Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd
Upload
374 views414 pages

Dcna 1

Uploaded by

sjslall

This document provides a table of contents for a guide about implementing Cisco Data Center Network Infrastructure. It outlines topics like describing Cisco Blade Switches, implementing traffic flows with firewalls, configuring access control lists, implementing security contexts, and implementing routing. The document contains over 150 pages across multiple volumes.

Copyright:

© All Rights Reserved
Download as PDF, TXT or read online from Scribd
Download as pdf or txt

Dcna 1

Uploaded by

sjslall
374 views414 pages
This document provides a table of contents for a guide about implementing Cisco Data Center Network Infrastructure. It outlines topics like describing Cisco Blade Switches, implementing traffic flows with firewalls, configuring access control lists, implementing security contexts, and implementing routing. The document contains over 150 pages across multiple volumes.

Original Description:

dcna

Original Title

dcna-1

Copyright

© © All Rights Reserved

Available Formats

PDF, TXT or read online from Scribd

Did you find this document useful?

Is this content inappropriate?

This document provides a table of contents for a guide about implementing Cisco Data Center Network Infrastructure. It outlines topics like describing Cisco Blade Switches, implementing traffic flows with firewalls, configuring access control lists, implementing security contexts, and implementing routing. The document contains over 150 pages across multiple volumes.

Copyright:

© All Rights Reserved
Download as PDF, TXT or read online from Scribd
Download as pdf or txt
374 views414 pages

Dcna 1

Uploaded by

sjslall
This document provides a table of contents for a guide about implementing Cisco Data Center Network Infrastructure. It outlines topics like describing Cisco Blade Switches, implementing traffic flows with firewalls, configuring access control lists, implementing security contexts, and implementing routing. The document contains over 150 pages across multiple volumes.

Copyright:

© All Rights Reserved
Download as PDF, TXT or read online from Scribd
Download as pdf or txt
You are on page 1/ 414

DcNI-1I

Im plem enting C isco


D ata C enter N etw ork
Infrastructure 1
Volum e 2
Version 2.0

Student G uide

TextParlNum ber'97-2674-01
.111,1111
t l56 Q .

DISI'LAlM !!R W ARRANTY:THIS UONTENT IS BlfING PRIIVIDEi!)''AS IS.''C1SC()M AKISS AND YOU RIfCEIVEN()W ARRANTIISIN +
CIINNECTII)N !.5'ITH TH1:Q'IINTIENT PROVIDED HE:REUNDER.I(XPRESS!IM PLI1iD. STATUTORY OR 1N ANY OTHER PROV ISl()N OF
TH ISCON rI'NT (1RUO M M UNICATION BIT'E'W EIfN CISfJ()AN D YOU.CISCO SPITCIFICA LLY DISC LA1M 5ALL lM PLl!'
,D
%.
%ltRAkNl'IES.lN('LUDINIIWARRANTIl!SOF M EIRCHANTAB1LITY,N()N-INI?IlINGEMIiNT AND 17ITN IESSFOR A PARTICULAR
PtIRPOSEL,()R ARl%ING 17R(IM A (.'IIURSIfOFDEALING.USAG E(IRTRADE PRACTICE.n islrarningproductnlaycontall:carlyrclcasc
contcnt,andwhiIe('iscobcIi
evesittobcacctdratc itfallssubjccttothedisclain3erabove
Table of C ontents
V 0 Ium e 2
Describinq the C isco Blade Sw itch Fam ilv 1-433
O verview 1-433
Objectives 1-433
Introducing the Cisco Blade Switches 1-434
W here and W hyAre Blade Switches Used? 1-434
Blade Servers and Switches Benefi ts 1-434
Comparing Cabling DesignO ptions 1-435
Managem ent 1-436
Securi ty 1-436
QoS 1-436
HighAvailability 1-437
Configuring Layer2 Trunk Failover 1-438
Introducing the Cisco Blade Switch forHP Blade Servers 1-440
HP c7O00 Bladesystem Characteristics 1-440
HP c300O Bladesystem Characteristics 1-440
Network lnterconnectBays 1-441
Introducing the Cisco Blade Switches forDellBlade Seers 1-445
Cisco IOS on Cisco Blade Switches 1-452
Licenses 1-452
License Activation 1-452
Replacing M alfunctioning Devices 1-453
Obtaining the License 1-454
Removing a License 1-454
Exam ining the License Inform ati
on 1-454
Replacing a Switch in a V i
dualBlade Sw i
tch 1-457
Standalone O peration 1-457
Introducing the Cisco Blade Switches forFCS Blade Servers 1-459
Sum mar 'y 1-461
Module Summary 1-462
References 1-463
Module Self-check 1-466
Module Self-checkAnswerKey 1-472
lm Dlem entinn FW SM fora Data CenterNetwork lnfrastructure 2-1
O verview 2-1
ModuleObjectives 2-1
Im plem entinq Traffic Flow s 2-3
Overview 2-3
Objectives 2-3
Firew allOverview 2-4
Isolated Legacy Networks 2-4
Connected Networks 2-4
Firew alllm pl
em entation 2-6
FW SM O vervi ew 2-11
Scaling FW SM Perform ance 2-11
FW SM Ini tialConfiguration 2-21
W hen to Use PVLAN? 2-34
Firew allM odes 2-35
Routed M ode 2-35
TransparentM ode 2-35
Using Transparentvs.Routed M ode 2-36
Configuring IP Addresses in Routed M ode 2-37
Configuring the Translation 2-41
ldentity NAT 2-48
Static ldenti
ty NAT 2-48
NAT Exempti on 2-49
Maximum NumberofNAT Statements 2-51
Summary 2-57
Im plem entino ACLS 2-85
Overview 2-85
Objectives 2-85
Configuring Layer2 Filtering 2-86
FW SM and Layer2 Security 2-86
MAC AddressTable Attackand Remedy 2-88
Consguring MAC Address Table Custom izati
on 2-88
Configuring ARP Inspection 2-90
Configuring Ethedype Fil tering 2-92
Configuring ACLS 2-93
ACL Processing 2-94
ACL Configuration 2-95
Manipulating ACLS 2-95
Time-BasedACLS 2-99
ACL Logging 2-100
ACL System Resource Utilizati on 2-104
Summary 2-106
Im plem entinc Contexts 2-107
Overview 2-107
Objectives 2-1()T
FW SM Virtualization Overvi
ew 2-108
Security Contexts Ovewiew 2-108
Classifying PacketsW hen Sharing the Interface 2-113
Configuring FW SM Contexts 2-119
System Execution Space 2-119
Adm in Context 2-120
Accessing Contexts 2-120
Adm in Context 2-122
Verifying Contexts 2-124
Removing Contexts 2-124
Changing the Context 2-125
Managtng ContextResources 2-126
Configuring Resource Management 2-126
Defining Resource Limitations 2-128
Configuring Memory Parti tions 2-130
Verifying MemoryPaditions 2-130
Sum mary 2-132
Im olem entinq Routinn 2-133
Overview 2-133
Objecti
ves 2-133
Configuring Static Routing 2-134
How to Determ ine W here to Forward the Traffic 2-134
How FW SM Makes Forwarding Decisions 2-134
DefaultRoute 2-135
Static Route Convergence 2-136
Configuration Exam ple 2-136

Ii lmpiementingCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.0 @ 2008Ci


scoSystemsll
nc.
Configuring Dynam ic Routing 2-137
OSPF Limitations 2-138
Verifying OSPF Operation 2-140
BG P Lim itations 2-144
OptionalBGP Comm ands 2-146
Using RH1to lnjectTranslated IP Addresses 2-147
Using Asym metric Routing Groups to Allow Asymmetric Routing 2-148
Using Asymmetric Routing Groupswi th AsymmetricRouting in Fai
loverwith Multiple Contexts 2-149
Summary 2-150
Im plem entinq Failover 2-151
O verview 2-151
Objecti
ves 2-151
FailoverO vew iew 2-152
Active-standby Failover 2-152
Active-Active Failover 2-153
FailoverLinkRequirem ents 2-154
State Link 2-155
FailoverEventwith Acti ve-Active 2-157
FailoverO peration 2-160
Rapid Link Failure Detection w ith Cisco 1O S Autostate 2-164
Configuring Failover 2-165
Primary and SecondaryRoles 2-165
Configuration Replication 2-165
Sum m ary 2-180
Im plem entinq Deep PacketInspection 2-181
Over
Niew 2-181
Objectives 2-181
Deep Packetlnspecti on Overvi
ew 2-182
URL Filtering O vew iew 2-190
URL Filtering O peration 2-190
Configuring W ebsense Server 2-192
Configuring Secure Computing SmartFilter 2-193
Enabling Buffering 2-193
Enabling Caching 2-193
ldentifying Traffic 2-194
Sum m ary 2-196
Module Sum mary 2-197
Module Self-check 2-198
Module Self-checkAnswerKey 2-200
lnm lem entinn N etw ork A nalvsis w ith Cisco NA M 3-1
Ovew i
ew 3-1
ModuleObjectives 3-1
Introducinq C isco NAM 3-3
Overvi
ew 3-3
Objecti
ves 3-3
NetworkTraffic M onitoring O vew iew 3-4
Challenges 3-4
Benefits 3-4
NAM DeploymentDependenton Moni toring Purposes 3-9
The Big Picture Defined 3-11
Cisco NAM Service Module 3-16
Cisco NA M Data Sources 3-33
Plan forC isco NAM Depl oyment 3-40
Cisco Catalyst6500 Seri es Sw itch NAM S 3-43
Sum m ary 3-48

u2008ClscoSystems,lnc. lmplementingClscoDataCenterNetworkInfrastructure(DCNI-I)v2.0 iii


Im nlem entinq InitialConfiquration 3-49
Overview 3-49
Objectives 3-49
Cisco NAM lnstallation 3-50
NAM Hardware Installation 3-52
Verifying NAM Installati
on 3-53
Cisco NAM lnitialConfiguration 3-54
InitialIP Settings 3-55
Enabling W eb Server 3-56
VLAN Configuration 3-57
W hatAre SNMP Community Strings? 3-57
Summary 3-74
M onitorinq.View inq.and Savinq Data 3-75
Overview 3-75
Objectives 3-75
Scenario 1:Li ve Network Moni toring and Analysis 3-76
Problem Description 3-76
Monitoring Plan 3-76
Action 1:PortMonitoring 3-77
HistoricalReporting and Trending 3-79
Action 2:Detailed PortMonitoring 3-82
Action 3:Using NDE with Cisco NAM 3-96
Scenario 2:Response--rime Monitoring 3-103
Verify Cisco NAM Deployment 3-103
Scenario 3:URL Moni toring 3-114
Scenario 4:Troubleshooting 3-121
Action 1:Threshold: and Alarm s 3-122
Action 2:TriggerPacketCaptures 3-135
Summary 3-149
Cisco NAM M aintenance 3-151
Overview 3-151
Objectives 3-151
Cisco NAM Software Upgrade 3-152
Nonresponding Cisco NAM 3-154
Shutting Down Cisco NAM 3-155
Cisco NAM Troubleshooting 3-156
Sum mary 3-161
Module Summary 3-162
Module Self-check 3-163
Module Self-check AnswerKey 3-165

w SmpsemenlingCiscoDataCenlerNetworklnfrastructure1(DCNI-I)42.
9 (I)2923 CiscoSyslems,lnc,
uesson12I

D escribing the C isco B lade


S w itch Fam ily

O verview

Objectives
Introducing the C isco B lade Sw itches
Tlhistopie dcscribcsthe Cisvo blade family switches.

Using C isco B lade Sw itches


w Data Center- blade serverenclosures
wO ptim ize rack space and high availability
Cisco Catalyst6500

> A

'1'
11563:
T. :

Encl-of-Row Top-of.qackAccess 1,lslf.t?.It('/61Itf(I'ot''''i.


Ac%$l<;t
q
Access Catalyst4948 Clsco Blade Switch

W here and W hy A re B lade Sw itches Used?


Data centcrstypically llavenum erous scrverswhich take spacc,need cabling and m anagemcnt.
Integrated bladeswitchcsprescnta third cabling design option,in addition to end-of-row and
top-of-rack,
From a Iogicalnctwork pcrspcctive,thisdesign ism ostsim ilarto a top-of-rack design.
M ind thatthe blade switch dcsign can introducc com plications forthc spanning treedesign
bccauscthereare more access layersw itchesperrack

Blade Servers and Sw itches B enefits


I3lade serversare used to optimize serverdcploymentin data centcrs.M ultiplc serversare ptlt
ilyto oneenclostlreand tllus:
K Optim izc rack spacc usagc--bladc serversand switchcsuse less space than standalone
cotlntcrparts
w Reduce thc nccessa!y cabling from selwersto thc network cquipmcnt
. Nlorc cfticicntly usc powcrand producc lcsstherm aloutputperscrvcrunit
w Add resilicncy with rcdundantfan and powerunitsfrom theblade chassis
K M ake the solution more scalablc

1.434 lmplementingCiscoDataGenterNetworklnfrastruclure1(DCNI-I)v2.Q (I)2Q()8CiscoSystems.lnc.


C om paring Cabling D esign O ptions

@ 2008 Ci
sco Systems,fnc. fmpementi
ng the Ci
sco Catalyst6500 Series.Cisco Catafyst4900Senes,and Bfade Switches 1-435
Cisco B lade Sw itch Features
Managem ent:
Cisco IOS CLI,SNMP MlBs,CiscoW orks m anagem enttool
Integration with ManagementVodule
* Integrated security:
ACL,802.1:,TACACS+/RADIUS
. High availability:
STP enhancementslUDLD,t.2 trunk failoverlIEEE 802.3ad
. Quali
tyofservice (QoS)

2= s . I a r
uz N ' .... .u
.
w
F ' #'**>>' j ,.
?.
'
- 4. S'X '
# ..** -
'x . .
' :;

A
r
:
,y k
,,,1
.a0)

Al1Cisco blade switchcsofferacomplcte setofintelligcntserviccsto deliversecurity,quality


ofscrvice(QoS),and availability in thcscrvcrfarm accessenvironment.
A Cisco bladcsw itch cxtendsCisco infrastructurc scrvicesto thc scrvcredge and uscscxisting
llctwork investm cntsto help reduceoperationalexpcnscs.

M anagem ent
Thcbladc switchcsoftbralltlle Ilctwork managem elltcapabiliticsavailableon standalone
Cisco Catalystsw itchcsalong w ith bladc scrverellclosure managcmentintcgration:
w BasicaccesswiththcCisco IOS comlnand-lincinterface(CLI)
* Dcvicc lcvclacccsswith standard Sim ple Nctwork M anagcmentProtocol(SNM P)M IBS
availablcacrossCisco CatalystSericsSwitches
* Integration with blade serverm anagclnentm odulc
w CiscoW orksm anagementtool

S ecurity
Security Inechanism sincorporatc security accesscontrollistsIACLSI,IEEE 802.1x,
TACACS''/RADIUS.ctc.

Q oS
QoS l
ncclpal:ismsavailablcincludc ingressratclimitingmmarking,sllapcdround robin (SRR).
al
ld priority queuing.

1-436 lmplemenlingCiscoDalaCenterNetworkinfrastructure1(DCNI-!)v2.0 Q 2908CiscoSystems,lnc.


H-
1gh va-
1lab -
1l-
1ty
'rllc bladc sw'itchcs incorporatc lhespanl,ing-lreecllhallcclnclttstll;llarcavailablc on Catalyst
SericsSsvitclles:
* Port.tlplink,backbollc fast
w Rootgtlard.bridgc protocoldatatll)it(13PDU )guard/filtcr
* PcrV LAN Spalllli1)g Trec Plus(PVST i)alld Pc'
r'VLAN RapitlSpanlpillg Trec PItls
(IIVRST-I.)
* I
.J1)iDircctiollalLillk Dctcction (UD1..D)
* I-klyer2 trunk failllvcr

(
I)2008 Cisco Systems,Inc. Implementing the Cisco Catal
yst6500 Seri
es,Cisco Catal
yst4900 Series.and Blade Switches 1-437
Layer 2 Trunk Failover
. Challenge'
.Uplink pod failure should triggerIink outage to server
ports:
Serverwith NlC teaming can switch ffom prim aryto secondary
N IC
+

4' 5 link state track l


?%'A. 1
' -. :'.
'
' lnterface Portchannetl
. ' G
K c j
ltnk et*t* group 1 upstre&m
..' '.
'1 .
'
) lnterface rlngeGlgableEtherneto/l - IQ
link stlte group l downatream
1 '
I t..
y . 1
I ' LJ f 1
10 1 1
Server1 l
Blades j
1y
-''<.
f * ** '-%.
'.w. ':
$-4..
) j
I
I- . - . - . - - - - . . - . - . . . . .1
BladesewerEnclosure

Bladc serverbladcsconnccted to a bladcsw itch havc l:o knowledge ofw'hethera switch llas
colyncctionsto thcrcstofthcnetwork.
lIpcase ofan tlplink portfailure,a scrvcrusing NIC tcalning would notsw itch ovcrfroln thc
prilnary to the sccondary NlC (ustlally connected to anotllcrswitch).
Laycr2 trunk failoverisused on the blade sw itchesto triggerlink outagcsto serverportsin
cascofa link outageon thcuplink ports.thusenabling selwerto switcllovcrto thcsccondar.y
N IC .

C onfiguring Layer2 Trunk Failover


To enable Laycr2 trunk failover.the following contigtlration stepshave to be takcn:
Step 1 Contigtlrca Layer2 trtlnk failovergrotlp w'ith lhe link state track global
contigtlration comm and.
step 2 Detincthctlplink ports asupstream with the link state group upstream intcrface
collfiguration com mand.
step 3 Dcfine theserverdownlillk portsasdowllstrcam with thclink stategroup
dow nstream interfacccontiguration com m and.

Note ln the exam ple.the interface Porlchannel1 was configured in advance.

1-438 lmplementirtgCiscoDataCenterNetworklnfrastructure 1(DCNl-1)v20 @ 2008CiscoSyslems, Inc,


C 1sco B Iacl(.)S w 1tc1) P Iatfo rm s
HP c-class ''' s7 ' '

.'J
I1';*
DELL 'hx'
-px-r--' cT z d ' I *I

FujltsuSl
emens $.lr:
*F*v,.
e
..A -
z ; - ,4,

.A

I
sM ;I,
.-.
Jz 7

HP pr lass

Cisco ollkrsthcse bllltlutswilches:


K Fih'c'isco bladesw'itchcsforIIP.I)cl1.and FtljitstlSienlellsbllltlescrvcrsyslcllls
K Tu'()()L.51blatlc svvilcllcsforH P alld lB51 blatlc servcrsystcllls:

Note The OEM ctlstom swi tches offerm anyofthe sam e features benefi
ts and value butare
designed speci
ficall
y forIBM and HP blade products.They are sold by IBM and HP only.

@ 2008Clsco Systems.lnc. fmptementing the Csco Catafyst6500Seri


es.Cisco Catal
yst4900 Series,and Blat
je Switches 1-439
Introducing the C isco B lade Sw itch for H P B lade
S ervers
Thistopic dcscribesthc Cisco blade sw itch forHP blade senrers.

H P c7000 B ladesystem O verview


Front:
- 8 full-height/l6 half-heightsefverbl
ades perenclosure
. Rear'
-
2 slotsforGigabitEthernetswitches
.-
2 slots FC orGigabitEthernetswitches
-
4 slotsforhi
gh-speed I/O (forexample InfiniBand,10Gigabit
Ethernet)
. i
LAN e tchor LAN switohof
tr .
.
p- thrx gh p-wtllrxqh
j
;' )J sANswlzhor sANswi tchor
1
; pess.throuqh pass.throogh
'
. . sAN swlyctTor SAN swllch(pr
3d pass.throuh pass.tbcotlgh
F7ront Rear SAN smtchor SAN switchchr
pass.throogb pass.tbrough

HP c7000 B ladesystem C haracteristics


The HP c7000 Bladesystcm hasthese characteristics:
w 10 rack unit(RU)cllassis
w Ftlll-heightserverbladcswith up to cightpcrenclosure
w Half-heightserverbladeswith up to 16 perenclosure
K Half-hcightstorage bladew ith up to 15 pcrenclosure and a totalof90 drivcs pcrenclosure
. 10 GigabitEthenlet-capablebackplanc
. l/O options:1?'I0 G igabitEthernet,InfiniBand.Fibre Channel
* lntegratcd HP Bladcsystem lnsightDisplay lillked to ollboartlmanagementadlninistrator
forIocaland rem otc systeln managclnent
. Up to six hot-swappablcpowcrsuppliesconfigtlrable forN +N orN+1redundancy

H P c3000 Bladesystem C haracteristics


Thc HP c3000 Bladesystcm hasthcse characteristics:
w 6RU chassisortower
w Full-hcightsetwerbladesw ith tIp to fourperenclosure
. I'lalf-lleiglltserverbladcswith up to cightpercnclosure
w Four1/0 intercollnectbayswith eithcrEthcrnet,InfiniBandeorFibre Channcl

1-440 lmplemenlipgCiscoDataCenterNetworklnfrastructure 1(DCNI-!)v2.0 @ 20()8CiscoSystems, lnc.


Netw ork Interconnect Bays
The lIP 1)ladcsystcln c-classcllassisllas tbtlrpairsofintercollneclbays(using k'rtlss-eonltects
llorizolltalIy acrossll1cbays).

(()2008 Cisco System s.lnc. Implem enting the Cisco Catalysl6500 Series,Clsco Catatyst4900 Series,and Blade Switches 1-441
C isco B lade Sw itch 3020
* 8 external10/100/1000BASE-T RJ45 uplink pods:
- 4 shared with SFP ports - one can be active ata tim e
-
2 shared with internalcrossoverto paired CatalystBlade
Switch 3020
. 16 internal10/100/1000BASE-T downlinks forsewerconnecti ons

PortLEDS

/ls)
,
'
,'
7
T
ky
X
?
.:%*
'
.S
-'
.E'
j:jj'/r
t
.y
j?j
f
) '
r
. ..

(;L.k
we ' .z
o
. .A
.

Console 4x SFP 8x R.145


Uplink Ports Upl
ink Ports

Tlle Cisco Blade Switch 3020 forIIP c-class Bladcsystcm providesan intcgrated switching
solution w ith Cisco rcsilicncy,advanced security.and enhanccd m anagcability to thc scrk'
cr
edgcxwllich reducescabling rcquircments.
Thc Cisco Bladc Switch 3020 shipsasa singlc tlnitand should be ordercd in quantiticsoftwo
forrcdundancy purposc.A singlc bladecan llaveup to fouroptionall000Base SX tibersmall
form-factorpluggablc(SFP)modulcs. +

The Cisco Blade Switch 3020 isa Laycr2+ sw itch and suppol'tslnany Layer3 functions,
exceptIP rotlting.Itiscompatible with the HP c-class servcrblades likc BL460c.BL480c.
BL456c.BL685c.and BL8x0c.
The following system properticspcrtain to the switch:
* l28 M B ofm eluory and 32 M B oftlash
p 48-(Jb/ssw itching fabric
. Up to 36-M p/sforwarding ratc bascd on 64-byte packets
. Up to 8l92 M AC addresses
T11e tbllow ing intcrfaccsare availablc:
* I('
tinternal10/l00/l000BASE-T downlinksused forscrvcrconnections
* 8 1-Gb 11.145 coppcruplinks
.

w OptionalfourSFP SX m odules fortiberconllcctivity w'


hcrc eithercoppcrorSFP portis
activc

Note Ports 17-20 are com bination ports,suppoding ei


therGxed RJ..45 connectors orSFP
connectors lnsertion ofan SFP connectorautomatical ly isabses the associated copper
connector

1.442 ImplementingCiscoDataCenterNetworkInfrastruclure 1(DCNI-I)v2.0 @ 2008CiscoSystems,lnc.


Note Ports 23 and 24 uplinks can opti
onally be configured as internalcross-connects to a paired
Cisco Blade Switch 3020.

tJp to six tlplink portscanbc ptltinto aportcllanncl.providing 6-(ib/sconllcctivitjr.

C isco Blade Sw itch 3020 Features

Categofy Features
Spanning Tree . IEEE 802.1D.802 1s.802.1w
* PVST.PVST+.RapidPVST
M PeC-VLAN Rapid Spanning-Tree (PVRST+)
* PortFast.UplinkFast BackboneFast
. Spanning--rree RootGuard (STRG),UniDirecti
onalLlnk
Detection (UDLD)
LinkAggregation . IEEE 802.3adwith LinkAggregationControlProtocol(LACP)
* Etherchannelusing PortAggregationProtocol(PAgP)
VLANS w IEEE 801.Q and Cisco ISL tagging
. VLAN Trunking Protocol(VTP)
. DynamicTrunking Protocos(DTP)
* 1024 VLANS and 4000 VLAN lDs
Advanced QoS . 802 1pclassofservi
ce (CoS)anddi fferentiated sel
-vices
codepoint(DSCP)field classification
. Cisco QoS ACLS
w SRR scheduli
ng
w Cisco Commi tted Information Rate (CIR)
Vullicasting * lnternetGroup ManagemenlProtocop(IGMP)snooping vl&
v2
w Multi
castVLAN Registration (MVR)
w Per-portbroadcast multi
cast and unicaststorm conlrol
. 1000 Consgurable IGM P groups
Security * TACACS+,RADIUS
. IEEE 802.1x
. Port-based ACLS(PACLS)
K SSHVI& SSHVZ.Kerberos,SNMPV:S
> MAC address notification
. Protected por!feature
Management > Cisco Discovery Prolocol
. Cisco 1OS CLI.CiscoW orks
. R MO N 1 and II
. SNM PVI,SNMPv2c,and SNMPV: S
. SPAN,RSPAN
. End-to-end Cisco so com mon userinterface and soflware
upgrade across entjre switch nelwork

@ 2008Cisco Syslems.Inc. Imptementing the Clsco Catatyst6500Seri


es.Cisco Cataf
yst4900 Series.and Bfade Switches 1-443
Sw itch A rchitecture
(.
-(
711E;(91()r'
9(.
)rt
1 1
l I
'
1 32M8 *e - 1 . - 12aMB '
Flash ; # SDRA I
I I
l 1
l I
l 1
1 I
I TCAM *-. ASICS '' TCAM I
I
I j
I I
I 1
I . I
l
X II)tL'
arqb%'ItC)t)1 '' I
(- In 1
. )(lrlet..,l1t?1th
z( pjlE
'()f1S 16 tE
qf.
'
lrvtlr1
J)owrl11(jl
' q
(Ig(.J$
74.
?(I ilavt1' . F(
z3 ?w), 4SFP po(.ts' I
!J;.
'I1;lk.Pr.
,rlq)I P@rt: I

Thc figure showsan ovcrvicw oftheCisco Blade Switch 3020 arcllitecttlrc. The following key
col
npollontsconstitutc tlle switch:
* Processorthathandlesthc controlplane functionality
* FlaFll,TCA M .and w'
orking memory thathold thc Cisco IO S il
nage. loaded Cisco I()S
code.and N'ariousmemot'y structurcs
K ASICShandling packetlnanipulation
w Physical(Pl1Y)layerforbridgingbetweenASICSand physicalports
. Ports intenpal(l6 servcrdownlink ports).cxtcntal(eightRJ-45 and fotlrSFp-bascd ports)
and interswitch(two connectivityports;ifuscd.twouplinkportslesscanbeused)

1-444 bmplementingCiscoDataCenlerNetworktnfrastructure)(DCNI-!)v2.D (
t)2008CiscoSystems, lnc.
Introducing the C isco B lade Sw itches for D ell
B lade Servers

D e1IPow erEtlge 1955 O vorv1ew


v Front:10 seerblades perenclosure
Rear:4 slots forI/O sw itches

It): ,.*' ' - IChI


: . . Iu w w 'xx ;
... - I .T . . .
k:l . ...
0amxj ,Io3
# ' ' ,t>
1. '' 711 '''*'
': X> O -e=. v
- ,.. .. .
N.
NQ ,
'
'
,..
j
;)
jK
-.
#w
,.
,-
'.
., ..
(
.
t
g .
'
:
.. ,
. ,
)
:<
'.
j,
c
'o
q
,
a
.
c
,
k.
'
ve
dr
i
rxf,

Note DellPokverEdge 1955 System is a DellPewerFdge 1855 System stlccessor.

$)2008 Cisce Systems,lnc. tmpfementiflg the Cisco Catalys6500Seri


es,Csco Cataf
yst4900 Series,and Blade Switches 1-445
C isco Blade Sw itch 3030
* 6 externaluplink ports:
-
4 SFP pods
-
2 R.145 10/100/1000BASE-T copperports
. 10 internal10/100/1000 Mb/s downlinks forsewerconnections
EOS:June 9,2008

4. 71i.k.'i. r - 4-- .aw.


. .k.- . . @#..*#>@@
console .: L
r@
.- wjw:..jf,?.l( ,y/
'

:dt2x'
-lt t-
1-
R.145 4: SFP
Uplink Ports Uplink Pods

Thc Cisco Blade Sw itch 3030 forDellPowcrEdgc l955 and 1855 Blade ServcrSystcms
providesan intcgratcd switching solution with Cisco resiliency.advanccd sccurity,and
elthanced m anagcability to thcscrvercdge which reduccscabling rcquircments.

Note The switch reacbesen-of-sale(EOS)statusonJune 9.2118.

Tlyc Cisco Blade Switch 3030 isa Layer2+ switch and stlpportsmany Layer3 functions,
uxceptIP routing.Itiscom patible with tlw DellPowerEdge 1955 and predecessor l855 Bladc
ScrvcrEnclostlre.
Up to fourcan be installcd perchassis,w ith thc second sctoftwo requirillg Ethenletdaughtcr
cardson each serverblade.
Thc follow ing systcm propertiespcrtain to the switch:
K l28 M B ofmem ory and 32 M B offlash m emory
* 32-Gb/ssw itching fabric
* Up to 24 M p/sforwarding ratcbased on 64-byte packets
* Up to 8192 M AC addrcsscs
Thc follklwillg interfacesareavailable:
K l0 itlterlpal10/100/I000Base-T downlillksused forserverconllections(ports l-l0. portfast
cnabled)
* Two cxtcrnal10/l00/1OOOBASE-T copperports(ports l1.l2)
. FourcxternalI0/l00/1000 SFp-based copperorfiberSx-based ports(pol-ts l3-I6)
. Serialconsolew ith portredirection to DcllDM RAC

1-446 ImplementingCiscoDataCenterNetworklnfrastrudure 1(DCNI-I)v2.0 @ 2008CiscoSystems.Inc.


C isco B lade Sw itch 3030 Architecture
Console Port
C I
1 1
l . I
1 3ZMB . . ' -' .#.+.;'...: *e 128 ve I
I Flash SDRAM I
1 1
I 1
I 1
1 1
I 1
I
l
TCAu ASIC ASIC TCAM 1
1
I I
1 1
I I
1 I
..
c.. g j
I
I 1
'
1
4sF ' ,Ra.s 10 ServerDownlink '
,z 1
I ,
;
.,
.l
p
?.gt
l,kx Ports Ports 1

@ 2008 Cisco Systems.Inc. trnpfementing tbe Cisco Cata


yst6500 Serl
es,Cisco Cataf
yst4900 Serfes.and Bl
ade Switches 1-44:
D ellPow erEdge M 1000e O verview
Front:16 half-serverblades perenclosure
Rear:6 slots forI/O switches

DcllPowcrEdge M 1000c Systcm Charactcristics: *

. 10RU clpassis
w t!p to 16 half-servcrbladesperenclosure
w Hot-swappablcnonreduntlant(thrce)orredundant(31I.3q'3)powcrsupplics
. Six 1/()sw itch modules forthree rcdundantfabrics(can hostCisco BladeSwitch M 3032.
M 3l3()G,M 3I30X )
K Nine llot-swappable fan modules
K Threc chassiscontrollersw ith KVM switclh

Note EthernetFlexso Swi


tches provide on-dem and stacsi
ng and uplinkscalability.

1.448 lmplementingCiscoDataCenterNetworklnlrastructure 1(DCNI-I)v2,O @ 2908CiscoSystems,lnc.


C isco B lade S w itch 3032
. 8 externaluplink pods:
4 10/100/1000BASE-T R.145 copperpods
4 SFP ports(using Cisco TwinGigConverterinX2 slots)
. 16 internal10/100/1000 Mb/sdowntinks forserverconnections

.
o j N 111# .
g

1
4x R.145 4x SFP
1
Console
Uplink Ports Uptink Pol
'
ts

-1'1)i
J(.'isco Blade Sw itch 3032 forDellPowcredge N1ll)()()e l3ladc SenrerSystclnsprovidcs:11)
illtegratcd s' kvitcllil'
lg soltltion '
w itl:Cisco resilicllcy-adv'
allced sectlrity.and cnllanced
lllallageabi1ity to tlle scrN'credge.urllicl' lredtlcescablillg rcqtlirelnellts,Tl'
le-isco Bladc Sqvilcll
3()32 isa Layer3 s'k vitch.
'I-1)etbllovvillg systcl'
llpropertiespcl
lain to tllc s'
w itch'
.
lelnor.v alld 64 N1B of'llasl)I'
* 256 N1B ofl' lltvlllt'ry
w 4Fl-CJb/sswitching fabric
K U1
)to 36 Vlp/sfonvarding ratcbasctl01164-by1c packels
* L;1
)to 8l92 N1A(.
aaddrcsses
Tllttlbllow ing illterfacesarc availablc'
.
* It'Iillterl:all0/I00/l000Basc-T do'
kvlllillkstlsed t'
tlrservcrctlnllections
* F()Llrcxtcnlall07100/l000BASIE-T R.145 collpcrptll
4s
* FotlrcxternalSFp-based ctlpperorfibttrpllrtstlsing'isco T'
svintiig converternltltltllc il'
l
5:2 qlots
K Serialcollsolc
m F:1st1
-,
Tlllenletl
'
nallagttnlentintcrlce colllttlctetltt,C'isco NlallagclllentConncction

(()2008 CiscoSystems,I
nc. Impl
ementi
ng the Ci
sco Catalyst6500 Series.Cisco Cataiyst4900 Serles,and Blade Swi
tches 1-449
C isco B lade Sw itch 3130G and 3130X *

* 3130G:8 externa!uplink ports:


4 10/100/1000BASE-T 9.145copperports
4 SFP ports(using CiscoTwinGig Converterin X2 sl
ots)
. 3130X:6 externalupl inkpods:
4 10/100/1000BASE-T RJ45 copperports
2 X2 10 GigabitEthernetports
w 16 internal10/100/1000 Mb/s downlinks forserverconnecti
ons
3130G 3130X
,. r(r
'.:.
'''
,.m- r- ,..

*@ k w w * .

4: RJ45 4: SFP
1*
conscle 4
t 1:
Upll
nkPods Upls
nkPods Uplx RJ
lnk 45ls Uply
Por xXPor
lnk 2 ts Console

'rhcC isco Bladc Sw itches313OG and 3130X forDcllPowcrEdgeM 1000e BladcServer


Systclllsprovidc an integrated sw itching solution w ith Cisco rcsilicncy. advanced security.and
cnhanccd lnanagcability to thc scrvcredge.which rcduccscablingrequircments.
Thc following systcm propertiespertaillto thc switcll:
. 256 M B ofmcm ory and 64 M B oftlash l
nemory
. l28-G b/ssw itching fabric
. Up to 59.2 M p/sfonvarding rate bascd on 64-bytc packcts
. Up to l2.000 M AC addresses(dependson lhc telnplatc tlsed)
Tllc following intcrfacesarc available:
w l6 intcrllalI0/100/1000Basc-T downlinkstlsed forserverconncctions
* Scrialconsole
. FastEthernetm anagementinterface conncctcd to CM C
. Cisco Blade Switch 3I30G:
FourcxtenlallO/IOO/IOOOBASE-T RJ45 coppcrports
FotlrcxternalI-Gb Sll
-p-based coppcrorfibcrportstlsing Cisco TwinGig convcrtcr
module in X2 slots
* Cisco Bladc Switch 3130X :
Fourexternall0/100/lOOOBASE-T RJ45 coppcrpol'
ts
Fourcxternal10-Gb X2 bascd ports
'isco Bladc Sw itches3l30G and 3I30X supportvirtualbladc switch functionalit
'y.

1-450 smpl
ementiggCsscoDataCenterNetworklnfrastructure1(DCN-I)42.
0 Q 208CiscoSystems,lnc.
'

C isco B Iade Sw itch 3130 and 3032


A rch 1tecture
16 Server
Dow nlink Ports Console Port
10/100 Ethernet
1
I .N . I
I : . . .
. ' l
I / .. #F .2;.: ''' 4
..
I ' . .'' I
I 1
1 I
I 1
I 1
I I
l ASIC I
I
I
ASIC ASIC I
I
I I
I I
I 1
I I
I I
1 x..e.
oojj
. 4jaj
tx
j 4 R.J45pods XZ/SFP XZ/SFP .. ,. u o.ty,
. I

Q 2008 Ci
scoSystems.lnc. Itnpi
ementingthe Cisco Catalyst6500 Series Cl
sco Catalyst4900 Series.andBfade Switches 1-451
S oftw are Licenses and Features
Same im age with differentlicensesto activate feature set
Cisco Blade switches 31xO ship with IP Base image
. Cisco Blade switch 3032 can run only IP Base im age

standarL2+Featureset X 1 X i x
IP Source Guard and DynamicARP Inspection X X j ...X
. . .. . . . .. . . . . . . j. ..

R1
P/St
at1
c,EI
GRP Rub X X 1 X

I
Pv6Manageabh l
ity
MullicastOSPF BGP
.
X 1 X
s
j
i
X
x
- J. . . 1 . . - -- . - .

X l x
1 x
.

t ( x -'
C isoo IO S on C isco Blade Sw itches
Cisco Blade Switches3Ix0 run a ullivcrsalCisco IOS image thatisthesam e imagcused ffar
any fcaturc sctand containsallCisco IOS featurcs.
Only thccrypto version(K9)isavailableseparatcly from theCiscosoftwarecenter.
Licenses
Thrce licellsctypesexist:IP base, IP services,and advanccd IP scrviccs.
A liccnse isrequired foreach switch. including each sw itch in a stack. and islocked to 1he
tlniqtledcviccidentit-ier(UD1)oftheswitchand doeslpotexpire .

Cisco Blade Switchcs31xo ship w ith IP Base Stantlard license installcd. thusto activatcany
otherfcaturcseta licensc file hasto be changed.
Thishasno impacton Cisc.
o lOS version updatis.

Note T'
he Ci
sco Blade Switch 3032 can only run the IP Base image.

License A ctivation
A ctlstolnerpurchascsaProductAtlthorizationKey(PAK), obtainsU Dlsforthc deviccsto
tlpgradc.and passcsthc illformation to Cisco liccnsc portal.
Licenscsare then elcctrollically scntto tllccustolncr, wllo appliesthem to thc dcviccs.
No intcrnetconncctivity from thc switch to Cisco isreqtlired.

Note DifferentPAKS fordifferenttypes ofswitches exist, and an individualPAK can generate


multipleIicensesbefore itexpires (similartoa debitcard).

The Cisco liccnscportalcan provide thc liccnse history forany device.

1-452 lmplemenling Ci
sco Data CenterNetworklnfrastructure 1(DCNI-I):2.0 @ 2008 Cisco Systems, lnc.
Replacing M alfunctioning Devices

Thisrcqtliresa ('isco.col'
l'
llogil'
lsthe oltlU DImtllcncw U r)1.aI1(!llle servicc contractl'
. ltll'
lpbcr.
No PAK isreqtlired.

Note A maxim um ofthree replacemenlIicenses can be generated from the originalIicense before
a TAC callis required.

Tlleotlleroptiollisto tlse spariIlg.and replace thc failcd s'


w'itch '
svilh 11likesparc.

C
0 2008Cisco System s.jnc. lmplementlng lheClscoCatal
yst6500 Senes,Cisco Catalyst4900 Serles,and Blade Switches 1-453
anagl
-ng C I
'SCO I S L-
ICPNSes

''- - ..
e . s
):
l' - ' ' ' '
'''-..q
,2q
r
.2
:
y4
7
d
J
d
j;
7
*
8jlll .' ..E
..
jg:'
x -- '$
...' '' !!..
.
.. .........
..

ewttch# llcense install flash; rlfs-lps


Inltlkliag lic*nmee from *'kalhlrltl-iplm
'n@ta1lx ...#*etut*lipgew 1c**... :uecwelfutz:uppoyt*d
1/l licenpea vere succesafully inatllled
0/l licsnsea wer. extsttng licensea
0/l llcenses were fasled to inatall

switch# 19:46:56: %10: LICENSE IMAGE APPLICATION-S-LICKNSE LEV:LI


Next reboot level = lpaervlce, and Lsrenae a paervicee

O btain1ng the License


Thesearcthe options tbrobtainingthe license:
. BtlythcPAK codcfor:1spccificIiccnsc(itrepreselytsthcproofofpurchase).
* GctthcUD Iforthe switchesto bcupgraded.
w Log to tlpe Cisco Iiccnsc portala!http:''
5NNy'v'u'isc(),c()l1)'g()'liccllscs alld creatc a Iicense t5le
.

using the PAK and UD1.


* Download the license file reccived by cmailto the sw itch tlash lnemory.
% Installthe licensew ith the llcenseinstallcom mand.
>
Rem oving a L'
Icense
Ifrcquircd-a licensc can be removed with licenseclear EXEC eom m and.
switch#license clear ipaervices
Feature: ipservices
l License Type : Permanent
License State : Active , In Use
License Addition: Exclusive
Comment:
Are you sure you want to clear? (yes/(no)): yes

Exam ining the License Inform ation


Usctlpe following colnmandsto cxam inc and vcrify the liccnse infonnatiolp:
* To display availablclicenscs.usc thc sbow license filecom mand.
. To cxalnine stattlsofindividtlally licensed tkatures. use tlleshow Iicense statusand show
licensedetailcom mantls.
. To display licensable UDls, use theshow Iicen&eudicomm and.
* To dcbtlg liccnsing,usethedebug licensecomlnand.

1-454 ImplemeotingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)v2.0 @ 2008Cisco Syslems, Inc.
Use

1
'
T
.xlllnfl'
lc 1)1e s'
kvilc'
llLl1'
)I(rkz
'
quircd foroblailling !J1e Jjtrellsc).
'
switch#show license udi switch 1
Device# PID SN UDI
*1 WS-CBS3I3OX -S FOC1132HZSR WS -CBS II3OX .S :FOC II3ZH ZSR

C)2008 Cl
sco Systems.lnc. Impl
ementing the CiscoCatalyst6500 Series.Cisco Catalyst4900 Series.and Blade Switches 1-455
*

V irtualB Iade Sw itch


. Stack CatalystBlade Swi tch 3130 swi
tches
Manage as one switch
* Enables active-active serverconnectivity
* Virtualportchannel- combine portsfrom differentblade switches
. Catalyst6500
- *%,
.- ...
.
3130VBS r
9SS I
. ..
/+
. 7
' .
v ' ' '
4.
x ..
7. <.
t.
' j Q l
1 . .. 1
xtc.
. .7c':. 1 .
f 1
74
<. **
.
a
,.' .
,, I
Loca(server.server
XN
V'' I
j
1
-
7q
-> k.
7p
' w d
lrafficstays within <''' 1
VBS domain I . j
h7'
< L73'
. . ':':.y6 I
.'Q jy
.
s.
..
.c I ps I
<.
.k. 1 1

Villualbladc switch technology providesa higll-bandwidth intcrconnectbctw een up to eight


Cisco CatalystBladc Sw itch 3130 switchcs.ellabling thcm to bcconfigurcd and lnanagcd as
onc logicalswitch.
ThisFim pliiics managemcnt,allowsserver-servertrafficto stay within thc virtualbladc switch
dolnain instcad ofcongcsting thccorc nctwork. and can hclp significantly consolidatc exterllal
cabling.
The following pertainsto thevinualblade switch stackl
* CatalystBladc Switch 3130G and 3l30X can bc tlsed in thc same stack
m Serveractive-activeN IC team ing ispossible witl)Pol-tchannclto span multiplephysical
switclles
* M anaged asa singlc switch
* Singlcswitch in a spanning trce and Layer3 topology
* Enablesvirtualportchanneldeploylnent--colnbining ports t-
rom diffcrentphysicalblade
Sw itchesin a stack
m Spccialstack cablescan be0.5.l, or3m eterslofg'
,they are keycd t-
ol'dircction
1I:a singlc virtualbladcswitch domain thcrc isonc mastcrSwitch with lIN rcsiliency for
master;thatis each m cmberisa copy ofthc Iuastcrsw itch.
N ew virtualblade switch membcrsgetCisco IOS Sohwareautomatically tlpgradcd (to the
salne Cisco IOS Software asthc lnastcrswitch has)and automatically contigured from the
m astcrswitch.

1-45: lmplementingCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.D @ 2008 Cisco Systems, Inc.


Replacing a Sw itch in a VirtualB lade Sw itch

Standalone O peration
A f'atalystIlladc Srvitcl'
l3032 ora (ralalystBladeSwitcll3I30 (lpcrating iI1stalldaIone lllodc
bellavcs1ikca CatalystB Iade Swritch 3030 switcll.

@ 2008Clsco Systems,Inc. Impp


ementingthe Cisco Catalyst6500 Series,Ci
sco Catalyst4900 Series.and Bl
ade Swi
tches 1-457
V B S D eploym ent S cenarios
4 NIC perserver
Moreserverbandwi
dth

single VBS Separate VBS :


9.
.
t
11
j:
:' .
7
P
C
II
kj;
:
CostEffective Moreresili
ent '%t E
t'
'v

... Ika -7. .'Jl2 w .


etF
J
: jjjy;y pjrjky' y ..
. ijz
=
k)r-- ypj;-:*.
'
.
s. t
. .
k . .
?, . +.b.
.<' .Y*.-
<x
,''
-
.- .
' x
.
. ;
x ' -
.4z.
. .
x.
.
x'. '
% '' ,
@aj
dh.pzw T
'.
'. *
.7eu
jt.>. '...71'r
t. Q..' .
q
.
x

V irtualblade switchesean be deployed in differentscenarios,depending ofthe eustom ernceds,


assllown in thc figtlrc:
. A single virtualbladeswitch isthe costcffectivc solution and m ostcom mon.
. Separatcringsw ith separatevirtualbladeswitchesarc morc rcsilicnt.
* FourNlC serverscenariogivesmoresclazcrballdwidth(forcxampleforVMware).

1-458 lmplemenli
ng Cisco Data CenterNetwork lnfrastructure 1(DCNI-!)v2,0 @ 2008Cisco Syslems, Inc.
Introducing the C isco B lade Sw itches for FC S
B lade Servers
Tllistopicdcscribcsthe ('isco bladc sw itcl
lcslbrFCS B latle Servcrs.

Fujitsu Sien3ens Prim ergy BX600


O verview
* Front:
.
10 dual-socketserverblades perencl
osure
5 quad-socketserverblades perenclosure
. Rear:4 slotsfor1/O switches

l: .
'
;- .,.
.
r :j
> .

(D 2008 Cl
sco Systems,lnc. Impl
ementingthe Ci
scoCatalys!6500 Sertes.Ci
sco Catalyst4900 Series,and Bl
ade Switches 1-459
C isco B lade S w itch 3040
. 6 externaluplink ports:
- 4 SFP pods
- 2 R.145 10/100/1000BASE-T copperports
w 10 internal10/100/1000 M b/s downlinks forserverconnections

'-
t, ,. k... $
Console ?,
. j
lj
1' 1Ql
S jj
jI--
llll
;l1114.
JX1 JJX- j.
t'
u)v.j,
.
!:..
<-
y
t
.

2: R.345 4xSFP
Uplink Ports Uplink Ports

TheCisco BladeSwitch3040forFtl
jitsuSiemcnsPrimergy BX600 BladeServcrSystcms
provides an illtcgrated swritchillg solution with Cisco resiliency- advanccd security.and
elphanccd lnanageability to the servcrcdgc. yvllich rcducescabling rcquircjnellts.
Tlle Cisco Bladc Sw itch 3()40 isa Laycr2+ switch and stlpportsm any Layer3 functions.
cxceptIP routing.Up to fourcan bcinstalled perchassis.
Thc fbllow ing system propcrtiespertain to thc sw itch:
> I28 M B ofm cmory and 32 M B oftlash mem ory
@ 32-Gb/s switclling fabric
* Up lo 24 M p/sfolavarding rate based on 64-bytepackets
@ Up to 8192 M AC addresscs
Tlpc following intcrfacesarc availabte:
* l0 internall0,'l00/I000Basc-T downlinksuscd forscrvcrconnections
* Two extcrnal10/lQII/IOOOBASE-T copperports
> FourcxtcnlalI0/l00/1000 SFP based copperortiberSX based ports
w Serialconsole with portredircction to DellDM RAC
The llardware architecttlre isthe salne as forthe CBS 3030 switch.

1-460 ImplementingCl
scoDalaCenterNetworkInfrastructtlre1(DCNI-I)72.0 (()2008 Cisco Systems, Inc.
S um m ary
This topic stlmlnarizesthe key pointstllatwere disctlssed in this lesson.

Sum m ary
w Cisco blade switches are used in blade serverenclosures.
. A Cisco blade switch is equivalentto a standalone Cisco Catalyst
sw i
tch.
x Layer2 trunk failovershuts the serverporlupon corresponding
uplink failure,
*Cisco bladeswitchesareavailableforHP,Dell,and Fujitsu
Siem ens blade system s.
@ VBS functionality enables CatalystBlade Switch 3130 stacking.
, Cisco OEM blade switchesare available forHP and IBM blade
system s.

@ 2008 Cisco Systems,Inc. lmplementing the Cisco Catalyst6500 Seri


es Cisco Catal
yst4900 Series and BladeSwitches 1.461
M od ule S um m ary
Tllistopic stlm marizesthe key pointsthatwere discussed in this modulc.

M odule S um m ary
@To
ECNM
depl
oythsc
wi aer
hilaar
ble
cjma ndesi
ica!agegab
nl
e'anied.
appl dSOA datacenters'follow the
.The Cisco Catalyst4900 Series Switch is desi gned to deliverthe highest
reliabil ity and serviceability in a 1RU or2RU configurati on.
. Mul tiple generations ofsupervisors existforthe Ci sco Catalyst6500
Seri es Switches:Supewisor1,2,32.and 720.
. The Supervi sor Engine 720 provides higher-perform ance managem ent
and forwarding functions to Catal yst6500 geries Switches than any other
supervi sorengine available.
. The Supew i sorEngine 720 is designed to suppod three generations of
Iine cards.providing flexibili ty in network design and investment
protection.
* The VSS 1440 manages redundantIi nks,which eternall y actas a single
po4 channel.
. Thz Catalyst6500 Series Switch with Ci sco 1O S Software M odularity
m inimi
evos utizes
ona! down
y soft
' imeeand
twar boos
infras tructs oper
tur ation
e adv aleffici
ancement es,
ncy through e

Module Sum m ary (Cont.)


. Exported NetFlow data can be used fora variety ofpurposes,including *
network m anagementand planning.enterprise accounting and
depadmentalcharge backs ISP billing,data warehousi ng,and data
mining formarketing purposes.
. To suppor tQoS Ievels,severalfeatureshave been incorporated into the
hardware ofthe Catalyst6500 Series Swi tch,Including the M SFC,the
PFC,andthe portASICS.
. EEM off ers the ability to monitorevents and take inform ationalor
corrective action when specific monitored eventsoccurorwhen a
threshold is reached.
. High-availabilityand reliabilityfeaturesare integrated technologi es onthe
Catalyst6500 Series Switch,and the platform offers integralcom ponents
to deli
vermaximum uptime and faultdetection.
. SPAN.RSPAN,and ERSPAN sessi ons allow the network adm inistrator
to monitorand analyze traffic Iocall y orrem otely.
w Blade servers are used to optimize serverdeploymentin data centers.

1-462 lmplementingCiscoDataCenterNetworkl
nfrastructure 1(DCNl-1)v2,0 @ 2008CiscoSystems,Inc.
R eferences

k
ll2008 ClscoSystems.lnc. fmpf
ementlng the Cisce Catal
yst6500 Series.CiscoCatalyst4900 Serles.and BfadeSwitches 1-463
'

* Fornlore illfonnation on the Cisco Catalyst6500 SeriesSecure SocketsLayer(SSL)


ServiccsM odule,go to SSL s' c?a'ce.
j'A./fpJ///c #)?
'thetrW&7)'
. .
5'/6500 JrCisco 7600Seriesat
llttp:..w u'w vcisct.co1'1.
'eI1.
'LJS.
.'
p1'
otltIcts,
'lllv.
'sw itcllcs.l)s7()8'
prodtlcts data sl1ect09l86a0080
()t24f'
e9.l1tl11I
* Formoreinformation ontheCisco ContentSwitching ModulcsgotoCiscoCalalb'
st6500
5'cp'?'cx Colitentls-u'/c/lfzig A/f.
?dlf/t?at
lltt1):,Furww ,cisctl.colll/cll'tls' 'lprtpdtlcts.
lhss'
.
f
tsvN'itclles.ps708'prodtlcts data shcctog18ba()()80
(1887t3.1141111
K Form ore inforrnation on thc Cisco Application ControlEngine,ge to Cisco Application
C)>r??;/?w/E':gine A, /t)Jl//c at
1)ttp:/'.'w'w'u.,cisct).ck)m. .'en.
'tJS.
. .'
pl'()tI,'colllyteral-
'll'
lfltltlltlsa
/psz7()6''
pstlgll6.
'pl'odtlct data sllcctot
.
l
()()accd8()4586l1
.
7...ps708 Products Data Sheet.htlnl
. Formore information on theCatalyst6500 ScricsSwitch W irclessServicesM odule, go to
Cisco ()Q//f//)o'/6500SeriesWireless5'
t?/'a/t'c.j
.tvodtlleat
l)ltp:,'/'
w'&v'
u?.cisco.colA'
1,
?'
0I1,
7U S?7
pl'ot1/co1Iatcral/lllotltlIcs./
'ps27()6/ps(n526/I)rt)dtlct data slhtzctog
.

()()kl(
.
tctl8()36434() 1)s7()8 Prodtlt-ts r)ala S11(?t'
' rt.1)t11ll
. Forluore infonnation on Cisco M ultiproccssorW AN Application M ode.go to Cisco
A.
/l//?#??'
f?cc.
tf)rlf'
.,
4x Applicatiol'A/()J(?at
lltt1):,'.
'1.
5.urNvqcisc(.co1)1.
'cll.
't.
3S.
'))l'
tAd.
'
ct'llatcrttl'111t)dt!1cs.'
j)s551tl.
/prodtlct data sllcctot
looaeu'd
8l(1()1Xt)4'
. ,.
5 I)s7()8 Prodtlcts Data S1)ecl.l1tJ111
w Formore infonnation on Cisco ContentServicesGatcways.go to Cisco Co?olt>rl/Sen' ices
(J't7?(JIt'qJ'at
l'
lltp: ' $$'!N'N'.cisc().c()m.
'e1).'
. LISJprtltl//
ctll1ateraI%$irclcss.
. ''
w irclssNv'
'ps77g.
'pl
'oduct data shcfltt)
t)l8()k,( '
)08()lab17. 5 ps708 Prodtlcls I')al:l 1
..... h
;l1cklt.l1ll1'
1l
* Form ore inform ation on lhe Catalyst6500 ScricsComm unication M ediaM odel, go to
CiscoCatalb'
v
%l6500Series(7,14/Ci.
%c()zfif'
lpSeri(
:s()-bl??l?;,/??k'
t'
?//()l'
lsiedia Jz
/otf/t?at
1)ttp:.'.
'w'!w .cisco.coln'el/U S'
'prkxtl.
'collatcral/sw ittwlles.'l3ss7I8,'ps708?prodtlct data shei
ltot)
()()k!eet!S()(3(z42(3t'.l
At!ul
. Formorcillformationon1heTl/E 1and ScrvicesModule,goto Catalb'
st6000Ffzrn/r
l'oiL'
e T1t'
??lJ Services Affpt///cat
Ilttl):?'.
'$zvs,!N'.cisc(7.c()lzA/'
cl1J't-rS,
7):rs?dtIrts/
'I1:v'/
'I1)()dt1lcs/ps.
!lIslroducts data shcetog186a()()8 *
(1()9231
,8.lllm I
* Formoreinforlnation onCiscoNetworkAnalysisM odulcs(NAM-landNAM -2),goto
Cis(.
()C-t7/t'
?('
.
j'/6500Seriesand (7't:'
f?7600SeriesNt?/1$'
f?l'l'AnalbsisModltleat
l'
kttp:)ss.
'w'u .cistzo.
coln/en/t.
TSr
'
)7!'tbt('
rrt)l1kttet
':1l.
J'
1l4ttlttles.
')
7s27fJ(7.
Jps525.
')nrt7dt1ct tlata slhectotl
(ltlaeckl8tl4bal
ll1 1,s708 Products I'
lata Slp(?0t.lllltlI
* Forlnorc infonnation on Catalyst6500 Scrics Sw itch Allomaly Guard,go to Cisco
,
1?1t??,?t7'k'G'lal'd atT(?Jlf/t?at
11ltp: h' 'y!'
!. ss'.elset.
h.colll'ell.I-/S.
.pl'od.collateral,Inllkltlli
lsy'
psz70f7,psb235'prodtlct (lata sllecttlt?
()():lcu'tlhl()22()a7c ps7()8 Prokltlcls Data Slleet.lltlnl
. FormoreinformationonCiscoTrafticAnomaly Dctcctor.gotoCisco Fl'
qflczlr7tp??7t7tJ'
Dgfcctor Ar foc/l//e at
l1tlp:. '.u'u hv.cisckl,clllll'cn,'tlS.'pro(l/
'coIlateral'l'lotltllcs''ps27()(>/
'I>s6236'
'pl't'(luct data shcctot
?
t4pilt:cd8()2201)6c ps708 .
... 13rtldt.
lcts L7:1t1
.1 S1
1et'tt.l'
1(l111
w Formorcinformationondefaultqucuemappingsanddropthresholds.gotoDqjtlltD?'tl/?-
Thwxhold Pel'centagesand L-b5'lQ?/?fc M appingx at
llttp://ww w.cisco.cole en/us/docs/switclles/lall/catalyst6soo/ios/lz.zsx/configuration/guid
e/qos.htm l#wpl478881

1-464 Impl
ementi
ngCiscoDataCenlerNetworkInfrastructure 1(DCN1
-1)v2.
0 @ 2008CiscoSystems,jnc.
k
ll2008 ClscoSystems,lnc. fmpf
ementi
ng the CiscoCafal
yst6500 Series,CiscoCatatyst4900 Serles,and Btade Switches 1-465
M odule S elf-c heck
Usc the qtlestions here to revicw whatyou leanled in thismodule.Thecorrectallswcrsand
Folutionsarc found in theM odule Sclf-check AnswerKey.

