use NAT, which allows multiple connections using the same translation session.


Configuring FWSM Contexts
This topic describes Catalyst 6500 Series FWSM context creation.

Virtual Firewall Overview

* FWSM-wide configuration is stored in flash:/system.cfg
* Context-specific configurations are stored in flash or remote storage

fwsm(config)# changeto context name
fwsm(config)# changeto system
* Switches to another context or to the system space

Context hierarchy:
* System execution space (root context), entered from the switch with the session slot number command
* Admin context: remote root access
* Security contexts: SSH, Telnet, IPsec, HTTPS

Note

There is no policy inheritance between contexts.

Admin Context
The admin context is just like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way and can be used as a regular context. However, because logging in to the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, not remotely. The interfaces allocated to the admin context are used by the Catalyst 6500 Series FWSM for any traffic created by the FWSM, such as syslog messages. The admin context can also be used to provide remote access for management of the entire FWSM.
If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as the disk:/admin.cfg file. This context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context.

Note

The admin context is a mandatory security context.

Accessing Contexts
Use the session command to connect from the Cisco Catalyst 6500 Series Switch IOS Software to the system execution space of the Catalyst 6500 Series FWSM.
Users who log in to the system execution space or who log in to the admin context remotely can use the changeto command to access any context within the Catalyst 6500 Series FWSM.
Individual contexts can also be accessed with the standard management methods of Secure Shell (SSH), Telnet, IPsec tunnels, and HTTPS PIX Device Manager (PDM) sessions.

Within a security context, the startup-config file is used to refer to the configuration file for the security context.


Note

ASDM does not support changing modes, so you need to change modes using the command-line interface (CLI).

Note

The mode multiple command sets mode information that endures through reboots; however, this mode information is not stored in the system configuration file in flash memory.

System Configuration

Configuration statements include:
* mode multiple
* Failover configuration
* Resource allocation
* Admin context name

fwsm(config)# admin-context name
* Sets the context to be the admin context

System execution space (system.cfg):
mode multiple
admin-context admin
context admin
  allocate-interface Vlan100
  config-url disk:/admin.cfg
context a
  allocate-interface Vlan10
  config-url disk:/cust1.cfg

The system.cfg file stores configuration statements that affect the Catalyst 6500 Series FWSM as a whole.
Failover functions are not virtualized and, therefore, failover configuration statements are contained in system.cfg.
The system space has control over all contexts:
* Creates the admin context first
* Creates security contexts
* Assigns interfaces to contexts

Thus the system.cfg file also has configuration statements that define the individual contexts and allocate resources to them.
Up to 250 VLANs are assigned to a context; physical interfaces are controlled by the Multilayer Switch Feature Card (MSFC).

Admin Context
You can set any context to be the admin context, as long as the configuration file is stored in the internal flash memory.

The admin context is designated with the admin-context command.

Changing the admin context terminates any remote management sessions, such as Telnet, SSH, or HTTPS. They have to be reestablished in the new admin context.

Note

A few system commands identify an interface name that belongs to the admin context. If you change the admin context and that interface name does not exist in the new admin context, be sure to update any system commands that refer to the interface.


Creating Contexts
To create an individual context:
* Name the context
* Allocate interfaces
* Specify the configlet URL

fwsm(config)# context name
fwsm(config-ctx)# allocate-interface vlannumber[-vlannumber] [mapped_name[-mapped_name]]
fwsm(config-ctx)# config-url url
* Creates the context

context admin
  allocate-interface Vlan10
  config-url disk:/admin.cfg

The config-url command is used to specify the location in which the configuration file of the context is stored.

Note

The context is not active until the config-url command is issued.

Caution

If the configuration file specified in the config-url command already exists, then all allocate-interface commands should be issued prior to issuing the config-url command.
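The following configuration is an added worked example, not taken from the course material, that ties the procedure above together with the earlier points on sharing an interface, packet classification, and mixing firewall modes: two routed contexts share one outside VLAN and each publishes its servers with a static translation so that the classifier can assign inbound packets, while a third, transparent context gets an interface pair of its own. All context names, VLAN numbers, mapped names, and addresses are assumed.

```cisco
! ===== System execution space (system.cfg). Added example; names, VLANs and addresses are assumed. =====
mode multiple
admin-context admin
context admin
  allocate-interface Vlan10
  config-url disk:/admin.cfg
!
! Two routed contexts share Vlan100 as their outside interface (permitted in routed mode only).
! Each keeps a private inside VLAN. Mapped names hide the real VLAN numbers from the context admin.
context web
  allocate-interface Vlan100 shared-out
  allocate-interface Vlan101 web-in
  config-url disk:/web.cfg
context app
  allocate-interface Vlan100 shared-out
  allocate-interface Vlan102 app-in
  config-url disk:/app.cfg
!
! The transparent context gets its own pair; never share Vlan105/Vlan106 with a routed context.
context dmz-bridge
  allocate-interface Vlan105 dmz-out
  allocate-interface Vlan106 dmz-in
  config-url disk:/dmz.cfg
!
! ===== web.cfg (changeto context web) =====
! The static translation is what the classifier uses: a packet for 192.0.2.10 arriving on the
! shared Vlan100 is handed to this context because this context owns that mapped address.
! NAT exemption (nat 0 access-list) would not create such a mapping and is ignored by the classifier.
interface shared-out
  nameif outside
  security-level 0
  ip address 192.0.2.2 255.255.255.0
interface web-in
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! ===== app.cfg (changeto context app) is built the same way with its own mapped address =====
interface shared-out
  nameif outside
  security-level 0
  ip address 192.0.2.3 255.255.255.0
interface app-in
  nameif inside
  security-level 100
  ip address 10.1.2.1 255.255.255.0
static (inside,outside) 192.0.2.20 10.1.2.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.20 eq 8443
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! ===== dmz.cfg (changeto context dmz-bridge), FWSM 3.1 bridge-group syntax =====
firewall transparent
interface dmz-out
  nameif outside
  security-level 0
  bridge-group 1
interface dmz-in
  nameif inside
  security-level 100
  bridge-group 1
interface bvi 1
  ip address 172.16.5.2 255.255.255.0
!
! Verification from the system execution space:
!   show context detail   -> each context active, its real and mapped interfaces, and its mode
!   show context count    -> number of contexts against the license
```

Because the web and app contexts sit on the same outside subnet, their outside addresses (192.0.2.2 and 192.0.2.3) and their mapped server addresses must not overlap; a destination that two contexts both claim cannot be classified.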


Verifying Contexts
From the system execution space, you can view a list of contexts, including the name, allocated interfaces, and configuration file URL, by using the show context command.

show context [detail] [name | admin | count]

show context Parameters

detail    (Optional) Displays context details.
name      (Optional) Displays information about the specified context.
admin     (Optional) Displays the administrator context.
count     (Optional) Displays the number of contexts configured.

fwsm# show context detail
Context "admin" is ADMIN and active
  Config URL: disk:/admin.cfg
  Real Interfaces: Vlan90, Vlan91
  Mapped Interfaces: Vlan90, Vlan91
  Class: default, Flags: 0x00001857, ID: 1

Context "bridge" is active
  Config URL: disk:/bridge.cfg
  Real Interfaces: Vlan92, Vlan93
  Mapped Interfaces: Vlan92, Vlan93
  Class: default, Flags: 0x00001855

Context "null" is a system resource
  Config URL: ... null
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000809

Context "system" is a system resource
  Config URL: flash:config
  Real Interfaces:
  Mapped Interfaces: EOBC0, GigabitEthernet0, GigabitEthernet1, Vlan90, Vlan91, Vlan92, Vlan93
  Class: default, Flags: 0x00000819

Removing Contexts

To remove a single context, use the no context command in the system execution space. To remove all contexts (including the admin context), use the clear context command.

Changing the Context Configuration URL

Step 1  Change to the context whose configuration URL you want to change and clear its configuration.

Note

If you want to perform a merge, skip to Step 2.

FWSM# changeto context name
FWSM/name# configure terminal
FWSM/name(config)# clear configure all

Step 2  Change to the system execution space.

FWSM/name(config)# changeto system

Step 3  Enter the context configuration mode for the context you want to change.

FWSM(config)# context name

Step 4  Enter the new URL.

FWSM(config-ctx)# config-url new_url

Managing Context Resources

This topic explains the Catalyst 6500 Series FWSM context resource management.

Class Hierarchy

* Limits set in the default class are the basis for all other classes and for contexts not assigned to a class

[Figure: class hierarchy. The default class is the root; an Executive class (context CEO), a Servers class (contexts Database and Gen-1), and a Limited class (contexts Visitor and Testing) inherit from it]

By default, all security contexts have unlimited access to the resources of the Catalyst 6500 Series FWSM, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they, for example, cause other contexts to be denied connections, you can configure resource management to limit the use of resources per context.

Configuring Resource Management

Resource management definitions are created by defining a class. Each class definition contains a specification of the resource limits to be applied to the contexts assigned to that class.

A default class defines the resource limits that are applied to contexts that are not assigned to other defined classes. The limits in the default class are inherited by other classes, unless specifically overridden in the definition of the nondefault class.
Each individual security context is assigned to a class. Multiple contexts can be assigned to the same class.

Note

The Catalyst 6500 Series FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN.

Virtual Firewall Resource Limiter

* Classes are defined in the system execution space.
* Individual contexts are mapped to classes.
* Limits are applied to specific resources within a class (integer or percentage; 0 means no limit).
* Resources can be oversubscribed (a class assigns a maximum of 10 percent of resources but 50 contexts are mapped to it).

fwsm# show resource types
Rate limited resource types:
  Conns            Connections/sec
  Fixups           Fixups/sec
  Syslogs          Syslog/sec
Absolute limit resource types:
  Conns            Connections
  Hosts            Hosts
  IPSec            IPSec mgmt tunnels
  ASDM             ASDM sessions
  SSH              SSH sessions
  Mac-addresses    MAC address table entries
  Xlates           XLATE objects
  All              All resources

Defining Resource Limitations

Resource limitations can be defined in three ways:
* Rate-limited consumption of a specified resource per second
* Absolute amount of a specified resource consumed, expressed as either an absolute number or a percentage of the system maximum
* Absolute amount of all resources tracked, expressed as either an absolute number or a percentage of the system maximums

The figure shows the resources that can be individually controlled with resource management configuration commands. Other resources are tracked by the resource allocation function of the Catalyst 6500 Series FWSM operating system, but cannot be controlled on an individual basis. These resources are controlled by the all keyword of the resource limit commands.
'

Configuring Resource Management

fwsm(config)# class name
fwsm(config-class)# limit-resource [rate] {resource_name | all} {number[%] | 0}
* Creates a class and allocates resources

fwsm(config-ctx)# member class
* Assigns a context to a class

System execution space:
class default
  limit-resource all 10%
class gold
  limit-resource all 0
class silver
  limit-resource conns 5000
  limit-resource hosts 200

context admin
  allocate-interface Vlan100
  config-url disk:/admin.cfg
context executives
  allocate-interface Vlan101-Vlan102
  config-url disk:/executives.cfg
  member gold
context regular_guys
  allocate-interface Vlan103-Vlan104
  config-url disk:/regular_guys.cfg
context visitors
  allocate-interface Vlan105-Vlan106
  config-url disk:/visitors.cfg
  member silver

Classes are defined as shown in the left part of the example.

First, a class is defined with the class command. The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.

The limit-resource command is then used to define the individual resource limitations. The number is an integer greater than or equal to 1. Zero (0, without a percent sign) sets the resource to the system limit. You can assign more than 100 percent if you want to oversubscribe the device.
A resource name can be mac-addresses, conns, fixups, hosts, ipsec, asdm, ssh, and so on.

Note

For the complete list of resource names with minimum and maximum values, refer to the Catalyst 6500 Series FWSM documentation.

The right side of the example shows how individual security contexts are defined. Contexts are assigned to a resource class with the member command.
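An added example, not part of the course material, of a class set that combines the three kinds of limits described above: rate limits on connection setup and syslog generation, absolute caps for a guest class, a class with no ceiling, and a deliberate oversubscription of the default class. Class names, limit values, and context names are assumed.

```cisco
! Added example: resource classes with rate, absolute and percentage limits. Names and values are assumed.
! Rate-limited resources (per second): conns, fixups, syslogs. Absolute resources: conns, hosts, xlates, ssh, ...
class default
  limit-resource all 5%                 ! contexts without a class get at most 5% of each resource
  limit-resource rate conns 1000        ! ...and 1000 new connections per second
  limit-resource ssh 2
!
class gold
  limit-resource all 0                  ! 0 = system limit, no per-context ceiling
  limit-resource rate conns 0
!
class guest
  limit-resource conns 2000             ! absolute number of concurrent connections
  limit-resource hosts 500
  limit-resource xlates 1000            ! PAT needs one xlate per connection, so this also caps PAT
  limit-resource rate conns 100         ! setup rate: blunts scanning or SYN floods from a guest segment
  limit-resource rate syslogs 200       ! a noisy guest context cannot starve the syslog server
  limit-resource ssh 1
!
context payroll
  allocate-interface Vlan201-Vlan202
  config-url disk:/payroll.cfg
  member gold
context guest1
  allocate-interface Vlan301-Vlan302
  config-url disk:/guest1.cfg
  member guest
context guest2
  allocate-interface Vlan303-Vlan304
  config-url disk:/guest2.cfg
  member guest
!
! Oversubscription: 30 contexts left in "default" at 5% each = 150% of every percentage-limited
! resource. That is accepted; the FWSM only warns. Check it before going live:
!   show resource allocation             -> per-class totals and whether the sum exceeds 100%
!   show resource usage summary          -> current/peak/limit/denied per resource, system-wide
!   show resource usage context guest1   -> a non-zero Denied column means the guest class is too tight
```

The guest class is the interesting one for security: the absolute and rate limits on conns and xlates bound how much of the module a compromised or abusive guest segment can consume, so it cannot deny connections to the payroll context sharing the same hardware.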


Configuring Memory Partitions

fwsm(config)# resource acl-partition number_of_partitions
* Sets the number of partitions

fwsm(config-ctx)# allocate-acl-partition partition_number
* Assigns a context to a memory partition

context test
  allocate-interface vlan101 int1
  allocate-interface vlan102 int2
  allocate-interface vlan110-vlan115 int3-int8
  config-url ftp://user1:password@10.1.1.1/configlets/test.cfg
  member gold
  allocate-acl-partition 0

Note

Rules are used up on a first-come, first-served basis, so one context might use more rules than another context.

You can manually assign a context to a partition.

Note

Changing the number of partitions requires you to reload the Catalyst 6500 Series FWSM.

Configuring Memory Partitions

To change the number of memory partitions, use the resource acl-partition command in the system execution space and reload the Catalyst 6500 Series FWSM.

If you are using failover, wait a few seconds before reloading the standby unit as well. The standby unit does not reload automatically, and the memory partitions must match on both units.

Caution

Traffic loss can occur because both units are down at the same time.

You can assign an individual context to a particular memory partition with the allocate-acl-partition command under the context configuration mode.

Note

If you assign a context to a partition, the partition numbering starts with 0. So if you have 12 partitions, the partition numbers are 0 through 11.

Verifying Memory Partitions

To verify the memory partition configuration, use the show resource acl-partition command in the system execution space.

fwsm(config)# show resource acl-partition
Total number of configured partitions = 2
Partition #0
  Mode               :exclusive
  List of Contexts   :bandn, borders
  Number of contexts :2(RefCount:2)
  Number of rules    :0(Max :53087)
Partition #1
  Mode               :non-exclusive
  List of Contexts   :admin, momandpopA, momandpopB, momandpopC, momandpopD
  Number of contexts :5(RefCount:5)
  Number of rules    :6(Max :53087)

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* Virtual firewalls are implemented with multiple security contexts.
* Contexts are created within the system configuration and defined in individual configuration files.
* Resource management controls the Cisco Catalyst 6500 Series FWSM resources allocated to each security context.

Lesson 5

Implementing Routing

Overview
Deploying the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) in routed mode requires either static or dynamic IP routing. This lesson describes and explains how to configure the Catalyst 6500 Series FWSM routing capabilities, including static routing, dynamic routing, and route health injection (RHI).

Objectives
Upon completing this lesson, you will be able to deploy routing on a Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:

* Explain the need for static routing on the Catalyst 6500 Series FWSM
* Describe the steps needed to configure static routes
* Explain the need for dynamic routing on the Catalyst 6500 Series FWSM
* Describe the available dynamic routing protocols on the Catalyst 6500 Series FWSM
* Explain the need for RHI
* Explain the need for asymmetric routing
* Explain the restrictions of dynamic routing
* Describe the steps needed to configure various dynamic routing protocols

Configuring Static Routing

This topic explains static routing on the Catalyst 6500 Series FWSM.

Understanding Routes
Where to forward the traffic?
* Through which interface?
* What is the IP address of the next hop?

[Figure: FWSM with outside interface e0 on 192.168.1.0/24 toward the Internet router 192.168.1.1, and inside interface e1 on 10.0.1.0/24; routers 10.0.1.2 and 10.0.1.3 lead to 10.0.2.0/24 and 10.0.3.0/24. Routing table: 10.0.1.0/24 via e1 (connected); 192.168.1.0/24 via e0 (connected); 0.0.0.0/0 via e0, next hop 192.168.1.1; 10.0.2.0/24 via e1, next hop 10.0.1.2; 10.0.3.0/24 via e1, next hop 10.0.1.3]

How to Determine Where to Forward the Traffic

In routed mode, the Catalyst 6500 Series FWSM behaves similarly to a router when it has to forward a packet between its interfaces. Multiple interfaces mean multiple IP subnets, and thus the Catalyst 6500 Series FWSM has to determine how to forward an IP packet toward its destination in order to route the packet.

There are two things an FWSM (or a router, respectively) has to determine:

* What is the outgoing interface through which a packet is transmitted?
* What is the IP address of the next hop router that receives the packet?

Since most IP-based communications are bidirectional, routes that handle the traffic in both directions have to be configured. Routes are stored in the routing table and are acquired by means of a routing protocol (either static or dynamic).

How FWSM Makes Forwarding Decisions

Routers, by default, make routing decisions with regard to the routing table only.
In contrast to routers, the Catalyst 6500 Series FWSM makes routing decisions with regard to both the routing table and the translation table (when Network Address Translation (NAT) is not disabled):

* If a translation for the destination (an existing xlate or a static translation) already exists, the egress interface is the one in the translation table, not the routing table. The routing table is then consulted only for the IP address of the next hop.
* If no translation for the destination exists, the IP routing table is consulted for both the next hop IP address and the egress interface.
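The following routed-mode context configuration is an added example, not from the course material, that makes the forwarding order above visible: a static translation pins the egress interface of a destination, and the routing table only supplies the next hop. Interface names, VLAN numbers, and addresses are assumed.

```cisco
! Added example, routed-mode context. Interface names, VLANs and addresses are assumed.
interface Vlan10
  nameif outside
  security-level 0
  ip address 192.168.1.2 255.255.255.0
interface Vlan20
  nameif inside
  security-level 100
  ip address 10.0.1.1 255.255.255.0
interface Vlan30
  nameif dmz
  security-level 50
  ip address 172.16.1.1 255.255.255.0
!
! The routing table knows 10.0.2.0/24 behind the inside router 10.0.1.2.
route outside 0.0.0.0 0.0.0.0 192.168.1.1
route inside 10.0.2.0 255.255.255.0 10.0.1.2
!
! The static translation publishes the inside host 10.0.2.50 on the dmz side as 172.16.1.50.
! A dmz packet addressed to 172.16.1.50 is untranslated to 10.0.2.50 and sent out "inside":
! the xlate selects the egress interface, and the routing table is consulted only for the
! next hop on that interface (10.0.1.2). Had the static named a different interface pair,
! the packet would leave through that interface regardless of the route.
static (inside,dmz) 172.16.1.50 10.0.2.50 netmask 255.255.255.255
!
! The translation alone does not grant access: dmz (security 50) to inside (100) still needs
! an ACL, written against the mapped address that the dmz hosts see.
access-list DMZ_IN extended permit tcp 172.16.1.0 255.255.255.0 host 172.16.1.50 eq 1433
access-group DMZ_IN in interface dmz
!
! Verification:
!   show route        -> the connected networks plus the two static routes
!   show xlate        -> the static entry for 172.16.1.50 <-> 10.0.2.50
!   show conn         -> a connection lists the inside interface as egress although the
!                        dmz routing lookup alone would not have chosen it
```

The practical consequence for troubleshooting is that a packet "routed" to the wrong interface is usually explained by an overlapping static or a stale xlate, not by the routing table.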

Configuring Routes

fwsm(config)# route if_name dest_ip mask gateway_ip [distance]
* Adds a static route through the specified interface

route outside 0 0 192.168.1.1
route inside 10.0.2.0 255.255.255.0 10.0.1.2
route inside 10.0.3.0 255.255.255.0 10.0.1.3

[Figure: the same topology as before. Outside interface e0 on 192.168.1.0/24 toward the Internet router 192.168.1.1; inside interface e1 on 10.0.1.0/24, with routers 10.0.1.2 and 10.0.1.3 in front of 10.0.2.0/24 and 10.0.3.0/24]

BesidcsBorderGateway Protocol(BGP),statc routesarctile only way to enablcIP routillg to


tllc networksin tlle multiple colltextI
nodc thatarc notdirectly collnccted.
Rotltcsare conl
igtlrcd on the Catalyst6500 Serics FW SM usilpg thc routecolnlnand.

r()11tt,4*
/'1?4???1:7t/(?.
$'/ il),,1:7.
:J'kf(1lc7;$'(7!'i;lg(lis'tclll'
lf1
route Parameters

Parameter     Description

if_name       Specifies the interface to be used to transmit traffic toward the destination specified by the route command.

dest_ip       Together with the mask parameter, determines the range of destination IP addresses covered by the route command.

mask          Together with the dest_ip parameter, determines the range of destination IP addresses covered by the route command.

gateway_ip    Specifies the IP address of the next hop router.

distance      (Optional) Hop count to be associated with the route. If multiple routes to a particular destination exist, the route with the lower metric is preferred. The default metric is 1. FWSM supports up to three equal-cost routes to the same destination per interface for load balancing. Equal-cost multipath (ECMP) load sharing is not supported.

Default Route

A route configured with a dest_ip and mask of 0.0.0.0 is called a default route. Packets that are not covered by any other route are handled by the default route.

Note
The default route can be abbreviated as 0 in the route command.

Static Route Convergence

A static route is removed from the routing table only if the interface goes down. If the specified gateway becomes unavailable, the static route is not removed.

Note
Static routes are also used in the transparent mode to send the traffic originated in the Catalyst 6500 Series FWSM to networks that are not directly connected (for example, management traffic like syslog, authentication, authorization, and accounting [AAA], or Websense).

Configuration Example

The first route is a default route that is used for any traffic to the outside network. The remaining two routes handle traffic to the two internal networks, and each of them has a router between the network and the Catalyst 6500 Series FWSM.
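As an added example (not part of the Student Guide and not FWSM code), the following Python script models the two-stage forwarding decision described under "How FWSM Makes Forwarding Decisions" and applies it to the three route commands from the configuration example above. The connected subnets, the translation-table entry, and the destination addresses are constructed to match the figure; the xlate lookup and the longest-prefix match are a simplified model of the behaviour the text describes.

```python
import ipaddress

# Static routes exactly as in the configuration example above;
# "route outside 0 0 ..." is the abbreviated default route.
ROUTE_COMMANDS = [
    "route outside 0 0 192.168.1.1",
    "route inside 10.0.2.0 255.255.255.0 10.0.1.2",
    "route inside 10.0.3.0 255.255.255.0 10.0.1.3",
]

# Directly connected subnets per interface (constructed to match the figure).
CONNECTED = {
    "outside": "192.168.1.0/24",
    "inside": "10.0.1.0/24",
}


def parse_route(cmd):
    """Parse 'route if_name dest_ip mask gateway_ip [distance]'.

    Returns (if_name, network, gateway, distance). The default metric is 1,
    and '0' stands for 0.0.0.0 in both the dest_ip and the mask position.
    """
    parts = cmd.split()
    if len(parts) not in (5, 6) or parts[0] != "route":
        raise ValueError("not a route command: " + cmd)
    if_name, dest, mask, gateway = parts[1:5]
    distance = int(parts[5]) if len(parts) == 6 else 1
    dest = "0.0.0.0" if dest == "0" else dest
    mask = "0.0.0.0" if mask == "0" else mask
    network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return if_name, network, gateway, distance


def build_routing_table(commands=ROUTE_COMMANDS, connected=CONNECTED):
    """Routing table as (network, if_name, next_hop, metric) tuples.

    Connected subnets have no next hop; static routes are added as configured.
    """
    table = [(ipaddress.IPv4Network(net), ifn, None, 0)
             for ifn, net in connected.items()]
    for cmd in commands:
        if_name, network, gateway, distance = parse_route(cmd)
        table.append((network, if_name, gateway, distance))
    return table


def lookup_route(table, dst):
    """Longest-prefix match; among equal prefixes the lower metric wins."""
    dst_ip = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst_ip in r[0]]
    if not matches:
        return None
    _, if_name, next_hop, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return if_name, next_hop


def forward(dst, xlate=None, table=None):
    """Model of the routed-mode forwarding decision with NAT enabled.

    xlate maps a translated (global) address to the interface behind which
    the real host lives. With an xlate hit the egress interface comes from
    the translation table and only the next hop is taken from the routing
    table; otherwise both come from the routing table. A next hop of None
    means the destination is on a connected subnet and is delivered directly.
    Returns (egress_interface, next_hop, source_of_decision) or None when
    no route at all (not even a default route) covers the destination.
    """
    xlate = xlate or {}
    table = table if table is not None else build_routing_table()
    hit = lookup_route(table, dst)
    if dst in xlate:
        return xlate[dst], (hit[1] if hit else None), "translation-table"
    if hit is None:
        return None
    return hit[0], hit[1], "routing-table"


if __name__ == "__main__":
    # Constructed static translation: 192.168.1.50 is the global address of
    # a server on the inside network.
    xlate = {"192.168.1.50": "inside"}
    for dst in ("10.0.2.55", "10.0.1.9", "198.51.100.9", "192.168.1.50"):
        print(dst, "->", forward(dst, xlate=xlate))
```

The last destination shows the point of the second rule: the routing table alone would send 192.168.1.50 out of the outside interface (it is on the connected outside subnet), but because a translation for it exists the egress interface is taken from the translation table instead.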


Configuring Dynamic Routing

This topic explains dynamic routing on the Catalyst 6500 Series FWSM.

Dynamic Routing Protocol Support

[Figure: FWSM with the outside interface on 192.168.1.0/24 toward the Internet, a DMZ on 10.1.2.0/24 running RIP, and the inside networks 10.0.2.0/24, 10.1.3.0/24, and 10.0.3.0/24 running OSPF]

* OSPF
* RIP (passive and default route)
* BGP stub (only advertise)

OSPF Routing Protocol

* Supported OSPF features include:
  - Metric is transmission cost
  - OSPF authentication
  - Two OSPF processes
  - OSPF link-state advertisement (LSA) flooding
  - Areas: intra-area, interarea, and external (type I and type II) routes; stub areas and not-so-stubby areas (NSSAs); virtual links
  - Redistribution of static and connected routes, and between processes
* Not supported in the multiple context mode

A Catalyst 6500 Series FWSM can be configured with the OSPF routing protocol to dynamically learn and advertise the routes.

OSPF uses Dijkstra's shortest path first (SPF) algorithm to calculate the best path to the destination. The input information for the SPF algorithm consists of link-state advertisements (LSAs) kept in the link-state database (LSDB). The Catalyst 6500 Series FWSM maintains a full LSDB.

Most of the OSPF features supported on a Cisco router are supported on the Catalyst 6500 Series FWSM as well.

OSPF Limitations

Two OSPF processes can be run on a different set of interfaces.

Note
OSPF is not supported in the multiple context mode.

Further information about OSPF is available in the Catalyst 6500 Series FWSM documentation.


Enabling OSPF

fwsm(config)#
router ospf process_id

* Configures an OSPF process

fwsm(config-router)#
network ip_address mask area area_id

* Defines the IP addresses on which OSPF runs, and the area ID

[Figure: FWSM running OSPF between the outside network 192.168.1.0/24 and the inside networks 10.1.3.0/24 and 10.0.3.0/24]

router ospf 2
network 10.0.0.0 255.0.0.0 area 0

OSPF is enabled by configuring routing processes using the router ospf command:

router ospf process_id

router ospf Parameter

Parameter     Description

process_id    An identifier used internally by the FWSM to track separate OSPF processes, if more than one is configured. The FWSM supports two OSPF processes.

After the OSPF process is configured, the networks that participate in the routing process are defined with the network area command:

network ip_address mask area area_id

network area Parameters

Parameter     Description

ip_address    Any interface with an address in the range defined by this and the mask parameter is used by the OSPF routing process.

mask          Any interface with an address in the range defined by the ip_address and this parameter is used by the OSPF routing process.

              Note
              The mask used is a standard mask rather than the wildcard mask used when configuring OSPF on a Cisco IOS-based router.

area_id       Places each interface in an OSPF area. OSPF areas are used to subdivide a network that is using OSPF as the routing protocol. The area specified on the FWSM must match the area IDs configured in the OSPF routers to which the FWSM is attached.
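The note on the mask parameter is the usual stumbling block for administrators coming from Cisco IOS. As an added example (not part of the Student Guide), the following Python helper converts between the two mask conventions and works out which interfaces a FWSM network statement would place in an area. The interface names and addresses are constructed; the helper deliberately rejects a non-contiguous mask because Python's ipaddress module would otherwise accept a wildcard such as 0.255.255.255 as a host mask and hide the mistake. The helper assumes the network statements do not overlap (first match wins).

```python
import ipaddress


def is_standard_mask(mask):
    """True only for a contiguous standard mask (ones followed by zeros)."""
    value = int(ipaddress.IPv4Address(mask))
    prefixlen = bin(value).count("1")
    return value == (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def _mask_to_prefixlen(mask):
    if not is_standard_mask(mask):
        raise ValueError(f"{mask} is not a standard mask; "
                         "the FWSM network command does not take a wildcard")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def standard_to_wildcard(mask):
    """Standard mask (FWSM 'network' syntax) -> IOS wildcard mask."""
    _mask_to_prefixlen(mask)
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def wildcard_to_standard(wildcard):
    """IOS wildcard mask -> standard mask usable in the FWSM 'network' command."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    mask = str(ipaddress.IPv4Address(inverted))
    _mask_to_prefixlen(mask)   # raises if the wildcard was not contiguous
    return mask


def parse_network_statement(stmt):
    """Parse 'network ip_address mask area area_id' (standard mask only)."""
    parts = stmt.split()
    if len(parts) != 5 or parts[0] != "network" or parts[3] != "area":
        raise ValueError("not a network area statement: " + stmt)
    prefixlen = _mask_to_prefixlen(parts[2])
    network = ipaddress.IPv4Network(f"{parts[1]}/{prefixlen}", strict=False)
    return network, parts[4]


def ospf_interfaces(statements, interfaces):
    """Map interface name -> area for every interface whose address falls in
    one of the network statements. Assumes the statements do not overlap."""
    parsed = [parse_network_statement(s) for s in statements]
    result = {}
    for name, address in interfaces.items():
        ip = ipaddress.IPv4Address(address)
        for network, area in parsed:
            if ip in network:
                result[name] = area
                break
    return result


if __name__ == "__main__":
    # Constructed interface addresses matching the figure's subnets.
    interfaces = {"outside": "192.168.1.1", "inside": "10.1.3.1", "dmz": "10.0.3.1"}
    print(ospf_interfaces(["network 10.0.0.0 255.0.0.0 area 0"], interfaces))
    print("IOS equivalent wildcard:", standard_to_wildcard("255.0.0.0"))
```

The slide's statement network 10.0.0.0 255.0.0.0 area 0 covers every 10.x.x.x interface, so only the outside interface stays out of OSPF; the same statement typed with the IOS wildcard 0.255.255.255 is rejected by the helper.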

Verifying OSPF Operation

To verify and troubleshoot OSPF operation, the same set of commands is used as on Cisco IOS routers.

Note
Further information about OSPF commands is available in the Catalyst 6500 Series FWSM documentation.


RIP Routing Protocol

* Features of RIP support include:
  - Metric is hop count
  - Each router contains a next hop database
  - Version 1 (default) and version 2
  - Cleartext and MD5 authentication for RIPv2
* RIP operation modes:
  - Passive RIP
  - Default route updates
* Not supported in the multiple context mode

The Catalyst 6500 Series FWSM supports both RIP version 1 (RIPv1) and version 2 (RIPv2), the first one being the default.

Note
RIP is not supported in the multiple context mode.

Further information about RIP is available in the Catalyst 6500 Series FWSM documentation.


Enabling RIP

fwsm(config)#
rip if_name passive [version {1 | 2 [authentication {text | md5} key key_id]}]

* Enables passive RIP with optional authentication for version 2

fwsm(config)#
rip if_name default [version {1 | 2 [authentication {text | md5} key key_id]}]

* Enables sending of the default route

[Figure: FWSM running RIP between the outside network 192.168.1.0/24 and the inside network 10.0.3.0/24]

rip inside default version 2
rip inside passive version 2

Passive RIP is configured with the rip passive command:

rip if_name passive [version {1 | 2 [authentication {text | md5} key key_id]}]

rip passive Parameters

Parameter        Description

if_name          The interface where RIP should listen to the RIP updates from neighboring routers.

version 1 | 2    (Optional) The version of the RIP protocol: RIPv1 or RIPv2. If not specified, RIPv1 is used.

authentication   (Optional) Enables RIP version 2 authentication.

text             Uses cleartext for RIP message authentication (not recommended).

md5              Uses MD5 for RIP message authentication.

key              Key used to authenticate RIP updates.

key_id           Key identification value; valid values range from 1 to 255.

The default route update is configured with the rip default command:

rip if_name default [version {1 | 2 [authentication {text | md5} key key_id]}]

rip default Parameters

Parameter        Description

if_name          The interface where RIP should listen to the RIP updates from neighboring routers.

version 1 | 2    (Optional) The version of the RIP protocol: RIPv1 or RIPv2. If not specified, RIPv1 is used.

authentication   (Optional) Enables RIP version 2 authentication.

text             Uses cleartext for RIP message authentication (not recommended).

md5              Uses MD5 for RIP message authentication.

key              Key used to authenticate RIP updates.

key_id           Key identification value; valid values range from 1 to 255.

Note
Further information about RIP commands is available in the Catalyst 6500 Series FWSM documentation.

Note
RIP cannot be used by the Catalyst 6500 Series FWSM to advertise individual networks.


BGP Stub Routing

* Features of BGP support include advertisement of static and directly connected routes to neighbors
* Limitations:
  - One routing process (in multiple context mode also)
  - One BGP neighbor (in multiple context mode also)
  - iBGP only
  - No redistribution
* Supported in the multiple context mode
* Requires a license

The BGP stub routing process is used only to advertise the configured static and directly connected routes to BGP neighbors.

BGP does not process the accepted routes advertised by the BGP peer and simply drops them.

Note
A license is required to deploy BGP stub routing.

BGP Limitations

BGP stub routing is limited to one process, one BGP neighbor, and only internal BGP (iBGP), even if deployed in multiple context mode.

Redistribution of any routes into BGP is not supported.

Note
Further information about BGP is available in the Catalyst 6500 Series FWSM documentation.


Enabling BGP

fwsm(config)#
router bgp as_number

* Configures the BGP stub routing process

fwsm(config-router)#
neighbor ip_address remote-as as_number

* Defines the neighbor to which updates are sent

fwsm(config-router)#
network ip_address mask mask

* Specifies the networks which are advertised by BGP

[Figure: FWSM with the inside network 10.0.3.0/24 and the outside network 192.168.1.0/24; the iBGP neighbor is 192.168.1.2]

router bgp 65000
neighbor 192.168.1.2 remote-as 65000
network 10.0.3.0 mask 255.255.255.0

BGP stub routing is enabled by configuring routing processes with the router bgp command:

router bgp as_number

router bgp Parameter

Parameter     Description

as_number     The autonomous system (AS) number that identifies the FWSM to other BGP routers. It has to be the same as on the neighboring device, since only iBGP is supported.

To start the BGP session with the neighbor, use the neighbor remote-as command:

neighbor ip_address remote-as as_number

neighbor remote-as Parameters

Parameter     Description

ip_address    The IP address of the neighboring iBGP router.

as_number     The AS number that identifies the FWSM to other BGP routers. It has to be the same as on the neighboring device, since only iBGP is supported.


Optional BGP Commands

BGP on the Catalyst 6500 Series FWSM also supports the commands listed in the table.

Optional BGP Commands

Command                                         Description

bgp router-id id                                Defines a BGP router ID.

neighbor ip_address password [mode] password    Defines a password used to authenticate the BGP messages to the neighbor.

Note
In more complex iBGP deployments, the BGP neighbor has to be enabled with the route reflector functionality.

To verify and troubleshoot BGP operation, the same set of commands is used as on Cisco IOS routers.

Note
Further information about BGP commands is available in the Catalyst 6500 Series FWSM documentation.


Route Health Injection

* Available since FWSM 4.0
* Leverages RHI to support routing protocols natively supported by the Cisco Catalyst 6500 Series Switch
* Injects routes directly into the MSFC:
  - Static routes
  - NAT pool information
* Per-context RHI

[Figure: Using RHI to Inject Translated IP Addresses (a Cisco Catalyst 6500 Series Switch whose MSFC learns the FWSM's directly connected routes, static routes, and NAT pool addresses through the outside VLAN of each context)]


Asymmetric Routing Support

* Challenge: Return traffic for a session routed through a different interface is dropped
* Put interfaces in the asymmetric routing group
* Action upon a packet with no session information on the interface:
  - Layer 2 header rewritten
  - Failover scenario: packet is redirected to the other unit
  - Different interface: packet reinjected into the system
* Failover: stateful failover must be enabled
* Supported in the multiple context mode

Normally the Catalyst 6500 Series FWSM, like any other firewalling device, does not allow asymmetric routing; that is, in case return traffic for a session is routed through a different interface than the one it originated from, the traffic is dropped, since there is no connection information for that traffic.

In failover configurations, return traffic for a connection that originated on one unit may return through the peer unit.

Such deployments are common when two interfaces on a single Catalyst 6500 Series FWSM, or two Catalyst 6500 Series FWSMs in a failover pair, are connected to different service providers and the outbound connection does not use a NAT address.

Using Asymmetric Routing Groups to Allow Asymmetric Routing

To prevent the Catalyst 6500 Series FWSM from dropping such traffic, asymmetric routing groups can be deployed on the interfaces where this is likely to occur. When an interface configured with the asymmetric routing group receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group. If a packet for such a session is received, these actions occur if a match is found:

* If the incoming traffic originated on a peer unit in a failover configuration, a part of or the entire Layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long as the session is active.
* If the incoming traffic originated on a different interface on the same unit, a part of or the entire Layer 2 header is rewritten and the packet is reinjected into the stream.

Note
In failover configurations, stateful failover has to be enabled for session information to be passed from the standby unit or failover group to the active unit or failover group.
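As an added example (not part of the Student Guide and not FWSM code), the following Python model walks through the decision the text describes: a packet arriving on an interface with no session, the lookup across the other interfaces of the same asymmetric routing group, and the three outcomes (drop, rewrite and reinject locally, or rewrite and redirect to the peer unit). The unit names, interface names, and the dual-ISP session are constructed; the session key is normalized so that a return packet finds the session that the outbound packet created, which is a simplification of the real connection table.

```python
from dataclasses import dataclass, field


def session_key(src, sport, dst, dport, proto="tcp"):
    """Direction-independent key so a return packet finds the original session."""
    ends = tuple(sorted([(src, sport), (dst, dport)]))
    return ends + (proto,)


@dataclass
class Session:
    key: tuple
    ingress_if: str   # interface on which the session was created
    owner: str        # failover unit that created it


@dataclass
class FwsmUnit:
    name: str
    asr_group: dict = field(default_factory=dict)   # interface -> asr-group number
    sessions: dict = field(default_factory=dict)    # (interface, key) -> Session

    def add_interface(self, if_name, asr_group=None):
        """asr_group None models an interface without the asr-group command."""
        self.asr_group[if_name] = asr_group

    def open_session(self, if_name, key):
        """Outbound packet accepted on if_name creates the session there."""
        self.sessions[(if_name, key)] = Session(key, if_name, self.name)

    def replicate_from(self, peer, stateful):
        """Stateful failover copies the peer's sessions; regular failover does not."""
        if stateful:
            for k, s in peer.sessions.items():
                self.sessions.setdefault(k, s)

    def classify_packet(self, if_name, key):
        """Decide what happens to a packet arriving on if_name."""
        if (if_name, key) in self.sessions:
            return "forward"                    # normal stateful path
        group = self.asr_group.get(if_name)
        if group is None:
            return "drop"                       # no session, no asr-group
        for (other_if, other_key), sess in self.sessions.items():
            if other_key != key or other_if == if_name:
                continue
            if self.asr_group.get(other_if) != group:
                continue                        # session lives outside this group
            if sess.owner != self.name:
                return "rewrite-l2-redirect-to-peer"   # created on the other unit
            return "rewrite-l2-reinject"               # created on another local interface
        return "drop"


if __name__ == "__main__":
    # Constructed scenario: one inside interface and two ISP uplinks in asr-group 1.
    flow = session_key("10.0.3.10", 40000, "203.0.113.5", 443)
    fwsm1 = FwsmUnit("fwsm1")
    for ifn in ("inside", "isp1", "isp2"):
        fwsm1.add_interface(ifn, asr_group=1)
    fwsm1.open_session("isp1", flow)               # outbound left via isp1
    print("return via isp2 on fwsm1:", fwsm1.classify_packet("isp2", flow))
    fwsm2 = FwsmUnit("fwsm2")
    for ifn in ("inside", "isp1", "isp2"):
        fwsm2.add_interface(ifn, asr_group=1)
    fwsm2.replicate_from(fwsm1, stateful=True)     # stateful failover replicates sessions
    print("return via isp2 on fwsm2:", fwsm2.classify_packet("isp2", flow))
```

The failover case is where the note above matters: without replicate_from(..., stateful=True) the peer has no session to match against, and the same return packet is dropped even though the interface is in the group.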


Enabling Asymmetric Routing

fwsm(config-if)#
asr-group number

* Adds an interface to an asymmetric routing group

[Figure: Context A and Context B ASR configuration on FWSM 1 and FWSM 2, each context with an inside interface (Inside Ctx A, Inside Ctx B) and an outside interface toward the Internet]

interface Vlan1
 description INSIDE
 asr-group 1
interface Vlan2
 description OUTSIDE
 asr-group 2

asr-group Parameter

Parameter     Description

number        A value ranging from 1 to 32. Up to 32 asymmetric routing groups can be created, each group having a maximum of 8 interfaces.

The command has to be entered for each interface that will participate in the asymmetric routing group.

Using Asymmetric Routing Groups with Asymmetric Routing in Failover with Multiple Contexts

Note
In the example, stateful failover is deployed for asymmetric routing to work properly.


Summary

This topic summarizes the key points that were discussed in this lesson.

Summary

* IP routing is needed in routed mode to forward packets between interfaces.
* Static routes provide the minimum CPU overhead.
* OSPF and RIP are not supported in multiple context mode.
* BGP stub routing announces only static and connected routes.
* RHI is used to inject connected routes, static routes, and NAT pool information into the MSFC.
* Asymmetric routing is used to allow the return traffic through a different interface than the outgoing traffic.


Lesson 6

Implementing Failover

Overview

Objectives

Failover Overview

This topic explains the failover functionality on the Catalyst 6500 Series FWSM.

Redundant Catalyst 6500 Series FWSM Pair

Redundant FWSM high-availability options:

* Active-standby for all contexts
* Active-active

[Figure: an active and a standby FWSM between the campus/outside network and the inside network]

The failover configuration requires two identical Catalyst 6500 Series FWSMs connected to each other through a dedicated failover link and, optionally, a state link.

The two units in a failover configuration must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from version 3.1(1) to version 3.1(2) and have failover remain active.

Note
It is recommended to upgrade both units to the same version to ensure long-term compatibility.

Both units must have the same license.

Active-standby Failover

The Catalyst 6500 Series FWSM provides high availability firewall services through an active-standby redundancy model. The standby Catalyst 6500 Series FWSM monitors the health of the active FWSM and takes over providing firewall services if it detects a failure of the active FWSM.

Each of the two Catalyst 6500 Series FWSMs in a redundant pair must be configured with access to the same collection of networks.

Active-standby failover is available on units running in either single or multiple context mode.


Active-Active Failover

Note
Both failover configurations support stateful or stateless (regular) failover.

Catalyst 6500 Series FWSM Failover Link

* Dedicated failover link (VLAN)
* Used to determine the operating status of each unit
* Multiple context: resides in the system execution space

[Figure: active and standby FWSMs joined by the failover link, between the campus/outside network and the inside network]

The failover configuration requires two identical Catalyst 6500 Series FWSMs connected to each other through a dedicated failover link.

The two Catalyst 6500 Series FWSMs in a failover pair constantly communicate over the failover link to determine the operating status of each unit. This information is communicated over the failover link:

* The unit state (active or standby)
* Hello messages (keepalives)
* Network link status
* MAC address exchange
* Configuration replication and synchronization

Caution
All information sent over the failover and stateful failover links is sent in clear text, unless you secure the communication with a failover key.

Failover Link Requirements

The failover link uses a special VLAN interface that you do not configure as a normal networking interface; rather, it exists only for failover communications. This VLAN should only be used for the failover link (and optionally for the state link). Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems, as well as ping and Address Resolution Protocol (ARP) failures. For inter-chassis failover, use dedicated interfaces on the switch for the failover link.

In multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces configured in the system context. All other interfaces are allocated to security contexts and configured from within the security contexts.


Catalyst 6500 Series FWSM State Link

* Dedicated failover link (VLAN)
* Used to determine the operating status of each unit
* Multiple context: resides in the system execution space

[Figure: active and standby FWSMs joined by the failover link and the state link, between the campus/outside network and the inside network]

State Link

Note
The IP address and MAC address for the state link do not change at failover.

Catalyst 6500 Series FWSM Active-standby Failover

* Standby FWSM assumes the IP and MAC address

[Figure: the failed (formerly active) FWSM and the now active (formerly standby) FWSM between the campus/outside network and the inside network]

When a failure occurs, the standby Catalyst 6500 Series FWSM becomes active. The previously standby Catalyst 6500 Series FWSM takes over the active module IP addresses and MAC address and begins to process traffic.

No changes are necessary to the ARP or IP addressing information used by any other device in the network; however, the switching engine in the Cisco Catalyst 6500 Series Switch must be informed that the MAC address for the active Catalyst 6500 Series FWSM is now owned by a different module. The Catalyst 6500 Series FWSM sends gratuitous ARPs out on all of its VLAN interfaces to update the Cisco Clean Access Manager (CAM) tables in the Catalyst 6500 Series Switch.


Catalyst 6500 Series FWSM Active-Active Failover

* Standby FWSM assumes the IP and MAC address

[Figure: two FWSMs between the campus/outside network and the inside network; one is active for failover group 1 and standby for failover group 2, the other is active for failover group 2 and standby for failover group 1]

Failover is preemptive if configured to be so; should the other Catalyst 6500 Series FWSM advertise a higher priority for a given failover group, the FWSM with the lower priority can give up its active role.

Note
No special license is necessary for failover.

Failover Event with Active-Active

Note
The failure of a failover group on a unit does not mean that the unit has failed; another failover group might still be passing traffic through that unit.


Intra-chassis Redundancy

[Figure: a single Cisco Catalyst 6500 Series Switch hosting an active and a standby FWSM, connected to the campus, the outside network, and the inside network]

A redundant pair of Catalyst 6500 Series FWSMs can be hosted in a single Catalyst 6500 Series Switch chassis.

This approach provides redundancy in the case of a module failure. All of the Catalyst 6500 Series FWSM interfaces, including the failover and state links, are VLANs within the hosting Catalyst 6500 Series Switch. Each Catalyst 6500 Series FWSM is attached to the same VLANs.

Note
The backup Catalyst 6500 Series FWSM does not need a failover cable.


Inter-chassis Redundancy

* Configure spanning tree to block ports on the second Cisco Catalyst 6500 Series Switch

[Figure: Cisco Catalyst 6500 Series Switch 1 hosting the active FWSM and Cisco Catalyst 6500 Series Switch 2 hosting the standby FWSM, both connected to the campus, the outside network, and the inside network]

The Catalyst 6500 Series Switch chassis hosting the redundant Catalyst 6500 Series FWSMs are configured so that the chassis containing the primary FWSM is actively switching traffic under normal conditions.


Failover Operation

This topic describes the failover operation.

Module Health Monitoring

* Hellos on the failover link determine module health
* ARP requests are sent on all interfaces if hellos are not received

[Figure: active and standby FWSMs exchanging hellos over the failover link, between the campus/outside network and the inside network]

The Catalyst 6500 Series FWSM determines the health of the other unit by monitoring the failover link. When a unit does not receive "hello" messages on the failover link, the unit sends an ARP request on all interfaces, including the failover interface. The Catalyst 6500 Series FWSM retries a user-configurable number of times. The action the Catalyst 6500 Series FWSM takes depends on the response from the other unit. Possible actions include:

* If the Catalyst 6500 Series FWSM receives a response on any interface, it does not fail over.
* If the Catalyst 6500 Series FWSM does not receive a response on any interface, the standby unit switches to active mode and classifies the other unit as failed.
* If the Catalyst 6500 Series FWSM does not receive a response on the failover link only, the unit does not fail over. The failover link is marked as failed. You should restore the failover link as soon as possible, because the unit cannot fail over to the standby while the failover link is down.
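As an added example (not part of the Student Guide and not FWSM code), the following Python class models the health check just described as a small state machine: missed hellos trigger an ARP probe on every interface including the failover interface, the probe is repeated up to a configurable number of times, and the three outcomes in the list above are derived from which interfaces answered. The interface names, the probe results, and the assumption that one tick equals one hello interval are constructed for the example.

```python
class HealthMonitor:
    """Models the hello/ARP health check one unit runs against its peer.

    Constructed simplification: tick() is called once per hello interval with
    whether a hello arrived and, if not, which interfaces answered the ARP
    probe. max_retries stands in for the user-configurable retry count.
    """

    def __init__(self, role, interfaces, failover_if="failover", max_retries=3):
        if role not in ("active", "standby"):
            raise ValueError("role must be 'active' or 'standby'")
        self.role = role
        self.failover_if = failover_if
        self.interfaces = list(interfaces) + [failover_if]
        self.max_retries = max_retries
        self.unanswered_probes = 0
        self.peer_state = "ok"
        self.failover_link_state = "up"

    def tick(self, hello_received, arp_responses=None):
        """Process one hello interval and return the action taken.

        arp_responses maps interface name -> True if the peer answered the
        ARP request on that interface (consulted only when hellos are missing).
        """
        if hello_received:
            self.unanswered_probes = 0
            self.peer_state = "ok"
            self.failover_link_state = "up"
            return "hello-ok"

        responses = arp_responses or {}
        answered = [ifn for ifn in self.interfaces if responses.get(ifn, False)]

        if answered:
            # Peer is alive: never fail over. If only the failover link is
            # silent, flag that link so an operator restores it.
            self.unanswered_probes = 0
            if self.failover_if not in answered:
                self.failover_link_state = "failed"
                return "failover-link-failed"
            return "no-failover"

        self.unanswered_probes += 1
        if self.unanswered_probes < self.max_retries:
            return "retry"                      # keep probing before deciding

        # No response on any interface after all retries: peer has failed.
        self.peer_state = "failed"
        if self.role == "standby":
            self.role = "active"
            return "peer-failed-become-active"
        return "peer-failed"


if __name__ == "__main__":
    standby = HealthMonitor("standby", ["inside", "outside"], max_retries=3)
    print(standby.tick(True))                                   # hello-ok
    print(standby.tick(False, {"inside": True}))                # failover-link-failed
    for _ in range(3):
        action = standby.tick(False, {})
    print(action, standby.role)                                 # peer-failed-become-active active
```

The third branch is the one worth remembering operationally: a silent failover link with a reachable peer does not cause a failover, but it also removes the unit's ability to fail over until the link is repaired, which is why the state is recorded separately from the peer state.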


Partial Switch Failure

[Figure: Cisco Catalyst 6500 Series Switch 1 (active FWSM) and Cisco Catalyst 6500 Series Switch 2 (standby FWSM) connected to the campus, the outside network, and the inside network]

Partial Switch Failure (Cont.)

[Figure: the same topology after the ports connecting Cisco Catalyst 6500 Series Switch 1 to the outside and inside networks have failed; traffic from the Internet crosses the inter-switch trunk to reach the active FWSM in Switch 1 and crosses it again toward the inside network]

The diagram shows a partial switch failure that has downed the ports connecting Catalyst 6500 Series Switch 1 to both the inside and outside networks. The Catalyst 6500 Series FWSM in Catalyst 6500 Series Switch 1 is still active, however, so traffic must transit the inter-switch trunk twice: first as a packet on the outside VLAN, and again as a packet on the inside VLAN.


Interface Monitoring

[Figure: Cisco Catalyst 6500 Series Switch 1 (standby FWSM) and Cisco Catalyst 6500 Series Switch 2 (active FWSM) connected to the Internet, the outside network, and the inside network]

* Broadcast ping test: The ping test sends out a broadcast ping request. The module counts all received packets for up to five seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.

If all network tests fail for an interface, but the interface on the other module continues to successfully pass traffic, the interface has failed. If the threshold for failed interfaces is met, a failover occurs. If the other module interface also fails all the network tests, both interfaces go into the unknown state and do not count toward the failover limit.

An interface becomes operational again if it receives traffic. A failed Catalyst 6500 Series FWSM returns to standby mode if the interface failure threshold is no longer met.

Note
An interface can be marked as failed (autostate down) when there are no longer any physical ports belonging to a VLAN that is configured on the switch for the Catalyst 6500 Series FWSM.
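As an added example (not part of the Student Guide and not FWSM code), the following Python functions apply the interface monitoring rules above to constructed test results: the five-second broadcast ping window, the distinction between a failed interface (only this module's side is broken) and an unknown one (both sides fail), the failed-interface threshold that triggers a failover, and the recovery rule. Interface names, per-second packet counts, and the threshold value are constructed for the example.

```python
def broadcast_ping_test(packets_per_second, window=5):
    """Count packets received after a broadcast ping for up to `window` seconds.

    packets_per_second is a constructed list of per-second receive counts.
    Returns (operational, seconds_elapsed): the test stops as soon as any
    packet is seen; otherwise it runs the full window and the test fails.
    """
    for second, count in enumerate(packets_per_second[:window], start=1):
        if count > 0:
            return True, second
    return False, window


def evaluate_interfaces(local_tests_failed, peer_passing, threshold):
    """Apply the interface failure rules from the text.

    local_tests_failed: {interface: True if all network tests failed on this module}
    peer_passing:       {interface: True if the peer's interface still passes traffic}
    threshold:          number of failed interfaces that triggers a failover
    Returns (states, failover) where states maps interface -> normal/failed/unknown.
    """
    states = {}
    for ifn, failed in local_tests_failed.items():
        if not failed:
            states[ifn] = "normal"
        elif peer_passing.get(ifn, False):
            states[ifn] = "failed"      # only our side is broken: counts
        else:
            states[ifn] = "unknown"     # both sides fail: does not count
    failed_count = sum(1 for s in states.values() if s == "failed")
    return states, failed_count >= threshold


def recover(states, traffic_seen, threshold):
    """An interface returns to normal when it receives traffic; the unit may go
    back to standby once the failed-interface count drops below the threshold.
    Returns (updated_states, back_to_standby)."""
    updated = {ifn: ("normal" if traffic_seen.get(ifn, False) else state)
               for ifn, state in states.items()}
    still_failed = sum(1 for s in updated.values() if s == "failed")
    return updated, still_failed < threshold


if __name__ == "__main__":
    # Constructed results: no reply for two seconds, then three packets.
    print(broadcast_ping_test([0, 0, 3, 0, 0]))      # (True, 3)
    states, failover = evaluate_interfaces(
        {"inside": True, "outside": False, "dmz": True},
        {"inside": True, "outside": True, "dmz": False},
        threshold=1)
    print(states, failover)     # inside failed, dmz unknown, failover True
    print(recover(states, {"inside": True}, threshold=1))
```

The unknown state is the subtle part: an interface whose peer-side twin is equally dead (for example, both modules lost the same upstream VLAN) is excluded from the failed count, so a shared outage does not flip the pair back and forth.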

Rapid Link Failure Detection with Cisco IOS Autostate

Detecting and responding to a failover condition can take up to 45 seconds. However, if you are using Cisco IOS Software Release 12.2(18)SXF5 or later on the switch, you can use the autostate feature to bypass the interface testing phase and provide subsecond failover times for interface failures. With autostate enabled, the supervisor engine sends autostate messages to the Catalyst 6500 Series FWSM about the status of the physical interfaces associated with FWSM VLANs.
</gr_repl
ace>

<gr_replace lines="15006-15012" cat="remove_boilerplate" orig="2-164">

2-164

lmplementingCi
scoDataCenterNetworklnfrastructure1(DCNI-I)v2,
0

()2008CiscoSystems, lnc.

Configuring Failover

This topic describes the steps required to configure failover.

Configuration Overview

* The primary module is active if both are booted simultaneously
* The primary MAC address is used if possible
* Configuration is synchronized from active to standby:
  - copy running-config startup-config
  - write standby
  - failover suspend-config-sync

[Figure: primary (active) and secondary (standby) FWSMs]

Primary and Secondary Roles

Note
Because the configuration is the same on both modules, the hostnames, usernames, and passwords are also the same.

The active module sends the configuration in running memory to the standby module. On the standby module, the configuration exists only in running memory. You can optionally save the configuration to flash memory, so that when you reboot the standby module while the active module is unavailable, the standby module can become the active module. To save the configuration to flash memory after replication, use the copy running-config startup-config command on the active module. In multiple context mode, this command should be used in the system execution space, as well as within each context whose configuration is stored in flash.

When the standby module completes its initial startup, it clears its running configuration, except for the failover commands that must be preconfigured and are not replicated, and the active module sends its entire configuration to the standby module. As commands are entered on the active module, they are sent across the failover link to the standby module.

The write standby command can be used on the active module to cause the standby module to clear its running configuration, after which the active module replicates the entire configuration. Entering the write standby command in the system execution space causes all contexts to be replicated.

Configuration replication can be suspended using the failover suspend-config-sync command.


Active-standby: Defining the Configuration on the Primary FWSM Procedure

Step 1
failover lan interface interface_name vlan vlan

Designates the failover interface. The example uses "VLAN 100" for the failover interface. This VLAN should not be used for any other purpose except, optionally, the state link, or be assigned to any switch ports. This VLAN does need to be assigned to the FWSM by the switch, and this interface does not need an access control list (ACL), as failover traffic is allowed automatically and other traffic is denied.

Step 2
failover interface ip failover_interface_name ip_address mask standby ip_address

Assigns IP addresses to the failover interface on each FWSM. Both the primary and secondary IP address must be in the same network, as defined by the subnet mask.

Step 3
failover link interface_name [vlan vlan]

Defines the state interface for stateful failover operations. This VLAN should not be used for any other purpose except, optionally, the failover link, or be assigned to any switch ports. If this interface is using the same VLAN as the failover link, the vlan parameter does not need to be specified. The state VLAN needs to be assigned to the FWSM by the switch, and this interface does not need an ACL, as connection state traffic is allowed automatically and other traffic is denied.

Step 4
failover interface ip state_interface_name ip_address mask standby ip_address

As with the failover interface, assigns an IP address to the state interface.

Step 5
failover replication http

(Optional) Directs the active FWSM to replicate state information for HTTP connections. Without this statement, HTTP connections are disconnected in case of a failover. HTTP connections are brief and frequent, and the state information, although updated constantly, might not include the latest HTTP states at failover. For this reason, you might want to disable HTTP replication to reduce the amount of traffic on the state link.

Step 6
failover lan unit primary

Designates this FWSM as the primary.

Note
This command is the only configuration statement that differs between the primary and the secondary FWSM.

Step 7
failover

Enables failover operations.

Step 8
ip address ip_address [mask] [standby ip_address]

Adds a standby IP address to any interfaces with an IP address.

ImppementingCl
scoDataCenterNetworkInfrastructure1(DCNI
-I)72.0

@ 2008CiscoSystems Inc.

Active-standby: Defining the Configuration on the Secondary FWSM Procedure

Step 1
Action: failover lan interface interface_name vlan vlan
Notes: Designates the failover interface. The example uses VLAN 100 for the failover interface. This VLAN should not be used for any other purpose except, optionally, the state link, or be assigned to any switch ports. This VLAN does need to be assigned to the FWSM by the switch, and this interface does not need an ACL, as failover traffic is allowed automatically and other traffic is denied.

Step 2
Action: failover interface ip failover_interface ip_address mask standby ip_address
Notes: Assigns IP addresses to the failover interface on each FWSM. Both the primary and secondary IP address must be in the same network, as defined by the subnet mask.

Step 3
Action: failover lan unit secondary
Notes: Designates this FWSM as the secondary FWSM.
Note
This command is the only configuration statement that differs between the primary and the secondary FWSM.

Step 4
Action: failover
Notes: Enables failover operations.
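The two active-standby procedures above, collected into the configuration entered on each unit of a single-context pair. This is an added example, not from the course material; the interface names, VLANs 100 and 101, and all addresses are assumptions.

```cisco
! ===== Primary FWSM =====
! Failover (LAN) link on its own VLAN: no switch ports, no ACL needed
failover lan interface failover vlan 100
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
! Stateful link on a second VLAN; omit "vlan 101" to share VLAN 100 with the failover link
failover link state vlan 101
failover interface ip state 192.168.101.1 255.255.255.0 standby 192.168.101.2
! Optional: also replicate HTTP connection state (adds traffic on the state link)
failover replication http
! The only statement that differs between the two units
failover lan unit primary
failover
!
! Every interface with an IP address also gets a standby address; the unit in
! standby state uses it, and the pair swaps addresses (and MACs) on failover
interface vlan 10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0 standby 10.1.10.2
interface vlan 11
 nameif outside
 security-level 0
 ip address 10.1.0.11 255.255.255.0 standby 10.1.0.12
!
! ===== Secondary FWSM =====
! Identical failover-link statements: the secondary takes the standby address.
! Everything else is replicated from the active unit; "write standby" on the
! active unit forces a full resync if the two configurations have drifted.
failover lan interface failover vlan 100
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
failover lan unit secondary
failover
```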

Active-Active: Defining the Configuration on the Primary FWSM Procedure

Step 1
Action: failover lan unit primary
Notes: Designates the unit as a primary unit.

Step 2
Action: failover lan interface interface_name vlan vlan
Notes: Designates the failover interface. The example uses VLAN 100 for the failover interface. This VLAN should not be used for any other purpose except, optionally, the state link, or be assigned to any switch ports. This VLAN does need to be assigned to the FWSM by the switch, and this interface does not need an ACL, as failover traffic is allowed automatically and other traffic is denied.

Step 3
Action: failover interface ip failover_interface ip_address mask standby ip_address
Notes: Assigns IP addresses to the failover interface on each FWSM. Both the primary and secondary IP address must be in the same network, as defined by the subnet mask.

Step 4
Action: failover link interface_name [vlan vlan]
Notes: Defines the state interface for stateful failover operations. This VLAN should not be used for any other purpose except, optionally, the failover link, or be assigned to any switch ports. If this interface is using the same VLAN as the failover link, the vlan parameter does not need to be specified. The state VLAN needs to be assigned to the FWSM by the switch, and this interface does not need an ACL, as connection state traffic is allowed automatically and other traffic is denied.

Step 5
Action: failover interface ip state_interface ip_address mask standby ip_address
Notes: As with the failover interface, the state interface needs an IP address assigned.

Step 6
Action:
failover group 1
 primary
 exit
failover group 2
 secondary
 exit
Notes: Configures the failover groups, with a maximum of two permitted. Each failover group must be defined as either the primary or secondary failover group. For load balancing, a different unit preference is assigned to each failover group.

Step 7
Action:
context context_name
 join-failover-group {1 | 2}
Notes: Assigns each context to a failover group.

Step 8
Action: failover
Notes: Enables failover.

Step 9
Action:
changeto context context_name
monitor-interface interface_name
Notes: Enables monitoring on an interface.

Active-Active: Defining the Configuration on the Secondary FWSM Procedure

Step 1
Action: failover lan interface interface_name vlan vlan
Notes: Designates the failover interface. The example uses VLAN 100 for the failover interface. This VLAN should not be used for any other purpose except, optionally, the state link, or be assigned to any switch ports. This VLAN does need to be assigned to the FWSM by the switch, and this interface does not need an ACL, as failover traffic is allowed automatically and other traffic is denied.

Step 2
Action: failover interface ip failover_interface ip_address mask standby ip_address
Notes: Assigns IP addresses to the failover interface on each FWSM. Both the primary and secondary IP address must be in the same network, as defined by the subnet mask.

Step 3
Action: failover lan unit secondary
Notes: Designates this FWSM as the secondary FWSM.
Note
This command is the only configuration statement that differs between the primary and the secondary FWSM.

Step 4
Action: failover
Notes: Enables failover operations.

Configuring Interface Monitoring

fwsm(config)# monitor-interface interface
- Enables interface monitoring

fwsm(config)# failover interface-policy number[%]
- Sets the interface policy: the number (or percentage) of monitored interfaces that must fail before a failover is triggered

Configuration shown in the figure:
failover interface-policy 2
monitor-interface inside
monitor-interface outside

[Figure: the Internet and Outside Network above and the Inside Network below, with Cisco Catalyst 6500 Series Switch 1 (Standby) and Cisco Catalyst 6500 Series Switch 2 (Active) between them]
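The active-active procedures and the interface-monitoring commands above, as one configuration for a two-context pair. This is an added example, not from the course material; the context names dmz and app, the VLANs and the addresses are assumptions, and the two contexts are assumed to be defined already.

```cisco
! ===== Primary FWSM, system execution space =====
failover lan unit primary
failover lan interface failover vlan 100
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
failover link state vlan 101
failover interface ip state 192.168.101.1 255.255.255.0 standby 192.168.101.2
!
! Two failover groups with opposite unit preferences: group 1 is normally
! active on this unit, group 2 on the secondary, so both modules carry traffic
failover group 1
 primary
 exit
failover group 2
 secondary
 exit
!
! Each context joins exactly one group (the contexts are assumed to exist;
! their allocate-interface and config-url statements are not shown)
context dmz
 join-failover-group 1
 exit
context app
 join-failover-group 2
 exit
failover
!
! Interface monitoring is configured inside each context. With policy 2 a
! group fails over only when two monitored interfaces are down, so one
! flapping link does not move the group between modules.
changeto context dmz
failover interface-policy 2
monitor-interface inside
monitor-interface outside
changeto context app
failover interface-policy 2
monitor-interface inside
monitor-interface outside
!
! ===== Secondary FWSM, system execution space =====
! Only the unit designation differs; groups and contexts are replicated
failover lan interface failover vlan 100
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
failover lan unit secondary
failover
```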

Verification and Troubleshooting

fwsm(config)# show failover
- Examines failover status and configuration

fwsm(config)# show np {1 | 2} fogrp-table {0-2 | all}
- Examines MAC and flags in network processors (MAC addresses toggle on failover)

fwsm(config)# show np {1 | 2} vlan {2-4096}
- Examines failover group ID assigned to an interface

fwsm(config)# show np {1 | 2} global-table
- Examines MAC addresses of the failover and logical update interfaces (does not toggle on failover)

To examine the status of the failover operation and configuration, use the commands listed in the table.

Verifying the Status of the Failover Operation and Configuration Commands

Command: show failover
Description: Displays information about the failover status of the unit.

Command: show np {1 | 2} fogrp-table {0-2 | all}
Description: Displays the fogrp-table information.

Command: show np {1 | 2} vlan {2-4096}
Description: Displays the VLAN information.

Command: show np {1 | 2} global-table
Description: Displays the global table information.

Verification and Troubleshooting (Cont.)

fwsm(config)# debug fover switch
- Examines failover state machine debugs

fwsm(config)# debug fover fail
- Examines failure event debugs

fwsm(config)# debug fover {rx | tx}
- Examines failover message reception and transmission

fwsm(config)# debug fover ifc
- Examines network interface status trace

To troubleshoot the failover operation and configuration, use the commands listed in the table.

Note
Use these commands with caution in production networks.

Troubleshoot the Failover Operation and Configuration Commands

Command: debug fover switch
Description: Displays failover switching status

Command: debug fover fail
Description: Displays failover internal exception

Command: debug fover {rx | tx}
Description: Displays failover message receive and message transmit

Command: debug fover ifc
Description: Displays network interface status trace

Verifying the Failover Configuration

FWSM# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan 20
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Last Failover at: 03:21::0 Mar 02 2006
        This host: Primary - Standby
                Active time: 2453 (sec)
                Interface inside (10.1.10.2): Normal (Not-Monitored)
                Interface outside (10.1.0.12): Normal (Not-Monitored)
        Other host: Secondary - Active
                Active time: 50 (sec)
                Interface inside (10.1.10.1): Normal (Not-Monitored)
                Interface outside (10.1.0.11): Normal (Not-Monitored)

The show failover command is used to display the failover configuration of the Catalyst 6500 Series FWSM.

The output shown indicates these conditions:
- Failover is enabled.
- This Catalyst 6500 Series FWSM is the default primary FWSM in the redundant pair.
- The failover interface is using VLAN 20.
- This Catalyst 6500 Series FWSM is currently in standby mode because a failover has occurred; the other Catalyst 6500 Series FWSM is in active mode.

Verifying the Failover Configuration (Cont.)

Stateful Failover Logical Update Statistics
        Link : state Vlan 21
        Stateful Obj    xmit    xerr    rcv
        General         339     0       331
        sys cmd         331     0       331
        up time         0       0       0
        RPC services    0       0       0
        xlate           0       0       0
        TCP conn        0       0       0
        UDP conn        0       0       0
        ARP tbl         8       0       0
        RIP Tbl         0       0       0
        L2BRIDGE Tbl    0       0       0
        Xlate_Timeout   0       0       0
        TCP NPs         4       0       37
        UDP NPs         0       0       0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       334
        Xmit Q:         0       1       341

This printout displays the remainder of the output from the show failover command.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
- Cisco Catalyst 6500 Series FWSM failover is provided by an active-standby pair of modules.
- Failover monitoring is used to cause a failover to the standby Catalyst 6500 Series FWSM in response to network events.
- Configuration statements in the system execution space are used to define the failover configuration.

Lesson 7

Implementing Deep Packet Inspection

Overview
This lesson identifies and describes how the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) handles the packets where inspection beyond protocol headers is required.

Objectives
Upon completing this lesson, you will be able to understand and implement deep packet inspection on the Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:
- Describe deep packet inspection on the Catalyst 6500 Series FWSM
- Identify the commands used to configure and verify deep packet inspection
- Describe the URL filtering functionality
- Identify the commands to configure and verify the URL filtering functionality

Deep Packet Inspection Overview

This topic explains the deep packet inspection function on the Catalyst 6500 Series FWSM.

Deep Packet Inspection
- Deep packet inspection examines and modifies application data payload
- This method fixes applications broken by FWSM:
  - Embedded IP address
  - Embedded TCP/UDP port number
  - Multiple connections
- This method is also used to provide application-level security:
  - MailGuard
  - URL filtering

Deep packet inspection is used in situations where the Catalyst 6500 Series FWSM needs to analyze or modify the application data payload contained within an IP packet.

Application data analysis is needed in situations where a protocol uses multiple connections for one interaction. These applications often use a control connection to a well-known port that can be specified in the access control lists (ACLs) governing traffic access through the Catalyst 6500 Series FWSM. Secondary data connections are opened to other ports that are not well known. Deep packet inspection is used to detect the protocol commands that specify the port numbers of these secondary connections, so that flow entries can be dynamically added to the stateful packet inspection tables. FTP is an example of this kind of application.

Application data payload modifications are necessary for applications that embed IP addresses of either endpoint within the protocol packets that traverse a Catalyst 6500 Series FWSM that is performing Network Address Translation (NAT) or Port Address Translation (PAT). Data payload modifications are also used to provide security for some applications. For example, MailGuard controls access to Simple Mail Transfer Protocol (SMTP) servers and limits the commands that can be sent to those defined in RFC 2821 (http://tools.ietf.org/html/rfc2821). URL filtering is also possible with data payload modification.

Application inspection engines work with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses, and to update any checksum or other fields that are affected by the translation.

Each application inspection engine also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or User Datagram Protocol (UDP) ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection engine monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.

The figure shows the Catalyst 6500 Series FWSM inspection engine capabilities.

Additional capabilities that are not mentioned in the figure also include these:
- Specific applications:
  - Microsoft Windows Messenger
  - Microsoft NetMeeting
  - RealPlayer
  - Cisco IP phones
  - Cisco Communicator Softphones
- Security services, which include Point-to-Point Tunneling Protocol (PPTP)

Inspection engines related to the data center environments are listed in the table.

Inspection Engines Related to the Data Center Environments

Inspection Engine: Advanced HTTP Inspection Engine
Description: Helps protect from web-based attacks and other types of port 80 misuse.

Inspection Engine: Enhanced FTP Inspection Engine
Description: Provides command filtering for more than ten different FTP commands.

Inspection Engine: Extended SMTP Inspection Engine
Description: Provides support for Extended SMTP (ESMTP) protocol and supports filtering potentially harmful commands.

Inspection Engine: Enhanced Internet Control Message Protocol (ICMP) Inspection Engine
Description: Provides state tracking of ICMP packets to enable secure usage of ping, traceroute, etc.

Inspection Engine: Sun Remote Procedure Call (SunRPC) Inspection Engine
Description: Based on implementation from FWSM 2.1 software release. Some RPC applications like Network Information Service (NIS+) use SunRPC over TCP; a new configurable option will be introduced for the SunRPC TCP inspection engine. The default port is 111. The definition of the new inspection engine in the inspection engines table allows the TCP packets matching 111 as source as well as destination ports to be processed by the SunRPC fixup.

Inspection Engine: NIS+ Inspection Engine
Description: Based on implementation from FWSM 2.1 software release, this inspection engine will inspect portmapper requests and cache the NIS+ service port number.

Configuring Deep Packet Inspection

- The inspect command replaces the earlier fixup command
- Use modular policy framework commands to configure deep packet inspection

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Enabling and applying deep packet inspection always consists of:
- A class map that identifies the traffic that the Catalyst 6500 Series FWSM submits to the inspection engine. Use the class-map command to match the desired traffic, and the match command to select the desired traffic.
- A policy map that links the class map (and thus the relevant traffic) to the inspection engine. Define a policy map with the policy-map command:
  - Use the configured class by specifying it with the class command.
  - Under the class, define which inspection engine is to be used with the inspect command. You can optionally append a previously defined map.
- A service policy that applies the policy map to one interface or to all interfaces. Apply the policy with the service-policy command.
- Optionally define maps for various protocols (HTTP, FTP, etc.) to specify protocol- or application-related parameters to fine-tune an inspection engine.

Note
Application inspection is enabled by default for many, but not all, protocols. To determine the inspection engines enabled by default, examine the default policy configuration.

Configuring Inspects for Deep Packet Inspection

- Inspections are performed by configurable inspection engines
- Seven inspection engines are not configurable:
  - CUSeeMe
  - NetBIOS Nameserver
  - Oraserv
  - RealAudio
  - Sun RPC over UDP
  - TFTP
  - XDMCP
- Only the first IP fragment is inspected
- TCP packets cannot span segments
- NAT/PAT variations are limited with some engines
- Performs 4000 DNS inspections per second

Inspects are performed by inspection engines. Seven of these inspection engines are not configurable, but are enabled by default. 27 inspection engines are individually configurable. Configurable engines can be enabled or disabled. The ports monitored by the inspection engine are also configured.

Inspection engines have several limitations, including:
- The first IP fragment is the only fragment of a packet that can be inspected.
- TCP packets to be inspected must be contained in a single TCP segment.
- Some inspection engines have limits on the NAT and PAT functions that they support.
- The Domain Name System (DNS) inspection engine is limited to 4000 fixups per second.

FTP Inspection

[Figure: FTP inspection topology with the Internet]

ftp-map ftp-in
 request-command deny appe cdup
!
policy-map global_policy
 class inspection_default
  inspect ftp strict ftp-in

The example shows strict FTP inspect with an FTP map configured.

When FTP is tunneled over HTTP, strict inspection prevents web browsers from sending embedded commands. It will also contain the basic FTP inspection.

If an FTP request contains a command that is not RFC compliant, the connection will be closed and a syslog message will be generated.

If an FTP request includes FTP commands disallowed by an FTP map, the connection will be closed and a syslog message will be generated.

Note
Since the inspect was configured under the global policy, it does not have to be specifically appended to the interface. Using the default inspection class does not require configuring a special inspection class.

HTTP Inspection

[Figure: HTTP inspection topology]

http-map inbound-http
 content-length min 100 max 200 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 100 action reset log
 max-uri-length 1 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow
!
class-map http-port
 match port tcp eq www
!
policy-map outside-policy
 class http-port
  inspect http inbound-http
!
service-policy outside-policy interface outside

The example shows HTTP inspect with an HTTP map configured. These steps have to be completed:

Step 1 Create an HTTP map to define parameters for HTTP inspect.
Step 2 Create a class map for HTTP inspection.
Step 3 Create a policy map for HTTP inspection.
Step 4 Create a service policy to define the scope of inspection.
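The modular policy framework components, the FTP map and the four HTTP inspection steps above, combined into one configuration that keeps the default global policy in place. This is an added example, not from the course material; the map names, the size limits and the decision to scope HTTP inspection to the outside interface only are assumptions.

```cisco
! FTP map: deny APPE (append) and CDUP. With "strict", commands that are not
! RFC-compliant also close the connection and generate a syslog message.
ftp-map ftp-in
 request-command deny appe cdup
!
! HTTP map (limits are assumed values): bound body, header and URI sizes,
! require the Content-Type header to match the body in both directions, and
! drop P2P and IM traffic tunnelled over port 80. Anything else on port 80
! that the engine does not classify as misuse is still allowed.
http-map inbound-http
 content-length min 100 max 2000 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 1000 action reset log
 max-uri-length 1000 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow
!
! Strict FTP inspection goes into the default class of the default global
! policy, so it applies on every interface without a new class-map
policy-map global_policy
 class inspection_default
  inspect ftp strict ftp-in
!
! HTTP inspection is scoped: a dedicated class matches TCP/80 and the policy
! is bound to the outside interface only, so inside-to-inside web traffic
! is not inspected by this map
class-map http-port
 match port tcp eq www
policy-map outside-policy
 class http-port
  inspect http inbound-http
!
service-policy global_policy global
service-policy outside-policy interface outside
```

Check the result with show service-policy: the outside interface should list the http-port class with the inspect http counters, and the global policy should show ftp with the strict map.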

show Commands

- Verify deep packet inspection configuration with these commands:
  - show running-config http-map
  - show running-config ftp-map
  - show running-config class-map
  - show running-config policy-map
  - show running-config service-policy
- Verify deep packet inspection operation with the show service-policy command

fwsm/admin# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      ... output omitted ...

To examine the deep packet inspection configuration, use these commands:
- show running-config http-map
- show running-config ftp-map
- show running-config class-map
- show running-config policy-map
- show running-config service-policy

To verify deep packet inspection operation, use the show service-policy command.

fwsm/admin# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

URL Filtering Overview
This topic explains the URL filtering functionality on the Catalyst 6500 Series FWSM.

URL Filtering

[Figure: a user behind the Catalyst 6500 Series FWSM, the filtering server and the Internet. 1: Request sent to filtering server and destination. 2: Allowed request is returned to user. 3: Denied request is dropped by Catalyst 6500 Series FWSM.]

Filtering can be applied to connection requests originating from a more secure network to a less secure network.

Although ACLs can be used to prevent outbound access to specific websites or FTP servers, configuring and managing web usage in this manner is not practical because of the size and dynamic nature of the Internet. The Catalyst 6500 Series FWSM can be used in conjunction with a separate server running one of the Internet filtering products:
- Websense Enterprise: Supports HTTP, HTTP over Secure Sockets Layer (HTTPS), and FTP filtering
- Secure Computing SmartFilter (formerly N2H2): Supports HTTP and long URL filtering

Although Catalyst 6500 Series FWSM performance is less affected when using an external server, users may notice longer access times to websites or FTP servers when the filtering server is remote from the FWSM.

URL Filtering Operation
When a user issues an HTTP, HTTPS, or FTP GET request, the Catalyst 6500 Series FWSM sends the request to the web or FTP server and to the filtering server at the same time. If the filtering server permits the connection for the user, these actions occur for each request type:
- For HTTP, the Catalyst 6500 Series FWSM allows the reply from the web server to reach the user who issued the original request.
- For HTTPS, the Catalyst 6500 Series FWSM allows the completion of Secure Socket Layer (SSL) connection negotiation, and allows the reply from the web server to reach the user who issued the original request.

- For FTP, the Catalyst 6500 Series FWSM allows the successful FTP return code to reach the user unchanged. For example, a successful return code is 250: CWD command successful.

If the filtering server denies the connection, these actions occur for each request type:
- For HTTP, the Catalyst 6500 Series FWSM redirects the user to a block page, indicating that access was denied.
- For HTTPS, the Catalyst 6500 Series FWSM prevents the completion of SSL connection negotiation. The browser displays an error message, such as "The Page or the content cannot be displayed."
- For FTP, the Catalyst 6500 Series FWSM alters the FTP return code to show that the connection was denied. For example, the Catalyst 6500 Series FWSM changes code 250 to code 550: Requested file is prohibited.
- For Secure Computing SmartFilter (formerly N2H2), if you enabled user authentication on the Catalyst 6500 Series FWSM for HTTP, HTTPS, or FTP, the FWSM also sends the username to the filtering server. The filtering server can then use user-specific filtering settings, or provide enhanced reporting per user. Websense supports filtering by IP address only.

Note
Filtering applies only to outbound connections.

If user authentication is enabled on the Catalyst 6500 Series FWSM, the FWSM also sends the username to the filtering server. The filtering server can use username filtering settings or provide enhanced reporting regarding usage.

Configuring URL Filtering

[Figure: the Catalyst 6500 Series FWSM, the Filtering Server at 10.0.10.45, and the Internet]

url-server (perimeter) vendor websense host 10.0.10.45
filter url http 10.0.0.0 255.0.0.0 0 0 allow
!
url-server (perimeter) vendor n2h2 host 10.0.10.45
filter url http 10.0.0.0 255.0.0.0 0 0 allow

URL filtering is configured first by identifying the filtering servers.

Configuring Websense Server

To identify a Websense Enterprise server, enter the url-server vendor websense command.

url-server (if_name) vendor websense host ip_address [timeout seconds] [protocol tcp [version {1 | 4}] | udp]

url-server vendor websense Parameters

Parameter: if_name
Description: The interface through which the FWSM communicates with the server.

Parameter: host ip_address
Description: The Websense server IP address.

Parameter: timeout seconds
Description: The number of seconds between 10 and 120 before the FWSM stops trying to connect to the server and attempts to connect to the next server in the list (if available). The default value is 30 seconds.

Parameter: protocol tcp [version {1 | 4}]
Description: Specifies that communication between the FWSM and the Websense server uses TCP, which is the default protocol. Version 4 is recommended although version 1 is the default. Version 4 allows the FWSM to send authenticated usernames to the Websense server and to support URL caching.

Parameter: protocol udp
Description: Specifies UDP, which has greater throughput, but which does not support long URLs.

Configuring Secure Computing SmartFilter

To identify an N2H2 Sentian server, enter the url-server vendor n2h2 command.

url-server vendor n2h2 Parameters

Parameter: if_name
Description: The interface through which the FWSM communicates with the server.

Parameter: host ip_address
Description: The Websense server IP address.

Parameter: port number
Description: Specifies the port used to communicate with the N2H2 server. The default is 4005 for TCP or UDP.

Parameter: timeout seconds
Description: The number of seconds between 10 and 120 before the FWSM stops trying to connect to the server and attempts to connect to the next server in the list (if available). The default value is 30 seconds.

Parameter: protocol tcp
Description: Specifies that communication between the FWSM and the Websense server uses TCP, which is the default protocol.

Parameter: protocol udp
Description: Specifies UDP, which has greater throughput, but which does not support long URLs.

Enabling Buffering

By default, when a user issues a request to connect to a website or FTP server, the Catalyst 6500 Series FWSM sends the request to the web or FTP server, and to the filtering server at the same time. If the filtering server does not respond before the web or FTP server, the reply from the web or FTP server is dropped. To avoid dropping traffic, you can configure the Catalyst 6500 Series FWSM to buffer replies from web and FTP servers. When the filtering server eventually responds, the Catalyst 6500 Series FWSM can allow the connection.

url-block block Parameters

Parameter: block_buffer_limit
Description: Sets the amount of memory assigned to the buffer from 0 to 128 blocks. Each block is 1550 bytes.

Enabling Caching

Note

Requestsforcached IP addressesare notpassedtothefilteringserverandare notIogged.


As a resul
t,this activity does notappearin any repods.

To cnablecaching.cntcrthe url-cache com mand.

url-cache 4dstIsrc dsttL'bb'


le.
%
url-cache Param eters
Param eter

Descrlptlon

dst

Configures the FW SM to cache the destinati


on serveraddress for
any userthataccesses the sen/er

src- dst

Configures the FW SM to cache the source and destinati


on server
address,so accessisonl
y cached fora given useratthe source
address.

kby-tres

Specifiesthe cache size between 1 and 128 KB,

Identifying Traffic

To identify HTTP traffic to be filtered by a filtering server, enter the filter url command.

filter url [http | port[-port]] source_ip source_mask dest_ip dest_mask [allow] [proxy-block]
           [longurl-truncate | longurl-deny] [cgi-truncate]

filter url Parameters

Parameter                         Description
http | port[-port]                Specifies the port to which the HTTP request is sent, with the
                                  http keyword specifying port 80.
source_ip source_mask             Specify the source address and mask for requests that are to be
                                  filtered. Specify 0 0 for all addresses.
dest_ip dest_mask                 Specify the destination server address and mask. Specify 0 0 for
                                  all addresses.
allow                             Configures the FWSM to allow connections to pass without
                                  filtering if the filtering server is unavailable. Connections are
                                  dropped without this option.
proxy-block                       Prevents users from connecting to an HTTP proxy server.
longurl-truncate | longurl-deny   Specify the processing for URLs that are longer than the
                                  maximum length of 1159 bytes. By default, the FWSM drops the
                                  packet if the request is a long URL. If you specify the
                                  longurl-truncate option, the FWSM sends the hostname or IP
                                  address portion of the URL for evaluation to the filtering
                                  server. The longurl-deny option denies the URL and forwards the
                                  user to the block page.
cgi-truncate                      Configures the FWSM to truncate Common Gateway Interface (CGI)
                                  URLs to include only the CGI script location and the script
                                  name, but not the parameters.

Note

The maximum length of 1159 bytes can be increased for Websense servers.

To exempt traffic from being filtered, enter the filter url except command.


url-server (perimeter) vendor websense host 10.0.10.45
filter url http 10.0.0.0 255.0.0.0 0 0 allow

url-server (perimeter) vendor n2h2 host 10.0.10.45
filter url http 10.0.0.0 255.0.0.0 0 0 allow
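As an added example that is not Cisco FWSM code, the following Python models how the filter url keywords described above decide what, if anything, is sent to the URL filtering server; the order of the checks, the verdict names and the request-line/Host inputs are assumptions of this model.

```python
"""Added example, not Cisco FWSM code: a model of how the 'filter url'
keywords decide what (if anything) is sent to the URL filtering server.
The check order, verdict names and the request-line/Host inputs are
assumptions of this model."""
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlsplit

MAX_URL_LEN = 1159   # default maximum URL length the FWSM evaluates (larger for Websense)


@dataclass
class FilterUrlOptions:
    """The optional keywords of 'filter url' as a policy object."""
    allow: bool = False          # [allow]: pass traffic when the filter server is unavailable
    proxy_block: bool = False    # [proxy-block]: refuse connections to an HTTP proxy
    longurl: str = "drop"        # default, or "truncate" / "deny" for the longurl-* keywords
    cgi_truncate: bool = False   # [cgi-truncate]: send the script path only, no parameters


def build_url(request_target: str, host: str) -> Tuple[str, bool]:
    """Rebuild the URL from the HTTP request-line target and the Host header.
    An absolute-form target ('GET http://other.example/ HTTP/1.1') is how a
    client talks to an HTTP proxy, so it flags a proxy request (assumption)."""
    if request_target.lower().startswith(("http://", "https://")):
        return request_target, True
    return f"http://{host}{request_target}", False


def prepare_lookup(request_target: str, host: str, opts: FilterUrlOptions,
                   server_reachable: bool = True) -> Tuple[str, str]:
    """Return (verdict, url), where url is what would go to the filtering server.

    verdict: 'lookup'      ask the filtering server about url
             'allow'       server unavailable and [allow] set: connection passes unfiltered
             'drop'        packet dropped: server unavailable without [allow],
                           or URL too long with neither longurl keyword
             'deny'        [longurl-deny]: the user is sent to the block page
             'proxy-block' [proxy-block]: connection to an HTTP proxy refused
    """
    url, is_proxy = build_url(request_target, host)
    if is_proxy and opts.proxy_block:
        return "proxy-block", url
    if not server_reachable:
        return ("allow" if opts.allow else "drop"), url
    if len(url) > MAX_URL_LEN:
        if opts.longurl == "truncate":
            parts = urlsplit(url)
            # only the hostname or IP address portion is evaluated
            return "lookup", f"{parts.scheme}://{parts.netloc}"
        if opts.longurl == "deny":
            return "deny", url
        return "drop", url
    if opts.cgi_truncate and "?" in url:
        # keep the CGI script location and name, discard the parameters
        return "lookup", url.split("?", 1)[0]
    return "lookup", url


if __name__ == "__main__":
    # Constructed requests evaluated against an assumed policy
    policy = FilterUrlOptions(allow=True, cgi_truncate=True, longurl="truncate")
    for target in ("/index.html", "/cgi-bin/search.cgi?q=nam&lang=en", "/a" + "x" * 1200):
        print(prepare_lookup(target, "www.example.com", policy))
```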


Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* Deep packet inspection examines and modifies application data payload.
* Deep packet inspection fixes applications broken by the Cisco Catalyst 6500 Series FWSM.
* URL filtering is used in combination with an external server.
* Traffic from blacklisted URLs is denied by the Catalyst 6500 Series FWSM.


Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary

* The Cisco Catalyst 6500 Series FWSM analyzes and modifies fields in the IP, UDP, and TCP
  headers, using stateful packet filtering to control traffic between two or more networks.
* VLANs are used to connect the Catalyst 6500 Series FWSM to the network in either routed or
  transparent mode.
* The Catalyst 6500 Series FWSM uses TCP connection management, NAT policies, and deep
  packet inspection to detect and mitigate attacks.
* The Catalyst 6500 Series FWSM supports multiple security contexts to implement virtual
  firewalls and provide centralized services under distributed control.
* The Catalyst 6500 Series FWSM supports both active-standby and stateful active-active
  failover, in either intra-chassis or inter-chassis configurations.


Module Self-check

Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-check Answer Key.

Q1) How many Catalyst 6500 Series FWSM modules are supported in a Cisco Catalyst
    6509 switch chassis? (Source: Implementing Traffic Flows)
    A) 2
    B) 4
    C) 7
    D) 8

Q2) Which statement is true regarding Catalyst 6500 Series FWSM transparent mode?
    (Source: Implementing Traffic Flows)
    A) Each interface has a unique IP address.
    B) Only one VLAN is required per context.
    C) Transparent mode firewalls pass only routed traffic.
    D) Transparent mode firewalls pass multicast traffic.

Q3) In what order does the Catalyst 6500 Series FWSM match real addresses to NAT
    commands? (Source: Implementing Traffic Flows)
    A) Static NAT and PAT, policy dynamic NAT, regular dynamic NAT, NAT exemption
    B) NAT exemption, static NAT and PAT, policy dynamic NAT, regular dynamic NAT
    C) Policy dynamic NAT, regular dynamic NAT, static NAT and PAT, NAT exemption
    D) NAT exemption, policy dynamic NAT, regular dynamic NAT, static NAT and PAT

Q4) What feature prevents malicious users from impersonating hosts or routers? (Source:
    Implementing ACLs)
    A) ARP inspection
    B) Ethertype ACLs
    C) Extended ACLs
    D) NAT exemption

Q5) What has to be configured prior to enabling the SSH remote access to the Catalyst 6500
    Series FWSM? (Source: Implementing Management Access)
    A) AAA server
    B) RSA key
    C) Router operational mode
    D) Admin context

Q6) Which routing protocols does the Catalyst 6500 Series FWSM actively participate in?
    (Source: Implementing Routing)
    A) BGP and RIP
    B) EIGRP and BGP
    C) OSPF and RIP
    D) OSPF and EIGRP

Q7) [question text not present in the source]
    A) Deep packet inspection
    B) Dynamic PAT
    C) SYN cookies
    D) URL filtering

Q8) [question text not present in the source]
    A) Destination VLAN and destination IP address
    B) Destination VLAN and source IP address
    C) Source VLAN and destination IP address
    D) Source VLAN and source IP address

Module Self-check Answer Key


B

()
'
D


Module 3

Implementing Network Analysis with Cisco NAM

Overview

Module Objectives

Lesson 1

Introducing Cisco NAM

Overview

Objectives

Network Traffic Monitoring Overview

This topic describes network traffic monitoring, the motive, and the benefits.

Importance of Monitoring Traffic

Challenges:
* Ensure traffic flow and optimum performance from one point to another
* Receive information before an outage or service degradation
* Understand the cause for slow network, traffic, or application

Benefits:
* Ease deployment of new technologies
* Improve utilization of network resources
* Efficient planning for network growth
* Reduce network downtime and failures
* Gain facts to justify expenditures and ROI
* Proactive monitoring

Challenges
Network administrators and corporate executives understand that managing the network is
important and vital to business operations. It is simply not enough to know if a device is down
or the network is slow. You need to be proactive by monitoring the devices and the network
and watching for trends or deviations from an established baseline.

When there is a network problem, you must have the right information to make decisions to
resolve the problem quickly. You can obtain this information only by monitoring the
application traffic and knowing who is generating the traffic and where the traffic is going. If
more bandwidth is warranted, recommendations need to be justified. Network monitoring can
provide the cost justification. Visibility into the performance of networks, and the systems and
applications that run on them, is essential. By gaining visibility into the network, you can
proactively resolve problems, plan for changes in resource usage, and manage valuable network
resources.

Benefits
Cisco makes managing the network easy by providing visibility into the network and building
intelligence into the devices.

Can networks run without performance management? Can network engineers redesign
networks without understanding how the existing network is being used? Can new applications
be deployed over existing networks without understanding the impact of the application traffic
on the performance of the application or the performance of other existing applications? By
leveraging performance data, you can perform tasks more efficiently and effectively.



Monitoring networks helps you to maximize investments in the following ways:
* Improve utilization of network resources
* Facilitate deployment of new technologies, such as voice, quality of service (QoS), and
  Multiprotocol Label Switching (MPLS)
* Enable efficient planning for future network growth
* Reduce network downtime and failures


Network Performance Management

[Figure: campus, WAN, branch, and data center (server farm) topology. Various data collection
sources: device interfaces; spanned traffic from ports and VLANs; NetFlow data exports.
Collection purposes: application response times; bandwidth usage; troubleshooting.]

Data can be gathered and analyzed from various data sources:

* Router and switch interfaces
* Traffic spanned or forwarded from ports and VLANs
* NetFlow Data Exports (NDEs)
* Packet headers (DiffServ and Type of Service [ToS] bits)
* Network-Based Application Recognition (NBAR)

Port-level or interface statistics may be the first alarm when issues arise. These statistics are
available most of the time by simply querying the router or switch. It may only be necessary to
monitor these statistics at critical points in the network and not at all access points.

Collecting statistics at upper-layer protocols (network through application) would require the
use of NetFlow or a Remote Monitoring version 2 (RMON2) probe or analyzer, such as Cisco
NAM. NetFlow and Cisco NAM can provide visibility into what (applications, hosts,
conversations) is using valuable WAN or LAN resources at the core or distribution layers and
at the WAN edge or access layer.

To gather information about the traffic traversing the network, the packets need to be analyzed.
Packets on an interface or NetFlow statistics can be copied, spanned, or forwarded from other
devices or interfaces. The information in the packet headers can provide a wealth of
information on how the network is being used. (How this occurs is discussed later in this
lesson.)

But the traffic cannot be analyzed if it is not seen. Therefore, where you gather the data and
why you are gathering the data should be a big part of Cisco NAM deployment planning.
The location of where you gather the data depends on your collection purpose:

* Application response times (server farm)
* Bandwidth usage
* Troubleshooting

What Data to Collect

* Port-level statistics: utilization, collisions, and fragments:
  - Basic physical statistics are good for usage trending and baselining
  - Useful anywhere in the network
  - Not necessary for all user ports
* Detailed physical-, network-, and application-layer data:
  - Collect Layer 2-7 statistics for understanding traffic breakdown
  - Valuable for WAN aggregation links
  - Valuable for LAN aggregation links (building-to-building, distribution-to-core,
    server farm-to-core)
* What collection intervals?
  - Shorter intervals for real-time monitoring and troubleshooting (5-30 seconds)
  - Longer intervals for historical trending (5-15 minutes)

Network Performance Metrics

Response Time
* Time elapsed between the end of a query on one end of a conversation pair and the
  beginning of a response from the other end of a pair
* Latency, a function of response time, is any characteristic of a network or system that
  increases the response time

Reliability
* A measurement of the consistency of performance of any network, system, or application,
  according to its specifications

Device or Interface Utilization
* The amount of data moved successfully from one place to another in a given time with a
  specified amount of bandwidth

Network Utilization Patterns
* How the network is being used, including protocols and users, and how the patterns are
  changing

Measuring the health of a network is typically done with business performance metrics, such as
the following:
* Response time: The elapsed time between the end of a query on one end of a conversation
  pair and the beginning of a response from the other end of a pair. Latency is any
  characteristic of a network or system that increases the response time.
* Reliability: A measurement of the consistency of any network, system, or application in
  performing according to its specifications.
* Utilization: The percentage of total bandwidth used for transporting data. Utilization is
  often monitored on an ongoing basis to evaluate usage of the network over time for
  capacity-planning purposes.
These metrics can be used to evaluate how well network, system, and application resources are
performing and how these resources affect the delivery of network services, both for present
analysis and future planning.


Deploying Monitoring per Purpose

[Figure: NAM deployment dependent on monitoring purposes. Branch, campus, WAN edge, and
data center locations are mapped to: historical reporting (statistics over time); real-time
traffic visualization (utilization, top talkers, conversations, errors, protocols); fault
isolation and troubleshooting (thresholds, alarms, packet decode); performance monitoring
(response times, health, VoIP, QoS).]

* Troubleshooting: Determining the cause of network issues can be aided by the use of
  packet captures or packet decodes, or by setting threshold conditions on statistics collected
  and alarming on the conditions when a threshold is reached.
* Performance analytics: Evaluating the experience of the end user with using the network
  can empower your organization to be more proactive in responding to application response
  times or voice or video quality issues. Also, monitoring the traffic per differentiated
  services code point (DSCP) values can help with fine-tuning QoS settings.


The Big Picture Defined

Interface Statistics
* Interfaces store performance statistics on the traffic received and sent:
  - Statistics over time
  - Can be obtained via SNMP
  - Can trigger an event upon threshold reached
* Typical interface statistics include:
  - Utilization
  - Packets in and out
  - Bytes in and out
  - Multicast packets in and out
  - Errors

The Cisco Catalyst 6500 Series Switches collect statistics on the amount of traffic or number of
errors on each of its interfaces. These statistics are stored in a MIB in the device and can be
retrieved by applications using SNMP.

Most devices also support mini-Remote Monitoring (mini-RMON) statistics, which supplies
more than just these interface statistics. It also provides these statistics and features:
* Host statistics: Byte and packet counts to and from a host (by MAC address at the data-link
  layer, network address at the network layer, and network address at the application layer).
* Conversation statistics: Byte and packet counts from one host to another (by MAC
  address at the data-link layer, network address at the network layer, and network address at
  the application layer).
* Thresholds and alarms: RMON can set up thresholds to look for various conditions (for
  example, link utilization greater than 70 percent for 60 seconds) and inform a management
  station with an SNMP trap when the condition occurs.


SNMP MIBs

* MIB:
  - Variables defining device status (e.g., temperature = 85 degrees)
  - Just facts, not whether it is good or bad
  - Defined according to SMI rules
  - A managed object is described using a unique OID
* MIB I and MIB II:
  - Standard MIB for devices
* MIB extensions:
  - VLAN statistics, VoIP, SMON, DSMON MIBs
  - RMON I and II MIBs
  - Vendor-specific, Cisco MIB
  - ART MIB

[Figure: MIB tree (system ID and description, interfaces, traffic counts, error counts) with
the RMON I, RMON II, and ART MIB extensions.]

RMON MIB Contents
* RMON I (statistics on Layers 1 and 2):
  - Traffic rates, errors, and packet size distribution
  - Short- and long-term history of statistics over time
  - Threshold conditions set on statistics
  - Event for reaching thresholds (alarms)
  - Hosts and conversations
  - Packet filters and captures
* RMON II (statistics on Layers 3 through 7):
  - Master list of protocols seen on data source
  - Statistics on these protocols
  - Hosts and conversations (network and application layers)

[Figure: the RMON I and RMON II standard MIB subtrees.]
The figure shows the contents of the RMON MIB. The RMON MIB is a standard MIB
included as a subtree off the MIB2 subtree.
RMON, in brief, collects the following:
* Basic layer statistics: Line utilization, packets, and errors, and protocol utilization and
  packets
* Host statistics: Byte and packet counts to and from a host by MAC address at Layer 2,
  network address at Layer 3, and network address at the application layer
* Conversation statistics: Byte and packet counts from one host to another by MAC address
  at Layer 2, network address at Layer 3, and network address at the application layer
* Packet capture: To capture a subset of network traffic for detailed protocol analysis
* Thresholds and alarms: To set up thresholds to look for various conditions, such as
  exceeding a specified byte rate or packet rate, and to inform a management station with an
  SNMP trap when the condition occurs

Due to the large number of statistics gathered per interface, most RMON implementations are
in standalone network devices, often called RMON analyzers, such as the Network Analysis
Module (NAM). The exception to this is the use of a small subset of RMON implemented on a
switch to collect basic data-link layer statistics and a brief history of these statistics, and to be
able to set thresholds against the statistics, all on a per-port basis. This subset of RMON is
known as mini-RMON (statistics, history, alarms, and events).

RMON II offers extensions to the RMON I standard by providing statistics beyond the data-link
layer. Statistics are available on the network layer through the application layer. Basically,
RMON II looks deeper into every packet it analyzes to detail which network layer addresses are
consuming the most bandwidth, which network layer addresses are talking to each other, and
which applications, identified by port numbers, are consuming bandwidth.
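The utilization metric and the threshold-and-alarm behaviour described for mini-RMON in the Interface Statistics topic and in the RMON list above, as an added example in Python that is not switch or NAM code; the ifInOctets samples, the link speed and the thresholds are constructed, and the alarm hysteresis follows the RMON alarm group in simplified form.

```python
"""Added example, not switch or NAM code: mini-RMON style utilization
sampling with rising/falling threshold alarms, run over constructed
ifInOctets polls.  Link speed, poll interval and sample values are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32_WRAP = 2 ** 32          # SNMP Counter32 objects such as ifInOctets wrap at 2^32


def counter_delta(previous: int, current: int) -> int:
    """Octets seen between two Counter32 polls, correct across one wrap."""
    return (current - previous) % COUNTER32_WRAP


def utilization_pct(octets: int, seconds: float, if_speed_bps: int) -> float:
    """Share of the link capacity used during the interval, in percent."""
    return 100.0 * octets * 8 / (seconds * if_speed_bps)


@dataclass
class RmonAlarm:
    """Rising/falling threshold pair with RMON alarm-group hysteresis
    (RFC 2819 alarmTable, simplified): after a rising event no further rising
    event fires until the value has dropped to the falling threshold, and vice
    versa.  Starts armed for a rising event only (alarmStartupAlarm = risingAlarm),
    so a low first sample does not raise a spurious falling event."""
    rising: float
    falling: float
    armed_rising: bool = True
    armed_falling: bool = False
    events: List[Tuple[int, str, float]] = field(default_factory=list)

    def sample(self, value: float, when: int) -> Optional[str]:
        event = None
        if value >= self.rising and self.armed_rising:
            event = "rising"
            self.armed_rising, self.armed_falling = False, True
        elif value <= self.falling and self.armed_falling:
            event = "falling"
            self.armed_rising, self.armed_falling = True, False
        if event:
            # In RMON the event group would now send the SNMP trap or log entry.
            self.events.append((when, event, round(value, 1)))
        return event


def run_alarm(samples, if_speed_bps, rising=70.0, falling=30.0):
    """Turn (seconds, ifInOctets) polls into a list of (time, event, utilization%)."""
    alarm = RmonAlarm(rising, falling)
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        util = utilization_pct(counter_delta(c0, c1), t1 - t0, if_speed_bps)
        alarm.sample(util, t1)
    return alarm.events


# Constructed 10-second polls of ifInOctets on a 100 Mb/s port; the counter
# wraps between the first two polls so the wrap handling is exercised.
IF_SPEED = 100_000_000
SAMPLES = [
    (0, 2 ** 32 - 5_000_000),
    (10, 5_000_000),        # +10 MB  ->  8 %
    (20, 100_000_000),      # +95 MB  -> 76 %  rising event
    (30, 200_000_000),      # +100 MB -> 80 %  still high, no second event
    (40, 240_000_000),      # +40 MB  -> 32 %  above the falling threshold
    (50, 250_000_000),      # +10 MB  ->  8 %  falling event
    (60, 340_000_000),      # +90 MB  -> 72 %  re-armed: rising event again
]

if __name__ == "__main__":
    for when, event, util in run_alarm(SAMPLES, IF_SPEED):
        print(f"t={when:>3}s {event:<7} utilization {util}%")
```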


NetFlow Statistics
* NetFlow is used to analyze packets sent through a NetFlow-enabled device
* Inspects the packet and stores statistics per flow
* Flow is determined by the protocol and conversation information
* Statistics can be exported via NDE to collectors
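The NDE export format and the per-flow statistics a collector keeps, as an added Python example that is not Cisco NAM code: it parses a NetFlow version 5 export datagram (one of the NDE versions listed later for the NAM) and derives the per-application and per-conversation byte counts; the export datagram is constructed inline.

```python
"""Added example (not Cisco NAM code): parse a NetFlow version 5 export
datagram and derive the per-application and per-conversation statistics a
collector keeps.  The datagram is constructed inline; field layout follows
the NetFlow v5 export format."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from typing import List, NamedTuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte flow record
MAX_RECORDS = 30                                         # v5 packs at most 30 flows


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int      # IP protocol: 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    octets: int


def parse_v5(datagram: bytes) -> List[Flow]:
    """Decode header and flow records; reject anything that is not a sane v5 export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5 or count > MAX_RECORDS:
        raise ValueError(f"not a NetFlow v5 export (version={version}, count={count})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than the header claims")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, packets, octets, _first, _last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(str(IPv4Address(src)), str(IPv4Address(dst)),
                          proto, sport, dport, packets, octets))
    return flows


def bytes_per_application(flows):
    """Octets keyed by (protocol, destination port): the 'application' view."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.proto, f.dport)] += f.octets
    return dict(totals)


def top_conversations(flows, n=3):
    """Busiest (source, destination) host pairs by octets: the 'conversation' view."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.octets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_v5_datagram(records, uptime_ms=600_000, unix_secs=1_200_000_000):
    """Assemble a v5 export the way an NDE-enabled device would (constructed data)."""
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("0.0.0.0").packed, 1, 2, pkts, octs,
                       uptime_ms - 5000, uptime_ms, sport, dport, 0, 0x18, proto, 0,
                       0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octs in records)
    return header + body


# Constructed sample: three web clients and one SIP stream in a server-farm VLAN.
SAMPLE_EXPORT = build_v5_datagram([
    ("10.1.1.10", "10.2.2.20", 6, 40000, 80, 100, 150_000),
    ("10.1.1.11", "10.2.2.20", 6, 40001, 80, 50, 60_000),
    ("10.1.1.10", "10.2.2.21", 17, 5060, 5060, 300, 90_000),
    ("10.1.1.12", "10.2.2.20", 6, 40002, 443, 20, 30_000),
])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_EXPORT)
    for key, octets in sorted(bytes_per_application(flows).items()):
        print(f"proto {key[0]:>2} port {key[1]:>5}: {octets:>8} octets")
    for pair, octets in top_conversations(flows):
        print(f"{pair[0]} -> {pair[1]}: {octets} octets")
```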

Cisco NAM Service Module

This topic describes the Cisco Catalyst 6500 Series Switch NAM service modules.

Cisco NAM Service Module Overview

Flow Monitoring Analytics
* Baseline metrics to measure business impact
* Monitors ongoing operations
* Processes NetFlow information to gain insight into traffic from both local and remote
  switches

Application Response Time
* Measures application transaction times
* Pinpoints problems to the network or the application
* Offers critical insight into application behavior

Voice Quality
* Discovers active calls
* Provides insight into both VoIP signaling and traffic
* Assesses VoIP performance levels

Troubleshooting
* Comprehensive packet capture capabilities to pinpoint and resolve problems
* Trigger-based captures
* Remote storage and analysis
* Intelligent filters and decodes

With Cisco NAM, Cisco offers a solution that provides end-to-end network visibility while also
addressing many of the network and performance monitoring issues that have been raised.
By analyzing the traffic forwarded to it, Cisco NAM can analyze the source of the traffic, its
destination, the protocol, and the amount of traffic per host, per conversation, and per
application. The table categorizes the capabilities of Cisco NAM. Here are some common
applications for Cisco NAM and related features to support these monitoring applications.

Flow monitoring analytics:
* Delivers baseline metrics to measure business impact and monitor ongoing operations
* Processes NetFlow information to gain insight into traffic from both local and remote
  routers and switches

Application response time:
* Measures application transaction times
* Pinpoints problems to the network or the application
* Offers critical insight into application behavior

Voice quality:
* Discovers active calls
* Provides insight into both VoIP signaling and traffic
* Assesses VoIP performance levels


NAM-1 and NAM-2 Modules
* Embedded service modules
* Provide dedicated hardware to deliver advanced performance analytics and end-to-end
  visibility
* Different performance monitoring levels
* Embedded traffic analyzer software
* Web interface access (HTTP and HTTPS)

[Figure: the NAM-1 and NAM-2 service modules.]

Cisco NAM-1 and NAM-2 are embedded service modules that provide dedicated hardware to
deliver advanced performance analytics and end-to-end visibility.

Cisco has developed a second generation of NAMs for Cisco Catalyst 6500 Series Switches
and Cisco 7600 Series routers. The second-generation Cisco NAMs are integrated and powerful
traffic-monitoring services modules that occupy a single slot in the chassis and enable you to
gain application-level visibility into network traffic to improve performance, reduce
failures, and maximize returns on network investments.
The Cisco NAMs are available in two hardware versions, NAM-1 and NAM-2, and offer high-
performance monitoring and crossbar (fabric) connectivity to meet diverse network-analysis
needs in scalable switching and routing environments running at gigabit speeds. Included with
the Cisco NAMs is an embedded, web-based Traffic Analyzer, which provides full-scale
remote monitoring and troubleshooting that is accessible through a web browser.

The Cisco NAMs provide visibility into all layers of network traffic by using RMON II and
other advanced MIBs. Cisco NAM accesses the built-in remote monitoring (mini-RMON)
features of the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series routers to provide
port-level traffic statistics at the MAC or data-link layer. Cisco NAM also delivers the
intelligence required to analyze traffic flows for applications, hosts, conversations, and
network-based services, such as QoS and VoIP.


Cisco NAM Hardware Specification

                                NAM-1                       NAM-2
Fabric and Bus Support          Yes                         Yes
Processor                       Dual                        Dual + Accelerator
RAM                             512 MB                      1 GB
Hard Disk                       20 GB                       120 GB
Capture Buffer                  125 MB                      300 MB
Performance                     Sub-gigabit                 Gigabit
Monitoring Applications         Fast Ethernet,              High capacity GE
                                Low capacity GE
Number of SPAN and VACL         1                           2
Sessions
Number of NetFlow Sessions      1                           (not legible in source)
Deployment Scenarios            Distribution, Access        Server Farm / Data Center,
                                                            Small Core / Distribution,
                                                            Branch Office, WAN Edge

The following topologies and data sources are supported:

* LAN: SPAN, Remote Switched Port Analyzer (RSPAN), VACL-based captures, NetFlow
  (versions 1, 5, 6, 7, 8, and 9)
* WAN: NetFlow (versions 1, 5, 6, 7, 8, and 9) from local and remote devices, VACL-based
  captures for FlexWAN and Optical Services Module (OSM) interfaces (Cisco IOS
  Software only)


Internal Communication

[Figure: data flow inside Cisco NAM. A web browser reaches the NAM web server over HTTP or
HTTPS; NDE sources and ERSPAN feed the monitor interface for NDE; data from spanned or VACL
sources feeds the RMON process; a poll process collects from the switch. Note: The NAM-2 can
support two simultaneous SPAN and VACL sessions.]

The figure shows how data flows through the various processes in Cisco NAM.

'

Em bedded Traffic A nalyzerSoftw are


. Configuration ofthe Cisco
NAM :
..

..

* LL::-'

L-!..''
-t-

-.
x-

,
y.%
,c
=-==
.
i.
:
r
kF
F.
''i.
'r
' .m.
-.

setupnetworkparameters
j
l
k
j
a72
7
u,
i.j
Sel
ec
ionoftrafficto
I:EE
r:jk...=
moni
tt
or
-.
.

j
jjjj
,
a
g
j
*121:
-

.I

Tm es ofstatisticsto
gather
w Real-tim e and historical
reports
. Performance analytics
-

@
g
:j
jj
.
jj
'.
.

.j

E@1
:.
E1

Reports:
. VLANandswp
tchportmonl
toring
Appficatlon.hosts.and conversatlon
monit
orf
ng
swi
tchheal
thmoni
toring
QoS(D,
ffSe>)monl
toring
Reat-tlme NetFlow monitoring

* Troubleshooting

Appli
cationresponsetlmemoni
tori
ng
volp and video monitoring
URLmonitoring
Packelc-apture anddecode
Hlstorfcaltrend reportpng

Tlpe figurcshowsthcTraffic Analyzcrsoftwarc thatiselnbeddcd in theCisco Catalyst6500


SeriesSwitchand Cisco 7600 SericsrouterNAM Sand acccssiblc with HTTP and HTTPS from
a web browscr.Thc Traftic Analyzersoftware notonly allow sthe uscrto configureCisco
NAM fbrm onitoring,butalso providesm any real-tim cand historicalreportson LAN and
W AN traflic and nctwork-bascd serviccs.
The Traffic Allalyzcrsoftware isembedded in the NAM -1and NAM -2 and accessibleusing
HTTP/S from a wcb browser.TlleTraffic Analyzersoftwarenotonly allowstheuserto
contigtlre Cisco NAM formonitoring,butalso m onitorstraftic forvariousnetwork usagc
sittlationsalpd providesmany reportson how the nctwork isbeing used.
. Use Cisco N AM forreal-tim eorIivc network monitoring and analysisofthcintcrfaceson

the hosting switch (application protocols,hosts.and conversation usagc)and ovcrallhcalth


(CPU.rrlemofy).
* UseCisco N AM forllistoricalreporting and trending ofthese statistics.
w Use C'isco NAM foranalyzing theperforlnance ofapplications from thc perspectivcofthc
tlser(application rcsponsctimc.voiccquality monitoring, URL hits.and so on)
w Also.usc Cisco NAM forproaclivetroublcshooting by triggcring alannsbased on detined
conditionsortriggering packetcapturcsto gathcrm ore cvidcnce.
Note

The TrafficAnalyzerisem bedded in Cisco NAM software 2.2,and Ialer.Access to the


Traffic Anal
yzeri
s through a web interface. The web inte#ace requires MicrosoftInternet

Explorer6.0 (minimum)orNetscape 7.0 (minimum).and supportsboth Engli


sh and
Japanese versions ofthe browsers.
Note

3-22

Forenhanced securi
ty, theTraffi
cAnalyzersupporlsSecure SonkelsLayer(SSL)securily
with up to 168-bitencryption and offers role-based userauthorization and authentication
locall
y orusing TACACS+.

Implementi
ngCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.0

@ 2008 Ci
sco Systems. lnc.

Note

The Traffic Analyzersuppods Cisco NAM-I and NAM-2 and does notsuppod the first-

generati
on NAM Italso suppodsthe Cisco branch routersseri
es NAM (NM-NAM)(not
coveredin thiscourse).
Note

(D 2008Ci
scoSystems,lnc.

Ttle Traffic Analyzerissuppoded with Cisco lO S Software ReTease 12.1(13)E (minimum)or


CiscoCatatystoperatingsystem Release 7.3(1)(minimum)onthe Cisco Catalyst6500
Seri
esSwitchsupem isorengines.

lmplementing Network Analysiswith Ctsco NAM

3-23

Live Network Monitoring: Port Statistics

[Figure: NAM Traffic Analyzer port statistics screen. View traffic and error statistics for all
interfaces; select an interface and drill down in the interface to obtain more details.
Port-level statistics include utilization, packets, errors, and collisions. Can also monitor
selected ports for applications, hosts, and conversations.]

Switch monitoring and reporting is available for every port on the Cisco Catalyst switch
regardless of the NAM configuration. In other words, switch port monitoring is always
available because it is the very foundation of performance monitoring and troubleshooting.
The Monitor > Switch tab provides statistics on the hosting switch. The Port Stats > Current
Rates table allows you to view the data collected for the switch. The information displayed
represents the data collected per second over the last time interval. On Cisco NAM, the mini-
RMON statistics pulled from the host switch provide utilization and error statistics for each
active port.

Using port statistics, you can gather important information about the switch performance as
well as utilization patterns. Switch port statistics include packet and byte counts as well as port
utilization. Switch port statistics also include error statistics, such as cyclic redundancy check
(CRC) and alignment errors, oversized and undersized frames, fragments, jabbers, and
collisions. They also provide information on broadcast and multicast activity. You can
configure Cisco NAM to notify you when any of these values exceeds thresholds you have
defined for them.
Cisco NAM gathers these statistics from the mini-RMON agent in the Cisco Catalyst switch.
No overhead is added by collecting the statistics, and you can use the statistics even when you
configure other data sources for Cisco NAM, such as VLANs or Cisco EtherChannel tunnels. If
you want more information than the mini-RMON statistics provide, such as network layer host,
conversation pair data, or application protocol data, you can copy traffic from any combination
of ports on the switch to Cisco NAM to provide more insight. You can configure a switch to
copy or mirror port or VLAN traffic and send it to a SPAN port for further analysis. This
procedure is called spanning.

Selecting a port and clicking Details provides information about the selected port and also
presents a packet size distribution value.

Live Network Monitoring: Port Drill-Down

* Drill down to view packet size distribution for a selected port

[Figure: NAM Traffic Analyzer port details screen with packet size distribution.]

Live Network Monitoring: Application and Protocol Monitoring

[Figure: NAM Traffic Analyzer protocol distribution, conversation pair statistics, and
detailed host and conversation statistics screens. Obtain visibility into the upper-layer
protocols and applications for the configured data source; drill down to the protocols and
obtain information on hosts and conversations.]

When traffic is forwarded to the NAM-1 and NAM-2 for analysis, using SPAN or exporting NetFlow statistics, Cisco NAM can provide insight into network traffic and provide statistics on TopN hosts, applications, and conversations.

When traffic is spanned to the NAM-1 and NAM-2, Cisco NAM can look inside the live packets to gather information from the packet headers. Application monitoring identifies every application that has consumed bandwidth and by how much, and detects which hosts are using which applications. Host and conversation-pair monitoring provides bandwidth consumption per host and shows you which hosts are talking to each other, along with the amount of traffic each host is generating. In addition, response times per application within each application server can be measured and reported.

When NetFlow statistics are exported to Cisco NAM, the flow statistics also provide application, host, and conversation monitoring. (Server response times are not available for NetFlow data sources.)

Monitoring applications, hosts, conversations, and server response times can help you proactively spot bottlenecks before your network suffers blows to performance and availability. It can also help you improve traffic performance, since these metrics reveal usage patterns for users as well as for router and switch interface, server, and application resources.


Live Network Monitoring: Switch Health Monitoring

[Figure: switch health monitoring screen]

Performance Analytics: ART Monitoring

[Figure: Cisco NAMs (NAM-1, NAM-2, or NM-NAM, depending on network equipment) deployed closest to the application servers and clients. A server farm and client PCs are shown, with Server Response Time and Server and Network Response Time measured between them.]

Cisco NAM provides essential information on application performance as experienced by the end user. With its new transaction-aware application response-time feature, Cisco NAM can isolate application performance problems to the network, the application, or the server. Why is this important? Having measurements that reflect the network performance that the users experience helps you to do the following:

* Quickly identify the source of performance degradation and resolve problems before users even notice
* Understand application behavior over time to support the planning for change
* Implement new network resources, apply QoS, and so on
* Deploy and verify WAN optimization services
* Understand user expectations to support the development of service levels

Cisco NAM collects response-time statistics for TCP-based client and server requests and acknowledgements to provide important latency data. This data can also be trended over time. Thus, changes in network and application usage can be correlated with fluctuations in response times to predict how changes in user populations, network resources, and WAN bandwidth management will affect application performance.
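How a probe next to the server can split a slow transaction into its network and server components, as an added example that is not Cisco NAM code or course material. The metric definitions are a simplified model of the request/acknowledgement timing the text describes, not Cisco's exact ART algorithm, and the two transaction timelines are constructed (timestamps in milliseconds).

```python
"""Derive application response-time (ART) metrics from TCP transactions
observed at a probe placed next to the server.

Added example, not Cisco NAM code or course material. The metric
definitions are a simplified model of the measurement the text describes
(client/server request and acknowledgement timing), not Cisco's exact ART
algorithm. The timelines are constructed and in milliseconds.
"""

# Each transaction is a list of (time_ms, sender, event) tuples as seen by a
# probe near the server. Two constructed transactions: one where the server
# is slow to answer, one where the client sits behind a slow WAN link.
SLOW_SERVER = [
    (0, "client", "SYN"), (1, "server", "SYN-ACK"), (41, "client", "ACK"),
    (42, "client", "REQUEST"), (190, "server", "RESPONSE-FIRST"),
    (230, "server", "RESPONSE-LAST"),
]
SLOW_NETWORK = [
    (0, "client", "SYN"), (1, "server", "SYN-ACK"), (301, "client", "ACK"),
    (302, "client", "REQUEST"), (320, "server", "RESPONSE-FIRST"),
    (330, "server", "RESPONSE-LAST"),
]


def _at(events, sender, event):
    """Timestamp of the first matching event in the transaction."""
    return next(t for t, s, e in events if s == sender and e == event)


def art_metrics(events):
    """Split one transaction into network, server and transfer components."""
    syn_ack = _at(events, "server", "SYN-ACK")
    ack = _at(events, "client", "ACK")
    request = _at(events, "client", "REQUEST")
    first = _at(events, "server", "RESPONSE-FIRST")
    last = _at(events, "server", "RESPONSE-LAST")
    return {
        # The probe is next to the server, so SYN-ACK -> ACK is one round
        # trip across the network to the client and back: pure network time.
        "network_rtt_ms": ack - syn_ack,
        # Time the server takes to start answering once the request arrived:
        # pure server/application time.
        "server_response_ms": first - request,
        "data_transfer_ms": last - first,
        "total_response_ms": last - request,
    }


def localize_delay(metrics, server_limit_ms=100, network_limit_ms=150):
    """Name the side responsible for a slow transaction (limits are constructed)."""
    slow_server = metrics["server_response_ms"] > server_limit_ms
    slow_network = metrics["network_rtt_ms"] > network_limit_ms
    if slow_server and slow_network:
        return "server and network"
    if slow_server:
        return "server"
    if slow_network:
        return "network"
    return "within limits"


def trend(transactions):
    """Average each metric over many transactions, the trending the text mentions."""
    ms = [art_metrics(t) for t in transactions]
    return {k: sum(m[k] for m in ms) / len(ms) for k in ms[0]}


if __name__ == "__main__":
    for name, tx in (("slow server", SLOW_SERVER), ("slow network", SLOW_NETWORK)):
        m = art_metrics(tx)
        print(name, m, "->", localize_delay(m))
```

In the first timeline the handshake round trip is 40 ms but the server needs 148 ms to start answering, so the delay is localized to the server; in the second the server answers in 18 ms but the round trip is 300 ms, pointing at the network. Trending the averages of many such transactions is what lets the changes in user population or WAN bandwidth mentioned above be correlated with response-time shifts.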


Performance Analytics: Differentiated Services Monitoring

* Validates planning assumptions and QoS allocations
* Detects incorrectly marked or unauthorized traffic

[Figure: DiffServ monitoring screen showing statistics grouped by DSCP]

In essence, Cisco NAM aggregates statistics by DSCP, and it also supports grouping of DSCPs into classes of service that map onto the QoS policies that you have implemented. This enables you to fully customize how Cisco NAM reports DiffServ statistics so that it matches your environment.
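The DSCP aggregation and the two slide bullets (validating QoS allocations, detecting incorrectly marked or unauthorized traffic) worked through on constructed flow records, as an added example that is not Cisco NAM code or course material. The class map, the planned bandwidth shares and the rule that only a voice subnet may send EF are assumptions standing in for the QoS policy you would map NAM's DSCP groups onto.

```python
"""Aggregate flow statistics by DSCP, map DSCPs onto classes of service,
and flag traffic whose marking does not match the QoS policy.

Added example, not Cisco NAM code or course material. The class map, the
planned shares and the voice-subnet rule are assumptions standing in for
a site's QoS policy; the flow records are constructed.
"""
import ipaddress
from collections import Counter

# Assumed policy: DSCP value -> class of service (EF, AF41, AF31, default).
CLASS_OF_SERVICE = {46: "voice", 34: "video", 26: "critical-data", 0: "best-effort"}
# Assumed planning figures: share of bytes each class was allocated, in percent.
PLANNED_SHARE_PCT = {"voice": 15, "video": 20, "critical-data": 25, "best-effort": 40}
# Assumed policy: only phones in this subnet are allowed to send EF (DSCP 46).
VOICE_SUBNET = ipaddress.ip_network("10.10.0.0/16")

# Constructed flow records: (src, dst, proto, dport, dscp, octets)
FLOWS = [
    ("10.10.1.5", "10.10.2.9", "udp", 16384, 46, 20_000),
    ("10.10.1.6", "10.10.2.9", "udp", 16390, 46, 18_000),
    ("192.168.50.20", "10.10.2.9", "tcp", 445, 46, 900_000),   # EF from a file server
    ("172.16.3.4", "10.10.2.30", "tcp", 80, 0, 400_000),
    ("172.16.3.4", "10.10.2.31", "tcp", 1720, 34, 50_000),
    ("172.16.9.9", "10.10.2.32", "tcp", 443, 18, 7_000),        # AF21, not in the class map
]


def octets_by_dscp(flows):
    """Raw aggregation: bytes per DSCP value."""
    totals = Counter()
    for _src, _dst, _proto, _dport, dscp, octets in flows:
        totals[dscp] += octets
    return totals


def octets_by_class(flows, class_map=CLASS_OF_SERVICE):
    """Group the DSCP totals into the classes of service of the local policy."""
    totals = Counter()
    for dscp, octets in octets_by_dscp(flows).items():
        totals[class_map.get(dscp, "unclassified")] += octets
    return totals


def over_allocation(flows, planned=PLANNED_SHARE_PCT):
    """Classes whose actual share of bytes exceeds the planned allocation."""
    by_class = octets_by_class(flows)
    total = sum(by_class.values())
    actual = {cls: 100.0 * octets / total for cls, octets in by_class.items()}
    return {cls: actual[cls] for cls, limit in planned.items() if actual.get(cls, 0.0) > limit}


def misclassified_ef(flows, voice_subnet=VOICE_SUBNET):
    """EF-marked flows whose source is not an authorized voice endpoint."""
    return [f for f in flows
            if f[4] == 46 and ipaddress.ip_address(f[0]) not in voice_subnet]


if __name__ == "__main__":
    print("by DSCP:", dict(octets_by_dscp(FLOWS)))
    print("by class:", dict(octets_by_class(FLOWS)))
    print("over allocation:", over_allocation(FLOWS))
    print("EF from outside the voice subnet:", misclassified_ef(FLOWS))
```

With these records the voice class carries 67 percent of all bytes against a planned 15 percent, and almost all of it comes from one SMB flow marked EF by a host outside the voice subnet: the aggregation validates (or here, refutes) the planning assumption, and the subnet rule isolates the mismarked flow to follow up on.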


Performance Analytics: URL Monitoring

* Hits on top URL sites
* Collect URL host, path, and content
* Collect usage: packet and byte rates, host and conversation statistics
* Filtering of URL by host, path, and content

[Figure: URL collection list in the Traffic Analyzer]

Cisco NAM can also be configured to listen to HTTP traffic (TCP port 80) on a selected data source to collect URL information.

A URL, for example http://host.domain.com/intro?id=123, consists of a host part (host.domain.com), a path part (intro), and an arguments part (?id=123). The collection can be configured to collect all parts, or it can be configured to collect only some of the parts and ignore others.

When the URL statistics are collected, you can view the URL and the number of hits to it. This URL collection list, illustrated in the figure, can be filtered to look for any part of the URL: host, path, or argument.

To obtain additional statistics on the HTTP traffic, you can create a URL-based application. This allows Cisco NAM to collect application-based statistics (packets or bytes to and from), hosts, and conversations.
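The URL collection just described, as an added example that is not Cisco NAM code or course material: HTTP requests seen on TCP port 80 are split into host, path and arguments, hits are counted on whichever subset of parts the collection is configured to keep, and the resulting list is filtered by any part. The requests are constructed, and the data source is modelled as (tcp_dst_port, raw_request) pairs so that traffic on other ports is ignored.

```python
"""Collect URL hits from HTTP requests: split each URL into host, path and
arguments, count hits on a configurable subset of those parts, and filter.

Added example, not Cisco NAM code or course material. The requests are
constructed, and the monitored data source is modelled as a list of
(tcp_dst_port, raw_request) pairs so that only TCP port 80 is collected.
"""
from collections import Counter

HTTP_PORT = 80
PARTS = ("host", "path", "args")   # order of the key components

# Constructed HTTP requests seen on the data source.
REQUESTS = [
    (80, "GET /intro?id=123 HTTP/1.1\r\nHost: host.domain.com\r\n\r\n"),
    (80, "GET /intro?id=456 HTTP/1.1\r\nHost: host.domain.com\r\n\r\n"),
    (80, "GET /intro?id=123 HTTP/1.1\r\nHost: host.domain.com\r\n\r\n"),
    (80, "GET /login HTTP/1.1\r\nHost: app.example.test\r\n\r\n"),
    (80, "POST /api/v1/upload HTTP/1.1\r\nHost: app.example.test\r\n\r\n"),
    (80, "GET /intro?id=123 HTTP/1.1\r\nHost: other.domain.com\r\n\r\n"),
    (8080, "GET /intro?id=999 HTTP/1.1\r\nHost: host.domain.com\r\n\r\n"),  # not port 80
]


def parse_url_parts(raw):
    """Return the host, path and arguments parts of the request's URL.

    The path is stored without its leading slash and the arguments without
    the leading '?', matching the host/path/arguments split in the text.
    """
    lines = raw.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    path, _, args = target.partition("?")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return {"host": host, "path": path.lstrip("/"), "args": args}


def collect_url_hits(requests, parts=PARTS):
    """Count hits per URL, keyed only by the parts the collection keeps."""
    hits = Counter()
    for port, raw in requests:
        if port != HTTP_PORT:          # the collection listens on TCP port 80 only
            continue
        url = parse_url_parts(raw)
        hits[tuple(url[p] for p in parts)] += 1
    return hits


def filter_hits(hits, needle):
    """Keep entries where any collected part contains the filter string."""
    return {key: n for key, n in hits.items() if any(needle in part for part in key)}


if __name__ == "__main__":
    full = collect_url_hits(REQUESTS)
    for key, n in full.most_common():
        print(n, "hits:", "/".join(key))
    print("host+path only:", dict(collect_url_hits(REQUESTS, ("host", "path"))))
    print("filtered on 'domain':", filter_hits(full, "domain"))
```

Collecting all three parts keeps the two id values apart (two hits for id=123, one for id=456 on host.domain.com); collecting only host and path folds them into three hits for host.domain.com/intro, which is the trade-off the text describes between collecting all parts and ignoring some of them.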


Cisco NAM can be used to set thresholds and alarms on various network parameters, such as increased utilization, severe application response delays, and voice quality degradation, and to generate alerts on potential problems. When a potential problem is identified, one of the most powerful capabilities of Cisco NAM is the capability to view the contents of packets to drill down deeper into the source of a problem.

When a potential problem area is identified, the packets can be automatically captured and decoded to help resolve the problem before it affects users. Captures can be performed using a web browser from any desktop, and decodes can be viewed through the Traffic Analyzer GUI while the data is still being captured.

The capture and decode capability of NAM provides depth and insight into data analysis using trigger-based captures, filters, decodes, and a capture analysis toolset to quickly pinpoint and resolve problem areas.

Captured packets can be saved on a remote Internet Small Computer Systems Interface (iSCSI) drive or Network File System (NFS) disk to extend the data storage capability of Cisco NAM. NAM analyzes and decodes the captures stored remotely, performs system administration, and provides information on available disk space.


Historical Reporting and Trending

* Store and retrieve up to 100 days of historical data
* Report granularity: detect anomalies that would otherwise be masked over a longer reporting interval
* Live reporting by setting granularity to 1 minute
* TopN report granularity minimum is 5 minutes

[Figure: NAM Traffic Analyzer historical report screen]

The Cisco NAM offers an enhanced historical reporting capability that provides highly granular visibility (one-minute granularity) into network traffic, including individual applications and end users. Helping enable operations staff to identify issues that can disrupt business operations, the live reporting capability of Cisco NAM exposes problems that would otherwise be masked if critical report updates occurred less frequently. This information facilitates the quick identification and verification of traffic anomalies so that impending problems can be rapidly resolved.


Cisco NAM Data Sources

This topic describes Cisco NAM data sources.

Data Sources for Analysis

[Figure: NAM-embedded Traffic Analyzer fed by the Mini-RMON, NetFlow, NBAR, and MIB-II data sources]

Note: All features might not be available on all Cisco Catalyst switches and routers

It is important to manage the data sources supplying data to Cisco NAM. You must understand how Cisco NAM and its data sources are configured in order to interpret the various NAM reports. Cisco NAM makes use of multiple data sources to provide visibility into the network, including the following:

* Mini-RMON: For per-switch port Layer 2 statistics
* VACLs and Cisco Express Forwarding: To copy actual packets traversing the switch fabric and router interfaces to Cisco NAM for analysis
* MIB II: For per-router interface statistics
* NetFlow: To provide application, host, and conversation information from a number of remote and local traffic flows

In some SPAN configurations, multiple copies of the same source packet can be sent to the SPAN destination port. For example, a bidirectional (both transmit and receive) SPAN session is configured for sources a1 and a2 to a destination port d1. If a packet enters the switch through a1 and gets switched to a2, both the incoming (from a1) and the outgoing (to a2) packets are sent to destination port d1. Both packets are the same (if a Layer 3 rewrite occurs, the packets are different). Similarly, for RSPAN sessions with sources distributed in multiple switches, the destination ports might forward multiple copies of the same packet. The same is true for VLANs: if a packet is both sent and received by two ports that are part of the same VLAN, it is counted twice. To avoid counting packets twice with VLANs, the default direction for spanning VLANs is set to receive only. The two data ports available with a NAM-2 can also be used effectively to monitor the receive direction on one data port and the transmit direction on the other. Similarly, if Cisco Express Forwarding is forwarding packets from all router interfaces, then the packet is seen twice: once on the ingress interface and once on the egress interface.
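The double-counting rules above, worked through in a small model as an added example that is not Cisco IOS or Cisco NAM code: a SPAN source (port or VLAN) monitored in the rx, tx or both directions produces one copy for every source/direction the frame matches, so the a1-to-a2 example yields two copies, receive-only sources yield one, and the NAM-2 arrangement of rx copies on one data port and tx copies on the other gives each port exactly one. Port names, VLAN membership and the sessions are constructed.

```python
"""Count how many copies of one frame a SPAN session delivers to its
destination, to show where the double counting described in the text
comes from.

Added example, not Cisco IOS or Cisco NAM code: a small model of SPAN
source matching that follows the text's rules (a source port or VLAN can
be monitored in the rx, tx, or both directions; a frame is copied once for
each source/direction it matches). Port names, VLAN membership and the
sessions below are constructed.
"""
from dataclasses import dataclass

# Constructed switch: access VLAN of each port.
VLAN_OF_PORT = {"a1": "10", "a2": "10", "b1": "20"}


@dataclass(frozen=True)
class Source:
    kind: str        # "port" or "vlan"
    name: str        # port name, or VLAN id as a string
    direction: str   # "rx", "tx", or "both"


@dataclass(frozen=True)
class Frame:
    ingress: str                 # port the frame entered on
    egress: str                  # port the frame was switched out of
    l3_rewritten: bool = False   # True when routing changed the frame (MACs, TTL)


def _matches(src, port, direction):
    """Does this source cover traffic on `port` in `direction`?"""
    if src.direction not in (direction, "both"):
        return False
    if src.kind == "port":
        return src.name == port
    return VLAN_OF_PORT.get(port) == src.name


def span_copies(sources, frame):
    """One entry per copy that reaches the SPAN destination."""
    copies = []
    for src in sources:
        if _matches(src, frame.ingress, "rx"):
            copies.append(("rx", frame.ingress))
        if _matches(src, frame.egress, "tx"):
            copies.append(("tx", frame.egress))
    return copies


def duplicates(sources, frame):
    """Copies beyond the first that are byte-identical (no Layer 3 rewrite)."""
    n = len(span_copies(sources, frame))
    return 0 if frame.l3_rewritten else max(0, n - 1)


def split_across_nam2_ports(sources):
    """The NAM-2 arrangement from the text: rx copies go to data port 1 and
    tx copies to data port 2, so each data port sees every frame once."""
    return {
        "data-port-1": [Source(s.kind, s.name, "rx") for s in sources],
        "data-port-2": [Source(s.kind, s.name, "tx") for s in sources],
    }


# The text's example: bidirectional session on a1 and a2, frame from a1 to a2.
BOTH_A1_A2 = [Source("port", "a1", "both"), Source("port", "a2", "both")]
RX_A1_A2 = [Source("port", "a1", "rx"), Source("port", "a2", "rx")]
VLAN10_BOTH = [Source("vlan", "10", "both")]
VLAN10_RX = [Source("vlan", "10", "rx")]   # the default direction for VLAN sources
A1_TO_A2 = Frame("a1", "a2")

if __name__ == "__main__":
    for label, session in (("ports both", BOTH_A1_A2), ("ports rx", RX_A1_A2),
                           ("vlan both", VLAN10_BOTH), ("vlan rx", VLAN10_RX)):
        print(label, span_copies(session, A1_TO_A2),
              "duplicates:", duplicates(session, A1_TO_A2))
```

The model also explains the receive-only default for VLAN sources: with VLAN 10 monitored in both directions the a1-to-a2 frame is copied on ingress and again on egress, while a frame leaving the VLAN (a1 to b1) is copied only once, so rx-only gives one copy per frame regardless of where it is switched to.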


You must understand the exact nature of the data source to properly interpret the traffic analysis reports.

Note
The NBAR MIB has not yet been implemented within the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series router. When these devices include support for the NBAR MIB, the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series router NAM will support NBAR protocol discovery on those devices as well.

Note
The NME-NAM is the NAM available for Cisco branch series routers and provides additional visibility at the WAN interfaces.


Mini-RMON, SPAN, and RSPAN

[Figure: Cisco Catalyst 6500 Series Switch with an embedded NAM. Callouts: "Use SPAN to copy port, VLAN, or EtherChannel traffic to NAM"; "Spanned traffic sent to NAM data port"; "Mini-RMON traffic collected by internal NAM interface"; "Traffic passes over production links when using RSPAN to monitor traffic on a remote switch" (a second Cisco Catalyst switch). Note: The NAM-2 has two monitor or destination ports to support two simultaneous SPAN/RSPAN sessions.]

The mini-RMON is an interface used to gather mini-RMON statistics from each of the enabled ports on the host device. This allows you to view basic Layer 2 statistics for each port and to decide if further analysis is necessary for any of the ports. If further analysis is necessary, Cisco NAM analyzes actual traffic passed to it with the SPAN or VACL mechanism of the Cisco Catalyst switch.

Spanning is the term used to define the configuration that is required to copy traffic from source ports, VLANs, or a Cisco EtherChannel tunnel to a destination switch port (SPAN port) for analysis. A SPAN session is an association of a destination monitor port with one or more sources of traffic. Sources can be physical ports, VLANs, or a Cisco EtherChannel tunnel. When Cisco NAM is installed, the host switch recognizes it as a SPAN destination. The user selects one or more ports, VLANs, or EtherChannels, and the switch copies the traffic from the selected sources to Cisco NAM for analysis and reporting.

A user often has a need to analyze traffic flows captured by SPAN on a box different from where they are captured. Switches that support Remote SPAN (RSPAN) allow the user to capture the monitored traffic and transmit it to a remote switch that has an embedded NAM, using an RSPAN VLAN. However, RSPAN analyzes traffic only on the same Layer 2 domain from where it is sourced. Also, the Layer 2 domain is confined to Cisco switches due to special properties of the RSPAN VLAN that are supported by Cisco switches only.

Note
The NAM-2 hardware includes two destinations to allow increased flexibility for network monitoring.

Note
The ability to use SPAN VLANs allows you to achieve additional monitoring flexibility. Remote switches can be configured to export data on a special user-defined VLAN. Cisco NAM can then span this remote VLAN, effectively spanning data from a remote switch. This capability is known as Remote SPAN (RSPAN).


Note
RSPAN data traverses production links. This additional traffic can have an adverse performance impact on your network. Please consider these implications before implementing remote monitoring using RSPAN.

Note
RSPAN and SPAN are mutually exclusive; that is, if you use RSPAN, you lose the ability to SPAN data to that port. Consider using a NAM-2 with its second data port to allow Cisco NAM to use both SPAN and RSPAN together.


ERSPAN

[Figure: Cisco Catalyst 6500 Series Switch with an embedded NAM receiving ERSPAN traffic from a remote Cisco Catalyst switch. Callouts: "Use ERSPAN to troubleshoot without the need to send personnel to the site or hauling around a portable analyzer"; "ERSPAN traffic collected by NAM management interface"; "Traffic passes over production links when using ERSPAN to monitor traffic on a remote switch"; "Packets are encapsulated in GRE header and directed to IP address of ERSPAN destination".]

ERSPAN (Encapsulated RSPAN) provides a solution to the limitations just described. The ERSPAN feature allows the user to capture traffic and encapsulate it in a Generic Routing Encapsulation (GRE) IP packet. This encapsulated packet can then be sent through any Layer 3 network as a GRE tunneled packet.

ERSPAN increases the deployment flexibility of Cisco NAM, enabling it to monitor traffic from remote parts of the network. Cisco NAM can receive ERSPAN traffic through the internal management port (the same one used by NetFlow traffic). Alternatively, the ERSPAN traffic can be directed to the switch, and then the receiving port can be spanned to Cisco NAM for analysis. ERSPAN traffic sent directly to Cisco NAM is treated as a separate data source, independent of the spanned traffic. ERSPAN is supported on Supervisor 720 with Cisco IOS Software Release 12.2(18)SXE or later, and PFC3B.

Note
Sending excessive ERSPAN traffic directly to NAM will slow GUI response time.

VACLs

* Use a VACL for traffic analysis:
  - To analyze WAN interfaces that cannot be spanned
  - If no more SPAN sessions are available for use
  - To pre-filter specific types of traffic for analysis
* VACL traffic sent to the Cisco NAM data port looks just like SPAN data to the Cisco NAM

[Figure: Cisco Catalyst 6500 Series Switch. Example: A VL AN ACL can be used to capture WAN traffic and forward it to Cisco NAM as an Ethernet frame. Callouts: "Copied traffic"; "VACL traffic sent to NAM data port".]

VLAN access control lists (VACLs) can be a valuable source of traffic for analysis by Cisco NAM. VACLs can be used in the following ways.

The Cisco Catalyst switch SPAN capability is limited to two SPAN sessions and LAN ports. You can analyze WAN links using the NAM-1 and NAM-2 by using one of two methods:

* VACLs: You can use a VACL to configure the WAN port data to be captured and forwarded to Cisco NAM as Ethernet frames. This feature only works for IP traffic over the WAN interface.
* NDE:

VACLs can be used with LAN ports and are useful if no more SPAN sessions are available.

VACLs can be used to help filter specific types of traffic for further analysis by Cisco NAM.


NetFlow Data Export

[Figure: Cisco Catalyst 6500 Series Switch with an embedded NAM and a remote NetFlow-enabled device. Callouts: "NDE traffic from local host device can be copied to Cisco NAM"; "NDE traffic collected by a single internal Cisco NAM interface"; "NDE traffic for enabled interfaces on remote NetFlow-enabled devices passes over production links to Cisco NAM on UDP port 3000"; "NetFlow supports monitoring of applications, hosts, conversations, and DiffServ". Mini-RMON is also shown.]

The figure shows how the NDE feature is used for WAN monitoring. In addition to the internal interfaces of Cisco NAM for SPAN, VACL, and mini-RMON, there is also an interface for NDE packets arriving at Cisco NAM on User Datagram Protocol (UDP) port 3000. NDE packets contain information about one or more packet flows for one or more interfaces on a local or remote router that can be parsed and added to the RMON MIB and reported on by the Cisco NAM traffic analysis software. NetFlow allows for the monitoring of applications, hosts, conversations, and DiffServ (remote).

The flows are configured on the remote device, possibly by interface, and exported to Cisco NAM on UDP port 3000. The flows represent data coming into one interface on the remote device and exiting out of another interface. As long as the device is capable of running NetFlow and exporting collected traffic statistics, Cisco NAM can receive and process such data.

Note
Detailed monitoring for voice, VLAN, ART, DiffServ (local), and packet captures and decodes are not available on NDE data sources.
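What a collector on UDP port 3000 does with an NDE datagram, as an added example that is not Cisco NAM code or course material. It also illustrates the earlier Live Network Monitoring passage on TopN hosts, applications and conversations: the NetFlow version 5 header is validated, the 48-byte flow records are unpacked, and the flows are rolled up per host, per conversation and per application. The datagram is constructed with struct so the example runs offline, and the port-to-application table is an assumed mapping, not NAM's protocol directory.

```python
"""Parse NetFlow version 5 export (NDE) datagrams into the host,
conversation and application statistics the text describes.

Added example, not Cisco NAM code or Cisco course material. It shows what
a collector on UDP port 3000 (the port the text gives for NDE to Cisco NAM)
does with a datagram: validate the v5 header, unpack the 48-byte flow
records, and roll them up into TopN hosts, conversations and applications.
The datagram is constructed with struct so the example runs offline; the
port-to-application table is an assumed mapping, not NAM's protocol
directory.
"""
import socket
import struct
from collections import Counter

NAM_NDE_PORT = 3000
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes
# Assumed (proto, well-known port) -> application name; constructed.
APP_PORTS = {(6, 80): "http", (6, 443): "https", (17, 5060): "sip"}


def build_v5_datagram(flows, uptime_ms=100_000, unix_secs=1_200_000_000, seq=1):
    """Serialize (src, dst, sport, dport, proto, pkts, octets) tuples as NetFlow v5."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    records = b""
    for src, dst, sport, dport, proto, pkts, octets in flows:
        records += V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
            1, 2,                          # input / output ifIndex
            pkts, octets, uptime_ms - 5_000, uptime_ms,
            sport, dport, 0,               # pad1
            0x18 if proto == 6 else 0,     # tcp_flags (PSH|ACK for TCP)
            proto, 0,                      # prot, tos
            0, 0, 24, 24, 0)               # src_as, dst_as, masks, pad2
    return header + records


# Constructed flows as a remote router might export them.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.2.2.20", 51000, 80, 6, 120, 90_000),
    ("10.2.2.20", "10.1.1.10", 80, 51000, 6, 100, 300_000),
    ("10.1.1.11", "10.2.2.20", 4000, 443, 6, 50, 40_000),
    ("10.1.1.10", "10.3.3.5", 5060, 5060, 17, 10, 5_000),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)


def parse_v5(datagram):
    """Validate the header and return one dict per flow record."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "pkts": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13], "tos": f[14]})
    return flows


def application(flow):
    """Name the application from whichever end uses a well-known port."""
    proto = flow["proto"]
    return (APP_PORTS.get((proto, flow["dport"]))
            or APP_PORTS.get((proto, flow["sport"]))
            or f"proto-{proto}-unknown")


def summarize(flows):
    """Octets per host, per conversation (unordered pair) and per application."""
    hosts, convs, apps = Counter(), Counter(), Counter()
    for f in flows:
        hosts[f["src"]] += f["octets"]
        hosts[f["dst"]] += f["octets"]
        convs[tuple(sorted((f["src"], f["dst"])))] += f["octets"]
        apps[application(f)] += f["octets"]
    return {"hosts": hosts, "conversations": convs, "applications": apps}


def collect(datagram, udp_dst_port):
    """Accept only datagrams addressed to the NDE port, then summarize them."""
    if udp_dst_port != NAM_NDE_PORT:
        raise ValueError(f"NDE is expected on UDP port {NAM_NDE_PORT}, got {udp_dst_port}")
    return summarize(parse_v5(datagram))


def top_n(counter, n=3):
    """TopN view of any of the three summaries."""
    return [key for key, _ in counter.most_common(n)]


if __name__ == "__main__":
    stats = collect(SAMPLE_DATAGRAM, NAM_NDE_PORT)
    for name, counter in stats.items():
        print(name, counter.most_common(3))
```

Because NetFlow records carry only headers and counters, the summary reproduces the host, conversation and application views but not server response times, which is the NDE limitation the note above states; both directions of the HTTP exchange fold into one 390,000-octet conversation, and the header length check rejects truncated or misdeclared datagrams before any record is trusted.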


Plan for Cisco NAM Deployment

This topic describes how to plan for NAM deployment.

Cisco NAM Deployment Overview

[Figure: planning considerations arranged around Cisco NAM: Placement of Cisco NAMs; Proactive Alerts (acceptable response times? acceptable utilization?); Data Sources (NetFlow data export, MIB-II interface, spanned switch stats for ports and VLANs, supervisor module VACL source); Reporting Requirements (email export? schedule? granularity?).]

The data that Cisco NAM collects, and the reports that it generates, will only be as good as the effort and consideration you put into the planning stages. You must bring your knowledge of your network and business, and of how the business uses the network, into the planning stages when deploying Cisco NAM to ensure that you collect the data you want from the sources that make the most sense, and to present the data in the most productive way.

The Cisco NAM module needs to view the network traffic to provide traffic visibility and analysis. Therefore, the network administrator must first determine what information is desired from the analysis software, and what data must be collected to get the desired reports. Properly determining the data to collect to obtain the reporting requirements is perhaps the very crux of network management. The success of your NAM implementation depends on a clear understanding of the reporting requirements and how to obtain the data using Cisco NAM.

To gain a better understanding of this issue, consider the following questions:

* Are there bandwidth and response time requirements or policies that your company requires monitoring of?
* What business or technical problems are you trying to solve with Cisco NAM? A specific application or response-time problem? Voice or data quality of service (QoS) delivery? Monitoring for real-time or historical performance? Acute problems or fault isolation? Some combination of these?
* What types of reports are needed (utilization, hosts, conversations, applications, protocol usage, response time, and so on), what should the granularity of the data be, and when should the reports be scheduled?


* How will Cisco NAM view the traffic to analyze? Will the packets be spanned to the interface of Cisco NAM or exported by NetFlow, or can the switch port statistics be used?
* Are NAM modules in the appropriate locations to collect this data?

These planning and deployment issues are highlighted in this scenario and repeated in the upcoming scenarios. Each scenario will look at different ways to deploy, configure, and use Cisco NAM to solve real-world problems.


You may need to define different levels of security to meet the varying needs of your users. For example, in-depth configuration and customization of Cisco NAM to deliver the monitoring needed requires a certain level of access. But the monitoring and reporting features of Cisco NAM often serve a broad range of users who have different security requirements.

This situation may apply to the Cisco NAM in your environment because you may want to give many users access to some parts of Cisco NAM and secure other parts. However, giving unlimited access to all the Cisco NAM features could undermine the very purpose for deploying NAMs in the first place. The problem is this: as discussed earlier, the data you get from Cisco NAM is only as good as your planning for and configuration of it. So, if you give configuration access to all your users, you will not be able to guarantee that the collections that you configured a week ago will still be the same when you go to review the performance of your network. For example, let us say you have configured Cisco NAM for alarming and event notification on a data source for historical reporting. Any changes made to Cisco NAM may disable the alarms you rely on for notification or the data sources you are using for monitoring. So, when planning for Cisco NAM deployment, consider who should have access to its configuration utilities and who simply needs access to the reports. Doing so will help ensure that Cisco NAM will continue to deliver the data you need.


Deployment of Cisco NAM in Data Center

[Figure: data center topology with the callout "Deploy Cisco NAMs at critical and aggregation points in the data center"]

Collecting the data you need is made easier by the flexibility of Cisco NAM to be placed where it is needed and where it can gather data from either local or remote switches and routers. Typical deployment places for Cisco NAM include LAN aggregation points where it can collect the most data, service points (server farms, data centers, and so on) where performance is critical, and important access points. Actual placement depends on the problems you are trying to solve with Cisco NAM. As shown in the figure, the Cisco Catalyst 6500 Series Switch NAM can be complemented with the Cisco branch routers series NAM and the NM-NAM for monitoring WANs.

Cisco Catalyst 6500 Series Switch NAMs

The Cisco Catalyst 6500 Series Switches can host NAM-1 or NAM-2. These NAMs can collect and display per-port Layer 2 statistics in conjunction with the mini-RMON on every interface. You can achieve more in-depth analysis of LAN ports by spanning or copying traffic from ports, VLANs, or EtherChannels to the embedded NAM, or by using VACLs to mirror data to Cisco NAM if no spanning sessions are available.

You can analyze remote switches using the RSPAN feature of Cisco Catalyst switches. You can achieve a detailed analysis of WAN ports by using VACLs on a local device or by forwarding NetFlow data from either the local or a remote device.

The Cisco Catalyst 6500 Series Switch NAMs are vital tools that provide high performance to monitor traffic running at sub-gigabit speeds (NAM-1) and gigabit speeds (NAM-2). Cisco NAMs can be deployed in the following areas:

* Distribution or core layer trunk ports
* Service points (for example, in data centers, server farms, or Cisco Unified Communications Manager clusters in IP telephony) where performance is critical
* Critical access points

Placement and intended use can dictate the need for the higher-performance NAM-2.


Planning Checklist

* Identify the problems or needs you are trying to solve with Cisco NAM.
* Identify what data collection and monitoring needs can help resolve problems or needs.
* Determine how many Cisco NAMs you need to deploy and where you need to deploy them.
* Identify the appropriate SPAN sources (port, VLAN, or Cisco EtherChannel tunnel) for each Cisco NAM.
* Define access policies, data collection and reporting, and alarm configuration requirements for each Cisco NAM to match needs.
* Configure security, monitoring, and alarming as defined in the previous steps.
* Review Cisco NAM system resources to ensure that Cisco NAM continues to support your collection and monitoring needs.
* View, modify, and monitor the configuration as necessary.

The figure shows a planning checklist of items that you should consider when deploying Cisco NAM.

There is no easy formula for determining how many NAMs you will need, where Cisco NAMs should be deployed, and how they should be configured. It depends on what business or technical problems you are trying to solve. Following are some guidelines for planning and implementing Cisco NAM.

* Identify the problems or needs you want to resolve with Cisco NAM.
* Identify what data and reports will help resolve the problems or needs.
* Determine how many NAMs you need and where you need to deploy them.
* Identify the appropriate data sources (port and interface, segment, VLAN, or Cisco EtherChannel tunnel) for each NAM.
* Define what access policies, data collection and reporting, or alarm features are needed for each NAM.
* Configure security, monitoring, and alarms to meet the needs that were defined.
* Review NAM system resources to ensure that NAM resource usage remains low enough to support your data collection and monitoring needs.
* View and modify your reports and configuration as necessary.


Frequently Asked Questions

* What are the busy parts of my network? Are these parts of the network experiencing a temporary bottleneck or operating at full capacity and saturation?
* Who is sending or receiving the most traffic? Which host should I isolate to determine if it is being used for a DoS attack or for excessive file downloads?
* What are my traffic patterns? When should I schedule operations to avoid the busy periods or to examine problems that recently occurred?
* What are the application traffic characteristics? What effect does deploying a new application have on my network?
* How is traffic flowing through the network from a QoS point of view? Is there a portion of the traffic that requires special per-hop behavior because it is voice or other special traffic?


Frequently Asked Questions (Cont.)

* What is the status of VoIP traffic? Is good call quality being provided to users?
* Are there any undesirable applications being run on the network? Are my resources being used for business purposes?
* Can specific characteristics of the traffic be detected for troubleshooting by using sophisticated filtering?
* How do I know if a user complaint about slowness is legitimate? How can I identify whether the cause of a problem is the network or the server?
* How can I be alerted to potential service degradation before it occurs?

The figure shows more frequently asked questions about the deployment of the Cisco Catalyst 6500 Series Switch NAM:

* What is the status of VoIP traffic? Is good call quality being provided to users?
* Are there any undesirable applications being run on the network? Are my resources being used for business purposes?
* Can specific characteristics of the traffic be detected for troubleshooting by using sophisticated filtering?
* How do I know if a user complaint about slowness is legitimate?
* How can I identify whether the cause of a problem is the network or the server?
* How can I be alerted to potential service degradation before it occurs?


Summary

This topic summarizes the key points that were discussed in this lesson.

Summary

* Network traffic should be monitored proactively in managing the overall network.
* Real-time monitoring statistics provide immediate data on the current traffic for troubleshooting.
* Historical statistics provide valuable trending and capacity planning information for network planners.
* The RMON II MIB provides extensive visibility into application traffic, including hosts and conversations. Other MIBs (DSMON, SMON, VoIP, and ART) provide more details for analyzing QoS.
* Data sources used for analysis include SPAN, RSPAN, VACL, and NetFlow.


Lesson 2

Implementing Initial Configuration

Overview

Objectives

Upon completing this lesson, you will be able to describe the Cisco Catalyst 6500 Series Switch NAM installation and initial configuration steps. This includes being able to meet these objectives:

* Describe the Cisco NAM installation
* Explain the Cisco NAM initial setup
* Describe various ways to access the Cisco NAM

Cisco NAM Installation

This topic describes Cisco NAM installation.

NAM-1 and NAM-2 Requirements

* Configure SNMP agent and SNMP read community string to allow the Cisco NAM to read the mini-RMON port statistics
* Refer to notes for specific Cisco IOS requirements for the SPAN and ERSPAN features

Supervisor Engine | Cisco IOS Software Release
Supervisor 32 | Release 12.2(14)SX1 or later
Supervisor 720 with PFC3A/B/BXL | Release 12.2(18)SXF or later
Supervisor 720-10G with PFC3C/CXL | Release 12.2(33)SXH1 or later

NA M -land NAM -2 have minimtlm operating systcm softwareversion and supervisorengine


colnbination rcquircments.
Thc hostdevice requiresno additionalconfigtlration to hostCisco NAM otherthan the

hardwarcand softwarerequirementsjustdiscusscd.Howcvcr,evcry (7
.isco Catalystswitch is
capable oI-gathcring a subsetofRemotc M onitoring (RM O N)statisticson aper-portbasis
knownasmini-RMON (Layer2 statistics,history oftllosestatistics.alarlns.andevents).
Typicallyethcse statistics areused to providc generalportstatusand hcalth.To utilizethis
capability.you m tlstdetine the Sim plc Network M anagclncntProtocol(SNM P)comm unity
stringsto cllable data collection by Cisco NAM (and/orathird-party managem entapplication).

You shotlld alwaysconsulttheproductreleasc notesthatare included with thc productforthe


mostup-to-datc lpardwareand software requircments.


Web Browser Requirements

* Configuration:
  - Enable Java and JavaScript
  - Accept all cookies
  - Check for newer versions of pages every time it loads a page
  - Memory and disk cache size must be at least 6 MB
  - Although the Traffic Analyzer does not require it, a Java plug-in might be required to use a JVM

Browser / Runtime          Version                 Operating System
Internet Explorer          6.0                     Microsoft Windows 2000, Microsoft Windows XP Professional
Mozilla Firefox            1.7                     Microsoft Windows 2000, Microsoft Windows XP Professional, Solaris
JRE                        Version 5.0 Update 6    Microsoft Windows 2000, Microsoft Windows XP Professional, Solaris, Red Hat Enterprise Linux

Note

It is always a good idea to check the latest release notes for up-to-date information regarding system requirements.

Note

Clients not conforming to these requirements can also work but they have not been tested and certified by Cisco and, therefore, are not supported if problems arise.


NAM Hardware Installation

After you have identified the appropriate locations for Cisco NAM and you have determined that the Cisco Catalyst switch hosting Cisco NAM meets all requirements, you can install the NAM blade and configure it for basic management (for use with the Traffic Analyzer software that is embedded in Cisco NAM or a third-party application) and for any additional monitoring, data source, or autostart options.

You can install Cisco NAM in any slot on the host Cisco Catalyst switch except slots that are reserved for the supervisor modules.
Cisco NAM is a complex piece of electrical hardware and should be treated carefully. Installers should follow all safety precautions when handling and installing any electrical component. Follow all recommendations listed in the installation guide to ensure the best operating environment for Cisco NAM.

Caution

Cisco NAM must be properly shut down before removing it from the switch or serious damage to Cisco NAM can occur. Review NAM maintenance information prior to removing the NAM blade.


Verifying NA M Installation


Cisco NAM Initial Configuration

This topic describes Cisco NAM initial configuration.

Initial Setup
1. Access CLI of hosting device (Telnet or console port)
2. Establish console session to Cisco NAM module
3. Log in to Cisco NAM (default login: root, password: root)
4. Enter IP configuration:
   - IP address, subnet mask, and broadcast address
   - IP hostname and domain name
   - Default gateway
   - DNS name server (if applicable)
5. Verify IP configuration
6. Telnet

You must provide Cisco NAM with an initial IP configuration to enable communication with other devices, whether for management purposes (Telnet) or for retrieving data.
To configure the IP settings, access the CLI of the hosting device with Telnet or through the console port, and then session to the slot number where Cisco NAM resides with the following command:

session slot slot-number processor 1

Note

The syntax differs slightly for Cisco IOS and Cisco Catalyst Operating System Software devices.

The login prompt for the NAM CLI is displayed. By default, the administrative login is "root" with the password also set to "root." It is important to change this password for security purposes by using the password command. The NAM banner message indicates if the default password has not been changed.


IP Settings and Web Server

* Access Cisco NAM and set IP to enable remote access

6500# session slot slot_num processor 1
root@localhost# ip address ip-address subnet-mask
root@localhost# ip broadcast broadcast-address
root@localhost# ip host host-name
root@localhost# ip gateway default-gateway
root@localhost# ip domain domain-name
root@localhost# ip nameserver ip-address [ip-address]

* Before using Cisco NAM Traffic Analyzer software, enable the web server on the Cisco NAM

root@localhost# ip http server enable
Enter a web username:
Enter a password:

You are prompted for the web username and password when logging in to the web interface of the Cisco NAM (HTTP or HTTPS).

Initial IP Settings
The figure and the table show the syntax and commands to configure the necessary IP settings.

NAM IP Settings Syntax and Commands

Command                                                             Description
root@localhost# ip address ip-address subnet-mask                   Configures the IP address and subnet mask
root@localhost# ip broadcast broadcast-address                      Configures the IP broadcast address
root@localhost.localdomain# ip host host-name                       Configures the IP hostname used in the CLI prompt, show commands, and log messages
root@nam1.localdomain# ip gateway default-gateway                   Configures the default gateway
root@localhost# ip domain domain-name                               Configures the domain name for the NAM
root@localhost.localdomain# ip nameserver ip-address [ip-address]   Configures one or more IP addresses as domain name system (DNS) name servers
root@localhost.localdomain# show ip                                 Verifies the NAM IP configuration

Note

The configuring of one or more IP addresses as DNS name servers step is optional but highly recommended. Unexpected delays can occur if a name server is not set.


Enabling Web Server
After you configure Cisco NAM with an IP address, you can communicate with Cisco NAM over the network. Before you can access Cisco NAM through a web browser, you must enable the NAM web server using the CLI.
To enable the web server, choose either HTTP or HTTPS as the access protocol. By default, the HTTPS commands are disabled.
For HTTP, use the ip http server enable command. For HTTPS, use the ip http secure server enable command.
You can also choose to run the server on a port other than TCP 80. If you change the HTTP port, you must restart the server.

Note

After entering the command to enable the server, you are then queried for a web administration username and password. This is the account information used to access the Cisco NAM Traffic Analyzer software with a browser. Remember that the CLI account for Cisco NAM is not a web account and cannot be used to access Cisco NAM with a web browser.

To enable the HTTP secure server, install a strong crypto patch. If you prefer to use Secure Shell Protocol (SSH) rather than Telnet, you must also install a strong crypto patch.
To install a strong crypto patch, follow these steps:

Step 1
Download the patch from Cisco.com and publish the patch on an FTP server.

Step 2
Install the patch by entering the following command (where ftp-url is the FTP location and the name of the strong crypto patch):
root@localhost# patch ftp-url

Note

These steps are generic to all NAMs.

VLAN and SNMP Configuration

6500(config)# analysis module slot management-port access-vlan mgmt-vlan
Defines the management VLAN

* Before using third-party network management applications to communicate with Cisco NAM, first enable SNMP attributes:
  - SNMP system variables (name, location, contact)
  - Community strings (read-only, read-write)
  - Via the CLI or with Cisco NAM web interface

VLAN Configuration

During installation of Cisco NAM, Cisco NAM is made aware of the SNMP community strings of the host switch that are already set. For example, to configure SNMP community strings on the host switch, use the following commands:
root@localhost.localdomain# snmp community community-string rw
root@localhost.localdomain# snmp community community-string ro

The NAM is now ready to use for traffic monitoring.


Logging In
http://<NAM IP address>
Web username and password

Logging in to the Cisco NAM web interface brings you to the System Overview opening screen.

The figure shows the steps to access the web server and log in to the embedded Traffic Analyzer software.


System Overview
All of your configuration options will affect the resource utilization and performance of the Cisco NAM; periodically monitor these statistics.

The first screen that appears after you log in to Cisco NAM is the System Overview. This screen illustrates the hostname and IP address of the NAM, how long the NAM has been up, and the amount of CPU, memory, and disk space that is being utilized.
Keep in mind that Cisco NAM has fixed resources and all of the monitoring, alarms, and packet captures you define are stored in NAM memory. Be aware that the more traffic you analyze, the more NAM resources you consume. So, choose your data sources and your collection of statistics wisely to ensure that you maintain the validity of your data. A good practice is to slowly and incrementally add data collection and monitoring options and then understand their impact on Cisco NAM by viewing the system resource utilizations shown on this screen.


Configuring Cisco NAM Network Parameters

To configure Cisco NAM network parameters, select the Admin > System > Network Parameters submenu.
Network access configuration options that were defined during installation at the CLI can be changed here.

You must configure Cisco NAM network access parameters initially from the CLI before you can access the NAM by way of the network. After you have set these parameters, you can then change them with the web interface.
The figure shows the network parameters that can be changed on Cisco NAM, including the following:
* IP address
* IP broadcast
* Subnet mask
* IP gateway
* Host and domain names
* Name servers


Configuring Security and User Access

* User account management: Which users should have access to which features? Define security policies that meet your security needs and the functional requirements of Cisco NAM users
* Define security policies to protect your data requirements
* Enable third-party management systems to communicate with Cisco NAM with SNMP community strings

User Account Management

Creating New Users
To access the user accounts, select the Admin > Users > Local Database submenu.
The table displays the user accounts and access settings.
Click Create to add a new user. Use the New User pop-up box to configure the password and privileges of the new user.

The NAM enables you to add various levels of security to user accounts. You can secure access to Cisco NAM and its data by creating different user accounts in the local database as shown in the figure. The first level of security is assigning passwords to user accounts. The second level of security is to configure user accounts to limit access based on the NAM feature set. The NAM features include the following:
* Account management
* System configuration
* Packet captures and decoding
* Alarm configuration
* Collection configuration
* Collection viewing

These configuration options enable you to limit access to Cisco NAM based on the functional needs of the user. For example, engineers responsible for fault management systems can be given access to collection and alarm configuration to define alarms and notification. Engineers responsible for troubleshooting can be given collection view and capture access privileges.

Network planners can be given collection configuration and view access privileges. You might want to consider assigning all access to one person who is responsible for overseeing the various needs of users in your organization. It is up to you to decide which users need access to each of the features available. All users by default have the collection view user privilege, allowing them to view any report for the collected data.


You can provide additional password security by adding TACACS+ server support for authenticating users who are configured for NAM use, as shown in the figure.

TACACS+ is an authentication protocol that provides remote access authentication, authorization, and related services. With TACACS+, user passwords and privileges are administered in a central database to provide scalability. To use TACACS+ services with the NAM, first you must have, or install, a TACACS+ server and configure the TACACS+ server to include an account for the NAM.
A TACACS+ user group should be created for each privilege type. NAM privileges are configured in the TACACS+ server as Cisco IOS shell commands. See the Cisco NAM user guide for more information on the NAM TACACS+ configuration options for NAM privileges. Refer to your individual TACACS+ installation and user guides for instructions on configuring your TACACS+ server.
When you have completed the TACACS+ server configuration, use the Admin > Users > TACACS+ task to enter the IP address of the TACACS+ server and the key that you assigned for the NAM on the TACACS+ server.


Third-Party Access to Cisco NAM Using SNMP
Configure Cisco NAM to allow other network management systems to retrieve information from NAM using SNMP; SNMP v1 and v2 are supported.
To access the SNMP configuration screen, select the Admin > System > NAM SNMP submenu. This configuration facilitates the use of Cisco NAM by integrating it with other existing network management systems.
Enter the read-only or read-write community string and click Create to add or delete community strings.
Disable SNMP communication by deleting SNMP community strings.

You can define SNMP community strings to allow access to Cisco NAM with a network management system (NMS) other than the embedded Traffic Analyzer for accessing the data collected by Cisco NAM as shown in the figure. You can use SNMP community strings so that other applications can send SNMP get-and-set requests to Cisco NAM, set up collections, poll data, and so on, to and from Cisco NAM.

An SNMP community is a domain of one or more SNMP agents and one or more SNMP management consoles that share access information and configuration. In other words, community strings are similar to passwords, and they enable network management agents and consoles to agree on what information and configuration options can be shared. For example, if a network management console wants to retrieve information from an agent, the console must be configured with the read-only community string of that agent to read data from it. If the network management console also wants to set parameters on the agent, it must be configured with the read-write community string.

When you configure your NAM community strings as shown in the figure, you are configuring community strings that another third-party, external management console must use to collect information from or send information to Cisco NAM. To do so, click the Create button and add the community strings for read-only and read-write. To prevent any outside SNMP access to Cisco NAM, do not configure the SNMP strings or delete all SNMP strings currently configured.

Note

The NAM supports SNMP communication with SNMP version 1 or version 2.

Note

For switches running the Catalyst operating system only, if the IP permit list is enabled, verify that the internal address of the NAM is added to the list, using the set ip permit snmp command.

To obtain the NAM internal IP address from the Traffic Analyzer, click Test from the Switch Community String dialog box under Setup > Switch Parameters. The Switch Community String Test dialog box is displayed.


Audit Trail
To access the Audit Trail screen, select the Admin > Diagnostics > Audit Trail submenu.
To use Audit Trail, you must first enable it by selecting Setup > Preferences and checking the Audit Trail check box.

Audit Trail provides useful information such as which user logged in, which IP address the user logged in from, and what activities were performed during that session.

When you have finished configuring Cisco NAM for secure and functional access, you can track critical web and CLI user activities in an audit log.

To enable the Audit Trail, select Setup > Preferences and check Audit Trail.

To view the audit trail log, go to the Admin > Diagnostics > Audit Trail task. The audit trail provides the following type of information by user ID, time, IP address of access point, and a brief description:
* All CLI commands performed
* User logins, including failed attempts
* Unauthorized access
* Switched Port Analyzer (SPAN) setup changes
* NetFlow Data Export (NDE) data source changes
* Enable/disable data collections
* Create/delete reports
* Start/stop captures
* Add/delete users

Note

The NAM can be configured to forward audit trail alerts as syslog messages to a remote system.
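Because the audit trail can be forwarded as syslog, a remote collector can triage the entry types listed above automatically. The following is an added example, not Cisco NAM code: it assumes a constructed message layout (user=, ip=, action= fields) that a real NAM may not use, and flags repeated failed logins, unauthorized access, and SPAN, NDE or user-management changes made from a station outside a management allowlist.

```python
"""Triage NAM audit-trail entries forwarded as syslog.

Added example, not Cisco NAM code. The line format below (user=, ip=, action=)
is an assumption; adapt LINE_RE to the messages your NAM actually emits.
"""
import re
from collections import Counter

# Constructed sample syslog lines, not captured from a real NAM.
SAMPLE_SYSLOG = """\
<134>Mar 12 10:01:02 nam1 audit: user=admin ip=10.1.1.5 action=login ok
<134>Mar 12 10:05:17 nam1 audit: user=admin ip=10.1.1.5 action=SPAN setup changed
<134>Mar 12 10:06:40 nam1 audit: user=bob ip=10.1.1.9 action=login failed
<134>Mar 12 10:06:52 nam1 audit: user=bob ip=10.1.1.9 action=login failed
<134>Mar 12 10:07:03 nam1 audit: user=bob ip=10.1.1.9 action=login failed
<134>Mar 12 10:09:30 nam1 audit: user=carol ip=172.16.4.2 action=unauthorized access
<134>Mar 12 10:11:00 nam1 audit: user=admin ip=192.0.2.77 action=NDE data source changed
<134>Mar 12 10:12:10 nam1 audit: user=dave ip=10.1.1.5 action=capture started
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) audit: "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>.*)$"
)

# Audit-trail entry types listed in the lesson, mapped to a coarse category.
# Order matters: "login failed" must be tested before the generic "login".
CATEGORIES = (
    ("login failed", "login_failed"),
    ("login", "login_ok"),
    ("unauthorized", "unauthorized"),
    ("span", "span_change"),
    ("nde", "nde_change"),
    ("collection", "collection"),
    ("report", "report"),
    ("capture", "capture"),
    ("user added", "user_mgmt"),
    ("user deleted", "user_mgmt"),
)
# Changes that alter what the NAM sees or who may use it.
PRIVILEGED = {"span_change", "nde_change", "user_mgmt"}


def categorize(action):
    """Return the coarse category for an audit-trail action string."""
    text = action.lower()
    for needle, cat in CATEGORIES:
        if re.search(r"\b" + re.escape(needle) + r"\b", text):
            return cat
    return "cli_command"  # anything else is treated as a plain CLI command entry


def parse_line(line):
    """Parse one forwarded audit-trail line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["category"] = categorize(event["action"])
    return event


def analyze(text, fail_threshold=3, mgmt_hosts=frozenset({"10.1.1.5"})):
    """Return a list of findings worth an analyst's attention.

    mgmt_hosts is the allowlist of stations expected to make privileged changes
    (constructed value here; substitute your own management subnet or jump hosts).
    """
    findings = []
    failures = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        if ev["category"] == "login_failed":
            failures[key] += 1
            if failures[key] == fail_threshold:  # fire once, on the Nth failure
                findings.append({"kind": "repeated_login_failure", "user": ev["user"],
                                 "ip": ev["ip"], "count": failures[key], "ts": ev["ts"]})
        elif ev["category"] == "unauthorized":
            findings.append({"kind": "unauthorized_access", "user": ev["user"],
                             "ip": ev["ip"], "count": 1, "ts": ev["ts"]})
        elif ev["category"] in PRIVILEGED and ev["ip"] not in mgmt_hosts:
            findings.append({"kind": "privileged_change_from_unlisted_host",
                             "user": ev["user"], "ip": ev["ip"], "count": 1,
                             "ts": ev["ts"], "action": ev["action"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SYSLOG):
        print(f"{f['ts']} {f['kind']:36} user={f['user']} ip={f['ip']} n={f['count']}")
```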


Configuring Cisco NAM System Time
To set the NAM system time, select the Admin > System > NAM System Time submenu.
Configure the Cisco NAM system time to synchronize with the time set on the host switch, or configure the Cisco NAM to set its time based on an NTP server.

Most analysis of the data that is reported by Cisco NAM is dependent on the time that the reported events occurred. Therefore, it is important that the time of the NAM is properly set. The system time of the NAM can be either synchronized with the time set on the host device or it can be retrieved and set from a Network Time Protocol (NTP) server that is responsible for setting the time on all network devices.


Use the Admin > System > E-mail Configuration task to define the external mail server (POP or Exchange) and e-mail address of the recipient to be used.


System Administration: System Settings, FTP Reports and Alarms
To configure the FTP server, select the Admin > System > FTP Configuration submenu.
Similar to e-mail, the Cisco NAM can be configured to use FTP to transfer alarms and reports from the NAM to an FTP server. If this method is configured, alarms and reports will be sent to the specified FTP server.

The NAM also allows reports and alarms to be transferred using FTP.

Use the Admin > System > FTP Configuration task to add external FTP servers, their access credentials, and the directory to place the reports on the FTP server.


System Administration: System Settings, Publishing Reports
To configure the web publication, select the Admin > System > Web Publication submenu.
Web publication can be open or restricted using an ACL and/or publication code.

To enable this feature, select Admin > System > Web Publication, select the report types to publish on the web, and optionally restrict access using a Publication Code and/or access control list (ACL).


System Administration: Preferences, All Users
To configure the user preferences, select the Setup > Preferences submenu.
Check this field to enable IP hostname resolution for use of hostnames in tables and graphs.
Use this field to customize the default number of rows in a table.
Use this field to customize how often the Cisco NAM refreshes the data that you view.
Use thresholds for numbers to format data.
Check this field to enable Audit Trail.
Use this field to customize the default number of bars in a graph.

From the Setup > Preferences menu, you can do the following:
* Customize how many rows of a table are displayed per screen (from 1 to 1000); the default value is 15.
* Configure the rate at which the Traffic Analyzer refreshes the data you view in Monitor, from 15 to 3600 seconds; default value is 60 seconds.
* Configure how many graph bars are displayed in TopN host graphs; default value is 10.
* Select if you want the Traffic Analyzer to use IP hostnames rather than an IP address in the tables and graphs.
* Configure how to display large numbers.
* Enable Audit Trail for tracking critical web GUI and CLI user activities.
* Enable ESP-Null Heuristic, which forces Cisco NAM to check all packets with an ESP header to see if it could be using null encryption and parse content appropriately. The ESP-Null Heuristic feature adds processing overhead, so it is disabled by default.
These settings are global preferences settings and apply to all users of the Traffic Analyzer software on Cisco NAM.


Configuring Host Switch Configuration
The figure shows the Setup > Switch Parameters screen with information about the host switch.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* Cisco NAM must be provided with an initial IP configuration to enable communication with other devices.
* Cisco NAM access parameters are initially configured from the CLI to access the Cisco NAM by way of the network and can be changed via the web interface.
* Use a standard web browser for client access to the Cisco NAM Traffic Analyzer software.
* Several levels of security can be defined for Cisco NAM access.


Lesson 3

Monitoring, Viewing, and Saving Data

Overview

Objectives

Scenario 1: Live Network Monitoring and Analysis
This topic discusses the scenario where NAM is used for live network monitoring and analysis.

Live Network Monitoring and Analysis

Problem description:
- Several remote branch offices will open soon
- Ensure that access to critical applications hosted at the data center from the remote branch is optimal
Monitoring plan:
- Monitor switch health
- Monitor basic port statistics (utilization)
- Detailed analysis of selected interfaces using SPAN feature
Cisco NAM monitoring will provide:
- Hosts, conversations, and application usage
- Server-client response time monitoring
- URL monitoring
- Packet captures

Problem Description
The network monitoring team has met to discuss ways to be more proactive, especially with a large branch office opening soon.

The goal is to ensure excellent performance across the WAN when the branch offices are accessing applications hosted at the corporate server farm.

Monitoring Plan

The action plan is to perform the following actions and then report back on the results:
* Monitor switch health
* Monitor basic port statistics (utilization)
* Detailed analysis of selected interfaces using Switched Port Analyzer (SPAN) feature


Action 1: Port Monitoring

After the switch is configured for Simple Network Management Protocol (SNMP), the network management team can look at the utilization of each port. Using the Traffic Analyzer software, click Monitor > Switch > Port Stats. The Port Stats report is displayed in the figure.
Most of the monitor views offer three perspectives by choosing the appropriate radio buttons at the top of the data table:
* Current Rates: Provides statistics for traffic collected during the last refresh cycle only.
* TopN Chart: Provides a list of ports ranked by volume for data during the last refresh cycle only.
* Cumulative Data: Provides absolute values for data collected since the interface statistics counters were last cleared.
The Details button provides packet size distribution for the port selected, while the Real-Time button provides a real-time graph for various performance statistics (that is, bytes per second, packets per second).
The refresh cycle can be modified by choosing Setup > Preferences, changing the Refresh Interval, and clicking Apply. If the Auto Refresh check box is selected on any data screen, the tables and charts will be refreshed as new data is collected.
Using these views, the network management team happily notes that all critical ports are barely utilized. The team can use this information to confirm the bandwidth predictions that were used to design its network. If any abnormally high utilization or error conditions had existed, the network management team could use these views to help determine the cause.

And the best way to be alerted to issues is to configure thresholds and alarms on these critical ports. This practice is covered in "Scenario 4: Troubleshooting."


View Port Statistics Real Time
Short-term report (real-time analysis) available from most monitor reports. Real-time graph that starts plotting when the window is displayed; 4 minutes of data is shown. Select a port and click Real-Time to view rates over time.

Enable Collection: Core Monitoring
The supervisor module statistics (interface, VLAN, and NBAR statistics) are a source of data for the embedded Cisco NAM. For the Cisco NAM to analyze and report on these statistics, monitoring of these data sources must be enabled.

In this case, the supervisor module is providing the data to Cisco NAM for analysis. These statistics consist of the port statistics, VLAN statistics, and Network-Based Application Recognition (NBAR) protocol directory.
Like any NAM data source, when the statistics or data source is set up or defined, no processing of statistics takes place by Cisco NAM until monitoring is enabled for the individual data sources, as illustrated in the figure.

Switch Health Statistics
Real-time graph that starts plotting when the window is displayed; 4 minutes of data is shown. Further down the screen, view memory usage.

Action 2: Detailed Port Monitoring

This topic describes detailed port monitoring with NAM.

Available Data Sources

* Cisco NAM can analyze and report on port activity by viewing packets, NetFlow records or other sources.

Data source                                  Cisco NAM interface
SPAN Session (Port, VLAN, Etherchannel)      Dataport
Remote SPAN (RSPAN) Session                  Dataport
VACL (WAN Interface or LAN VLAN)             Dataport
NetFlow Data Export (NDE)                    NDE Dataport
Supervisor Module (enable Mini-RMON)         SNMP Queries

One of the keys to a successful NAM deployment is properly selecting and configuring data sources. The user must understand that this is a two-step process. First, data must be sent to Cisco NAM for analysis, and second, several monitoring options must be enabled for various subsets of the traffic that is sent to Cisco NAM for analysis.

Data can be sent to the NAM-1 and NAM-2 for analysis using the following methods (each upcoming scenario may use a different type of data source):

* SPAN session: Copy packets from ports, VLANs, or Etherchannels to a NAM-1 and NAM-2 data port; the NAM-2 has two data ports.
* RSPAN session: Copy packets from a remote switch (ports, VLANs, or Etherchannels) to a NAM-1 and NAM-2 data port; the NAM-2 has two data ports.
* VLAN access control list (VACL): The VACL has two purposes:
  - Monitor IP traffic on a WAN interface. Because WAN interfaces do not support the SPAN function, use the switch CLI to manually configure a VACL in order to monitor WAN traffic with Cisco NAM.
  - Use VACL for VLAN traffic monitoring on a LAN; traffic can be sent to Cisco NAM by using the SPAN feature of the switch. However, in instances when a large amount of LAN traffic being spanned exceeds the monitoring capability of Cisco NAM, prefilter the LAN traffic before it is forwarded. This can be done by using VACL.
* NetFlow Data Export (NDE): Forward NetFlow records from a device to a special interface (NDE Dataport) on the NAM-1 and NAM-2.


Keep in mind that when you define a source of data, at this point the data is being sent to Cisco NAM, but not yet being analyzed. The second step is to enable collection of statistics for different subsets of the forwarded traffic. The data sources provide the traffic to Cisco NAM for analysis. Then, when the collection of statistics is enabled, the traffic is analyzed and broken down into subsets of traffic (all traffic, individual VLANs, individual Multiprotocol Label Switching (MPLS) tags, or subsets of NDE sources). The user will then configure Cisco NAM to monitor various types of statistics (applications, protocols, hosts, conversations, and so on) for these traffic sources.


Spanning Traffic to Cisco NAM for Detailed Analysis

[Figure: host switch with Cisco NAM interfaces Dataport-1, Dataport-2 and NDE Dataport. Callouts: SPAN Session #1 copies critical Gigabit port to Dataport-1 on the Cisco NAM for detailed analysis; SPAN Session #2 copies a Voice VLAN to Dataport-2 on the Cisco NAM for detailed analysis.]

If network packets are copied (spanned) to the Dataport interfaces on Cisco NAM, Cisco NAM can provide detailed analysis of the traffic. By viewing the packet headers, monitoring transaction times, and capturing the entire packet, Cisco NAM can provide host, conversation, and application statistics, as well as provide response-time monitoring, URL monitoring, and packet captures.

To copy packets from switch ports, VLANs, or an Etherchannel, the network management team can use the SPAN feature to copy the packet to a defined Dataport on Cisco NAM. In this scenario, the network management team will use SPAN to copy the critical ports and VLANs to the Dataport interface on Cisco NAM for detailed analysis. Keep in mind that if packets from multiple ports are copied to this interface, the traffic and statistics are aggregated.

Spanning is the term used to define the configuration required to copy traffic from source ports, VLANs, or a Cisco Etherchannel tunnel to a destination switch port (SPAN port) for analysis. A SPAN session is an association of a destination monitor port with one or more sources of traffic. Sources can be physical ports, VLANs, or a Cisco Etherchannel tunnel. When Cisco NAM is installed, the host switch recognizes it as a SPAN destination. The user selects one or more ports, VLANs, or Etherchannels and the switch copies the traffic from the selected sources to Cisco NAM for analysis and reporting.
Note
The NAM-2 hardware includes two destinations to allow increased flexibility for network monitoring.

Note
The ability to span VLANs allows the user to achieve additional monitoring flexibility. Remote switches can be configured to export data on a special user-defined VLAN. The NAM can then span this remote VLAN, effectively spanning data from a remote switch. This capability is known as RSPAN (Remote SPAN).

Note
RSPAN data traverses production links, so keep in mind that when using this feature, RSPAN copies and forwards packets to a remote NAM for analysis, and thus additional traffic will be placed on your network. RSPAN and SPAN are mutually exclusive; if using RSPAN then you will lose the ability to span data to that port. Consider using a NAM-2 with its second data port to allow Cisco NAM to do both SPAN and RSPAN together.

To span data to the NAM-1 and NAM-2 for analysis, first choose the Setup > Data Sources > SPAN task. A table will be displayed showing the active SPAN sessions. This screen is also useful to refer to when first accessing the NAM-1 and NAM-2 to verify what the current NAM-1 and NAM-2 data sources are, in case they were changed since you last used the Traffic Analyzer software.

If a SPAN session is already active, another one cannot be created (unless a NAM-2 is being utilized) until the current session has been deleted. Another option is to Edit the current session, but only if the SPAN type is not to be changed.

Note
The Active SPAN window will display all SPAN sessions on the host switch and not just the NAM-related SPAN sessions.

Select Create to configure a new SPAN session on the switch.


Configure SPAN

[Figure: Create SPAN Session screen. Callouts: configuration screen for creating a SPAN session; SPAN sessions can consist of one or more ports or VLANs, but not a mix of ports and VLANs; SPAN session configurable options include SPAN type (Switch Port, Etherchannel, VLAN, RSPAN VLAN), switch module (if spanning ports), SPAN destination interface (DATAPORT1 or DATAPORT2, for NAM-2 only), SPAN direction, and SPAN sources.]

These steps will configure a SPAN session on the local switch:

Step 1
You can select Switch Port, VLAN, Etherchannel, or RSPAN VLAN for spanning. In this scenario, a critical Gigabit port will be selected for detailed analysis. Thus, click the radio button Switch Port.

Step 2
Select the Switch Module containing the port or ports to span.

Step 3
Both directions of traffic need to be monitored. Click the radio button Both.

Step 4
Choose the Gigabit port from the Available Sources list. Move it to the Selected Sources list by clicking Add.

Step 5
When done adding all the ports to span, click Submit. The SPAN session is created on the switch automatically.

Step 6
If using native Cisco IOS Software, you must then click Save from the previous Active SPAN Sessions window to complete creating the SPAN session and save it to the startup configuration.

Step 7
Repeat these steps to set up a second SPAN session for the voice VLAN. Two active SPAN sessions are available only with a NAM-2 service module.


Besides the DATAPORT 1 and DATAPORT 2 data sources, there will be others to choose from, as noted here:

* ALL SPAN: Monitors all traffic forwarded to the NAM-1 and NAM-2 by means of spanning sessions and VACL traffic.
* DATA PORT X: Monitors all traffic forwarded to an individual NAM-2 data port by means of spanning sessions and VACL traffic (NAM-2 option only).
* VLAN X: Monitors all traffic forwarded to the NAM-1 and NAM-2 by means of spanning sessions and VACL traffic that has membership in the VLAN selected.
* Encapsulated RSPAN (ERSPAN): Monitors all traffic received via ERSPAN.
* MPLS Tag X: Monitors all traffic forwarded to the NAM-1 and NAM-2 by means of spanning sessions and VACL traffic that has membership in the MPLS traffic flow selected.
* NDE default: Monitors all NetFlow traffic sent by a single NetFlow device.
* NDE custom: Monitors a subset of NetFlow traffic from a single device.


Enabling data collection informs Cisco NAM of how to analyze the data, including what tables, graphs, and charts will be generated, and how many entries each report will contain.

* Application statistics: Enables the monitoring of application protocols observed on the data source.
* Host statistics (network and application layers): Enables the monitoring of network-layer host activity.
* Host statistics (MAC layer): Enables the monitoring of MAC-layer host activity. Also enables monitoring of broadcast and multicast counts for host detail screens.
* Conversation statistics (network and application layers): Enables the monitoring of pairs of network-layer hosts that are exchanging packets.
* Conversation statistics (MAC layer): Enables the monitoring of pairs of MAC-layer hosts that are exchanging packets.
* VLAN traffic statistics: Enables the monitoring of traffic distribution on different VLANs for the data source.
* VLAN priority (class of service [CoS]) statistics: Enables the monitoring of traffic distribution using different values of the 802.1p priority field.
* Network-to-MAC address correlation: Enables the monitoring of MAC-level statistics, which are shown in host detail windows. Without this collection, a MAC station cannot be associated with a particular network host.


Since packets on the critical switch ports are being copied to the Dataport-1 interface on Cisco NAM, use the Data Source drop-down menu to choose DATAPORT 1. The following four graphs are shown:

* Most Active Applications: This graph shows the number of bytes collected per second for each protocol.
* Most Active Hosts: This graph shows the number of bytes collected per second for each address.
* Server Response Time: This graph shows the server response time and the protocol used by the server.
* Protocol Suite: This pie chart shows the TopN network protocols.

These graphs show the TopN, where N by default is 10, but can be configured from 1 to 15 in the global preferences: click Setup > Preferences.


Application Statistics

[Figure: Monitor > Apps > Individual Applications screen with DATAPORT1 selected. Callouts: protocols and their current rates seen on the DATAPORT interface on the Cisco NAM; remember SPAN was used to forward the traffic from the switch ports and VLANs to the DATAPORT interface on the Cisco NAM for this type of detailed analysis.]

The Overview graphs provided a quick look, in graphical format, at the TopN protocol suites, active hosts, and active applications. To view more than the TopN applications and the distribution of packets and bytes based on the application protocol, click Monitor > Apps > Individual Applications.

Again, since packets on the critical switch ports are being copied to the Dataport-1 interface on Cisco NAM, use the Data Source drop-down menu to choose DATAPORT1. There are three displays to view:

* Current Rates Table (illustrated in the figure): This display enables you to view the number of packets and bytes collected for each application group that was seen on the data source over the last time interval.
* TopN Chart: This chart enables you to view the number of packets and bytes collected for the TopN application protocols in a graphical format over the last time interval.
* Cumulative Data: This display enables you to view the number of packets and bytes collected for each application group seen on the selected data source since the collection was created or since Cisco NAM was restarted.

To drill down into the application protocol and see the hosts using this protocol, simply click the radio button next to the protocol and click Details.

Following are some tips to consider (these apply to other statistic reports as well):

* To refresh the table, click Refresh.
* To quickly locate data in a table, enter text in the text box, and click Filter.
* To sort a table variable by percentage of the total, click on the column header. The variable is listed in descending order according to the percentage of the total.
* To view data that is grouped, click the + sign in front of the group name.
* To change the reporting time interval, click Setup > Preferences.
Y


Viewing Host Statistics

[Figure: Monitor > Hosts screen. Callouts: hosts and current rates seen on the DATAPORT1 interface on the Cisco NAM; remember SPAN was used to forward the traffic from the switch ports and VLANs to the DATAPORT interface on the Cisco NAM for this type of detailed analysis; select host and launch other reports or tools.]

Click Monitor > Hosts to view the various data collected for each host on the selected data source. The same tools apply to this monitoring window. For example, when you select a host and click Details, information on the host is provided, such as protocols used, conversations with the source host, and so on.


Viewing VLAN Traffic Statistics

[Figure: VLAN Traffic Statistics report (data source ALL SPAN). Callout: monitor traffic rates per VLAN for the selected data source.]

This figure provides an example of the reports you will see if you enable collection of the VLAN Traffic Statistics for a selected data source from the Setup > Monitor > Core Monitoring menu. These reports provide traffic distribution statistics by VLAN number and can be useful for identifying resource usage patterns by VLAN ID.

The VLAN Traffic Statistics Current Rates table enables you to view various data collected for each VLAN ID. The information displayed represents the data collected per second over the last time interval.

The TopN VLAN Traffic Statistics Chart enables you to view the various data collected for the TopN VLAN IDs in a graphical format. The information displayed represents the data collected per second over the last time interval.

The VLAN Traffic Statistics Cumulative Data table enables you to view various data collected for each VLAN ID. The information displayed represents the total data collected since the collection was created or since Cisco NAM was restarted.

For information on setting the time interval, refer to the Global Preference Settings.


[Figure: VLAN Priority Statistics report. Callout: monitor traffic based on different values of the 802.1p priority field.]

This figure shows the reports you will see if you enable collection of the VLAN Priority Statistics from the Setup > Monitor > Core Monitoring menu. These reports provide statistics by aggregating traffic by the value in the 802.1p priority field. This information can be very useful for verifying CoS configurations and identifying possible configuration problems.
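As an added example, not from the course material: a Python routine that derives the VLAN Traffic Statistics and VLAN Priority Statistics described above from spanned 802.1Q-tagged frames, and checks the observed 802.1p values against the CoS expected on each VLAN. The frames, MAC addresses and VLAN/CoS assignments are constructed for the example.

```python
import struct
from collections import Counter, defaultdict

ETH_HDR = struct.Struct("!6s6sH")   # destination MAC, source MAC, EtherType
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame):
    """Return (vlan_id, pcp, frame_length); vlan_id and pcp are None when
    the frame carries no 802.1Q tag."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("runt frame")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_8021Q:
        return None, None, len(frame)
    (tci,) = struct.unpack_from("!H", frame, ETH_HDR.size)
    pcp = tci >> 13          # 802.1p priority: top 3 bits of the TCI
    vlan_id = tci & 0x0FFF   # VLAN ID: low 12 bits (bit 12 is the DEI/CFI bit)
    return vlan_id, pcp, len(frame)


def vlan_statistics(frames):
    """Per-VLAN and per-CoS packet/byte totals, the counts behind the NAM's
    VLAN Traffic Statistics and VLAN Priority Statistics collections."""
    per_vlan = defaultdict(lambda: {"packets": 0, "bytes": 0})
    per_cos = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        vlan_id, pcp, length = parse_frame(frame)
        vkey = "untagged" if vlan_id is None else vlan_id
        ckey = "untagged" if pcp is None else pcp
        for table, key in ((per_vlan, vkey), (per_cos, ckey)):
            table[key]["packets"] += 1
            table[key]["bytes"] += length
    return dict(per_vlan), dict(per_cos)


def top_n(stats, n=10, field="bytes"):
    """TopN view of a statistics table (the NAM default N is 10)."""
    return sorted(stats.items(), key=lambda kv: kv[1][field], reverse=True)[:n]


def cos_mismatches(frames, expected_pcp):
    """Count frames whose 802.1p value differs from the CoS expected on their
    VLAN: a quick way to spot CoS marking problems in the priority report."""
    mismatches = Counter()
    for frame in frames:
        vlan_id, pcp, _ = parse_frame(frame)
        if vlan_id in expected_pcp and pcp != expected_pcp[vlan_id]:
            mismatches[(vlan_id, pcp)] += 1
    return dict(mismatches)


def _frame(payload_len, vlan_id=None, pcp=0):
    """Build a constructed Ethernet frame, 802.1Q-tagged when vlan_id is set."""
    dst = bytes.fromhex("001122334455")   # constructed MAC addresses
    src = bytes.fromhex("00aabbccddee")
    if vlan_id is None:
        header = ETH_HDR.pack(dst, src, ETHERTYPE_IPV4)
    else:
        header = ETH_HDR.pack(dst, src, ETHERTYPE_8021Q)
        header += struct.pack("!HH", (pcp << 13) | vlan_id, ETHERTYPE_IPV4)
    return header + bytes(payload_len)


# Constructed sample: voice VLAN 10 should carry CoS 5, data VLAN 20 carries
# CoS 0; one voice frame is mis-marked with CoS 0 and one frame is untagged.
SAMPLE_FRAMES = (
    [_frame(200, vlan_id=10, pcp=5)] * 3
    + [_frame(200, vlan_id=10, pcp=0)]
    + [_frame(1000, vlan_id=20, pcp=0)] * 2
    + [_frame(100)]
)

if __name__ == "__main__":
    per_vlan, per_cos = vlan_statistics(SAMPLE_FRAMES)
    print("VLAN traffic statistics:", per_vlan)
    print("VLAN priority statistics:", per_cos)
    print("TopN VLANs by bytes:", top_n(per_vlan, n=2))
    print("CoS mismatches:", cos_mismatches(SAMPLE_FRAMES, {10: 5}))
```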


Action 3: Using NDE with Cisco NAM

This topic describes how to use NDE with Cisco NAM.

Monitoring NetFlow Overview

[Figure: remote NetFlow-enabled device sending NetFlow Data Export (NDE) to the NDE Dataport of a Cisco NAM that also has Dataport-1 and Dataport-2. Callout: by default the local supervisor engine or MSFC is always available as an NDE device.]

Since a router at the smaller branch office does not have an embedded NAM-1 or NAM-2, the NetFlow data collected at this router can be exported to a remote NAM-1 or NAM-2 for storage and reporting.

NetFlow data that is exported from a remote device can be received on a remote NAM interface. As illustrated, the NDE packets can be directed to the NAM-1 and NAM-2 NDE Dataport interface.


Configuration Steps

1. Configure the NetFlow device to forward to NAM-1 or NAM-2 on UDP port 3000.
2. Use the listening mode (Traffic Analyzer software) to see who is sending NDE traffic to the Cisco NAM.
3. Define the NetFlow device:
   - An NDE data source is auto-created for all forwarded traffic.
   - Alternatively, create a custom NDE data source for a subset of all forwarded NDE traffic.

[Figure: remote NetFlow device exporting NDE to the Cisco NAM. Callout: flow data is exported when enabling NetFlow on this incoming interface.]

The first step in using NDE packets for monitoring purposes is to configure the NetFlow device to forward them to a NAM on User Datagram Protocol (UDP) port 3000. (By default, the local supervisor engine or Multilayer Switch Feature Card (MSFC) is always available as an NDE device.)

The configuration commands for NetFlow devices to export NDE packets to Cisco NAM are platform and device specific. The example configuration commands provided here are the ones most commonly found for devices running Cisco IOS Software:

Note
For more detailed information, see your device documentation.

Step 1
Select the interface on which you wish to turn on routed flow cache. Use the ip flow ingress command to enable NetFlow on a subinterface level. Use the ip route-cache flow command to enable NetFlow on the main interface.

6500(config)#interface type slot/port
6500(config-if)#ip route-cache flow

Step 2
Export routed flow cache entries to UDP port 3000 of the remote NAM.

6500(config)#ip flow-export destination NAM_IP_address 3000


Configure Listening Mode

[Figure: Setup > Data Sources > NetFlow > Listening Mode screen. Callouts: use the listening mode to determine which devices are forwarding NDE packets to the Cisco NAM; the devices found are listed here; after a new device is detected, the NetFlow device sending NDE packets to the Cisco NAM must be entered into the NAM NDE device table in order for the Cisco NAM to collect data on it; view interfaces reported sending NDE to Cisco NAM; Start begins the listening mode; Add adds the selected device to the NAM NDE table.]

Next, Cisco NAM must add the devices that are sending NDE before NDE packets will be considered for monitoring. When the NetFlow devices are added to Cisco NAM, it creates a default NDE data source for each device.

But what devices were configured to send NDE to Cisco NAM? Use the NetFlow Listening Mode task to display all devices sending NDE packets to Cisco NAM. Launch the NetFlow Listening Mode by clicking Setup > Data Sources > NetFlow > Listening Mode and clicking the Start button on the Listening Mode table. Assuming Auto Refresh is selected, the table will periodically update (listening mode will automatically stop after 1 hour) to display the devices Cisco NAM is receiving NDE packets from.

Highlight one of the devices and click Details to view the interfaces reported in the packets and whether or not the device has been added to the NAM NetFlow table. If the device has not been added to the NAM NetFlow table, highlight the device and click the Add button. A new dialog will query the user for the device SNMP read community string to retrieve the text string interface designations. Adding the device to the NDE table creates a default NDE data source, which can be used to monitor the aggregate of all enabled flows on the device.

Note
Remember, to create an NDE data source the device must be added to the NAM NetFlow table.

When the device is added to the NAM NetFlow device table with the associated SNMP read community string, the Details window will also display the text string interface designation and not just the interface index number.

The default NDE data source, created when a device is added to the NAM NetFlow table, is an aggregate of the data on all NetFlow-enabled interfaces of a device. To focus in on a particular flow (one or more interfaces), a custom NDE data source can be created that extracts the desired flows and treats this subset as a distinct data source against which NAM analysis and reporting can be performed. Use the Custom Data Source task to create an NDE data source for a subset of all flows. For more information on creating Custom Data Sources, refer to the online help or the User Guide for the Network Analysis Module Traffic Analyzer, Release 3.6.


Besides adding devices from the Listening Mode window, devices can be added, edited, or deleted at any time using the Setup > Data Sources > NetFlow > Devices task. Additionally, if monitoring reports are not showing any data, first refer to this list, highlight the suspect device, and click the Test button to verify connectivity.

When NDE packets are being forwarded to Cisco NAM by a remote device and the device has been added to the NDE Table in Cisco NAM, Cisco NAM creates a default NDE data source for all the flows from this device. When this happens, use the Traffic Analyzer software to enable collection or monitoring of the NDE data source.
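Added example (not Cisco's code): a Python sketch of what the NAM does with NDE as described in this section, from the listening mode through the NetFlow device table to the default and custom NDE data sources. It assumes the exporter sends NetFlow version 5 (the text does not state the export version) and uses a constructed datagram from a branch router at 192.0.2.1.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

NDE_PORT = 3000  # UDP port the NAM listens on for NDE, as configured in the text
V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record


def parse_nde_v5(datagram):
    """Return the flow records carried in one NetFlow v5 export datagram."""
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow export version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated NDE datagram")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return records


def listening_mode(datagrams):
    """Like the NAM's NetFlow Listening Mode: which exporters are sending NDE,
    and which interface indexes their records report."""
    seen = defaultdict(set)
    for sender, payload in datagrams:
        for r in parse_nde_v5(payload):
            seen[sender].update((r["in_if"], r["out_if"]))
    return dict(seen)


class NdeSource:
    """An NDE data source: all flows of one exporter (the default source) or
    only the flows touching a chosen set of interfaces (a custom source)."""

    def __init__(self, exporter, interfaces=None):
        self.exporter = exporter
        self.interfaces = set(interfaces) if interfaces else None

    @property
    def name(self):
        base = f"NDE-{self.exporter}"   # naming used in the NAM data source drop-down
        return base if self.interfaces is None else base + "-custom"

    def accepts(self, sender, rec):
        if sender != self.exporter:
            return False
        return self.interfaces is None or bool(self.interfaces & {rec["in_if"], rec["out_if"]})


def host_statistics(datagrams, source, device_table):
    """Per-host packet/octet totals for one data source. Exporters that are
    not in the NAM NetFlow device table are ignored, as the text describes."""
    stats = defaultdict(lambda: {"packets": 0, "octets": 0})
    for sender, payload in datagrams:
        if sender not in device_table:
            continue
        for r in parse_nde_v5(payload):
            if source.accepts(sender, r):
                for host in (r["src"], r["dst"]):
                    stats[host]["packets"] += r["packets"]
                    stats[host]["octets"] += r["octets"]
    return dict(stats)


def _v5_record(src, dst, in_if, out_if, pkts, octets, sport, dport, proto):
    """Pack one constructed NetFlow v5 record (unused fields left at zero)."""
    return V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0,
                          in_if, out_if, pkts, octets, 0, 0, sport, dport,
                          0, 0, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample: one NDE datagram with three flows from a branch router
BRANCH_ROUTER = "192.0.2.1"
SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 3, 0, 0, 0, 0, 0, 0, 0)
    + _v5_record("10.1.1.10", "10.2.2.20", 1, 2, 10, 1500, 40000, 80, 6)
    + _v5_record("10.1.1.11", "10.2.2.20", 1, 2, 4, 600, 40001, 443, 6)
    + _v5_record("10.3.3.30", "10.2.2.20", 3, 2, 7, 900, 5000, 53, 17)
)
SAMPLE_DATAGRAMS = [(BRANCH_ROUTER, SAMPLE_DATAGRAM)]

if __name__ == "__main__":
    print("listening mode:", listening_mode(SAMPLE_DATAGRAMS))
    table = {BRANCH_ROUTER}                       # device added to the NAM NetFlow table
    default_src = NdeSource(BRANCH_ROUTER)
    custom_src = NdeSource(BRANCH_ROUTER, interfaces=[1])
    print(default_src.name, host_statistics(SAMPLE_DATAGRAMS, default_src, table))
    print(custom_src.name, host_statistics(SAMPLE_DATAGRAMS, custom_src, table))
```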


Enable Collection of Remote NDE Statistics

[Figure: Setup > Monitor > Core Monitoring screen with an NDE data source selected. Callout: The NDE statistics available from the remote NetFlow-enabled device are a source of data for the Cisco NAM. For the Cisco NAM to analyze and report on these statistics, monitoring of these data sources must be enabled.]

In this case, the remote branch router is providing NDE packets to Cisco NAM for analysis. Just like any NAM data source, the NDE packets, or data source, at this point are only being accepted by Cisco NAM; no processing of statistics takes place until monitoring is enabled for the individual data sources, as illustrated in the figure. Remote NDE packets are represented in the data source drop-down window as NDE-<remote IP address>.


Viewing of application statistics from remote NDE statistics is available by using the Monitor tab and clicking on the appropriate submenu. In this case, select NDE-<remote NetFlow-enabled device IP address> as the data source.

Note
Remember that packet captures and real-time graphs over time are not available using NDE as a data source, since the NDEs are statistics from NetFlow and not actual packets for analysis.


Viewing Conversations and Hosts via NDE

[Figure: Monitor > Hosts screen with an NDE-<remote IP address> data source selected. Callouts: data captures and real-time graphs over time are not available using NDE as a data source since the NDEs are statistics from NetFlow and not packets; click Details to see application protocols used and its conversations.]

Viewing of host and conversation statistics from remote NDE statistics is available by using the Monitor tab and clicking on the appropriate submenu. In this case, choose NDE-<remote NetFlow-enabled device IP address> as the data source.


Scenario 2: Response-Time Monitoring

This topic discusses the scenario where Application Response Time (ART) is used.

Application Response Time Monitoring

* Problem description:
  - An increase in employees and application usage at the server farm
  - Response-time monitoring is essential to ensure productivity of its employees
* Monitoring plan:
  - Verify Cisco NAM deployment
  - Set up response-time monitoring
  - View statistics
  - Configure alarms for proactive monitoring (refer to the troubleshooting scenario)

With the opening of many new offices, critical corporate applications, located at the centralized server farm, are being heavily accessed. Having slow or unavailable access to these applications is unacceptable. Thus, the network monitoring team has met to discuss ways to monitor the application response times of these applications.

The action plan is to perform the following actions and then report back on the results:

* Verify that Cisco NAM is deployed in appropriate locations for monitoring response time
* Set up Cisco NAM to monitor application response times
* Monitor the application response-time statistics collected by Cisco NAM
* Configure alarms for proactive monitoring (view the steps for configuring response-time alarms in "Scenario 4: Troubleshooting")

Verify Cisco NAM Deployment

The NAM can monitor application response times by capturing packets, time-stamping them, and measuring the time between a client request and the fulfillment of that request by the server. This information helps you identify where the application delays are occurring: at the servers, on the network between the client and server switch, or at the client.

Response-time measurements can be a very useful indicator of server or network performance. You can use this monitoring function to warn you when a server or the network performance degrades. It works by collecting statistics based on unique transactions (TCP sequence and acknowledgement numbers) in the packets of conversations it observes in your data source.


In addition to response-time reporting, you can also use other reporting features such as application statistics, TopN talkers to the server, conversations between the server and clients to identify who the server is talking to and what its bandwidth consumption is for each pair, or utilization or errors on the switch port that the server connects to. All these perspectives and options help you both identify trends in the performance of the application server and troubleshoot problems when they arise.

For acute application or network performance problems, you can use the NAM packet decode feature to view traffic on a packet-by-packet basis.


In this scenario, the NAMs located at the distribution layer are currently spanning traffic to/from the various VLANs. Since the NAMs are NAM-2 type service modules, a second SPAN session can be created to span traffic from the application servers located at the server farm (a set of physical ports). This will allow the NAMs to view all client/server transactions. (Note that NDE records [NetFlow records] cannot provide response-time monitoring; not enough information is contained in the records.)

The Traffic Analyzer software on Cisco NAM can configure the SPAN sessions on the hosting device. The upcoming steps span, or copy, the packets coming from and going to four switch ports located on Module 3. In this scenario, these are the ports connected to the application servers. Setting up the SPAN session will allow the traffic going to and from the servers to be analyzed for response times by Cisco NAM:

Step 1
From the Active SPAN Sessions window, click Create. The Create SPAN Session window appears.


Set Data Source Ports

[Figure: Create SPAN Session screen. Callouts: the NAM-2 service module allows for two possible SPAN sessions; ports to be spanned to the NAM (DATAPORT2 interface); the data source to select will be DATAPORT2; Create SPAN session.]

These steps will configure the SPAN session, copying the packets coming from and going to four switch ports located on Module 3:


Step 2
You can select Switch Port, VLAN, EtherChannel, or RSPAN VLAN for spanning. In this scenario, there are four switch ports connected to the application servers. Click the radio button Switch Port.

Step 3
Choose the Switch Module containing the ports to span.

Step 4
Since we already have one active SPAN session for the voice VLANs, select the SPAN destination to be the second interface on Cisco NAM (DATAPORT2). Two SPAN sessions are only available with a NAM-2 service module.

Step 5
Both directions of traffic need to be monitored. Click the radio button Both.

Step 6
Choose the ports connected to the application servers from the Available Sources list. Move them to the Selected Sources list by clicking Add.

Step 7
When you are done adding all the ports to span, click Submit. The SPAN session is created on the switch automatically.

Step 8
If using native Cisco IOS Software, you must then click on Save from the previous Active SPAN Sessions window to complete creating the SPAN session and save it to the startup configuration.

Note
Response-Time Monitoring needs to see the request-acknowledge pair to perform its analysis. Make sure the selected data sources are capable of seeing both packets.

Once the data source is set up, continue the setup for Response-Time Monitoring. Click Setup > Monitoring > Response Time Monitoring. You will be given the option to choose which data source you want to monitor. In this scenario, it was DATAPORT2.

Editing the selected data source opens a dialog box which allows you to configure the resolution of the response-time samples and how the samples are reported. The report interval allows you to define the sampling interval and the amount of time to collect response-time samples. The next seven options are buckets that Cisco NAM uses to store the results of the response-time samples for reporting purposes. For example, if a sample response-time measurement is determined to be less than 5 milliseconds (ms), then Cisco NAM would increment the RSPTime1 bucket by 1 and Cisco NAM will report that sample as one response-time sample of less than 5 ms. As you can see, these options give you much control over the granularity of response-time measurements and reporting you can configure.


Understanding the Statistics

[Figure: clients, Cisco NAM, and server, with Client Network Delay on the client side of the NAM, Server Network Delay on the server side, Network Delay spanning both, Application Delay at the server, and Total Delay covering the whole path. Transaction time is the total amount of time from the first packet of a client request until the client receives the final response packet from the server.]

When viewing the various statistics for response-time measurements, you will encounter these terms:

* Client Network Delay (CND): The network round-trip time (or flight time) between a client and the Cisco NAM switch or router.

* Server Network Delay (SND): The network round-trip time (or flight time) between a server and the NAM switch or router.

* Application Delay (AD): The time it takes a server application (for example, a web server application) to respond to a request. AD is the time between the client request arriving at the server application and the first response being returned by the application.

* Network Delay (ND): The network round-trip time (flight time) between a client and a server through the NAM switch or router. ND is equal to the sum of CND and SND.

* Total Delay (TD): The total amount of time from the first packet of a client request until the client receives the first response packet from the application server. TD is the sum of the ND and the AD.

* Transaction Time (TT): The total amount of time from the first packet of a client request until the client receives the final response packet from the server.
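The six terms above, computed for one constructed client/server exchange as a NAM sitting at the switch would see it, followed by the bucket counting described in the Response Time Monitoring setup. This is an added illustration, not Cisco NAM's code; the handshake-based timing formulas and the bucket boundaries are assumptions made for the example.

```python
from bisect import bisect_right
from dataclasses import dataclass


@dataclass
class Pkt:
    t_ms: float   # time the NAM observed the packet, in milliseconds
    src: str      # "client" or "server"
    kind: str     # "SYN", "SYN-ACK", "ACK", "REQ", or "RESP"


def response_time_stats(pkts):
    """Return CND, SND, AD, ND, TD and TT (ms) for one TCP client/server
    transaction observed at the NAM's vantage point on the switch.

    Assumption for this illustration: the TCP handshake supplies the two
    flight times. The NAM sees SYN at t0, SYN-ACK at t1 and the client's ACK
    at t2, so SND = t1 - t0 (switch -> server -> switch) and CND = t2 - t1
    (switch -> client -> switch).
    """
    def first(src, kind):
        return next(p.t_ms for p in pkts if p.src == src and p.kind == kind)

    t_syn = first("client", "SYN")
    t_synack = first("server", "SYN-ACK")
    t_ack = first("client", "ACK")
    snd = t_synack - t_syn
    cnd = t_ack - t_synack
    nd = cnd + snd                                   # ND = CND + SND

    t_req = first("client", "REQ")                   # first packet of the request
    resp = [p.t_ms for p in pkts if p.src == "server" and p.kind == "RESP"]
    t_first_resp, t_last_resp = min(resp), max(resp)

    # Between the request passing the switch and the first response passing it
    # lie the server-side flight time (SND) and the application's own delay.
    ad = (t_first_resp - t_req) - snd
    td = nd + ad                                     # TD = ND + AD
    # The client sent the request half a CND before the switch saw it and
    # receives the last response half a CND after, so add one full CND.
    tt = (t_last_resp - t_req) + cnd
    return {"CND": cnd, "SND": snd, "AD": ad, "ND": nd, "TD": td, "TT": tt}


def bucketize(samples_ms, boundaries_ms=(5, 10, 50, 100, 500, 1000)):
    """Count samples into the seven ordered response-time buckets. A sample
    below the first boundary lands in bucket 0 (the RSPTime1 bucket from the
    text), one at or above the last boundary in the final bucket. The
    boundary values are constructed for the example, not NAM defaults."""
    counts = [0] * (len(boundaries_ms) + 1)
    for s in samples_ms:
        counts[bisect_right(boundaries_ms, s)] += 1
    return counts


# Constructed trace of one HTTP-style transaction, all times in ms.
TRACE = [
    Pkt(0.0, "client", "SYN"),
    Pkt(1.5, "server", "SYN-ACK"),   # SND = 1.5
    Pkt(4.0, "client", "ACK"),       # CND = 2.5
    Pkt(5.0, "client", "REQ"),
    Pkt(18.5, "server", "RESP"),     # first response packet
    Pkt(20.0, "server", "RESP"),
    Pkt(24.0, "server", "RESP"),     # final response packet
]

if __name__ == "__main__":
    stats = response_time_stats(TRACE)
    for name, ms in stats.items():
        print(f"{name}: {ms:.1f} ms")
    print("buckets:", bucketize([3, 5, 7, 49, 600, 2000]))
```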


Viewing the Statistics

[Figure: Traffic Analyzer, Monitor > Response Time menu.] Response-time statistics are presented in four views:
* Server Application: per server application; application delay, network delay, total delay, and transaction time
* Server Network: server network delay and network delay
* Server/Client Application: per server/client pair; application delay, network delay, total delay, and transaction time
* Server/Client Network: client network delay, server network delay, and network delay

Viewing Statistics: Server Application

[Figure: Traffic Analyzer, Monitor > Response Time > Server Application table on data source DATAPORT2, showing statistics per server application. From these statistics you can pinpoint the location of the delay: Was it in the client network? Was it in the server network? Was it due to the application?]

To view response time per server application, click Monitor > Response Time > Server Application.

Each row in the table represents an application per server. The All Data radio button shows all applications. Alternatively, choose the TopN Chart, which provides a graph of the top applications. For each application, the table shows how many clients used the application, the application delay, the network delay, the total delay, and the transaction time. If you select one application and then click Details, a distribution of response times for that application is shown. If you select one application and then click Capture, a packet capture is automatically started for that application and server.

And as seen earlier, historical reports can easily be started from this window using the Report button.


Viewing Statistics: Server Application Details

[Figure: the Details window for one server application. The Distribution button provides per-application response-time distributions, one row per bucket (for example, response time less than 5 ms, between 5 and 15 ms, and so on) with the count of samples in each.]

If you see something of concern in the response-time table, you can click Capture to have a packet capture session start up automatically and collect only packets with the selected application and server IP address. To manage the packet captures, use the Capture tab. More information on packet captures will be provided in Scenario 4, "Troubleshooting." And as seen earlier, real-time graphs and historical reports can easily be started from these windows.


As mentioned, the response-time data can be shown for all applications collected or for the TopN servers (shown in this figure). Each bar in the graph represents an application per server. The variable graphed can be changed from the drop-down menu, as shown in the figure.


Scenario 3: URL Monitoring

This topic discusses the scenario where NAM is used for URL monitoring.

URL Monitoring
* Problem description: Understand and track how intranet web servers are used
* Monitoring plan:
  - Create data sources to monitor URL packets at the core layer
  - Set up URL monitoring
  - View URL hit statistics

As new products or applications roll out, the number of hits to a website of the product or a URL of the application may be daunting. In order to understand both hits to the website as well as application availability, the network management team has been requested to monitor the WAN for URL hits. The goal is to ensure that sufficient bandwidth has been allocated. The action plan is to perform the following actions and then report back on the results:
* Verify that Cisco NAM is deployed in appropriate locations for monitoring URLs at the corporate headquarters.
* Set up Cisco NAM to monitor URL hits.
* Monitor the URL statistics collected by Cisco NAM.


In this scenario, the NAMs located at the core layer can be configured to monitor the outgoing traffic on the Gigabit ports connected to the WAN. This will allow the NAMs to view all URL traffic to the Internet.

Note
NDE records (NetFlow records) cannot provide URL monitoring.

The Traffic Analyzer software on Cisco NAM can configure the SPAN sessions on the hosting device. The upcoming steps span or copy the outgoing traffic on the Gigabit ports connected to the WAN. Setting up the SPAN session will allow the traffic going to the Internet to be analyzed by Cisco NAM for URL hits.

Step 1
From the Active SPAN Sessions window, click Create. The Create SPAN Session window appears.

Set Up Data Source: SPAN Ports

[Figure: Traffic Analyzer, Create SPAN Session window. Callouts: span the ports connected to the WAN routers; the NAM-2 service module allows for two possible SPAN sessions; the ports to be spanned to the NAM (DATAPORT2) interface; to view reports later for this traffic, the data source to select will be DATAPORT2; Submit creates the SPAN session.]
These steps will configure the SPAN session, copying the packets leaving the Gigabit ports and going to the Internet routers.

Step 2
You can select Switch Port, VLAN, EtherChannel, or RSPAN VLAN for spanning. In this scenario, we are using the switch ports connected to the Internet routers. Click the radio button Switch Port.

Step 3
Choose the Switch Module containing the ports to span.

Step 4
Since we already have one active SPAN session, select the SPAN destination to be the second interface on Cisco NAM (DATAPORT2). Two SPAN sessions are only available with a NAM-2 service module.

Step 5
Just the transmit traffic needs to be monitored. Click the Tx radio button.

Step 6
Choose the ports connected to the Internet routers from the Available Sources list. Move them to the Selected Sources list by clicking Add.

Step 7
When done adding all the ports to span, click Submit. The SPAN session is created on the switch automatically.

Step 8
If using native Cisco IOS Software, you must then click on Save from the previous Active SPAN Sessions window to complete creating the SPAN session and save it to the startup configuration.


Set Up URL Collection

[Figure: Traffic Analyzer, URL collection setup for the NAM-2 DATAPORT2 interface. Callout: select which part of the URL should be collected by the Cisco NAM (radio buttons for the host, path, and argument parts, plus an optional Match Only expression).]
Once the data source is set up, continue with the configuration of URL monitoring. In this scenario, the network management team wants to monitor the outgoing traffic to the Internet. The previous figures illustrated how to configure a SPAN session to monitor transmit packets at the core layer. The interface on Cisco NAM that was monitoring this was DATAPORT2. This is the Data Source.

A URL, for example http://host.domain.com/intro?id=123, consists of a host part (host.domain.com), a path part (intro), and an arguments part (?id=123). The collection can be configured to collect all parts or to collect only some of the parts and ignore others.

The Match Only field is an optional parameter to limit collection to URLs that match the regular expression in this field. Depending on which radio button option is selected, the format of the URL varies. For example, the leading "http:" part is only present if the "host" part is collected. Keep this variable in mind when configuring a Match Only expression.

Note
URL monitoring can occur on a per-data-source basis.

View URL Hit Statistics

[Figure: Traffic Analyzer, Monitor > Apps > URLs, listing the URLs seen on the configured data source with their hit counts. Callout: since this host address is a popular site for an important server application, you can set the URL to be collected as an application or protocol; the application can then be analyzed like other apps (view hosts, conversations, and so on).]
After a data source has been configured for URL monitoring, the statistics can be viewed from the Monitor tab. Click Monitor > Apps > URLs. The window displays the collected URLs on the configured data source. If desired, you can use the Filter option to filter the URLs displayed by URL, host, path, or argument. Choose the filter option from the drop-down menu, enter a text string, and then click Filter.


URL-based applications are extensions to the protocol directory. When the URL in an HTTP request (a URL on TCP port 80) matches the criteria of a URL-based application, the traffic is classified as that protocol. A URL-based application can be used in the same way as any other protocol in the protocol directory. For example, a URL-based application can be used in collections, captures, and reports.

An incoming URL is matched against the criteria (illustrated in the figure) of the configured URL-based applications in the order of the index, until a match is found. When a match is found, the remaining URL-based applications are not considered. Therefore, to move a criterion higher up in the match list, change the index number to a lower value.
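The URL parts, collection options and index-ordered matching described in the URL monitoring and URL-based application passages above, as an added Python illustration (not Cisco NAM's code). The stored-URL format for options that omit the host, and the application names and criteria, are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def url_parts(url):
    """Split http://host.domain.com/intro?id=123 into its host part
    ('host.domain.com'), path part ('intro') and arguments part ('?id=123')."""
    u = urlsplit(url)
    args = f"?{u.query}" if u.query else ""
    return u.netloc, u.path.lstrip("/"), args


def collected_url(url, collect=("host", "path", "args")):
    """Rebuild the URL as the collection would store it for the chosen parts.
    The leading 'http://' exists only when the host part is collected, which
    is why a Match Only expression must be written for the selected option.
    (Assumed format; the page only states the host-dependent prefix rule.)"""
    host, path, args = url_parts(url)
    pieces = []
    if "host" in collect:
        pieces.append(f"http://{host}")
    if "path" in collect:
        pieces.append(f"/{path}")
    if "args" in collect:
        pieces.append(args)
    return "".join(pieces)


def passes_match_only(collected, match_only=None):
    """Optional Match Only filter: a regular expression applied to the
    collected form of the URL, so it must match that form, not the raw URL."""
    return match_only is None or re.search(match_only, collected) is not None


@dataclass
class UrlApp:
    """One URL-based application: an index plus regex criteria per URL part
    (None means that part is not checked). Names are constructed examples."""
    index: int
    name: str
    host: Optional[str] = None
    path: Optional[str] = None
    args: Optional[str] = None


def classify(url, apps, tcp_port=80):
    """Return the name of the first URL-based application, in index order,
    whose criteria all match; None when nothing matches. Only HTTP requests
    on TCP port 80 are considered, as the text states."""
    if tcp_port != 80:
        return None
    host, path, args = url_parts(url)
    for app in sorted(apps, key=lambda a: a.index):
        checks = ((app.host, host), (app.path, path), (app.args, args))
        if all(pat is None or re.search(pat, val) for pat, val in checks):
            return app.name          # later entries are not considered
    return None


def reindex(apps, name, new_index):
    """Give one application a new index (lower = checked earlier)."""
    return [UrlApp(new_index if a.name == name else a.index,
                   a.name, a.host, a.path, a.args) for a in apps]


# Constructed configuration: a broad host-only entry and a narrower host+path one.
APPS = [
    UrlApp(1, "intranet-web", host=r"^host\.domain\.com$"),
    UrlApp(2, "intranet-intro", host=r"^host\.domain\.com$", path=r"^intro"),
]
EXAMPLE_URL = "http://host.domain.com/intro?id=123"

if __name__ == "__main__":
    print(collected_url(EXAMPLE_URL, ("host",)), "|",
          collected_url(EXAMPLE_URL, ("path", "args")))
    # The broad entry shadows the narrower one until its index is lowered.
    print(classify(EXAMPLE_URL, APPS))                                # intranet-web
    print(classify(EXAMPLE_URL, reindex(APPS, "intranet-intro", 0)))  # intranet-intro
```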


Enable Collection for URL-Based Applications

[Figure: Traffic Analyzer, Setup > Protocol Directory > Individual Applications, listing the defined protocols including the URL-based protocol. Callout: enable or disable collection of statistics (hosts, conversations, response time) on the new URL-based application, or any other protocol, using this menu.]
Previously, you saw how to create a "URL-" protocol from the Monitor > Apps > URLs report. The Setup > Protocol Directory > URL-Based Applications task will let you manually create, edit, and delete URL protocols. As illustrated in the figure, selecting the Setup > Protocol Directory > Individual Applications task will present you with a list of already defined protocols, including the URL-based protocol.

Use this screen to create proprietary protocols to monitor or, in rare circumstances, to edit the settings for well-known protocols.

Note
It is recommended that users do not make changes to the protocol directory from this screen. The NAM is designed to function with default protocols. Also, modifications that SNMP management applications sometimes make to the protocol directory might conflict with customizations made on this screen.

Scenario 4: Troubleshooting

This topic discusses the scenario where NAM is used for troubleshooting.

Troubleshooting
* Problem description: The network management team wants to ensure that they are proactive to any arising performance conditions at the data center
* Monitoring plan:
  - Select which statistics to alarm on
  - Determine the appropriate threshold to trigger alarms, and determine how to alert the team
  - Configure thresholds
  - Monitor and forward alarms
  - Trigger packet captures when conditions arise

It is obvious that the network management team cannot continuously be looking at statistics to determine if problems may be occurring. And to simply wait for the phone to ring from employees complaining about problems is not being proactive and is the wrong approach. Thus, the network management team has met to determine which statistics could be watched by Cisco NAM and then have Cisco NAM alert the team when the statistics hit a threshold condition. The network management team has discussed the various thresholds and alarms, which statistics to monitor, how to configure thresholds, how to forward alarms, and possibly how to trigger packet captures to gather more evidence on the condition.


Action 1: Thresholds and Alarms

This topic discusses thresholds and alarms and how to configure them on NAM.

Understanding Thresholds and Alarms: Think Before You Configure
* What is an alarm, a threshold, an event, a trap?
* What do I monitor and how do I define the thresholds?
* What is considered normal on my network?
* How do I let others know about failures on my network?

Configuring alarms is a serious matter. This is because alarms are what network managers and engineers rely on to notify them when network or device performance falls below expectations. Alarms require a careful analysis of what variables are stored in the MIBs that will inform you of network and device problems and an equally careful implementation of those alarms. What is considered normal on your network? You may want to consider baselining your network to establish your expectations of normal behavior before you begin defining alarms. Another reason to carefully consider what alarms you need is because they consume NAM resources, and use of resources obviously can affect NAM performance.

Before you learn the details of alarm configuration, here is a review of some terminology:

* Alarm: An alarm is the condition that identifies when network or device performance falls below defined or normal expectations. You use thresholds (rising, falling, or both) to define the boundaries of your expectations. You set thresholds against MIB variables and, with Cisco NAM, you can set thresholds against Remote Monitoring (RMON) variables. There are different kinds of variables in MIBs, but the most common type that you will encounter on Cisco NAM is a counter variable. Counter variables work by incrementing the value in the MIB variable by one each time it sees a match for the variable. For example, if you use the variable broadcast packets, then every time Cisco NAM receives a broadcast packet, it will increment the counter by 1. One way to use alarms with counter variables is to measure the difference (delta) between the value of the variable at the start and at the end of the sampling interval, thus reporting only the number of packets observed during the sampling interval. The other option for evaluating the data is by using the absolute value of the variable when it was read. For example, if the MIB variable for broadcast packets had an absolute value of 33874 when sampled, then Cisco NAM will report 33874 broadcast packets since the MIB variable was last cleared.


* Event: An event is the actual occurrence of the condition you have defined in your alarm, such as when the network performance falls below your expectations. An event occurrence is stored in the MIB and is used for alarm reporting.

* Trap: A trap is an SNMP message generated by the SNMP agent in the device that observed the event and is sent to the management station that has been configured to receive these traps. A trap is how Cisco NAM is alerted to conditions; Cisco NAM can then alert personnel using another trap, a syslog message, or an e-mail.

Configuring Traffic Analyzer: Define the Threshold Conditions

[Figure: table of threshold types.]
* NAM MIB Thresholds: Enables you to define thresholds or alarms based on byte or packet counts by protocol for network and MAC layer hosts and conversations
* NAM Voice Thresholds: Enables you to define thresholds or alarms for packet loss and jitter for SCCP, H.323, SIP, and MGCP
* NAM RTP Stream Thresholds: Enables you to define thresholds or alarms for packet loss statistics based on the RTP sequence number
* Switch Thresholds: Enables you to define thresholds or alarms for variables stored in the mini-RMON agent of the switch; this includes variables such as port utilization, fragments, jabbers, alignment errors, collisions, and more

The Traffic Analyzer alarm features allow you to create alarms for a variety of the variables stored in MIBs either on Cisco NAM or on the switch or router. The following features allow you to create and customize alarms to meet your needs. Review the various tasks prior to using the software to configure.

Use these tasks to define thresholds for live monitoring of data, voice, and video traffic:
* NAM MIB thresholds: NAM MIB thresholds enable you to create alarms and define thresholds based on byte or packet counter variables by protocol for network and MAC layer hosts and conversations. Additionally, MIB threshold alarms can also be created for server response time, server-client response time, DiffServ traffic statistics, DiffServ host statistics, and DiffServ application statistics.
* NAM voice thresholds: NAM voice thresholds enable you to create alarms and define thresholds for packet loss and jitter for Skinny Client Control Protocol (SCCP), H.323, Session Initiation Protocol (SIP), and Media Gateway Control Protocol (MGCP).
* NAM RTP stream thresholds: NAM RTP stream thresholds enable you to create alarms and define thresholds for packet loss statistics based on the RTP sequence number.
* Switch thresholds: Switch thresholds enable you to create alarms and define thresholds for the variables stored in the mini-RMON agent of the local switch. This includes variables for port utilization, fragments, jabbers, alignment errors, collisions, and more.


Configuring Traffic Analyzer: Define Action When Threshold Is Met

[Figure: table of alert destinations.]
* NAM Syslog: Enables you to store MIB and voice events, as well as system alerts, in either a local or remote syslog file
* NAM Alarm Mail: Enables you to define e-mail recipients that should receive notification of events generated by the Traffic Analyzer
* NAM Trap Destinations: Enables you to define the IP address and UDP port for the management stations that should receive notification of events generated by the Traffic Analyzer

Use these tasks to define how the network management team should be alerted to thresholds that have been reached.
* NAM syslog: Syslog configuration enables you to send alerts as syslog messages to either a local or remote syslog file.
* NAM alarm mail: NAM alarm mail allows you to forward alerts as e-mail messages to a list of defined recipients.
* NAM trap destinations: NAM trap destinations enable you to define the IP address and UDP port for the management stations that should receive notification of events generated by Cisco NAM.


Configuring Cisco NAM MIB Thresholds

[Figure: Traffic Analyzer, Setup > Alarms > NAM MIB Thresholds. Example: monitor the maximum application response time to the application server located at the corporate server farm. Callouts: choose what MIB variable you want to monitor (the drop-down list includes Network Layer Hosts, Network Layer Conversations, MAC Layer Hosts, MAC Layer Conversations, Application Statistics, Server Response Times, Server/Client Response Times, Server Timeouts, DiffServ Traffic Stats, DiffServ Host Stats, and DiffServ Application Stats); choose the analysis type (for example, packets or bytes).]

The network management team has decided to closely monitor the maximum application response time to the application servers located at the corporate server farm. Use these steps to configure the plan:

Step 1
Using the Traffic Analyzer software, choose Setup > Alarms to enter setup mode for alarms.

Step 2
Choose the NAM MIB Thresholds task.

Step 3
Click the Create button.

Step 4
Choose the variable to monitor (that is, Server Response Times) from the drop-down list for the variable you want to alarm on.

Step 5
Choose the type of analysis you want to perform on the variable. The type of analysis depends on the MIB variable selected. For most NAM threshold alarms, you have the option of alarming by the number of received packets or bytes or transmitted packets or bytes. For application-based alarms, the selection is either packets or bytes, and for the response-time alarms, the analysis selections include average, maximum, retries, timeouts, and bytes. You can also choose which network protocol you want to filter on (IP, IP version 6 [IPv6], Internet Packet Exchange [IPX], AppleTalk, DECnet, or Banyan Virtual Integrated Network Service [VINES]). In this scenario, choose Server Maximum Response Time.

Step 6
Click Next to move to the next configuration screen to set the threshold parameters.

This figure shows you the remaining configuration choices that you must make to complete the alarm setup for the current example. The configuration choices will vary depending on the variable selected.

The first option is to select the data source. In this scenario, the traffic going to and coming from the application servers is being spanned to the second SPAN interface (DATAPORT2) on Cisco NAM on the distribution layer switch; refer to an earlier scenario. (Remember, before you can define a NAM MIB threshold, you must enable data collection first. The NAM MIB threshold alarms enable you to create alarms for hosts and conversations. Therefore, you must enable host and conversation statistics for every data source you want to configure an alarm on.)

Next, enter the parameters specific to the selected threshold type. For example, if Server Response Time was selected, enter the IP address of the server for the device you want to alarm on. Then, define the interval (the length of time in seconds of the collection period) and a descriptive name for the alarm.

For some variables, not response time, you must also choose the sample type: Absolute or Delta. When you are using counters, you should almost always use Delta because it is used to measure the amount that the counter has increased during a sampling interval.

Always set the value for the rising and falling thresholds. Know what is normal and abnormal by monitoring and trending the variables, as seen in the previous scenarios. Setting both threshold values gives you the option to reset (rearm) the alarm. The reason for this is because alarms are like binary switches: they are either on or off. When you turn an alarm on, it stays on unless you set another threshold to change the alarm from on to off. Rising thresholds serve to rearm falling thresholds, and falling thresholds serve to rearm rising thresholds.


After you have set your thresholds, you must choose which action the alarm should take:
* Log the event with syslog messaging.
* Send a trap message to the management station configured to receive them. If you choose to send a trap, you must enter the community string of the management station that will receive the trap in the dialog window. The community string must match the trap community string set in Setup > Alarms > NAM Trap Destinations.
* Both (log the event and send trap).

The NAM also gives you the capability to control a packet capture on the data source upon receipt of the alarm. (Learn more about packet captures later in this scenario.) Click Finish to enable the alarm.


Configuring switch thresholds on the NAM-1 and NAM-2 allows you to set alarms for the variables stored in the mini-RMON agent in the Cisco Catalyst switch. Using this option, you can create port-level alarms for utilization, dropped events, bytes, packets, broadcasts, multicasts, cyclic redundancy check (CRC) alignment errors, undersized frames, oversized frames, fragments, jabbers, and collisions.

To configure alarms for these variables, choose the port you want to alarm on, the variable, the sampling interval, a descriptive name, a sample type, threshold definitions and values, the alarm event or action, and the community string for the management console that will receive traps, if you configured the alarm to trap on the event. Remember that you must create a new alarm for every port you want to alarm on.

The Sample Type is based on the variable you choose. If you want to compare the difference between a variable at one time interval and the next time interval, use the sample type Delta. This is typical for counter variable types. The delta value is then compared to the threshold value.
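The following is an added example, not Cisco code or part of the original guide: a small model of the RMON-style threshold alarm described above. It shows the difference between the Absolute and Delta sample types and the rearm behaviour (after a rising event, no further rising event fires until the falling threshold is crossed, and vice versa). The variable names and counter readings are constructed for the example.

```python
"""RMON-style threshold alarm evaluation (added example, not Cisco code).

Sample type "absolute" compares the raw value with the thresholds; "delta"
compares the change between two consecutive samples. After a rising event
fires, no further rising event is generated until the falling threshold is
crossed (and vice versa), which is the rearm behaviour described in the text.
The counter readings below are constructed sample data, not real switch stats.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ThresholdAlarm:
    variable: str                 # e.g. "etherStatsCRCAlignErrors" on one port
    sample_type: str              # "absolute" or "delta"
    rising: int
    falling: int
    _last_sample: Optional[int] = None
    _rising_armed: bool = True    # both directions armed at startup
    _falling_armed: bool = True
    events: List[str] = field(default_factory=list)

    def sample(self, value: int) -> Optional[str]:
        """Feed one polling-interval sample; return the event raised, if any."""
        if self.sample_type == "delta":
            if self._last_sample is None:       # first sample: nothing to diff against yet
                self._last_sample = value
                return None
            compared = value - self._last_sample
            self._last_sample = value
        elif self.sample_type == "absolute":
            compared = value
        else:
            raise ValueError("sample_type must be 'absolute' or 'delta'")

        event = None
        if compared >= self.rising and self._rising_armed:
            event = f"RISING {self.variable}={compared} >= {self.rising}"
            self._rising_armed = False   # stay quiet until a falling crossing rearms us
            self._falling_armed = True
        elif compared <= self.falling and self._falling_armed:
            event = f"FALLING {self.variable}={compared} <= {self.falling}"
            self._falling_armed = False
            self._rising_armed = True
        if event:
            self.events.append(event)
        return event


def run_crc_scenario() -> List[str]:
    """Delta alarm on a CRC/alignment error counter: 3 errors per interval
    rising, 0 falling. Returns the events raised over the constructed readings."""
    alarm = ThresholdAlarm("etherStatsCRCAlignErrors", "delta", rising=3, falling=0)
    counter_readings = [100, 101, 105, 110, 112, 112, 112, 120]   # constructed, one per interval
    for reading in counter_readings:
        alarm.sample(reading)
    return alarm.events


if __name__ == "__main__":
    for e in run_crc_scenario():
        print(e)
```

Note that the interval with a delta of 5 (110 - 105) raises nothing: the rising side is disarmed until a delta of 0 crosses the falling threshold, which is exactly why a flapping counter does not flood the management station with one trap per interval.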


Configuring Alarms: Send Alarms via Syslog

(Figure: the Setup > Alarms > NAM Syslog screen of the NAM Traffic Analyzer. A syslog message is sent to either the local or a remote syslog server when alarms are generated by violations of MIB, voice, or RTP thresholds. The remote syslog servers are defined on this screen.)

The NAM Syslog feature enables you to forward messages generated by the alarms to either the NAM syslog or to a remote server syslog file. This is a particularly useful feature because you can review these files to help identify patterns and repetition of problems and events on your network. CiscoWorks and other third-party systems support the parsing of syslog files for centralized event notification and monitoring. To enable this feature, choose the syslog file location, local or remote, for each of the three event types: MIB thresholds, voice thresholds, and system alerts. If you choose Local, Cisco NAM will store alert messages in its own syslog file. If you choose to log events and alerts to remote servers, enter either the IP address or the IP hostname for up to five remote servers. You can mix and match any combination of events with locations. For example, if you have a person dedicated to managing your voice system, you may choose to forward all voice threshold events to a server dedicated to voice management. Syslog messages are sent unencrypted and unauthenticated, so the remote servers should be reachable only over the management network.


One more step is required to complete the configuration of alarms within the Traffic Analyzer: configuring it to forward traps to a network management console. Configuring traps is also a simple process. All you need to do is gather some information: the IP address, the UDP port number, and the community string for the management console that you have designated to receive the traps. Notice that you can configure the Traffic Analyzer to send traps to multiple destinations, all with the same (or different) UDP port number and community string.

Note: The well-known SNMP trap UDP port number is port 162.

Configuring Alarms: Send Alarms via E-mail

(Figure: the Setup > Alarms > NAM Alarm Mail screen. Enter multiple e-mail addresses to receive notification of Cisco NAM alarms. Click the link to configure the e-mail server under Admin > System > E-mail Configuration.)

As an alternative to notification via syslog or trap, Cisco NAM can be configured to send an e-mail to a list of recipients when an alarm occurs. To configure this, use the Setup > Alarms > NAM Alarm Mail task to enable the feature and enter a comma-separated list of recipients.


For thresholds that have been reached and were configured to have the alarm logged locally, you can view the logged alarms by selecting the Alarms tab. For the NAM-1 and NAM-2 service modules, this action allows you to view the syslog messages logged on Cisco NAM. To clear the NAM log, click the Clear button.


Viewing Alarm Logs: Switch Thresholds

(Figure: the Alarms > Switch screen of the NAM Traffic Analyzer. A good description entered during setup can help pinpoint the exact nature of the alarm.)

If you choose the Switch link, you can view the alarms generated by the Cisco Catalyst switch. These alarms are a result of the switch threshold configuration choices you made under the Setup > Alarms > Switch Threshold menu. This log maintains up to 256 entries. An event is fired when the configured alarm threshold is met. The event stores the time of the event. If that same threshold is crossed again, a new event is generated and replaces the previous one in the log. Because a repeated crossing overwrites the earlier entry, this on-box log is not a complete history; forward the alarms to syslog if you need every occurrence for later investigation.


Action 2: Trigger Packet Captures

This topic describes the packet capture and decode feature on NAM.

Packet Capture and Decode Overview

(Figure: the Capture menu of the NAM Traffic Analyzer, with these items:)
* Set up and manage capture buffers (NAM RAM)
* Capture settings and filters
* Quick capture (start and stop)
* Decoding the captures
* Saving buffers to the NAM hard disk
* Additional remote disk storage
* Managing capture files
* Packet captures can also be automatically triggered when a threshold is crossed and an alarm is generated

The packet capture feature enables you to collect packets from a data source that you have defined and then view the results of your collection, packet by packet.

The packet capture menu offers many options for filtering the packets you wish to capture, and the menu is easy to use. The options you need to consider when capturing packets are how much of the packet you want to capture (header and payload), as well as filtering options to limit the number of packets captured. You can filter traffic on a pre- and post-capture basis, and you need to select your data source. Remember that capturing payloads records whatever the applications sent, including credentials and other sensitive data, so restrict access to the NAM and to any saved capture files accordingly.

When you finish capturing data, you can either decode it by viewing the capture or download the packets into a file for analysis by other third-party tools, such as application profiling and modeling tools, and tools that can read the .pcap format. Alternatively, to expedite the capture configuration, many monitor reports allow you to select a table entry and use the contents as the basis for a capture configuration.


Capture Buffers

(Figure: the Capture > Buffers screen. It shows all capture buffers (NAM RAM) and their current status, and offers controls to modify the selected capture buffer settings; pause, clear, and restart a capture; create a new capture; select a buffer and decode its packets; save a buffer to a file on the hard disk (use Capture > Files to view it); and delete selected or all buffers.)

The NAM allows you to have multiple capture sessions running at once, and therefore it is necessary to have a way of managing all the potential capture buffers. Executing the Capture > Buffers task presents you with a list of all currently defined buffers and their status:

* Running: Packet capture is in progress.
* Paused: Packet capture is paused. Captured packets remain in the buffer, but no new packets are captured.
* Cleared: Capture is stopped (by the user) and the capture buffer is cleared.
* Locked: Capture is locked (stopped) because the buffer is full.

This information is important because packet capture uses memory and CPU, and there is no sense in leaving a buffer running or allocated if it is not necessary. From this screen the user can create new buffers (capture sessions), edit the settings of a buffer including pausing and starting, decode the collected packets in a buffer, save the buffer to the NAM hard drive, and delete the buffer.


Capture Settings

(Figure: the Capture > Settings screen. Annotations: status of the capture; select the data source (defined earlier from the Setup > Data Sources menu); save packets to either the NAM buffer (RAM) or to the NAM hard disk or a remote disk; define how the Cisco NAM handles new packets when the buffer is full; capture filtering options enable you to filter out any unwanted traffic by address and/or protocol before it is stored in Cisco NAM memory for analysis; capture controls: the capture must be stopped to change settings.)
The first and most important configuration option for capturing data is selecting your data source, which you do from the Capture From field in the Capture > Settings dialog.

* Capture to Buffer: As with all protocol analyzers, there is an absolute limit to the number of packets that Cisco NAM can capture and store in memory, but it also has features to optimize the use of NAM resources while maximizing the number of packets stored. Those features include:
  - Wrap when Full: This option enables you to define what action Cisco NAM should take when the buffer (RAM allocated for packet capture) is full. Should it lock the packet capture so that no packets get overwritten? Or should it overwrite (wrap) the oldest packets when the buffer becomes full?
  - Buffer Size: Here you have the option to define how much of the NAM memory you want to allocate to packet capture. Obviously, the more you choose here, the less you have for other NAM features and other capture buffers. The maximum buffer sizes are 125 MB for NAM-1, 300 MB for NAM-2, 70 MB for NM-NAM, and 146 MB for NME-NAM.
* Capture to Disk: This feature is used to capture packets to disk instead of memory. You can select either the local NAM hard disk or any configured remote storage option. (Setup of the remote storage is discussed later in this topic.) You can also select the file size, the number of files, and whether to rotate the files if all of them fill during capture or simply to end the capture. Note that if the number of files (No. Files) option is greater than 1, multiple files will be created on the hard drive.
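The following is an added example, not Cisco code or part of the original guide: a capture buffer that implements the two Wrap when Full behaviours and the four buffer states listed earlier (Running, Paused, Cleared, Locked). The buffer limit is counted in bytes so it behaves like the Buffer Size setting rather than a packet count; the frames are constructed byte strings.

```python
"""Capture buffer with "lock when full" versus "wrap when full" behaviour
(added example, not Cisco code). The state names mirror the Capture > Buffers
status list. Frames are constructed byte strings; the limit is in bytes.
"""

from collections import deque
from typing import Deque, List, Tuple


class CaptureBuffer:
    def __init__(self, size_bytes: int, wrap_when_full: bool) -> None:
        self.size_bytes = size_bytes
        self.wrap_when_full = wrap_when_full
        self.frames: Deque[bytes] = deque()
        self.used = 0
        self.status = "Running"
        self.dropped = 0        # frames refused while Paused or Locked

    def capture(self, frame: bytes) -> bool:
        """Offer one frame; return True if it was stored."""
        if self.status != "Running":
            self.dropped += 1
            return False
        if len(frame) > self.size_bytes:
            raise ValueError("frame larger than the whole buffer")
        while self.used + len(frame) > self.size_bytes:
            if not self.wrap_when_full:
                self.status = "Locked"   # stop, keep what we have, overwrite nothing
                self.dropped += 1
                return False
            oldest = self.frames.popleft()   # wrap: discard the oldest frame to make room
            self.used -= len(oldest)
        self.frames.append(frame)
        self.used += len(frame)
        return True

    def pause(self) -> None:
        if self.status == "Running":
            self.status = "Paused"

    def resume(self) -> None:
        if self.status == "Paused":
            self.status = "Running"

    def clear(self) -> None:
        """Stop the capture and empty the buffer (the Cleared state)."""
        self.frames.clear()
        self.used = 0
        self.status = "Cleared"

    def restart(self) -> None:
        """A Cleared buffer can be restarted; a Locked one must be cleared first,
        matching the note that settings cannot change until the buffer is cleared."""
        if self.status == "Locked":
            raise RuntimeError("clear the buffer before restarting a locked capture")
        self.status = "Running"


def demo(wrap: bool) -> Tuple[str, List[int], int]:
    """Feed five constructed 40-byte frames into a 100-byte buffer and report
    (status, ids of the stored frames, dropped count)."""
    buf = CaptureBuffer(size_bytes=100, wrap_when_full=wrap)
    for i in range(5):
        buf.capture(bytes([i]) + b"\x00" * 39)   # constructed frame tagged with its id
    return buf.status, [f[0] for f in buf.frames], buf.dropped


if __name__ == "__main__":
    print("lock:", demo(wrap=False))
    print("wrap:", demo(wrap=True))
```

With Wrap when Full off, the buffer keeps the first two frames and locks; with it on, the buffer always holds the most recent frames, which is usually what you want when the capture is triggered by an alarm and the interesting traffic is the most recent.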


* Capture Filter: With this option, you can configure Cisco NAM to ignore traffic before it is stored in memory. This is a very useful option if you have already narrowed the search for the source of the problem and you want to hone in on a specific subset of traffic. You can filter by protocol and/or by MAC or IP address for both source and destination addresses, and add a mask to define which part of the address to include and which part to ignore. You can also define how you want Cisco NAM to apply the filter: to include all packets that match the filter (inclusive) or to exclude all packets that match the filter (exclusive).

Note: To change the capture settings, you must first clear the capture buffer.

Note: You can use address and protocol filters together, but not port and custom filters.


The NAM Traffic Analyzer software allows for a shortcut to reduce the time and effort required in setting up a data capture. During a typical review of monitor reports, you may come across an entry that you determine requires more in-depth analysis using data capture. Rather than going to the Capture > Settings dialog and hoping you remembered all the pertinent information to set up the capture filters, you can simply select the entry in the monitor report table and click the Capture button. This action sets up a data capture using the data in the table entry as the filter values. The collection is immediately started and the user is shown the decode screen of the packets captured so far.


Custom Capture Filters

(Figure: the Capture > Custom Filters > Capture Filters screen. Annotations: leave the protocol field blank if the filter is protocol independent; enter your data string as the hexadecimal value of the data you want to filter on; the offset (decimal) and base options instruct the filter where in the packet to begin searching for the data string; the mask fields (hexadecimal) enable you to define which portions of the data string are relevant for filtering and which portions can be ignored; the status and status mask fields enable you to search for the status of Ethernet frames that are oversized or undersized or have CRC or alignment errors.)

If the filters included in the packet capture settings options do not provide enough control to meet your needs, you can create your own filter in the Capture > Custom Filters > Capture Filters menu.

Custom filters enable you to search for data patterns found either in the protocol headers or in the data field of the packet. This gives you the ability to read the packet as a single hexadecimal data stream, where you can tell Cisco NAM to capture or disregard packets that match the data pattern that you defined in the custom filter options. To use this feature, you need to identify a few things:

* You will need to write the data pattern you are looking for in hexadecimal. Refer to the Cisco NAM User Guide for more instructions on hexadecimal and data pattern matching.
* You will also need to tell it where to begin the data pattern search. If you choose absolute, you are telling the filter to begin looking at the beginning of the packet. If you choose protocol, you are instructing the filter to begin looking at the beginning of the protocol header.
* Status masks enable you to filter on error conditions in Ethernet frames, such as oversized or undersized frames or CRC/alignment errors. These are defined by Cisco NAM, and you must use the values assigned to each of these in order to filter by status.

Defining your own custom filters is a very powerful and complex tool that requires thought and preparation. Refer to the Settings chapter of the Cisco NAM User Guide for more detailed information and instructions on defining custom filters.
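The following is an added example, not Cisco code or part of the original guide. It models the two kinds of pre-capture filter described on this and the previous page: the address filter with a mask and inclusive/exclusive semantics, and the custom filter that matches a hexadecimal pattern under a hexadecimal mask at an offset counted either from the start of the frame (absolute) or from the start of the protocol header (protocol). The frames are constructed Ethernet II / IPv4 byte strings with dummy MAC addresses and no real checksum, and the offsets assume an untagged frame with a 20-byte IPv4 header; both are assumptions of this example.

```python
"""Pre-capture filtering (added example, not Cisco code): address+mask filter
with inclusive/exclusive semantics, and a custom hex pattern/mask filter at an
absolute or protocol-relative offset. Frames are constructed Ethernet II/IPv4
byte strings; offsets assume an untagged frame and a 20-byte IPv4 header.
"""

import ipaddress
import struct

ETH_LEN = 14
IPV4_SRC_OFF = ETH_LEN + 12     # source IP inside an untagged Ethernet II/IPv4 frame
IPV4_DST_OFF = ETH_LEN + 16


def build_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Constructed frame: dummy MACs, minimal IPv4 header (checksum left 0), raw payload."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + payload


def address_filter(frame: bytes, address: str, mask: str, inclusive: bool) -> bool:
    """Keep the frame when (src or dst) & mask == address & mask. 'inclusive'
    keeps the matches; 'exclusive' keeps everything that does not match."""
    m = int(ipaddress.ip_address(mask))
    want = int(ipaddress.ip_address(address)) & m
    src = int.from_bytes(frame[IPV4_SRC_OFF:IPV4_SRC_OFF + 4], "big")
    dst = int.from_bytes(frame[IPV4_DST_OFF:IPV4_DST_OFF + 4], "big")
    matched = (src & m) == want or (dst & m) == want
    return matched if inclusive else not matched


def custom_filter(frame: bytes, pattern_hex: str, mask_hex: str,
                  offset: int, base: str) -> bool:
    """Match pattern under mask at offset. base is 'absolute' (from the start of
    the frame) or 'protocol' (from the start of the IPv4 header)."""
    pattern = bytes.fromhex(pattern_hex)
    mask = bytes.fromhex(mask_hex)
    if len(mask) != len(pattern):
        raise ValueError("mask must be as long as the pattern")
    start = offset + (ETH_LEN if base == "protocol" else 0)
    window = frame[start:start + len(pattern)]
    if len(window) < len(pattern):
        return False                       # pattern would run past the end of the frame
    return all((w & m) == (p & m) for w, p, m in zip(window, pattern, mask))


def apply_filters(frames):
    """Indexes of frames that survive both filters: traffic to or from 10.1.2.0/24
    (inclusive address filter) whose IPv4 protocol byte is TCP (6), expressed as
    a one-byte custom pattern at protocol offset 9."""
    return [i for i, f in enumerate(frames)
            if address_filter(f, "10.1.2.0", "255.255.255.0", inclusive=True)
            and custom_filter(f, "06", "ff", offset=9, base="protocol")]


SAMPLE_FRAMES = [                                  # constructed sample traffic
    build_frame("10.1.2.5", "192.0.2.10", 6, b"GET / HTTP/1.0\r\n"),    # TCP, src in subnet
    build_frame("10.1.2.5", "192.0.2.10", 17, b"\x00\x35"),             # UDP, src in subnet
    build_frame("10.9.9.9", "10.1.3.1", 6, b""),                         # TCP, neither in subnet
    build_frame("198.51.100.7", "10.1.2.200", 6, b"HTTP/1.0 200 OK"),    # TCP, dst in subnet
]

if __name__ == "__main__":
    print("kept:", apply_filters(SAMPLE_FRAMES))
```

The mask is what makes the custom filter useful against headers: the same pattern/mask mechanism that selects a protocol byte can select, for example, the TCP flag bits at protocol offset 33 while ignoring the rest of the byte.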


To view and filter the results of your data capture, select the buffer to decode from the Capture > Buffers dialog and click Decode. The upper portion of the screen shows you summary information for each packet. This section includes the following fields:

* Pkt: The sequence number assigned by Cisco NAM as the packet entered the switch.
* Time: A relative timestamp indicating how much time has elapsed since the capture of the first displayed packet (not the first packet in the buffer). You can also view time as absolute time. Check the Cisco NAM User Guide for more information.
* Size: The size of the packet in bytes.
* Source: The address (either Layer 2 or Layer 3) or IP hostname of the device transmitting the packet.
* Destination: The address (either Layer 2 or Layer 3) or IP hostname of the device receiving the packet.
* Protocol: The highest layer of protocol that Cisco NAM recognizes.
* Info: Information providing more detail about the packet.

The contents in the lower half of the screen provide you with detailed information about the packet that you have highlighted in the upper portion of the screen. This detailed information shows the fields of each protocol header of the packet as well as the data field. You can see the Layer 2 Ethernet header information as well as portions of the Layer 3 IP header information. Use the +/- symbols to the left of each header to view more packet details. The bottom pane displays the hexadecimal dump of the packet, which includes the same information as the upper portion of the detail window, but written in hexadecimal.

You can also apply a filter to the contents of the frames to refine your view of packets (Display Filter button). You can filter by IP or MAC address, or by a plain-text pattern found in the packet summary, or you can apply a custom post-capture filter by choosing the option of your choice from the drop-down list above the Information field.


Packet analysis is very beneficial for troubleshooting packet-level problems. The NAM offers an additional analysis tool to enhance this process, the TCP Stream tool. To launch it, select a TCP packet from the packet decode window and click the TCP Stream button. A new window is opened that follows that TCP stream through the packet capture, providing you with every detail available in the TCP packets, including the data.
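The following is an added example, not Cisco code or part of the original guide. It reproduces what the decode summary pane and the TCP Stream tool described above compute: the Pkt/Time/Size/Source/Destination/Protocol/Info row for each frame, with Time relative to the first displayed packet, and the reassembled payload of the conversation that a selected TCP packet belongs to. The frames are constructed untagged Ethernet II / IPv4 / TCP byte strings with dummy MAC addresses; checksums are not computed, which is an assumption of the example.

```python
"""Decode summary and TCP stream following for a capture buffer (added
example, not Cisco code). Frames are constructed Ethernet II/IPv4/TCP byte
strings with dummy addresses and no checksums.
"""

import struct
from typing import Dict, List, Tuple

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_tcp_frame(src, sport, dst, dport, seq, flags, payload=b""):
    """Constructed frame; 'flags' is the TCP flag byte (0x02 SYN, 0x12 SYN+ACK, 0x18 PSH+ACK)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def parse(frame: bytes) -> Dict:
    """Pull the fields the summary pane needs out of one frame."""
    if frame[12:14] != b"\x08\x00":          # not IPv4: report Layer 2 addresses only
        return {"src": frame[6:12].hex(":"), "dst": frame[0:6].hex(":"), "proto": "ETH", "info": ""}
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    rec = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
           "proto": PROTO_NAMES.get(proto, f"IP proto {proto}"), "info": ""}
    if proto == 6:
        off = 14 + ihl
        sport, dport, seq, _ack, doff, flags = struct.unpack("!HHIIBB", frame[off:off + 14])
        rec.update(sport=sport, dport=dport, seq=seq, flags=flags,
                   payload=frame[off + (doff >> 4) * 4:])
        names = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN")) if flags & bit]
        rec["info"] = f"{sport} > {dport} [{','.join(names)}] seq={seq}"
    return rec


def summarize(capture: List[Tuple[float, bytes]]) -> List[Dict]:
    """capture is a list of (absolute time in seconds, frame). Time is relative
    to the first packet in the list, i.e. the first displayed packet."""
    t0 = capture[0][0] if capture else 0.0
    rows = []
    for n, (ts, frame) in enumerate(capture, start=1):
        rows.append({"pkt": n, "time": round(ts - t0, 3), "size": len(frame), **parse(frame)})
    return rows


def tcp_stream(capture: List[Tuple[float, bytes]], selected_pkt: int) -> bytes:
    """Follow the TCP conversation the selected packet belongs to (both
    directions, matched on the address/port pair) and return its payload in capture order."""
    sel = parse(capture[selected_pkt - 1][1])
    if sel["proto"] != "TCP":
        raise ValueError("select a TCP packet first")
    ends = {(sel["src"], sel["sport"]), (sel["dst"], sel["dport"])}
    data = b""
    for _, frame in capture:
        rec = parse(frame)
        if rec["proto"] == "TCP" and {(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])} == ends:
            data += rec["payload"]
    return data


CAPTURE = [   # constructed buffer contents: one HTTP exchange plus an unrelated request
    (1000.000, build_tcp_frame("10.1.2.5", 40000, "192.0.2.10", 80, 1, 0x02)),
    (1000.010, build_tcp_frame("192.0.2.10", 80, "10.1.2.5", 40000, 900, 0x12)),
    (1000.020, build_tcp_frame("10.1.2.5", 40000, "192.0.2.10", 80, 2, 0x18, b"GET /login HTTP/1.0\r\n\r\n")),
    (1000.025, build_tcp_frame("10.1.2.7", 40001, "192.0.2.10", 80, 5, 0x18, b"GET /other HTTP/1.0\r\n\r\n")),
    (1000.040, build_tcp_frame("192.0.2.10", 80, "10.1.2.5", 40000, 901, 0x18, b"HTTP/1.0 200 OK\r\n\r\n")),
]

if __name__ == "__main__":
    for row in summarize(CAPTURE):
        print(row["pkt"], row["time"], row["size"], row["src"], row["dst"], row["proto"], row["info"])
    print(tcp_stream(CAPTURE, 3))
```

The stream follower keys on the unordered pair of (address, port) endpoints so that both directions of the conversation are collected, and it ignores the request from 10.1.2.7 even though it goes to the same server port.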


The NAM can also provide you with statistical details of any captured file (buffers must be on the NAM local hard drive or a previously defined external drive), giving you traffic rates and host and application statistics for a given time period. To launch it, go to the Capture > Files task. A list of the files stored on the local NAM hard drive is displayed. Use the Storage drop-down menu to see files stored on one of the defined external drives. Select the file to analyze and click the Analyze button. A new window is displayed that shows statistics for the entire capture. You can fine-tune which statistics are displayed by entering a combination of time, protocol, and/or host and clicking the Drill-Down button.

Note: An additional remote external drive can be configured to expand the data storage capabilities of Cisco NAM. How to set up the additional storage is discussed later in this topic.


Save Buffered Data to Disk: Local Disk

(Figure: the Capture > Buffers and Capture > Files screens. Annotations: selecting the capture from the list of capture buffers and manually saving it to the Cisco NAM hard disk; a buffer created by the Quick Capture feature from a monitoring window (Capture button); Automatic Capture: the capture buffer used when a configured alarm is set to trigger a packet capture.)

By default, Cisco NAM stores the captured packets in a buffer in RAM. Saving buffers to the local hard drive of Cisco NAM allows you to keep the traffic filtered and stored for analysis at a later time, as well as to free up memory for other capture buffers or NAM monitoring.

There are basically two ways to store buffers to the local hard drive of Cisco NAM:

* The first method is to select a buffer from the Capture > Buffers list and click Save to File.
* The second method is to configure Cisco NAM to Capture to Disk when the capture settings are defined.


For flexibility and increased storage, Cisco NAM can also store the captured packets on a remote disk.

To use the remote disk option, configure Cisco NAM with details about the remote disk, using the Admin > System > Capture Data Storage task.

The remote storage server can be of either type: Network File System (NFS) or Internet Small Computer Systems Interface (iSCSI). Because capture files can contain packet payloads, restrict the share to the NAM's own address and keep the storage network separate from user traffic.


Defining Remote Data Storage

(Figure: the Admin > System > Capture Data Storage screen with the Create NFS dialog. Annotations: Note: the NFS server must be able to grant access to the Cisco NAM in order to write to the disk; the server name and the directory on it to hold the captured packet files; a name used to select the disk in the NAM user interface; NFS options to define the transfer protocol, timeout and retry values.)

To use an NFS remote disk, click the Create NFS button to define it. Provide a name for the disk (in order to identify it in the NAM user interface), enter the hostname of the server that has the remote disk, and provide the directory where the capture files should be located.

Note the following:

* The NFS server must be configured to grant read and write access to Cisco NAM in order for Cisco NAM to be able to store capture files on it. The following example shows how to set up an NFS directory (/home/someuserName) on a Linux server for a NAM (at IP address 1.1.1.2) to store capture data.

  Locate a user ID that has read and write access to the target NFS directory. For example, if the target NFS directory is /home/someuserName, open the /etc/passwd file and search for a user entry that contains something like the following:

      someuserName:x:503:503::/home/someuserName:/bin/tcsh

  In this example, the user ID is 503.

  Edit the /etc/exports file and add a line like the following:

      /home/someuserName 1.1.1.2/255.255.255.255(rw,all_squash,anonuid=503)

  The /255.255.255.255 mask limits the export to the NAM's address, and all_squash with anonuid maps every request from the NAM to user 503 regardless of the uid the NAM presents, so the NAM can write only what that user can write.

  Activate the change: type /usr/sbin/exportfs -a.

* If the NFS directory contains subdirectories that are not writable by Cisco NAM, these subdirectories will not be listed in the NAM capture screens.
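The following is an added example, not Cisco code or part of the original guide. It automates the steps just described: it looks up the uid in passwd-formatted text, emits the /etc/exports entry in the same form as the one above, and checks an exports entry for the two properties that entry relies on (a single-host client specification and all_squash with an explicit anonuid). The passwd text is constructed, and nothing here touches the real /etc files or runs exportfs.

```python
"""Building and checking the NFS export line for the NAM (added example, not
Cisco code). The passwd text and hostnames are constructed; nothing here
touches the real /etc files.
"""

import ipaddress
import re
from typing import Dict, List, Optional

PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
someuserName:x:503:503::/home/someuserName:/bin/tcsh
"""


def lookup_uid(passwd_text: str, username: str) -> Optional[int]:
    """Return the numeric uid for username from /etc/passwd-formatted text."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == username:
            return int(fields[2])
    return None


def exports_line(directory: str, nam_ip: str, uid: int) -> str:
    """One /etc/exports entry: host-specific netmask, rw, every client uid squashed to uid."""
    ipaddress.ip_address(nam_ip)            # raises ValueError on a malformed address
    return f"{directory} {nam_ip}/255.255.255.255(rw,all_squash,anonuid={uid})"


EXPORT_RE = re.compile(r"^(\S+)\s+(\S+?)\(([^)]*)\)\s*$")


def check_export(line: str) -> List[str]:
    """Return the problems with an exports entry; an empty list means it is as
    tight as the entry shown in the text above."""
    m = EXPORT_RE.match(line)
    if not m:
        return ["unparsable exports entry"]
    _directory, client, opts = m.groups()
    options = set(opts.split(","))
    problems = []
    try:
        net = ipaddress.ip_network(client, strict=False)   # accepts both /32 and /255.255.255.255
        if net.num_addresses != 1:
            problems.append(f"client spec {client} is broader than a single host")
    except ValueError:
        problems.append(f"client spec {client} is not a single IP (wildcard or hostname)")
    if "all_squash" not in options:
        problems.append("missing all_squash: clients keep their own uids, including 0")
    if "no_root_squash" in options:
        problems.append("no_root_squash lets root on the client write as root")
    if not any(o.startswith("anonuid=") for o in options):
        problems.append("missing anonuid: squashed writes land on the default anonymous uid")
    return problems


def build_for_nam(directory: str, nam_ip: str, username: str,
                  passwd_text: str = PASSWD_SAMPLE) -> Dict:
    """Steps from the text: find the uid, write the export line, verify it."""
    uid = lookup_uid(passwd_text, username)
    if uid is None:
        raise KeyError(f"{username} not found in passwd")
    line = exports_line(directory, nam_ip, uid)
    return {"uid": uid, "line": line, "problems": check_export(line)}


if __name__ == "__main__":
    result = build_for_nam("/home/someuserName", "1.1.1.2", "someuserName")
    print(result["line"])
    print("problems:", result["problems"] or "none")
```

Run check_export against the entries already in a server's /etc/exports before adding the NAM's: an existing wide export of the same tree (for example to 10.0.0.0/8 without all_squash) undoes the restriction the NAM entry provides.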


Check the Use existing partition check box when the remote iSCSI target disk has already been formatted and has a partition table.

Note: Before Cisco NAM can recognize the configured iSCSI device, Cisco NAM must be restarted so that it can load the device drivers.

Managing Capture Files

(Figure: the Capture > Files screen. Annotations: select capture files on the Cisco NAM hard disk (local) or a remote disk; download the selected file to your computer in Sniffer file format; merge files into one file (from the Number of Files option).)

Like the buffers in Cisco NAM memory, it is important to be able to manage the capture files stored on either the Cisco NAM hard drive or any defined external storage devices. Several tasks can be performed on these files using the Capture > Files task, which lists all files found on the Cisco NAM hard drive:

* Decode: Select the desired file and decode it (just like decoding buffers).
* Analyze: Provide traffic, protocol, and host rates over time for the capture file.
* Merge: Select multiple files and merge them into a single file.
* Download: Save a selected file to your client machine in the .enc Network General Sniffer format.
* Delete and Delete All: Delete one or all of the files from the NAM hard drive.


Summary

This topic summarizes the key points that were discussed in this lesson.

* Switch monitoring and reporting are available for every port on the Cisco Catalyst switch, regardless of the Cisco NAM configuration.
* Application monitoring not only offers you valuable application distribution statistics, but it also gives you the ability to see which network hosts are using which applications.
* ART monitoring provides measurements that reflect the user experience of network performance, so you can quickly identify the source of performance degradation and resolve problems before users even notice.
* You can use Cisco NAM to collect hit statistics for every URL seen, allowing you to analyze web traffic.
* You can configure Cisco NAM to capture the packets from a data source and view and decode them. You can also configure thresholds to send alarms to users for specific conditions when they occur.

Lesson 4

Cisco NAM Maintenance

Overview

Objectives

Cisco NAM Software Upgrade

This topic describes Cisco NAM maintenance options.

Cisco NAM Image Upgrade

Application image (hdd:1):
1. Reset Cisco NAM using the maintenance image (cf:1)
2. Log in to the NAM CLI as root
3. Retrieve the image from the FTP site and upgrade
4. Follow the prompts
5. Exit the NAM CLI
6. Reset Cisco NAM using the application image (hdd:1)

Maintenance image (NAM-1 and NAM-2 = cf:1):
1. Reset Cisco NAM using the application image (hdd:1)
2. Log in to the NAM CLI as root
3. Retrieve the image from the FTP site and upgrade
4. Follow the prompts
5. Exit the NAM CLI
6. Reset Cisco NAM using the application image (hdd:1)

The NAM-1 and NAM-2 cards use the following two images:

* A maintenance image: Allows Cisco NAM to be loaded with a basic operating system to perform maintenance tasks, such as upgrading the application image.
* An application image: Contains both the Cisco NAM operating system and the Cisco NAM traffic analysis software.

You can update either of these images by rebooting Cisco NAM with the image you are not upgrading. In other words, to update the application image, reset (reboot) Cisco NAM using the maintenance image. When the proper image is loaded, connect to the Cisco NAM command-line interface (CLI) and issue the update command with the FTP URL where the new image is stored as the command parameter. Follow all prompts, exit the CLI, and reset Cisco NAM to use the application image (the default). FTP carries the image and the login credentials in cleartext, so host the image on a server reachable only from the management network and compare it against the checksum published with the download before installing it.


Note: To determine which image Cisco NAM is using, you can use the show module command or session to Cisco NAM. When using the application image, the show module output indicates the software version that is being used by Cisco NAM. If using the maintenance image, the software version number is not the NAM release version and is followed by an "m". If Cisco NAM is booted using the maintenance image, the banner that is displayed when a session to Cisco NAM is created indicates that the maintenance image is being used.

To upgrade the NAM application image, you must boot Cisco NAM to the maintenance partition. To upgrade the NAM maintenance image, you must boot Cisco NAM to the application partition.


Patch Installation

* Patches are incremental updates to software releases that are installed with the patch NAM CLI command.
* Patches are available only for the Cisco NAM application image.

    root@localhost# patch ftp://user:password@host/full-path/filename

This installs a patch (NAM-1, NAM-2). The FTP password is part of the command line and is sent in cleartext, so use an account that exists only for this purpose.

Note: Before patching Cisco NAM, make sure that Cisco NAM is currently booted with the application image.

Cisco NAM Reset and Shutdown

    6509# hw-module module slot reset

This command resets a Cisco NAM module from the supervisor CLI (used when the NAM CLI is unreachable):

    6509# hw-module module 1 reset
    Device BOOT variable for reset = <empty>
    Warning: Device list is not verified.
    Proceed with reload of module? [confirm]
    % reset issued for module 1

Three options for NAM-1 or NAM-2 shutdown:

* Option 1: Issue the shutdown command from the NAM CLI.
* Option 2: Issue the module shutdown command from the supervisor CLI.
* Option 3: Press the Shutdown button on the Cisco NAM front panel (watch the status LED).

Do not remove Cisco NAM until the shutdown process is complete.

Nonresponding Cisco NAM

If Cisco NAM is not responding, take the following actions:

Step 1: Check that the session command works from the switch or router CLI.
Step 2: Check that you can ping over the Ethernet out-of-band channel (EOBC).
Step 3: Check that you can ping the management IP address.
Step 4: Collect the output of the show tech-support command from both Cisco NAM and the switch or router.
Step 5: Collect core files.
Step 6: Check whether Cisco NAM is seated correctly in the chassis.
Step 7: Reset Cisco NAM, as shown in the figure. There are two ways to reset Cisco NAM:
  * If the NAM CLI is still reachable, enter the reboot command.
  * If the NAM CLI is unreachable, reset the module from the CLI of the host switch with the hw-module module slot reset command shown in the figure.
Step 8: Reset into the maintenance image or helper.
Step 9: Clear the configuration.
Step 10: Reinstall the application image.

Shutting Down Cisco NAM

Note: The shutdown procedures can take several minutes.

Cisco NAM Troubleshooting

This topic describes NAM troubleshooting.

System Resources

(Figure: the Admin > System > System Resources screen of the NAM Traffic Analyzer, showing CPU, memory, and disk utilization.)

The NAM offers much data and many reports that give you visibility into your network. You can choose from among the data sources available to you and tailor the NAM monitoring and reporting functions to meet your specific needs.

Always remember that Cisco NAM has fixed resources and that all of the monitoring reports, alarms, and captures you define are stored in Cisco NAM memory, which is currently 512 MB for the NAM-1 and 1 GB for the NAM-2. All of the ways that Cisco NAM delineates data for the monitoring and reporting that you choose, and all of the packets that you capture for decode, consume memory. There is a definite point of diminishing returns, because the more you configure for monitoring, the more likely it is that packets will be dropped, compromising the reliability of the data and reports that you rely on. So choose your data sources and your monitoring and reporting needs wisely to ensure that you maintain the validity of your data. A good practice is to slowly and incrementally add data collection and monitoring options and then view their impact on Cisco NAM by viewing system resource utilization in the Admin > System > System Resources menu.


Diagnostics: Check System Alerts

* View failures or problems that have occurred

(Figure: the Admin > Diagnostics > System Alerts screen, listing numbered alerts with a date, a severity, and a message.)

You can view any failures or problems that the Cisco NAM Traffic Analyzer has detected during normal operations. This information can be viewed by going to the Admin > Diagnostics > System Alerts screen in the Cisco NAM Traffic Analyzer software.
'


Diagnostics: Check Audit Trail

* View activities that have occurred

[Figure: Cisco NAM Traffic Analyzer, Admin > Diagnostics > Audit Trail screen listing recorded user activities]
You can view a listing of recent critical activities that have been recorded in an internal syslog log file. Syslog messages can also be sent to an external log. The following user activities are logged in the audit trail:

* All CLI commands
* User logins (including failed attempts)
* Unauthorized access attempts
* SPAN changes
* NDE data source changes
* Enabling and disabling data collections
* Creating and deleting reports
* Starting and stopping captures
* Adding and deleting users

This information can be viewed by going to the Admin > Diagnostics > Audit Trail screen in the Cisco NAM Traffic Analyzer software.

As illustrated in the figure, each activity includes a date, the user ID, an IP address (in case of a remote access), and a note describing the activity. The internal log files are rotated after reaching a certain size limit.


Diagnostics: Check Configuration (Monitor and Capture)

* Verify how the Cisco NAM is configured for collecting various statistics

[Figure: Cisco NAM Traffic Analyzer screens showing the configured monitoring collections and capture settings]

Diagnostics: Check Logged Messages

Check for these words:

* Error
* Failed
* Incorrect
* Warning

[Figure: Cisco NAM Traffic Analyzer, Admin > Diagnostics > Tech Support screen showing the /var/log/messages section of the diagnostic output]
The NAM has a technical support option that gathers diagnostic information from the Cisco NAM hardware and operating system. This information can be viewed by displaying the Admin > Diagnostics > Tech Support screen in the NAM Traffic Analyzer software or by entering the show tech-support command in the NAM CLI. In both cases, scroll down to the /var/log/messages information (toward the bottom) and look for keywords indicating problems (error, failed, incorrect, warning). The information should indicate the source of the problem and provide you with a starting point for correcting it.

Finally, make sure that you review the release notes for any known issues and workarounds, as well as the Catalyst 6500 Series and Cisco 7600 Series Switch Network Analysis Module Installation and Configuration Note for additional troubleshooting tips.
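The audit-trail activities listed in this topic and the keyword search through /var/log/messages described above, as an added example that is not part of the Cisco course material: a small Python script that parses constructed audit-trail entries in an assumed "date user IP note" layout (the real Cisco NAM audit-trail format is not reproduced here, only the fields the text names), flags repeated failed logins, unauthorized access attempts and user-account changes, and groups constructed /var/log/messages lines by the four keywords (error, failed, incorrect, warning). All sample lines, the line layout and the failed-login threshold are constructed for illustration.

```python
"""Added example, not Cisco course code: review NAM-style audit-trail and
/var/log/messages lines for the events the text says to look for.

The line layouts below are ASSUMED for illustration; only the fields the
text names (date, user ID, IP address, note) are modelled.
"""
import re
from collections import Counter, defaultdict

# Constructed sample audit-trail entries: "<date> <time> <user> <ip> <note>".
AUDIT_TRAIL = """\
2008-03-12 09:14:02 admin 10.1.1.20 User login successful
2008-03-12 09:15:40 admin 10.1.1.20 SPAN data source span-1 created
2008-03-12 09:16:03 admin 10.1.1.20 Capture cap-1 started
2008-03-12 11:02:11 ops 10.1.1.77 User login failed
2008-03-12 11:02:19 ops 10.1.1.77 User login failed
2008-03-12 11:02:27 ops 10.1.1.77 User login failed
2008-03-12 11:03:00 guest 192.0.2.9 Unauthorized access attempt
2008-03-12 11:10:45 admin 10.1.1.20 User netops added
2008-03-12 11:20:12 admin 10.1.1.20 Report rep-1 deleted
"""

# Constructed sample /var/log/messages excerpt, as it might appear near the
# bottom of a show tech-support dump.
MESSAGES = """\
Mar 12 09:13:58 nam kernel: eth0: link up, 1000 Mbps
Mar 12 09:14:00 nam nam-monitor: collection rmon started on data source ALL SPAN
Mar 12 11:30:02 nam nam-capture: Error: capture buffer exhausted, packets dropped
Mar 12 11:30:05 nam nam-monitor: Warning: memory utilization above 85 percent
Mar 12 11:31:10 nam sshd: Failed password for ops from 10.1.1.77
Mar 12 11:32:00 nam nam-monitor: incorrect NDE source address, ignoring records
Mar 12 11:35:00 nam nam-monitor: collection voice stopped by user admin
"""

# Assumed audit-trail layout: date, time, user, IPv4 address, free-text note.
AUDIT_RE = re.compile(
    r"^(?P<date>\S+ \S+) (?P<user>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<note>.*)$"
)
# The four keywords the text says to search for in /var/log/messages.
KEYWORDS = ("error", "failed", "incorrect", "warning")


def parse_audit_trail(text):
    """Split audit-trail lines into dicts with date, user, ip, note; skip junk."""
    entries = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_audit_events(entries, failed_login_threshold=3):
    """Summarize the audit events a defender reviews first: repeated failed
    logins per (user, ip), unauthorized access attempts, and account changes.
    The threshold is a constructed illustration value."""
    failed = Counter()
    unauthorized = []
    account_changes = []
    for e in entries:
        note = e["note"].lower()
        if "login failed" in note:
            failed[(e["user"], e["ip"])] += 1
        elif "unauthorized" in note:
            unauthorized.append((e["date"], e["user"], e["ip"]))
        elif note.startswith("user ") and (note.endswith(" added") or note.endswith(" deleted")):
            account_changes.append(e["note"])
    return {
        "repeated_failed_logins": {k: n for k, n in failed.items() if n >= failed_login_threshold},
        "unauthorized": unauthorized,
        "account_changes": account_changes,
    }


def scan_messages(text, keywords=KEYWORDS):
    """Group /var/log/messages lines by the first problem keyword they contain
    (case-insensitive), mirroring the manual keyword search in the text."""
    hits = defaultdict(list)
    for line in text.splitlines():
        low = line.lower()
        for kw in keywords:
            if kw in low:
                hits[kw].append(line)
                break
    return dict(hits)


if __name__ == "__main__":
    for key, value in suspicious_audit_events(parse_audit_trail(AUDIT_TRAIL)).items():
        print(key, value)
    for kw, lines in scan_messages(MESSAGES).items():
        print(f"{kw}: {len(lines)} line(s)")
```

On a real appliance the same scan would be run over the audit trail exported to the external syslog server the text mentions and over the /var/log/messages section of the show tech-support output, rather than over the embedded sample strings.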


Summary

Summary

* Periodically, the firmware in Cisco NAM might need to be upgraded or patches might need to be installed.
* Shut down Cisco NAM before removing it from its slot.
* Diagnostics and reports are available for monitoring the overall health of Cisco NAM.


Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary

* Cisco NAM can analyze the source of the traffic forwarded to it, its destination, the protocol, and the amount of traffic per host, per conversation, and per application.
* You can install Cisco NAM in any slot on the host Cisco Catalyst 6500 Series Switch except slots that are reserved for the supervisor modules.
* Mini-RMON is a switch feature that must be enabled for Cisco NAM to provide useful information about Ethernet ports.
* To upgrade the Cisco NAM application image, you must boot Cisco NAM to the maintenance partition.
* To upgrade the Cisco NAM maintenance image, you must boot Cisco NAM to the application partition.


Module Self-check

Which of the following is a valid data source for the Cisco NAM service module? (Source: Introducing Cisco NAM)
A) SPAN
B) Layer 2 access list
C) Prefix list
D) IP access list
E) Policy-based routing


Q7) Which has to be enabled to view port statistics on Cisco NAM? (Source: Monitoring, Viewing, and Saving Data)
A) Mini-RMON for selected interfaces
B) Historical reporting and trending
C) Core monitoring
D) Switch health statistics collection

Q8) Under which option is the SPAN data source created? (Source: Monitoring, Viewing, and Saving Data)
A) Setup > Data Sources > SPAN
B) Admin > Data Sources > SPAN
C) Monitor > Data Sources > SPAN
D) Setup > Switch Parameters > SPAN


M odule Self-c heck A nsw erKey