W hich data ccnterevolution driverslowsthepowerdem and growthby incrcasing thc


utilization ofthe resources? (Source:Dcscribing theCatalyst6500 and 4900 Series
Switch DataCenterArchitecturc)
A) Human collaboration
B) Businesscontinuity
C') Virtualization
D) Agility
()2) qrhichtwoofthefollowing Ciscodalacelpterplatformsarcsuitableforthcdatacentcr
core laycr?(Choose two.)(Source:Dcscribing the Catalyst6500 and 4900 Scries
Switch Data CenterA rchitecttlrc)
A) Cisco Catalyst4900 ScricsSwitches
B) Cisco Ncxtls 5000 ScriesSw itches
C) Cisco Catalyst6500 Serics Sw itclles
D) Cisco Nexus 7000 ScricsSw itchcs
E) Cisco Blade ScricsSwitchcs
Q3) W hich ofthefollowingCisco Catalyst4900 Seriesswitchismodular?tsourcc:
Dcscribing and Positioning theCisco Catalyst6500 and4900 ScriesSwitchcs)
A) Catalyst4900-51
B) Catalyst4948
C) Catalyst4948-I0G E
D) Catalyst4948-M
Q4) W hichthrcchigh-availability fcattlrcsdoCiscoCalalyst4900Scricsswitchcsoffcr?
(Chooscthrce.)(Sourcc:Dcscribing and Positioning thcCisco Catalyst6500 and 4900
ScriesSwitchesJ *
A) l+ lrcdundanthot-su' appablc powcrstlpplies
B) Rcdtlndantstlpcrvisorengiltcs
C) Rcdundantbackplanc
D) Rcdundant,hot-swappable fallswith variable speed
E) HSRP,VRRP and G LBP support
F) StatcfulSwitehover(SS(3)

$-466 lmpl
emenlingCiscoDataCenterNetworklnfrastructure)(DCNI-!)v2.
D @ 20OBCiscoSystems, lnc.
A1 Access laycr
B) Aggrcgatitllllaycr
(--) Corc laycr
Nexus70()0
Nextls5000
'isco k'atalyst65()0 Scrics Switcll
Cisco C'atalyst49()0 ScricsSu itcll
5. f.
'isco blatlesu'itc11

5. Distribtlted sustaillcd 48 M p/'


sperDF('3

(.)8) NVIIicl)two slots il:(Misco Catalyst6509 Switcllchassiscal)llosta Supervistlr720


engillci.(Choose two.l(Sotlrcc:Dcscribing thcCisco ('atalyst65()4)Scl'icsSwitch
A
Stlpervisots)

C)2008Clsco Systems,1nc lmptementingthe Cisco Catalyst6500 Series.Ci


sco Catalyst4900 Seri
es,and Bl
ade Switches 1-467
()9) W hich componclltoftheSupervisor720holdstherouteandswitchprocessors?
(Sourcc:Describing tlpe Cisco Catalyst6500 ScriesSwitch Stlpenrisors)
A) PFC3
B) M SFC3
C) Switch fabric
D) DFC3
Q I0) W hichtwo ofthcfollowing arebcnefitsofthcVSS?(Choosctwo.)(Source:
Describing thc Cisco Catalyst6500 SeriesSwitch Stlpervisors)
A) M EC
B) V irtualdcvicc contexts
C) Active-activc data plane
D) Enhanced 1-2 security
E) Redtlced sw itchovertimc
Q lI) W hichofthefollowing modulescanbeuscdtodeploy theVSL?(Sotlrce:Describing
thcCisco Catalyht6500 Series Sw itch M oduleand PowerSupply Options)
A) W S-X6704-10GE
B) W S-X6708-l0GE
C) W S-X6716-10GE
D) W S-X6724-SFP
W hattwoVSL protocolsareusedto illitializeVSS'?(Choosctwo.)(Sourccz
ImplerncntingCiscoCatalyst6500VSS 1440)
A) StatefulSwitchover
B) Link M anagclncntProtocol
C) IP BidircctionalFonvarding
D) Enhanced PAgP
E) Rolc Resolution Protocol
Q I3) W'lpich DualActive Detcctionmechanism isdeploycd overLayer3directEthcrnet
collnection'?(Sourcc:ImplemcntingCisco Catalyst6500 VSS 1440)
A) IP BidircctionalForwarding
B) Enhanced PAgP
C) RoleRcsolution Protocol
D) H SRP
Q l4) W hatisthe Iaststep ofVSS convcrsionprocess?(Source:ImplclnentingCiscoCatalyst
6500 V SS 1440)
A) sw itch convertm ode virtualcom mand
B) reload comlnand
C) switch virtuallink sbilch-ntlm bel'comm and
D) switcllacteptm ode virtualcom m and

1-468 lmptementingCi
scoDataCenterNelworkInfrastructure1(DCNI-I)v2.0 (()2008CiscoSystems, 1nc
'

A) (71S('
0 BASE
13) (-1S(*0 l.ATI-'S'F
.

(') C1S('0 LATEST AI'TIVATE


Relllll&'c ollc lcq'clofillstalIlilcs

A) DEST-SRL'
I1) SR('()N I-Y
(-') D EST ON l.Y
I)) D IEST-SRC-IN T
I() Ft-lLl-

Trtle
Falsc

C)2008Cisco Syslems.Inc. Implementing the Cisco Calal


yst6500 Seri
es,Cisco Catal
yst4900 Series,and Bl
ade Switches 1.469
Q20) W hichofthefollowingcommandshastobeuscd inordertoenabletheQoSprocessing
on PFC?(Sourcc:ImplcmentingQoS)
A) enabIeqos
B) m lsqos
C) enablepfcqos
D) pfc qos
()2l) W hcreisaCOPP policy applicd?(Source:ImplemcntingOoS)
A) Through a globalconfiguration
B) On thcincolning intert-
ace
()') To a internalPFC to M SFC intcrt
-ace
D) To a controlplane intcrface
Q22) W llichtwooptionsareavailabletodcfincanEEM policy?(Choosctwo.)(Sourcc:
llnplcm cnting EEM )
A) EvcntDctcctors
B) CLIApplet
C') EvcntM anager
D) EventM allagerPolicy Engine
E) TclScript
Q23) W llattwo GOLD diagnosticscanbeuscd fortroublcshooting?(Choosetwo.)(Sourcc:
Utilizing Automatcd Diagnostics)
A) Bootup diagnostics
B) On-demand diagnostics
C) IIealth m onitoring diagnostics
D) Schcduled diagnostics
Q24) W hatisuscdto triggerthcSmartCallHometo send themessagc?(Source:Utilizing
Atltomatcd D iagnostics)
A) Contactinformation
B) Alcrtgroup
C) Profilc
D) Destination addrcss
E) Destination transportmethod
W hatarcthethrecsupported traftic sourcesforthcSPAN source port'
?(Choose threc.)
(Sourcc:ImplcmcntingSPAN,RSPAN,andERSPAN)
A) Interface
B) NetFlow
C) VAC L
D) VLA N
E) Portchanncl
926) W hatisthesourceofRSPAN sessiononthedcstinationswitch?(Sourcc:
Im plem cnting SPAN.RSPAN .and ERSPAN )
A) Intcrface
B) RSPAN VLAN
C) VLAN
D) Portc-hanncl

1-470 ImplementingCiscoDataCenterNetworkInfrastructure 1(DCNI-I)v2.0 @ 2008Ci


scoSystems, Inc.
vruj
y
F:tIse

@ 2008 Cisco Systems.Inc. Impl


ementing the Cl
sco Catalyst6500Series.Cisco Calalyst4900 Series.and Blade Swftches 1-47.
4
M odule Self-c heck A nsw er Key
Q l1 C
Q2)

1-B ('

1-B

Q8)
Q9) B

Q)20)

Q23) B.D

1-472 ImplemectingCiscoDataCenterNetworkI
nfrastructure 1(DCNI-I)72.0 @ 2008Ci
scoSystems, lnc.
@ 2008ClscoSystems.fnc. Implementi
rlg the Cisco Catal
ysl6500 Series.ClscoCatalyst4900 Series.andBladeSwitches 1-47.
3
1-474 implementingCiscoDataCentefNetworki
nlrastructure)(DCNl-1)v2.
9 @ 2998CiscoSystems,lnc.
uodqle21

Im plem enting FW S M fora


D ata C enter N etw ork
Infrastructure

O verview

M odule O bjectives
2-2 ImplementlngCiscoDataCenterNetworkl
nfrastructure 1(DCN1-1)v2.0 (D2008Ci
scoSystems,lnc.
Lesson1l

Im plem qnting Tra#i FIpF q

O verview
TheC isco Catalyst6500 ScricsSwitch callbcprovisioncd Nvith Cisco scrvice lnodtllcsto
provide additionalprocessing ftlnctionsbcyolld routing and switchillg.01,eof'tllese nlodulcsis
tlte Cisco Catalyst6500 Serics FircwallScrvicesM odulc (FSVSM ),n'hich providesintegratcd
fircwallservices in the C'atalyst6500 Scries Sw itch chassis.Desiglling networksthattlse the
Catalyst6500 Scries FSVSM rcqtlircsan ullderstalpding oftirewallscrviccsalld thc FNVSM .
This lcssolldiscussesthe IP lletvvorkilpg ten' ns and concepts relevalltto the undcrlyillg
operations ofthc Catalyst6500 SeriesFW SM .describestlpcchallengestllatlircvvallsaddress.
alld tllekey fcattlrcsand arcllitccttlre ofthe Catalyst6500 ScricsFSVSM .

Objectives
Upon completing thislesson,yotlwillbcablcto explain the basic installation and configtlration
procedtlresforconfigtlring thc Catalyst6500 SeriesFW SM .Thisability includesbeing ablc to
mecttllcseobjectives:
> Explain tlle ptlrposcand opcration offircwalls
* Describe the charactcristicsoftlle Cisco Catalyst6500 ScricsFW SM
w Describe tlle stepsnccdcd to deploy basic Catalyst6500 Scrics FSVSM colltiguratiolt
* ExplaillCatalyst6500 SeriesFW SM nctworking modcs
K Dcscribc thc stcpsneeded to cont-
igtlrc routcd modc
* Describc the stcps ncedcd to colptigure trallsparentntodc
* Explain the Catalyst6500 Serics FW SM NAT alpd PAT
* Dcscribetlle stcpsncedcd to configurc NAT alld PAT
Firew allO verview
Thistopic describesthe fundam entalprobem sthatGrewallsarc tlcsigned to address.

C o nnected N etw orks

f? / / h
k e, J
, :
Telecom m uters

N
N '' . . f '''
,
i
. .
'' '
i
) '.
f
'
$7
:
1. ).
' . l
i
x. .

Internet
hj /..' '
o o Net
works
y,. N.% I Headquarters
#e <
A e' *N I
- :7k=

Mobil
e Users Branch Of
fice

Isolated Legacy N etw orks


Early corporatc datanetworksw ere builton proprictary technology and wcrcoften attachcd
directly to mainfralneorm id-size systcm s.Early IP networks in acorporate sctting replaced
proprictary lransporttechnology with Ip-based nctworkscarricd prim arily cm facilities
detlicated to the company constructing the nctwork.assllown in thc figurc.
AI1im portantattribtlte oftheseearly corporate IP nctworkswasthc amountofisolation that
cxisted betwcen thecorporate network and any othernctwork.1l)gcncral, thc isolation was
colnplctcatthe IP layerw ith no mechanismsfortraft ic fiom unatlthorized dcvicesto be
ill
jcctedilltothenetwork.Securityconcernsil:thisnctworkrcvolvedprimarilyaroundthe
strcl,gth ofthcatlthentication providcd by the acccssserver.M uch ofthedata security issuesin
tllcsccarly nctworkswere controlled by thc mainfram eorm id-size system s, w hich stillowncd
nlostof'thcdata,

C onnected Netw orks


M odcn)corporate IP nctw orksare connected to the globalInternctand m ake use ofthe lntcrnct
forsom coralIot-theirdata transpon needs.as showl)in the figurc. Private circuitsstillexist
alld arc uscd forsecurity reasons.orm ercly to providc dedicated site-to-sitc bandwidth. The
ptlblic Intcrnetisalso tlscd forsite-to-sitc lillksand hasrcplaccd thc public switched telephone
network (PSTN )asthe prevalentmeansforconnccting remotc users. Additionally,corporations
arcproviding lnore servicesviathe lntenletto customersand btlsinesspartners.
Conllecting corporatc nctworksto 1hcptlbliclnternctoftkrsm any advantagcs. Low-cost,high-
specd access to the com orate network iseasily providcd forremote uscrsw ith w idely availablc
Intcrnctaccess in hom es.hotels.rcstaurants.ail-ports,etc.Traffic Ioadscan be convergcd on
one Illtenlet-based infrastructure.resulting in cost-savingst'
t)rsite-to-sitc and company-to-
colnpany connectivity.
2..
4 ImplementingCiscoDataCenterNetworkl
nfrastructure 1(DCN1-1)v2.0 Q 2008Ci
scoSystems. Inc.
Alollg with the advantagesofconnectingthe corporatcnetwork to thc globalIntcrnetcomesa
sctofnew sccurity challenges.Unknown and unauthcnticated systelnsare now capablc of
gcncratingIPtrafficthatisinjectedintoandrotltedbytllccorporatenetwork.Systemsfroln
wcb sclwersto lnainfralnesto workstationsare llow acccssiblc froln anywhcre in the world.
Conlprolnising onc system llasIlow bccolne al)easiertirststcp il:Inounting aI)attack on a
corporateIletwork
Thcrc are severaltechnologiesavailable to m itigatc the risksofllltcrnctcollneetivity while
I
llaintaining thc benetits.Tllesctecllnologiesincludcfircw allscrvices.

@ 2008 Cisco Systems,lnc. lrrlplementingFW SM foraDataCenterNetworklnfrastructure 2-5


W hat 1s a F -
1rew a II9.
. A firewallcontrols trafficflow from networkto network

X'- se
we
we
br
Demiti
tarizedZone(DMZ)
1
'-' y .r
. t
Intemet ' x.
7 - v .,..:.,.
y. 7e
Outside ynside
Network Network

A tircwallcontrolsacccssam ong a collection oftwo orm ore networksorinsidea nctwork.


This isaccom plisllcd by controlling tllc traftic thatfiowsfrom an intcrfacc to an interface.

Firew allIm plem entation


In the sim plcstilnplem cntations.a fircwallconncctstwo networkstogether. One network isthe
insidenctwork.thcothcristhe otltsidenetwork.Theinside network isthccollcction ofnctwork
resourcesthatmustbcprotected from thc outsidc nctwork.
Additionalnctworkscan be added to the collcction ofnetworksthalare controlled by a
firewall.A typicaluscofthiscapability isthccreation ofadclnilitarized zone(DM Z)nctwork.
DM Z nctworksarcalso referred to aspcrilncternetworks.Resotlrcesin theDM Z network often
have Icssstrillgclltsccurity rcquirem entstlpan thoseem ployed fortlpe insidc network. Systcm s
m ightalso be placed in thc DM Z ifthey arctlscd to providcscrvices to thc generalpublic.
The t'igure sltow'san cxampleofa tirewalltleploym entin which a public web serverisplaced
into thc DM Z while corporate workstationsand internal-use-only scrversareplaced into thc
insidc nctwork.Thc outside network isused to connectthc corporatcnctwork with theIntenlct.
The Grewallin thisexample can im plem cnta policy thatthe ptlblic wcb scrverisallowed to
receive HTTP requcstsabutresourcesiI)the ilpside nctwork canllot.

2-fh lmplementingCiscoDataCenlerNetworklnfrastructure1tDC.Nl-1)v2.
0 Q 22*8CiscoSystems lnc.
P a cket F 1lter111g
4'- W eb
f::
...' 15;f
?r,/6,r

DMZ

'- Intem et JA<


' '' *
h .. l
x .k
j #
.
.
outside ,...*1 'N loside
Network Network
.
,:;
< . pr.
..
I .' * ., c. :
j

Outside DMZ 150 Yes


Outside DMZ !80 No
DMZ Any Yes
lnside Any Yes
Outslde lnsIde No

(
t
))2008Cisco Systems,Inc. Implementing FW SM l(7ra Data CenterNetwork I
nfrastructure 2-7
'

P roxy S erver

=. w eb/Proxy
t
:
J
:1 servers
DMZ
I. -.,- r
... Intem qt :7
.c. :
.'# L 'f ' '
. #
NOutside :k....
. .
. Iraside
Otwork ' ' Net work

> *z :t: . @ *:
; .
Outside W eb:80 Yes
Outside W eb180 No
Outside Proxy Yes
DMZ Any Yes
lnslde Any Yes
Outslde lnslde No

Proxy scrvcrscan bc uscd to addressthc lim itationsoffirewallsthatrely on simplcpackct


Gltcring.A proxy scrverisa systcm thatacceptsconncctionsforprotccted uscrsand thcn
cstablishcsa second connection to thcrcqtlested resourcc.
Il1thc tigurc,thc policiesforpacketfiltering have becn changcd.An additionalsystem hasbccn
addcd to the DM Z and isrunning proxy selwersoftware.Traftic to thc wcb serverisstill
lilnitcd to port80.
.however,traffic from anywhere isallowed to reach thc proxy scrver.Any
illsidcsystem thatchoosesto acccssan Intcrnet-based rcsource iscontigurcd with the IP
addrcssoftheproxy scrvcr.Any conncctionsfrom the insidc nctwork go to thcproxy scrvcrto
cstablish itsown conncction withthc rcsource on thc Intcrnet.
Insidc userscan now acccssrcsourccson the Internet.However,theproxy sen'erisa systcln
thatisopen to alltraffic and necdsto be carefully sccurcd.A failure ofthcsccurity ofthe proxy
servcrwould com prom isc the protcction offered by thc tircwall.

2-8 lmplementingCi
scoDataCenterNetworklnfrastructure1(DCNI-I):2.0 (
I)2008CiscoSystems,lnc.
S tateftlI Packet F 1Itering
'tLt.. W eb
x. a Server

lnternet
. . .
, -/?
Outsi
de ..
se v.
. I
nside
Netwof'k Network

h' t$.
. jr . Jl.. .* '.' *
. 4 ) u -: *
Outside DMZ 80 Yes
Entri
esforeach activeconnecti
on: Outside DMZ:p80 No
. Source/Desllnationaddress
DMZ Any Yes
' Source/Desllnatlonport
Inslde Any Yes
. sequence numbers
TCF7f
lags tk' Outsl
de 1
nsl
de No
'L Establlshed Sesslon Yes

@ 2006 Ci
sco Systems.lnc. Impl
ementl
ng FW SM fora Data CenterNetworklnfrastructure 2-9
ConceptofV irtualFirew alling
. Logicalpartitioning ofa single FW SM into m ultiple
Iogicalfirewalls
pLogicalfirewall= Security context

Policiesand management
IPaddressspacetcanb:Pusedbetweencontextq) .... .y. w- a
. .y.<u
<&
Opqrati
onalmode(routqdjyYansqarent) e W ..
SetofVI-AN lnte#aces
Resource usage

V il-ttlalfirewallsprcscntIogicalpartitioning ofasingle physicalCatalyst6500 SeriesFW SM


illto lnultiplc logicalfirewalls.A logicaltircwalliscallcd a security context(orvirtual
f5rcwall).
Security contextsallow adm inistralorsto separatcand secure datacentersiloswhilcproviding
casy managelncntusing a singlc system .They Ioweroverallmanagem entand supportcostsby
hostilyg m ultiplc virltlaltirewalls in asinglc devicc.

2-1O lmplementlngCiscoDataCenterNetworklnlrastructure1(DCNI
-I)v2.
O @ 2008CiscoSystems,lnc.
FW S M O verview
Tliislt/pic iderltifies rhc characlcris!ics(,rtlle Catalystf)5f)0 sericsFB/SM

FW S M H arclw are
. Cisco Catalyst6500 Series Swi tch and Cisco 7600 Series Router
firewallsystem
. Hi gh performance firewall,5.5 Gb/s
@ M axim um of1 m illion simultaneous connections
. Maxi mum of100,000 connection setupsand teardowns per
second
. 256,000 PAT and 256,000 NAT translations
p Up to fourblades perchassis
' ) 1

Scaling

@ 2008 Cisco System s.lnc Implementing FW SM fora Data CenterNetworkInfrastrtlcture 2-11


. Tlpcsccond solution consistsin assigning each Catalyst6500 SeriesFW SM adistinctsetof
VLAN S.Tram c istherefore associatcd to agivcn Catalyst6500 ScricsFW SM based on its
illcorning oroutgoing VLAN tag.
w The tllird solution consistsin the network adm inistratorovcrriding the dynam ic routing
proccssby Inanually assigning a specit ic Catalyst6500 Series FW SM based on the source
ordestination ofthe traffic.

2-12 lmpiementingCiscoDataCenterNetworklnfrastructure 1(DCNI-!)K .


0 @ 2008CiscoSystemsllnc.
FW SM K ey Features
Fabric-enabled card
Based on proven Cisco PIX firewalltechnology
> Suppodstransparentorrouted firewallmode
* Upto250 securitycontexts(virtualfirewallinstance)
Up to 256 VLANS in a single routed context
Up to 100 VLANSpereach routed contextin m ulti-contextmode
, Up to 8 pairs ofVLANS in each transparentcontext
. Up to 1000 VLANS in aI1contexts

Key IkattlresoftheC'atalyst6500 SeriesFW SM incltlde thesc:


* Supportstransparentor routed firewallInode:W hcn contigured to run in rotltcd modc.
the Catalyst6500 SericsFW SM isconsidered arotlterhop in thenctwork and pcrforms
NAT bctwecn conllected nctworks.W hcn contigtlred in trallsparelltm ode.theCatalyst
6500 ScricsF'W SM acts1ike a Qsbump in thcwirc''alld is notcollsidered arotltcrllop.The
illside and otltside interll
acesare the same nctworks,btltdiffcrelltVLANS,with theC'atalyst
6500 Series FW SM providing thecon,lectivity.
* Supportsup to 250 security contexts:Tlle Catalyst6500 SeriesFW SM can bc in sillgle or
lntlltiple contextmode.In mtlltiplecolllcxtInode,up to 250 scparatc sccurity colltextscallbe
colltigtlrcd,depcncling oI1the softwarc licensebeing tlscd.M tlltiple contcxtsarcsim ilarto
havillg mtllliplestand-alonc rcwalls,convcnielltly colltaincd within a single module.
* Supportsup to 256 VIaAN Sin a single routed context:Up to 256 V LANScallbe
conligtlred in a singlc rotltcd context.
* Supports up to 100 V LANSper each routed contextin rnulticontextmode:W hcn
m tlltiplerouted contextsare tleployed,each contextcotlld have l00 VLANS.
* Supportsup to eightpairsorV LAN Sin each transparentcontext:Each transparent
contcxtcotlld bedcploycd w itlleightpairsofVLANS bridgc groups.
* Supports up to 1000 V I-A NS acrossalIcontexts:A crossa1lcontexts.a luaxilntllu of
l000 VLANScan becontigured.
* Supports5-G b/sthroughput:ThcCatalyst6500 ScricsFW SM providcsup to 5-Gb/s
tllrotlgl'
lput.

@ 2008 Ci
sco Systems,l
nc. lmpl
ementing FWSM fora Data CenterNetworklnfrastructure 2-13
w Supportsone m illion concurrentconnections:The Catalyst6500 ScriesFW SM supports
t1p to onc m illion concurrentconncctionsatany givelltime.
w Supports 100,000 connectionsper-second:Up to 100,000 conncctionscan be established
per-second.
* slultiple bladesare supported in onechassis:In a single Catalyst6500 SeriesSwitcll
cllassis,up to fourCatalyst6500 ScriesFW SM m odulcscan be supportcd.

2-14 ImplementingCi
scoDataCenterNetworklnfrastructure1(DCNI-I)v2.
0 @ 2008CiscoSystems.Inc.
FW SM Key Features (Cont.)
. High-availabilityfeatures include:
Active-acti
ve and active-slandby contexts
Pre-em ptopti on foractive-active
lntra-orinter-chassis statefusfailover
. Routing
Dynamic
Asymm etric
q Network integration improvem ents include:
Mixed Layer2 and Layer3 mode support
PrivateVLAN (PVLAN)support
Perinlerface DHCP relay ' -
. Scalability .' '

Interchassisor Intrachassisfailover:Failovcrcallbcdcploycd in a singlcor


I'lultip1e cllassis.

('
))2008 CiscoSystem s,Inc. tmplementing FW SM fora Data CenterNetworkInfrastrucltlre 2-15
* Ncwork intcgration
M ixed lxayer2 and Layer3 m ode support:M ixed Laycr2 and Laycr3 modc
supportisnow pennittcd on thc sam cCatalyst6500 SericsFW SM .enabling tlcxiblc
network deploym ents.
PrivateVLAN (PVLAN)support:ThcCatalyst6500 ScricsFW SM isnotaware
ofPV LANSconfigurcd on tlle switch supervisor, and propcrly processestraffic
com ing from a secondary VLAN thatisconfigured asa secure VLAN with IEEE
802.IQ taggingoftheprimary.thusleveraging theIogicalscparationand traffic
isolation pros'ided by PVLANS.
Per-interfaceDH CP configured per interface:Per-intcrfacc DHCP relay can now
bcconligured perinterface instead ofpcrthe cntirc colhtext, providingbcttcr
grallularity and controlofDIICP scnziccs.
* Scalability
Supportfor 250 virtualcontexts:Contextshave bccn incrcascd from l00 to 250.
Ability to apply thew'rite mcm ory com mand to aIlcontexts:Thisfeaturem akcs
cont-iguring a large ntlm berofvirtualcontextseasicr.
Increased num berofglobalstatem ents to 4000:This illcreasc ilnproves
scalability when detining apoolofglobaladdresscs.
ACL m ernory enhancem ents:An increase of20 pcrcentin totalavailable ACL
m em or.y improvesscalabilit
y.
Sessionsfor IIOn-TCP/UDP packets:Thisfeature pcrm itsthcscpackelslo be
forwarded througllthefastpath instead ofthe slow path.improving perfonnancc for
Gcneric Routing Encapsulation (GRE).Extended ServicesPlatform s(ESPs).and
mtllticasttraffic. +

Supportsup to 10 DH CP relay statem ents:An increase from 4 to 10 D HCP relay


statcmclltsprovidcsscalability bcncfits.
Provides80 HTTPS sessionsfor Cisco Adaptive Securlty Device M anager
(ASDM ):Thisrepresentsan increasefrom 32to 80 HTTPS sessionsforASDM .

2-16 lmplemenlingClscoData CenlerNetworklnfrastructure 1 (DCNi-!)v2.D Q 2D08 Clsco Systems. lnc.


FW S M A rchitecture O verview

g13/1
-'h,.- g'ayz 111ld11
,
1
.
b
.( ' 9,
3/4 L
l.
p'
x i'l. 2 '.
(-- J4,
i
t qi
rws t
h4Jw.,
' t-;
';
1. .. '' >
.pz-
j r
>
/
tN.
t..
;
.
tr
uj' ,i3I6
y 8%
.)
.
,.
$$
.<,
.
, x
t-
'..
,
3m
..
. / r
)
Cisco Izw sM
Calalyst6500

@ 2008 Cisco System s,Inc Implementing FW SM fora Data CenterNetworklnfrastructure 2-17


Three-Layer rchitecture verview
ControlPath
. ct-t/ospF/tixups

. ....
. :' .
:.j'
Jt:.
T. r. Sessitm Vanagem ent
' .
:. . . .
' '
-:
.
);:t
.):. 1Gb
,)
y ,
/. j,- /1(iW:.; k.
.3 ....
...,,
-.
2
.
j,.
:
..
k
,..j:
;-.E.y'
k
y
t
..
y
.;.
:r'
;t
.
rl
!!
.jljk
/lp1
r-
lpl
'1fIld
tl
'
:
l1:,,jd
sk
.l
::llk
.
. ' 'i t:k .
't)
'
l
k;
sy-)
;,
. .
j1ip?r:z
( '
r-
, ?$y,jj
4 k
jt.
tj-rt.
( k:-:.L: lii'.j,:y
@yl
,
iky,(i
y.
t,J
;yjf:r-..k
j;t,C'
r(
.t
.? .;.2 .;..
''' ;;
-'it '
k $
yt'
(f
i .'
t )C
;'
(
;)
k
'
,
itl
.
;
?(
J1:!.s . . ;.3: ,..$
,.
)l
),.
q .. ... . . .,
T
y
jhijy
lij
.;f.
.p
n
'.6...
%
.
p
t-t

.
-)-
,t
..i.
(
,
., ,z
.
. t
. .;
-?I
)t
'tp
rp
t;:
$
'
..gj...
. o )
!
$
.($
'
tk
ytr
,
.-
jt
''
:rt'
j
;'
?
z j
t
l!
'
;
:)-
:
rr.'
k
yr
.
;..-. ..r
,- .
;.
-
i
r
'?
t'
d
....f
'1
t.
ri k
.'
:
.!
.
''.
.. $
,
. ''
l!'i
t;
l
jl
t
't
k
l
..
;'
'
tz
'
;L
.(
)
@.)
i'
'(
l
t
jf
1'
yl&y
.
rt
'h
lyf
or,!
tz
' r'
,,
t
.i, ))'qJ
C'J
)r
lt
L
li
Lf
l'''i
'
.'
.. @
. . p? ,:.. FastPath

6 Gb/s Ethercharlnel

To ClscoCatalyst6500
Localbus fabric orbus

The processing functionson thc Catalyst6500 SericsFW SM areprovided by a three-layer


architccture consisting ofthrce nctwork processorsand a PC com plcx.
Tllc IowestIayerofthc architecttlrc consists oftwo nctwork proccssorsthatconnectdirectly to
the Ethclf hannetPortchannclfrom the backplane oft14eCatalyst650 ScricsSwitch. Thcse
network processorsprovidc fast-path processing ofpacketsthatarc partofexisting flows.
Thc sccond layerofthe architccttlrc consistsofoncnetwork processorconnected to both
nctwork proccssorsfroln thc fast-path layer.The scssion m anagementnetwork processor
proccssesncw session rcquesls.Thc scssion lnanagem cntnctw ork proccssoralso performsthc
SimplcM ailTransferProtocol(SM TP)tixup function.Fixup functionsmodify uppcrlaycr
protocoldatatoadjtlstforNAT,
Thc third Iayerofthe architccture consists ofaPC com plex thatperfonnsa11otherfixup
ftlnctiolls.aswellasroutingand thecommand-lilleillterface(CLl).

2-18 lmplementingCiscoDataCenterNetworklnfrastructure 1(DGNI-I)72.0 @ 2008CiscoSystems.lnc.


'

FW S M F 1Ie S yste m
. The FW SM includesa 128 MB Com pactFlash card
.
Sixpadi
ti
onsonthecardare used (cf:n)
Paditi
on 't yc'. zq.
:
' J' '
-

Maintenance
Networkconfi
guration
Crashdump
cf:
4 Applicalionpartition(defaul
t)
cf'5 Application partition

cf26 Contexlconsguratlons(di
skl)

(()2008 CiscoSystem s.Inc. lm plementing FW SM fora Data CenterNetworklnfrastruclure 2-19


'

Feature C om parison'
.FW S M vs.A SA
9 k .j > . ;j ,j
!I .'y;'r ' . . '
Performance .
.
2.
''.
'''d'L.C*/*''1
-.,.. -
,.- -...
1- .6.50-
.
M-b/s..---j1
-- -0.-G.b
./s/2
.0Gb/s--.
-
Typeofinterfaces )E.....W .8N: '
I Extemalinterfaces Extemalinterfaces
VLANS IQX 2O0 100(250future)
FailoverIicensing : -q
'
u .
tt
N@ j Yes -
l Y(m
VPNfun ctionality L'2
;'. rr.t,.Nq Yes Yes
Y,ykLk5k-w-.--oyk.. - k...-.......- -
..
...... .... ............- ..... .- : ,x - -.- ..-- - . ......-- - .
-z.
!
(
u'
,.
..!.'
IE)ig!;i(;rl!ttlrt!t; )(
.J #k.
;
)
<
..!
1.il '.' .,,
ki.
,
j ,.
. . ... Af'(htl
....-.
----- ..-
hk()

Defaultpol
icy ..Ajjtae y
s fyjxj. All
owshi
gheri
evel Al
lowshigherlevel
l
(;.
- .. .... . .,
l
1toIowerI
eveltraffic toIowerleveltrafflc
- . -

Thischartliststhe key differellcesbetwcen the Catalyst6500 Serics FW SM and theCisco ASA


5580-40 Atlaptive Security Appliancc.
Catalyst6500 ScriesFW SM isablc to processmoretraftic than almostalIadaplivesecurity
appliance dcvices,cxceptthe latcstA SA 5580-20 Adaptive Security Applianceand ASA 5580-
40 Adaptivc Sectlrity Appliancc'
,howcvcr,tcrlnination ofvirtualprivatc network (VPN )
connectionstkrtratlic tlowing through tllc fircwallsenricesm odulc isnotsupported on a
Catalyst6500 Serics FW SM .The Cisco Catalyst6500 SericsSw itch providesintelligent
serviccs.stlch asintrtlsion detection.via Cisco Intrusion Detcction ServicesM odulcs(IDSM S).
and IP sccurity (IPsec)selaziceportadaptcr.
W hen designing sccurity policy fordata centers,the following isusually true:
. Therc isl1o need forIpsec V PN S.
. M any V LANSare uscd.
. H igh availability isa must.
* Powerconstlm ption isa signiticantfactor.
. Thc soltltion should scale becauscdalacentcrsevolvc.
Thus,thc Catalyst6500 SeriesFW SM isa llaturalchoicc fordata ccnterscctlrity policy;thalis.
thcnum berofVLAN intcrfacvs,failoverfunctionality,and sealability (with deploying up to
fourCatalyst6500 SericsFW SM perCatalyst6500 Series Sw itch chassis).

2-2: lmplementing Ct
sco DataCenterNetwork lnfraslructure 1(DCNI-))v2.
D (
I)2908 Cisco Systems.lnc.
FW S M lnitialC onfiguration

FW S M T raffic F Iow

N
Ou
ett
w
so
idre
k tj.
6t '
?1:)
Inside
Network
.
G>sz
Cisco Catalyst
6500 Series
FW SM

(()2008 Cisco System s.lnc. lmplementlng FW SM fora Data CenterNetworklnfrastructure 2-21


FW S M V LA N S

DMZI
DMZI
. Nebrxk

outside okdside VLAN ': lnsideVLAN Inside


Network i
( ,..Netw?fk
SM
DMZ2 DMZ2
. Network

Cisco Catalyst6500

The figure shows how a Catalyst6500 SericsSwitch containing a Catalyst6500 SeriesFW SM


conncctsto anctwork.
In tllis typicalIletwork sccnario,thc Catalyst6500 SeriesFW SM conncctsto the network usillg
tw o VLANS:one VLAN isused fora conncction to the inside network.and theotherVLAN is
uscd foracollncction to the outsidc network.Because thc Catalyst6500 Series'FW SM is
attached to VLAN S.any physicalorIogicalsw itch pol4can bc uscd as al7inside oroutsidcport
on the FW SM .

2-22 mpdementingCiscoDataCenterNetworklnfrastructure 1(DCNI-!)v2.0 @ 2008Cisco Systems lnc.


C ol1f1g ur1ng FW S M V LA N s on C 1sco IO S
C reate the necessary VLAN S
Group the VLANS into firewallVLAN groups
Assignthe VLAN groups to individualFW SMS

vlan 55-57.70-85,100

firewall vlan-group 50 55-57


firewall vlan-group 51 70-85
firewall vlan-group 52 l00

firewall module 5 vlan-group 50,52


firewall module 6 vlan-group 51,52

Router tconfig l#firewall vlan -group 50 55-57


Router tconfig l#firewall vlan -group 51 70-85
Router tconfig l#firewall vlan -group 52 100
step 3 A ttllc cnd.the tirevvalIVI-AN grotlpssllotlltlbc llssociatcd vvitl'
liI
ldividtlallircvvall
services m odtlles,tlsiI)g tllc'
lire'
wallrnodule collllp'
lalltl.1I1thisexalnple.tlle I
irew all
N'LAN grotlpsarc llssignetllo FS'
VS'
NIS il'
lslots5 and 8.
Router lconfig l#firewall module 5 vlan-group 50,52
Router lconfig l#firewall module 8 vlan-group 51,52

Note FlrewallVLAN groups can be shared by more than one Catalyst6500 Seri
es FW SM.

@ 2008 Cisco System s.Inc. Im plem enting FW SM fora Data CenkerNetwork Infrastructure 2-23
Verifying C isco IO S Setup
Router#show firewall vlan-group
Group vlans

50 55-57
51 70-85
52 l0Q

Router#ahow firewall module


Module Vlan-groupa
5 50,52
8 51,52

Thc show firewallvIan-group and show firewallm odule comm andscan be used to verify the
V LAN contigtlration.

2-24 lmplementingCiscoDataCenterNetworklnfrastructure1(DCNl-1)v2.
O (
I)2008CiscoSystems,lnc.
A ccfassing tlle FW SM
Router#
sension sloe 5 processor 1
p Connectsto the FW SM from Cisco IOS

Console> (enable)
seasion 5
p Connects to the FW SM from the Catalystoperating system

FwsMx
enable
w Enters enable m ode

7'llc t'atalyst6500 ScricsF'SVSN'Iprolnptsfora logil)passw-ord.14.11iclldelltlltsttl('i.


%L'
().After
cntcriI1g thclogi11passu'ordsyetlrccciv'c tl:c disablellpotlcprolnpt.U sc tllc enableconuuantlttn
clltcrtllc cllablc modc.Tl'
lc dcfatlltcnablc passyvord isblaltk.and itcal'lbcclltcrcd by pressillg
t11t
?1-.
JI1lcrkcy.

@ 2008 Ci
sco Systems,Inc. lmpl
ementi
ng FW SM fora Data CenlerNetwork I
ntrastructure 2-25
Configuring Basic Settings
Change the login and enable passwords
2. Configure hostand domain names

password highly lsecuregg


enable password evenB3tt#rpWordl
hostname bastion
domain-name exlmple.com

Allofthc basic scttingsareconfigurcd t'


rom the main contiguration lnode on the Catalyst6500
Scrics FW SM .
Thc login password ischanged w ith thcpassword com mand.
FWSM (config )#paaaword highly lSecureg9

Note The password comm and can also be speci


fied as passw d.

Thcenable modc password ischanged with the enable password comm and.
FWsM tconfig l#enable paasword evenB3tt#rpWord l
Both login and enablepasswordsarc casc-sensitive and can be up to l6 charactcrslong.Thc
passwordscan contain letters.ntlm bers.and spccialcllaractcrs,except1he question mark and
space.
Thchostname ofthcCatalyst6500 ScricsFW SM dcfaultsto FI ;'
StV and can be changcd w ith
111e hostnam ecolnmalld.
FWsM tconfigl#hostn-me bastion
Thcpromptchangcslo retlectthc ncw hostnam e.
Thcdomain naTnc isconligured w ith tllc dom ain-nam e com m and.
bastion tconfig l#domain-nxme exxmple .com

Caution The hostand dom ain names are used during the processthatgenerates RSA keys for
Secure Shell(SSH)and HTTPS accesstotheCatalyst6500SeriesFW SM.Thehostand
dom ain nam es shoul
d be configured before keys are generated.

2-26 ImplementingCi
scoDataCenterNetworklnfrastructure1(DCNI
-I)v2.
0 @ 2008CiscoSystems.Inc.
C onfiquring Interfaces
Routerlconfigl#interface vlan l00
Routerlconfig-ifl#nameif outside
Router tconfig -ifl#security -level 0

Routerlconfigl#interface vlan l0l


Routertionfig-ifl#nameif inside
Router tconfig-ifl#security -level 100

Routerfconffgl#ineerface vlan l02


Routerlconfig-ifl#nameif dmz
Routertconfig-tfl#security-level 50

. Specify name and securi


ty Ievelforeach interface

Beforc thc Catalyst6500 Series FW SM allowstraflic tllrough aI1illterface.thc illterl -


ace nalne
mustbc dcfined witlla rclevantscctlrity level.
The nalne istlscd in othercontigtlration statclnelltsto refcrto a spccitic intcrt-
ace,alld sllotlld
be lneaningfulto allyonc reading theconfiguratiol).The nalue can bcany textstring up to 48
charactersin lcngth,alld itisnotcase-sensitivc.
Thc security levelisanunlberfroln 0 to I00 tllatdcfinesthe secul'ity characteristicsofthe
network attached to thespccifqed interfacc.
ln thc cxalnplc.VLAN l00 isdet ined asan illterface Slan-icd (?lf?.
5't/c with a sccurity Ievclof
zero.V LAN l0lisdctincd asan interfaccnalzled il'sidelvitlla sectlrily lcvelof I00,while
VLAN 102 istletined asa11illterface nalncd dnlz willla sectlrity levelof50.

(()2008 Cisco Systems,Inc, (mplementingFWSM foraDataCenferNetwork Infrastructure 2-27


U nderstanding Security Levels

insi
de to o side

0 30 70 100
outsideto ide

Each intcrfacchasasecurity levelthatisrcpresentcd byantlmberbetwecn0(lowest)and l00


(lligllcst).The Ggure showstherelationsllips implied by thcavailable security lcvcls. Outside
lheoutcr(daslled)circlcissecurity lcvel0.Tllet'
icldbctweentheoutcr(dashed)circleandthc
lniddle(ftlIl)circle representssecurity level30.Security level70 liesbetwecn the m iddle(full)
circlc alld thc inner(dotted)circle,and security lcvelI00 istllc illtcriorofthc inner(dotled)
circlc.
(ioing from a lowersecurity levelto a highersccurity leveltakesyou inside, while going from
a highcrto a lowersecurity leveltakesyou outsidc.W hel)dcalingw ith a firewallwith m ultiple
interraces.and each with diffcrentsecurity lcvels.this inside and outsidc directionality
dctcrlninesthe security andN AT policicsthatareapplied.

2-28 ImplementingCiscoDataCenterNetworklntrastructure 1(DCNI-!)72.


9 @ 2008CiscoSystems. lnc.
M u Itip Ie Intorf'act7
.s w ith
the S arne S ectlrity Leve.I

-4':-.: W eb server
%.71f:
1 ovz1
1 192 168 10/24
1 , ..
j '

Intecnet A-
%' ' # #
Xthw W-#tv
outside Network .
198 133 219 :/24 I rau-zn l'ns'de Network
securitytevel0 I
1
1921
..
GC
'
(1()r24
..
10000/24
secuntyLevell0a
I
,,
.:
.. Apprlcatpon
-7n
t7 sewer

(()2008 Cisco Systems.inc Im plementing FW SM fora Data CenterNetwork Infrastructure 2-29


Intra-lnterface Firew allServices

rp1

192 16iI.1.0724
Inslde '
192.168 255 0/24
'
'
At)()
ti
rI
t'
.
'I
(?b'
f'
lI'1I r e'e-.
% l'

192 168.3 0/24


192 168 2 0/24

5%

Tllc Catalyst6500 ScriesFW SM can becontigured asa Ssfirewallon a stickf'to controltraftic


among hostsattached to one ofthe interfaccs.
Tlle sam e-security-trarnc perm itintra-interfacecolnm and isused to allow trafficto tlow .
ACLSare cont igured to controltllc type oftrafficthatisallowcd to tlow .Thc routcrcol
m ecting
the subnetsalso nccdsto be configurcd to send alltraftic to tllcCatalyst6500 ScricsFW SM for
proccssing.

2-30 lmplementing CiscoData CenterNetworklnfrastructure 1(DCNI-I)v2.O @ 2(28 Cisco Systems,lnc,


Note The supervisorengine ofthe Cisco Catal
ys!6500 Seri
es Switch and Cisco 7600 Series
Routermustrun Ci
sco IOS Software Release 12.2(18)SXForIater- a specialmessage is
used to com m uni
cate the PVLAN m apping to Catal
yst6500 Series FW SV

@ 2008 Ci
sco Syslems.1nc I
m pl
ementing FW SM fora Dala CenterNetworkInfrastructure 2-31
* Promiscuous
Can comlnunicatc with hostson m apped com munity and isolated ports
Listcn to sccondary V LAN
Send traftic using primary VLAN

Note TheCatalyst6500SeriesFW SM can takethe roleofPVLAN router.

2-32 kmplementingCiscoDataCenterNetworklnfrastructure1(DCNI-h)v2.
0 @ 2098CiscoSystems. Inc.
F SM in PVLA N Environm ent
@TheFW SM regulates MsFc V e-'C ,: ipIocal-proxy-arp
com m unication between the ,
',
s 10J(
).1o.1
outside world''and hosts
i' VLAN1001t '
f-oodocpiz144
)0
si
ttingin aPVLAN $*
vc
Ho
01t
su
min
nt
ha
i
cet
PV
e Lt
beA
wNeecn
an F
nWS
Tr
us
o
pd
a
e
rMntVl
e '
z
'
iil' 10.
10'
10'
50
themselves orwith tiae ..h.
' pomaryvtA,k
'2vuAs ,ooo
Outside world via the MSFC ::
as permitted by the FW SM cisco
Ca
6t
aly
500sty'
e:
'
..
) .'$ f
,,
e*
''
VLAN50j. . j. seVcIANndaslryloVLAN
X p
z , ,
.....
.
l
r !
r -

t-
-.
lsofateclPods ,-2.-.
HostA '..#' x#'
.
? HostB
z' K
1Q.10.10.100 '!0.10.10.10f
00t)0aaaa0:00 0000 72000000

Frlam tlle perspeclivc t)fan FMTSM .there isntptllillg particlllarabou!tlleconfiguratiollsllown i))


the figtlre.Froln tllc perspective ofa rotltcr,llle Catalyst6500 ScriesFW SM issitting on a
prom isctlousportalld seesalltraflic to and froln the PVLAN .
HostA antlhostB are on isolated portsinsidc tllc secolldal'
y VLAN 500.No comm unication
can take place bclwecn tllcll'witlloutinvolving a routcr.Bolh hostsarcconfigured lo usethe
M tlltilayerSwitch Fcaturc Card (M SFC)astheirdcfatlltgateway.TlleCatalyst6500 Scrics
FW SM isinscned between them andtlte M SFC.Tlle prinzary VLAN ofthePVLAN is 1000
and istnlnked ovcrto the Catalyst6500 SericsFSVSM .The M SFC llas I 1o knowledgeofthe
PVLAN atlcastfroln a rotlting pcrspectivc,lncalling interfacc VLAN l00lisa regtllarVLAN
interface.
I-ltlstB sclldsal1AddressRestalution Protocol(ARP)reqllestft)rIPaddress 10.l0.10.l00 of
hostA,buttlpc PVLAN doesnotlctthe ARP rcquestreach hostA dircctly.Illstead.itis
directcd on to tlle primary VLAN and hitsthcCatalyst6500 Series FW SM .whicl)bridgesit
olpto thcM SFC.Tllc M SFC isconligtlrcd with local-proxy-ARp.Itrcplicsto hoslB with its
own M Ac-addrcss,thcn sendsan ARP reqtlestforIP address l0.l0.I0.l()()ofllostA.and
rotltesstlbseqtlcntpackctsfi 'ollll0.I0.l0.I0lto I0.!0.l0.I00.
TlleCatalyst6500 SericsF' W SM is providing intcr-isolated pol'tsccurity.lfilltcr-isolated porl
conll
ntlllication isreqtlired,thc Catalyst6500 ScricsFSVSM callcnable rotltillg back otltthc
san'
leillterrace.Usillg tllisfeattlrei1)conjtlnctionwitl)PVLAN intcgration,a1lcolnlntlnications
to,froln,alld within a PVLAN can beconlrolled by tlle Catalyst6500 ScricsFSVSM .
Colnlntlllicatitln between isolatcd ports isprcvented.sincctllc Catalyst6500 ScricsFSVSM svill
notretlle packctsback otltthc interfacc tl3cy calne in froln.
Hostsin the PVLAN are protccted frol
'n each otherand f'
rotn tllcotltside world by theCatalyst
6500 ScriesFSVSM .

()2008 Cisco Systems,Inc. Implementing FW SM fora Data CenterNetworklnfrastructure 2-33


W hen to Use PV LA N?
A scctlrity policy inthcdatacctlteristypically created bysegregatingdevices(namcly servers)
into diffcrelltgroupsaccording to the sectlrity requirementsand type, which m eansthata
previotlsly singlc IP subnetshotlld be splitinto separatc IP subnets.
Sincesplitting ofan IP stlbnctinto two orm orc IP subnetsrequiresnotonly reconfiguration of
nctwork cquipmcnt,butalso scrverswhcrc ccrtain applicationsmightdepend on static IP
address(alld thusthiswould rcquirealso application reconfigtlration), such a solution is
typically tmdesirablc.
In such cascs.PVLANScan bc uscd to segrcgatc servcrsinto scparate scgmentswithout
changing thcircontiguration.

2-34 ImplemenllngCiscoDataCenterNetworkI
nfrastructure1(DCNI-I)v2.0 @ 2008Ci
scoSystems, Inc.
Firew all M odes
'I-l'
l1stop1c

F 1rew aIIM o d es
r
1 I
I
InsideNetwerk C outsi
deNelwork
VLAN 20 I VLAN 40
r 1 l 1
L i-- --l .
* 1-------I 1
'
#E
/
' 10001 198133.219.100 .
%'
10 00 83 j
1 !98 133 219 25

E' rransparentMode i
E !
! Layer2 ;
t
nst
desetwork '''' i outs,
deNetwork
VLAN 20 l VLAN 40
t il000 ol241
! ; 141
. :1ooo.c/
24'
' ' '
............... 1 !................
: (
- #/ -:#
10 0.0.83 10.0 O 100 10 00 25

R outed M ode

Transparent M ode

C)2008Clsco Systems,Inc. Impl


ementtng FW SM fora Data CenterNetwork I
nfrastructure 2-35
N ctwork probcssdenialofsel w ice (DoS)tloodss and S'firewalking''attacks(thatdetennine
firewallfltering policiesand revealprivate addressesbehind an address- lranslatingGrewall)
arcrcndered im potentwith transparentfirewalls. Thisprevcntsfnalicioususersfrom scoping
the network to dcrive com ponentand nctwork infonnation. making networksresilientto
attacks.

Using Transparentvs.Routed M ode


Transparentl'irewallsare mosttlsefulin colnplcx environmentsthatrequire imm ediatc ornew
tirew alldeployments.Enterprise routing networksthatconsistofmultiplcrouting protocols.
stlch asOSPF.BGP,and high availability (HSRP, VirtualRouterRcdtlndancy Protocol
(VRRPI.andGateway Load Balancing Protocol(GLBPI)can levtragethestcalthsecurity
provided by transparcntfirewalls.
Trallsparentfircwallsare invisible to routing updatcsand can be safcly insertcd in cxisting
networksw ith 11o mandatory reutcchangcs.

xt

2-36 Implementing Ci
sco DataCenterNetworkInfrastructure 1(DCNI-I)$/2.0 (D2008 Cisco Systems.Inc.
C onfig(1ring F-
1rew aIIM odes
rwsMlconftgl#
firewall transparent

* Specises transparentm ode

FwsM lconfigl#
no firewall transparent

Specifies routed mode

7'11cdel'
atlltlnodc I
k'rthc Catalyst6500 SericsFW'SM isroutcd nlotle.
Thctirewalltransparentconllllal'
ld isuscd to placc tlle C'atalyst6500 ScricsFW SM i1,
trallsparelltlntldc

Note Firewal
lmode is setpercontext

onfigllring IP ddremses in ollted ode


Thcip addressclll'l 'llllal'
1d istlsed il1rotltetll'
ll()tlc to colltigtlrc 1.
11)IP atldl'ess(111apartictllar
illtcrfacc.The paralllctersspccil- y tl'
lc IP addrcssal' ld stlbnctnlask lo bc tlscd 1brthe illterl- acc.
Bollltlltladdressalld lnask tlsc tl' ledottcd dccilnalnotatiol' t.'
kvllilc tlle standby kcyw'ord alltl
addressistlsed l'brf'tliIover.

(()2008 Ci
sco Systems.lnc. lnlpl
ementing FW SM fora Data CeoterNetwork lnfraslructure 2-37
Configuring IP A ddresses
in R outed M ode
FWsMlconftql#intqrfac. vlan 1O;
FWsMlconfig-ifl#nameif outaide
PWsMlconflg-lfl#necurfty-levet 0
FWsMtcontig-ifl#tp lddress 19%.133.219.15 255.255.255.1
w Specifies an IP addressforeach interface

'
u
b
kot websewer
.

DMz
192.166.10/24

lnternet p
Outsida Network
w
'e
:p
198 133.219.0/24 Inside Network
100 0 0/24

ln thisexalnplesthe outsidc interfaceparam etersarc contigurcd in VLAN 100.

2-38 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
- I)v20 Q 2008Clsco Systems. Inc.
C ol)f1g u rin g IP A d d resses
-
111 T ra nspa rer1t M od ()
FWsMlconflgl#interface vlan l00
FWsMtconfiq-ifl#bridge-qroup l
FWsM tconfig-tfl#namef inside
FWsM lconflg.ifl#securiey-level 1O0
FWsMtconflg.ifl#exit
FWsMteonflgl#tnterface bv# l
FWsMlconfig-tjl#ip address 10.0.0.100 255.255.255.0 standby 10.9.0.101

* Speci fies a m anagementIP address foreach pairofbridge-group


interfaces

Outsi
de %
* ##,
... .
.

Outside Nelwork
k -e'j
'W
10000/24 InsldeNelWork
10 0 00/24

@ 2008 Cisco Systems.Inc. Implementing FW SM fora Data CenterNetwork Infrastructure 2-39


Transparent M ode Design
Considerations
. Known as a Layer2 tirewallor''steaIth firewall'
. 250 transparentsecuritycontexts
w Up to eightpairs ofinterfaces pertransparentfirewall
* Layer2 ACLS
.AddressResolution Protocol(ARP)inspection
. Multi
castpass-through
* No outsi
de shared VLAN
. One managementI P address pertransparentfirewallcontext
. The same subnetbutdi fferentVLANS on the inside and outside

Thc listmentionsthe lim itationsand design considerationsforthe transparentmode. N

2-40 ImplementingCi
scoDataCenterNetworklnfrastructblre1(DCNI-I)v2.0 (()2008 Cisco Systems,Inc.
C onfiguring the Translation
'
7*11istopic idclltiticsthe Fb%'S5.
1 N AT and PAT tlu!1slation.

N etw ork A ddress Translation


Term inoloqy
1
1
1
1
Inside Network OutsideNetwork
'x
.v x

Z
p; LocalAddresses I GlobalAddresses
xF.
''
.
I
I
I
I
kk; >..
' % 't ''':.m' .7&'. ' * s.'' '..
'
Ins,cseuocal outsrdet-ocal ' I p lnslcieosoual . outs'deGloilal
I
z#d k.
. 31... .;1*..' 1 :'2: vS X..'J''. e

l Otdsl
e Local . Insr
.. .
d eLocal.
... I p
..Out
sldeGl
obal.C l
nsi
deGi
oba..l.
I

@ 2008 Cisco System s,Inc. Im plem entirlgFW SM foraDataCenterNetwork Infrastructtlre 2-41


%

Thisexam plcnctwork hasan inside network of l0.0.0.0/24 and an otltside nctwork of


I98.133.2l9.0/24.
Nctwork trallslation istlsed to allow a system on a privatc network to comm tlnicatc with aweb M #
serverthatison lhe public Intcrnet.To perform thisfunction.the network translation onthc
tircwallisconfigured to translatethe IP addrcssofthe inside systcln toa valid addrcsson thc
outside nctwork.An addresswith thcsam e Iastoctethasbeen allocated forthispumose.

2.
.
42 lmplementingClscoDataCenterNetworklnfrastructure1(DCNI-!)v2.
D Q 2008ClscoSystems, lnc.
Q 2008Cisco Systems.Inc. lmplemeoting FW SM fora DataCenterNetworkInfrastructure 2-43
Port A ddress T ranslation
Mt ' #z z: * ' #&' 7 *

( lot
)o83.
2418 .
j19:.13:$219.2s.
80l ,' l198133.21925:24181,98.133.
219.25:
*0)
I
1
1
'..-.
10.0.0 83 I
j
Y
- y4 lnsldeNetwork Outside Network
12.
0.00/24 1981332190/24 (
-
A
y#
1
'
1o.o.().s4
I
1
198.133.
21925
'' 1
I
1
. .. :z. . . I . :, . z. z .
i ,()
'()0
84.24:8 t198133219.2s:so1
.
Ilai
s.lz:$2192s.2419k1981aa.
2!9.7sim1
l

PAT addsportntllnbcrsto thc translation tablc.


A typicaluse ofPAT isto provide network accessfora largc insidc network, while conserving
addresseson the oulside network.In tlliscxam plc, one address in the outside network isuscd to
prosride acccssforan inside network with a classC network ofhosts. Thc exam plc packcts
show'two diffcrentsystcm sgenerating requcststo a web scrver. Each system istlsing thesame
TCP portto send the reqtlcst.Notice thatthe insideglobaladdrcss forcach requestisthc same
IP addrcss.butthe PAT function ol)tllc firewallhas allocatcd differentportsforthe reqtlests.

2-44 ImplementingCiscoDataCenterNetworkI
nfrastructure 1(DCNI-I)v2.0 l 2008 Ci
sco Systems. lnc.
C o nf'
1g u rin('
J N A T C o ntro I
. NAT controlrequires thatpackets traversing from an inside interface to
an outside interface match a NAT rule
. NAT controlisdisabled by default
FwsM (config)#
nat-control
* Enables NAT control
R'
k.t
: websecver
DMZ
192.168 10/24
NAT 1
* #
Internet R1 i i
'
Otltslde Retwork
NM x'#
198 133219 0/24 lnspde Network
10 0 0 0/.
24
NAT 1

@ 2008 Cssco Systems,I


nc. ImplementingFW SM foraDataCenterNetworkInfrastructure 2-45
C onfiguring Dynam ic NA T and PAT
FWsMtconfigl#nat (inside) l 10.1.2.0 255.255.255.9
FWsM tconfigl#nat (dmz) 1 10.1.1.0 255.255.255.0
FWsM tconfigl#global (outstde) 1 209.165.201.3-209.165.201.10

p Identifies the realaddressesfortransl


ation

72:7. w ebsen/er
*.
1
DMZ
IQ 1.l0/24
NAT 1

Intemet # !
Outspde Nelwork +
''
209 165 201.3-209.165.201.10 Inside Network
Gpobal1 10 12.0/24
NAT 1

Dyllam ic NAT translatesagroup ofrcaladdressesto a poolofmapped addrcssesthatare


routable on the destination nctwork.TheCatalyst6500 ScriesFW SM assignsan IP addressto
the hostyotlwantto translate whcn accessing thedestination nctwork from a mapped pool.
Thisonly happcnswhcn the realhostinitiatesthe connection. The translation relnainsin placc
only tbrthcduration ofthc connection. Afterthc conncction tim csout, thataddress isrcleased
forotherhoststo use.
The porttranslation rcmainsin place forthe duration oftheconncctions butcxpiresaftcr30
secolldsofinactivity.Thistim eoutisnotuserconfigurable.
Remote hostscan initiatc connectionsto atranslated hostifperm ittcd by the ACL, butaftcrthe
translation hasbccn tim ed out,the rem ote connectionsare droppcd. regardlessofthe ACL
statem cnt.
Dynam icN AT can beused when protocolscannotuse PAT (such asG RE vcrsion 0). or
applicatiollswith adata stream and controlpath on diftkrcntportsand are notopcn standard
(such as multimcdiaapplicatiotls).
ln theexam plc.tllc natcomm and idcntificswhich interfaceshave hoststo be trallslated whcn
traversing the Grewallto an interface configtlred w ith theglobalcotnmand. >

Note Use differenlNAT IDswhen i


dentifylng differentsetsofrealaddressestohavedifferent
m appedaddresses.

2-46 lmptementingCiscoDataGenterNetworkInfrastructure 1(DCNI-I)v2.O (I)2008 CiscoSystem sl lnc.


I11atlditiol'
l.static PAT pfzrl'
l'
li(satll
ni11istratorsto providc a sillglcadtlressto rclnotc tlscrtbr
acccssi11g F'I-P,Il-l'TI>.and SN4TP scrvcrs.cvelltllougl)tllesescrv'crs lllightbc diftbrclltstrvcrs
on thercallletwork.Forcxalllplc:
FWsM tconfigl#static (inside ,outside) tcp 209 .155.201 .3 ftp
10.1.2.27 ftp netmask 255.255.255.255
FWsMlconfigl#static (insideyoutside) tcp 209.165.201.3 http
10.1.2.28 http netmask 255.255.255 .255
FWsM tconfiglkatatic (inside,outsidej tcp 209.165.201.3 smtp
10.1.2.29 smtp netmask 255 .255.255.255

Note Overlapping stati


c configurati
ons were allowed in initialvecsionsofCatalyst6500 Series
FW SM (version .x)butwere(aterdisallowed.In Catalyst6500 Seri
es FW SM k'
ersilm ,
3.1.
overlapping configuralionsare supported again.

(t
J)2008 Cl
sco SystemsfInc. Impl
ementing FW SM foraDataCenterNetworklnfrastructure 2-47
ypassing N w hen
N T ontrolis Enabled
FWsMlconfigl#nae (inside) Q lQ.1.l.Q 255.255.255.9
FWsllconfkgl#static (instde,out,ide) 10.1.1.3 lQ.l.l.3 nekwask 255.255.255.255
FWsKlconfigl#erceel-liat EXEMPT permt ip l0.1.2.Q 255.255.255.0 any
FwBxlconfigl#nat (inaida) Q accesy-lt:t 'XKMPT

* Bypasses NAT

''XQ':- w eb server
tzk.
t
DMZ
10 1 2.0/24

Intemet 1
'
g x.
w.z.'' '
Outslde Network ''
209 165.2010/24 Inslde Network
1Q.1.1.Q/24

In solne cases,forcxamplc,to use applicationsthatdo notsupportN AT, yotldo notwantto


perforln NAT translation forcertain llostswhcn NAT controlis enablcd.
lfyou do notwantto perform NAT translation fbrcertain hostswhen NAT controlisenablcd
you can colpfigtlre traf'
lic to bypassNAT in one ofthree w'ays:
Identity NAT (nat0 com lnand)
StaticidentityNAT (staticcommand)
NAT excmption (nat0 access-listcom mand)
Identity NAT
*=
Idcntity NAT issim ilarto dynam ic NAT in thatyou do notlim ittranslation fora hoston
specificintcrfaces.ldentity NAT.whcn cnabled. m ustbc used forconllectionsthrough all
ilpterfaccs.You cannotchoose to perfonn norm altranslation on realaddrcssesol1onc intcrface.
whilc tlsing identity N AT on another. l'lowever.rcgulardynam icNAT lctsyou specify a
particularinterface on which to translate the addresses. W hen using idcntity N AT, ensurcthe
rcaladdrcssesare routable on a1llletworksaccording to ACLS.
Thiscxalnplc tlses idcntity NAT forthe insidc 10. l.l.0/24 network.
FWSM (config)#nat (inside) 0 10.l .l .0 255. 2 55 .255 .0

Static ldentity NAT


Static identity NAT Ictsyotlspccify the illtcrfacc on w'hich to allow thc realaddrcsscsto
appcar.Youcalluseidcntity NAT w hen acccssing oneinterfacc, w hilc using regulartranslation
whcn accessing another. Static idcntity NAT permitsthe use ofpolicy NAT. which identifcs
the rcaland destination addressesw hcl)deterlnining thc realaddresscsto translatc. For
cxam ple,tlsc static identity N AT fbran insidc addrcsswhen accessing an outsidc intcrface witll
a dustination serverA bu1use norm allranslation whcn acccssing outsidcServerB .

2-48 lmplementingCi
scoDataCenterNetworklnfrastructure 1(DCNI
-I)v2.0 @ 2008 Cisco Systems. Inc,
'f'hisexalnple tlscsstatic idclltity NAT f-
tlr:11'
1illsidc IP addrcss(l0 1.I.3)'
. kvl'
)ellaccesscd by tllc
otltsidc.
FWsM tconfiglkstatic (insideyoutside) 10.1 .1.3 10 .1.1.3 netmask
255 .255 .255.255
'1'
11iscxalllple tlsesslatic itlelltity NAT fbr:111otltsidcatldress(209.l65,2()l.I5)uzl'
Ictlacccsst!d
by thtrillsidc.
FWsMtconfigl#static (outside,inside) 209.165.201.15
209 .165.201.15 netmask
'1'1)iscxalllplc statically lnapsan clltirc subnct.
FWsMtconfigl#static (insidezdmz) 10.1.2.0 10.1.2.0 netmask
255 .255.255.0

FWsM lconfigl#access-list NETI permit ip host 10 .1.2 .27


209.165.201.0 255.255.255.224
FWsM tconfigl#access-list NeT2 permit ip host 10.1.2 .27
209.165.200.224 255.255.255.224
FWsMlconfigl#static (inside,outside) 10.1.2.27 access-list
NETI
FWsM tconfigl#static (insidezoutaide) 209.165.202.130 access-
list NET2

Thiscxalnplccxelltptsal)il:sitlc I'
lcturork B'hcn acccssing any dcstillatiol7addrcss.
FWsM lconfigl#access-list EXEMPT permit ip 10.1 .2.0
255.255.255 .0 any
FWsM tconfigl#nat (insidel 0 access-list EXEMPT
'l'lliscxalllple usesdynalnicotltsitlcN AT fora I
'
IN'IZ nctubork'alld exenptsallotherDN'
IZ
llctNvork
FWsM lconfigl#nat (dmz) l 10.1.2.0 255.255.255.0 outside dns
FWsMtconfigl#global (inside) l 10.:.1.45
FWsM tconfigl#access-list EXEMPT permit ip 10.1.3.0
255.255 .255.0 any
FWsM tconfigl#nat (dmz) 0 access-liat EXEMPT
1'11iscxamplcexcnnptsan insidc atldrcss,
$5llt?n accessing tvo tliftkrenttlcstinatiolladdresscs.
FWsM tconfigl#access-list NETI perm it ip 10.1.2.0 255.255.255.0
209.165.201.0 255.255.255 .224
FWsM tconfigl#accesa-list NETI permit 10 .1 .2.0 255.255.255.0
209.165 .200.224 255.255.255.224
FWsM tconfigl#nat (inaide) O access-list NETI

(D 2008 Cisco System s,lnc. lmplem entingFW SM fora Data CenterNetwork Infrastructure 2-49
O rder of P rocessing and M axim um
N um ber of N A T S tatem ents
Realaddresses are matched to NAT com mands in a
specific order:
1 NAT exemption(natt)access-list)
2 StaticNAT andstaticPAT (regularand policy)(static)
:
'$PolicydynamicNAT (nataccess-list)
RegulardynamicNAT (nat)

The natcommand 2Q90


The globalcommand 4000
Thestatlccommand 2000
PollcyNAT forslnglemode 7942accesscontrolentries
PolicyNA'r formultlple mode 7272 accessconlrolentries

The Catalyst6500 SeriesFW SM m atchesrcaladdrcssesto NAT comm andsin a spccific ordcr,


tlnti1thc firstl
natch is found:
N,&T exem ption (nat0 access-listvom m and):In ordcr. unlilthe tirstm atch isfound.
Idcntity NAT isnolincltldcd in tlliscategory's itisincludcd in tlle rcgularstatic NAT or
rcgularNAT catcgory.Including ovcrlapping addresses inN AT exemption statcmcntsis
notrccom nlendcd.dtle to potentialtlnexpected restllts.
NtaticNAT and statlePAT.regularand policy(staticcom mand):lnordcr. untilthe first
match isfotlnd.Staticidentity NAT isincludcd in thiscategory. In thc case ofovcrlapping
addresscsin static statemcnts, awarning isdisplaycd.bu!thcy are supportcd.
Poliey dynam ic NAT (nataccess-listcom m and):In ordcr, untilthe tirstm atch isfound.
O verlapping addressesare allowed.
RegulardynamicNAT (natcommand):Bestmatch Rcgularidentity N AT isincludcd in
.
tlliscatcgory.ThcordcrofthcN AT comm andsdoesnotmatter' .thcNAT statclnentthat
bcstlnatchesthe realaddrcss is uscd, Forcxampleea gencralstatementisdefined to
translatcalIaddrcsses(0.0.0.0)on an interfacc. A sccond statemcntisdefincd to translatc a
subsctof-tllenetwork (I0.l.I.1)to a dif-
fcrcntaddrcss. W hen 10.I.I lm akesa connectioll.
.

the specitic Matem entfor l0.1.l.lisused because itbcslm atchcsthe realaddrcss.


Incltlding overlapping statcmentsisnotrccom mcnded. due to incrcased mem ory
rcquiremelltsand processing ovcrhead on thc Catalyst6500 SericsF' W SM .

2-50 lmplementingCl
scoDataCenterNetworkInfrastructure1(DCNI-I)72.0 @ 2008 Cisco Systems, lnc.
M axim um N um berof NAT Statem ents
3-lle t'atalyslt$5i)0 Serics F-NVSM stlpponstltefolltlw illg ntllnbersol
-nat. glebal,alld static
ckllnluandsdivided betsvettn al1colptexts, ori1a siIlglc lllotlc:
. 'i-ilcnatcolnlnalld:24)00(2k)
K Tllcglobalcolnllland:40()0 (4k)
w Tllcstaticcolnllpantl:200()(2k)

Note ln addi
tion,the Catalyst6500 Series FW SM supporls up to 3942 access controlentries in
ACLS used forpolicy NAT single mode,and 7272 access controlentri esformultiple mode.

L
(42008 Cisco Systems,Inc. Implementing FW SM fora Data CenterNetworkInfrastrtlcture 2-51
A dvanced N A T :M ultiple N A T ID s

nat (tnaide) 1 11.0.1.0 255.255.255.:


nat (lnatde) 2 10.0.2,: 255.255.255.0 2N
-
r #
nat (
nat (lnaide)3
inside) 410.0.3
10.0. .02
4.0 55.2
255. 55.255.0
255.255.0 2 +
a
10 0.2 0/24

lntem et Lc.
-
.r .1 .2>
w , .z p. .r 1
' .

. outside Inside ' '


192.168.1.0Q4 10.0.1 0/24
10.0.3.0/24
global (outside) 1 192.166.1.11 4 .
global (outslde) : 192.168.1.12 '
global (outa#de) 3 l92.l68.1.1.3
Q->- !' #jj
lobal (outs1de) 4 :
t92.166.l.14 #
12.0.4.0/24

M ultiple NAT IDscan be uscd to provide separate translated addressesforvarioussegmentsof


thc il3sidc nctwork.This isaccomplishcd by using multiple NAT IDs in the natand global
comm ands.lnsideaddresses thatare covered by thc IP addressand the Inask ofa spccific nat
comm and use thetranslated addressesin theglobaicom m and with tlle sam eNAT ID .
Forexample,thc network slpown in the figurc usesfotlraddresseson thecxtenlalnetwork.
Eaclladdrcss isuscd to provide accessforaparticularsubnetofthcinside nctwork. +

2-52 ImplementingCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.0 @ 2008Ci


sco Systems. lnc.
P o I1cy T
accesg-list partnerA permtt ip host lD n 0 10 172 16 l 100
access-1lst partnerB permlt ip hoat 10.0. 0 10o 172 16 2 100
static (inetde outsidel I?2 16 0 201 access-list partnerA
static (instde outside) 172 16 0 202 accegs-11st partnerB

Extranet <
h I #+
Out/ide Network h
N '
x/
$
'
172 16 00/16 Zslde Network
100.0.0/24
access-l1st partnerA permtt tp hogt 10.0.0.100 172.16.1.100
accesp-lls: partnerB permlt tp bost 10.0.0.100 172.16.2.100
nat llnalde) 20l access-ltst partnerA
nat (inslde) 202 access-l1st partnerB
global toueslde) 201 172.16.0.201
global (outaide) 202 172.16.0.292

Policy NAT is tlsed to sclctrtthc trallslaled addrcssto bc uscd based f)l1thc critcria cxpressed iI1
a!)cxtclldcd A('L.AI1exttllldctlA(. 'L allowrs policy NAT to iIpcltlde tllcsotlrcc alld dcstillatiol)
atldresscs alld pklrtsin tlledecision-lnaking proccss.

Note ACLSm uststillbe configured to allow tbe traffic flow enabled by the policy NAT
confi
guration.

('
D2008Cisco Systems,Inc. lmplementlng FW SM foraDataCenterNetworklnfrastructure 2-53
Identity N T

lntemet t
.- #
+ #.
Outside Network ''
198.133 219.0/24 lnsideNetwork
12@.107.224.0/24

nat (ineidm) Q 128.107.224.0 255.255.255.0

OR
Btatlc (inalde.outslde) 128.107.224.0 129.107.224.0 netmask 215.255.255.0

ldcntity N AT allow'san inside addressto beused on the outsidcnetwork.


Identity NAT isoften used when resourcesw ith publicly routcd addresscslnustbcprotected by
a tirewall,ldcntity N AT can becontigured with a statlc com m and ora natcomm alld w ith a
NAT ID of0.ldcntity NAT colpfigured with thcstaticcomm and allowsconllcclionsto be
initialed from eithersideofthe fircwall,while the nat0 com mand allowsconnectionsto bc
initiated only from within the insidc network.

Note ACLS m uststillbe configured to all


ow the traffic flow enabled by the identi
ty NAT
confi
guration.

2-54 ImpiementingCi
scoDataCenterNetworklnfrastructure1(DCNI
-I)v2.0 @ 2008 Cisco Systemsl Inc.
N T E xem p t1o r'1
acceas-list to-daz permit 10.0.0.0 255 155 255 0 10 l 0 255 255 255 0
acceas-lst to-dmz permlt 10.0.0.0 255.255.255 0 10 0 2 0 255 255 255 0
nat (tnsde) 0 aeceas-ltnt to-dmz

)'
r.
t.. ykebSeaer
...

DMZ1
10.O 10/24

Intem et *
h ! +
yz
'
- y
w .'
Outslde Network ''
198 133 219 0/24 DMZ2 loslde Network
10 0 20/24 10 0 0.0/24

7n9
..
:
ApspeII
ca1p
on
w er

Note ACLSm uststillbeconfigured to allow the trafficflow enabled bythe NAT exem ption
configurati
on.

Note Though ituses the natcom mand NAT exemption creates a two-way translation allowing
traffic tclbe initialad from tlithersi
de ofthe srtlwall.Tbis is the only bidirectionaluse ofthe
natcom mand.

@)2008 Cisco Systems,lnc. ImplementingFW SM foraDataCenterNetwork Infrastrblcture 2-55


Layer2 N AT/PA T
. NAT PAT.andstaticstatementswiltum onfunctionali ty.
. Tr ansparentsrewallbridge pai
rcansupm rtboth NAT and non-NAT traffic.
, Firewallwillresr ndtoARP requestforthe globaland static addressesinthe
same subnet.
* ManagementIP cannotbe partofthegl obalorstatlc pool.
w lnspectionswillbehave asin routed mode.
R1 s .t
10 1t0/24
(lutsi
de A1
E1 '
-/
z/ lo,1'
I
oo 'j
' Fwsv :
,0'.':
' 'o11'
$ 10''
s
1c11z so117 : Ct D1
B1 'Inside wy/ ' -#d

L'
L.
''
e- R2 TransparentFirewap
l
with NAT/PAT
t0 1'11f)
.

Tllc Catalyst6500 SericsFW SM can also perforln NAT in transparentm odc from software
versiol,3.4 ollwards.
Tllcse contiguration considcrations apply lo Laycr2 NAT/PAT deployment:
* Intcrface optionsforNAT.PAT,and statitarenotsupported.
* Routes(static)are needed on FW SM foraddresscsusing NAT thatarenotpartofthc same
subnetas FW SM bridge group.
* Rotltes(static)arencedetlonadjacentroutersforglobalandstaticpoolsthatarenotpartof
thc sam e subllctasFW SM bridge group.
* Tllc aliascom mand is notsupported.

2-56 ImplementingCiscoDataCenterNetworkInfrastructure1(DCNI-I)v2.0 @ 2008 Cj


sco Systems. lnc.
S um m ary

S ulnm ary
* The Cisco Catalyst6500 Series FW SM analyzesand modifies
fields in the IP,UDP,and TCP headers.
> The Catalyst6500 Series FW SM uses statefulpacketfil tering to
controltraffic between tw o orm ore netw orks.
w NAT and PAT modi fy IP addresses and UDP/TCP ports as traffic
passes through the Catalyst6500 Series FW SM .
* The Catalyst6500 Series FW SM is a fabric-enabled card that
connects to the Catalyst6500 Series Sw itch through a 6-pod
Etherchannel,
* The Catalyst6500 Series FW SM offers scalability to 20 G b/s in a
single chassis.
. The Cat alyst6500 Series FW SM uses VLANS to connectto the
restofthe network.

@ 2008 Ci
sco Systems.Inc. (mpl
ementl
ng FW SM fora Data CenterNe
w ork lnfrastrucure 2-57
2-58 Implementing Ci
sco Data CenterNetworkInfrastructure 1(DCNI-I)v2.0 (()2008 Cisco Systems. Inc.
Lesson2I

Im plem enting M anagem ent


A ccess

O verview

Objectives
C onfiguring M anagem ent A ccess
Thistopic describcsthc variousmanagclnentaccessoptionson the Catalyst6500 Serics
FW SM .how thcy areconfigured and when thcy areuscd.

M anagem ent A ccess


Managementaccess interfaces:
Console
. Remote access
Gul-basedmanagement

Out-of-bant management
g'
'
t?
,
.
'
- -. ,- -.. -. .-.
'- E: .-z.
*'
-4.-
.-.
4.
. -.
. .Q...
..
m -.
.CX. .w
-.-- .-!
.n, /...
. .-
?.
.w-.-
t.
d-
n.
!.
o.
kJz
; @. .-.. .. .. .= .... ... ....- .. -
. .u
.) $
'z I

. ! I

Thc Catalyst6500 SericsFW SM can bem anaged usillg variousmethods:


* Accessthrough console collnection froln thc Cisco Catalyst6500 ScriesSwitch M ultilaycr
Switch Feature Card (M SFC)
K Using thcrcm ote acccss, stl
ch asTcllletorSccurcShcll(SSH)with in-band managcmcnt
* UsillgthcGul-basedCisco AdaptivcSecurity DeviceM anager(ASDM )
* Dcploying out-of-band m anagelnentto rcstrictm anagcmenttraffsc to specitic intcrfacc

2-60 ImpsementingCiscoDataCenterNetworkInfrastructure1(DCNI-I)v2.0 @ 2008Cisco Systems, Inc.


onsole ccess
msfc#
session slot moduie n er processor 1
. Accesses FW SM from MSFC through console
mafc#session sloe e provessor l
The defeulk eseape character is Ctrlv' then x
You Cao also type 'extl at ehe remoee prompe to end the sesslon
Trytng 127.Q.0.81 ... Ppen

User Accesa Verification


Paaaword:
Type help or 1?1 for ltse of avRtlable ccpmands
fwsny enable
Password:
fwsm#confivure termlnal
fwsmlconftgl#exit
fwsm#extt
Logoff ..

tconnecton to 127.0.0.81 closed by foreign hoebl

TllcCatltlyst65()()Series FWTSM doesllotlpave any extcrnalportsoracollsole port.Tllcreforc.


tlpc ollly'optiollto accessSllc (-'ataIyst(7500 SeriesFNVSM initially istlll'
otlgh tlle M SFI-by .

sessionilpg lo theCatalyst650()ScricsIJSVSN1.

Note Form ultipl


e contextmode,whenyousession into theCatalyst6500 SeriesFW SM you
access the system confi
guralion.

Logging through the C onsole

Note Keep in mind thatthe exitcomm and m ightneed to be entered m ul


tiple limes ifin a
configuration mode.

@ 2008Cisco Systems,Inc. lmpl


ementing FW SM fora Data CenterNetworklnfrastnacture 2-61
Privileged EXEC M ode
To changc thccontiguration.you mustcntertheprivilcged EX EC modc by using theenable
colnm and.Upon entering thc privilcged EX EC comlnand,you mustentcrthe privileged
password.which by defatlltisblank;thcreforc,pressthe Enterkey to contintlc,
Froln thismodc.the globalconfiguration m odccanbc acccsscd.Thc globalconfiguration lnode
doesnotrcquirc any password to be entcrcd.
Tlle contiguration mode isentered with the conflgureterm inalcom mand.
To cxitprivileged EXEC mode.cnterthc disable colnmand.You can also entcrthe exitorlhe
quitcom mandsto cxitthccurrentaccessmode (privileged EXEC lnode.globalcontiguration
lnodc,etc.).

M anaging A ccess Passw ords


The login password isuscd forscssionsfrom thc switch,asw'ellasTelnetand SSII
conllcctions.
Ollcc Ioggcd in.thcdefaultlogin password can fand should)be changed w ith the password
command.
To cllangcthcenablcd password,use thc enable passw ord command.The comm and changcs
the password forthc highcstprivilcgclevel. lflocalcom mand authorization iscontigured. the
privilcgcd passwordsforeach privilcgc levclfrom 0 to 15 can be sct.

Note The password is a case-sensitive string ofup to 16 alphanum eric and speci
a!characters.
You can use any characterin the password excepta question m ark ora space.

To restorc the password to thc defaultsctting,usc theno form ofthc comm and.
Thc passwordsarcsavcd in the contiguration in encrypted fonn,

2-62 Impl
ementlngCiscoDataCenterNetworklnfrastructure1(DCNI
-I):2.0 @ 2008Clsco Systems. lnc.
T elnet R em ote A ccess
fwsmtconftgl#
telnet source IP address mask source in terface

* Allows Telnetthrough interface from source IP addresses


fwsm lconfigl#
telnet tim eout mnutes

. Sets the Telnettim eout

v Cleartextaccess -'- '


- '-''
--- '
-
. Only serverside is im plem ented
.yyLss
telnet 0.0.0.0 0.0.0.0 tnside '

Note Only the adm i


n contextcan have up to 15 Tel
netsessions concurrently

Note Iftwo ormore concurrentTelnetsessionsare opened and one ofthe sessions i s atthe
M ore prorrlpt,the othersessions may hang untilthe &ore promptis dismissed.To di
sable
the More prom ptand avoid this situation entertlle pagerlines 0 com mand

W'l1cl)acctzssil'
lg tl'
lc Catalysl(,50()Scrics F'
W'Sh.
1tlsillg Tcllletthedcfatlltl'asssvord is('
i.
b4.
o.

@ 2008 Ci
sco Systems,lnc. I
m pf
ementing FW SM fora Data CenterNetworkInfrastructure 2-63
Configuring TelnetA ccess
To configure Telnetacccssto the Catalyst6500 SeriesFW SM ,use the comm andslisted in thc
tablc.

Configuring TelnetAccess Com m ands

Com m and Descrlptlon


telnet Identises the IP addresses and interfaces from which the FW SM
source IP address mask accepts connections,Ifthere is only one interface present,Telnet
source-n-ferface
- can beconfiguredtoaccessthatinte#ace.aslong asthe
intedace has a security Ievelof100.
telnet timeout mnutes (Opti
onal)Setsthe Telnetsession i
dletime before the FW SM
disconnectsthesession.Thevalue canbe between 1and 1440
minuteslwith the defaudtbeing 5 m inutes.

Note Tesnetaccess cannotbe configured on the lowestsecurily interface.

M ind thatFW SM should beconfigured w ith interfaces, IP addresses,and properrouting to


allow rem otcaccess.
Thisexamplc shows the configuration thatallowsTelnctfrom any source IP addresscoming
from tlle inside segnlcnt.Thc tim eoutis setto m axilnum .
fwsm (config)#telnet 0.().0.0 0.0 .0 .() inside
fwsm (config)#telnet timeout l440
Thiscxam ple pcrm itsahoston the inside interface with an addressof 192. 168.I.2 to accessthe
Catalyst6500 SericsFW SM .and allowsTelnctto be idle form axim um of30 lninules.
fwsm (config)#telnet l92 .168.l.2 255.255.255 .255 inaide
fwsm (config )#telnet timeout 30

2-64 ImpsementingCiscoDataCenterNetworkInfrastructure 1(DCNI


-I)v2.0 (I)2008 Cisco System sl Inc,
S S 81 R elnote A ccess
fwsm tconfigl#
ssh source IP addres, Dask source interface
. Allows SSH through inlerface from source IP addresses
fwsm tconfigl#
ssh tmeout mnuees
. Sets the SSH timeout
@ Configurati
on steps:
- Generate RSA key '- '
-- ''''--- '
-Configure SSH
1
crFpto keF generlte raa ooduAus 1024
wriee memory
! L: '
seh 0.0.0.0 0.0.0.Q inside #'' .
ssh eiaeout 5

Note Onl
y lhe adm in contextcan have up to 15 SSH sessions concurrently.

Note lftwo ofmgre concurrenlSSH sessitms are Opened and one ofthe sessitms is atlhe M ore
prompt.the othersessions may hang untilthe M ore prom ptis dismissed.To disabl
e the
M ore prom ptand avoid this si
tuati
on.enterthe pagerIines 0 com mand.

Note W hen starting anSSH session adot(.)di


splaysontheCatal
yst6500SeriesFWSM
console before the SSH userauthentication prom ptappears.This does notaffectthe
functionalily ofSSH'itappears atthe console when generating a serverkey,orwhen
decrypling a message using privatekeysduring SSH keyexchange before user
authentication occurs.These tasks can take up to two minutesorIonger.The dotis a
prtygress indicatorthatverifies lhatthe FW SM is busy and hasnothung.

@ 2008 CiscoSystems.Inc. Implementing FW SM fora DalaCenlerNetworkInfrastructure 2-65


Configuring SS H A ccess
To confgtlre SSH accessto the Catalyst6500 Serics FW SM ,usc the comm andsin thc order
specified in thc table.

Configuring SSH Access Procedure


Step Actlon Notes
1' crw to key generate rsa Generates an RSA key pairrequired for
modulus modu.
lus- size SSH.The modulus is 512-,768-,1024-,or
2048-bitsl ong.The largerthe keymodul us
size.the Iongerittakes to generate an RSA
key.The recomm ended size is atleast1024.
2 write memory Saves the RSA keysto persislentflash
mem ory.
3 ssh source JP address mask Identi
fies the IP addresses and i nterfaces
source- n terface from which the FW SM accepts connections.
SSH access can be configured on the I owest
security interfaoe in contrastto Telnet.
4. ssh timeout mnutes (Optional)Setsthe SSH sessionidletime
before the FW SM disconnectsthe session.
Value can be between 1 and 60 minutes.
defaultbeing 5 m i
nutes,
5. ssh version (1 l 2) (Optional)Restri
ctstheversionofSSH
accepted by the FW SM .Bydefault. the
FWSM acceptsbothversi
ons (SSHVIand
SSHv2).

Note The SSHVZ requiresa3DES li


censetowork. The cryptographic algorithm s used by SSHv2
are Iimited to3DES and AES.Onl ySecure HashAlgorithm (SHA)and Message Digest5
(MD5)are availableforthe integrity.

Kcep in m ind thatthe Catalyst6500 ScriesFW SM should bcconfigured with interfaccs. IP


addresses.properrouting,FW SM namc, and domain name to allow rem otcaccess. lfdolnain
name islotspccitied.thedqhlltlt.domain.j??:w/J isgeneratctl.
Note The userauthentication attem ptlimitis setto three and is notconfigurable.

Verifying SSH C onfiguration


To verify the SSH configuratiollusc thc colnlnandslisled il)thelablc.

Verifying SSH Configuration Com m ands


com mand Descrlptlon
show ssh sessiona Exam ines the SSH sessi
ons.
c.
len t ip
show debug ssh debug Veri
fies the SSH wi
th debugging
J.evre.l

2-66 Impl
ementingCiscoDataCenterNetworkInfrastructure1(DCNI
-I)v2.0 (
D 2008Cisco Systems. lnc.
Thiscxalnplc sllowrstllc col)tigtlratiol)tllataIlou'sSSIIfroln :1:13,sourcc IP adtlresscolllillg
fioll'
ltllc illsidc scglnent.Thc tilucotltissctto 5 111intlttls.
fwsm tconfigl#crypto key generate rsa modulus 1024
fwsm tconfigl#write memory
fwsm lconfigl#ssh 0.0.0.0 0.0.0.0 inside
fwsm lconfiglgssh timeout 5
'I'llc sizc tbrthe RSA key bcillg gencratctlis l024.
Tlliscxalnplcpcnnitsa hllstol'
ltl'lc illsitlc interlbce'w ith al1address01-l92.l68.I.2 to access thc
FSVSN.1-al'
ld allovvsSSlIto bc idlc forl' naxilpltlln of3()n' iillutcs.
fwsm lconfigl#ssh 192.168.1.2 255 .255 .255.255 inside
fwsm tconfigl#ssh timeout 30

Q 2008Cisco Systems.Inc. lmplementing FW SM fora DataCenterNetworkInfrastructure 2-67


G tll-Based Rem ote Access
* Adapti
ve SecurityDevice Manager(ASDM)isfree
. Prerequisites:
Javascri ptorJava m ustbe enabled -. ..
lz.
1Q.1 t -i
SupportforSSL mustbeenabl
ed y& -
. - ..- ... I
Pop-up bl
ockersm ustbe di
sabled I= ''' -
J.j!'57
-. r - .
yr'r ''
fwsm (config)# '
.
- 'r .... , ,.z..1 - ;I
..-

http aource ZP addrea, malk aource neerface .w --


Http aerver enable
* All
ows HU PS through interface from source
IP addresses and enables HTTPS .-c-.
.g.,.
..,,5.

http l0.Q.1.0 255.255.255.0 innide


http server enabl. 2

To uscCisco ASDM ,the HTTP overSSL (HTTPS)servcrmustbe cnablcd so thatHTTPS


connectionsare allowcd to thc Catalyst6500 SericsFW SM .
A maxim um offive conctlrrentCisco ASDM instancespcrcontcxtare available, with a
maximum ()f80 Cisco ASDM instanccsdivided between a1lcontcxts. Thcnum berofCisco
ASDM sessionsallowcd pcrcontextiscontrolled using resourcc classes.
The m inilnuln Cisco ASDM and Catalyst6500 SeriesFW SM software compatibility version is
ASDM 5.0(lIF and FW SM 3,l.
Cisco ASDM can be run asthc following:
m A Iocalappliation thatrcquircsthe illstallation ofCisco ASDM on the clientworkstation.
The localapplication connectsto FW SM from th=workstation via Sccurc StwketLaycr
(SSL).The advantagesare:
Upgradesofthc localapplication arc pcrformed automatically.
Cisco ASDM can be invokcd from desktop shortcuts. No browscrisrequircd.
Oncdcsktop shortcutallowsyou to conncctto m ultiplc sccurity appliances, notonly
to the Catalyst6500 ScriesFW SM .
m A Java appletthatisdynalnically downloaded from thc device to which you connect.

Cisco A SD M Prerequisites
The workstation used fbrCisco ASDM accessmustlnccttheseprerequisites:
w Ithasto bcinstallcd w ith supported Java vcrsions l.4.2 and 5.0 (also known as l.5).
K Itm ustbc cquippcd with web browser:
Enablcd w ith Javascrip!and Java
SSL supportm ustbe enabled
Pop-up blockersm ustbcdisablcd since they may prcventCisco ASDM from
starting(CiscoASDM willllotitk you)
2-68 ImplementingCiscoDataCenterNetworkInfrastructure 1(DCNI-I)v2.0 Q 2008 Cisco Systems, lnc.
Configuring Cisco A SDM A ccess
To tlsc C'isco ASDN1.HTTPS scry' erIlasto bcenabled alld IITTPS collncctiollsto the (-'atalyst
65()0 ScricsFNVSM 111t.
1stbealloqved.To configtlre IITTPS acccssto tllc('atalyst6500 Serics
.

F'
$VSN1tkscsthccollllllalltlslistcd i1)tllclablc.

HTTPS A ccess to the FW SM Com m ands


Comm and Description
http source TP addz-ess ldentifies the IP addresses and interfacesfrom whi
ch the FW SM
mask souvce--in-qerface acceptsconnecti
ons.
http server enable Enables the HTTPS service on FW SM.

Tllisexalnple sllowstl 'leconfiguration witllyvl'


litlllIITTPS isallow-ed tkoll'
ll0.().4.0/24 llctyvork
colllil'
lg froln thc illside scglncllt.
http 10.0.4 .0 255.255.255.0 inside
http server enable

@ 2008 Ci
sco Systems,Inc. I
m pl
ementi
ng FW SM fora Data CenterNetworkInfraslfucture 2-69
P N -B ased em ote ccess
Ipsec VPN form anagementpurpose: .-,
-....----.-
'.. f r
z. ..w .
.. . .u 1''v'
.. .'
* Routed'
.site-to-site VPN client '
-'-1
.
--'
-
* Transparent:site-to-site Only l

i:akmp poltey l Auth.ntsrptioa


iekmp poliey l .neryption 34** WRAR
ieakmp poliey l group 2
ilakmp policy l hash $hh
iaakmp enble outsid.
crypto ipmac tran,form.eet vpn ewp-3iea llp-mha-hole
isakmp key PRSHRKY addreea 209.165.200.223
accesa.lile TUNN?L ext*ndad parmit ip hoz:
209.165.200.225 209.165.201.0 255.255.255.2:4
crypto map teln*t Tlnnel 2 ipsec-ialkmp -
crypto =ap telnle bunnet l aatch addre/. TCNNZL '
crypto map Lelnet-tunn/l l 5et p**r 209.165.202.129
crrpto map telnet-tunn*l l et trlnsform-set vpn
crypto map telo*t-tunnel interfac. outgide

* Sam ple site-to-site VPN confi


guration

TheCatalyst6500 ScriesFW SM alsosupportsIP sectlrity(1Psec)fbrmanagcmentacccsswith


which trafliccan safely travclovcrinsccure networks.such asthe Internet. The Catalyst6500
SeriesFW SM can conncctto anotherV PN concentrator. such asa Cisco PIX tircwallora
(--isco 1OS router,tlsing asitc-to-site tullnel.You spccify thcpcernetworksthatcan
com lnunicateoverthetunnel.ln thc case ofthc Catalyst6500 SericsFW SM . the only addrcss
availablc on thc Catatyst6500 SeriesFW SM etld oftlw tunnelisthe interfaceitsclf.
The routed modecan atso akxeptconnectionsfrom VPN clients. eithzrhostsrunning the Ciseo
VPN clicnt.orV PN concentrators,such as the Cisco PIX GrewallorCisco IOS router, running
the Easy VPN clicnt.1l)thiscasc tlle IP address ofthe clientisnotknown;instead. the VPN
tunnclsettlp rclieson clientauthentication.
Transparentfirewallmode docsnotsupportrelnote clicnts. only Sitc-to-site tunnels.
A maximtlm offive concurrcntIpsecconnectionspercontcxtareavailable, with a maximum of
ten concurrentconncctionsdivided bctween al1contcxts. The num bcrofIpscc scssionsallowed
percontcxtiscontrolled using resourccclasses.
TheVPN-bascd relnote acccssm ightbcuscd in disasterRecovcc centerorbackup ccnterto
scctlrely acccss the Catalyst6500 SericsFW SM from the primary data center.

Configuring VPN A ccess


To configurebasic Ipsec VPN acccssparametersthcstepslisted in the tablc have to be
accom plished.

Configuring Basic Ipsec VPN Access Param eters Procedure


Step Actlon Notes

1. isakmp policy priorit:ye Setsthe lnternetKeyExchange (lKE)


encryption (des I 3des) encrypti
onalgorithm.Multipl
elKEpolici
es
can exist.The priority is a value between 1
and 65.534,with 1 being the hi ghestpriority.

2-70 lmplementing Cisco Data CenterNetwork Infrastructure 1(DCN1


-1)72.0 @ 2008Cisco Systems, Inc.
Step Action Notes

2. isakmp policy prioz-rye group Sets the Diffie-Hel


lm an group used forkey
(l 1 2J exchange Group1is768bits.whileGroup2
i
s 1024 bilsand thus.m ore secure.
3. isakmp policy pz'cnrry' hash Sets lhe authentication algorithm .
(md5 I sha)
4. isakmp yolicy pz'ioril
:;z SetsthetKEauthenticationmelhodasa
authentlcation pre -share shared key. Alternati
vely.certifi
cates can be
used instead ofa shared key by specifying
tbe rsa-sig option.Consultthe FW SM
documentation form ore information about
this method.
5 isakmp enable in tez-face name Enables 1KE on the tunneli
nterface.
6' crypto ipsec transf0rm -set Sets the authentication and encryption
rransfchz-m name (esp-mds-hmac I melhodsusedforlpsectunnelsina
esp-sha-hiiacl (esp-aes-256 I transform set.
esp-aes-192 I esp-aes I esp-
des 1 esp-3des)

Configuring the VPN Client lpsec Access Procedure


Step Action Notes
1 crypto dynamic -map Specifies 1he transform sets allowed for
dynaic map name priority set clienttunnels.
trans fo-
r= -s'
e
-t trans foz'
m setl
(transform set21 (...) -
2 crypto map crrpto map name Assignsthe dynam iccfypto maptoa static
prlorry ipsec-isakmp dynamic tunnel.
dynamc map name
3' crypto map cvyp to map zvalrle Speciriesthe irlterfaceatw'
l
nicn l:e client
inter face iJ2t7erfa-
ce n-anle tunnel
s term inate.
4' ip local pool pooz name Specifiesthe range ofIP addressesto be
fl-st ip address- - used forVPN remote access tunnels
last 7p address Emask rlas.
e)
5' access -list acl. name Specises the tunneltraffi
c destined forthe
(extendedl permlt (pz-orocoi) FwsM
host fw' sm ntrerface address
.D
oo J.- a JJr-esses mask-
6' tunnel -group name general- Assigns the VPN address poolto a tunnel
attributes address -pool group
pool zzanle
7 group -policy name attributes Specify thatonly trar
fic desti
ned forthe
. yw su ks tunneled
and
split -tunnel-policy tunnelall
8 group -policy group zrarne Sels the VPN group password
external server -group
Sel'ver g2'ouF3 rlanle pasaword
sezvez passurord

Q 2008CiscoSystems,lnc. Implementing FW SV fora DataCenterNetworklnffastruclure 2-F1


Note Only one crypto m ap name can be assigned to an interface.Ifboth site-to-site tunnetand
VPN clients should be terminated on the same interface use the sam e crypto map name.

To ftlrtherconfigure the site-to-site lpsecaccess,thc stepslisted in the table have to bc


accom plished.

C onfbguring the Site-to-site Ipsec Access Procedure


Step Actlon Notes
isakmp key keyscrng addresa Sets the shared key used by both peers.
peer-address
a' access-list ac1 name ldenti
fiesthetrafficallowed togo ovefthe
Iextendedl (den-
y k permit) tunnel.
(prorocoz) host
fwrsm interface addvess
des t- addres s m-ask
3 crypto map cryp t:o map name Creates an Ipsec tunne!
priortry
. ipsec -is akmp

4. crypto map crypto map name AssignstheaccesscontrolIist(ACL)tothe


priorit:;z match adzres-
a tunnel.
a cJ. na me
s. crypto map cryp to map name Specifiesthe remote peeronwhichthe
priorit:yr set peer-p '
a
-ddress tunnelterminates.
6, crypto mlp crym t:o map name Speciqes the transform sets forthis tunnel.
F?rorit:y aet tran-
sform
- -se t
transfor' m setl
Itransform
- set21 (...)
crypto mlp crqrp to map name Specifies the interface where 1he tunnel
in terface r2t:erfa-
ce n-
ame terminates.
8. http source IP address mask Identifi
esthe IP addressesandinterfaces
source nte-
rfa-
ce from whichthe FW SM acceptsconnections.
9. http server enable Enables the HTTPS sewice on FW SM .

2-72 ImplementingCiscoDataCenterNetworkjnfrastructure 1(DCNI-I)v2.0 Q 2008 CiscoSystems, Inc.


IC M P on FW S M
w ICM P form anagem entpurpose
fwsm tconfigl#
icmp (permit l deny) (host ip address ( jp addresa mask 1 any)
(:cmp typel interface name
> Allows ICMP ofcertain type to and from an intedace

'#
'j
:
>.
,
.'1
#'
.
- f ,. ,
/ .
'x
--
Otl
tsideNetworknlrl'
10
kQ
'
.
--'
Insi
deNetwork
',h- 10.0.0.0/2zs
-
'
-
/6
,
1
.0.0.0/24 -

icmp deny any outside


icmp permit any tnside

ICM P can bepennittcd ordclpied to reacl)aCatalysl(A50()SericsFSVSNIilplerf' accw itl1IC'N'


SP
eitllutrli'ollla hostto llle Q'atalyst6500 Scries FNVSM orf'
roln tllcCatalyst650()Sel'iesFTVSM
t()a llostmw'llicllretluircslhe ICM P reply to bc allowetlbtck.

Note Ifonly ping is reguired from the Catalyst6500 Series FW SM to a host--onl


y echo reply back
tothe intel
-face should be all owed- usethe ICMP i nspection engine i
nstead ofthe icm p
comm and.

(I)2008Cpsco Systems.fnc. fm plem ening FW SM fora DataCenterNetwchck lnrrastructure 2-73


O ut-of-B and M anagem ent
w Disable pass-through trafficthrough the managementinterface
. Routed mode only

fwsm tconfig-tfl#
management-only r
w Dedicates the intedace for I
T
managementpurpose '
1 z

Outside 4 lnsi
de
X . .. . ...ty .
. G .

interface vlanlo
managament-only

An interface on a Catalyst6500 Serics FW SM can be dedicated forthe m anagem cntpurpose.


O n such an interfacepthc trafficcannotpass through the C'atalyst6500 ScriesFW SM .
Uscthc m anagem ent-only com mand on the interfaceto achievethat.
Otlt-of-band m anagementisavailablc only in routcd m odc (in transparcntlnodethisisthc
dcfaultbchaviorfortheBridge-Group VirtuallnterfaceEBVIJintcrface).

2-74 lmplementingCiscoDataCenterNetworklnfrastructure 1(DCN1-1)v2.0 @ 2008Ci


scoSystems. Inc.
C onfiguring A A A Services

U nderstand ing A A A
. AAA servi ces:
-
Authentication'.W ho are you?
Authorization:W hatare youallowed to do?
-Accounting' .W hatdid you do?
. Discrete percontext
. AAA database' .
LOCal V'14
..s. t
,.,. ot
1R
ide
0 0N
0e
0t
/wori
24
- sew er-based:
.IRADIUS #
2i.,u ,.>' t
'
j'j
/
.TACACS+ L'l
k Qx - - - -u--a- '
--#.
#
s
AAA 'if' '
e
AAA Server
1O 0 0 1!0

Q 2008CiscoSystems.Inc. Imptementlng FA'


SM fora Data CenterNetworklnfrastructure 2-:5
A A A Services D escription
Alllheltliczltion controlsthcaccessby validating usercrcdentials.typically a uscrname and
password.Thc Catalyst6500 SeriesFW SM can authcnticatc a1ladlninistrativc connectionsto
tllcFW SM.includingTelnet,SSII,consolesASDM (using HTTPS),VPN managcmentaccess,
privilcged EXEC lnode,and network access.
Allthol.ization controlsaccessperuscraftcra useraulhenticatcs,and can authorize managem cnt
comm ands.nctwork acccsssarkd V PN acccssformanagcm cntconncctions.lfauthorization is
notenabled.authcntication providesthe same acccssto serviccsforallauthenticated users.

Note I
fcommand authori zation isturned on,the TFTP sewercom mands are checked by the AAA
serverforauthorization which could resul
tin delays in case manyACLS are confi
gured.

Al'coltlltil'g isused to track traftic passing throtlgh the Catalyst6500 SericsFW SM , thus
enabling tlscractivity to be rccorded.Accounting ofthe trafticcan be doncperuser, if
authcntication is used.Othcnvise.trat- fic isaccountcd pcrIP address.Accounting information
includcs sessionsstartand stop tim e.uscl-nalne.num berofbytespassed forthc scssion, 1hc
scrvice uscd.and thc duratiollofeach session.

Note lnm ul
tiple contextmode you cannotconfigure anyAAA com mands i n thesystem
confi
guration.However i fyou configure Telnetauthenti
cati
on in the admin context. then
authentication also appliestosessionsfrom the switchtotheCatal yst6500Series FW SM
(whichentersthesystem execution space).

2-76 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)v2.
0 @ 2098CiscoSyslems,Inc.
C ontrolling A ccess to tlle FW SM
fwsm tconfigl.
aaa authentication (telnet I ssh 1 http) console (LOCAL I
eerver group (LoCALJ)
. AAA authentication fordifferentaccess methods

fwsm tconfigl#
aaa authentication enable console (LOCAL 1 server group
tLocALl)
. AAA authorization forprivileged EXEC Ievel

fwsmlconfigl#
aaa accounting enable (privilege zeve:l server-group
/kAA accounting forprivileged EXEC Ievel

M anagclllentaccessto tlleC'atalyst6500 ScricsFW SM can bccolltrollctlusillg AAA .

A uthentication

Note The LOCAL param eteris case sensitve

A uthorization

Caution The userID associated wi


th 1he I
ogin sessi
on is lostifthe system-wi
de enabse password is
used to authenticate.

@ 2008CpscoSystems.Inc. Implementing FWSM fora Data CenterNetwork Infrastructure 2-77


Tllccomm and structurc oftheCatalyst6500 SeriesFW SM can also be assigned to different
pris'ilegc lcvclsw'ith thcprivilegecomm and contiguration statelncnt.
privilege gshow IclearIconfigurejlevelIebvlgmode fenable1conligure)1command
('
t)??,???t???:/

privilege Param eters

Param eter Descrlptlon

show 1 clear I (Opti


onal)Thesekeywordsal
low youtosettheprivilegeonl
yfor
configure the show clear orconflgure form ofthe comm and.The
conflgure form ofthe com mand istypically the form thatcauses
a configuration change,ei
theras the unmodified com mand
(withoutthe show orclearprefi
x) oras the no form.Ifyoudo
notuse one ofthese keywords.al1form s ofthe comm and are
affected.
level .
ieve.
l A levelbetween 0 and 15.
mode (enable J (Optional)Ifacommandcanbeenteredinunprivi
legedor
configure) privil
egedmode,aswellasinconfi
gurationmode,andthe
com mand performs di#erentactions in each mode you can set
the privil
ege levelforthese modes separately.The enable
parameterspeci fiesbothunprivileged modeandprivileged mode,
while the conflgure parameterspeci ses configuration m ode
which is accessed using the conflgure term inalcommand.
command command This parameterrefers to the com mand thatyou are confi
guring.
Youcanonlyconfi guretheprivilege levelofthe maincommand.
Forexam ple.you can confi gure the IevelofaIIaaa comm ands
butnotthe Ievelofthe aaa authentication comm and and the
aaa authorlzation com mand separately.Also.you cannot
confi
gure the pri
vilege Ievelofsubcom mands separatel y from the
main com mand.Com mand authorization m ustbe enabled ifyou
specify nondefaultcomm and privilege Ievels.Thi
s is
accomplishedwiththeaaa authorlzatlon com m and LOCAL
com mand.

Accounting
An accotlllting rcqtlestisgeneratcd w hclltlscrlogsinto and logs outofthc Catalyst6500 Series
FNVSM throtlgh Tclnet.SSH.orlITTP.
Comm and accounting issupported formanagem entsessions. Ifcom m and accounting is
cnablcd comlnandsentcred by thc userare scntto AAA serverasaccounting requests. Only
TACACS #issupportcd.

Troubleshooting A A A Services
Nvllcn trotlblcshooting AA A scrvices.the debug com lnands listcd in thc tablc can bc used .

Troubleshooting AAA Services Com m ands


com mand Descrlptlon
debug p ix uauth Shows pix uauth debug messages.
debug radius Shows debug messages forAAA.
debug tacacs Di
splays TACACS+ debug inform ation.

2-78 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)v2.
0 @ 2008CiscoSystems,Inc.
C ontrolling A ccess to the F SM
Exam ple

e .#
.'.
*:m
I
nsl
deNetwork
. ev !()0 0.0/24
K $ *#' i
'.
$?y$
j
. p ' p
. .. p- f.
.
:*Sr
,...'
- - - . . .
uwj z
d
y: yk
7
z.; ..
.. /$$ss .
'
z.
a,..

f, ..t ''.;.,.r,.1 .)7.7.?rts;er..:',w
t#t!. phslk/tk:5()rA/f,r
j()(j(jjj(;

aaa authentication ssh console my-acs LOCAL


aaa authentication http console my-acs LOCAL
aaa authentication enable console my-acs LOCAL
username security-admin password p8ssworD

ln tlle exalnple.AA A scrvicesare tlsed to authellticatethe SSII,A SDM ,and privileged EXEC
mode acccssusing tlle localdatabasc.

@ 2008 Ci
sco Systems,Inc. Impl
ementi
rlg FW SM fora DataCenterNelwork I
nfrastructure 2-79
Controlling A ccess Through the F SM
> Authenticate HTTP and SMTP traffic
aaa-aerver AuTHout protocol tacacs+
1
aaa-server AuTHout (inside) host 10.0.0.1
key AhAuauthKey
I
access-liet MAIL AUTH extended permit tcp any Rny eq smtp
access-ltst KKIL-KUTH extended permit tcp any any eq www
aaa authenticati-
on match MAIL AUTH inside AuTHout

01 FITTPsu'?p
, 3 xs
.s we
tt 1()bSer
ver
e #
. .'
<;
e' .
J.' o,
.
().
2nc j,
Outsi
deNetwork 2 ,.,#. . .
:
198.133.2190/24 '*'
l............kj Insi
A
deNetwork
AAA S 10.0.0.0/24
erver

Traftictlow through tlw Catalyst6500 SeriesFW SM can be controlled w ith AAA . +

To check the crcdentialsofa clientaccessing the W eb server,the AAA m echanism scan be


used.The following orderhappens:
step 1 Clientistrying to open HTTP orSM TP session.
m ep2 PackethitstheCatalyst6500 SeriesFW SM ,which authenticatesuserin cooperation
with AAA server.
step 3 lfthe userprovided correctcredentials,thetrafficdcstined to HTTP orSM TP server
isallowed,otherwise the traflic isdropped.

A uthentication
Userscan beprom pted to aulhenticate thcmselvesto the Catalyst6500 SeriesFW SM before
gaining accessto network resources.ForFTP,HTTP, and Telncttraflic thatrcquiresuscr
authentication,the FW SM firstauthenticatesthc userand thcn passesthe traft'
ic to the
requested destination.Otherprotocolscan be configured to require userauthentication that
musttirstbeperfornwd via FTP,HTTP.orTelnetto theFW SM . This can be doneby aceessing
anetwork resource through a connection lhatrequircsauthentication orby connecting to a
virttlalservercontigured on theFW SM thatprovidesauthentication.
Virtualscrverson the FW SM can becreated using thcvirtualhttp orvirtualTelnet
comm ands.
Traftic flowsthatrequire authentication are specificd by creating an extended ACL. The A CL
is then specified in thc aaa authentication m atch com mand. A lternativcly,you can uscthc
aaa authentication include com mand,which identitiestraftic w ithin the com lnand. However,
you cannotuse both m ethodsin the samc contiguration.
Localdatabase can supportcut-through proxy authentication.ltcan bepopulated using the
usernam epassword comm and.Theconfiguration ofthclocaldatabase can be donc by adding
the Iocalparalneterto the aaa authentication comm and.

2-K lmplementkngCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.O @ 2008CiscoSystems, Inc.


A uthorization

Tral'lic flow'sthatarc cllccked foratltllorizetlaccessby aTAI--AC'S 1scl -vcrarc spccilictlby


clvkttiI1g an cxtendcd AC L..Tl' le ACL is tllclltlscd in thc aaa allthorization m atch collllllal 'ld.
A Itenltttively,you callusc tllc aaa authorization include conllualltl.Tl' le bcginnillg ofcacll
traI 'lic tlosv catlscsa qtlcl'y to besentto tlle T/NC'ACS Iscrqr eruritlltl'
lcparalnctersofll' lc traftic
114
.1'
$5.,.'Fl'
lf
2TACACS Iserv'crrettlrnsa#(*?wlj?()r(1L. ,13'indicatiol).

Note Details on configuri


ng the TACACS+ and RADIUS servers forconnection authorization can
be found in the FW SM Configuration Guide.

A ccounting

Troubleshooting A A A Services
!V1)t?11troublcsllootillg AAA servicesathc dellug colnlnandslisted i11tllc table cal'
lbc tlsed.

Troubleshooting AAA Services Com m ands


Com m and Description

show uauth Di
splaysoneoraI1currentl
yauthenticatedusers (exceptfor
managementsessions)the hostIP to whichtheyare bound.and
any cached IP and portauthorizali
on information,
show np Displ
ays informati
on aboutthe network processors.
debug pix uauth Shows pix uauth debug messages

(iI)2008CiscoSystems,lnc lmplem enting FW SM fora Data CenterNetwork lnfrastructure 2-81


C reating ServerG roups

aaa-server AUTHIn protocol tacacs+


max-failed-attempta 2
1
aal-server AUTHIn (insidej host 10.0.0.2
key AAAuauthKey

- += @ ..
h: .' xt.
r websewer
e '*6
S#
, L. .
--x 19'90'
2Q0 I
6
.
1 #
outsi
deNetwork .
-. .#
.' * 19813a2,90/24 ;.
)K-. .
-
.#
.
%<<> Inslde Network
10 0 0.0/24
AAA Server

Thc aaa-servercomm and isused to identify the AAA serversbeing tlscd forauthentication.
whilethc aaa authentication m atch colnm and identitics thc sourcc and destination addrcsses
oftraftic thatnccdsto bc authcnticatcd.
Idcntify the AAA servers tirstby crcating the scn'ergroup, using the aaa-servercom m and.
aaa-server vver'el.u qrol
lpprotocol(kerberosjldapInt1radius1sdi1tacacs+l
aaa-serverParam eters

Param eter Descrlptlon


server group Specifiesa nam e given lo the servergroup.
kerberos p ldap I nt I Speci
fiesthesewertype.
radius t sdi ( tacacs+
Each scrvcrgrotlp islim ited to onc scrvertypc. TheCatalyst6500 SeriesFW SM contactstlle
lirstscrverin thc group.and ifitistlnavailable, ittricscontacting the rclnaining servers in
order.Ifa1iserversarc unavailable.the Catalyst6500 SeriesFW SM attcmptsto use thclocal
database,ifthc loeatdatabase isconfigurcd as afallback m cthod ofaulhenticalion.
Al-
teryou entcrthe aaa-servercolnm and.the Catalyst6500 Series FW SM takesyou to scrvcr
grotlp configuration modc whcrc additionalparamctcrs, such asm ax-failed-attem pts,can bc
sct.

Next.tlse theaaa-serverhestcom mand to definc thc serverand the servergroup to which it


belongs.
aaa-server s'el'b'e?'...gl
'llltp p'n/tata
/k
'
7cf? name)host.
%el.b'
e''J7g/ft7l'qgtimeoutseconds?

2-82 lmplementingCiscoDataCenterNetworkl
nfrastructure 1(DCNI-I):2.0 (D2008Ci
scoSystems, Inc.
aaa-serverhostParam eters

Param eter Description


server- group Specifi
esthe name ofthe AM serv'
ergroup as defi ned by the
aaa-servercomm and Each sen/ergroup is specific to one lype
ofserverzKerberos.LDAP.NT.RADIUS,SDI.orTACACS+.
(ntrea'face- name) Specifiesthe networkinlerface wherethe authentication server
resides.The parentheses are required in this param eter.
server ip Specifies the IP address ofthe AAA sewer.
key (Optional)A case-sensitive,al
phanumerickeywordofup to 127
characters.Spaces are no1perm itted in the key,butotherspeciaj
characters are perm i
tted.The key is used between the FW SM
and serverforencrypting data between them.
timeout seconds (Optional)Speci
fiesthe timeoutintervalforthe request.Thi
sis
the tim e afterwhich the FW SM gives up on the requestto the
primary AAA server.Ifthere i s a standby AAA server.the FW SM
sends the requestto the backup sew er You can m odifythe
timeou!intervalusing the tim eoutcom mand in hostmoda.

FtlllosviI'
lg tllisconlll3and.lllc FW SN'
1takcsyotllo hostI'ntlultzNvhereyotlcolltigtlrcadditiollal
Ilostlnodc paraluctcrs.stlch astlle accotlntillg portand atltlpcllticatiol'
tportto bc tlsctl.
Tlli.
rsalnplc llcturork sllow 11il:ll'
lc ligtlre hasol'
lc TACAC'S#scr:cr.

(t)2008CiscoSystems,lnc. lmptem enting FW SM fora Data CenterNetworklnfrastructure 2-83


S um m ary
Tlistopic stll
nlnarizesthc key pointsthatwcrc discussed in thislesson.

S um m ary
. The CiscoCatal yst6500 SeriesFW SM does nothave aphysicalconsole
port.
. SSH provides secure remote terminalaccess
* The ASDM GUIusesHU PS toaccessthe Catalyst6500SeriesFW SM .
. VpN- based access can be used to encryptthe managementtraffic.
ICVP toandfrom theCatalyst6500 SeriesFW SM hastobe expli citl
y
enabled,
* An interface can be dedi
cated form anagementaccess only.
> '
Access methods can be combined with M A services.
w M A can be used to authenticate users accessing servers through
FW SM ,
. AM canusea Iocaldatabase orand externalRADIUS orTACACS+
server.

2-8,
4 SmpfementingCi
scoDataCenteNetworkSnfrastructure1(DCNI-I):2.
Q (
l)2008CiscoSystems. lnc.
uesson3I

Im plem enting A C LS

O verview

Objectives
Upol)clllllpleting tllislessol).yotlu'
iIIbcablcto dcscribc al
ttlcollfigtlre ACLS011tllcCisco
tl'aralysl6500ScrieqFlk.
sM .Thfsability illcludt?sbeingabletf.
7l'
ncc!lllesctlbjectivbes.
'
K Dcscribc tllc Laycr2 liltcringoptiolls011tllc C'atalyst(A5()()SeriesF'SVSM
w Describe tllc stcpsrcqtlircd to collfigtlre M A(-addrcsslablc Inalliptlltltion
* Dcscribe the stcpsrcqtlirctlto colltigtlrc AddrcssResoltltiol)Prolocol(ARP)iIlspectioll
* Describethcstepsrcqtlircd to deploy cthertypc fi1ters
K Describcliltcring svitl!AC'LsoI)tlpc FSVSNI
w Dcscribetllttstcpsusedtocontigtlrcandvcril(y'ACL collt
igtlratiollalld opcratioll
C onfiguring Layer 2 Filtering
Thistopic cxplaillsthe nced forLayer2 filtering options,and dcscribeslyow to configurc M AC
addresstable manipulation,ARP inspcction,and ethertypeliltering.

T raffic Filtering on Layer 2


. Layer2 traffic is passed between the FW SM interfaces
Transparentm ode onl y
w Methods:
Static MAC address table entries
.
ARP inspection
Ethertype ACLS

MAc A
MAC B ' MAC A
MAC (; MAC D '

7. ARP
,
.4 ,
.s
,
-#
z
lr#
= za.
t,.;
.
:' Outstde Network
. Inslde Network
lpx-
.kl
.zww
,j.
'

-':
10 00.0/24 10.0.0.0/24

Ullauthorizcd accessto resourcesand information.diverting thc traffic to diffcrentdcstination,


andcompromising theresourcesavailabilitywith denialofsclwice(DoS)aresomeofthe
attacksthatcan also be triggcred on Laycr2.Spooting ofM AC addresscs. i
njectingruscBridge
ProtocolDataUnits(BPDUS),andpoisoningARP aresomeoftheexamples.
To protectand guard againstsuch attacksLayer2 tiltering isuscd. Laycr2 Gltering is
pcrformed upon Layer2 inform ation.such asM AC address, protocoltype.orM AC to IP
lllapping.

FW SM and Layer2 Security


Laycr2 attackspcrtain to thc Catalyst6500 SeriesFW SM i1)transparentmode ofopcration.
TllcCatalyst6500 Series FW SM offcrssecurity to bc implelncntcd on Laycr2 also with thesc
m cchanism s:
w Conliguring static M AC addresstable cntrics
K Deploying ARP inspection
. Usillg elhertypcACLS

2-86 ImpsementngCiscoDataCenterNetworklnfrastructure1(DCNI-I)42.9 (()22*8CiscoSystems, lnc.


C tlsto 1z11z1ng t1)e M A C A dtlress Ta b Ie
To guard againstMAC address spoofing:
. Add static MA(;entry
. Lowerthe MAC tabteagingtim er
. Disable MAC addressIeaming on untrusted interr
aces

0009 Tcbe 2100


l
< /# ooogx
zcbe.
zlaa Pw
k'w ! #
.. ,p.
-
z.
.- . xy
'
00097cbe2100
Outsl
deNetwoA C ' InsfdeNelwork
10000/24 :ZQ.
Z
005056c00001 -.
. n .
g#<f . 1
.0.000/24
lArm$
,
0016.76db c084

mac.address-table statfc outaide 00097cbe.210O


mac.addreas-eab le stavic outside 0050.56c0.0001
mac-address-tab le static outside 0nl6.76db .c0%t
mac-learn outside dtsable

Note Thisoperation pertainsonlytothe Catal


yst6500Serles FW SM operatinginthe transparent
mode.

@ 2008Cisco Systems.Inc. lmplementlng FWSM fora Data CenterNetworkInfrastructure 2-87


M A C A ddress Table Attack and Rem edy
M AC addressspoofing isused by attackcrs to divcrtthctraftic on Layer2. To assistin
guarding againstM AC spooting,these functionalitiescan be used:
* Adding a static M AC addrcssesto the M A C addresstable
* Controllillg thetim e a M AC address rem ailpsin thc M AC addrcsstablc by configuring thc
aging timcr
* Disabling M AC address learning on thc intcrfacesthatare nottrusted
W ith static M AC entricsconfigurcdsin casca clicntw ith tlle sam eM AC addressasa static
entry attem ptsto send trafticto an intcrface thatdoesnotmatch the static entry,theCatalyst
6500 ScriesFW SM dropsthe traffic and gcneratesa systcm m essage.

C onfiguring M A C A ddress Table Custom ization


The com m ands listed in the tablcare uscd to coniigurc thcpreviously lnentioncd
ftlylctionalities.

Configuring MA C Address Table C ustom ization Com m ands


*'
com m and Description
mac -addresa -table Adds a static MAC address to the table,I fa clientwith the same
atatic zctyerface name MAC address as a static entry attem pts to send traffic to an
mac- address - interface thatdoes notmatch the static entry.the FW SV drops
the traffi
cand generates asystem I og message.
mac-addreas-table Definesthetimeoutvaluefordynam icVAC addresstableentri
es,
aging-time The defaul
tis5veminutes and canbe setbetween5and 720 (12
t7meout
: va.
lue hours)minutes.
mac-learn Disabl es the dynamiclearningofthe MAC addressesofentering
interface- name disable traffic. lfdisabled.static enlries mustbe configured,otherwise the
FW SM oes notallow trafficto pass through.

Note Thesecom mandsare onlyavailablewhenthe Catal


yst6500Seri
es FW SM orcontexti
s
+
operating intransparentmode.

ln thecxalnplc,tlle figurc static M AC entriesarc configured in thc table fortlpe outside


intcrfaccto preventspooting ofthose M AC addrcsses.Additionally. dynam ic M AC lcarning is
disablcd to furtherstrengthen M AC address table sccurity.

2-1
% lmplementing CiscoDala CenlerNetwork lnfrastructure 1(DCNI-I)v2.O @ 2008 Cisco Systems, Inc.
E 11ab I1ng A R P Inspe ction
ARP spoofing preventi
on:
. controlARP packetsflow
* Compare MACIIP and soufce intefface tO staticenlry
e Perm ltordenythe packet

ARP Request
. w f ARPReqtlesl
.- KK
.j ' #/
yP ' '' wg
' okl
ts lnsrde Nelwork '
(r
)de()N0e/t wo4rk k
.
0
l0o0s9
t ()z
sc
6bexzl()() . 1 () 2 ..
mG$s
c$).()Ix 1 ,.:v....,..::.'u ....1
.,... 0.0
,.k .
0.
0/24
0016 76db (:084

arP outside 10.0.0.1 00:9.7cbe.2l00


arp-inspection outssde enable flood

Note ARP inspection settings apply to aI1bri


dge groups withi
n a context

@ 2008Ci
sco Syslems,Inc. Impl
emepti
ng FW SM fora DataCenlerNetwork I
nfrastructure 2-89
C onfiguring A R P lnspection
Thccomm alldsIisted in thc table are used forARP inspcction.

Configuring ARP Inspection Com m ands

com m and Descrlptlon


arp interface name Addsa stati
c ARP entry.
ip addres s ma-
c address

arp-inspection EnablesARP inspection.Theflood option (which isthedefault)


n terface name enable makes FW SM forward nonmatching ARP packets outaII
flood 1 no-
'- floodl interfacesasopposedtono-flood,whi
chresultsinthosepackets
beingdropped.

Note ln transparentm ode,the Catalyst6500 Series FW SM usesdynam ic ARP entries in the ARP
tabl e fortraffic to and from the FW SM ,such as managementtraf
fi
c.

To vcrify and cxam ine thc ARP inspection operation use thc show arp-inspection com mand.
Tlleoutputoftlliscomm and rorthe exalnple in thc figurc showsthatARP inspection isenabled
tbrthe outsidc ilpterface.and nonmatching ARP packctsarctlooded outallinterfaces.
fwsm#show arp-inspection
interface arp-inspection miss

outside enabled flood


inside disabled

2-99 lmplementingCiscoDataCenterNetworklntrastrtlcture1(DCNI-I)v2,0 @ 20()8CiscoSystems. lnc.


Eitl1ertype A C L
w Controlnon-lp and ARP Layer2 traffic perethertype
* Connectionless m ustbe applied to both interfaces

! t) BPDU
,... .p?
#*
x
* ;
.
..< .
#
#.
./' $ '' x/
x
.
-x- ...-. ARP(0xo806) ;'
t
.1pu -.-'--.'
fby.
..
Jm
t. otl
tsp key.
deNetwoi
' ;p'
r ,...2. :v.
'sz,lnsldeNetwork . kw
v't.f
x
q.l
i
10 0 0 0/24 100 0 0/24
access-list ETHER ethertrpe deny bpdu
accesa-list ETHER ethertype permit 0X0BQ6
I
accesa-group ETHER in inLerfaee inslde
access-group ETHER in lnterface outside

Note Ifyou use failover.you m ustallow BPDUS on both interfaces with an ethertype ACL to avoid
bridging l
oops.

()2008Cisco Systems.lnc. lm ptementing FW SM fora DataCenterNetwork Infrastructure 2-91


C onfiguring Ethertype Filtering
Enabling cthertype t'
iltcring isa lwo-step process:
Step 1 Contsgurc thcethcrtypeACL.
Step 2 Apply the contigtlred ACL to theinterfaces.
Thcaccess-listethertypecom mand configures an ACL thatcontrolstrafficbased on its
ethcrtypc.Thc /?(?x-???/???/?t??'paralncteris a 16-bjthcxadecimalnum bergreaterthan orequalto
0x600.RcfcrtotheAssigned NumberssectionofRF(.'176)4)(http://tools.ietf.org/lltlnl/rfcl700)
fora listofcthertypcs.
Thc access-group comlnand isused to apply thc ACL to an intert- ace in cithcringressoregrcss
direction.Traffic thatentersthc Catalyst6500 ScriesFW SM iscontrolled by an inbound ACL
on tllc sourcc interfacc.Traft-ic tl:atcxitsthe Catalyst6500 SeriesFW SM iscontrollcd by an
outbotllld AC L on thcdcstination intcrface.
In any case.to allow any traffic to enterthe Catalyst6500 SeriesFW SM , an inbound ACL
m ustbeattachcd to an intcrfacc;othcnvise,the FW SM autolnatically dropsa1ltrafficthat
entcrs thatinterfacc.
By dcfault,trafticcallexittheCatalyst6500 SericsFW SM on any interfaceunlessitis
rcstrictcd by an outbound ACL,which addsreslrictionsto those alrcady cont-igurcd in the
inbotllld ACL,
In thccxample in the t igure,the BPDU traftic isblockcd.whileA RPSarepennitted. The AC'L
isapplicd to both inside and otltside intcrfacesin the ingrcssdirection.
To vcrify and cxamine the ACL contiguration and operation use the show access-list
colnlnand.
fwsm#show access-list
access-list mode auto-commit
access-list cached ACL log flows : total denied O (deny-
flow-max 4096)
alert-interval
access-list ETHER; 2 elements
access-list ETHER ethertype deny bpdu (hitcount=o)
access-list ETHER ethertype permit 0x0806 (hitcount=4l4)

Note Formore information on ethertype values referto RFC 1700.

2-92 lmplementingCiscoDataCenterNetworklnfrastructure1(DCNI-!):2.0 (I)2008CiscoSystems. Inc.


C onfiguring A C LS

S tandard A C L
a ldentifytraffic perdestination address only
* Cannotbe applied to interfaces fortraffic control
* Used to controlredistribution ofOSPF routes

fwsm lconfigl#
access-list acceas ist name standard (deny Ipermit)
(any I ip address iaskl-
. Configures a standard ACL

accesa.list OSPF standard penmit 192.168.1.0 255.255.255.0

Note The ACL takes mask param eterinstead orwirdcards as on Cisco lOS routers

@ 2008CiscoSystems,lnc (mpfem entfng FW SM fora Data CenferNetworklnfrastructure 2-:3


Extended A C L
* Identify lraffic wi
th an entry perprotocol sotlrce and destinati
on IP
address,source and destination port.and ICMP type
. Connection-oriented
. Firstm atch,loptobottom orderofprocessing
* Im pli
citdeny
fwsm lconfkg)4
access-list acceas ist name Iline z:ne numberl (extended)
(deny I Permtt) protocoz pource address mask (operaeor portl
dest address maaA (operator por-t I iemp eypel (inactivel
. Configures an extended ACL
fwem lconrtgh.
access-group accesa zzar name (in I out) tnterrace
fnterface name
w Applies ACL to an intedace

Extcnded ACL ismadeupofoncormorcacccsscontrolentrics(ACEs).An ACE isasingle


cntry in an ACL thatspccifiesa perm itordeny rulc,alld isapplicd to a protocol. a source and
dcstination IP addrcssornetwork,and optionally thcsource and dcstination ports,
A11added ACE foragiven A CL nam eis appcnded atthe end oftheACL.tllllcss itisspecified
sv'itl)tl
:t,liI7c 11tlrrlt)cr.
Extcndcd ACLSareconncction oriented. .therefore.they do notnced to bcapplied on both
illcolning alld outgoing interfaces.

A C L P rocessing
TllcACL isprocessed untilthe firstm atch,from top to bottom . W hen the Catalyst6500 Series
Ye
FW SM isinspccting an ACL to dccide whctherto drop orfonvard apackct. the packctistcstcd
againstthc ACESin thcorderin wllich thcy arc listed. W hen an ACE matchcsa packct.the
Catalyst6500 ScriesFW SM ccascsto tcstthc ACES.Thcreforc. theordcrofACESin an ACL
isrelcvant.
AC L5llavc an im plicitdeny atthc end ofthc list.Thereforc, tlnlesstraffic iscxplicitly
pcnnittcd,itisdroppcd.

2-94 lmplementi
ngCiscoDataCenterNetworkI
nfrastructure 1(DCNI-I)v2.0 (()2008Ci
scoSystemsl lnc.
A C L Configuration
To tlcfine alld colltigurc :11)exlcnded ACL tlse tllcaccess-listextended antlaccess-group
colnlnalds.
Tllc access-listextendefltrolllllland adtls aI1ACIE to an AUL.

Param eter Description

access 2ist name Specifiesthe name ofthe ACL.


line .
1ne- nummber Permits entries to be inserted into the ACL.lfnotmentioned,new
entries are added to the bottom ofthe ACL.
protocc?.
l Specifiesthe protocolto match (forexample IP TCP User
Datagram larotocot(UDPI lnternetControlMessageProtocot
(ICMP),EnhancedInteriorGalewayRouting Protocot(EIGRP).
Generic Route Encapsulation (GRE).OSPF.etc).
sotsrce address Specifysource(desti nation)IP networkoraddress and mask.
aesr a3dress mask
opez-atror Specifiestheoperatorusedtocomparethepod number(greater
than (gtl,IessthanIItJ,equal(eq),notequal(neq),orrange).
povt Specifies the TCP/UDP portnumber
cmp -type Specifies the ICMP m essage type when ICVP packets are
matched.
inactive MakesanACR inactive withoutremoving i tfrom the ACLitself.
To re-enable a previousl
yinaclive ACE re-enterthe comm and
wi
thoutthe inactive keyword.

'I'l:caccess-group trontlllalld appliestllc collliguretlACL to an illterfacc i!1illgressorcgrcss


dircction.

M anipulating A C LS

Note Reordering ACES mightcause a drop in perform ance.

Q 2008 Cisco Systems,1nc lm plementipg FW SM fora Data CenterNetwork Infrastruclure 2-95


ontrolI-
1ng raffic fro Inside

web/MailServer
o** >.
1 192.!158.11
)()
DMZ
192.168 1.0/24
lac sv'rp
. su'rp .
Ir
verrlet .
Y '
jp jcup .
Outsrd. ...- 4.Network
1*8.1:
30.
219.0/
21 $0.
4.1.
:/24

lre*ss-lflo corp lin@ 5 lxtlnd*d deny tcp any any lq trc


acc*ss-lilt corp lin@ l lxtended permit tcp any ho/t 192.16:.1.1: eq mxtp
acceas-ltat covp liw* 15 extended deny tcp lny any eq mhtp
access-ltst corp lin. 20 extended p*rmit ip Rny &ny
acceal-li8t rorp lin. :0 extended perptt lrmp lny any
I
aeceza.group Qorp in tnterfaee inaide

In thisexam plc,thetrafficisbcing inspectcd whcn itentcrsthe insidc interfacc. ifitwas


initiatcd in thc inside segm cnt:
w A1llntcrnetRclay Chat(1RC)trafficinitiated from the insidescgmentfrom anysourccto
any destinatiollisdroppctl.
. Simplc M ailTransfcrProtocol(SM TP)trafticdestined to the web/mailscrverat
192.168.l.l00 on the dem ilitarizcd zone (DM Z)froln any source ispcrmitted.
w A1IothcrSM TP traffic isdropped.
. Allthc IP and ICM P traffic ispcrmitted.
Sincc extendcd ACLSareconnection-oricnted thc rcturn SM TP traflicfrom the wcb/lnail
serNrerin thc DM Z.aswellasal1othcrIP traffic from DM Z and outside segm entsarc also
pcrm itted.

2-96 lmpl
emenlingCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.D ()2D08CiscoSystems,lnc.
ontro II-
1ng T raff-
1c fron) th e
vz... W eb/MallServer
..QX j92 168 j100
DMZ Inc ottwrlp
192 168 10/24

p '
lntemet ' ' f
t:,. IcMP .. '
..

Outside
b
''...' -'lrtide Network
. p
198.133.219.0/24 10 0 0.D/24

acceaa.list server llne 5 eptended eny tcp &ny any eq irc


aeceaa.list sevver line :0 extended permit tcmp any any
I
access.group aerver n interflce dmz

()2008Cisco Systems.lnc. Implementing FWSM fora Dala CenterNetworklnffastructure 2-97


Controlling Traffic from utside

XQ' wewvarlserver
< 1:21s8.!.1oo
DMZ
192 168.1.0224
SMTP Www
,CMP .
.eh Intemet ''
',
k I /
R ..>..8J n' .
Outsrde ''. eNetwork
1* .133,219.0/24 10.0.0.:/24

accesa-kie: public linq 5 extend@d plrmit tep any homt 1:8.133.:19.25 eq www
aecesp-liy: public linl 10 axt*nded pqrait tcp lny hoat 19:.133.219.:5 lq lmtp
acceay-list public line 15 @xt@nded permit teap ahy wny
acceas.group public tn interflc. outsid.

ln thisexam ple,the traffic isbeing inspected when itentcrsthe outsidc interface,ifitwas


initiatcd in thc outsidc segmcnt:
. HTTP traffic destined to the web/mailservcrin thc DM Z ispennittcd.Thc servcris
translated into thc public IP address l98.133.2l9.25 towardsthe Internct.
* AI1ICM P traftic ispcrm itted.
* AllothcrIP traffic initiated by the clientsin thc Internetis dropped dueto implicitdcny.
*

2-98 lmplementingCiscoDataCenterNetworkInfrastructure1(DCNI-I)v2.0 @ 2008Ci


scoSystems.Inc.
E IR1)anc 1ng E xte nded A C Ls
. Tim e-based Acl-s--use time range to controlACL usage
* Controlling ACL Iogging with Iog opti
on
fwsmlconfig)#
time-range name
fwsm tconfig-time-rangel#
periodic days-of-the-week eme to ldays-of-rAe--eek) tme
absolute start tme date (end eme datel
. Configuresa time range
fwsm tconfig)#
access-list access zst name (extendedl (deny 1 permitl...tlog
(lieveil (tnterval-pecs-l I disable I defaultll Itime-range name)
@ Enables logging ortime range perentry

Tim e-B ased A C LS


A tilnc rallgc cal)beapplied to tlle AC E to sclledule llc A(.'E to bcactivatcd atspecific lilnesof
tllctlay alltlvctlk.M tlltiplc lilncl'
:tllgescan bf
cdetilled.
Thccol
nlnandslistetli!)the tablc aretlsetlto tleploy tilne-bascd AC'I.
-S,

Tim e-Based A CLS Com m ands

Com m and Description


time-range name Speci
fiestherecurringtime range perweekday (Monday through
periodic days-of-frhe- Sunday.dail
y,weekdays,weekend)and timeoftheday.
wreek trjme to (dayes-of-
the-w'eek) rme
time -range name Specl
fies an absokute startand end tim e.
absolute start rime
date (end tzme date)
access-list Appli
esthe confi gured time range when an ACE is created The
access J.s tr name speci
fied time-range option on ACL describes the allowed access
Iextenzed) '
tdeny i time.
permit)...(time-range
nanlel

Note lfa time-range com mand has both an absolute and periodic values specified.the periodic
option is evaluated only after!he absolute slar'
ttime is reached and is notevaluated any
fudherafterthe absolute end lim e is reached

(
l)2008Cisco Systems.lnc. Implementl
ng FW SM fora Dala CenterNetwork Infraslructure 2-99
A C L Logging
By defaultthcCatalyst6500 SericsFW SM generatesthe systcm log lncssagc 106023 forcach
packetdenicd by the extended ACE exceptforthe implicitdcny atthe end.
tXXX-l06O23 : Deny protocol src
(interface name:source address/source- port) dst
interface -
name:dest ad-
dress/dest port (type (string), code
(codel) by access-group acl-id
lfthc Catalyst6500 SericsFW SM isunderattack,thc numberofsuch system log mcssagesfor
dellicd packctscan be vcry large.To rclievc the Catalyst6500 ScriesFW SM from that
ovcrhcad burdcn.the Iogging ofsystcm mcssage I06loo- which providesstatisticsforeach
AcE--cotlld be cnabled,and lim itthcnumbcroflnessagcsproduced.
%XXX-n-106l00: access-list ac1 id (permitted I denied)
protocol interface name/source addresslsource- port) ->
interface name/des-
t addresslde-
st port) hit-cnt number (tfirst
hit p numier-second-intervall) -
Altcnlatively,logging can be disabled.This isachieved by the Iog optionsofthe extended
access-listcomm and.
access-listaccess /J'
.
5'/ ?;t???7cgextendedl1deny jpermit#...Elog gg/cTv/q(interval'
tx.
.)j
disablejdefaultllgtime-rangename?
Tllctable tlcscribcsthe logging parametersofthe access-listcom mand.

access-listextended Iog Param eters


Param eter Descrlptlon
2evel
. Defines the Iogging Ievelfrom 0 to 7,6 being the default.
knterval secs Specihes 1he time inlew albelween successive 1og messages,
from 1 to 600 with 300 being the defaul
t.
disable Di
sablesaIlIogging.
default Enables logging to messages 106023. The sam e i s achieved
withoutspecifying any Iogging option fora parli
cularACE.

Note W hen using tim erange and Iogging optionsinthe sameACE,thelog keyword should be
configared before tlm e-range keyword.Ifyou disable the ACE using the lnactlve keyword,
use the inactlve keyword as the Iastparameter.

Forftlrtherinfonnatiollaboulthe logging optionsfbrACLSreferto thc FW SM conf-


iguration
doctllnentation.
Tllcse behaviorscan bcset:
* Enable lnessagc l06I00 illstead ofm cssage I06023
K Disable a1llogging
* Rettlrn to t!
4c dcfaultlogging usilhg message 106023

2-100 lmplementingCiscoDataCenterNetworklnfrastructure 1(DCNI-I)72.0 @ 2008CiscoSystems. Inc.


1 e ange E xam ple
. % .x W eb/Mai!Server
..r
Q 192 168 1 100
DMZ
192.168 10/24


Internet ; 4.
c l #
'. #
l2ck .
-
Outslde Net 7./t4/-' rz.yJ de Network
198.133.219.0/24 10.0.0.0/24

time-rlnge weekdays
periodsc weekdays 8:00 to 17:0:
1
accesn-list outside in extended permit tcp >ny any eq www time.range weekdaya
access.group outsie tn tn tnterface outsde

@ 2008 Cisco Systems.Inc. (m plementing FW SM fora Data CenterNetwork fnfrastructure 2-101


PrlyIng
'wam#ahow @ccess-11st
Rree:s.lilt mod* auto-c --it
ecceee-list clched hCL log fowel totel 0. d*ni*d Q (deny-:lov-mlx 4Q96)
alerT.interval 300
Rccese.liat covp; 5 elemente
aceese.ltat corp ltne 1 extended deny tep any eny eq irc (hitd>tw234) ;xcf6d73fl
accees.list corp lkne 2 exTended p*rxit tcp any host 19:.16:.1.100 lq amLp
(hitcnt-lso) 0x::dal4;b
aecesy.liat corp lins 3 exeended d*ny tcp lny any eq sotp (httcnteo 0x90:9*05.
accela-tiao corp ltne 4 ext*nded permit tp @ny lay (hitcnt.34671 0x48314491
lcceas.liet corp lkne 5 ext*nded parmt: iexp any any thitcat-a3l 0x:4cbn$46

. Verifies thatACL isidentifying the traffic

fwsmtconfigl#
debug acl config
debug acl error

*Troubleshootthe AC LS

To vcrify theACL contiguration and operation use the show access-listcom m and. The
com malld showsthc dctailcd ACL inform ation cntriesalong w ith the hitcounts.
To pcrfbrm trotlblcsllooting ofthe ACL configuration.usc the debug com mands listed in the
tablcw ith caution so asnotto overwhelln thcFW SM .

Tim e-Based ACLS Com m ands

com m and Descrlption


debug ac1 con fig Showsdetailed inform ationuponan ACL bei
ng updated.
debug acl error Shows detailed i
nformation ifan erroroccurs when an ACL is
updated.

Thisoutputshowsdetailed information upon adding an acccsscontrolentry to a crop ACL.


fwsm/admin lconfigl#access-list crop extended permit tcp any
any eq 53
Hash Input : crop extended permit 6 any any eq Hash Output :
0x 5a4236 97
fwsm/adminlconfigl#
add acl style rule in tree
Source IP = 0.0.0 .0, Source Mask = Dest IP =
O.O.O.Q? Dest Mask = 0.0.0.0
Source Port l Ox0, Source Port 2 0x0 Source Port
Operand = 0
Dest Port l = 0x35, Dest Port 2 = OxO, Dest Port
Operand = 3
ACL Number = 2, Protocol = 0x6 Perm ission = l
ACL : alloc counter ; Treeld=o, Rule Type=lo; Start Index=2054;
End Index=l2686
Allocating Counter Index : 0x80b

2-192 lmplemenli
ngCiscoDataCenlerNetworkt
nfrastructure1(DCNt-!)42.9 (
I)2:()8(JscoSystems, lnc.
FW ID ED Mask = Oxfff
Source Interface Mask
oxfff
Source IP Value = 0x0, Source IP Mask = Oxffffffff
IP Value = Ox0, Dest IP Mask = Oxffffffff
Source Port 1 = 0x0, Source Port 2 = Oxffff
Dest Port 1 = 0x35, Dest Port 2 = 0x35
Acl Number Value = 0x2 , Acl Number Mask = Oxffff
Protocol Value = 0x6 Protocol Mask = Oxff
CLS Flag Value = 0x8/ CLS Flag Mask = 0x8
CLS Flagl Valtle = Ox3, CLS Flagl Mask = Ox3
CLS Cotlnter Index = 0x80b, CLS Priority = 128849031
Signalled CLS Download Thread
add acl style rule in tree : ACL Rule Added
New flag equal to o1d one
o1d = 0x0 , new = Ox0
Compilation NOT forced by 'updateRuleFlags '
Fixing ACE Index - O1d=l, Newrl
Fixing Rule Priority - 01d=128849031, N2w=128849032
ACE line number changed from 1 to 1
Rules Download Complete : Memory Utilization : 1%

@ 2008 Cisco Systems,I


oc. Implementl
ng FW SM fora Data CenterNetwork jnfrastructure 2-:03
Catalyst6500 Series F S CL peration
. Comm itted to NP afteradding entry tltilizes system resources
(can hitIim it)
fwma#aHow rqaouree rule
Default Coneigur@d Abaolute
CbS Rul. Lai; Ltmtt Max
Policy N*T 283 :%1 B33
XCL 17633 10633 19$3:
PlNer 125 42B 85O
'ixup 1117 1417 :634
Est Ctl 70 70 7:
Eat Data 70 70 70
hhA 992 992 196*
Cpnlol; 283 293 566
Total 14173 14173
partition Limt . Coneigured Limit - Kvaillbl. to *lloclt.
14173 * 14173 - 0

'wam#ahow reaourc. ulage


Reaource Current Peak Limit D*>i*d Contexe
Mec.addreamls l 2 65535 B bridg@
Telnet I l 5 0 lyatem

TheCatalyst6500 SericsFW SM activatestheA CL by comm itting itto the network processors


a shortpcriod oftilnc afteran ACE isaddcd. Ifin the processofcomlnitting thc ACL,a ncw
ACE isadded,thccurrcntproccss isaborted and at- terwardsthc ACL isrccomm itted.
Aftercom m itting the ACL sugcessfully,thc Catalyst6500 ScricsFW SM displaysa mcssagc
similarto thisonc:
Access Rules Download Complete : Memory Utilization :
LargerACLS(tbrexamplc,60K ACEs)can takeupto fourminutestocol
nmit.
AC L System Resource Utilization
ThcCatalyst6500 Serics FW SM supportsup to a maximum num bc. rofACESforthe entirc
systcln depcndillg ofthecomplexity ofACL,which is influcnced by the portrange numbcrs
and ovcrlapping IP addrcssesused (forexample,l0 0.0.0/8and I0.1.0.0/16).
.

UsinganobjcctgrouprcducesthenumberofACESinthecontiguration,butmaintainsthe
sam e numberin thc expanded ACES.which cotlntstowardsthc systcln lim it.
The nulnberofcxpanded ACEScan beobserved tlsing theshow aceess-listcom mand.
Ifa melnory Iimitation is reachcd.the Catalyst6500 SeriesFW SM producesan errorand
systcm log m cssagc (I06024).Along w ith tllat.aIltllc ACLSthatwcrc bcing com m itted to
network proccssorsare rcm ovcd.Only A CLSthatweresuccessfully comm itted in the prcvious
com m itlnentare used.Thus,pasting l00 ACESw ith only thcIastACE cxceedingthe melno:y
lilnitationresultsinall100ACESbeingrcjected.
Thedcfaultlim itforthe lpulnberofACESis74,188 forsingle contextand l0.633 pcrcontextin
lnultiplccontcxtmode.
To cllcck thcdefaultresourceallocation.use theshow resourcerule comm and. To check the
currclltresourcc tttilizatioll usctheshow resource usage com mand.

2-104 ImplementingCi
scoDataCenterNetworklnfrastructure1(DCNI
-I)v2.
0 @ 2008CiscoSystems. Inc.
om par1n g t13e L T ypc4s
. ,! #. ..; .:.;,jp.

(P trafficnelwork access I
control(routedand Exlended iAItt
perraf
mltf
ti
cdr
ed sap
by lowed
an ACLby
ondef
F-Waul
turtless
SM
lransparent) :
AM rtlles lraffic pdentlscation E/ended Idenlify traffic forAM rules
IPtrafhcnelwork access IE xten
from ded(downl
AAA oad 'Dynaml
cACLdownl oad$7eruseffrom
.serverper
controlperuser l CRADIUS serverorusage ofpreconsgured
.user) lACLc)nFWSM perqamesentfrom server
Ildentkfy bcaltfafficfortranslation per
tdenbfyaddressesforNAT Extended seurcearld destioation addressesfor
rxllpcyNAT
Modularpolicy traffic szwnaoa ;Identifytraffic irla classmap. which is
ldentlficatlon prl(rafficclass ------- 'used forfeaturesthatsupporlmodtllar
map Ethertm e pop.cyframework
Noc-lp trafficnetworkaccess 'Cofnfigure anACLthatcontrolstraffic
control(transparent) Ethedype lbasedondsethertype
ldentlfyOSPF fotlle Slandard Contrt)lthe redlstnbutltm ofOSPF rotltes''
redlstrlbutltm 'O3lydesklnatponaddresBpdentlfied

Q 2008 Ci
sco Systems,Inc. impl
ementl
ng FW SM fora Data CenterNetwork Infrastructure 2-105
S um m ary
Thistopic stlmm arizesthe key pointsthatwere disctlssed in thislesson.

S um m ary
. Layer2 filtering is used to preventMAC-and ARp-rel ated attacks.
* Layer2 filtering can be used in transparentmode only.
w ACLS are used to identifytrafficperdifferentparam eters.
w A tim e range can be applied to ACLS to controlthe activation.
. The Ci sco Catalyst6500 Series FW SM processesACLS in
hardware.

2-106 lmplementingCiscoDataCenterNetworklnfrastructtlre 1(DCNI-I)v2.O @ 2008GiscoSyslems.lnc.


Lesson41

Im plem enting C ontexts

O verview

O bjectives
FW S M V irtualization O verview
Thistopicidentitiestlw virtualization ofthe Catalyst6500 Series FW SM with contexts.

C oncept of V irtualFirew alIs


Logicalpartitioning ofa single FW SM into multiple Iogicalfirewalls
Logicalfirewall= security context
Licensed feature(defaul
ttwo contextsl:
.-
License for20,50,100,and 250 contexts

Policiesand management
IPaddressspace(canbereusedbetweencontexts) ,.
Operationalmode(routedortransparent) e ''
SetofVLAN interfaces
Resouxe usage

Virttlaltirewallsprcsentlogicalpal-titioning ofa single physicalCatalyst6500 SericsFW SM


into multiple logicalfircwalls.A Iogicalfircw alliscallcd sccurity contcxtforvirtualfircwall).
Scctlrity contextsallow adm inistratorsto separate and secure data centersiloswhile providing
casy m anagelncntusing a single system.They loweroverallmanagcmentand supportcostsby
hosting m ultiplcvil-ttlalGrew allsin a singledevice.

Security Contexts O verview


ThcCatalyst6500 SeriesFW SM callbe partitioned into multiplevirlualt irewallsknown as
sccurity contcxts.By dcfault,two sccurity contcxtscan bccreated on oncCatalyst6500 Scrics
FW SM .To deploy m orecontextsa specialliccnsc isavailable for20.50. 100,and 250
concurrentsectlrity contexts.
A systcm contiguration filecontrolsthc optionsthataffectthe entire modtllc,and detincs thc
illterfaccsthatare accessiblcfrom cacllsccurity contcxt.
Tllc systcm configtlration tilecan also beused to configure resourcc allocation param ctcrsto
controlthcalnountofsystem resotlrces thatare allocated to a conlcxt.
Controlling resotlrcesenablesm ultiplc delnilitarizcd zones(DM Zs)and scrviccdifferentiation
ctasscs(gold,silvcr.artd bronze)percotptextfordiftkrentdatacenterseglumhts.
Each individtlalscctlrity contcxthas its own security policics,interfaccs.and administrators.
Each contexthas a scparateconfiguration filethatcontainsm ostot -the dcfnition statelnents
fbund ina standalonc Catalyst6500 SeriesFW SM configuration filc, Thisconfiguration iilc
colptrolsthc policicsforthe individtlalcontext, including item ssuch asIP addressing,Nctwork
AddressTranslation(NAT)andPortAddressTrallslatiol)(PAT)definitions,atlthentication.
atltllorization,and accounting (AAA )definitions.trafticcontrolacccsscontrollists(ACLs).
and illterfacc security levels.
2-108 lmplementlngClscoDataCenterNetworkInfrastructure 1(DCNI-I)v2.O ()2008CiscoSystems,lnc.
Note Intel
-faces can be dedi
cated to a si
ngl
e conlextorshared among many contexts.

Note Keep in mind thatcertainfeatures,Iike Open ShodestPath First(OSPF)and Routing


Information Pfolocol(RIP)rouling.arenotsupported inmultiplecontextmode.

(
Q 2008Cisco Systems,lnc. fmptementing F'
W SM fora OafaCenterNetworklnfrastructure 2-109
U sing M u Itiple C ontexts
. Multiple contextswith own interfaces
. Mandatory fortransparentm ode
# c :: '
.z z

- .
i< '''' .
s':
.
,
.e .
E:
.. ..
.... I r . ' W eb l,ttm q
. Servers *'

.::. .-1 Appli


cati
onp '
cam pus .77
..-
'*' .
. .-!.
ty. <n
<.- --- . . .
'
J
sut!lt,rA/jl;
rj. .
r.
:
-
y
-
,
y
) x .
.p .
)
y..:.,, .
M Servers *
7
1<L;
7'
.
.
'

Thc figurc showsa Ilctwork with m ultiple contextsdcployed. Eachcontcxthasitsown


intcrfaces.
Tl
lisnetwork topology ism andatory whcn thcsecurity contcxtsarc operating in transparent
modc.
ln a transparentm ode,a single contextcan have up to eightintcrt-
acespaircd in differcntbridgc
groups.
M ultiple contextsallow deploymcntofactivc-active failoverfunctionality asan alternative to
cxisting active-passivc failover.

2-110 ImplementingCiscoDataCenterNetworkl
nfraslrtlcture1(DCNI-I)v2.0 @ 2008Ci
scoSystems, lnc.
'
*
d

Using M uItipIe Contexts (Cont.)

ISP A V'
SQ * -
. .. .
.->
lSP B V2 -Q * < .
- tU '
-
Extranet . 27
.-
'
:!; .
-- campus
; j w.
y
''''' *
'
,
'-
(
.
l
-
g
..
--.
y, .

j !
11jl!
..

q
.
:.#'.:yz Ar ;.:zsiy
..

@ 2008ClscoSystems,lnc. Implem enting FW SM fora Data CenterNetworklnfrastructure 2-111


Sharing an Interface A m ong Contexts
. A single interface is shared among contexts.
* Cascadi ng ofthe contextson a single physicalFW SM is not
supported.
. Only routed mode is supported. 9. z .z a
' e
jw- , Y
. 1 wo, ux :
'
o.. arv rs
? .q
Campus -1 Appjjcatjon.
N'* .

Nell rk . ..
-.
- .!ewe
'
.
rs '
., V. '
.
. l .-- Database l
we
s Ser
.
vers - >
(
k. -

Security contextscan share thcsalnc interfaceas shown in thc tigure.


Onc physicalCatalyst6500 SeriesFW SM isconnected to the cam pusnetwork alld to three
diffcrentdata ccntcrnctworks.The Catalyst6500 SericsFW SM ispartitioncd into threc
security contcxts,and each ofthe sectlrity contcxtscal)bc managed separately.
Thiskind ofconfiguration can beused inthe data centcrto conncctm ultiple separatc server
seglnelltsin a m ultitierdesign:
* Front-cnd tier,cncom passing thc web servers
K Application tier,cncompassing the application servers
* Back-end tier,encompassing thc database scrvcrs
Each sccurity context,and thus ticrshasitsown security policy.

Note This can be used only in routed mode ofoperation.

Note The Catalyst6500 SeriesFW SM doesnotsupportsharing the outsideinte/aceofone


contextwiththe inside interface ofanothercontext(knownascascadi ng contexts).Tragic
thati
soutbound from onecontext(from ahigherto a I owersecuri
tyinterface)canonlyenter
anothercontextasinbound traffic (Iowerto hi
ghersecuri
tyl'
.i
tcannotbe outbound forb0th
contexts,orinbound forbolh contexts.

2-112 lmplementingCiscoDataCenterNetworkInfrastruclure1(DCNI-S)42.0 Q 2(08CiscoSystems, lnc,


IP Packet C Iassifier
. A single interface isshared am ong contexts.
. Packetcl assification determ inesthe correctcontext.
''
p;',; 'pkl'c..

SourceVLAN e
l- *eb .
7i
,
''
-. servers
.
e
campus
Network
l*
k- Application 'l'p.
..- Servers
Destlnatlon IP . 1 xw--. oatabase ,. e
->..
e'''
( Servers 8' .:

Classifying Packets W hen Sharing the Interface

@ 2008Clsco Systems,Inc. Implem entlng FW SM fora Data CentefNetwork Infrastructure 2-113


Kcep i11lnind thatpacketclassification requircmentsm ightmake sharing intcrfaces impractical
blxause the classitierreliesot!aetive NAT sessions to elassify thedestination addressesto a
context.Thus.theclassit ierislilnited by how N AT isconfigurcd.

Note AIItrafric m ustbe classi


fied,including trapic from inside networks.

These configurations arc notused forpacketclassification:


* NAT exemption.because itdocsnotidentify the mappcd (sharcd)intcrface.
* Rotlting tablc,becausem ultiplc contextsm ighthave routcsforthe same dcstination
network poillting lo differelltncxthops.

2-114 Implementi
ngCiscoDataCenterNetworkInfrastructure 1(DCNI-I)72,0 @ 2008CiscoSystems lnc,
M 1x 1f)g F 1revqaI1M o df.
ls
* Each contextcan be in transparentorrouted m ode
> Independentofothers(FW SM 3.1onwards)
w Do notshare interfaces between transparentand routed contexts

Outslde Outside Outspde Otltslde

.;
' nugj
# DMZ1
...
'
.
' t(s '' q ouza
Inslde Inslde Insrde Inslde
rWsMtconfigl#lhow context
Context Naoe Class lnter'aces Mod. URL
*admin defau't Vlanlo Roueed dtskq/adain cfq
taternell default V1anlQ5,Vlan50 Routed disk:/tntl.cfg
ineernalz default Vlanl06,Vlan5l Trlnsparent diak:/intz.cfg

(I)2008ClscoSystems,Inc. lmplem enting FW SM fora Data CenlerNetworkInfrastructure 2-115


S ingle vs.M ultiple C ontext M ode:
Feature Lim itatio ns

AAA servers 16 4 percontext


Fai
lover
moni intedace
toring 256 256;divl
ded between alIcontexts
Filtering sewers 16 4 percontext
Security contexts N/A 100 (v2.3 based onIicensl
ng)
250 (v3.1based onIicensing)
Sysl
og servers 16 1 4 percontext
'
vtAs interfaces (
' 2s6 peroontext; '''
-
-

(
routedmode) 256 jjooodj
vi
ddqetweenaI1contexts
e
.-. . .

VL
(traAN
nspi
n
at
re
er
nfa
tcesde)
mo 8(4pairs) 1
j 8(4pairs)
I

The table dclailsthc feature Iim itsforthc Catalyst6500 ScricsFW SM in both singlc and
m ultiplccolltextm odc.
Thc mostimportantfeaturcsare:
K Upto 255sccuritycontextspcrFW SM (licensc)
K Numbcrofinterfaccs:
256intcrfaces(VLANS)pcrsccurity context
M aximum IO00 interl-
acespcrFW SM physicalm odule

2-1!6 lmplementing Clsco DataCenterNetworklnfrastruclure 1(DCNI-I)v2.0 (


l)2008CisooSystems,lnc.
S 1nC
Jle vs .M u Itip le C o ntext M o cle:
R cso urce L 1IM 1tatio ns

MAC addresses 65.


(transparentmode) 535 65,535divided amongaIIcontexts
Hos
th ts connecting 262,144 divi
ded among afI
rough FW SM 262,144 contexts
concurrently
Inspecti
on engine
connections, 10,000 10,000 di
vided among alIcontexts
persecond
Ipsec management 5 Percontext'
I
connections
concurrently 10 divided among aIIcontexts
ASDM m anagement 5 Percontext'
,
sessions
concurrently 80 divided am ong a(Icontexts
NAT translations 266,144 2661144 di vided am ong al1
contexts

(
Q 2008ClscoSystems.lnc. Implementing FWSM fora Data CenterNetworkInfrastructure 2-117
'

Single vs.M ultiple C ontextM ode:


Resource Lim itations (Cont.)
#; : ' : 7 * z '

SSHmanagement
connections
5 j 5perconteM
System messages to
FW SM term inalor 30,000 100 divided amongaIIcontexts
bufferpersecond
System messagesto 1
sy
pes
rls
oe
gcs
oenr
dver 25.000 j30,000di
vldedamongaIIcontexts
TcP .- ... y......-..
.....,

orUDP
connections between 999,900
j
I
anytwo hosts 25,000divided among aIIcontexts
1
concurrently 1
NewTCPorUDP '1
connte
any wct
ionsbetween 100,000 1 999,900di
videdamongaII
o hosts I
1 contexts
p4rsjcoqd j

Because PAT requiresa separate translation forcach collncction. tllc cffcctive lim itof
conncctionsusing PAT isthetranslation lim itof256.000,notthc higherconnection lim it. To
reach the conncction lim it,you nced to usc NAT.which allows multiplcconnectionsusing thc
sam e translation session.

2-118 lmplement
ingCiscoDataCenterNetworkInfrastructure1(DCNI-I)v2.
O C)2008CiscoSystems.lnc.
C onfiguring FW S M C ontexts
'1'1)istopictlescribesCatalyst6500 Scrics FW'SM colltcxtcrcatioll.

V 1rtua IF 1rew a1IO verv1ev4


* FW sM -wide configuration is stored in flash:/system .cfg
Context-specific configurationsare stored in flash orrem ote
storage
fwsm(configj#p contextHierarchy
changeto context n,
ame
changeto system
System ExecutionSpace;
*Switches to anothercontext 'sessionslotnumbetr
RootContext
orsystem space
.d '

! )31i'
:@' '' B
AdminCcmtext
Remote roolaccess

Securl
tyConlexts
SSFI,Telnet.lpsec.ldTTPS

Note There is no policy inheri


tance between contexts.

System Execution Space

@ 2008CiscoSystems.lnc. Implem ending FW SM fora Data CenterNetworkInfrastructure 2-119


A dm in C ontext
Theadmincontextisjustlikeany othercontcxt.exccptthatwhenauserlogsinto theadmin
colltcxtithassystem adm inistratorrightsand can accessthe systcm and allothercontexts.
Thc admin contextisnotrestricted in any way and can bcused asa rcguiarcontext. Howevcr,
bccatlse logging into thc adm in contcxtgrantsyou adm inistratorprivilcgcsoverallcontexts,
ytlum ightnccd to restrictaccess to the admin contcxtto appropriatcusers.Theadm in context
111t1strcsidc on tlash m emory.and notrelnotely.The interfaccsallocated to the adlnin context
arc tlsed by lhcCatalyst6500 SeriesFW SM forany trafficcreatcd by the FW SM . such as
syslog messages.The adm in contextcan also be used to provide rcm ote accessformanagement
orthc cntirc FW SM .
Ifyoursystcln isalready in m ultiple contextm odc.orifyou convcrtfrom singlcm ode, the
attmincontextiscreatedautomaticalty asdisb:/adtttin.fz
lk tile.Thiscontextisnamed Ssadlnin.''
If'you do notwantto useadm in,cfg asthe adlnin contcxt.you can changc the adm in context.

Note The adm in contextis a mandatory securitycontext.

A ccessing Contexts
Uscthc session colnlnand to connectfrom thc Cisco Catalyst6500 ScricsSwitch lO S Sotlw are
t()thcsystem execution space ofthc Catalyst6500 ScricsFW SM .
Uscrswho log in to the system exectltion spaccorwho log in to the adm in contextrem otely
cal)tlsc thc changeto com mand to accessany contextwithin thc Catalyst6500 SeriesFW SM .
Individtlalcontextscan also beaccesscd with thc stalldard managem entm cthodsofSecure
Shell(SSIl).Tclnet,Ipsec tunnels,and lITTPS PIX DeviccM anagcr(PDM )sessions.
W itllina sccurity context,the startup-contig file isused to referto the contiguration tile forthc
sccurity contcxt.

2-129 lmplemenli
ngClscoDataCenlerNetworklnfraslructure 1(DCNI-I)v2.O (
I)2D08Cisco Systems,lnc.
Note The ASDM does notsupportchanging m odes so you need to change m odes usi
ng the
cor
nmand-li
ne interface (CLl).

Note The m ode m ultiple com mand sets mode inform ation thatenduresthrough reboots, '
however,this m ode information is notstored in the system configurali
on file in flash
memory.

@ 2008 Cisco Systems.Inc. Impjementlr!g FW SM fora Data CenterNet


workinfrastructure 2-121
S stem Configuration
Configuration statem ents
'
lnclude,
.
w
Iodeaultipl.
Rdoi@eO/ak*xt ***:G
. Failoverconfiguration con e.x
all tltat
pc hnt
e- n fwce Vlanloo
int*r
* Resource allocation Icon'tg-urldtykT/edmin.c'g
vw ntaxt a
* Adm in contextnam e llloclte-interzac.vzanzc
llloclte-knterzac. VQlall
eonfig-url diakt/cuytl.c'g
fwsmtconftgj# -'
ldmin-context rame
wSets the contextto be admin ,

z 4 *
.
;
..
)
t.
,B.g;.
;
J
*').'

System ExecutionSpace

Tl
lcsystcln.cfg tile storesconfiguration statcmcntsthataffcctthe Catalyst6500 SeriesFW SM
asaq'holc.
Failovcrfunctionsarc notvirtualized and,thereforc,failovercollfiguration statcm entsare
colltaillcd in system .cfg.
Tllcsystem spacchascontrolovera11contextssystcm .
K Crcatesadlnin contextGrst
* Creatcsscctlrity contexts
w Assignsinterfaccsto contexts
Thtlstlle system .cfg GIe also hasconfiguration statem cjltsthatdetine the individualcontcxts,
alld allocatcsrcsourcesto them ,
Up to 250 VLANSare assigned to a contcxt'
,physicalinterfacesare controllcd by the
MtlltilaycrSwitchFcatureCard (M SFC).

A dm in Context
You can sctany contextto be the admin context.aslong asthe colltiguration tile isstored in
thc illtcrllalflash m cmory.
Tlcadlnin contextisdesignated with thc adm in-contextcom mand.
Changing the adm in contcxtterminatesany rem otc Inanagcm cntsessions. such asTelnet,SSll,
()1.lITTPS.Thcy have to be reestablished in thcncw adm in contcxt.

Note A few system comm ands identify an interface nam e thatbelongs to the admin context. lfyou
change the adm incontextandthatinterface nam edoes notexistinthe new admincontext
be sure to update any system commandsthatreferto the interface.

2-122 lmplementi
ngCiscoDataCenterNetworklnlrastructure 1(DCNI-I):2.0 @ 2008CiscoSystems.Inc.
C reating C oIltexts
To create individualcontext'
.
p Nam e the context
* Allocate interfaces
. Specify the configletUR L contextadmtn
allocate.interface Vl&nl9
cenfkg.url dak:/admin.cfg
l
fwsmfconfigl# -.
i
context name i
!
allocate -interface vlannumber E
J-vlannumberl fmapped name '
I-mapped D&me11 . '
con fig-url ur2 ik . ..'t '.i .
z.
o r .,,.a. ' 13
.createsthe context -

System ExecutionSpace

'l'
T lcconfig-urlctpllllllal'
ld is tlscd to specify tl
'je IocatiolliI1'
kvllich tllc colldiguration tilc oftl'
le
colltcxtisstorcd.

Note The contexli


s notacti
ve untilthe config-urlcommand is issued.

Caution lfthe confi


guralion file specified in the config-urlcom mand already exi sts,then aI1allocate-
interface commands shoul d be i ssued priorto issuing the config-urlcomm and.

fll2008CiscoSystem s.lnc. lmplementing FW SM fora Data CenterNetwork Infrastructure 2-123


Verifying Contexts
From thc system cxecution spacc.you can view a listofcontcxtsincluding thename.allocatcd
intcrfaccs.and configuration tilcU RL by using thc show contextcolnmand.
show contextfdetail)(??tz???E'Iadmin jcount)
show contextParam eters
Param eter Descrlptlon

detail (Optional)Displayscontextdetail
s.
name (Opti
onal)Displaysinformati
onaboutthespecifiedcontext.
admin (Opti
onal)Displaysthe administratorcontext.
count (Opti
onal)Displaysthe numberofcontextsconfigured.

fwsm#show context detail


Context ''admin t
' is ADMIN and active
Config URL: disk:/admin.cfg
Real Interfaces : Vlango, V1an9l
Mapped Interfaces : Vlan9O Vlan91
Class: default/ Flags : 0x00001857, ID: 1

Context ''bridgen is active


Config URL: disk:/bridge.cfg
Real Interfaces : V lan92, V1an93
Mapped Interfaces: V1an92, V1an93
Class: default, Flags : 0x00001855,

Context I'null'' is a system resource


Config URL : ... null
Heal Interfaces:
Mapped Interfaces:
Class : default, Flags: 0x00000809,

Context l'system n is a system resource


Config URL : flash :config
Real Interfaces:
Mapped Interfaces : EOBCO, GigabitEtherneto,
GigabitEthernetl, V lan90,
Vlangl, V1an92, V1an93
default, Flags : 0x0OOOO8l9/

Rem oving C ontexts


To rclzlove a sillglc context,use the no contextcolnlnand intlle system execution space. To
rclllovca11contcxts(including thc adm in contcxt).usctheclearcontextcomm and.

2-j24 lmplementingCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.D @ 20()8CiscoSystems, lnc.


C hanging the Context

Note Ifyou wantto perform a merge,skip to Step 2.

FWsM#changeto context name


FWsM/name#configure terminal
FWsM/nametconfigl#clear configure all
Step2 Cllallgtzlt)111e systeln ttxtttrtltion space.
FWshl/name (config)#changeto syrst rem
i;terh3 II1tt!rt1)c c(:11tc)ktc()11ts!
ptll'
ati()1)l1A()tlc lkrtl1()c(l)lex!).
't)11&,:
ll,tt()ct1a1):4e.
FWsM tconfigl#context name
Step4 Elltcrtllc ncNv L11L.
FWSM (config)#config-url new' ur.
l

@ 2008 Clsco System s,Inc. lm plementlng FW SM fora Data CenterNetwork Infrastructure 2-125
M anag ing C ontext R esources
ThistopieexplainstheCatalyst6500 SeriesFW SM contextresource m anagem ent.
'

C lass H ierarchy
. Limits setin the defaultclassare the basis foralIotherclasses
and contexts notassigned to a class

.- Context
Gen- l

Fxecutive Class ServersClass Li


m ited Class

Context
CEO )'(
''Contez ):ftntA# Conlbxt'
t(
yvisitpe j'(
.
. natacvqjbi,
.L , To tlng,.
..

By defatllt,allsecurity contextshave unlil


nited accessto the rcsourcesofthe Catalyst6500
SeriesFW SM ,cxccptwhere maxilnuln limitspercontextarc cnfbrced. Howevcr,ifyou find
thatoneorm orc contcxtsusetoo many resources,and tbey, forcxample.causc othercontcxts
tobc dcnicd conncctions.you can configurcrcsource managcmentto limitthcuseofrcsources
percontcxt,

Configuring Resource M anagem ent


Resourcc m anagcm entdefinitionsare crcatcd by detining a class.Each classdetsnition contains
a spccitication ofthcresource Iim itsto bcapplicd to thccontextsassigned to thatclass.
A defaultclassdetsnestheresourcc lim itsthatarcapplied to contcxts thatare notassigned to
otherdefincd classes.The lilnitsin the dcfaultclassare inheritcd by othcrclasses. unlcss
specit
ically ovcrridden in the definitiolloftllc nondcfaultclass.
Each individualsecurity contextisassigned to aclass.M ultiple contcxtscan beassigned to thc
sam eclass.

Note The Calalyst6500 SeriesFW SM does notIimilthe bandwidthpercontext'


, however
,lhe
switch containing the FW SM can Iim itbandwidth perVLAN.

2-126 implemenlingCiscoDataCenterNetworkl
nfrastruclure1(DCNI-I)42.0 @ 2(08CiscoSystems, lnc.
'

V 1f'tualF -
1rew a IIR esource Lim 1ter
C lasses are defined in the system execution space'
.
. Indi
vidualcontexts are mapped to classes
* Limitsare appliedtospecificresourceswi
lhin aclass (integeror
percentage:0 means no Iimi t)
* Resources can be oversubscri
bed class assigns a maxim um of10
percentofresources btlt50 contexts are mapped to it
:4 . * ez
fwsm# . h
j... i!r.. '
4.i
show resource types -
..
;, .' . . .. 2jn

gz
r
J.-
Conos Connectlons
Hosts 1'losts
Spsec IPSeG mgmttunoels
'' z
ASDM ASOM sesslons
z r.4 * ' : 1 .;
SSH SSH sessrons
., 14> 16%
Conns CPS xj
ates XLATEobject
s
Fjxups Flxups/sec Mac-addresses VAC addresstable entoes
Syslogs Syslog/sec AII A(1fesources

@ 2008CpscoSystems,Inc fmplem entlng FA'SM rora Oaa CenterNetworklnfrastructure 2-327


Defining Resource Lim itations
Rcsource lim itationscan bcdefilped in threew ays:
* Ratc-lim ited constlm ption ofa specitied resourcespcr-second
K Absolute amountofaspecified resourceconsum ed,expresscd aseitheran absolutenum ber
orapercentagc ofsystcm maximum s
w Absoluteam ountofalIrcsourcestrackcd cxpressed aseitheran absolute numberora
PercentageOfSystem lnaxim tlm s
The tsgure showstlleresourccsthatcan be individually controllcd w ith rcsource m anagem cnt
configuration com mands.Othcrresourcesare trackcd by the rcsourcc allocation function ofthc
Catalyst6500 SeriesFSVSM operating systemabutcallnotbe controlled on an individualbasis.
Tllcsc rcsourccsare controlled by thc alIkcyword ofthcrcsourcc lilnitcom mands.
'

* -
o nflgurlng esource anage ent
fwsm tconfigl#
cllss name
limit-resource Iratel reaource name / all (numberl%l / OJ
*Creates class and allocates resources

fwsm (config-ctx )# e....- eostwxt admtn


j allocltl-inters*c. g'*n100
mel er C;aJ5 j eonfjg.urldtzkl/wdotn.cfg
1 1
. Assigns a contextto a class l
I
'
Dq'nt*xLexecuetv.s
wlloJlte.inLertacl vllnlol-vllnlo:
l $.,.. - . . . .v so:
j,,
! con:#g-urtdtek:/lx*euttvlg.cfe
QtR**X*Q*1VD----*--MI !
limit-r*lourc@ *t: lQ%
l
1 context relukpr guy* -
1 j 1 allocat.@-$.nt*rfac* vl= lQ3-v1= 104
class gol; .' . x*
1 k l disk
Iz&wtt.rlsourcoal1:Q: l I 1con'g-ur t/rlzullr-vuys.ezg
claa. gllv*r ' ' * $ ' context vi:itorl
ltmtt-reaogrce conns 500& I - allocati-lnterrwcg vlanl05-vl*n106
limitere*ourcl hoste 2QQ config-ur: diski/vlsitor:

Classesarc dcfined asslpown in thc Icftpartofthe outputin theexamplc.


First.aclassisdcfillcd with theclasscolnm and.The nalnc isa strillg up to 20 characterslong.
Tosctthelimitsforthcdcfatlltclass,enterdefallltforthcllamc.
Thc lirnit-resource com mand isthen tlsed to detinc thc individualrcsource Iim itations. The
nulnberisan integergrcatcrthan orequalto l.Zero (0swithouta perccntsign)setsthe
resotlrces to the systcm lim it.You can assign more than l00 perccntifyou w antto
oversubscribethe dcvice.
A resourcenam ecan be m ac-addresses,conns.nxups, hosts,ipsec,asdm ,orssh,etc.

Note Forthe com plete Iistofresource names wi


th mini
m um and maximum values referto lhe
Catalyst6500 Series FW SM docum entation.

Thcrightside oftheotllptltin thc example showshow individualsecurity contexts arc dcfincd.


Contcxtsareassigned to arcsourcc classwith thc rnem ber com lnand.

2-128 ImplementingCiscoDataCenterNetworkInfrastructure1(DCNI-I)72.0 @ 2008CiscoSystems. Inc.


C o nf1g u r1I1c
q M e ln o ry Pa rt1t1o n s
fwsm (config1#
resource acl-partition ntzmber of partit:.ions
. Sets the num berofpartitions

fwsm tconfig-ctxl#
allocate-acl-partition partron number
w Assigns contextto m em orypartition

context test
allocate-interrace vlanlo; intl
allocate-interface vlan102 int2
allocate-interface v1an1l0-vlanll5 int3-int6
config-url ftp://userllpassword@lo.l.l.l/configlets/test.cfg
member gold
allocate-acl-partition 0

Note Rules are used up on a hrst-come srst-served basis so one contextmightuse m ore rutes
than anothercontext.

Yotlckll)luanually assiglla colltcxtto a partitioll.

Note Cbanging lhe numberofpadilions reqpires 9ou ttl'eload 1bt?Calalys!6500 Series FW SM .

@ 2006Cisco Systems.lnc fm ptem entlng FW SM fora OaaCenterNetwork lnfrastructtlre 2-129


Configuring M em ory Partitions
To changcthe numberofmelnor.y partitionsuse thcresourceacl-partition com m and in thc
system exccution space and reload theCatalyst6500 ScriesFW SM .
Ifyou are tlsing failover,waita fcw secondsbeforereloadillg the Standby tlnitaswcll.
'thc
standby unitdoesnotrcload autom atically.and thc mcmory partitionsmtlstlnatch on both
tlnits.

Caulion Traffic oss can occurbecause both units are down allhe sam e tim e.

You can assign an individualcontextto particularm emory partition with the allocate-acl-
partition comm and undertllc contextconfiguration modc.

Note Ifyou assi gna contexttoa padi tion thepaditi


on num beringstartswith0.So ifyouhave 12
partitions,the parti
tion numbersare 0through 11.

Verifying M em ory Pad itions


To verify llpe Inelnory partition contigtlration use theshow resource acl-partition com mand in
tllc systcln cxccution spacc.
fwsm lconfigl#show resource acl-partition
Total number of configured partitions = 2
Partition #0
Mode :exclusive
List of Contexts :bandn / borders
Number of contexts :2(RefCount:2)
Number of rules )D (Max :53087)
Partition #1
Mode :non-exclusive
List of Contexts Cadmin momandpopA , momandpopB , momandpopc
momandpopD
Number of contexts :5(RefCount:5)
Number of rules :6(Max :53O87)

2-130 lmplementingCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.0 @ 2008Ci


scoSystems. Inc,
itl2008Cisco Systems,Inc. lm plem enting FW SM (ora Data CenterNetworkInfrastructure 2-131
S um m ary
Thistopic sulnm arizesthc key points thatwerc discussed in thislesson.

Sum m ary
. Vidualfirewallsare im plemented with multiple security contexts.
. Contexts are created within the system configuration and defined
in individualconfigurati
on files.
* Resource managementcontrols the Cisco Catalyst6500 Series
FW SM resources allocated to each security context.

2-132 lmpiemeningCiscoDataCenterNetworklnfTastructure1(DCNI-!)v2.
9 @ 2D98CiscoSystems. lnc.
uessonsI

Im plem enting R puting

O verview
DeployillgthcCisco Catalyst6500 SeriesFircwallScrvicesModtlle(F'
SVSM )in arotltcd l
node
rcqtlircscithcrstaticordynam ic IP rotltillg.Thislesson describesalld explainsllow to
conligtlrc thcCatalyst6500 ScriesF' W SM routing capabilitiesaincltldillg static routing,
dynalnicrotlting,and rotlteIlealtllinjcctioll(RHl).
Objectives
U pol)colnpleting tllislesson,yotlwillbe ablcto dcploy rotltillg on a Catalyst6500 Serics
FW SM .Thisability illcltldesbeingableto meetthcscobjcctives:
* Explain thc nced forstatic rotlting on thc Catalyst6500 SeriesFW SM
* Dcscribcthc stepsneeded to configtlrc static rotltcs
* Explain the need j
-ordynam ic routing on the Catalyst6500 Serics FW SM
w Dcscribc the availablcdyllalnicroutillg protocolsoI1the Catalyst6500 ScricsFW SM
* Explain thc need tbrR1.II
w Explain the nced forasym metric rotlting
w Explain the restrictionsofdynam ic rotlting
K Describc thc slepsnecded to configurcvariotlsdynanlicrouting protocols
C onfiguring Static R outing
Thistopicexplainsstaticrouting on thc Catalyst6500 ScriesFW SM .

U nderstanding R outes
W here to forward the traffic?
@ Through which interface?
. W hati
s the IP address ofthe nexthop?
el ez
Intecnet (F.'
.
o 1 2 '. 1 .
2 IF..Q. '
. outside '.'' Inssde .
19216810/24 y, ,

! 100.
10/24 7#
.
..,

10.0 2 0/24
. . ;. .. : ... :$
.

lo(,2(
)/J4 esi lcc,12 Jy.-''
- '
10(1.3.@24
.
<) lth.
0d.
3 +. .##
1(1()10/24 e:l - ..e
#92 16810/24 t'l - 10.0.3 0/24
:)0()0/0 el 19216811

How to Determ ine W here to Forw ard the Traffic


In a routcd lnodc.thcCatalyst6500 ScricsFW SM behavessim ilarly to roulerswhen ithas to
forward a packctbctwecn thc interfaces.M ultiple interfacesmean m ultiple IP subnets,and
thtls.tlyc Catalyst6500 SericsFW SM has to dcterm ine how to tbrward an IP packettoward its
dcstination to routc the packct.
Thcrcaretwo tllingsaFW SM (orrotltcr.rcspcctively)hasto determine:
w W hatistlleoutgoing intcrface throttgh wllich a packctistransm itted?
K W hatisan IP addressofthe nexthop routcrto receivc the packet?
Since lnostIp-bascd comm unicationsarebidirectional,routesthathandlc thctraftic in both
dircctionshave to be colltigurcd.Routcsarc storcd in therouting table and are acquired by the
lneansot'a routing protocol(cithcrstatic ordynam ic),

How FW SM M akes Forw arding Decisions


Rotlters.by dcfault,m ake routing dccisiollswith regardsto thc routing table only.
In contrastto rotlters.thc Catalyst6500 Scries FW SM m akesrouting decisionsw ith rcgardsto
therotltingtablcandtrallslation tablc(whellNctworkAddressTranslationENAT)isnot
disablcd):
. Iftlle destination orstatic IP tralpslationalrcady cxists,thc cgressinterface istheone in the
translation tablc.notthc routing table.Thcrouting table isthen consulted forthe IP addrcss
ortlc ncxthop.
. lfthc dcstillation orstatic IP translationdoesnotexist.llle IP routing table isconsulted for
tllcnexlhop IP atldrcssand cgrcssintcrfacc.

2-134 lmplementingCi
sccDataCenterNetworklnfrastructure1(DCNI
-I):2.
0 @ 2008CiscoSystems!lnc.
C onfiguring Routes
fwsm tconfigl#
route if nnme dest ip masx Fa:evay ip (dstance)
n Adds a static route through specified interface
route outside 0 0 192.168.1.1
route inside 10.0.2.: 255.255.255.0 10.e.1.2
route inside 10.0.3.0 255.255.255.: 10.:.1.3

elk.m eo '
Intemet ;7'cc'
1 Q .1 2*'m .1 .2 '
QL.
Q '
. . d,
. -,r..;,
jy j
s,
ssj
t
j
e
t.,.-. ...
,
.
,.
' .
:. y.
--499
,
p'
4 , f...sx' ' ,J.i:..?' Iz>.t r;4
10.0.2.0/24
10020/24 E0 10012 3
. .
.q7'ZP
1
10
0.

03
1.
0
0?
/2
24
4 E
e0
o 1(
).
(
).
-$.t
i. @ ,yr##
,.x .
< :F

10 0.3.0/24
O.000/O e1 19216811

BesidcsBorderGateway Protocol(BGP),statc routesarctile only way to enablcIP routillg to


tllc networksin tlle multiple colltextI
nodc thatarc notdirectly collnccted.
Rotltcsare conl
igtlrcd on the Catalyst6500 Serics FW SM usilpg thc routecolnlnand.
r()11tt,4*
/'1?4???1:7t/(?.
$'/ il),,1:7.
:J'kf(1lc7;$'(7!'i;lg(lis'tclll'
lf1
route Param eters

Parameter Description
if- name Specifies the interface to be used to transmittraffic toward the
desti
nation specified bythe route com mand.
dest
r ip-
Togetherwith the m as/fparam eter,determinestherange of
destinati
on IP addresses covered by the route command.
t
nask Togetherwilhthe deslip parameter,determinesthe range of
destination IP address-
es covered by the route com mand.

gateuza.yr ip Specifiesthe IP address ofthe nexthop router.


distance (Optional)Hopcountto be associated wi
ththe route.Ifmulti
ple
routes to a particulardestination exist the route with the lower
m etric is preferred.The defaultmetric is 1.FW SM supports up to
lhree equal
-costroutes to the same destination perinterface for
Ioad baiancing.Equal
-costmultipath (ECMP)Ioad shari
ng isnot
supported.

D efault R oute
A rotltcconI
igtlrcd with a (F(?.
s'J ip alld l??t'
7.
# of0.0.0.0 isea11cd a dcfatlltroute.Packcts tllatarc
notcovercd by ally otherrotlte arehandlcd by tllc dcfaultroutc.

Note The defaultroute can be abbreviated as 0 in the route cem mand.

@ 2008 Cisco System s,lnc. lmplementing FW SM fora Data GenterNetwork lnfrastructure 2-135
Static Route Convergence
Static routc isrcm ovcd froln therotlting tablconly ifthc interface goesdown.Ifthe spccified
gateway bccomesunavailable,the static route isnotrclnoved.

Note Staticroutes arealso used inthetransparentmodetosendthe traffi


cori
ginated inthe
Catalyst6500 SeriesFW SM to nondirecttyconnectednetworks(forexample,management
trafficIike syslog.authentication authorization and accounting(AAAJ orW ebsense).

Configuration Exam ple


Tllcfirstroute isa defaultrotlte thatisused forany traffic to the otltside network.The
rclnaining two rotlteshandle trafticto the two intcrnalnetw orksand cach ofthem hasa router
bctwccn thcnetwork and theCatalyst6500 Serics FW SM .

2-136 lmplementi
ngCiscoDataCenterNetworkI
nfrastructure 1(DCNI-I)72.0 @ 2008Ci
scoSystemslI
nc.
C onfiguring D ynam ic R outing
TI1istopic cxplaillsdynalnic routing tll t
'lpc Catalyst6500 SericsFNVSM .

D yna ,711c R ou ting P rotocolS u ppo rt

DM 2 .
10 1 20/24 2 '' >- '
. I :
R1P >V e.
10 02 0/24
. M - 1 . X PM
1rlt(!rrlf)t '-'
zt:i
' ''.1 (28tItF;It1(, ., --. .
, If7s;Icl(: a-;--: .'
jjjjjl
. s'
? q
. 1
..
-. jjy
o1,12
192.1681.0/24 10130/24 wt'
!0 0.3 0/24
e O SPF
. RlP (passiveand defaultroute)
BGP stub(onlyadvertise)

(:)2008 Cisco Systems,Inc. lmplementi


ng FW SM fora Data CenterNetwork Infrastructure 2-137
O S PF R outing Protocol
. Supported OSPF features include:
-
Metric istransm ission cost
- OSPF authentication
- Two OSPF pr ocesses
.-
OSPF Iink-state advedisement(LSA)flooding
-
Areas:
.
Intra-area,interarea,and external(type Iandtype II)routes
*Stub areasand not-so-stubby-areas(NSSAS)
. VidualIinks
-
Redistribution ofstatic,connected routes,and between
Y
processes
. Notsupported in the m ultiple contextmode

A Catalyst6500 SericsFW SM can be configurcd with OSPF routing protocolto dynam ically
lcan:and advcllise thc routes.
OSPF usesDijkstra'sshortestpall)t5rst(SPF)algorithm tocalculatethebcstpathto the
dcstination.Thc inputinfonnation fortheSPF algoritllm consistsofIink-state advertisemcnts
(LSAS)kcptinthcIink-statedatabase(LSDB).
Thc Catalyst6500 ScricsFW SM maintainsafullLSDB.
M ostoftheO SPF features supportcd on aCisco rotltcrarc supported on tlle Catalyst6500
Scries FW SM aswell.

O S PF Lim itations
Two OSPF processcscan be run on a differentsctofintcrfaces.

Note OSPF in notsuppofted i


n the m ultiple contextmode.

Furtherinformati
onaboutOSPF i
s avail
able in the Catalyst6500 Seri
es FW SM
docum entation.

2-138 ImpsementingCi
scoDataCenterNetworklnfrastructure1(DCNI
-I)v2.
O @ 2008CiscoSystems.lnc.
E nab I1ng O S P F
fwsmtconftgl#
router ospf process -id
. Configures OSPF process
fwsmtconfig-routerl#
network ip address mask area area d
* D efines IP addresses on w hich OSPF runs,and area ID
ose:
-.
V Q
-
'
.
r'
okptslde --' ,.tc ww- lnslcle
-- .-.. y#
19216810Q4 io1.
3.0/24 w.
#
10 0 3 0/24
router oapf 2
network 10.9.0.0 255.0.0.0 area O

()SI'F isellablcd by contigtlrillg routilpg proccssesusillg tllc router (lspfconlnlal


ld:
router ospf process -id

routerospf Param eter

Parameter Description
pzm
ocess -J An identifierused internally by the FW SM to trackseparate OSPF
processes.i fmore than one is confi gured.The FW SM supports
two OSPF processes.

A ftcrtlleO SPF proccss isctllltigtlrcd.tlle Iletu'


orksthatparticipalc i11lhc rotltiI1g proccssarc
tlcI
illcd Nvitl'
ltllc netAvork arca colunAalltl'
.
network ip address mask area area id

network area Param eters

Parameter Description
ip- address Any inlerface wi
lh an address in the range defi
ned by thi
s and the
mask parameleri s used bythe OSPF routing process
mask Any interface wi
th an address in the range defined by the
i
p address and thi s parameteris esed bythe OSPF r/uting
process.

Note The mask used is a slandard mask ratherthan the


wildcard maskused when configuring OSPF on a
Cisco Io s-based router.

@ 2008Cisco Systems.lnc. lmplementing FWSM fora Data CenterNetworklnfrastructure 2-139


Param eter Descrlptlon
area- id Placeseachinterface in anOSPFarea. OSPF areas are used to
sub-divide a network thatis using OSPF as the routing protocol.
The area speci fied on the FW SM mustmatch the area IDs
configured i
n the OSPF routers to which the FW SM is attached,

Verifying O SPF O peration


To vcrify and troublesllootOSPF operation,thc sam esetofcomm andsisused ason Cisco IOS
rotlters.

Y F
Note Furtherinform ationaboutO SPF com mandsisavailable i
n the Catalyst6500 SeriesFW SM
documentation.

2-140 lmplementing Cp
sco Data CenterNetwork lnfrastructure 1(DCNI-I)v2.O ()2008 Cisco Systems, lnc.
R IP R o utiI'Ig P ro toco l
. Features ofRIP supportinclude:
Metricis hop count
.

Each routercontains a nexthop database


Version 1(default)andversion2
Cleartextand M D5 authentication forRlPv2
w RIP operation modes:
Passive R 1P
Defaultroute updates
w Notsupported in the m ultiple contextmode

l'llc C'atalyst6500 Series FVSM stlpportsbotllR IP version l(RlPv I)and version 2 (RIPN'2).
tllc lirstolle bcillg tlledcl'
atllt,

Note R1P isnotsupported inthe m ultipiecontextm ode

Furtherinform ation aboutRIP i


s available in the Catalyst6500 Series FW SM
docum entation

@ 2008 Cisco Systems,Inc. lmplementi


ngFW SM foraData CenterNetwork Infrastructure 2.141
*
E nab I1n g R lP
fwsmtconfigh#
rip it name passive (veraion (1 ; 2 Iluthentication (text '
.
md5) k-
ez #ey d1))
. Enables passive RlP with optionalauthentication forversion 2
fwsm tconfigl#
rip it name default (version (1 1 2 (authentication (text I
mds) k-
ey key :d))1
* Enables sending ofdefaultroute
R1p
,r Q.Q l '#
192O1ut
.
slde
.
68.1.
. .. ... ..
Inslde
r;. a, ,a,(
)x4 .g.
#
10.0.3 0/24
r1p lnalde default vereion 2
rip insid. paaatve version 2

Passive RIP iscont-igured w ith the rip passive com mand:


rip ke
key f-
yname passive (version (1
d1J1 (authentication (text pmd5)

rip passive Param eters

Param eter Descrlptlon


if- name The interface where RIP should Iistentothe RlP updatesfrom
neighboring routers.
version 1 ( (Optional)TheversionoftheRlPprotocol:RIPv1orRIPv2 lfnot ,
specified RlPv1 is used.
authentication (Optional)FnablesRlP version 2authenti
cati
on .

text UsescleartextforRIP messageauthentication (not


recommended).
md5 UsesM D5forRIP m essageaulhenticalion.
keyr Key and to authenti
cate RIP updates.
key d Key identiscation value'valid values range from 1 to 255.

Dcfatlltrotlte update isconfigurcd withthc rip defaultconunand:


k p .
ri trname default Iversion (1 1 (authentication (text Imd5)
ey'a
ke-
y id1)1
rip defaultParam eters
Parameter Descriptlon
if- name The interfacewhere RIP should Ii
stentothe RlP updatesfrom
neighboring routers.
version l I 2 (Optional)Theversi
onoftheRlPprotocol:RIPv1orRlPv2 Ifnot .
specifi
ed R1Pv1isused.

2-142 lmplementingCi
scoDataCenterNetworkInfrastructure1(DCN1-1)v2.0 @ 2008 Cisco Systems. Inc.
Param eter Description
authentication (Optional)EnabpesRIP version2 authentication .

text UsescleartextforRIP message authenlicalion (not


recommendedl.
md5 Uses MD5 forRIP m essage authenti
cali
on.
Aey Keyand to authenticate RIP updates.
key j.d Key ientifi
cation vasoe'valid val
ues range from 1 lo 255.

Note Furtherinformati
on aboutRlP commands i
s available in the Catalyst6500 Series FW SM
documentation

Note RIP cannolbe used by the Catalyst6500 Series FW SM to advedfse i


ndivfdualnetworks.

(()2008 CiscoSystems.1nc. lmpl


ementing FW SM fora Data CenterNetworklnfrastructure 2-143
BG P Stub Routing
w Features ofBGP supportinclude advertisementofstaticand
directlyconnected routesto neighbors
. Limitations:
-
Onerouting process(in multiplecontextmodealso)
-
One BGP neighbor(inmultiple contextmode also)
- iBG P on1y
.- No redistribution
m Suppoded i nthe multiple contextm ode
. Requires a license

BG P stub routing processisused only to advertise theconfigured static and directly connectcd
routesto BGP neighbors.
BGP docsnotproccssthcaccepted routcsadvertiscd by the BGP peerand sim ply dropsthcm . >

Note A li
censeisrequired to deployBG P stub routing.

BG P Lim itations
BGP Stub routing islim ited to one process, oneBGP ncighbor.andonl
y intenpalBGP (iBGP),
cven ifdcploycd in m ultiple contextmodc.
Rcdistribution ofany routcsinto BGP isnotsupported.

Note Furtherinform ati


onaboutBGP isavail
ablein the Catalyst6500 SeriesFW SM
docum entation.

2-144 ImplementingCi
scoDataCepterNetworkInfrastructure1(DCNI-!):2.0 @ 2008 Cisco Syslems. lnc.
E nab I-
1ng B G P
fwsm tconfigl#
router bgp as-number
* Confi
gures BGP stub routing process
fwsm lconfig-routerl#
neighbor ip-address remote-as as-n e er
. Defines the neighborto whi
ch updatesare sent
fwam tconftg-routerl#
network ip-address mask mask
. Specifiesthe network which are advedised by BG P
Inslde uop
10.0 3.0/24 . -
fk .
..

router bgp 65000


. .j Outsl
de
192 !68 10/24
.
w
neghbor 192.168.1.2 remote-as 65000
netvork 10.0.3.0 mask 255.255.255.0

BGP stklb rotltillg iscllabltld by collfigtlrillg rotlting proccssesw itlltllc router bgp colnlnalld:
router bgp as-nuni er

routerbgp Param eter


Parameter Description
as-ntimber Theautonomoussystem (AS)numberthatidenlifiestheFW SM
to otherBG P routersandhastobethe same ason neighboring
device since only iBGP is supported.

7'o starttllktBGP session svitl


'ltllc Iteigllbor.tlse thc neighbor relnote-ascolnllland'
.
neighbor ip -address remote-as as -number

neighborrem ote-as Pararneters


Param eter Description
ip -address The IP adress ofthe nei
ghboring iBGP router.
as .
-nunl
b ez' The AS rltfmberthatidentifies the FW SM to etherBGP rc/t
-lters
an has to be the same as on neighboring device since only
i
B GP is supported.

Q 2008Cisco Systems,Inc. Implementing FW SM foraDataCenterNetworkInfrastructure 2-145


O ptionalB G P C om m ands
BGP on tlpeCatalyst6500 ScriesFW SM also supportsthecomlnands listcd in thetablc.

O ptionalBG P Com m ands


Com m and Descrlptlon
bgp router-id id Defines a BG P router1D.
neighbor ip -address Desnesa password used toauthenticate the BGP message to
password Ernode) theneighbor.
password

Note In more com plex iBGP depl


oyments,the BGP neighborhas to be enabled with the route
reflectorfunctional
ity.

To vcrify and troubleshootBG P operation.the salne setofcom mandsisuscd ason Cisco IOS
routers.

Note Furtherinformati
onaboutBG P comm ands isavailable inthe Catalyst6500Series FW SV
docum entation.

2-146 ImplementingCi
scoDataCenterNetworklnfrastructure1(DCNI-I)v20 @)2008CiscoSystems, lnc.
d
X
'
*

Route l-leaIth Injection


* Available since FW SM 4.0 cisco catatyst6500
* Leverage RHIto support SeriesSwitch
routing protocols natively
suppoded by Cisco Catalyst . -. ., . -. ..
6500 Series sw itch ' ' '' ' 57=* ' ''' '
S ,. . !
,l
njectroutesdirectlyinto
MSFC: E
2
El
Valt
LAla
N3o
zz
p ,
vt
lA1(
u l)
q,
a(
)a
)!
sti
Eoutsl
je w
raltslde j
.. Elirll(ltly()()r)r)(,(ltf,(jrllt.t6,s t.............. .. ..............J
.,
ur g
,
Static routes 101O302 ' 1010402
vqIs Na3o
r1slcf
vl.Ax 3ac
NAT poolinform ation .. .. - 1 sl
% cl6.
-tDcz . j. -.
<.. :q..1
)..
..
j,I
III
j;
C
j
k..
,-
L
,k
.
L
6
k
,'
' '
, Per-contextRHl o.. p' .1,
,F
,o!o301 -35h( -,4'r!

Using RHIto InjectTranslated IP Addresses

D 2008C lscoSystem s,Inc.


( Impiementlng FW SM fora DataCenlerNetwork Snfrastructure 2-14-1
Asym m etric Routing Suppod
w Challenge:Return traffic fora session routed through different
interface isdropped
* Putinterfaces in the asym metric routing group
* Acti on upon packetwith no session inform ation on interface:
-
Layer2 headerrewri tten
.-Failoverscenario:packetis redirected to the otherunit
Differentinterface:packetreinjectedintothe system
m FailoverlStatefulm ustbe enabled
* Supported in the multiple contextm ode

Norlnally the Catalyst6500 ScriesFW SM ,likcany otherfircwalling devicc, doesnotallow


asym metric routing, 'thatis,in casc returlltrafric forasession isrouted through a diflkrcnt
ilytcrface than itoriginated from ,thetrafticis dropped, sincethere isno connection information
forthattraft ic.
11)failoverconfigurations.return traffic fora connection thatoriginated on one unitmay return
through thc peerunit.
Stlch dcploymentsarc com mon wllen two interfaceson a single Catalyst6500 SeriesFW SM ,
ortwo Catalyst6500 SeriesFW SM S in a failovcrpair, are connected to diffcrentScn/icc
providersand the otltboulld conncction docsnotusea NAT address.

Using A sym m etric R outing G roups to A llow Asym m etric


Routing
To prcventthc Catalyst6500 SericsFW SM from dropping such traffic, asym metric routing
grotlpscan bedcploycd on the intcrfaccs whercthisislikcly to occur. W hen an interfacc
contigured w ith thcasym metric routing group rectivesa packetforwhich ithasno svssion
infbrmation,itchecksthc scssion inform ation forthc othcrinterfaccsthatare in the sam e
grotlp,lfa packctforsuch session isreceived thcsc actionsoccuriflllatch isfound:
* Ifthe incom ing traffic originated oI:a pecrtlnitin a failoverconfiguration a partorthc
cntire Laycr2 headcrisrew ritten and the packctisredirectcd to the otherunit. This
rcdirection continuesaslong asthe session isactive.
* Ifthe incom ing trafticoriginated on a differcntintcrface on the salncunit, apartorthc
cntireLaycr2headcrisrewrittenandthepacketisreinjectcd into thestrealn .

Note In failoverconfigurations a statefulfailoverhas to be enabled forsession informati


on to be
passed from the standby unilorfailovergroup to the active unitorfai lovergroup.
>

2-148 Implementi
ng Cisco Data CenterNetwork l
nfrastructure 1(DCNI-I)12.0 @ 2008 Ci
sco Systems, Inc.
'

-
13a I-
1n s l'
n ln etr1c o ut-
1n
fwsm tconftg-ifl#
asr-group n er
. Addsan interface to an asym metric routing group
lnternet
Context A. B ASR configuration f.m '
JQ i
# .. -. !
.
i.
1
7terfaptlon
descrice V1an1
INSIDE .'.(- ': FW SM 1
aBr-group 1 f - W r a-- - - 3 1 -.,
'' <
1nter!!ace Vlan2 Ig ti ''. : : . !; l'.z
descrlption OUTSIDE I1 yje
p- : 4.a.1a.#w.@eww-.,'..
:1:1:-I17t;k
l1) 2 I!
. .' ee t* *.@**@@*e : 1
I5 .q r
'
.O
'.
v. ,.:. $F'
.
...A
''
1: FW SM 2
knsltle(DtyA 1'Xi.rffG* IrlGldeCly.B
Inside

'
asr-group Param eter
Param eter Description
ntznl A value ranging from 1to 32.Up to 32 asym melric rouling groups
can be created each group having m axim um of8 interfaces.

Tl'
lt.
tc('111lnalltllastt)be clttercd fllrcacl)illlcrl
-acetlq
tals.
villparticipal
. lllleasyllltnetric
e il'
rotllillg grotlp.

Using A sym m etric Routing G roups w ith Asym m etric Routing in


Failoverw ith M ultiple C ontexts

Note ln the exam pl


e .statefulfailoveris deppoyed forasym metric routing to work properly.

@ 2008C'
sco Systems.Inc. ImplementingFW SM foraData CenterNelwork Infrastructure 2-149
S um m ary
Tlpistopic sum lnarizcsthe key pointsthatwerediscussed in thisIcsson.

S um m ary
. IP routing isneeded in routed mode toforward packets between
interfaces.
@ Static routes provide the m inim um CPU overhead.
. OSPF and RlP are notsuppol-ted in m ultiple contextmode.
. BGP stub routing announcesonl y static and connected routes.
m
RHlisusedto injectconnectedroutes,staticroutes,and NAT
poolinform ation into the MSFC.
. Asymm etric routing is used to all
ow the return traffic through a
di
fferentintedace than outgoing traffic.

2-150 ImptementingCi
sco DataCenterNetworkInfrastructure1(DCNI-I)v2.
0 (
I)2008CiscoSystems, lnc.
Lesson6I

Im plem enting Failover

O verview

Objectives
Failover O verview
Thistopicexplainsthe failoverfunctionality on the Catalyst6500 ScricsFW SM .

Redundant C atalyst 6500 Series FW SM Pair


+

RedundantFW SM high-availability options:


* Active-standbyforaIIcontexts
. Active-active
Actlve

#.. & .
z

Campus !
e#.
w,
o .
x
z
Outsrde Network I Inside Network
I
;j
'y
Standby

Tlle failoverconfiguratiol)rcquirestwo idcnticalCatalyst6500 Series FW SM Sconllected to


cach otllertllrough atledicatcd failover link alld, optionally.a statc link.
Thetwotlnitsinafailovercontigurationmusthavethesamemajor(firstnulnbcr)andminor
tsecondnumbcr)softwarevcrsion.l' Iowcvcr,you canusediffcrentversionsofthesoftwarc
dtlring a!:upgradeprocess;forexample. yotlcanupgradeoneunitfrom vcrsion 3.I(1)to
version 3.1(2)and have failovcrremain active.

Note ltisrecom mended to upgrade both unitstothesame versionto ensure Iong-term


com patibi
ti
ty.

Both unitsm usthave the sam e Iicense.

A ctive-stand by Failover
ThcCatalysl6500 ScriesFW SM provideshigh availability tirewallscrvicesthrough an active-
standby redtlndancy modcl. Tllc standby Catalyst6500 SericsFW SM monitorsthe health ofthe
active FW SM and takcsoverproviding f irewallscrvicesifitdetectsa failurc ofthe activ
FW SM . e
Each ofthc two C'atalyst6500 Serics FW SM Sin a rcdtlndantpairmustbe configur cd
w ith aceessto the sam ecollection ofnetw orks.
Activc-standby failoverisavailable on unitsnlnning in cithcrsingle orm ultiple contextm ode.

2-152 lmplementingCi
scoDataCenterNetworkInfrastructure1(DCNI-I)v2.0 @ 2008 Cisco Systems, Inc.
Active-A ctive Failover

Note 80thfaiioverconfigurationssuppod statefulorstateless(regular)failover

Q 2008ClscoSystems Inc. Implementing FWSM fora Data CenterNetwork t


nfrastructure 2-153
C atalyst6500 Series FW SM Failover Link
* Dedicatedfailoverlink(VLAN)
. Used to determine the operating statusofeach uni t
w Multiple context- resides in system execution space
Actlve

:.. r. z

I .
campus IF
u:kI
over ''..
#
- .-.
- i
! r-:#
Outsi
deNetwork i
. .!
) jnsjd: Nejwork
ILL

Standby

Thc failovercontiguration requirestw o identicalCatalyst6500 Scrics FW SM Sconnccted to


cacl)othcrthrough a dedicated failovcrlink.
Thctwo Catalyst6500 ScriesFW SM Sin a failoverpairconstantly com municate overa failover
link to dctcrm inc the operating statusofcacllunit. Thisinfonnation iscom municated ovcrthe
faiIoverlink:
* Theunitstate(activeorstandby)
w l-lcllo messages (kecpalives)
. Network link status
K M AC addresscxchallge
. Cont
iguration rcplication and synchronization

Caution AIIinform ati


onsentoverthe failoverandstatefulfailoverIinks i
ssentincleartext, unless
you securethe com m unl
cationwi th afailoverkey.

Failover Link R equirem ents


Thc failoverIink tlsesa spccialVLAN intcrface thatyotldo notconfigure asa norm al
networking intcrface',rathcr,itexistsonly forfailovercommunications. ThisVLAN should
onlybeuscd forthcfailovcrlink (andoptionallyforthestatelink). Sharing thc failoverlink
VLAN witllany otherVLANScan cause interlnittenttraffic problem s. as wcllasping and
AddressRcsolution ProtocolIARPIfailurcs.Forinter-chassisfailover, tlscdedicated intcrfaces
on the switch forthe failoverIink.
In lntlltiplccontcxtmodc,thc failoverlink residcsin thc system contcxt. Thisintcrface and thc
state link,ifuscd,are the only interfaces contigtlred in the systeln context. A llotherintcrfaces
arcallocatcd to sccurity contcxtsand configurcd from within sccurity contcxts.

2-154 ImplementingCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.0 @ 2008 Cisco System s. Inc,


C atalyst 6r
a00 S eries F'W S M S tatc Link
* Dedicatedfailoverlink(VLAN)
e Used to determine the operating status ofeach unit
* Multiple context- resides in system execution space
Actrve

Y '22 D'1'1
I!
l .
Cam slalel:ar
lover '
pus tl
nkjjonk 1.,/.
../#
Ii n#
outslde Nelwork !
) 'nslde setwork
f
I f'
'f
Slandby

State Link

Note The IP address and MAC address forthe state Iink do notchange atfailover.

@ 2008 CiscoSystems,Inc. lmpl


ementing FW SM fora Data CenterNetworkIlfrastructure 2-155
Catalyst6500 Series FW SM A ctive-standby
Failover
w Standby FW SM assum es IP and MAC address

Falled

# .; . c :;
>

campus l #
w. m,..
,
g... 7e
Outside Network Inside Network

Actlve

W hen a failure occurs.the stalldby Catalyst6500 ScriesFW SM becomcsactive. The


prcviously standby Catalyst6500 SeriesFW SM takesoverthe activc modtllc IP addrcsscsand
M AC addressand begins to processtraffic.
No cllangesare neccssary to the ARP orIP addressing infonnation used by any otherdevice in
thc network:however.the switching cnginc in thcCisco Catalyst6500 SericsSwitch mustbe
informed tllatthe M AC address tbrtheactive Catalyst6500 SericsFW SM is now owned by a
diffcrcntmodtlle.ThcCatalyst6500 SeriesFW SM scndsgratuitousARPS outon alIofits
VLAN intcrfacestoupdatethcCiscoClcanAcccssM anager(CAM )tablcsintheCatalyst6500
SericsSwilch.

2-155 SmplementingCiscoDataGenterNetworklnfraslructure1(DCNS-I)v2. Q 20()8 Csco Systems. lnc.


C atalyst 6500 Series FW SM A ctive-A ctive
Fa iIover
* Standby FW SM assum es IP and MAC address

Actlve- FalloverGrotlp 1
Stafndby- FarloverGroup 2

k 1.
1kj ':?'z:

Campus I #
' '
< .#
L J x#
Oulslde Network losldeNetwork
% --

Actlve.-FalloverGrotlp 2
Standby- FailoverGroup 1

Failoverisprcclnptivc ifcontigured to beso--sllotlld tllcotherf-'alalyst65()0 SeriesFWFSM


advertiSca lligllcrpriol'ity lbra givel)failovergrotlpstllc FSVSM lvitlltlle lowerpriority can
givc tlp itsactivc role.

Note No speciatlicense i
s necessary forfai
iover

Failover Eventw ith A ctive-A ctive

Note The failure ofa failovergroup on a unitdoes notm ean thatthe unithas fail
ed'another
failovergroup mightslii lbe passing traffi
c through thatunit

t
o 2008Clsco Systems,Inc. lmplementing FW SM fora DataCenterNetwork lnfrastructure 2-157
Intra-chassis Redundancy
Cisco Catal yst6500
Series Switch
r' ' !
! Active i
E !
! !
! E
i !
i i 'Z'
; : ''
:
! 1
II i
! ,
.
' Ii i ' ..
,
Campus '
s j( ' I . h
. . ..
j .j j -:# ,
:
i 1! ! Z
OutsideNetwork E ')! E Inslde Network
E
2 .'./ !
2
5
E ' J'
h 'l
i
!
E !
j standby

A rcdtlndantpairofCatalyst6500 Scries FW SM Scan be hosted in a singlcCatalyst6500


ScricsSw itcl!chassis.
Thisapproach providesrcdtlndancy in the casc ofam odulefailure. A1loftllc Catalyst6500
ScricsFW SM iltterfaces.including the failovcralld statelinks. are VLANSw ithin the hosting
Catalyst6500 Serics Switch.EachCatalyst6500 SericsFW SM isattached to thc samc V LANS.

Note The backup Catalyst6500SeriesFW SM doesnotneeda fail


overcable.

2-158 Implementlr!g CiscoDataCenterNetworkInfrastructure 1 (DCNI-I)v2.0 @ 2008Cisco Systems, lnc.


lnter-c hassis R edurldan cy
. Configure spanning tree to blockpor
'
ts on the second Cisco
Catalyst6500 Series Sw itch

cl
scocatalyst65()0l 1
serl
esswllch1j Acti
ve E
i
! - !
i
5 h E
i 2
5 yj,s . yyo .:,
s

. Ej
: '
,C
.'
.
Campus . t ./ $i'
.-p /
.
. I!j v..
OutsldeNetwork i ! :'l i
2 IrasideNetwork
E
i
, f!!.
E
*
E
2 tf !
ClscoCatalyst6500 j !
Serl
tasSwitch25 Standby

Note The Catalyst6500 Series Switch chassis hosting the redundantCatalyst6500 Series FW SM
isconfigured so thatthechassiscontaining the prim ary FW SM isactivelyswitching traffic
urldernorm alconditions.

Q 2008 Ci
sco Systems,Inc. Impl
ementing FW SM fora Dala CenterNetwork lnfrastructure 2-159
Failover O peration
Thistopicdcscribesthc failoveroperation.

M odule H eaIth M onitoring


. Hellos on fail
overIink determine m odule health
. ARP requests are senton aIIinterfaces ifhellos are notreceived

Active

@& c v. z
I!
Ij .'
campus SJz
ll,
1:
ju
Fi
a
ojover k
1E 7
I!
Outstde Network .'
! I
nsl
deNel
work

Standby

The Catalyst6500 SeriesFW SM detcrlninesthc health ofthcotherunitby m onitoring the


failov'erlink.W hcn a unitdoesnotreccivetthello''lncssagcson thc failovcrlink thcunitscnds
an ARP requcston allinterfaces,including the failoverintcrface. The Catalyst6500 Series
FW SM retriesauser-coniigurablcnumbcroftimcs. Thc action thcCatalyst6500 ScricsF' W SM
takesdcpendson the rcsponse from theotherunit. Possiblcactionsincltlde:
* Iftlle Catalyst6500 SeriesFW SM receivesa rcsponse on any interfacc. itdoesnotfail
+>
K lfthe Catalyst6500 SeriesFW SM docsnotreceive a rcsponse on any intcrfaccv the standby
unitsw itchesto active mode and classifiesthcotherunitasfailcd.
. Ifthe Catalyst6500 ScriesFW SM doesnotrlxeivv aresponseon the failovcrlink only,the
tlnitdocs llotfailovcr,Thcfailoverlink ismarked asfailcd. You should rcstorc thc failover
link assoon as possible becausctlle unitcannotfailoverto thestandby w hilc tlpe failovcr
1ink isdow n.

2-16* lmplementingCiscoDataCenterNetworklnfrastructure1(DCNl-1)v2.0 @ 2008 Cisco Systems. Inc.


P art-
1alS w -
1tc13 Fa 1
-Iure

Clsco
sCatalyst6500 i Acll
ve !
enesswptch1 ! g
E h
: : !
: , - z .>.. Cr'
! .
2 % i
E '1: '
I
.li'j '.j
j
Campus . .
li
1--
y
jw,
.#'
-

OlltsideNetwork

!
aj!t.......,...,:
.!, q jnsjde Network
l
i ' ''1 2
.
! I jf'
(
. :
2
clscocatalyst6500 E '
serlesswltch2 stafzdby 2

@ 2008 Ci
sco Systems,Inc. lmpl
ementi
ng FW SM fora Data CenlerNetworkInfrastructure 2-161
'

PadialSw itch Failure (Cont.)

Ci
sco
Ser
Ca taly
ies st6
Swi 500j
tch 1 Acji
ve j
@
:
i
:

i I V- Z 2 :
1
I .1:
.. j
@1
Inten7et ' 1 -1*
x
: #
g Nit..........1 z
Outsi
eNetwork !
:
.
''I
'
f d InsideNelwork
.
:
l.
y :
( .
;y
j
.
t .
j
Glscs
oCatalyst6500j Standby j
eriesSwptch2j j

Thc diagraln showsa partialswitch failtlre thathasdowned theportscollnccting Catalyst6500


ScriesSwitch lto both thc insidc and otltside networks.ThcCatalyst6500 SericsFW SM in
Catalyst6500 Series Switch 1 isstillactive howcver,so traftic lnusttransitthe inter-switch
trunk twicezfirstasa packeton the outside VLAN,and again asa packeton the inside VLAN .

2-162 lmplementingCtscoDataCenterNetworkl
nfrastrudure 1(DCNI-I)v2.0 Q 2008Ci
scoSystems. Inc,
'

Illterface M onitoring

ci
scocatalysl6500 j
f 1
senesswi tc:1 standby j
@ , 2
i # h
i I !
1
! .
j k'7
'f
1: .t !2 .
@ .Ii,, i
Internet I'
.1i
.l. !. jjj
.l
:
p.
.
f ,
.Ij
#iI.............! .
#
.
.
OulsldeNet
work i ! InskdeNetwork
; w 3
! i
clscoCatalyst6500 E Acll
ve j
Serl
esSwp tch2 j k

@ 2008CiscoSystems.Inc. Implemeoting FWSM fora Data CenterNetworkInfrastructure 2-163


w Broadcastping test:The ping testsendsouta broadcastping rcquest.Them odulecounts
allreceived packelsforup to tive seconds.lfany packetsarereccived atany tim eduring
thisintcrval,tlle intcrface isconsidercd operationaland testing stops.
lfaIInctwork testsfailfbran nterface,butthe interface on the otherm odulc continuesto
stlccessfully passtraftic,tlle intcrfacc hasfailed,Ifthc thrcshold forfailed interfacesismet,a
failoverocctlrs.Ifthe othcrmodule intcrface also failsalIthc nctwork tests.both interfacesgo
illto thc unklpown state and do notcounttoward the t- ailovcrlim it.
An interfaccbccom csopcrationalagain ifitrcceivcstraftic.A failcd Catalyst6500 Scries
FW SM rcturnsto standby m odc ifthe intcrface failurethreshold isno longerm ct.

Note An interface canbe marked asfailed (auto state down)when there are noIongerany
physicalports belonging to a VLAN thatis configured on the swi
tch forthe Catalyst6500
Seri
es FW SM .

Rapid Link Failure D etection w ith C isco lO S A utostate


Dctccting and responding to a failovercondition can take up to 45 seconds.Howcver,ifyotlare
tlsingCisco lOS SoftwarcRelcase I2.2418)SXF5orlaterontheswitch,yotlcanusctlle
autostatc fcaturc to bypassthc interface testing phase and providcsubsecond failovcrtim esfor
interfacefailurcs.W ith atltostate enabled.thesupervisorengine sendsautostate messagesto the
C'atalyst6500 SericsFW SM aboutthe statusofphysicalinterfacesassociatcd with FW SM
VLANS.

2-164 lmplementingCi
scoDataCenterNetworklnfrastructure1(DCNI-I)v2,
0 ()2008CiscoSystems, lnc.
C onfiguring Failover
T11is topic describcstllcstepsreqtlired to collfsgure failovcr.

C onfiguration O verview
w The prim arymodule is active ifbooted sim ultaneously
. The prim aryM AC address is used ifpossible
. Configuration is synchronized from acti
ve to standbyr
copy running-config startup-config
w rite standby
failoversuspend-config-sync

Pnmary

> .1
f
h
k $
Active Standby

Prim ary and Secondary Roles

Note Because 1he configurati


on is the same on both modules the hostnames usernam es and
passwords are also the sam e

tl 2006 Cisco Syslems.fnc. lmpdementl


ng FWSM fora Dala CenterNetwork Infrastructt/re 2-165
Tllc active m odule sendsthe configuration in running m clnory to the standby module.On thc
standby m opule.(he configuration exists only il1running m clnory.You can optionally save the
contigtlration to tlash m emory.so thatwhen yotlrcbootthe standby modulc whcn thc activc
modtllc isunavailablc.the standby m odulc can becomc theactive module.To save the
contiguration to flash m cmory aftcrreplication,use thecopy runnlng-conflg startup-config
com m and on thc activc module.ln multiplecontextmode,thiscom mand should bc used in thc
systcm cxcctltion space,aswcllas within cach contextw hich configuration isstorcd in tlash.
W hcn tlle stalldby modulccom pletcs its initialstartup.itclcars its running configuration,
cxceptforthcfailover com mandsthatmtlstbepre-configured and are Ilotreplicatcd.and the
active Inodule scnds itscntire configuration to the standby module.Ascomm andsare cntercd
on tlle activem odtllc,thcy aresentacrossthcfailoverlink to thc standby m odulc.
Thc writestandby com lnand can be used on the activc modulcto causc thestandby modulcto
clcaritsrtlnning contiguration.aerwhich the active m odule replicatesthcentire
configuratiol).Entcring thew rite standby col
nlnalld in the system execution spacecausesall
contexts to bcrcplicated.
Contigurationrcplication can be suspended using the failover suspend-conig-sync com mand.

2-1156 lmplementingCiscoDataCenterNetworslnfrastructure 1(DCNI-I)v2.O @ 2008Ci


scoSystems, Inc.
Active-standby:Defining the Configuration on the Prim ary FW SM Procedure

step Action Notes


1' failover lan interface Designates the failoverinterface The
n terface- nanle vlan vlan exam pi e uses 'V LAN 100'
'forthe failover
interface.This VLAN should notbe used for
any otherpurpose except optionally,the
stale Iink,orbe assiqned to any switch ports.
This Q' LAN does need to be assigned to the
FW SM bythe swi tch,and this interface does
notneed an accessconlrollist(ACL),as
failovertraffic is allowed automatically and
othertraffic is deni ed
failover interface ip Assigns IP addresses to the failoverinterface
faiJ.over n terface Jlp address on each FW SM Both the primary and
nlas.
k sta-
n dby ip- addre-ss secondary IP address m ustbe in the same
nelwork,as defined by lhe subnetmask.

@ 2008 Cisco Systems,l


nc. lmplementi
ng F'WSM fora Data CenterNetwork lnfrastcudure 2-167
Step Actlon Notes
3' Eailover link n terface name Defines the state interface forstatefut
(vlan v'
J.an) - failoveroperations. ThisVLAN should notbe
used forany otherpurpose except
optionally,the fai
loverIink orbe assi gned to
any switchports.Ifthi s intedace isusing the
sam eVLAN asthefailoverIinklthe vlan
parameterdoes notneed to be specified.
The state VLAN needs to be assi gned to the
FW SM bythe switch,and thisinterfacedoes
notneed an ACL as connection state traffic
is allowed automatically and othertraffic is
denied.
4' failover interface ip As with the failoverinterface, assigns an IP
sta te j.n terface ip address address to the state interface.
mask 'standby .ip adRress
-

s' failover replication http (Optional)Directstheactive FW SM to


repl icate state information forHTT' P
connections.W itboutthi s statement, HTTP
connections are disconnected in case ofa
failover.HTTP connecti ons are briefand
frequent,and the slate inform ation although
updated Gonstantly,mightnotincludethe
IatestHTTP statesatfailover.Forthis
reason,you m ightwantto di sable HTTP
replication to reduce the amountoftraffi c on
the state Iink.
6 failover lan unit primary Designates this FW SM as the primafy

Note Thiscommand is the only


confi guration statementthat
differsbetween the primafy and
the secondary FW SM.

7 failover Enables fail


overoperati
ons.
' ip address ip address (mask) AddsastandbyIP addresslo any i
nterfaces
(standby ip azdress) withan IP address.

2-168 ImppementingCl
scoDataCenterNetworkInfrastructure1(DCNI
-I)72.0 @ 2008CiscoSystems Inc.
Active-standby:Defining the Configuration on the Secondary FW SM Procedure

step Action Notes


1' failover lan interface Designates the fail
overinterface.The
an herfa ce- name vlan v2an exam pl e uses KVLAN 100'.forthe failover
i
nterface.This VLAN should notbe used for
any otherpurpose except optionally,lhe
state Iink orbe assigned to any switch ports.
This VLAN does need to be assi gned to the
FW SM bylhe switch and this interface does
no1need an ACL.as failoverlraffic is allowed
automatically and othertraff
ic is denied
2' failover interface ip Assigns IP addresses to the failoverinterface
fa.
f.ioleez- 2:rerface ip address on each FW SM.Both the prlm ary and
mask sta- ndby ip- addre-ss secondary IP address mustbe in the sam e
network.as defined bythe subnetm ask.

@ 2008 Cisco System s,Inc. Implem enting FW SM fora Data CenterNetwork Infrastructure 2-169
Step Actlon Notes
3 failover lan unit secondary DesignatesthisFW SM asthesecondary
FW SM .

Note This comm and i s the only


confi guration statem entthat
differs between the primary and
the secondal '
y FW SM.

4 failover Enabl
es failoveroperations.

2-179 ImplemenlingCiscoDataCente!Networklnlrastqldure1(DC.Nl-1)v2.
() @ 2008CiscoSystems, lnc.
Active-Active:Defining the Configuration on the Prim ary FW SM Procedure

Step Action Notes


1 failover 1an unit primary Designates the uni
tasa prim ary unit.
2' failover lan interface Designates the fal loverinterface.The
nterface- name vlan vzan example uses 'VLAN 100*.forthe failover
interface.This VLAN should notbe used
forany otherpurpose excepl.optionally.
the state Iink,orbe assigned to any
switch ports.ThisVLAN does need to be
assigned to the FW SM by the switch.and
this interface does notneed an ACL,as
failovertraffic i
s al
lowed automatically
and othertraffi cis deni
ed
a' failover interface ip Assigns IP addresses to the failover
fa 2over interface ip address interface on each FW SM .Both the
mask sta-nclby ip- addve-
ss prim ary and secondary IP address m ust
be in the same network.as desned by
the subnetm ask

@ 2008Cisco Systems,fnc Im pfementing FW SM fora DataCenterNetwork pnfrastructure 2-171


Step Actlon Notes
4' failover link interface name Definesthe state interface forstateful
(vlan v.
lan) - failoveroperations. ThisVLAN shouldnot
be used forany otherpurpose except,
optionally,the failoverIink,orbe
assigned to any swi tch ports.Ifthis
interface isusingthesame VLAN asthe
failoverIink, the vlan parameterdoes not
need to be specifi ed.The state VLAN
needsto be assigned to the FW SM by
theswitch.and thisinterface doesnot
need anACL asconnection state tramcis
allowed autom aticallyand othertraffic is
denied.
5' failover interface ip As with the failoverinterface, the state
stat:e n rerface ip address mask intefface needs an IP address assigned.
standEy ip address-
6 failover group l Configures the failovergroups with a
primary maximum oftwo permitted.Each fai lover
group mustbe uefined as ei thefa
exit primary orsecondafy failovergroup. For
failover group 2 load balancing,a differentunitpreference
secondary is assigned to each failovergroup.
exit
7. context c'on tex tr name Assigns each contextto a fail
overgroup.
join-falover-group (l 1 2)
8 failover Enables fai
lover,
9 changeto context con trext name Enables monitoring on an i
nterface
monitor-interface nrerface name

2-172 lmplemenlingCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.0 @ 2008ClscoSystems. Inc.


A ctive-Active:Defining the Configuration on the Secondary FW SM Procedure

Step Action Notes


1' Eailover lan interface Designatesthe failoverinterface.The
intevface- llame vlan v.
ian example uses 'VLAN 100.'forlhe failover
interface.This VLAN shouid notbe used for
any otherpurpose except,optionall y the
state Iink,orbe assigned to afly switch ports.
ThisVLAN does need to be assigned to the
FW SV bytheswitch,and lhi s interfacedoes
notneed an ACL as fail overtraffic is allowed
automaticar
ly anclothertraffi
cis deni
ed.
2' failover interface ip Assigns IP addresses to the failoverinterface
fai J.ov'
er in rez'fa ce .
p address on each FW SM .Both the primary and
mask sta- n dby ip'- addre-ss secondary IP address m uslbe in the same
network,as defined by the subnetmask.

@ 2008 Cisco System s.Inc. fm pfementlng FW SM fora Oafa CenterNetwork fnfrastructure 2.17'3
Step Actlon Notes
a failover lan unit aecondary Designates thi
s FW SM as the secondary
FW SM .

Note This com mand is the only


configuration statementthat
differs between the primafy and
thesecondaryFW SM .

4, failover Enabl
es failoveroperations.

2-174 lmpjementing CiscoData CenterNetwork lnfrastructure 1(DCNI-I)v2.D @ 2008 Cisco Syslems. lnc.
'

C o n f1g u r-
111q In terface M o n 1to r1n g
fwsm tconflgl#
monitor-interface fneerface
. Enables interface m onitoring
Ewsm lconfigl#
failover interface-policy numbert%)
. 6$()tstk)()t8)rtlskt()I(1 E
h''''''''''
'''
St''''
an ''''''''''''''
dby !CISCO(;ajal
yst6soo
fe.tlover tneerface-policy 2 E . E Serles Swltch 1 '
mon. qi/e
ieor-interfaae f.n. ! ' fk'
( i
' i * ' ': .;
mrnitor.lntertac* outsde .
5
' le 1
f E
E '
lnternet
!..............
pt............7
'' '
' #fi
... E : wpt
Outsl
deNelwerk !
.
-
w
E
. Inslde Network
E E
5 !ChscoCalaiys,6500
E Acllve Eserlesswltch2

6)2008 Cisco System s.Inc. Im plementing FW SM fora Dala CentefNetwork Infrastructure 2-1T5
V erification and T roubleshooting
fwsm tconfigl#
show failover
* Exam ines fai
loverstatus and configuration
fwsm (conf1g)#
show np (l I 2) fogrp-table (0-2 I all)
* ExaminesMAC and tlagsinnetwork processors(MAC addressestoggle
onfailover)
fwam(conftg).
show np (1 1 2) vlan (2-4996)
. Exam ines failovergroup ID assigned to an interface
fwsm (conf:tg)#
show np (1 I 2) global-table
* Examines MAC addresses ofthe failoverand Iogicalupdate interfaces
(doesnottoggleonfail
over)

To cxam ine the statusofthc failoveroperation and configuration,usc thc com m andslistcd in
tllctable.

Verifying the Status ofthe FailoverOperation and Configuration Com m ands


com mand Descrlptlon
show failover Displays inform ation aboutthe fai
loverstatus E)fthe uni
t.
show np (l t 2) fogrp- Displaysthefogrp-tabl
einformation. *
table (0-2 1 a.
ll)
show np (l
( I 2) vlan DisplaystheVLAN information.
2-4096)
show np (l I 2) Displaystheglobaltableinformati
on.
global-table

2-176 Implementing Gi
sco Data CenterNetwork lnlrastructure 1(DCN1-1)v2.
0 % 2D()B Cisco Systems. lnc.
V er-
1f-
1cat-
1on a.3d TroubIeshoot-
1ng (Cont-)
fwsm lconfigl#
debug fover sw itch
. Exam ines failoverstate m achine debugs
fwsm (config)#
debug fover fail
p Exam ines fai
lure eventdebugs
fwsm (config)#
debug fover (rx I tx)
m Exam ine failoverm essage reception and transmission
fwsm (config)#
debug fover ifc
w Examines network i
nterface status trace

'l't'
,trotlblcshootthc failoveroperatiol'
land (
J()nl-
igtlraliol).tlsc tlle col'
nlnandslistcd inlllc lablc.

Note Use these com mands with caution i


n production networks.

Troubleshootthe FailoverO peration and Configuration C om m ands

com mand Description


debug fover switch Displaysfail
overswi
tching status
debug fover fail Displays fail
overinternalexcepti
on

debug fover (rx j tx) Displaysfail


overmessagereceiveandmessagetransmi
t
debug fover ifc Displays network interface status trace

@ 2008 Cisco Systems,fnc. (mpiementl


ng FW'
SM fora Data CenterNetwork lnfrasfructure 2-177
Verifying the Fa1IoverC onf1guration
FWSM#ahow fatlover
Failover On
Fltlovet unit 'ttlry
Flilovwr LAN Iht*rtae@ failovwr Vl= 2Q
Unit Poll frequancy 1 seconds, holdtlme 15 a*conda
Intertace Poll frequency 15 seconds
Interface Pollcy 50%
Monitored Interfaces Q ot 250 maximum
Conflg arnc: acttve
Last 'atlover at: Q3:21::0 Mer 02 2006
Tb. koltl 'riaary - standby
Active timer 2453 (sec)
Interface inside (10.1.lQ.2): Normal (Not-Monltored)
Interface outslde (10.1.0.1:)l Normal (Not-Monttored)
Otb*r No.t! F@spnd*ry - Aetiv.
Active time: 50 (sec)
TnLerfaee inalde (lQ.1.l0.1)) Normal (Not-Monltored)
Interface outsid. 4l0.0..l1): Normal (Not-Monitored)

The show failovercom mand isused to display the failoverconfiguration ofthe Catalyst6500
SeriesFW SM .
The otltptltshow t:indicatesthescconditions:
K Failovcriscnablcd.
. ThisCatalyst6500 SeriesFW SM istlpedcfaultprim ary FW SM in thc redundantpair.
K Thc failovcrintcrfacc isusing VLAN 20.
w ThisCatalyst6500 SeriesFW SM iscurrcntly in standby modcbecause a failoverhas
occurrcds
'tlle otherCatalyst6500 SericsFW SM isin activcmode.

2-178 lmplementingCiscoDataCenterNetworklnfrastructure 1(DCNI-!)v2.D (


I)2D08CiscoSystems,lnc.
erify1ng the Fa1Iover C o nfig u ratio n
(Cont.)
Stateful Pailover Loglcal Update Statlatics
Link : state Vlan 21
Stateful Obj xmit xerr rcv
General 339 0 33l
sys emd 33l 0 33l
up time 0 0 0
RPC services 0 0 0
xlat. 0 0 0
TCP conn Q 0 0
UDP conn 0 0 0
ARP tb1 8 0 0
RIP Tbl 0 0 Q
LZBRIDGE Tb1 0 0 0
Klate Timeout 0 0 0
TCP NPa 4 0 37
UDP NPs 0 0 0
Logtcal Update Queue Information
Cur Max Total
Recv Q: 0 l 334
Xmft Q: 0 l 341

Thisplinltluldisplaystlle relpaillder('
)flhe tltltptltfrolzzthe sllol''failever colnlnand.

@ 2008 Cisco Systems,Inc. lmpfementi


ng FWSM fora Data CenterNetwork lnfrastructure 2-1F9
S um m ary
Thistopicsumm alizesthe key pointsthatwere discussed in this lesson.

S um m ary
. Cisco Catalyst6500 Series FW SM failoveris provided by an
active-standby pairofm odules.
. Failovermonitoring is used to cause a failoverto the standby
Catalyst6500 Series FW SM in response to network events.
. Configuration statements in the system execution space are used
to define the failoverconfiguration.

2-1B0 lmplementlngClscoDataCenlerNetworklnfrastructure1(DCNI-I)*2.0 (
I)2008CiscoSystems, Inc.
uqsson71

Im plem enting D eep P acket


Inspection

O verview
Thislcsson idcntifiesand describcsllow tlleCisco Catalyst6500 SeriesFirewallServices
M odtllc(FW SM )handlesthepacketswhereinspcctionbcyondprotocolllcadersisrequircd.

Objectives
Upon colnpletilpg thisIesson,yotlwillbeablcto tlndcrstand and implemcntdeep packet
illspectiollon tlleC'atalyst6500 ScriesF'
W SM .Tllisability incltldesbeing ablc to Ineettllese
objcctivcs:
* Describcdeep packetinspectiollon tlle Catalyst6500 ScricsF'
SVSM
* ldcntify thc com mandsuscd to contigtlrc and vcrify decp packetinspection
K DescribethcU RL tiltcring fullctionality
* ldcntify the com m andsto contigtlre and vcrify tlpe URL Gltering ftlllctiollality
D eep Packet Inspection O verview
Thistopiccxplainsthcdeep packetinspcction ftlnction on thcCatalyst6500 SeriesFW SM .

D eep P acket Inspection


. Deep packetinspection exam ines and m odifiesapplication data
payload
. This m ethod fi
xes applications broken by FW SM :
Embedded IP address
Embedded TCP/UDP portnumber
Multiple connections
. This method isalso used to provide application-levelsecurity:
.
MailGuard
-.
URLfiltering

Deep packetinspection isuscd in situationsw llcre thcCatalyst6500 SeriesFW SM needsto


analyzc ormodify thc application data payload contailpcd w ithin an IP packet.
Application data analysisisneeded in situations wherc a protocoluscsm ultiple connectionsfor
ollc interaction.Thcse applicationsoften usc a controlconnection to a wcll-known portthatcan
bespccified inthcaccesscontrollists(ACLs)govclmingtrafficaccessthroughtheCatalyst
6500 ScriesFW SM .Secondary data connectionsare opened to otherportsthatarenotwell-
known.Deep packctinspcction isused to dctectthe protocolcom mandsthatspecify the port +
llumbersofthcsc sccondary connections,so tllatllow entriescan bc dynam ically added to thc
stateftllpackctinspection tables.FTP isan exalnplcofthiskind ofapplication.
Application data payload modificationsarc necessary forapplicationsthatcm bed IP addresscs
ofcithcrcndpointw ithin theprotocolpackctsthattraversc an Catalyst6500 SericsFW SM that
ispcrforming Network AddressTrallslation (N AT)orPortAddressTranslation (PAT). Data
payload m oditications arc also tlsed to provide security forsolne applications. Forcxam ple
M ai1Guard controlsaccessto Sim ple M ailTranstkrProtocol(SM TP)senrersand lim itsthe
com lnandsthatcan be sentto thosc dcfincd in RFC 282l(llttp://'tools.ictf.org/htlnl/
'rfcz8zI).
URL tiltcriltg isalso possibie with datapayload lnodification.
Applicatiol:inspection engincswork with N AT to hclp idcntify thc location ofembedded
addrcssing infonnatioly.ThisallowsNAT to translatethcsc cm bcddcd addresses. and to update
any cllecksum orothcrficldsthatareaffccted by thc translation.
Eacllapplication inspection engine also m ollitorsscssionsto dcterm inc the portnumbersfor
sccontlary channcls.M any protocolsopcn secondar.yTCPorUserDatagram Protocol(UDP)
portslo im prove performance.The initialsession on awcll-known portisuscd to negotiatc
dynalnically assigned portnumbcrs.Theapplication inspection engine monitorsthesescssions,
identilicsthc dynam ic portassignmcnts.and pennitsdata cxchangeon thcse portsforthe
dtlration ofthespecific session.

2-182 lmplementingCiscoDataCenterNetworkInfrastructureh(DCNI-I)v2.
9 @ 2(08CiscoSystemsflnc.
The ligtlre showsthe Catalyst6500 Series FSVSNIinspection cllgine capabilities.
Additionalcapabilitiestllatarc Ilotlncntioned iI1the figtlrc also illcltltlc thesc:
. Specificapplications:
M icrosoh svindoqvsM essenger
M icrosoftNetM ceting
Rea!Player
Cisco IP plloncs
Cisco ColnlntlllieatorSoftplloncs
K Scctlrity services,NvhicllincludePoint-to-pointTunlpcling Protocol(PPTP)
lnspcction cngincsrclated to tlle data centercnvironlncntsarc listed in tlle table.

Inspection Engines Related to the Data CenterEnvironm ents


lnspection Engine Description
Advanced HTTP Inspection Helps protectfrom web-based attacks and othertypes ofport80
Engi
ne m isuse.
Enhanced FTP Inspection Engine Provides command fil
tering formore than ten di
fferentFTP
com mands.
Extended SMTP Inspection Provi
dessupportforExtended SMTP (ESMTP)protocoland
Engine supports fil
tering potentially harmfulcomm ands.
Enhanced lnternetControl Provi
des state tracking ofICMP packets to enable secure usage
Message Protocol(ICMP) ofping,traceroule,etc.
lnspection Engi
ne

@ 2008 Cisco Systems.lnc. lmplementi


ng FWSM fora Data CenterNetwork I
nfrastructure 2-183
Inspectlon Englne Descrlptlon
Sun Remote Procedure Call Based on implem entation from FW SM 2.1 soft
w are release
(SUnRPC)Inspection Engine some RPC applicationsIikeNetworkInformation Sefvice (NlS+)
use SUnRPC overTCP- anew consgurable optionwillbe
introduced fortheSUnRPC TCP inspection engine. The default
portis111.The defi nitionofthe new inspection engine inthe
inspection enginestableal lowsthe TCP packetsm atching 111as
source as wellasdestination pods to be processed by the
SUMRPC fixup.
NIS+ Inspection Engine Basedonim plementationfrom FW SM 2.1 software release,thi
s
inspectionenginewillinspectpodmapperrequestsand cachethe
NIS+service portnum ber.

2-184 ImplementingCisco DataCenterNetworkInfrastructure1(DCNI-I)v2.0 @ 2008Ci


scoSystems,Inc.
onfiguring Deep Packetlnspection
w The inspectcom mand replaces earlierfixup comm and
* Use modularpolicy fram ework com mands to configure deep packet
inspection
class-map inspection detault
match default-inspection-traEfic
policy-map global polscy
claaa Snspection-default
inspect dnsmaximum-length 5l2
inspect ftp
inspect h323 h225
inspect h323 ras
tnspect rsh
lnspect smtp
inapect nqlnet
lnspect sklnny
inspect sunrpc
tnspect xdmcp
inspect sip
lnspec: netbioa
tnspect tftp
service-policy global policy global

Enabling and applying deep packetinspectiollalwaysconsistsof:


w A classmap tllatidentiticsthc traffic thattlle Catalyst6500 ScriesFW SM stlbm itsto thc
inspcction engine w ith thc class-m ap comlnalld to Inatch thetlesired traffic.Use thc m atch
colllm a,ld to selectthe desircd lraftic.
* A po1icymap thatlillkstllcclassmap(andthusthcrclcvanttraffic)tolheinspcction
enginc.Dcfinc apolicy map w ith the policy-m ap comm alld:
Use thecolptigured classby specifying itwith thcclasscomm and.
U llderthe class,dctine which inspection engineis to bc tlsed witl)thc inspect
comlnand.You can optiol:ally append apreviously del ined m ap.
w A servicc policy thatappliestlle policy m ap to one interfaccorto alIinterfaces.Apply tllc
policy witl)tlleservice-policy comm and.
* Optionallydcfillemapsforvariousprotocols(1ITTP,FTP,ctc.)tospccifyprotocol-or
application-rclatcd parametersto jinc-tune an inspection engille.

Note Application inspection isenabled by defaultformany,butnotapI protocols.To determine the


inspection engines enabled by default exam ine the defaultpolicy configuration.

@ 2008Cisco Systems,lnc. Im plementing FW SM fora Data CenterNetwork Infrastructure 2-185


C onfiguring Inspects for D eep Packet
Inspection
lnspectionsare performed by configurable inspection engines
. Seven inspection enginesare notconfigurable:
-
C USEEMe
NetBIO S Nameserver
-
Oraserv
.. RealAudio
-
Sun RPC overUDP
- TFTP

-
XD MC P
. Only the firstIP fragm entis inspected
. TCP packet s cannotspan segments
. NAT/PAT variations are Iim ited with som e engines
. Perform s 4000 DNS inspections persecond

Inspcctsarcpcrformcd by inspcction cngincs.Scvcn ofthcse inspection engincsare not


collfigurable.butarc cnablcd by dcfault.
27 inspcction cllginesarcindividtlally contigurablc.Contigurable cnginescan be enabled or >
disabled.Tlle portsInonitored by the inspection engineare also contigured.
Illspcction cngincshave scverallim itationsincluding:
w ThcGrstIP fragmenlisthc only fragm cntofapackctthatcan bc inspected.
* TCP packetsto be inspected m tlstbecontained in a sillgleTCP segm ent.
* Some inspection ellginesllavc Iimitson thc NAT and PAT functiensthatthey support.
* Thc Dolnain Namc System (DNS)inspcction cnginc islimited to 4000 Gxupspersccond.

2-186 lmplementingCkscoDataCenterNetworklnfrastructure 1(DCNI-!)v2.O @ 20()8CiscoSystems.lnc.


FTP Inspection

Internet *
#
./.
,
u
z.'
y. ...'.
J.Z
8r '.
''..z4
.
-. -<&''

ftp -map ft;p -in


request-command deny appe cdup
!
policy-map global policy
class inspection default
inspect ftp strict ftp-in

Tlle cxamplc showsstrictFTP illspectwith FTP map contigured.


svhen FTP isttlnlleled ovcrHTTP itprevcntsweb browsersfrolu sclldillg elnbedded
colnlnands.ltw'illalso contain tlle basic FTP inspcctiolp.
lfFTP requcstcontainsconlloand thatisnotRFC colnpliant.thc conncction willbccloscd and
syslog willbc generated.
lf'FTP requestincludesFTP com luandsdisallowed by al1FTP m ap,thcconlycction willbc
closed and syslog willbe generated.

Note Since the i


nspectwas configured underthe globalpolicy,itdoes nothave to be speci ficall
y
appended to the interface.Using a defautti
nspection classdoes note require to configure
specialinspection class.

(
0 2008 Cisco Systems.Inc, Implementing FWSM fora Data CenlerNetworklnfrastructure 2-187
+

Ins ectio n

Jdi
j, K
.. s ' < +

http-map inbound-htkp
conbent-leng*h mn l0p max 2QQ ackion rese: log
content-typ@-verificltion Match-req-rsp action reset 1og
max-header-length reqveat lQ0 lction reeet 10:
mwx-uri-length l lction reawt Iog
port-mtaus* p2p Kction drop
port-misuse im action drop
port-misuee default lctton allow
1
clRes-map http-port
mltgh por: tcp eq vvw
I
poligy-map outaide- policy
elass http-port
tnapeet http inbound-http
I
eervtee-poliey outpidl-policy interflce outside

The exam ple shows HT'


I'P inspectwit?lHTTP m ap configtlred.
These stepshaveto becomplcted:
step 1 Create an HTTP map to detinepararnetersforHTTP inspect.
step2 Create aclass-m ap forHTTP inspection.
+
step3 Create apolicy map forHTTP inspection.
step4 Create service policy to detine scope ofinspection.

2-1B8 lmplementingCiscoDataCenterNetworkl
nfrastruclure1(DCNI-!)v2.
Q @ 2908CiscoBystems.lnc.
show C ollm ands
. Veri fy deep packetinspecli
on contigurati
on with these comm ands:
show running-config http-m ap
. show r unning-conflg ftp-map
- sbow r unning-config class-m ap
.... show running-config policy-m ap
... show r unning-config service-policy
. Verify deep packetinspecti on operation with the show service-policy
com mand
fwsm/admin#show service-poltcy
Global policyl
Service-policy: global- policy
Claas.map: inspection default
Inspect: dns maximum
-- length 512 packet 0, drop 0, reset.drop 0
Inspect: ftp, packet 0, drop 0. reset-drop 0
Inspectl h323 h225. phcket 0: drop ;. reset-drop 0
IsupecL: h32) ras packek 0. drop ;. reset-drop 0
Ipspect:netbios, packet e, drop Q. reset-drep 0
Inspec': rsh. palket 0, drop 0. reset-drop 0
. . .output omieted ...

To exalnine the deep packetinspection colltiguration,use tllese comlnands:


K show running-config http-nlap
* show running-contig ftp-m ap
w s'how running-config class-m ap
* show running-config policy-m ap
* show running-config service-policy
To verify deep packetinspection operatiol).tlse the show service-policy comm and.
fwsm/admin#show service-policy

Global policy :
Service-policy : global policy
Class-map : inspection default
Inspect : dns maximum-length 512 , packet 0, drop 0, reset-drop O
Inspect : ftp, packet 0, drop 0, reset-drop 0
Inspect : h323 h225/ packet 0, drop 0, reset-drop O
Inspect : h323 ras , packet 0, drop 0, reset-drop 0
Inspect : netbios, packet 0, drop 0, reset-drop 0
Inspect : rsh , packet 0, drop 0, reset-drop O
Inspect: skinny packet 0, drop 0, reset-drop O
Inspect: sqlnet, packet 0, drop reset-drop 0
Inspect: sunrpc, packet 0, drop reset-drop O
Inspect : tftp , packet 0, drop 0, reset-drop 0
Inspect : sip , packet 0r drop 0 , reset-drop 0
Inspect : xdmcp , packet 0, drop 0, reset-drop 0

@ 2008 Cisco Systems.Inc. (mplementi


ng FW SM fora Data CenterNetwork lnfrastructure 2-169
U R L Filtering O verview
Thistopicexplainsthe U RL Gltering funetionalit'
y on Catalyst65(* SeriesFW SM .

U R L F-
1Itering
' '
....
S*4 ss
rj
l
e
t(
we
9ri
rl
rp

> *
lnternet * x.-, ,

t)
'
;
.
h
i;

l ..
.6*
4j19.1'.

4.
X +

rti
lRequestsenttoGl
teringserveranddestinati
on
1f
;
'Allowedrequestisreturnedtouser
$'

i
%
i'
DeniedrequestisdroppedbyCatalyst6500Seri
esFWSM

Filtering can bc applied to connection requestsoriginating froln am orc secure network to a less
secure network.
Although ACLScan be used to preventoutbound accessto specific websitesorFTP servers,
contiguring and managing wcb usage in thismannerisnotpracticalbecauseofthe size and
dynamicnatureofthelnternct.TheCatalyst6500SeriesFW SM canbeused inconjtmction
with a separate servernm ning one oftheInternetfiltering products:
v
w W ebsenseEntemrise:SupportsHTTP,HTTP overSecureSocketsLayer(HTTPS),and
FTP filtcring
w SecureComputingSmartFilter(fonnerlyN2H2):SupportsHTTP andlong URL filtering
Althotlgh Catalyst6500 SeriesFW SM performanceislessafrected when using an external
server,uscrsmay notice longeraccesstim esto wcbsitesorFTP serversw hen thc tiltering
serverisrelnote from the FW SM .

U RL Filtering O peration
W hcn a userissucsan HTTP,HTTPS,orFTP GET request, the Catalyst6500 SericsFW SM
sendsthe requcstto the web orFTP sen'er and to the filtering sen'cratthe sam etime. Ifthe
filtering servcrperm itsthe connection tbrtheuser,these actionsoccurforeach requesttype:
* ForHTTP,thcCatalyst6500 SeriesFW SM allow sthe reply from thew eb serverto reach
thc userwho issued thc originalrequest.
> ForHTTPS,the Catalyst6500 SeriesFW SM allowsthecomplction ofSecure SocketLayer
(SSL)connection negotiation,andallowsthereply from thewebservcrtoreachtheuser
who issued the originalrequest.
+

2-190 lmpl
ementingCiscoDataCenterNetworklnfrastructure1(DCNI-!)v2.
0 @ 2008CiscoSystems. Inc.
'

K ForFTP.thc Catalyst6500 SeriesFW SM allowsthe stlcccssftllFTP rcturn codcto reach


tlleuserunchallged.Forcxam plc,a succcsst-
ulrcttlrn codc is250.
.(--CPD c()??lll?(7??J
.sllcL
'e.
v.
jhll.
It
-tllc tiltcring serverdeniesthc conllection.thescactiollsoccurforcach requesttype:
. ForHTTP,the Catalyst6500 Series FW SM rcdircctstllc uscrttAa block page,indicating
tllatacccsswasdcnied.
K ForCITTPS,theCatalyst6500 SeriesFW SM preventsthecolnpletion ofSSL connectioll
negotiatioll.The brow scrdisplaysan en'
orInessagc,stlcl)as:%t-l
-lle Page orthe contentcan
notbe displayctl.''
w ForFTP.tlleCatalyst6500 ScricsFW SM alterstlle FTP return code to show tllatthe
connection wasdcnicd.Forcxalnplc,thc Catalyst6500 SeriesFW SM changcscodc 250 to
codc550.f)?'
!'(
.
'f.'
/t
'
??'3'not/4?//?t:
/.
* ForScctlre Conlptltillg SlnartFilter(forlnerly N2I-12,)if-yotlcnablcd uscratlthcnticaliollon
thcCatalyst6500 ScriesFW-SM forIITTP,HTTPS.orFTP,tlle FW SM also sendsthe
tlsel'llaTlle to the filtcring scrvcr.Thctiltering scrvcrcalltllclltlsc user-specific tiltcring
settings.orprovidcenhanccd rcportillg pcr-user.W ebscllse supportsfiltering by IP addrcss
ollly.

Note Fil
tering appl
ies onl
y to outbound connecti
ons.

Ifuseratlthenticatiol)iscnablcd on thc Catalyst6500 SericsFW SM ,tlle FW SM also sendsthe


uscnlalne to tlle filtering servcr.The liltering servercan usctlscnlam etiltering settingsor
providc cnhanccd rcporting rcgarding usagc.

@ 2008 Ci
sco Systems,fnc, lmplementing FWSM f
ora Data CenterNetworklnfrastructure 2-191
C onf1gur1ng U R L F1Itering

Filering
7 w..
*
-''
.
:. Server
x.
k1 1O.0.10.45

Intem et
Y x.7
*

url-server (perimeter) vendor websense hoat 10.0.10.45


filter url http 10.0.0.0 255.0.Q.0 0 0 allow
l
+
url-server (perimeter) vendor n2h2 hoat 10.0.10.45
filter url http l0.0.Q.9 255,0.0.0 0 0 allow

U RL Gltcring iscontigured Grstby identifying tht tilteringscrvers. *

Configuring W ebsense Server


+
To idclltify a W cbscnsc Enterprisc sclwer.cntcrthe url-server venderw ebsense colnmand.
url-server(if a:7,r?t?)vendorwebsensehostip addressgtimeout.
%ecllntl%jgprotocoltcp
(version llt4tltudp)
url-servervendorw ebsense Param eters

Param eter Descrlptlon


+
f name Theinterface through whi
chthe FW SM com muni
cateswiththe
server.
host ip address The W ebsense serverIP address.
timeout seconds The numberofseconds between 10 and 120 before the FW SM
stopstrying toconnecttotheserverand attemptsto connectto
thenextserverinthe Iist(lfavail
able).The defaultvalueis30
seconds.
protocol tcp (version Specifi
esthatcomm unicationbetweenthe FW SM andthe
(l 1 4); WebsenseserverusesT'CP.whichisthedefaul
tprotocol.
Version 4 is recomm ended although version 1 is the default.
Version 4 allows the FW SM to send authenticated usernames to
the W ebsense serverand to suppod URL caching. +

protocol udp Specises UDP which has greaterthroughput,butwhich does not


suppod I
ong URLS.

Y r

2-192 lmplementngCiscoDataCenterNet
worklnfrastructure1(DCNI-!)v2.O @ 2008Ci
scoSystems,Inc.
C onfiguring Secure Com puting Sm ad Filter
To idclltify :11)N2H2 Scntiill)serveraelttct'thc url-servervendor n2h2 colllnland.

url-seN ervendor1-12112 Param eters

Param eter Description


if naze The interface through whi
ch the FW SM com municateswith the
server.
host ip address The W ebsense serverIP address.
port number Specifi
es the portused to comm unicate with the N2F12 server.
The defaultis 4005 forTCP orUDP.
timeout seconds The numberofseconds belween 10 and 120 before the FW SM
stops trying to connectto the server and attemptsto connectto
the nextserverinthe I
ist(ifavail
able).The defaultvalue i
s30
seconds.
protocol tcp Specifi
es thatcom munication between the FW SM and the
W ebsense serveruses TCP whi ch is the defaul
tprotocoj.
protocol udp Speciges UDP which has greaterthroughput.butwhich does not
suppo!'
tIong URLS.

Enabl1ng 'Iffering
By def -
atllt u'llen a uscrisstlesa reqtlestto colpncctto a wcbsitc orFTP servcrvthe Catalyst
6500 Serics FSVSM sendstllc reqtlestto tllttvveb orFTP scrvcr.alltlto tllc fiItcring serverattllc
salnc1illlc.If'llpe tiltering selwcrdoes llotl' espolld beforc tlpc web orFTP scl w cr.thc rcply lirln
tlle web orFTP scrverisdnpplq led.To avoid dropping tral' t
ic.yotlcan colll igtlrc tlleCatalys!
6500 Serics I''h/SN1to btll 'lrrcplies froln wcb alltlFTP sers'crs.svllen tllfztiltering scn'cr
cN'cllttlally rcspollds,tlle C'alalyst6.500 ScricsF' SVSM can allt)w'tlle collllcctikpn.

url-block block Param eters


Param eter Description
il-
locg
k-bl'ffer-.
1.flzltr Sets the amountofmemory assigned to lhe bufterfrom 0 to 128
bl
ocks.Each block is 1550 bytes.

Enabling C aching

@ 2008 Cisco System s,fnc. lm pfementingFVV'SM foraOata CenterNetwork lnfrastructure 2-193


Note Requestsforcached IP addressesare notpassedtothefilteringserverandare notIogged.
As a resul
t,this activity does notappearin any repods.

To cnablecaching.cntcrthe url-cache com mand.


url-cache 4dstIsrc dsttL'bb'
le.
%
url-cache Param eters

Param eter Descrlptlon


dst Configures the FW SM to cache the destinati
on serveraddress for
any userthataccesses the sen/er
src- dst Configures the FW SM to cache the source and destinati
on server
address,so accessisonl y cached fora given useratthe source
address.
kby-tres Specifiesthe cache size between 1 and 128 KB,

Identi ing Traffic


*
To identify HTTP traftic to be tiltercd by a fiitcring scrvcr.enterthc filterurlcommand.
filterur1Ehttp I#(pl./g-r(?r/1(
l.
voltt' e ip 't?lfrcc r?.
(L' - - ltlk
$
;/(tlest ip dest 1??t7.$.
/(Eallow)(proxy-block)
Ilongurl-truncate1longurl-deny)(egl-truncatel
filterurIParam eters
Param eter Descrlptlon
http I por:E-port:q Speci
fiestheporttowhichtheHTTprequestissent.wi
ththe
http keyword specifying port80.
source- ip source- mask Speci fythesource addressandm askforrequeststhatareto be
fil
tered.Speci
fy00 foral1addresses.
dest- ip dest- mask Specifythedestination serveraddressand mask.Specl
fy0 0for
ajjaddresses.
*
allow Configures the FW SV to allow connecti ons to pass wi
thout
sl
tering ifthe fil
tering serverisunavailable.Connectionsare
droppedwithoutthisoption.
proxy -block Preventsusersfrom connectingto anHTTP proxy server.
longurl-truncate 1 SpecifylheprocessingforURLSthatareIongerthanthe
longurl-deny maximum length of1159 bytes.By defaus t,the FW SM drops the
packetifthe requeslis a I
ong URL.Ifyou specifythe Iongurl-
truncate option.the FW SM sends the hostname orIP address
porti
on ofthe URL forevaluation to the filtering server.The
Iongurl-deny option denies the URL and forwards tbe userto
the block page.
cgi-truncate Confi
gures the FW SM to truncate Comm on Gateway Interface
(CG1)URLSto i
ncludeonl
ytheCGIscriptIocati
onandthescript
name,butnotthe parameters.

Note The maxim um Iength of1159 bytescanbe increasedforW ebsenseservers,

To cxcmpttratlic from being filtered,cnterthefilter urIexceptcolnm and.

2-194 tmplementing Gisco Data CenterNetwork lnfrastructure 1(DCNI


-!)v2.
0 ()2001$Cisco Bystems,lnc.
url-server (perimeter) vendor websense host 10.0 .10 .45
filter ur1 http 10.0 .0.0 255.0 .0 .0 0 0 allow
?
url-server (perimeter) vendor n2142 host 10 .0 .10 .45
http 10.0.0.0 255.0.0 .0 O 0 allow

@ 2008 Cisco System s.Inc. Im plementing FW SM fora Data CenterNetwork Infrastructure 2-195
S um m ary
Thistopic summ arizesthc key pointsthatw ere discussed in thislcsson.

S um m ary
. Deep packetinspection exam ines and modi fies application data
payload.
* Deep packetinspection fixes applicati onsbroken bythe Cisco
Catalyst6500 Series FW SM .
* URLfi ltering is used in combination with an externalserver.
. Trafficfrom blacklisted URLS isdenied bythe Catalyst6500
Series FW SM .

2-196 ImplementingCisco DataCenterNetworkInfrastructure1(DCNI-I)v2.0 @ 2008CiscoSystemsllnc.


M odule S um m ary
Tl)is topic stllnmarizesthc kcy ptaints thatvcre discussed in 1.12islnodule.

M odule Stlm m ary


' The Cisco Catalyst6500 Series FW SM analyzes and m odifies
fields in the lP,UDP,and TCP headers,using statefulpacket
filtering to controltragic between two ormore networks.
. VLANS are used to connectthe Catalyst6500 Series FW SM to
the network in eitherrouted ortransparentmode.
m The Catalyst6500 Series FW SM usesTCP connection
m anagem ent,NAT policies and deep packetinspection to detect
and mitigate attacks.
K The Catalyst6500 Series FW SM supportsm ultiple security
contextsto im plementvirtualfirewallsand provide centralized
services underdi stributed control.
* The Catalyst6500 Series FW SM supportsb0th active-standby
and Matefulactive-active failover,in eitherintra-chassis or
interchassis configurations.

@ 2008Ci
scoSystems.lnc. lmplementing FW SM fora DataCenterNetworklnfrastructure 2-197
M odule Self-c heck
Usc tllcqucstionshcre to review w hatyou learned in thism odule.The correctanswersand
solutionsare found in the M odule Self-chcck AnswerKey.

Q 1) lIow lnanyCatalyst6500SeriesFW SM modulesaresupportcd inaCiscoCatalyst


6509 sw itch chassis? (Source:Ilnplcm cnting Traftic Flows)
AJ 2
B) 4
C*) 7
DJ 8
W llich statem cntistrue regarding Catalyst6500 SeriesFW SM transparentl'
node?
(Sourcc:lmplelncnting TrafficFlows)
A) Each interface hasaunique IP address.
%
B) Only oneV LAN isrcqtlircd pcrcontext.
C) Transparentm ode t'irewallspassonly routed traftic.
D) Transparentmode tirewallspassm ulticasttraftic
In whatordcrdoestheCatalyst6500 ScriesFW SM match rcaladdrcssesto NAT
colnmands?(Source:lm plem enling Traffic Flows)
A) StaticNAT andPAT,policy dynamicNAT.regtllardyllalnicNAT,NAT
exem ption
B) NAT cxemption.static NAT and PAT.policy dynam icN AT,regulardynalnic
N AT
Policy dynam ic NAT,regtllardynamic NAT.staticNAT and PAT.N AT
exclnption
DJ NAT exemption,policy dynam icNAT,regulardynam icN AT.static NAT and
PAT
Q4) W hatfcaturcpreventsmaliciotlstlscrsfrom impcrsonatinghostsorrotlters?(Source:
IlnplcmentingACLs)
A) A RP inspection
B) Etllertype ACLS
C) Extcnded ACLS
D) N AT exem ption
()5) W hathastobeconfiguredpriortoenabling theSSH rcmotcacccssto theCatalyst6500
Serics FW SM ? (Source:Im plclncllling M anagem entAccess)
A) AAA scrver
B) RSA kcy
C) Routeroperationalnledc
D) Adlnin contcxt
W hich routing protocolsdoestllcCatalyst6500 SeriesFW SM activcly participatc in?
(Sourcc:Im plementing Routing)
A) BG P and R1P
B) If;RP and BG P
C) OSPF and RlP
D) OSPF and EIGRP

2-198 SmplementipgCirmoDataCenterNetworkInfrastructu'e1(DCNI-I)42.0 Q 2908 Cisco Systems. 1nc


Aj Dccp packetinspcctioll
B) Dynalnic PAT
C) SYN cookics
D) U R.
L l'
ilteri1)g

A) Destination '
VLAN alld dcstillatiol'
iI1*
'atltlress
.
IE
.
I) Destination VLAN and stltlrce IP adtlrcss
C) Source V LAN antldeslillatiolllP atltlrcss
D) SotlrceVLAN and sotlrcc lP atltlrcss

(
i
D 2008Cfsco Systems,fnc. lmplemerlting FW SM fora DataCenterNetkvorklnfraslructtzra 2-199
M odule Self-c heck A nsw erKey
B

()
'
D

2-200 lmplementing Cisco Data CenterNetwork lnfrastructure 1(DCNI-!)72.


0 @ 2008Cisco Systems, lnc.
Mpdule31

Im plem enting N etw ork


A nalysis w ith C isco N A M

O verview

Module Objectives
*

3-2 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)12.0 @ 2008Cisco Systems. Inc.
Lesson1I

Iptoducing C isco N A M

O verview

Objectives
N etw ork Traffic M onitoring O verview
+
This zopicdescribesllctwork traffic m ollitoring,thcm otive,and thcbenefits.
'

lm portance of M onitoring Traffic


+

Challenges: Benefi
ts:
. Insuretraffic flow andopti
m um Ease deploymentofnew
performancefrom one poi ntto technol ogies
another Im Prove utilizati
onofnetwork
w Receive information before an resources
outage orservicedegradation . Efschentplanning fornetworkgrowth
. Understand the cause forslow * Reduce networkdowntimeand
networkltraffic,orapplication failures
* Gainfactstojustifyexpendituresand +
ROI
* Proacti
ve moni
toring
r-uu-fu :';xl p-tw-.x..
.-. -.!
--
....-. -cr---'
::7
-E
q'y:
.2 ra.2
. -.1 f- .,*@
*t*
;*
=- .:

'
:-
-H 5.
-
;.i:
. ,.
. .
. 'iI . . ! :
1 z.
1, k *
Z
? 1
*
.F-
r.uli .
-
.y.
..
,
:.
v
P.
'
.
-
j,
..
-
.u...,
.i...
; ,k .
21.
k - tJ.
- 5 ;!q 4.
+ ! E
' -
,.:.
, ., S.
t#.t
r.

C hallenges
Network adm inistratorsand corporate cxccutivesundcrstand thatmanaging thc network is
im portantand vitalto businessopcrations. Itissilnply notenotlgh to know ifa deviccisdown
orthe tletwork isslow.You necd to be proactive by m onitoring thc dcvicesand thenetwork
and watehing fortrendsordeviationsfrom an established bascline.
W hcn there isanetwork problem,you m ustlyavctherightinformation to make dccisionsto
rcsolve thcprobleln quickly. You can obtain thisinformation only by m onitoring thc
application trafficand knowing who i5generating thctraffic and wherc thc traftic isgoing. lf
morebandwidthiswal-rantcd,recommcndationsneedto bejustiticd. Network monitoring can
providcthecostjustitication.Visibility intotheperfonnanccofnctworks, and thc system sand
applications thatrullon thcm , isessential. By gaining visibility into thc nctwork.youcan
proactively rcsolve problem s.plan forchangcsin resotlrce usage, and fnanagc valtlable network
resourccs.

Benefits
Cisco lnakcsmanaging thc network easy by providing visibiIity into the nctwork and btlilding
intclligcnce illto the dcvices.
Can nctworksrun withoutpcrformancc m anagemcnt?Can network cnginccrsredcsign
networkswithoutunderstanding how theexisting nctwork isbeing uscd? Can new applications
be dcployed overcxisting networkswithoutunderstanding the im gactoftheapplication traftic
on thc performance ofthe application orthcperform ance ofothercxisting applications? By
levcraging pcrfonnance data, you can perfonn tasks lnore cfficiently and effcctivcly.

3-4 Implementlng CiscoData CenterNetworkInfrastrudure 1(DCN1-1):2.0 @ 2008 Cisco Systems.Inc.


+
M onitoring networksllclps you t
o Inaximizc investrncntsin the following w ays:
K lmprovc utiIization ofllctwork rcsources
w Facilitatc deploymclltofncw tcchllologics,sucl!asvoiee
M ultiprotocolLabelSwitching(M PLS) , qual
ity ofscrvice(Qt)S). and
. Enablceffieientplanning forfuture
nctworkgrowth
* Reduce network downtilne and failures

@ 2008 Ci
sco Systems, Inc. I
m pl
ementi
ng NetworkAnal
ysiswith Gi
sco NAM 3-5
'

Netw ork Perform ance M anagem ent


Campus tt*. QJ 4
BCanp
eh 47
: W#N
T:
O., ,
'
Js.
** E*ev &
z
.
-f -z.
- --..A.
-k,. -
vu *;.
.
W AN . .. . .

Rr ' .. '
.

Variousdata collection sources


Device interfaces '
;
.
'j .
..
spannedtraffi cfrom portsand '
VLANS Datac.nter ..
NetFlow data exports d.a.. k
* Collectionpurm se:
Appl ication response tlmes . . .. . . .
(serverfarm) '' x
'' ' ''
Bandwidth usage .
Troubleshooting q w r r
.
x..,j ,y.j 4

Data can be gathcrcd and analyzcd from variotlsdata sourccs;


* Routerand switch interfaces
* Trarfic spanned orforwarded from portsand V LANS
* NetFlow Data Exports(NDES)
K Packctheadcrs(Diffserv andTypcofServiceETOSIbits)
* Nctwork-Bascd Application Rccognition (NBAR)
+
Port-levelorinterfacestatisticsm ay bethe tirstalarln when issuesarise. Thcsestatisticsare
available mostofthetilnc by sim ply querying thc rotltcrorsw itch. ltmay only bcneccssary to
monitorthcsc statisticsatcriticalpoints in the network and notatallacccsspoints. v

Collectingstatisticsatuppcr-laycrprotocols(lletworkthroughapplication)wouldrequircthe
useofNetFlow oraRemotcMonitoring vcrsion2(RM ONZ)probeoranalyzer, such asCisco
NAM .NctFlow and Cisco NAM can providevisibility inte what(applications, hosts.
conversations)isusing valuablcW A N orLAN rcsourcesatthc core ordistribution layers and
attheW AN edge oraccesslayer. >
To gathcrintbnnation aboutthc traffic travcrsing the :etwork. the packetslleed to be analyzed.
Packetson an interfaceorNetFlow statisticscan be copied, spanncd,orforwarded from other
dcvicesorinterfaccs.The information in tlpepackctheaderscan providca wcalth of
illformation on how the network isbcing uscd. (How thigoccursisdiscussed lateri n this
lesson.)
Butthc traftic cannotbcanalyzed ifitisnotscen. Tllerctbrc wherc you gatherthc dataand
w hy you are gatherillg thc data should be abig partofCisco NAM deploym cntplanning.
Thclecation ofw'hcre you gatherthc data dependson yotlrcollcction purpose:
* Application responsc timcs(server farm )
. Bandwidtl)usage
* Troublesllooting

3-6 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)72.0 @ 2008Gisco Systems, lnc.
W hat D ata to C ollect
' Port-levelstati
stics- utilization, collisions,and fragm ents:
Basic physicalstatistics are good forusagetrending and
baselining
Usefulanm here in the network
.

NotnecessaryforaIluserports
e Detailed physical-,network-,and application-layerdata:
CollectLayer2-7 statistics forunderstanding traffic breakdown
Valuable forW AN aggregation links
ValuableforLAN aggregationlinks(building-to-buil
ding,
distribution-to-core,serverfarm-to-core)
. W hatcollection intervals?
Shorterintervals forreal-time monitoring and troubleshooting
(5-30 seconds)
.
Longerintervalsforhistoricaltrendgng(5-15 minutes)

@ 2008Cfsco Systenls.lnc. lrnplementi


ng NetworkArtalysiswithtlisco NAM 3-7
'

N etw ork Perform ance M etrics


N;''t'v4zchrk P eI1ornlarl('e : ;; 4. *
q'
$.lf>lrIf:
Response Tlme * Time elapsed between theend ofa queryonone endof
a conversati on pai
rand thebeginning ofa resm nse
from the otherendofa pair
m Latency'afunctlon ofresponseti m elisany
characteristicofa networkorsystem thatlncreases the
response tlme
Reliabili
ty * A measurementofthe consistencyofperformance of
any nete rk.system,orapplicati
on.according to i
ts
specifications
Deviceorlnterface * The amountofdata moved successfull yfrom one place
Uti
lizations to anotherin agiven timewith a speci
sed amountof
bandwldth
NetworkUtiti
zat
l-
on *HowthenetworkIsbelngused,includingprotocolsand
Pattem s users,and how thepatterns are& anging

M easuring the health ofanetwork istypically done with businesspcrfbrmance m etrics, such as
thc following:
* Response tim e:Thcelapsed tim cbctween the cnd ofa query on oneend ofaconvcrsation
pairand thcbeginning ofa response from the otllcrend ofa pair. Latency isany
charactcristic ofa nctwork orsysteln thatincreasesthc rcsponsc time.
*
* Reliability:A m casurem entoftheconsistcncy ofany network, system ,orapplication in
performing accordingto itsspecitications.
* Utilization:The pcrcentage oftotalbandwidth tlscd fortransporting data. Utilization is
ohcn monitorcd on an ongoing basisto evaluateusageofthe network ovcrtim cfor
capacity-planlling purposes.
Tllcse mctricscal)be uscd to evaluatchow wcllnetwork, systcm .and application resotlrccsare
pcrform ing and how these resourccsaffcctthedelivcry ofnctwork senziccs, both forprescnt
analysisantlftlture planning.

3-8 lmplementing Cisco Data CenterNetworkInfrastruclure 1 (DCNI-I)v2.0 @ 2008 Cisco Syslems. Inc.
D eployincl M on itoring per P urposo
Branch Campus u
' A : .
= .
.. j
eu swAz.
x
.
.
,
z Reaul
-
jT
yji
me
zatjT
j or
nafrc
,
4
.
'-.
,' t
ua/
'a.
'''''
v c. .. . - . >
.. .
y .r .'#
. (C
Uon
ti
ll
zalp
verontions
sa Erccr
sol
PrTalker
ccol s
s)
. J .L
< .yy .
4
( 7* Htstorical
Reportsng
'8 '
;
i (StaljstlcsoverTl
me)
W AN Edge , 4
Datacenter FaugtIsolation and
* '4 Troubleshooting
(Thresholds Alarms
PacketDecode)
7
11
: 1i d
'd1' '
>. 'i
'
eerformance
.-; . ,.y . M onjtorlng
# y# a,
.# :
4 (x
'.o
#K-qv# ,
?.
,
$
#,q . .....
jaesyj
ouseyimes.
#j r),j ot

t-
,
t-
k.tt4 Hea
s1
wth
'tcVoI
. h/qP,
ollQoS)
ler

NA M D eploym entDependenton M onitoring Purposes

* 2008 Cssco Systems.l


nc. lmpl
ementing NetworkAnahystswith Cisco NAM 3-9
* Troubleshooting:Dcterm ining thecatlse ofnetwork issucscan be aidcd by the use of
packetcapturesorpacketdccodcs,orby sctting thrcshold conditionson statisticscollccted
and alarm ing on thcconditionswhen a threshold isreachcd.
. Perform anceanalytics:Evaluating thc experience ofthe end userwith using thcnetwork
can empoweryourorganization to be more proactive in responding to application rcsponse
tim csorvoice orvidco quality issues.Also,monitoring 1he trafficperdifferentiated
sers'icescodcpoint(DSCP)valucscan hclp withfine-tuningQoS settings.

3-10 lmplementi
ngCiscoDataCenterNetworkIpfrastructure 1(DCNI-I)72.0 @ 2008 Ci
sco Systems, lnc.
The B ig Picture Defined

(
l)2008 Cisco Systemsllnc. Implementing NetworkAnalysiswith Ci
sco NAM 3-11
Interface Statistics
. lnterfaces store pedormance statistics on the traflic received and +
sent:
- Statistics overtim e
- Can be obtained via SNM P
- Can tri ggeran eventupon threshold reached
. Typicalinterface statistics include:
.
Utilization
- Packet
- s in and out
-
B/esinand out
-
Multicastpackets in and out
+
-
Errors

Thc Cisco Catalyst6500 SeriesSwitchescollectstatisticson thc amountoftraflicornumbcrof


errorso11each ofitsinterfaces.These statisticsarcstored in an M 1B il1thc deviccand can bc
rctrievcd by applicationsusing SNM P.
Mostdeviccsalsosupportlnini-RemoteM onitoring(mini-RM ON)statistics, which supplies
morcthanjustthesc intcrfacestatistics.
'italsoprovidelhesestatisticsand featurcs:
* Hoststatistits:Byle and packetcountslo and froln ahost(by M AC addressatthe data-
link laycr,network adtlress atthe network laycr. and nctwork addressatthe application
laycr).
* Conversation statistics:Bytcandpackctcountsfrom onehosttoanother(byM AC
addressatthe data-link layer,nctwork addressatthe network laycr, and nctwork addressat
theapplicationlayer).
* Thresholdsand alarms:RM ON cal)sctup thrcsholdstolookforvariousconditions(for
cxample.Iinkutilizationgrcatcrthan70percentfor60 seconds)and inform amanagemellt
statiol)with an SNM P trap w hen thecondition occurs.

3-12 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI-I)v2.O @ 2008Cisco Systems. Inc,
'

S N M P M IB s
. u IBr
Variablesdefiningdevice status (e.g..temperature = 85degrees)
Justfacts,notwhetheritis good orbad
Defined according to SMIrules :.118 Iand N!IB h,
A managed objectisdescri
bed using a unique01 ' Syst
e
. Deqf
mI D
'nption
. MIB 1and MIB 11: . xosocref
Standard M IB fordevlces I
nlectaces
' FkcltltllA(1tz!L)Ie
. MIB extensions' . Tfaf
sccauots
'
VLAN statistics'VoIP,SMO N.DSMON M lBs Frro
rcf
xlnts
. 6!c
RMON Iand 11 MlBs
Vendorspeci
fic.Ci
sco M IB d q) ()
! ;
1.:alrl
g6k
yq!e>'2)aI
;
ISzt
l
c!t;
'es I hnt edaoes
ART MIB pQ I
l Intexaoes
l !
i j jsherf
aces
I cotp
r.
l
ers oa.lpeq 'z ht
yl
es I. r
ners FIlesi

C)2008 Ci
sco Systems.lnc. lmpl
ementing NetworkAnalysiswith Cisco NAM 3-13
R M O N M IB C ontents
. RMON l(stati sti
cson Layers 1and2): uIcd.RMoNcaobe
A Traffic rates errors,and packetsize
. # e
.
cn
aa
tb
all
edte
ys sn
wj
lh
tp
ci
:Ch
ps
oc
ro
t
s
distri
bution
+ Short-and Iong-term histofy ofstatistics
overtime
+.Thresholdconditi
onsseton statistics
+ Eventforreachingthresholds(alarms) ..,.....
Hosts and conversations p.,z's'. .'.*siaf
:
Packetfil
ters and captures 6 - -'' ; L*
. RMON.II
. RMON 11(statisti
cson Layers3 through7): 5 '.
e'
.*' sondar
d
. Masterlistofprotocols seen on data 4 : '.*
source 3 z .
.. Statistics on these protocols 2 :
'''.''.'
.
Hostsand conversations (networkand . RM
nnO
St dN'
d'
ar
applicationlayers) 1 - i

Thc figure show's the contentsofthe RM ON M IB. The RM ON M IB isastandard M IB


included asa sllbtrcc offthe M 1B2 stlbtrec.
RM ON,in bricf,collcctsthc follow ing:
* Basic Iayerstatistics:Linc utilization. packcts,and errors,and protocolutilization and
packcts
. H oststatistics:Byte and packetcountsto and from a hostby M AC addrcssatLaycr2.
nctwork addrcss atLayer3,and nctwork addrcssatthe application laycr
w Conversation statistics:Byte and packetcountsfrom one hostto anotherby M AC addrcss
atLayer2,network addressatLayer3 and network addressatthc application layer
w Packetcapture:To capture asubsetofnctwork traffic fordetailed protocolanalysis
w Thresholdsand alarm s:To setup thrcsholdsto look forvariousconditions, such as
cxceeding a spcciticd bytc rate orpackctratc. and to inform am anagcmcntstation withan *
SNM P trap w hcn thc condition occurs
Due to thc largc nulnberofstatisticsgathercd pcrinterfacc, lnostRM ON implelnentationsare
in standalone network dtviccs, often callcd RM ON analyzcrs, such astbe Netw ork Analysis
M odtlle (NAM ).Thcexception to this isthc usc ofa sm allsubsctofRM ON implemcnted on a
sw itch to collectbasicdata-link layerstatisticsand a bricfhistory ofthese statistics, and to be *
ablcto sctthrcsholdsagainstthestatisticss aIlon a per-portbasis.ThissubsetofRM ON is
known asm ini-RM oN (statistics. history.alarms.andcvents).
RM ON 11offerscxtensiollsto the RM ON lstandard by providing statisticsbcyond the data-
link layer.Statisticsare availablc o1)thc network layerthrough theapplicalion laycr. Basically,
RM ON 11looksdecpcrinto cvcry packetitanalyzcsto dctailwhich nctwork layeraddressesare
constlming the mostbandwidth,whicllnctwork layeraddressesarc talking to each othcr and
which applicatiolls-identitied by portllumbers, arcconsum ing bandwidth.

3-14 Impl
ementingGiscoDataCenterNetworklnfrastructure 1(DCNI
-I)v2.0 Q 2008 Ci
sco Systems, lnc.
N etFlow Statistics
. NetFlow isused to analyze packets sentthrough a NetFlow-
enabled device
. Inspectsthe packetand stores statistics perflow
. Flow isdeterm ined bythe protocoland conversation information
* Statistics can be expoded via ND6 to collectors

*
., f
. ; . :;'.i' ' i .. v A c;t4

NetFlow Engine
;.. r' .,vp4t)!tt
.
L'*, .y.
-------1:' .
...--.+ '. 't j
I
j
f.

'
7
v
?2
pji
4 l:qy i
jj.4
).;
)u ?
J
f
t
,/
'
L,
jd
7
yt
jk:$
r>
y
..'- . .
FE
55
)
)ht
i,
65.
-.
-..
..
-1
..:y
J.
xW
1.
,
;ql-
)jt
i
, r.
. :#y.
,
p
h j
l$
,,
.iy y .
'j .1:j
k
jjpjjyk j
j
jj
.

I
() l
e .-
- w r$
y.
t
.
)I
jl
k
tl
; ;
.
k
s,
b
- yy
lj
yy
q
tvvzs
kL
.
cjj
tqj :);
...-... . vk ?..'
.-. .-,
.xz?
.
.
.
z
, u

g
.j f
p
,.-,sj,.
&.
; .
7
.
.,
.;3.k
.
;. .j:
..
**
.
.....j..)j
,.'
5
'
;f
alr;) 1Yl)'
.X; $t.f;tj112)r
rl
z @
. '. .
.,, .. .
'
.h ..
, . ...... f. . .

Q 2008Clsco Systems,Inc.
' lmplemenbng NetworkAnalysiswilh Cisco NAM 3-15
C isco N A M S ervice M odule
Tllistopic describesthc Cisco Catalyst6500 ScricsSwitch NAM servicem odtlles.

C isco NA M Service odule O verview

Flow Monitorlng Anapytics * Baseline metrlcsto measure business impact


Monitorsongoingoperatlons
Processes NetFlow information togain insighlinto tramcfrom
both Iocaland remoteswitcl'es
ApplcatponResponseTime e Measeresappl
icationtransecii'
onIirnes
Plnpointsproblemstothe networkorth:application
Ofrerscrlticalinsightirdeapplscationbehavlor
voi
ceQuali
ty Ds
scover:actl
vecall
s
. providesinslgl:tintobothVo1Psignallngandtramc
AssessesVcIP verformancelevels
Troubleshootlng ComprehensiveRaoketrzpturecapabilitlestoplnpolntarld
resolv problems
. Trigger-basedcaptures
Remcdestorageandanalysis
lntelllgentfiptersand decodes

W'itl:Cisco NAM ,Cisco offersa soltltion thatprovidcscnd-to-cnd nctwork visibility while also
addressing nlany ofthenetwork and pcrfonnancc lnonitoring isstlesthathavc bcen raised.
By analyzing the traft
ic fonvardcd to it,Cisco NAM can analyze the sourceofthe traft ic.its
dcstination.thcprotocol.and thc amotlntoftrafticperhost.perconversation,and pcr *
application.Thetablc categorizcstllecapabilitiesofCisco NAM .Hcre are somccom mon
applicationstbrCisco NAM and related fcattlresto stlppo!lthcsem onitoring applications.
Flow Inonitoring analytics:
* Dclivcrsbasclincm ctricsto m castlre busincssimpactand monitorongoing opcrations
* ProccssesNetFlow infonnatiollto gail)insightinto traffic from both localand remote
routcrsand switches
Application responsc time:
w M easuresapplication transaction tim cs
. Pinpointsproblcm sto thenctwork orthc application
. Offerscriticalinsightinto application behavior
+
Voiccqtlality:
* Discovcrsactive calls
w Providcsinsightinto botl:VOIP signaling and traffic
* AssesscsVOIP pcrfonnallcc levcls

3-16 lmplementi
ngCiscoDataCenterNetworklpfrastructure 1(DCNl-1)v2.0 Q 2008Ci
scoSystems.Inc.
()2008 Cisco Systems.lnc. Implementing NetworkAnalysiswith Cisco NAM 3-17
NA M -I and N A M -2 M odules
. Embedded seNice m odules
w Provide dedicated hardware to deliveradvanced perform ance
analytics and end-to-end visibility
. Digerentperformance m onitoring Ievels
@ Em bedded trafficanalyzersoftware
w Webinte#aceaccess(HTTP and HTTPS)

Qj
= -
j'
-. - !?-.;;
w
-
-., . .
->-.rC-.
-=g w.w .r.
=- srj .

..
(1'IIL1' !,
'' i
1 !
E-b
. g1''- j
-;:q .
I = H . '
l. . .h-L
. .. !h:c
.
' ..
.. I A z .
' <.i:*=''

Cisco NAM -Iand N AM -2 areem bcdded service modulesthatprovide dcdicatetlhardwareto


dclivcradvanccd perform ance analyticsand cnd-to-cnd visibility.
Cisco hasdeveloped a second generation of -N AM SforCisco Catalyst6500 Serics Sw itchcs
and Cisco 7600 Series rotlters.Thc second-gcncration Cisco NA M Sare intcgrated and powerful
traftic-m onitorillg servicesmodulesthatocctlpy a singlc slotin thechassisand cnablcyou to
gail)application-levclvisibility into nctwork trafficto improvcpcrfonnance, reduce
failures and m axim izereturnson netw ork investm ents.
Thc Cisco NAM Sare available in two hardwarc versions, N AM -1 and NAM -Z,and offcrlligh-
pcrformancemonitoringand crossbar(fabric)connectivity tomcctdiversenctwork-analysis
needsin scalableswitching and routing environm cntsrunning atgigabitspceds. lncltlded with
tlle Cisco NAM Sisan cm bcdded.web-based TrafficA nalyzer. which providesfull-scale
relnote monitoring and troubleshooting thatisacccssiblcthrotlgh aweb browser.
ThcCisco N AM Sprovide visibility into al1layersofnetwork traft' icby using RM ON 11and
othcradvallced M IBs.Cisco N AM accessesthc built-in remotc monitoring (m ini-RM ON)
fkaturesofthe Cisco Catalyst6500 SericsSwitchcsand Cisco 7600 Scriesroutcrsto providc
port-leveltram c statistics atthe M AC ordata-link Iaycr. Cisco NAM also delivcrsthc
intclligcllce requircd to analyzc traftic flowsforapplicationss llosts conversations and
nctwork-bascdserviccs.suchasQoS and VoIP.

3-18 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)v2.0 @ 2008Cisco Systems, Inc.
C 1sco N A H ardw are S pecif1catio n
4:
Fabrlc and Bus Stlpport Yes CYes
srocessor Dtlal 'Dual
' + Accelerator
BAM 512 MB 1GB
Hard Dlsk 20 GB i29 GB
Capture Buffer 125 MB 6300 MB
Pedormance Sub-gfgabit Gigablt
Monstonng Appplcations FastEthemet Highcapacdy GE
Low capacdyGE
NtlmberofSPAN and VACL 1 2
Sesslons E
Num berofNetFiow Sesslfm s 1 1
. . .. .... . .. t . .
DeploymentScenanos Dlstributpon ServerFarm
Access IDataGenter
SmallCore lDi
sl
ri
buti
on
BranchOfEce lV/ANEdge.

ko 2008 Cl
sco Systems.lnc. I
m pl
ementing NetworkAnalyslswlth Clsco NAM 3.19
The following topologiesand data sourcesare supported!
* LAN-SPAN.RclnoteSwitched PortAnalyzer(RSPAN).VAfl--bascdcapturcs,NctFlow
(vcrsions1,5.6.7,8.and9)
. w AN-NetlJlow (versions ls5,6,7.8,and9)from localand rcmotedeviccs,VAcl--bascd
capturcsforFIeXW AN andOpticalServicesM odule(OSM )interfaces(CiscolOS
Soflwarconly) +

3-20 ImplementingCi
scoDataGenterNetwork'nfrastructure1(DCNI-I)v2() @ 2(08CiscoSystems. lnc.
Il1te 1-l1c
aI o l-n u r1icc
at1o n
I-ITTP

rs
4
12
*'' ujni
t.Rer
nt ulojj
acepo
y V
.. HTTPS

! .. r . . sjkvp w eb Browser
t

W eb Sexer
DatnfCom . ' It <.
'
ERSPAN
NDE MonitorlnterfaceforNDE ...;.J
Sources j
! PollProcess
#
yLJ'
Y
'Zt%.
'
*
;,*,
.
J#
. i
'
,./-.:.
.b f'
..
kKt'
.#$') 1
*v4'*'+*''.v'
. . 'z .. RMON Prx ess
f)j '';. . 't 1e

DataVACL
from S
Sparlned or Not e'The NAM-2 cansupporltwc)
ources
ssmullaneousSPAN arpd VACL sessloos

Tlle ligure showsllow'data tlows lhrougllthc variousproccsses iI1Cisct)NA M .

(()2008 Clsco System sllnc. lm plementing NehvorkAnalysiswithCisco NAM 3-21


'

Em bedded Traffic A nalyzerSoftw are


. Configuration ofthe Cisco * LL::-'
NAM : L-!..''
-t- x-
c

.. setupnetworkparameters ,
i.
r
:kF''i.
F. 'r
' .m.
y.%
,c
=-==
-.
.
-.
@
g
:j
jj
Selec
j
lk
j
a72
7 u, i.j . jjjjj
,
a
g
j .
.
jj
ttionoftrafficto I:EE r:jk...= *121:
- '.
.. .j
moni or -.
.
E@1
.I :.
E1
-
Tm es ofstatisticsto Reports:
gather . VLANandswp tchportmonl toring
Appficatlon.hosts.and conversatlon
w Real-tim e and historical monitorfng
reports switchheal thmonitoring
. Performance analytics QoS(D, ffSe>)monl toring
Reat-tlme NetFlow monitoring
* Troubleshooting Appli
cationresponsetlmemoni
tori
ng
volp and video monitoring
URLmonitoring
Packelc-apture anddecode
Hlstorfcaltrend reportpng

Tlpe figurcshowsthcTraffic Analyzcrsoftwarc thatiselnbeddcd in theCisco Catalyst6500


SeriesSwitchand Cisco 7600 SericsrouterNAM Sand acccssiblc with HTTP and HTTPS from
a web browscr.Thc Traftic Analyzersoftware notonly allow sthe uscrto configureCisco
NAM fbrm onitoring,butalso providesm any real-tim cand historicalreportson LAN and
W AN traflic and nctwork-bascd serviccs.
The Traff- ic Allalyzcrsoftware isembedded in the NAM -1and NAM -2 and accessibleusing
HTTP/S from a wcb browser.TlleTraffic Analyzersoftwarenotonly allowstheuserto
contigtlre Cisco NAM formonitoring,butalso m onitorstraftic forvariousnetwork usagc
+
sittlationsalpd providesmany reportson how the nctwork isbeing used.
. Use Cisco N AM forreal-tim eorIivc network monitoring and analysisofthcintcrfaceson
the hosting switch (application protocols,hosts.and conversation usagc)and ovcrallhcalth
(CPU.rrlemofy).
* UseCisco N AM forllistoricalreporting and trending ofthese statistics.
w Use C'isco NAM foranalyzing theperforlnance ofapplications from thc perspectivcofthc
tlser(application rcsponsctimc.voiccquality monitoring, URL hits.and so on)
w Also.usc Cisco NAM forproaclivetroublcshooting by triggcring alannsbased on det-
ined
conditionsortriggering packetcapturcsto gathcrm ore cvidcnce.

Note The TrafficAnalyzerisem bedded in Cisco NAM software 2.2,and Ialer.Access to the
Traffic Anal
yzeris through a web interface. The web inte#ace requires MicrosoftInternet
Explorer6.0 (minimum)orNetscape 7.0 (minimum).and supportsboth Engli
sh and
Japanese versions ofthe browsers.

Note Forenhanced securi ty, theTraffi


cAnalyzersupporlsSecure SonkelsLayer(SSL)securily
with up to 168-bitencryption and offers role-based userauthorization and authentication
locall
y orusing TACACS+.

3-22 Implementi
ngCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.0 @ 2008 Ci
sco Systems. lnc.
Note The Traffic Analyzersuppods Cisco NAM-I and NAM-2 and does notsuppod the first-
generati
on NAM Italso suppodsthe Cisco branch routersseri
es NAM (NM-NAM)(not
coveredin thiscourse).
Note Ttle Traffic Analyzerissuppoded with Cisco lO S Software ReTease 12.1(13)E (minimum)or
CiscoCatatystoperatingsystem Release 7.3(1)(minimum)onthe Cisco Catalyst6500
SeriesSwitchsupem isorengines.

(D 2008Ci
scoSystems,lnc. lmplementing Network Analysiswith Ctsco NAM 3-23
'

Live etw ork o n itoring :Po tatistics


$I'#1,111*:
N A h1 T 1.afflc ...
k.:1t'lyR.ey'
.
m j
? &*''''*tL:
<e' #t
)''t'6 :ttT'1.t
Flr:ftt*
#- .- *=''- #% sAz> al:l>;latlrG.
. r.)a -
' '
t'e...@@.*-*. t?#.@.eh./ '''-'-----...
Viewtraffi
canderror fM T- Tpesd
crk/t
e&v e''-- Jt-el1tT
*41
StatlstlcgfOra11 ' *' +M '''ez5 ''''''
c. ,. . ErlolReteg . . . . .
l
nterfaces. k sl .'
k ,
#b/i '
-z x'iiwkt'w'iu hi.
w kwxtw-q:
a n!1 o 5.-5s: elw dm zx l.ez eal
Selectan lnterface Z 3 ' 0X 3.<097 2B* 923 Bfo 1: etf
and dnlldown in the r,4 .!,'. .''.r''.?;3 ,sc ..' v' ettp w kt a l.zr tlql vx ()x
lnlerfacetoobtaln .q' . . . . . Qal > @, .!w ;x ntm pn ex
moredetalls ' ...+.......w.....w....
m.......-..-.-.-..w--.,-
. Pod-l eveistati sticsincltldewtil
ization.packets. 444(**- ! gt!. y.yI
errors,andcollisions.
a Can al so monitorselected portsfor ' ' j
applcatl ons1hosts.and conversations ! le.x.
1o M+at
.- - . . -
4
- -
utso..$
-7
tpe! ).1Af
.7 -UQ

Switch m onitoring and reporting isavailable forevery porton the Cisco Catalystswitch
regardlcssoftheNAM configuration.In othcrwords, switch portmonitoring isalways
available becausc itisthe very foundation ofperformance monitoring and troublcshooting,
Thc M onitor> Switch tab providesstatisticson the hosting switcll. The PortStats> Current
Ratestablc allowsyou to view the datacollected forthe sw itch. Thc information displayed
rcprescntsthc datacollected pcrsecond ovcrthe lasttim e interval. On Cisco NAM .the mini-
RM ON statisticspulled froln the hostsw itch provide utilization and errorstatisticsforeach
activc port.
Using pol4 statistics.you can galhcrimportantinformation aboutthe switch pcrform ance as
wcllasutilizationpatterns.Sw iteh portstatisticsincludcpacketand bytccotlntsaswcllasport
tltilization.Sw itcl:portstatisticsalso includescn'orstatistics, such ascyclicrcdundancy check
(CRC)and alignmenterrors.oversizcd and undersizcd fram cs. fragments,jabbers,and
collisions.They also providc intbrlnation on broadcastand m ulticastactivity. You can
configurcCisco NA M to notify you when any ofthese valucsexccedsthresholdsyou havc
defincd forthcm ,
Cisco NA M gathersthese statisticsfrom thc mini-RM ON agentin the Cisco Catalystswitch.
No overhcad isaddcd by collccting thestatistics, and you can use thc statisticseven whcn you
configure othcrdata sourcesforCisco N AM . such asVLAN SorCisco Etherchanncltunncls. lf
you wantmore inforlnation than thc m ini-RM ON statisticsprovidc. such asnetwork layerhost,
convcrsalion pairdata,orapplication protocoldata, you can copy traffic from any combination
ofportson the sw itch to Cisco NAM to provitlc morc insight. You can configtlrea sw itch to
copy ormirrorportorVLAN trafficand selld itto a SPA N portforfurtheranalysis. This
proccdurciscalled spanning.
Sclecting aportand clicking Detailsprovidesintbrm ation aboutthesclccted portandalso
prescntsapackctsizedistribution value.

3-24 Implementi
ngCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.0 @ 2008 Ci
sco Systems, Inc.
Live N etw o rk M o nitorinq :Port D riII-D ow n
. Drilldown to view packetsize distributionfora selected port

* Cqfe- e a e- m> r $l2)tnc

n =r* gee ee l ' W 'lM ef


4wh K ,?e.M5- e.
weu lsale .. ' . ase-s,,a ew
r.r.,.. lrmr/vxywkl.vh..-.. '* K 547.1*3* .*
1*f1*# Ae'- * * 29* 9:* 3'Y' ' O
A- St*la; tm ''*
Cr- *txe Qe . tp 2.> -
2.*>
1.% '
t.*
4.Nh '

i :

Q 2008Cisco Systems.Inc. Impl


ementing Network Analyslswilh Clsco NAM 3-25
'

Ll
've et ork onitoring. '
PP Iication and rotocol on ito ring
ProtocolDi
stribution Convef
sation Pairstatistics
11
*xSG- &tISc/'rk +'
. '
.. . ..
SM COYI OL'tets *
. . .. . ..
1x@wue.4/.LLqpAp.*
. w.kwvv
(
.-*r
..
>
j
*Iw'm .
eup'1-,.. twvxw..-
1' '
. ''
$-.'#' - -..
* -'' '-' -' ' , '
qh
zn
4
.

I IM e* !I 4 '' ' k ''i . ' . :r3


! t:'# 11 *dp z $fl2 % S*.:
. 3'..'l..- t A:)
I t5. 11 4,p e ''%+-'=''> * * 'L '''''''''''' '' i
P d*'1 .s.sx...l>
t.0' I$4 a,I
v',... I
' inmp .-.. -..u..a,
....w .. .
.. .. .
-.
......
..m . .I.
*.5' : '

,. A' I
.. - --- - . fN,..
c
!r r '. u.- .....
- Obtainvisibllltylrltotheupper-layer .'' I
.**
= ;)-
:-
Q ... ..- .'
...*. -
....-...
protocol
sandappli
cat
lonsforthe / l> 2;
*:
.:
*:.,
.. ......
-. ,
..ue
> ''.
conggureddatasource l
S px, r..w' ....... . .w.
.- .
.. m
...
- Drilldown to the protocols andobtaln 'k ' -m@'''* 'N n-'<'''v
lnformationOnhost:andX nversatiorl: jj'?
10Cooting the traffic '*=
Detai
led Hostan Conversation Statisti
cs +

W hen lraffic isforwarded to the NAM -land N AM -2 foranalysis,tlsing SPAN orexporting


N ctFlow statistics.Cisco NAM can providc insightinto nctwork traft'
ic and provide statistics
on TopN hosts,applications,and convcrsations.
<
W hen trktftic is spanned to thc NAM -1and NAM -Z.Cisco NAM can (ook insidt the llve
packetsto gatllcrinformation from itspacketheader.Application m onitoring identificscvery
application thathasconsulncd bandwidth by how m uch and dctectsw llich hostsarcusing
wllich applications.Hostand conversation-pairmonitoring providcsbandwidth consumption
pcrhostand show syou which hostsare talking to each otheralong w ith thc amountoftraffic
cach hostisgcncrating.In addition,responsctimcspcrapplication w ithin each application
scrvcrcan bc meastlred and reported.
W hel:NctFlow statisticsare cxported to Cisco NAM , thc tlow statistics also provide
applicatiollahost,and conversation monitoring. (Servcrresponsc tilncsarc notavailable for
NetFlow data sources.)
M oniloring applications.hosts.conversations, and serverresponsetimescan htlp you
proactively spotbottlcnccksbefore yournctwork stlffersblowsto pcrform allce and availabjlity.
Itcan also hclp you im prove trafticperformance since these m etricsrevealusagcpatternsfor
usersaswellasforrouterand switclA.intcrfacc, scrvcr.and application rcsources.

3-26 lmplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-!)v2.0 Q 2008 Cisco Systems, Inc.
'

L-1ve N etw o rk r'


Jo I11to r1n (
J:
Sw itch Hea Ith M o n 1to 1-1nc
x g
(Ilr1!TIIIy1
1.:51 3FIaffir &lI)
d1vze1.
pj'.
LL
*-1-
'j;
7
f.
'?
1-
T(
.qjA
p4.uyl
a
pi
z
ls
'.'
)'l
rj/
ttt
;.
K1(.
'. 'a' '
..' sz ' . '.1 .
z j.''
j;
j;
jk
v;j-
j
*:,
>m-

. (! : .col- 1 ..... .. -.

e0 ! -- -- .
50
w 10
2(
10, j
()t) 1
4 3 7 1 t, 4 ) 2 t t)

pzx- eloomw- (m. ax r+e.T- Tte ym ?xtf'23JtFJ


- T* ''' Y *e''*
Gf 4fI * >
e
Prote&*oe :1e3 (08FNk 3F036 fB7#N. ?37e9
1C1 ;F (7)%: 5517 tlb!T9k SS$;

@ 2008 CiscoSystems,lnc. lmplemerlting NetworkAnafysfs with Ciscc&AM 3-27


Perform ance A nalytics'
.A RT M onitoring
Cisco NAM Scould be eitherNAM-I,NAM-Z,orNM-NAM,
depending on network equipment

DeployNAMSclosest
to theapplicatpon
' serversacd clients
):
'
z Q Q *'#
yj:. ,
2ZQ ' . .. 1
R% #
w
.(!.
) ' $'
, .* V ''- h '
ServerFarm ClientPCs

ServerResponse Time
7.27 - +
Serverand Nelwork Response Time
6. 1j#1't. --.
'(j
: $:
j.!
..
j)i
.= p;t,
! j w py.- j
:. ..1jt

Cisco NAM providesessentialijlfonnation on application perfonnanceasexperienccd by thc


end user.W ith itsncw transaction-awarcapplication responsc-time feature.Cisco NAM can
isolatc application performance problcm sto thc nctwork,theapplication,ortheserver.W hy is
thisiTnportant? Having m easurementstllatretlectthe network perforlnancethatthe users
expcriencehdpsyou to do thc follow ing:
. Quickly idcntify thcsourceofperfonnancctlegradationand rcsolveproblemsbeforeuscrs
even Iloticc
* U nderstand application behaviorovertim c to supportthc planning forchange
w Ilnplcmcntnew networkresources.applyQoS.and soo11
* Deploy and vcrify W AN optilnization scrvices +

K Understand userexpcctationsto supportthe dcvclopmcntofsea iceslevels


Cisco NAM collcctsrcsponsc-timc statisticsforTcp-bascd clicntand servcrrequestsand +
acknowlcdgcmelttsto providc im portantlatency data. Thisdata can also be trcndedovcrtim e.
Thus,changes in nctwork and application usagccan be correlatcd with fluctuationsin rcsponse
tim esto predicthow changesin userpopulations, network rcsources,and W AN bandwidth
lnanagemcntw illaffcctapplication pcrform ance.

3-28 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)v20 . @ 2008CiscoSystems. lnc.
'

Perforllla.nce A naIytics :
D 1fferent1ate d S erv1c(!
)s M o I',1to r1ng
* Validates planning assum ptions and QoS -- '--'
- '''-'.
-
allocations ' - ''
'
. DeteGts inGorfectly m arked Orunauthorized '''
. l t- :
traffic ;z'
;.
; :
1... k
1-' .
1- -

z ..*.. . . ....w . y

t
j.ii q # C '' c > ' .

*> * ,1 '' '


l
j
t.
,':c%.' :
't' & . :..e.* i . y *'
.: & **. 1f;MP26)
(Dscp %uAj
**-f':1
'

111esscncc.()'isco NA M aggregatesstatisticsby DSCP ajptlitalso stlpportsgrotlpillg ofDSC-PS


illtoclllsses()1
-serviccthatl'napontolllc(?()S 17()1iciestllatyotlhavciluplenacntcd.Thisenklblcs
ytltlt()l'
tllly ctlstolnizehow (-'isco NAM rcportsIlit'
lserv slatisticsso thatitl'
natchcsyotlr
cllvirolllllellt.

C)2008CiscoSystem s,Irc. Implem enting NetworkAnalystswith Cisco NAM 3-29


Perform ance A naIytics:U R L M onitoring
. Hitson top URL sites x.- ...... ua. . ,.,..-fc ..'
,.
'

CollectURL host,path, #' ... .


*, ,. . S
M. * '*'9 *
..t;.;.1. '''('.'''
*'*-
'% /.
and Content c j xo/nwlxtzr41 ,
* Coll ectusage * ZO'O'T? * ** '
E)t,tisytitlsy'
. * mo 1%4Tr >* !
-
Packetand byte c'$ -p'a:z'e
''z', '*. '
rates C $ > el
o1 l3T o
C ; > knqp1M ,37 eegm zi.r- repo lv zz- ex d
-
Hostand c'. > v' wfxfaz -'
*> ls
Convorsation O $ *' d?2'*f3?4 ***'' ''C1* 2
StatjStjcs e $9 ' *.mR:$*'yz . -'
- - - .- .
.'-'
*'-<t
-
*#
--
,e
.- ..- - --- .--.

. Filtering ofURL by - -,.,


-. .;.--
- 'c-v. --- -.-- 14<oow- f'-f- s,: ).yl
.
cs-w sr- s..j.c
host path and content ''9...'..1-..*0.
**...- -. c'e-e- ...-...s,.,
.n

Cisco NAM canalso becont


igurcd to listento HTTP traftic(TCP port80)onaselecteddata
sourcc to collcctURL information.
A URL,forcxalnple,http://host.domaill.com/intro'
?idm l23,consistsofa hostpart
(host.domain.com).apathpart(intro).alld anargumcntspart(?id=l23).Thecollectioncanbe
contigurcd to collectallpartsoritcan bc contigtlred to collectonly som eofthepartsand
igllore othcrs.
W llcn the URL statisticsarccollected.you can view the URL and the numberofhitsto it. This
URL collection list,illustrated in thc figurc.can be tiltered to Iook forany partofthe URL,
llost,patll,orargulncnt.
To obtain addtionalstatisticson the HTTP traffic,you can create an URl--based application.
TllisallowsCiscoNAM tocollectapplication-basedstatistics(packetorbytestoand from).
hosts.and conversations.

3-30 lmplementing ClscoData CenterNetworklnfrastructure 1(DCN1-1)v2.D @ 2008 Cisco Systems,lnc.


Cisco NA M can be used to scttllresholtlsand alannson variotlsnetwork param eterssuch as
increased utilization,severe application responscdclays.and voiccqtlality dcgradation-and to
gcncratc alertson potentialproblcms.W hen a potel,tialproblcm isidelltitiedsone()fthem ost
powerjklcapabilitiesofCisco NAM isthc capability to vicw thccontcntsofpacketsto drill
dowl)deeperinto thcsource ofa problem.
W llellapotentialproblcm area isidentificd,thcpackctcan beatltomatically capturetland
decoded to hclp resolve theproblem bcfore itaffcctsusers.Capttlrescan bc pcrform cd tlsillg a
web brewserfrom any dcsktop-alld dccodcscan bcvicwed throtlgh the TraflicAnalyzcrGU1
whilctlle data isstillbeing caplurcd.
'
l'hc capttlrc and decode capability ofNAM provitlesdepth and insightinto data analysistlsing
triggcr-based cdpttlrcs,filtcrssdecedes,and a capture analysislclolsettlaquckly pilzpf
aintarld
resolvcprobleln areas.
CapturedpackctscanbcsavcdonarclnoteIllternetSmallComptlterSystcmsIllterf -
acc(iSCSI)
drivcorNetwol'kFilcSysteln (NFS)diskto extendthedatastoragccapabilityofCiscoNAM .
NA M allalyzesand dccodcsthe capturesstored relnotcly,performs systcln administration,and
providesinform ation on available disk space.

(Q 2008Cisco SystemslInc. im plementing Network AnalysiswithCisco NAM 3-31


'

H istoricalReporting and Trend1ng


* Store and retrieve up to 100 days ofhistoricaldata
w Reportgranularity- detectanomalies thatwould otherwise be
m asked overa Iongerrepoding intewal
. Live reporting by setting granulari
ty to 1 minute
. TopN r epod granularity m inimum is 5 m inutes
ll
d,du NAD<TrarfitA**1zKer
1:@ . .. .. .

,-. .. , o .u jse...x,.
,.e.m -

1r.j:..r
7*.
1-,s .,,.,.ox j.xs
I: !
:
..;
okq
., j
( (
iC
E;
T
W.
=1

I .1.t ID.CY.
. ....-- . -...-..-.....- --

Thc Cisco N AM offersan cnhanced historicalreporting capability thatprovideshighly granular


visibility (onc-m inutc granularity)into network traffic.including individualapplicationsand
cnd uscrs.Helping enable operations staffto identify issucsthatcan disruptbusiness
opcrations.tlle live reporting capability ofCisco NAM cxposcsproblcm sthatwould otherwise
bc nlasked ifcriticalreportupdatesoccurrcd lcssfrcquently.This infonnation facilitatcsthe
qtlick idcntificatiolland vcritication oftraffic allomalics so thatim pcnding problemscan be
rapidly rcsolvcd.

3-32 lmplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)v2.
0 (
l)2008CiscoSystems.lnc.
C isco N A M D ata So urces
Tllistopic describesCisco NAM data sources.

Data Sources forA naiysis

NAM-Em bedded Traffic Analyzer

&! ! k g
'
Y s x
% <! I
oj 1
i a:v
; s
.
:
a t
'k c cz,j =& = y.
Metlqo- '''T: M#Ii.RMON NerFlow NBAR MIB.II
' jm 4

Note:AIIfeatures mightnotbe availableon al1CiscoCatalystswitchesand routers

1!isinlptrtantto l 'nanagctl'le data sourcesstlpplying datato Cisco N AM .You 1 nt1stunderstalld


how Cisco N AM and itsdata sotlrcesarecontigtlrcd in ordcrto inlcrprctthc variousNAM
reports,Cisco NAM l' nakcsuse ofn' lultipledata sotlrcesto provide visibility into thelletwork.
incltldil'
lg thc follow ing:
* M ini-RM ON :Forper-switch portLayer2 statistics
* VAC IUSand Cist!o ExpressForwarding:To copy actualpackctstraversing tlle switch
fabric and routcrintcrfaccsto Cisco N AM foranalysis
* NIIB 11:Forpcr-rotltcrillterface statistics
* NetFlow :To providc application,hest,alld collversatiollilpl
-orlnation from a num bcrof
rem ote alld localtrafl
ic tlows
II1sonc SPAN configurations.nltlltiplecopiesofthc salnc sotlrcepackctcan bcscntto tllc
SPAN dcstillationport.Forexa,zlple.a bidirectional(both lransmitand receivc)SPAN scssioll
iscoltfigtlrcd forsourcesaIand :12 to a destinatiollportdl.Ifa packetentcrsthc sNvitch
tllrotlgl!alalld getsswvitclled to a2.botl)incolnillg (t-
roll'
la1)and otltgoing (to a2)packetsare
scntto dcstillation portdl.Botllpacketsare tllesalue (ifa Layer3 rewritcocctlrs.tlle packcts
arc differcllt).Silnilarly.forRSPAN scssiollsw itl)sourcesdistribuled in l'
ntlltiplc switchcs.tllc
dcstillatiol)portsl'niglltfblavard Intlltip1ecopiesofthe salnc packet.The same istrtle for
VLANS:lfapacketisboth sentand rcccivcd by twoports thatarc pal4ofthe sal' ne V LAN,itis
counted tw ice.To avoid cotlnting packctstw ice witl)VLANS,tllc dcfaultdircction forspanning
VI-ANSissetto receiveonly.Thc two dataportsavailableNvith a NAM -2 can also bc tlsed
cffectivcly to lnollitortllc reccivedirection on one dataportand tlle translnitdirection on tllc
other.Silnilarly,ifCisco ExpressForwarding isfonvardillg packetsf' roln allrouterillterfaces,
tllcn tllc packetis seel)tqvice:onccol1thc ingress ilterfaceand once on thc cgrcssintcrface.

(l)2008Cisco Systems,lnc. lm plementing NetworkAnalysis withCisco NAM 3-33


Yotlm usttlnderstand thc exactnaturcofthedata source to properly interpretthe traftic analysis
rcports.

Note 7he NBAR M 1B has notyetbeen im plemented within the Cisco Catalyst6500 Series Switch
and Cisco 7600 Series router.W hen these devices include supportfor!he NBAR M IB , the
Cisco Catalyst6500 SeriesSwitchand Cisco 7600 SeriesrouterNAM willsupportNBAR-
protocoldiscovery on those devices as well

Note The NME-NAM ls1heNAM available forCisco branch seri


esroutersand provi
desaddi
tional
visibili
ty atthe W AN interfaces.

3-34 Implementing Ci
sco DataCenterNetwork lnfrastructure 1(DCN1
-1)72.
0 @ 2008Cisco Systems.Inc.
'n'
l l-R N ,SP N,and RS P N
#C . Mi
npauox
j.L
f . .
'

$ . . ,
. . use SPAN to copy porl.
y; vo x,or
gt
f. a ': t)
m EtherchannekTraffic
/.
k (u 2 o toNAM
.
k ac:
. #
'
MrnI-RMON Traffic
f .. . collected byInternas
cpscocalalyst65 NAM Irlterface
Sert
esSwlt
cl' I spanned
spanoedTrafic -
1: '
rrt
affi. Traffi
cPassesoverProducti
onLi
nks
senttoNAM Data X' '''
-''-' wbenUslngRSPAN t
o Monitor
F'ort ED l Traffi
conaRemot
e switch
V:
.J
f
< x .x.'..
. ..
.. .' Note The NAM-2 hastwo mtmitoror
4 destination portstosuppod two
j
$.1 ' '. . f srm uI
taneousSPAN/RSPANsesslons
CisooCatalystSwitch

TlleIniIi-RM ON isan interface tlscd to gatlpcrl'


nini-RM (.
)N statistics frol
n each ofthcenabled
portso,lthehostdevice.Thisallowsyotlto view basic Laycr2 statistics forcach portand to
decide iffurtheranalysisisnecessary forany ofthcpol-ts.Iffurtlleranalysisisncccssary,Cisco
NANfanalyzcsactualtrafticpassed to itwith thc SPAN orVACL Incchanisln oftlle Cisco
Catalystswritcll.
Spallning isthe tcrlz:tlscd to klcfinc thc configuration thatisrequircd to copy trafsc froln
sourccports,VLANS.oraCisco Etherchannelttlnnelto adcstilation ssvitcllplll-t(SPAN port)
foranalysis.A SPAN sessiol)isan association ofadcstination nlonitorportwith oneorlnorc
sotlrccsoftraftic.Sourcescal'lbe pllysicalporls,VLAN S,ora Cisco Etllcrt-llanllcltunnel.
svhcn Cisco N AM isillstallcd.the hostswitch recognizesitasa SPAN tlcstination.Thc tlser
sclcctsoncorInorc portsaV LANS.orEtllerchallnels and lheswitch copicstllc trafiic froln tlle
sclcctcd sotlrcesto Cisco NAM tbrallalysis and rcporting.
A useroften Ilasa need tt)analyzctraftic llowscapttlred by SPAN on abox diflkrentfroln
wllcre they arecaplured.Sw itchcsthatstlpportRclnotc SPAN (RSPAN)allow tlle tlscrto
capttlre them onitored traffic and trallsm ititto a relnote switch thathasanembcddcd N AM ,
using an RSPAN VLAN.Howcvcr.RSPAN analyzcstraftic only on the same Laycr2dom ail)
froln where itissotlrccd.A lsostlle Laycr2 dom ain iscollfined to Cisco switchcsdue to spccial
propel-tiesol-the RSPA N VLAN thatarcsuppol' ted by Cisco swilchesonly.

Note The NAM-2 hardware includestwo destinations to allow increased flexibili


ty fornetwork
m onitoring.

Note The abili


ty to use SPAN VI-ANS allows you to achieve additionalmonitoring flexibili
ty.
Rem ote switches can be confi
gured to exportdata on a specialuser-dehned VLAN.Cisco
NAM can then span this rem ote VLAN effectively spanning data from a remote switch.This
capabilityisknownasRemote SPAN (RSPAN).

((
7 2008 Ci
sco Systems.Inc. lmplementing NetworkAnalysiswi
thCisco NAM 3-35
Note RSPAN data traverses producti on Iinks.This addi
tionaltraffic can have an adverse
perform ance impacton yournetwork.Please consi derthese impl icati
onsbefore
implem enting remote monitoring using RSPAN.

Note RSPAN and SPAN are m utual ly exclusive,thatis.i


fyou use RSPAN,you Iose the ability to
SPAN data to thatport.Considerusing a NAM-2 with its second data pod to allow Cisco
NAM to use bothSPAN and RSPAN together.

<

3-36 lmplementingCi
sco DataCenterNetworkInfrastructure1(DCNI
-I)72.
0 ()2008CiscoSystems,Inc,
E:
- 67 14
' ' Use ERSPAN to
'
j
il
y'
.
((t
,
.o ,..,,., t
6r
6o7u10
bs
l
esshj
ojx
y ots
pj
r
y
ojj
j bol
e
jj
m
yj
s
yay
to send personnelto the
ay
t
jyy
g
Y.
': .. .4 . . siteorhauIingarounda
j
'
t... . rtaj)
jeana1yzer
/'
#)'.
PO
j< ' . E'RSF'AN Trafric
;. cojjected by NAM
; Management
CPS.tXICldalyst6500 lrltoufacp
SOICYSvs
Gh I ERSPAN
I Traffic TralficPassesoverProductionLinks
W hen Uslng ERSPAN to Monitor
I TrafficonaRemoteSwltch

' y!lj h.tf ' Packets are encapsulated In GRE


F . .
headeranddlrectedtoIPaddressof
z. . .4 ERSPAN destlnntlon
Cls= CataiystSwitch

ERSPAN (Encapstllatcd RSPAN)providesasoltltionto tllcIimitationsjustdescribcd.The


I@RSPAN featurcallowsthc tlserto capture traft'
ic and encapstllatc itin aGclleric Rotlting
Encapstllation(GRE)IPpacket.Tlliselpcapsulatedpackctcantllenbcscnltllrougl)al
ly Laycr3
nctwork asa GRE ttlnncled packet.
ERSPAN increasestlle deploylnenttlcxibility ofCisco NAM .cnablilg itto lnonitortraffic
(koln rcm otc partsofthe network.Cisco NAM tan rcccive ERSPAN traffic throtlgh thc internal
nlanagelnclltport(salncused by NetFlow trafiic).Altelmativcly.thcERSPAN trafliccanbc
directed to the switcll,alld tllclltlle receiving portcan bc spallncd to Cisco NAM foranalysis.
ERSPAN traffic scntdircctly to Cisco NAM is treatcd asa separate data sotlrcc indcpelldcntof
tlle spanned traftic.ERSPAN isstlpportcd ol1Supervisor720 with Cisco lOS Sohwarc Rclease
I2.2(l8ISXE orlater,and PFC3B.

Note Sending excessive ERSPAN frarfic directly to NAM willslow GUlresponse time.

@ 2008CiscoSystems.Inc. Implementing NetworkAnal


ysiswith Ci
sco NAM 3-37
V A C LS
Usea VACLfortrafficanalysisl
To analyzeW AN interfaces thatcanno!be spanned
I
fno more SPAN sessionsare avallabl e foruse
To pre-filterspecifictypesoftrafficforanalysi
s
VACLtraffi
csenttotheCi
scoNAM dataportIooksjustlikeSPAN datatothe
Cisco NAM
Cisco Catalyst6500 Seri
esSe tch
Eyamppa A VLAN ACL can be
usedto capturew AN traffic
and forward Itto Clsco NAM
asan Ethernetframe
. s .

!
o1!
1!
-

#
. VACLTraffic Sent
to NAM Data Pod
CopiedTraffic

VLAN accesscolltrolIists(VA CLS)can bca valuablc sotlrcc oftraftic foranalysisby Cisco


NAM .VACLScan bc used in thefollow ing ways.
The Cisco Catalystsw itch SPAN capability islim itcd to tw'
o SPAN sessionsand LAN ports.
You can analyze W AN linksusing the NAM -land NAM -2 by using oneoftwo methods:
* VACLS:You can use aVACL to configure thc W AN portdata to bccaptured and
forwarded to Cisco NAM asEthernetfram es.Thisfeatureonly worksforIP traftic overthe
W AN intcrfacc.
w N DE :
VACLScan be used with LAN porlsand arc useftllifno more SPAN sessionsare
11vaiIab1e.
VACLS can bc used to help filterspccit
ic typcsoftraftic forfurthcranalysisby
Cisco NAM .

3-38 lmplementlngClscoDataCenterNetworklnprastructure 1(DCNI-I)v2.O @ 2008CiscoSystems,lnc.


'
d

N etFlow D ata Expo rt


tfu
T c .. . ' .. MInLRMON
'
': ..
NDE Tralfic from Local
' HostDevicecarlbe
/
j ' <t'y..
' . , cojpedtoCi
scoNAM
j,
T
.'*
.
j)
j
y

'
..
O
.:l::
r,..
j
v
d
',p
z ku
&t
J NDE TrafficCollected by
a Sing1e InternalCksco
cisco catalyst65/0 NAM Interface
seriesswilch
NDEtrafficforenabl edpnterfaceson 1 NDE Packets
remoteNetFl
ow-enabdeddevices . I
passesoverproducti
onlinkstoCisco .&j
NAM on UDPpcd 3000 ED 1
NctFiow. . , NetFlow suppods menitoring ol
Enabled apRlications.hosts'conversations,
Dewce and Diffserv

The l' igurc showsllow the NDE feature istlsed f


brW AN lnollitoring.In addition to tllc intcnlal
illterlccsofCiseo NA M forSPAN .VACL.and IHiIIi-RM ON.tllere isalso an intcrface for
NDE packetsarrivingtoCiscoNAM with UserDatagram Protocol(UDP)port3000.NDE
packetscontain information abotttone orInorepacketflows forcnlcornlore intert -accson a
localorrcmoterotltcrthatcan be parscd andatlded to thcRM ON M IB and rcported on by
Cisco NAM traffic analysissoftware.NetFlow allows forthe m onitorillg ofapplications,llosts.
conversations,and Diffserv (remotc).
Thc tlowsarcconfigured on thc remotetlevicc,possibly by illterface,and cxpol -tcd to Cisco
NAM with UDP port3()00.The tlowsreprcscntdatacom ing into olle interface on thc rcmote
dcviee alld cxitillg outofanotheril3terfacc.Aslong asthedevice iscapable ofnlnning NctFlow
and cxpol'ting collectcd traftic statistics.Cisco NAM can receivcand processsuch tlata.

Note Detailed monitoring forvoice,VLAN,ART Di


ffserv(Iocal),and packetcapturesand
decodes are notavailable on NDE data sources.

@ 2008 CiscoSystems.Inc. Implementing NetworkAnal


ysiswi
th Cl
sco NAM 3-39
Plan for C isco NA M D eploym ent
Thistopicdescribeshow to plan forNAM dvployment.

C isco N A M D eploym ent O verview


Placement ...-.-
Proactive Alerts
of Clsco *$.- wI
NAMS Qrl- resAcceptable
wn seti
mes? 'r
4-*.. !. - nqppte
ca urda?ta
res
'' @ Acceptabln
a .: .x. ulillticm?
/*7*t . '.,
.<,-

Data Sources :
'- .- ' .
- E'rnai
lexpoq?
NetFlow dala
j.j
'
0. Schedule?
exporl
KIIB.IIinlerface SpannedsAtch j .- . . orasujarj.t
?yoj
stats rxlrlsanciVLAN!I
Reporting
supervisorrroduleVACLource Requirem ents
.
9!1

Thc data thatCisco NAM collccts.and thereportsthatitgcncrates, willonly bc asgood asthc


cffortand consideration you ptltinlo thc planning stagcs.You m ustbring yourknow ledge of
yotlrnetwork and busincss,and how thcbusiness uscsthcnetwork,into the planning stages
whcn deploying Cisco NAM to enstlrc tllatyou collecttlhe datayou wantfrom thc sourcesthat
make them ostsensc,and to prcsentthedata in the m ostproductive way.
Thc Cisco NA M Inodule nccdsto view the network traffic to providetrafficvisibility and
analysis.Thcrefore,the network adm inistralorm ustfirstdeterm ine whatinfonnation isdesired
*
from thc analysissotlwarc,and whatdata mtlstbe collected to gctthedesired rcports. Properly
dctennining thc data to collectto obtain the reporting rcquirem ents isperhapsthe very crux of
nctwork m anagcment.The succcssofyourNAM implementation dcpendson a clear
tlllderstanding ofthc reporting rcquircmentsand how to obtain thedata tlsing Cisco NAM .
To gain a bcttcrundcrstanding ofthisissuc,considcrthc following questions:
. Are there bandwidth and rcsponsc time reqtlircm cntsorpoliciesthatyourcom pany
requireslnonitoring otP
. W hatbtlsinessortccllnicalproblclnsarc you trying to solvc with Cisco NAM ?A specitic
application orresponse-timeprobtcm?Voiccordataqualityofscrvice(QoS)detivel'
y?
M onitoril:g forrcal-tilncorhistoricalperformance?Acuteproblemsorfaultisolation?
Somc combination ofthese?
w Nvhattypesofreportsare necdcd (utilization,hosts.convcrsations, applications protocol
usage.response time.and so 011).wllatshould the granularity ofthe databe and when
should the rcportsbe schcdulcd?

3-49 kmplementingCiscoDataCenterNetworklnlrastructure1(DCNI-!):2.
9 @ 22*8CiscoSystems.lnc.
. llow w illCisco NAM vicw thc traftic to analyze? W illtllepacketsbe spanncd to tlle
interfacc ofCisco NAM orexported by NctFlow,orcan tlle switcl)portstatisticsbe used?
w Arc NAM modtllesin thc appropriatelocationsto collectthisdata'
?
Thcsc planning alld dcploymentisstlesarc highliglltcd in thisscenario and rcpcated in tllc
tlpcom ing scellarios.Eacllscenario w illlook atdiffcrentwaysto deploy-conligtlre,alld tlsc
Cisco NAM to solvc rcal-world problelns.

@ 2008C isco Systems,Inc. lm plementing NetworkAnalysiswith Clsco NAM 3-41


+

Yotlm ay need to det-


inc diffbrcntlevclsofsecurity to mcetthevarying needsofyourusers.
Forexalnplc,in-deplh contiguration and custom ization ofCisco NAM to deliverthe
monitoring needed requiresa ccrtain lcvclofaccess.Butthe monitoring and rcporting features Y
ofCisco NA M ot-tcn servc abroad rangc ofuserswho have differentsecurity requirem ents.
This situation lnay apply to the Cisco NAM in yourenvironmentbecauseyou may w antto givc
Inany usersaccessto som c partsofCisco NAM and securc otherparts.However,giving
tlnlim itcd acccssto aIlthe Cisco NAM features could tlndennine the vcry purpose for
deployillg N AM S in tlle Grstplace.Thc problem isthis:Asdiscussed earlicr, thedatayouget
from Cisco N AM isollly asgood asyourplanlling forand contiguration ofit. So,ifyou give
configtlration accessto al1yourusers,you wilinotbe ablc to guarantecthatthe collectionsthat
you configurcd a wcck ago w illstillbc the salne when you go to review the performanceof *
yournetwork.Forcxalnplc,lctussay you have configtlred Cisco NAM foralarm ing and event
notification on adata sourcc forhistoricalrcporting.Ally changesm ade to Cisco NAM may
disablcthe alarm syou rely on fornotiticatiollorthc data sourccsyou areusing formonitoring.
So.whcn plalllling forCisco NA M dcploymcnt.considcrwho should haveaccessto its
contiguration utilities at
ld who sim ply necdsacccssto the reports.Doing so witlhelp ensure
thatCisco NAM willcolltinuc lo deliverthc datayotlnccd.

342 lmplementing Ci
sco Data CenterNetwork lnfrastructure 1(DCNI-I)v2.
D ()2008Cisco Systems.lnc.
D eploym ent of C isco NA M in D ata C enter

I Q
h;
k
.
'
; '
(
;
.
'.y
i,
.
(, )
i? ,

*4,# bh v# . **
,,
# *
,'
,.
l
....
-,gup::l...ep.g.....--.-. . 3'f z ,,v...
!
) . .... ktjlfjy,
.q
z .
.

)
(.

( ,.
.
:
,;y
.
.
.
.)
t
'4,/<
) .;
.
:k
't i'
i
? J.
;
'
)' h
k
pj.-..:zj
'
'
1s'
I zf-'D' Deploycisco NAMSa#
-- 'h
#
tcriticaland aggregation pointsinthe data
j .
center

Collecting thc datayou need is lnade casierby the tlcxibility ofCisco NAM to be placed wllcrc
itisnecded and whcrc itcan gatherdata froln eithcriocalorrcmotc switcllcsand rotltcrs.
TypicaldcploymentplacesforCisco N AM incltlde LAN aggregatiol)poilltswhere itcan
collectthemostdataascrvicepoints(serverfarlns datacentcrs,andso011)wherepcrfonnancc
iscritical-and importantaccesspoints.Acttlalplacem entdcpendsonthe problcms you arc
trying to solvcw ith Cisco NAM .Asshown in thc Ggurc,tlle Cisco Catalyst6500 SeriesSwitch
NAM can becom plemented w itllthe C'isco branch routersscriesNAM and theNM -N AM for
lllollitoring W ANS.

C isco Catalyst 6500 Series Sw itch NA M S


Thc Cisco Catalyst6500 SeriesSwitchescan hostNAM -1orN AM -Z.These NAM Scan collect
antldisplayper-portLaycr2 statisticsinconjunctionwith thclni11i-RM ON oneveozilpterfacc.
You cal)acllicve m ore ill-depth analysisofI-AN portsby spannillg orcopying traffic from
portssVLANS,orEtherf-llallnelsto the embeddcd NAM ,orby tlsillg VACLSto m irrordata to
Cisco NAM if'no spannillg scssionsare availablc.
Yotlcan analyzercnlote switcllcstlsing thc RSPAN fcature ofCisco Catalystswitcllcs.You
can achicve adetailed analysisot-W AN ports by tlsing VACLSon a Iocaldcvice orby
fbrw arding NetFlow data from eitherthe localora rcmotedcvice.
Tlle Cisco Catalyst6500 SericsSwitch N AM Sarc vitaltoolsthatprovide higl:perform ancc to
lnonitortraflicrunningatsub-gigabitspeeds(NAM -l)andgigabitspceds(NAM-2).Cisco
NAM scan bc dcploycd in tllefollow ing arcas:
K Distributiol:orcorc Iaycrtl
-unk pol-
ts
* Service points(forexal npie.in tlata centcrsascrvcrfarm s.orCisco Unilietl
Colnlntlnications M allagcrcItlstersil)IP tclcpllony)wherepcrfonnancc iscritical
. CriticalaccesspoiI lts
Placeluelltalld intcnded tlsccalldictatc the need fbrthehighcr-pcrftlrfnancc NA&f-2.

@ 2008 Ci
sco Systems.Inc. I
m pl
ementi
ng NetworkAnalysiswi
th Cisco NAM 3-43
P Ian n 1ng C heckl1st
1'')t;S1;,'., @;.4 4 4
Identi
fythe problems orneedsyou are trying to sol
ve with Cisco NAM.
ldenti
fywhatdatacolectionandmonltori
ngneedscanhelpresolveproblems
orneeds.
Determine how manyCisco NAMSyou need to depl
oyand where youneed
to deploylhem.
Identl
fy the approprlate SPAN sources:port.VLANIorCl
sco Ethec hannel
tunnelforeach Cisco NAM.
Deflneeccesspollcl
es.datacollecii-
onandreKrting,andalarrnconfiguratlon
requirements foreach Cisco NAM to match needs.
Configure security,moni
toring,and alarming asdefi
ned Inthe prevlous
steps.
Revl
ewCiscoNA system resourcestoensurelhatCiscoNAMconti
nuqsto
suppod yourcollectlon and monitori
ng needs.
Vi
ew.modi
fy.andmonitortheconfi
gurationasnecessary.

The tigure shows aplanning checklistofitemsthatyou should considcrwhen deploying Cisco


NAM .
Therc isno easy formulafordeterm ining how m any N AM Syouw illneed,whereCisco NAM S Y
should be deployed.and how'thcy should be configured,Itdependson whatbusincssor
technicalproblcmsyou are trying to solvc.Following are some gtlidclinestbrplanning and
implclncnting Cisco NAM .
* ldentify thc problem sorneedsyou wantto resolvewith Cisco NAM .
* Idcntify whatdata and reportswillhclp rcsolvetheproblclnsorllceds.
m Deterlnille how many NAM Syou necd and whcreyou need to dcploy thcm .
* ldcntify the appropriate data sources(portalld illterface,scgmcnt,V LAN,orCisco
Ethcrchannclttlnnel)foreach NAM .
K Dcfinc whatacccsspolicies,data collcction and reporting.oralan'n fcaturesarenecdcd for
cach N AM .
K Configtlre sccurity,m onitoring.and alarlnsto meetthe ncedsthatwcredetined.
. Rcvicw NAM system resourcesto ensurcthatNAM resoklrccsrcmain low enough to
supportyourdatacollcction and monitoring nceds.
* View and modify yourreportsand contiguration asnecessary.

3-44 lmplementing Cisco Data CenterNetwork lnfrastructure 1(DCNI


-I):2,
0 Q 20D8 Cisco Systems.lnc.
Frequently A sked Q uestions
w W hatare the busy parts ofmy network?
Are these parts ofthe network experi encing a temporary bottleneck or
operating atfullcapaci ty and saturation?
. W ho is sending orreceiving the mosttraffic?
W hich hostshould 1isolate to determine ifi tis being used fora DoS
attack orforexcessi ve file downloads?
. W hatare m ytraffic patterns?
W hen should Ischedule operations to avoi d the busy periods orto
examine problem sthatrecentl y occurred?
. W hatare 1he appl ication traffi
c characteristics?
W hateffectdoes deployi ng a new apppication have on my network?
. How is traffic flowing through the neM ork from a QoS pointofvi ew?
is there a porti on ofthe traffic thatrequires specialper-hop behavior
because itIsvoice orotherspecialtraffic?

Q 2008 CiscoSystem s,Inc lm plementing NetworkAnalysiswith Cisco NAM 3-45


Frequently Asked Questions (Cont.)
* W hati s the status ofVo1P traffic?
..
Isgoodcallquali tybeing provided to users?
* Arethereanyundesirable applicationsbeing runonthe network?
...
Are my resources being used forbusiness pum oses?
* Can speci fic characteristicsofthe traffi
c be detected fortroubleshooting
by using sophisticated fil tering?
* How do Iknow ifa usercomplaintaboutslowness is legitimate?
How can Iidentify whetherthe cause ofa problem i s the network orthe
server?
. How can Ibe al erted to potentialservice degradation before itoccurs?

Thc figure showsmore f-


rcquently askcd questionsaboutthe deploymcntofthe Cisco Catalyst
6500 Scrics Sw itch NAM :
w W hatisthc statusoj-Vo1P traftic? Isgood callquality bcing provided to users?
. Arc there any undcsirablc applicationsbeing run on thc nctwork? Are my resourcesbeing
uscd forbusinesspurposcs?
w Can specitic characteristicsofthe traftic bedetected fortroubleshootingby using
sophisticated liltering?
w I'
low do lknow ifa tlsercomplaintaboutslownessislegitimatc?
K How can Iidentify whethcrthe cause ofaproblcm isthe nctwork orthc server?
v e
* How can lbc alerted to potcntialscrvice degradation beforc itocctlrs'?

3-46 lmplementingCiscoDataCenterNetworklnfrastructure 1(DCNI-I)72.


0 @ 2008CiscoSystemsllpc.
(32008Cisco Systems.Inc. Implementing Network Analysi
s with CiscoNAM 3-4T
S um m ary
Tllistopic summ arizcs thc kcy pointsthatwere discusscd in this Icsson.

S um m ary
* Networktraffic should be m onitored proactively in managing the
overallnetwork.
. Real -tim e monitoring statistics provi
de imm ediate data onthe
currenttrafficfortroubleshooting.
w Historicalstatistics provide valuable trending and capacity-
planning information fornetwork pl anners.
. The RM ON 11M 1B provides extensive visibility into applicati
on
traffic,including hostand conversions.OtherMlBs(DSMON,
SMON,VoIP,andART)providemoredetailsforanalyzingQoS.
. Data sources used foranalysis include SPAN,RSPAN,VACL
and NetFlow.

3.
48 l
mplementingCiscoDataCenerNetworklnfrastructure1(DCNI-!)v2.
() ()2908CiscoSyslems,tnc,
Lesson2I

Im plem enting Initial


C onfiggration

O verview

Objectives
l11,
1(11)colllplcting thislessoll-yotl'w i11btrablelt)tlcscribc tllc Cisco Catalyst6500 Serics
Ssvitcl'lNA NIillstallation and il1itiaIcontigtlraliollstcpsTllis incltldesbcing able to Illcctthcsc
objcctivcs:
* Describe the Cisco NAYIillstallalion
w Explai1,
1tleCisco N ANIinitialscttlp
* Ilcscribevariouswaysto acccsstllcL'isco N A N1
C isco N A M Installation
This topicdcscribesCisco NAM installation.

N A M -I and N A M -2 R equirem ents


. Configure SNM P agentand SNM P read comm uni ty string to allow
the Cisco NAM to read the m ini
-RMON portstatistics
* Referto notes forspecific Cisco lOS requirem entsforthe SPAN
and ERSPAN features

('riC;t2(.)(
'M,;l!
)I
j?R
rtk)C$()()Fr(?ri
t?F;f
lsAzi!
.t
ihl 4'
Fql1(J!.Ary/I'qt'
)r .; t .

Supewisor32 Rel
ease 12.2(14)SX1orIater
Supervisor720withPFC3A/B/BXL Rel
ease 12.2(18)SXF orIater
Supervisor720-10G withPFC3C/CXL Release 12.2(33)SXH1orlater

NA M -land NAM -2 have minimtlm operating systcm softwareversion and supervisorengine


colnbination rcquircments.
Thc hostdevice requiresno additionalconfigtlration to hostCisco NAM otherthan the
hardwarcand softwarerequirementsjustdiscusscd.Howcvcr,evcry (7
.isco Catalystswitch is
capable oI-gathcring a subsetofRemotc M onitoring (RM O N)statisticson aper-portbasis
knownasmini-RMON (Layer2 statistics,history oftllosestatistics.alarlns.andevents).
Typicallyethcse statistics areused to providc generalportstatusand hcalth.To utilizethis Y
capability.you m tlstdetine the Sim plc Network M anagclncntProtocol(SNM P)comm unity
stringsto cllable data collection by Cisco NAM (and/orathird-party managem entapplication).
You shotlld alwaysconsulttheproductreleasc notesthatare included with thc productforthe
mostup-to-datc lpardwareand software requircments.

3-50 lmplementingCiscoDataCenterNetworklnfrastructure1(DCNI-!)v2.
0 @ 2098CiscoSystems. lnc.
o.b B row ser R'eq u 1rem ents
* Configuration:
EnableJava and Javascript
AcceptaI1cookles
Checkfornewerversions ofpageseverytime itIoadsa page
M ernoryand diskcache size m tlstbe atleasl6 MB
* Afthough lhe TrafffcAnalyzerdoesnolreqtlireit.aJava plug-rnmi
ghtbe required
to use a JVM

' MicrosogW indows2000


lnternetExplorer I
I 6.0 MicrosoftW pnclowsXP Pfofe&slonal
! MlcrosoftW lndows2000
Mozlrla 17 MlcrosoftW indowsXP Professional
Solaris 2RE Version 5.0 Update 6
MlcrosoftW pndows2000
MlcrosoftW pndowsXP Professional
Flrefox Solacs
RedHatEnterprlse Llnux

Note Itis always a good idea lo check the Iatestrelease notes forup-to-date information
regarding system requirements.

Note Clients notconform ing to lhese requirem ents can al


so work butthey have notbeen tested
and certifi
ed by Ci
sco and,therefore.are notsuppoded i fproblems arise.

@ 2008CiscoSystems.Inc. lm plem entsng NetworkAnaiysiswith Cisco NAM 3-51


N A M Hardw are Installation *
Aftcryou havc identifed the appropriate locationsforCisco NAM and you have determ ined
thattlle Cisco Catalystswitch hosting Cisco NA M Inectsa11requircmcnts, you can installthe
NAM bladc and configure itforbasic m anagcmcnt(forusc with thc Traftic Analyzersoftware
thatiscm bcddcd in Cisco NAM ora third-party application)and forany additionalmonitoring,
data sourcc,oratltostartoptions.
You can installCisco NAM in any sloton the hostCisco Catalystswitch exceptslotsthatare
K serk'ed forthe supervisorm odules.
Cisco NAM isa com plex piece ofelectricalhardware and should betrealed carefully. lnstallers
sllotlld fbllow a1lsafety precautionswhen handling and installillg any elcctricalcomponcnt. +
Follow alIrccolnlncndationsIisted in the installation guidc to cnsurc the bestoperating
environmcntforCisco NA M .

Cautlon Cisco NAM m ustbe properlyshutdownbeforeremoving itfrom the switchorserious


damageto Cisco NAV canoccur.Review NAM maintenanceinformation priorto removing
the NAM blade.

3-52 SmplementingCiscoDataGenterNetworklnfrastructure1(DCNl-1)92.0 @ 2t*8CzscoSystems, lnc.


Verifying NA M Installation

@ 2008Clsco Systems.(nc. lmptementing Network Anat


ysiswith Cisco NAM 3-53
C isco NA M InitialC onfiguratio n
Thistopic describesCisco NAM initialcontiguration.

InitialSetup
AccessCLlofhostingdevice('
Telnetorconsoleport)
Establish console session to Cisco NAM m odule
Log intoCiscoNAM (defaultIogin:root,password:root)
EnterIP configuration:
IP address,subnetmask,and broadcastaddress
IP hostname and dom ain name -
Defaultgateway ..PA
.
,
N/WAN -'
..
s.; ...yjy v
.

DNS nameserver(ifapplicable)
5 Verify IP configurati
on
6 Mj Telnet
.. .
-y .
ConsolePort

You mustprovide Cisco NA M with an initialIP contiguration to enablccomm unication with


otherdeviccs,whethcrformanagementpurposes(Tclnet)orforretrievingdata.
To contigurethe IP settings,accessthe CLIofthe hosting device with Telnetorthrough the
consolepol-t,and then session to the slotnum berwhere Cisco N AM resideswith one ofthc
+
t-
ollowing com mands:
(sstltliksession slot slot number proceasor l

Note The syntax differs slightly forCisco 1OS and Cisco CatalystOperating System Software
devi
ces.

The login promptfortheNAM CLIisdisplayed. By default,the adm inistrative Iogin is ttrootf'


w ith the password also setto i'root.''Itisimportantto changethispassword forsecurity
purposesby tlsing the password com m and.TheNAM bannermessage indicatesifthe default
passw ord hasnotbeen changcd.

3-54 lmptementingCiscoDataCenterNetworklnfrastructure1(DCNI-!)v2.
O @ 2008ClscoSystems, lnc.
IP Settings and eb Server
* Access Cisco NAM and setIP to enable remote access
6500#session slot slot num proceasor l
Root@localhost#ip address ip-address subner-maak
ip broadcast broadcase-addre//
ip host host-name
ip gateway defauze-gate-ay
ip domain domafn-name
ip nameserver ip -address (fp -addresal

. Before using Cisco NAM Traffic Analyzersoftware.enable the


web seweron the Cisco NAM
Root@localhost.#ip http server enable Youarepromptedfocthe
Enter a web username : Web Usornameand
Enter a password : password whenIoggtng
pn to the weblnlerface or
theClsco NAM
e, *#
7L-. HTTP or -<-' ,
HTTPS -
k '.e '

lnitialIF)i;ettirl(;s
-I'1'c tigtll'
c alltltllc tablc showrlhcsyntax antlcolnl
nalldsto con(igtlrcl11t
Jllcccssal'
y IP scttillgs.

NAM IP Settings Syntax and Com m ands


Com m and Description
root''
loca lhosttlip address Configuresthe IP address and subnetmask
ip -addz-ess subne tr-wask
rootr
loca lhost#ip broadcast Configures the IP broadcastaddress
broadcast -address
root'
aloca lhost .localdomain# Configuresthe IP hostname used in the CLlprompt show
ip host hostr-name com mands and 1og messages
roott
a'naml .localdoma in#ip Configures the defauf
lgateway
gateway defaul:-ga rew' a.y-
root'
a'loca lhost#ip domain Consgures !he dom ain nam e forthe NAM
doma.
1:-nanle
z'oottc'localhost .localdomain# Configuresoneormore IP addressesasdom ain nam e
ip nameserver ip-addwess system (DNS)name servers
(ip -addz'essl
rtoott
f
bloca lhost .localdomain# Verifiesthe NAV IP confi
guration
show ip

Note The configuring ofone orm ore IP addresses as DNS nam e sewers step is optionalbut
hi
ghly recom nlended.Unexpected deiays can occurifa name serveri s notset.

tll2008ClscoSyslems.Inc. lm ptem entdrlg NetworkAnalysiswlth Cisco NAM 3-55


Enabling W eb Server
Aftcryou configure Cisco NAM w ith an IP address,you can com municatc with Cisco NAM
overthe network.Bcforc you can acccssCisco NAM through a web browser.you m ustcnable
tlpcN AM web Servcrusing the CLI.
To enablethew eb servcr,choosc cithcrHTTP orHTTPS asthe accessprotocol.By dcfault, the
IITTPS com mandsare disablcd.
ForIITTP.tlse the ip http serverenablecomm and.ForHTTPS,usethcip http secure server
enablecomm and.
Yotlcan also chooseto nln thc scrvcron a portotherthan TCP 80.Ifyou cllangc thcIITTP
pol1,yotllntlstrestartthe servcr.

Note Afterentering the command to enable the sem er you are then queried fora web
administration username and password.This isthe accountinform ation used to accessthe
Cisco NAM TrafficAnalyzersoftwarewitha browser.Rem em berthatthe CL1accountfor
Cisco NAV isnota webaccountand cannotbeused toaccessCi sco NAM witha web
browser.

To cnable theHTTP sccurc scrver,installa strong crypto patch. Ifyou prcfcrto t15cSccurc
SllellProtocol(SSH)rathcrthanTclnct.youmtlstalsoinstallastrongcryptopatch.
To installa strong crypto patch.follow thcse stcps:
step 1 Download the patch from Cisco.com and ptlblish the patch on an FTP scrver.
step2 Installthepatchby cntering thcfellowing command (wherehp-llrlisthcFTP
locationand thcnamcofthestrongcryptopatch):
root@localhost#patch ftp -uvl

Note These steps are genericto aiiNAM S.

3-56 lmplemenling CiscoDataCenterNetworklnfrastruNure 1 (DCNI-!)v2.Q @ 2008Cisco Syslernsl lnc.


V LA N and S N M P C onfiguration
6500(conftg)#
analysis module szo e management-port access-vlan mgme-vlan

. Definesthe m anagementVLAN
K Before using third-pady network managementapplications
to com m unicate with C isco NA M ,firstenable SNM P attributes:
SNMP system variables(name.Iocation,contact)
Communitystrings(read-only,read-write)
Via the CLIorwith Cisco NAM web intedace

e *4. -
SNMP -- '
, ,e

V LA N Configuration

@ 2008ClscoSystem s.lnc. lmplem enting NetworkAnalysiswith Cisco NAM 3-57


During installation ofCisco NA M .Cisco N AM ism ade awareofthc SN M P com m unity strings
ofthehostswitch thatare already set.Forcxam ple. to configure SN M P comm unity stringson
the hostsw'itch,use the t-
ollow ing comm ands:
root*localhost .localdomain#s= p co--unity communey -srrng rw
root@localhost.localdomain#aM p community communty-srrng ro
TheNAM isnow ready to usefortraffic monitoring.

3-58 lmplementngClscoDataCenterNetworklnfrastructure1(DCNI-!)K .
() (
l)2(98CiscoSystems.lnc.
'

-
Logq 1I'Icj In ,,

http'//<N/lM IP addtessv

:;
:;N.
t
l
:tiT:2i
48I9:I!
%(
&t
'Nogep
Ao N'kulGo *'
.t i ..I
NA 51 7*1.$1!fl(' AItEAI)'ze1.
i
' '. ahyo!$7..,*ts '=q'.n.x'<z:J'rv-.vrzss.pwm..rvvjvjj.s.Jx.y..---m.---u.-.. c
x.- ....

i ZeH*WWX
> ; edmln ygeb Usernaore and
F*ee-@#* ***@.* PaSSWOfd
'
1.,.
1
)I.j
Logglng in to the Cisco
NAM web Interface brings
?ou Sothe Syslerri
Overwew openlng screen

Tlle figtlrc sllowsthcstcpsto acccssthc wcb scrvcrand log i1 to tlle elnbcddcd Traflic
Alllllyztlrsoftware,

Q 2008Cisco Systems,Inc. Im plem enting Network Analysiswith Cisco NAM 3.59


'

S 9stem verview

,k11d1I1' s.
ksj .r1.affl(.A 11a1yze1.
t l$c0 ' .

, . .,. -

pAAIU F 1H l* l* tm
G k- M- .1'e- *?- 1-

< - 4-
A1Iofyourconfiguratsonoptions -- T*tM R**
wlllaffectthe resource utilization R* :- t) am fj
and performartce oflhe Cisco c,- fgm F!M ezl- M
NAM- penodlcalky monltorthese t- 1$elo f075o
slatistics

The firstscrcen thatappearsafteryou log in to Cisco NA M isthe Systcln Overview.This


screcn illustratesthc hostnam c and IP addressoftheN AM .how long theNAM hasbeen up.
alld the amountofCPU,m emory,and disk spacc thatisbcing utilizcd.
Kccp in m ind thatCisco NAM hasGxcd resourcesand al1ofthe m onitoring.alarm ssand packet
capttlrcsyou detinc are stored in NAM lnemory.Bc awarc thatthel' nore traftsc you analyze,
thc m oreNA M resotlrcesyou consum c.So,chooscyourdata sourcesand yourcollcction of
statisticswiscly to ensurethatyou m aintain the validity ofyourdata.A good practicc i5to
slowly and incrcmentally add data collcction and monitoring optionsand thcn understand thcir
inlpacton Cisco NAM by view ing thc system resourcctltilizationsshown onthisscrecn.

3-60 Imps
ementingCiscoDataCenterNetworkInfrastructure1(DCNI-I)72.0 @ 2008CiscoSystems.I
nc.
@ 2008 Ci
sco Systems.Inc l
m plementi
ng NetworkAnalysiswi
thCisco NAM 3-61
Configuring isco N Netw ork Param eters
ToconqgureClscoNAM nel/orKRara- tee
selectlheAdnxn>System >Network
Paralneterssub> nu
CIsf@ ..
. . 9 ' go

>PethlhC#!X!+ :$M ' * ' EGXV'P*#*HZM


.. . . e...... 1:21sg1s621,
. , <n1E> a4

> ..I...$ . +fe *


Fo*ewv 1821681:6J17 e lx:dx
ge vv.o lAel
l*et''''- h9.37..c'e$:.nrri:

NetworkaccesscorisguTation
oplionstbatweredesnedduring
jrlstallatlonalthe CLIcant:e

You m ustcontigure Cisco NA M network accessparamcters initially from the CLIbeforeyou


can acccsstheN AM by way ofthe nctwork.Afteryou havc setthesc parameters,you can thcn
change thcm wilh thc web interface.
Tlhc tigtlre show sthe nctwork param etersthatcan bc changed on Cisco NAM ,including the
following:
* IP address
* IP broadcast
w Stlblpetm ask
* IP gateway
. Hostand domain names
* Name servcrs

3-62 lmplementingCiscoDataCenterNetworklnfraslructure 1(DCNI-I)v2.9 @ 2998CiscoSystems.lnc.


C o 13f1g u r1ng S ecur1ty and U s()r A ccess
* Useraccountmanagement' .
W hich users should have access to which features?
Define securi ty polici
esthatm eetyoursecurity needsand the
functi
onalreguirements ofCisco NAM users
. Define security policies to protectyourdata requirements
* Enable third-party managem entsystems to comm uni cate with Cisco
NAM wi th SNM P com munity slrings
UserAccountManagement

ho1e.' 'j :
''*' L
-... .
' '

1r.
e-.d
'seteeot
e.arxm.'Ic.
f.:''(rd*II' .. .

; . ': 4
/ ( i
' ..s
. NAM e/'
.
y.x
j i...: .
!: .
.
l $.
'
t'
p#?tI?(y .
.
X'

@ 2008 Cisco System s.lnc. lm plementlng NetworkAnalysiswithCisco NAM 3-63


'

reating N ew Users
.I14'1It, s'.
:.,$1 'rraffjv A ua1'vzk1.
CI5C@

1e*:*
9t- Qdee.
' '
. - m 'm, - - -

Toaccesstheuseraccount
s. '''*- .- - t
e e*> ..# tee.
#*17' ' 'r
' ' G tG .
'''' 'V
selecttDat
heAc
ablarqi
sensu
>Use rs>Lcu l
bc-nc ' N*>F quee!

Ve -
Th
ace tabp
coun tsean
dlsdNpy
accs
eeg
ssd
stinWs
pn geus er
ges C'olxeMF*
r w- c-
qw
ClickCreate 10at18new us@r f-Awowc-
UselheNew Userpop upb0xtoconqgtlre r- - m -
tbepass- e andprivilegesoflhenew usef VQ** *
;s
.,...51..x-(

The NAM cnablesyou to add variouslevclsofsecurity to useraccounts.You can secure acccss


to Cisco NA M and itsdata by crcating diffkrentuseraccotlntsin thelocaldatabaseasshown in
thcGgurc.The tirstlevelofsccurity isassigning passwords to uscraccounts.Thcsccond lcvcl
ot-security isto contigure tlseraccountsto limitaccessbased on the NAM lkature set.Thc
NAM feattlrcs include the following:
* Accountmanagement
* Systcm contiguration
w Packctcapturesand dccoding
. Alarm configuration
* Collection configuration
* Collection vicwing
These configuration optionscnableyou to limitaccessto Cisco NAM based on the functional
necdsoftllc user.Forexamplc,cnginecrsrcsponsible forfaultm anagclnentsystemscan bc
given acccssto collection and alarm configtlration to define alarmsand notit-
ication.Enginecrs
responsible fortroubleshooting can be given collection view and captureaccessprivilcgcs.
Nctwork planners can be given collection configuration and view acccssprivilcgcs.You m ight
w'antto considcrassigning a1lacccssto oncpcrson w ho isrcsponsiblc foroverseeing thc
variousncedsofusersin yourorganizatiol).Itisup to you to dccidc which usersneed acccssto
each ofthe feattlresavailablc.AI1usersby defaulthave thccollcction vicw userprivilegc.
allow ing thcjn to view any rcportforthc collccted data.

3-64 ImplementingCiscoDataCenterNetworkInfrastructure1(DCNI-I):2.
0 @ 2008CiscoSyslems,Inc.
You cal)plxlvitle additionalpassword security by adding TACACS IscrNr crstlpptrlfbr
atlthcnticatillg tlscrswho arct2ollfigtlred forN A N1 tlse.asslloy$'I)i11lllc l'
igtlre.
TACACSI isal)authenticatiol!protocoltllatprtpvides rcnaotc accessatltllclpticatitlll.
atlthorizatioll.alld rclated scrvices.vith TACACS1.tlserpasswordsalld privilegesarc
adlnillistcrcf.
liI)a centraldatabasc to providc scalabiIity.To use 'I-zNt.'ACS+ scrviceswitllthe
NA M .Iirsty()tl117t1stllave.oriIlstall.aTAC'ACS lscrvcrall(1col)iigtlrctheTACACS fserver
to includc :111accoulltfortlle N A M .
A TACAC'S ltlscrgroup sllkltlltlbe crcated Ibreach privilegetypc.NAM privilcgesarc
colptigtlred iI)tllc TACAC'S fscrverasCisco I()S shellcolnlnallds.Sce theCisco NAM tlser
(ltlidc fbrlnorc illfbrm atiol!oI1thc NANITAC'AC'S icolltigtlration options forNAM
privilegcs.Retkrlo yourilltlividtlalTACACS+ illstaIlation and tlscrgt,idcsforillstrtlcliollson
collligtlrillg yotlrTACACS1 servcr.
svllen yotlhavc conlpleted lhe TACACS+ sclarcrcontigtlralion.tlse thc AdInin > Users>
TACACS+ lask to cntertllc 1P addressofthcTAC'ACS #-sclwcrand tlle kcystkatyou assigncd
tbrthe NAM 011theTACAI'S1 sclwer.

@ 2008 Clsco System s,Inc. lm plemenling NetworkAnalysiswlthCisco NAM 3-65


hird- a y ccess
to Isco slng
,:1l1,I1I, x.
I$t@
ksI.
'
rj.arfjr Configure CisooNAM

MIe inforrretionfrom NAM '


bsing SNMP SNVP v1
$:*$4al&: andvzare)ugported
'
li.1 ..ll .> * ...
ax- l- - t- aAe v- :

W* . .
. .. . configurat,opfautitatesthause
ToaccesstheSNMP c.- w.sl.m/Komrn ofciscoNhv forengio- rs
consgurat
iongc c
eeo.sel
ecll
be - NIAM bwborngh
ypilrl
rjbe umng itwdthother
Admln >System >NAM SNMP rrmnagernepnar
.
tstys
yne tn
terwo
srk l
subrr-ntj t''--''RMONL8b BsexistingClscoNAM.ausswBlgrs

C
l
be
lert
lkd'
eathwr
erladi
teorbru
O ton
ead t
o
llyl
.or hoeptpleftBof
on g'
,
)'
ppwjpowv
e
afhdcllckCreateloaddrydelota DisabloSNMPcommunlcgllonby
communjtystrlngs - - delebngSNMP comrxnltysnoqs

r 'r
I j. ''I

You can define SNM P colnmunity stringsto allow accessto Cisco NAM with a network
managemcntsystcln (NM S)othcrthantheelnbcddcdTrafficAnalyzerforaccessingthcdata
collccted by Cisco NAM asshown in the figurc.You can usc SN M P comm unity strings 5o that
othcrapplicationscan send SN M P gct-and-sctrcqueststo Cisco NAM ,sctup collections,poll
t
lata.alld so on,to and from Cisco NAM .
An SNM P com munity isadomain ofoneorm ore SNM P agcntsand one orlnore SN M P
managelncntconsolcsthatshare accessinformation and conligtlration.ln othcrwords.
com mtlnity stringsaresim ilarto passwords,and they cnablc nctwork lnanagcm entagcntsand
consolcsto agrecon whatinfonnation and conliguration optionscan be shared.Forexam plc if
anetw ork m anagemcntconsole wantsto retrievc inform ation from an agcnt,theconsolem ust
be contigurcd w ith the read-only com munity string ofthatagentto read data from it.Ifthc
+
nctwork m anagementconsolealso wantsto setparam eterson theagent.itmustbe configured
with thcread-writecom lnunity string.
W hcn yotlconfigurcyourN AM com munity stringsas shown in the tigure yotlare configuring
colnluullity stringsthatanotherthird-party,cxternalm anagclnentconsolclnustuse to collect
informatiol:from orscnd infonnatiollto Cisco NA M .To do so.click thcC reate button and
add thc com munity stringsforread-only and rcad-write.To prcvcntany outside SNM P access
to Cisco NAM ,do notconfiguretllc SNM P stringsordelele allSNM P strilpgscurrently
contigtlrcd.

Note The NAM suppods SNMP com munication with SNV P version 1 orversion 2.

Note Forswi tches running the Catalystoperating system only,ifthe IP permitIistisenabl ed,
verify thatthe internaladdressofthe NAM i s added to the Iist,using the setIp perm ltsnm p
com mand.

To obtail)theNA M intenlalIP addrcssfrom the Traffic Analyzer.click Testfrom thc Swilch


Com munity String dialog box undcrSetup > Sw itch Paramctcrs.The Switch Com munity String
Testdialog box isdisplaycd.

3-66 ImplementingCi
scoDataCenterNetworklnfrastructure 1(DCNI
-I)v2.0 @ 2008CiscoSystems,Inc.
'

U6l1t T rc
a-
1I
To accessllleAldltTraisscreelh'seletilllle
Ad ToklscAtldllTrallyclu::*1sthrst
rrlirl>Lllaqrlosllcs>Akldp!Tf1Ilslzblierdu enableItbyselec 'tpnqSetdlp > '
Pfeferencesandc. tlefklflHtp4flAtlfjrl
Trallfhefzkbox
. t11.l11.
6I5C*
x'.
I 'r:t1(fIf .4jaaIyzeI.
.
r.
A:y!w
x oA;vW;fY'G' Ii- - 'J
y#
e.
'r
svv:vwttot##,
l
'
gJ
.>t
:.lbkw
t1)
- >
'
>.
4J
'' ' >; '#z# .
Y < 1* . : '
-e%>r''fe '' * ''*
.
''
A.djt &l.I1
' - ';.:1'. .cwy- - wo.rujx w m tae > mc

AI/#JA.,
1wo. ')e.. v..o pyr.yikp
Xkn m .I:D V * 10m 145D8 bve t- bel
te* .attf .0:xkle .r.
- tp761#5zpA Afe%%*-'*dd'*t*
ses- '
,oel..0.,,.vthzclJ+p

> AuditTrailprovidesusefulinformation such as which userIogged in


which IP address the userIogged in from,and whatactiviti
es were
perform ed during thatsession

'
$k'I1e11you have Iillishcd collfigtlring C-isco N ANIforscctlrcand ftlllctiollalacccss,yotlcan
track criticalwcb and C1..Itlseractiviticsin :111auditlog.
To cllable tllc AtlditTrai1.selctztSetup > Preferencesand chcck'rNuditTrail.
7'0 N'icw'the audittraillogxg()to tlle z'
Ndm in > Diagnostics> Audit'rrailtask.Tllcaudittrail
pnlvidcsthc follovving typeo1 'inforlnaliollby tlscri1.
).tiIlle.IP addrcssofaccess point,and
*
bricl'descriptioll:
* A 11CLIcollllnandspcrlbrlllcd
K Llscrlogills.illcltldil'
lg liled attelnpls
. tJllatlthorized access
* Su'itched Pon Analyzcr(SPAN )scttlp cilallgcs
K NctFlow l.
lala E.xport(N DE)data sotlrcccllanges
K Ellablc/disablc data collectitllls
* C'rcatc/dclclc rcports
K Start/stllp capttlrk
'
ls
* Add/delctetlsers

Note The NAM can be contigured to forward audittrailasertsas syslog messages to a remote
system .

(Q 2008 Cisco System s,lnc. lm plementingNetworkAnalysis withCisco NAM 3-67


'

C onf1guring C 1sco N S ystem T1m e


To
thesetrtnhle
Ad nCl
>s
Scos.tNAM
ern >s
NyAst
Mem
Syl
isrr
te
em'sTe1l
ec
rrxlt
y
stlbfnenu
.4 iII 1 4 N A sj T j.ajrj(...$uajvzrj.

Y4eA:e#*ne *A #%r.>L.(t1.).Ntqxf.>rrWrlTe4
Kk:: $#:,*/,TIn,*
. .
. .. . .c-
. . * > * ,tww-l4
-wp.
, . .. .. t- - - r- *w * m .& e 2dN &YM - *
w o kxx
>leM.@orrnklll, *F- #- W*- T**Y t3;*xer f)<*- s-ehAtu--
>... .... m4- --.-u - FWGY WP
.. u- o wx
p .. . , &o eaze
s ' , .i k. tfs v s,,
r- t.Pe @*>
- P8CAC V V ee cemf- e

1 ->
:> M *
Conggure theClsoo NAM system ti- tosynchronizewlth *
the llrrmsetontheNostsMtchchrctxqgurethBClscr
NAM tosetItstirx base onanNTPserver

M ostanalysisofthcdata thatisreportcd by Cisco NAM isdcpendenton thetime thatthc


rcportcd evcntsocctlrred.Thercforc,itisimportantthatthe time ofthcNAM ispropcrly sct.
Tlpc systcm time ofthc NAM can be cithcrsynchronizcd with thetimc seton the hostdeviceor
itcanberetricvcd andsetfrom aNetworkTimeProtocol(NTP)serverthatisresponsiblcfor
sctting thetime on aI1network deviccs.

3-68 lmpp
ementingCiscoDataCenterNetworklntrastructure1(DCNI-!)72.0 ()2008CiscoSystems.lnc.
Usc tllc Adnlin > System > E-m ailContiguration task to dctillctllc cxtcrnallnailscrvcrtpop
orcxchangc)anklc-mailatldress()ftllc recipielltto be tlscd.

@ 2008CiscoSystems,lnc. lmpfem enting NetworkAnafysfswfth Cisco NAM 3-69


'

S ystem dm inistratio n :S ystem


Settings FTP Reports and Iarm s
.Il1'I1$, N.
sAI T 1.afflf.A 11alyze1.
, .
ql5@ . . . . ;
'

Y'
mlA - * %'1efhp'lvl'
ee;PFr?s'
ilsrvczavAe
e1* t>e.Itc*pIIgIze*,lqo

. w. ,. e p
. . .. -m - - -

>Y!.EQ- - ytlkfl
. ; <P
po PG
To
AdcmI
on
nfi>gtl
Sre
ystthpm
eFTP
>FTsPerCo
vern
.sgeur
leat
ctit
ohno Fmw pdlr
subcenu @****N'
Bob
Slrrglartoe.rreiltheCiu NAV canbe M** '* t
conhguredtouse/TPt otransferalarrrsand
rem rtsfrtxntheNAM loanFTP server.iftbig M* - ''
frethod
e'ROflO to the'K eosedFTPserrt
isc t
ms gur
ed al
arms and repo vswillbe
er **:*** e- .
e - . -
f ...- ;1r
I ApI. 1l
-e
.h
d
.-rl
p
w .'
.
-

The NAM also allowsreportsand alarm sto be transferred using FTP.


Use the Adm in > System > FTP Configuration task to add externalFTP scrvers, theiracccss
credentials.and the directory to placc the rcportson the FTP server.

3-70 lmpkementing(
DscoDataCenterNetworklnfrastructure1(DCNI-!)v2.
0 @ 2008ClscoSystems. lnc.
'

Gte
v d -
1n -
1strat1o 11: ste''n
Ott-
113 s e u 1-1sh 1n e o rts
T'oconfigtllo 111(%wnl)publscatir.m seliActIlle 11..11I.':.r1'I.:1
Adml
n>Syst
seumbr> We
reptlbPtz
hi
ll
r
atpon kaIt'ze1'

j, .r;. .> - .,
w .
> .. . ...t
. . w p .?k .
'.
1tL '.
, I..'ien- weu a - jsom- -
? .. r.- v:e> - ,*&*14xef,gtx
( * te: **k'SM XM
l.. e - ;v N
feo
jvx!-Tk,eee
t.oev
> . . . A- e ce t- u w.aVW
.. . . . .. >ct(* '
e
r-- pk:: : w c- qx -
1 ' xt
eI(.y. r''e: *#Y rov!

acd !e;l(3rts(:ret?nSA1h()Utei('Nln W et);)t,N1c8t1tln6a!beO;)eIl()r ?*q'*'ed.*'Jtr'e


SCSS11)U1 FeSlflfltt?d!lS1n6)XCU3C1d/Or P
@
13WKlO CW
pl1l)1IGat1r;nC.cld() lo1feT*eTwetvpttrt'et*;e519
rw'A'ewdre @

T()cllablcl11is fbature.selectAdlnin > Systeln > NN'eb Publication.sclectthc rcpol' ttypesto


ptlblish on thc web.and opliollally rcstrictaccessusillg :1Ptlblicatiol)C'ode and/oracccss
trolltrollist(AI-'L ).

(I)2008 Cisco System s.lnc. Implementing NetworkAnalysiswith Cisco NAM 3-71


'

* K *
yste lnlstratlon.
s
P references 11 sers
.,11,111, N Tl.affl:Ajlall.zer
tIsto ' .

c. I... ' :
Y@eA..>*:<@6<'a'*Fr5T1'mJ+A1 Usethisfietcrtocuslom ize Usethis5e1dto cuslornize
'e#'*'**#*: thedefaulknumberofrows how oflentbe CdscoNAM
Toc
thon
efigtl
se tr
tze
ptheuesfeer
>Pr reo
pref
eresnub
ces ces
rre's
r'el
uect inatable fefreshesthse
fgeda
w tathatyou

Checkthls5e1dloenablerP e*e - - fl'1= ) 16 '*'ru:R?4MNR>


hostnarre resolutionforuse AVG ''*'.*10**
ofhostnarresintablesaod **'+ *'**$&M *C' B0 SGOJAYRIAA*
graphs 2***:@/wh@p:(1.1$) 10 rbxkm.
sv- * '
L1
Us0Iher.e5e11s . kjsetusfieldto
toforrrk'l:dataart - t- - L-J custorrizelhed8fault
0ktfnbeFS - - .. . . nurnbecofbarsIca
1.'j> rkf)1qa za1,;!a rl s
G EY- $;e t;oo w e oe
Checklhisfield to Ate Tre r6
enableAudstTraij L* - - LJ
.
f
. xpp/
y ($.
cs.,1

From the Setup > Prefercncesm enu,you can do the following:


. Custom izc how many rowsofatablc are displayed pcrscreen from lto l000)thc dcfault
valuc is l5.
w Configurc the rate atwhich the Traftic Analyzerrefreshesthe data yotlview in M onitor.
froln l5 to 3600 scconds;dcfaultvalue is60 seconds.
*
* Configurc how m alty graph barsare displaycd in Tophlhostgraphs;dcfaultvalue is 10.
* SelectifyotlwantthcTraffic Analyzcrto use IP hostnam esrathertllan an IP addrcssin the
tablcsand graphs.
* Configtlrc how to display largenum bcrs.
* Enable AuditTrailfortracking criticalwcb GUIand CLIuscractivitics.
* Enablc ESP-NUIIHeuristic.which forcesCisco NAM to check aIlpackctsw ith an ESP
hcaderto sce ifitcotlld be using Nullcncryption and parsc contentappropriately.The ESP-
NulllIctlristic featurc addsproccssing overhead.so itisdisabled by dcfatllt.
These settingsare globalpretkrencesscttings and apply to allusersoftllcTraft'
ic Analyzcr
softw areoI1(--isco N A M .

3-72 lmplementingCiscoDataCenterNetworkInfrastructure 1(DCNl-1)v2.0 @ 2008Ci


scoSystems,Inc.
'

-
Or1f91n o st 1tc13 o nf-
- 1c tlra.t-
1o n

N T 1$1ffit
'A 11:)Iyzr1'
l@tlp

%eleet;I>'@d*,*.1*n

%........................ 9*12/nM9Shlob:* *omhy*#(1??16:dsgl1e19>t%db(!92f6ed$911/)


t
j.sor pwjN.sacyv.s.pn
#+* e QvXyNeM A- C-er/N FtUCY -

&vdeet- 43e D hxy:D*

Co MI> lnformallorlalhollt1be
p- .eo.,fyrorveta r
.v hostknj%wI((.j1.syjue
%- wr:gtpo+.:rcd Cornrrltkolr'allon arld
YM Tm lwet*r* '''''

f- Ste'n > e ono A!D!$6,N:IM(mrel*'Y5


'
- ra wm- *dtmlw,vwec.

@ 2008 CiscoSystem s.Inc. Implementing NetworkAnalysiswith Cisco NAM 3-73


S um m ary
Thistopic summ arizesthc key pointsthatwere discussed in thislesson.

S um m ary
. Cisco NAM mustbe provided with an initialIP configuration to
enable com munication with otherdevices.
. Cisco NAM access parameters are initially configured from the
CLlto accessthe Ci sco NAM bywayofthe network and can be
changed via the web interface.
m Use a standard web browserforclientaccess to the Cisco NAM
Traffi
c Analyzersoftware.
* SeveralIevels ofsecuritycan be defined forCisco NAM access.

3-74 Implementing Cl
sco Data CenterNetwork lnfrastructure 1(DCNI-I)v2.0 @ 2008 Cisco Systems.Inc.
uepsop31

M onitoring,V iew ing ,and


S aving D ata

O verv iew

Objectives
S cenario 1: Live N etw ork M onitoring and
A nalysis
This topicdisctlssesthc scenario whcrc NAM isused forlive nctwork monitoring and analysis.
*

Live Netw ork M onitoring and A nalysis


Problem description:
- Severalremote branch offices willopen soon
Ensure thataccess to criticalapplications hosted atthe data
centerfrom the rem ote branch is optim al *

Monitoring plan:
-. Monitorswitch health +
Monitorbasicportstatistics(utilization)
Detailed analysis ofselected interfaces using SPAN feature
. Ci sco NAM m onitoring willprovide:
Hosts,conversations,and application usage
Server-clientresponse time monitoring
.. URL moni toring
.. Packetcapt ures

Problem Description
Thc network monitoring team has metto discusswaysto be morc proactive, espccially with a +
large branch ofticc opening soon.
The goalisto enstlre excellentperform ance acrossthe W AN when the branch officesare
acccssing applicationshostcd atthccom orate scrvcrfarm .

M onitoring Plan +

Thc action plan isto pcrfonn thc following actionsand then reportback on the results:
K M onitorswitch health
. M onitorbasic portstatistics(utilization)
w Detailedallalysisofselccted interfaccsusingSwitched PortAnalyzer(SPAN)feature

<

3-75 lmplementingCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.O ()2008CiscoSystems lnc.


A ction 1:Port M onitoring

@ 2008 Clsco System s.Inc lnlplementing NetworkAna6ysiswithCisco NAM 3-77


+

<

Aftcrthcswilch iscontiguredforSimplcNetworkM anagemcntProtocol(SNM P),thcnetwork


lnal:agcmenlteam can look atthcutilization ofcach port.Using theTraffic Analyzcrsoftware,
click M onitor> Switch > PortStats.The Pol' tStatsreportisdisplayed in the figurc.
M ostofthe monitorviewsoftkrthreepcrspectivesby choosing the appropriate radio buttonsat
thetop ofthcdatatablc:
* CurrentRates:Providesstatisticsfortraffic collected dtlring the lastrcfresh cycleonly.
* TopN Chart:Providesa listofportsranked by volum e fordata during the lastrcfresh
cycle only.
K Cum ulative Data:Providesabsolutc valuesfordatacollccted since thc interfacc statistics
counterswcrc lastclcared.
Thc Iletailsbutton providcspacketsizc distribution forthe portsclected,whilctheReal-Time
buttolpprovidcsarcal-timegraphforvariouspcrforlnanccstatistics(thatis.bytespersecond,
packetspcrsecond).
The rcfresh cycle can be m odified by choosing Setup > Preferences.changing the Refresh
Interval,and clicking Apply.Ifthe Auto Refresh check box is sclected on any datascreen,the
tablesand chartsw illbcrcf'reshed as new data iscollccted.
Using these vicws-the network m anagementteam happily notcsthata1lcriticalportsarcbarely
utilizcd.Thctealn canuscthis information to confirm thebandwidth prcdictionsthatwcreused
to dcsign itsnctwork.Ifalpy abnorm ally lligh utilization orerrorconditionshad existed.the
network lnanagelnentteam could usethese viewsto help determ ine the cause.
Alld the bcstway to bcalcrtcd to issucsisto configtlrcthreshold and alannson thesccritical
pol-ts.Thispracticc iscovcrcd in *tscenario 4:Troublesllooting.'' <

3-78 lmplementing Cisco DataCenterNetworkInfrastructure 1(DCNI-I)v2.0 Q 2008Cisco Syslems.lnc.


'

1ew P o rt tat1st1cs eaIT 1l'ne


tI$co m et. .. T'd
17)>
'A' s......k$/', ..#,tsz..'qv'uv(6
e.
!lr6z.
- '.v' !w..Z').<. g
.. > .
7p.'..sir...
u.
1.r.
5b. .
' -
/ .k
'g .P
y
CF
'
4k);va.
w'
14
v- Ar.p- *' '&. .'..' , p. ,':''
Rl'
p.>., s1a1& S/1()rttern)report(Feal.tllnelllllsalf!)
. < ,. ,. avallablefrom InostItlt>llllorlagrtvilorts
>t/LMe4
' Cl rl- M e ''T- c- f, --'=a 'P-
'- ' CM T#%** Tree Te p* *' hFl''-' Sf*-' ''e'' '
- 1.2+ 7:K+*
tt- .e * * PN%r4*l#kv xr**
' d6p It17:!16 !7'k e)hN) CC4 :6*1 0%'
RoalblkM. ,graphthatstarts p #p z,1* vt
p1ottlrt$;whcnwit,dow is = 4e . ' ' ..
displayed.4plirltptesofdata *** E*''b''1 *'64, x 1.. e,f.e
k,p.. '''-II
h/1
Iss/lf'wn ''tG''e* . q h '

'm
jayy
m
Fezr j -x-.2j
hl.w ).
-x.-,K
4x.n '
9
.1*
0x00
1 SelectplrtandcbckRna!rpn:eto
>wgu( vlekv(k)r.se ralemove'tlroe

Q 2008Clsqo Systems.fnc. Impfementing NetworkAnaf


ysiswith Ci
scoNAV 3-:9
'

EnabIe C oIIectio n Core onitoring


,II1,1Ii' s .
xsl'
rrafj.
l.:11alyz.1. .
t I:t2o .'

Y Ae.''''47w1.p >114z'4r''yf%mW.
twyh
er':p '
C@I* M wnlt*II#1g Fult1*rs.
>6,.1.
#..P+ 43*H
. -... ! the:- Seper
vl
rof v f&!
.
)$jf1
..
x
. . Z F-pe f- - l --

' Z K- pwrecs > - <*

The supervlsofrrodulestatpsttc.s(loterface VLAN 8ndNBAR


stalistlcs)areasx rceofdatafortheerrkleddedCisc,oNAM
FN lheChsco NAM loanaiyzeaodreportonlhesestatisbrs
rrxlollonnofthesedatasotircesrtklslbeenabled

I11thiscasc.the supcrvisormodule isproviding the datato Cisco N AM foranalysis. These


statisticsconsistofthc portstatistics.V LAN statistics, and Nctwork-Bascd Application
Recognition(NBAR)protocoldirectory.
Like any NAM data source,when tlle statisticsordata source issetup ordetined, no
proccssing ofstatisticstakesplaceby Cisco NAM untilmonitoring iscnabled forthc individual
data sourccs.asillustrated in the figure.

3-80 lmplementingCiscoDataCenterNelworklnfraslnacture1(DCNI-I)42,0 Q 20(3 CiscoByslems.lnc,


*
-
1e 1tcI3 eaItl'1 S tat-
- 1st1cs
. 1lj.jlj. hz:sjy1
.vffix kltal)zer
**#
'...
..s.xwsaav
. a.
. 'F'
.t. '. .
v .; . .' z..&#L .
v '. ' v.z6.
.
j'z.rv''t'...pJ<2 .)w...'.'e?. .' '..'
V2r?li'-<v'A.'
rT.77
T

l a.. 4cwr- - gaylhutz- xzevzxz:em

S-t%pt11g11111 v

cG ev- . 0 .- t. ..

x
Reap.t
lmeqrajllthatstarts
piottingwelepwlldow is 4 3 .2 I (, )
displayed 4nynlltesofdala t 7 1 l 0
rsqhnwn > - 4 ''O K ' - 3w
'
loql-lqy>.m..<pv @%

Fllrlherdowolhescreen w. 4* rys'x seldl!> zsAz


vlew rryerrxlryosaqe feas - - - < .f - .-.' - '''

@ 2008 Cisco System s,Inc. Implementing NetworkAnalysiswith Cisco NAM 3-81


v

A ctio n 2:D etailed Port M onitoring


Thistopicdescribesdetailed portmonitoring with N AM . <

A vailable Data Sources


* Cisco NAM can analyze and reporton portactivi
ty byviewing
packets,NetFlow records orothersources
+

:):
a1:,63(
n!1r(l6) -. . . *- .
SPAN Session(Pod.VLAN, Dataport
Etherchannel)
Remote SPAN (RSPAN)Session Dataport
+
VACL(WANInterfaceorLANVLAN) iatixort
NetFl
ow DataExpod(NDE) NDEi'
atapoft
SupervisorModule(enableMVi-RMON) SNMPQuerils

Oneofthc keysto a successfulN AM dcploym entisproperly selecting and configuring data


sourccs.Thc uscrmustundcrstand thatthisisa two-stcp process.First.datam ustbe sentto *
Cisco N AM tbranalysissalld second.sevcralm onitoring optionsm ustbcenablcd forvarious
subsetsofthctrafficthatissentto Cisco N AM foranalysis.
DatacanbcsellttotheNAM -landNAM-2 tbranalysisusingthcfollowingmethods(cach
upcom ing scellario m ay usca diffcrenttypc ofdata source):
* SPAN session:Copy packctsfrom ports.VLAN S,orEthcr hannelsto a NAM -Iand
N AM -2 data port;thcN AM -2 hastwo dataports.
* RSPAN session:Copy packetsfroln a remoteswitch:ports,VLANS,orEtherchannclsto a
NAM -land NAM -2 data port;the NAM -2 hastwo data pods.
. VLAN accesscontrollist(VACL):TheVACL hastwopurposcs:
M ollitorIP trafl
scon a W AN interfacc.Bccause W AN interfacesdo notsupportthe
SPAN function,use thesw itcl:CLIto manually configure a VACL in ordcrto
+
monilorW AN trafficw ith Cisco NAM .
UseVACL forVLAN traffic m onitoring on a LAN ;traffic can bcsentto Cisco
NAM by using thc SPAN feattlre of(he switcll.Howcver in instancesw hen a Iarge +
amountofLAN trafficbcing spanncd exceedsthe m onitoring capabilkty ofCisco
NAM ,prefiltcrlhe LAN traffic befbre itisforwarded.Thiscan bc done by using
VAC L.
K NetFlow Data Export(NDE):Forward NetFlow rccordsfrom adeviccto aspccial
interface (N DE Dataport)on thc NAM -land NAM -Z.

3-82 Implementi
ngClscoDataCenterNeG orkl
nfrastructure1(DCNI-I)v2.0 @ 2008Ci
scoSystems,Inc.
+
Kecp i11lllilltltllatu'hcn ytltldcfiltc a sotlrccofdata.althispoillttllcdata isbcing scntto 'isco
NAN,Ibtltllotyctbcing analyzcd.The sccond stcp isto ellablecolleclion ofstatistics for
diffcrelltstlbselsoftllc forwardcd traftic.Tlle data sourccsprovidc tlle traftic to Cisco N AN1
forallalysis.Thel' lwhen thc collcctiol:ot'statisticsisenablcd.tllctraffic isanalyzed alld brokcll
tlllw'llillto stlbsetsoftraffic (alItraflit!.illdividualVLAN s.iIldividualM tlltiprotocolI-abk!I
Switclli,lg fMPLS)tags,orsubsetsofNDE sources).ThcuserwilltllellcontigurcCisct'NAM
to Illollitorvariotls typesofstatistics(allplicatiolls-protocols.llosts.collversations,allt.
lso oll)
tbrthesc trafiic sotlrces.

(Q 2008C isco System s.Inc Im plementpng NetworkAnalysiswithCiscoNAM 3-83


S panning T raffic to C isco N A M for
D etailed A nalys is

SPAN Session#1coples
cribcalGigabitportto
z. * t. .. Dataportol onthe Ctsco
NAM fodetailed
analysls
. NDE
.z . Datapcd-l Dataport-z Dataport ..
SPAN Session#2 coples
a VoiceVLAN to
'
, - - -. Dataporbz onthe Clsco
. g . jjyi
v or(sjajj
ecj
analysis

Ifnetworkpacketsarccopied(spanned)totheDataportintcrfacesonCiscoNAM .CiscoNAM can


providcdetailcdanalysisofthetrat-fic.By viewing thepackctheadcrs,monitolingtransaction times.
and capturing the cntircpacket,Cisco NAM can providclposts.conversation.and application
slatistics,aswellasprovidcresponse-time lnonitoring-URL monitoring.and packetcapturcs. +

To copy packetsfroln switch ports,V LANS,oran Ethcrchannel.thenctwork m anagemellt


tcam can tlse the SPAN feature to copy tlle packetto a detined Dataporton Cisco NAM .In this
scenario.the network lnanagem clpttealn willuse SPAN to copy thecriticalportsand VLANS
to the Dataportinterfaceon Cisco NAM fordetailed analysis.Keep in m ind thatifpackets
froln multiplcportsarc copicd to thisiltterface.the traflic and statistics arc aggrcgated.
Spallning istheterllluscd to definethecolltiguration reqtlired to copy tram c from sourcc ports,
VLANS.oraCisco Etherchanneltunncltoadestinationswitchport(SPAN port)foranalysis.
A SPAN session isan association ofa destination monitorpol
4 with oncormore sourcesof
traftic.Sourcescan bc physicalports,VLANS.oraCisco Etherchanneltunnel.W hen Cisco
NAM i5installcd.the hostsw itch recognizesitasa SPAN dcstination. Thcuserselcctsoncor *

nlorcpol -ts,VLANS.orEtherchannclsand the switch copiesthetraffic from the selcctcd


sotlrcesto Cisco NA M foranalysisand rcporting.

Note The NAV-2 hardwareincludestwodestinationstoal


low increased flexibilityfornetwork
monitoring.

Note The abili


tyto spanVLANSallowsthe usertoachieve additionalm oni toring flexibility. Rem ote
switches can be configured to exportdata on a specialuser-defined VLAN . The NAM can
then span this rem ote VLAN effectively spanning data from a remote switch.This capabi li
ty
isknown asRSPAN (Remote SPAN).
Note RSPAN data traverses production Iinks'so keep in m ind thatwhen using thisfeature,
RSPAN copies and forwards packets to a remote NAM foranalysis,and thus additional
+
traffic willbe placed on yournetwork.RSPAN and SPAN are m utually exclusive'ifusing
RSPAN then you wi llIose the abilityto span data to thatport.Consi
derusing a NAM-2 wi
th
its second data pod to altow Cisco NAM to do both SPAN and RSPAN together.

3-84 lmplementingCiscoDataCenterNetworklnfrastructuret(DCNI-I)72.0 @ 2008CiscoSystems.Inc.


To span data to tllc NAM -Iand NAM -2 tbranalysis.firstchoosc tllc Setup > Data Sources>
SPAN task.A table willbe displayed show ing the active SPAN sessions.Thisscrccn isalso
uscfulttlrcfcrto whcn Iirstacccssing tlle NAM -1and NAM -2 t()verify w hatthccurrcntNAM -
land N AM -2 data sotlrccsarc,in casc they were changed since you Iasttlscd the Trafl
ic
Analyzersohwarc.
lfa SPAN scssion isalready active.anothcrone callllotbe created (tlnlessa NAM -2 isbcing
tllilized)tlntilthcctlrrcntsession hasbeen dclctcd.Anothcroptiol!isto Editthe ctlrrelltsession,
butonly iftheSPAN type isnotto beclpanged.

Note TheActi
ve SPAN window willdi
splayaIISPAN sessionson the hostswi
tchand notjustthe
NAM-rel
ated SPAN sessi
ons.

SclcctCreate to contigure a new SPAN scssion on lhe switch.

@ 2008 Cisco System s,Inc. lmplementing NelworkAnalysiswilh Cisco NAM 3-85


'

vrR
Onfigure P N ont.
(...k#l)
(l.
?
j.
j,:
t.
bj
.
'.i:2j
.)
1(
.
g
.;.
()
(
))
:u
.t
y:.
... 41
j1(
k11 '$$'
2)'.)(@
r)
kt.
y
r;
1r.)'
)1
..,.
tr
j
:
k:z
jy
;,
L
,.
j
r(((
. 1o
'(
.!
Ilk
rr +
......ovyxay j v connourationscreenforcatioua
svxgsession conngorableopM
tl
ons
$- :> @ she '- CJvt- ('
)''-'-''''' C
Jv AN> Indude
s.k*e,Nqx- Module2 2portsbbusn kczousFrczl v * SPAN ty
Etherclaapnn
e(ept
lm.VLAN
. Rspym i/uAN)
wAN---.-.-.-wlrf= : DV AK RT 7 .,, - switchrx iule(ifspanning ports)
C) O xx :3 a<ei * SPANiestinadoointedace
(DATAPORTIorDATAPORTZ
A $- - ''' ''Qn.- forNAM.2on1Y)
($1271 . . spAjldirection
raj j .k
i i . spAxsources
! ..
.: ,,rt,t ii
!
;
1 111 l. a' :>v: 1
'' t:-.-....-..-zznzzzz?
.
Spansessiooscanconsistofone
4
)
4goswk
vea. j
ormoreporlsorVLAN.
N butnota .
mixofgort
sandVJANS
. .
. jceowlx.
js:qsos
ML

These stepswillconfigure a SPAN session on thelocalswitch: Y

step 1 You can selectSw itch Port.VLAN ,Etherchannel,orRSPAN VLAN forspanning.


In thisscenario,acriticalGigabitportwillbe selected fordetailed analysis. Thus,
click the radio button Sw itch Port,
step2 SelecttheSwitch M odule containing theportorportsto span.
step3 80th directionsoftrafficneed to be monitored.Click thc radio button Both.
step4 Choosc the Gigabitportfrom the Available Sourceslist.M ove to the Selected +
Sourceslistby clicking Add.
step 5 W hen done adding a1ltheportsto span,click Subm it.The SPAN session is created
on the sw itch automatically.
step 6 lfusing nativeCisco IOS Softw are,you mustthen click Save from theprevious
Active SPAN Sessionswindow to cem plete creating the SPAN session and save to
thc startup contiguration.
step 7 Repeatthese stepsto setup a second SPAN sessien forthevoice VLAN . Two active
SPAN sessionsareavailable only w ith aNAM -2 service m odule.

3-86 lmpl
ementingCiscoDataCenterNetworktnfrastructure1(DCNI-I)v2.
O @ 2D08CiscoSystems,lnc.
Bcsitlestlle DATAPORT 1alld DATA P(.)RT2 data sotlrces,tlltlrtru'illbc othcrsto clloosc f'
roll).
asllotctlllcrc.
* AIvIZSPAN :M onitorsal1tnlflitrlbrwarded to the N AM -lalltlNAM -Z by lncal
lsof
spalll)illg scssionsand VACL trallic.
w DATA PIIRT X :M onitorsalIlraffic fbrwarded tt)al)iIltlividtlalNAM -2 data portby
lplttallsofspanlling sessionsClltlVACL traffic(NA M -2 optiollollly),
* %.'Ia.
A N X :M onitorsal1tral'
fic forurardcd to the N A M -1alld N AM -2 by lneallsofspallllillg
sessiollsalld VACL traflic lllatllasnlelnbership in the VLAN sclccted.
* Encapsulated RSP.
A.N (E RSPANI:Nl(nitorsalltntflic rcceiq'cd via ERSPAN .
w 51PI-N TajjX :M onitors:111trallic tkprwrardcd to tlyc N A 51-lalld N AM -2 by lllcallsof
spallllillg scssiollsantlVAQ'L lrill'
lic tllatl'asInelllbersllip iI)tllc NIPLS traftic tlow
selcctcd.
* NDE default:M onitorsal1NtltFltlw traffic sen!by a sillglc NctFlow'device.
* N I)E custom :M onitorsa stlbsctt)fN etFlow traflic j'
r()llltlsillgle device.

to 2008 CiscoSystem s,Inc Im plem entlng NetworkAnalysiswith CiscoNAM 3-87


+
Enabling datacollection inform sCisco NAM ofhow to analyze thedata,including w hattables,
graphs,and chansw illbe gencrated,and how many entrieseach reportwillcontain.
. Application statistics:Enablesthc monitoring ofapplication protocolsobscn'
ed on thc
data sourcc.
w Hoststatistics(network and applicationIayers):Enablesthemonitoringofnetwork- +
layerhostactivity.
* Hoststatistics(M AC Iayer):Enablesthemonitoring ofM Ac-laycrhostsactivity.Also
enablcslnonitoring ofbroadcastand m ulticastcountsforhostdetailscreens.
K Conversation statistics(network and applicatlon layers):Enablcsthemonitoringof
pairsofnetwork-laycrhoststhatare exchanging packets.
K Conversation statistics(M AC Iayer):EnablcsthemonitoringofpairsofM Ac-layer
hoststhatare cxchanging packets.
w VLAN trafficstatistlcs:Enablcsthe m onitoring oftraffic distribution on differentVLANS
forthc data sourcc.
* VLAN priority (classofserviceICoS1)statistics:Enablesthcmonitoringoftraffic
distribution using differenlvaluesofthc 802.lp priority ficld.
K Network-to-M Ac addresscorrelation:Enablesthe monitoring ofM Ac-levelstatislics.
which arc shown in hostdetailw illdows.W ithoutthiscollection.a M AC station cannotbe
associatcd with aparticularnetwork host.

3-88 lmplementingCi
scoDataCenlerNetworklnfrastructure1(DCNI-I)72.
9 @ 20(3 CiscoSystems, lnc.
Sillce packetson tllccriticalsw ilch portsarcbeing colpicd to tlpc Ilkltkll'ort-Iinterface on C-isco
NA M ,usc tllc Data Sourcc drop-down lnclltlto clloosc DATAPIIRT 1.
Tllt!l-
ollosvillg tbtlrgrapllsarcsllowll:
* slostActive Applications:Thisgrapllsllowstllc lltllllbcrofbytt
ascollcctcd pcrsecolld tbr
cach protocol.
* s'
lostActive Ilosts:Tl1isgraph slloqvstle llunlberofbytcscollcctcd persccolld forcach
addrcss.
* Stwrver RespenseTilne:Tllisgraph sllovvsthescla.t
2rrcspol3sc tilnc alld tllc prtltocoltlscd
by the servcr.
* ProtocolSuite:Thispicclla!
'1shows tllcTOPN lletwork prt'ttwols.
Tllcsc grapl'
!ssllou'theTOPN .u' llercN by defatlltis 10,btltcan bc collfigured f-
roln lto 15 il:
tllcglobalprcrerclpcess
'click Setup > Preferences.

@ 2008Cisco Systems,Inc. fmpsementingNetworkAnalysfswf


thCisco NAM 3-89
'

.e I
I .n p jI
.CatI
.O n tatl
-Stl
*CS

.
r, o
!> . .. .. 1 .'
.i'qz
' ' #' . uf *? '.5t '
!. . .
Y* *%* *4.$dJ'? y..r4' F!.':%:.w..t4w-'z't'
;p.$1eAt1*p* Protoctlls8ndlmrrpntr'
etesSef!nOnthe
. j.e-e -- -eIpxz1:& > ,raf4eT DATAPORT interfaceorltheCisco NAM
C)vwr- - . C?Te t- t7
.' ''' -
' '' .'
tee UATAPORT1 * . .pRejJihap'
.
- 1.!0eIN'@r.tl
7 ' : ' /* *w 'c> '

Rt'rnenlber SF'AN wasuseu f'1 2 'e' z.= .*' '.*'*''e'.= a


toforwardthetrafscfrc)m the : ' M 46* 111> 4FA .1%
swltchportsandVLANStothe '
DATAPORT olerfaceOnthe . r 4 m .:,4 &15.,- N .1%
cisooNAu f
orl
h.
stw eof - .-$
v 10 *' k- e$*%v R 4**- 1 #:e :$1
detaledanay s . .. .

Thc Overview graphsprovidcd a quick look.in graphicalfonnat.attheTopN protocolstlites. e


activchosts.and activeapplications.To vicw morc than thcTopN applicationsand the
distributiol:ofpackctsand bytesbased on thc application protocol,click M onitor > Apps>
IndivldualApplications.
Again.since packetson lhe criticalswitch portsarcbeing copicd to thc Dataport-1interfacc on
Cisco NAM .tlse theData Source drop-down menu to choose DATAPO RTI.There arc thrcc
displaysto view :
* CurrentRatesTable(illustrated in the tigure):Thisdisplay enablesyou to view the
Iltllnbcrofpackcts and bytescollected forcach application group thalwasseen on thc data
sotlrce overthe lasttimc intcrval.
* TopN Chart:Thischartenablesyou to vicw the ntlmberofpackclsand bytescollcctcd for
thcTopN applicatiollprotocolsin a graphicaltbrmatoverthe lasttime intelwal.
K Cum ulative Data:Thisdisplay enablcsyottto view the numbcrofpacketsand bytcs
collccted foreach application group seen on the selected data source since the collection
wascrcatcd orsinccCisco NAM wasrestarted.
To drilldown into the application protocoland sce the hostsusing thisprotocol,simply click
the radio button nextto the protocoland click Details.
Followingaresomctipsto consider(appliestootherstatisticreportsaswell):
* To rcfresh thetable.click Refresh.
<
w To qtlickly locate datain atable,entertextin thctextbox.and click Filter.
* To sorta table variable by percentage ofthe total.click on the colum n headcr.Thc variablc
isIistcd in dcscentling ordcraccording to tlle perccntageofthc total.
* To vicw datathatisgroupcd,click the + sign in frontofthe group llamc.
* To change thereportilpg timc inten al.click Setup > Preferences.

3-90 lmplementi
ngCiscoDataCenterNetworklnrastructure1(DCNI-!)v2,
0 @ 2098CiscoSystems.lnc.
@ 2008 Cl
sco Systemsllnc. lmpl
ementlng NetworkAna4ysiswdth Chsco NAM 3-91
'

ie -
1ng ost tatistics
+
.I11.lI
4.
*
yp&
'
hIT1.
arfjt.xnply:ej.
CI$
go

!tw'- - ..wp.'1,.*,- .'riwflen. Hegtsanu curreotratesseenoot:e


,'.v..fJ41..1. DATAPORTSnledace(m lbe Cism NAM

i i
% 1'x-1X '

. .I. . '. w xv ,ol o'as4*, o.vrv J- q'4x> .= zl q


RenvmberSPAN wasused .-.- .. - .- . .-. n ..... .
toforward the trafficfrom the ' '' ' '
swrlch portsaocrVLANS(o:he ' ''
DATAPORTinterfaceonthe ' * JMm3 4R2721 510.M.5* :32.0e1F* 1% *585:
CCSC,ONAh!fOrthistypeof * * *''* '* 'R*' +
. 20 v k. yyp:g 144Ypp. J efge j.jl
detalledanalysps .- ........ = --.- ........w.. w..
t..s- .,- - - . - ..: Selecthosland *..
Iaunchothorreports ..j.
,.!
s.j'
ge.xy4f
;
4j
'1:
.rr
,,
I) '

ortools

Click M onitor> Hoststo vicw thc variousdata collccted foreach hoston the selectcd data
source.The same toolsapply to thismonitoring w indow.Forcxam ple.whcn you selccta host
and click Details.information on the hostisprovided,such asprotocolsuscd,conversations
+
witllthe source host,and so on.

v -

3-92 lmpdementingCtscoDataCenterNetworklnfrastructure 1(DCNl-1)v2.D @ 2008Ci


scoSystems. lnc,
@ 2008Clsco Systems,Inc. Im plem enting Network Analysiswith Cisco NAM 3-93
+

iew ing L N T raffic Statistics

* . .). . fTl '7 x ' .PQ7! '


V* A?***>@ ** r''x *'L%?1#' '#'''
V* '1r''
.
@kAKTra#tle%tall.lit.
b- .- - --& a- > .$RR o G
byrNlMtatdlfil.: (J)

(lhc- = .. t3Te - r'


.- '- -
t- - ALLSPM *
uonlkortrafqc ' *wv'- 1..35',''''-'
ratespervtA.N f
or :. krux/ok tn4o*** .. i/k:'
w''
.r.
. ;=' -
/'
*e.+'*e
k-'lh'
. wveki%
.
theselpcteddata , !1m: ,j,x :jw Nymzras :.7 49&n
SGufce
fgl.1Q$; 22.:2 1'% ::J4F3: Q1, >#/4
''
. ! lpt: 62:4 2F% ,3:e1et p; 23e4
- .-- >) v t- oesp
sv il4twt
o- : -1* )'hl
'
1 ......o - - > . -. .., !I.. ,.,,
j
+

Tllistigurc providesan exam ple ofthcreportsyou willsce ifyou cnablccollectionofthc


VLAN Traftic Statisticsforasclcctcd data source from the Setup > M onitor> Core M onitoring
mcnu.These rcpol- tsprovide traftic distribution statisticsby VLAN numberand can bc useful
tbridentifying resource tlsage pattcnlsby VLAN ID. v'

TheV LAN Traftic StatisticsCurrentRatestablecnablesyou to vicw variousdata collected for


each VLAN ID.Thc infonnation displaytd rcpresentsthedatacollectvd persecond overthe
lasttim c illterval.
TheTopN VLAN Traftic StatisticsChartcnablesyotlto vicw the various data collectcd forthe
TopN VLAN IDs in a graphicalfonnat.The infonnation displayed reprcsentstbedatacollected
persecond ovcrthe lasttim c interval.
The VLAN TrafticStatisticsCulnulativc Data tableenablesyou to vicw variousdata collcctcd Y
forcach VLAN ID .Thc infonnation displayed rcprcsentsthctotaldata collcctcd sincc thc
collection was created orsince Cisco NAM wasrestarted.
M
Forinfonnation on setting thc time interval,referto the GlobalPrcferencc Settings.

3-94 lmplementlngCiscoDataCenterNetworklnfrastructure 1(DCNI-I)72.0 (D2008Ci


scoSystems. Inc.
'

1 In r'l r'l a IS IC S
.lI'.I1'. N .
&11'r1.affie Anal.1'zq,.
CI$C(J ; n
':
4 z.'
,.4 'v?sf .,4 <
?
(/'
$w'z4z
> L
y
'
;lj
.
l
..
evs
s> Iv.
obo ;lzx
v )
zt'
;G7
jw3
*
;
f
.
'
sVp'
. f'
Y
yf
Mks:..
i %.sJ
r, .
'
j
Lo
4'
4'
x.
''
;
''
.%
Lbt
./
x1
.-;.
%' .' .
' r';' '
;
$JiJ4'
-*
k ;'''''
, j'
.%
2'
Jt'
a :'
=(
s'a.
,L '';
fv 2'..
.
.z . .. Jet.
>'w J. .
i>'Lv .g..f

. 'C' ***t.9.4- 4**te:frtm>S MW.fF2I.1>1*T


#P.!.
> 419676.
hC7i
... .. . .1 ca xx- - m. Z..'' )4e oww% $'hc '' tkl>
Monilortrafhcbased on x eRm e.M . 2L'PM '*
dlrferentvalutj:ofthe px- ,.2. areet-
802 1ppnontyfield .y.y.j:#.......;.
s....j '.'.'*<&4a::.:y..
...........
.. ? n. . 4f.ta)xf .
# e-wi- em . '. T4v*- ' o ''''- !c $86:4 l6f:1 106'?1!15

. .. . t' ,.. .'l


i
.. .. . SazakEl
ges/s'e

This figure showsthe rcportsyou willsee il-yotlcnablecollectiol!ofthe VLAN Priority


Statistics froln thc Scttlp > M onitor> Core M onitoring m clltl.Thesc rcportsprovide statistics
by aggregating traftic by thc valtle in tlle 802,lp priority field.Thisillfonnatiollcan bevel' y
tlscfulforvcrifying CoS (col lfigtlrationsand identifying possiblcconl igtlration problcm s).

@ 2008 Ci
sco SystemslInc. l
m ps
ementi
ng NelworkAnalysisw'
ith Cisco NAM 3-95
A ction 3: U sing N D E w ith C isco N A M
Thistopicdescribeshow to usc NDE w ith Cisco NAM .
'

M onitoring NetFlow O verview

Remote Device
(NetFlow-Enabled)

. Datapod-l Dataport-? NDE


Dat
aport .
NetFlow Data
Expod (NDE)

gydefaultthepccal
. . superkcLsorEngineorMsFcE
s
. alwaysavailableasaoNDE
delce

Since a routeratthe sm allerbranch oflicc doesnothavean embcdded N AM -land NAM -Z,thc


NetFlow datacollected atthisroutercan beexported to a remote NAM -1and NA M -2 fbr
storagcand rcporting.
NetFlow data thatisexported from a rcmote device can be received on aremote NAM
illtcrface.Asillustrated,the NDE packctscan bc directed to the NAM -1and NAM -2 NDE
Dataportinterface.

3-96 lmplementingCiscoDataCenterNetworkInfrastructure1(DCNI-I):2.0 @ 2008CiscoSystems.Inc.


Configuration Steps
Confi
gure NetFlow device to fo- ard to NAM-I orNAM-2 on UDP pod
3000
Use the jistening mode (TrafficAnal
yzersoftware)to see who issending
NDE traffictotheCisco NAM
3.Define the NetFlow device:
NDE data source is auto-created foraIlforwarded traffic
-..

'. Alternati
vely,create custom NDE data source forsubsetofaII
forwarded NDE traffic

unee tacoo
Netrpow ZporlData OE>:
' Q
Traffic z.
..
>e
.
z:
' ' .. .
a.
u..,: ,.yy)
,
*:. '# j;.yk@
Fl
owdataisexportedwhen O6e ()
(;'
enabli
ngsl
elrxwoothis G G
i
ncoml
ngr
nt
erlace %9 %9
Q' @

Thc firststep il1tlsing NDF packetsfbrmonitoring purposes isto configtlre the Ncllrlow device
toforward thcm to aNAM on UscrDatagralllProtocol(U DP)port3000.(Bydefatllt,thclocal
stlpcrvisorellgilleorMultilaycrSwitchFcatureCard (M SFC)isalwaysavailableasanNDE
dcvice.)
Thecollfigtlration colnm andsforNctFlow devicesto exportNDE packetsto Cisco N AM are
plattbrm alld devicespecilic.Tlle exam ple contiguratiol)comlnandsprovided hercarctlle ones
m ostcolnlnollly found fbrdevicesrunning C'isco IOS Software:

Note Form ore detailed information see yourdevice documentation.

Step 1 Selectthc intcrfacc on wlticllyou wisllto turn on routcd flow cachc.Uscthc ip flow
ingresscomm and to cnableN etFlow on a subinterfaccIcvcl.Usc theip route-cache
flow com mand to enablc NetFlow on tlle I nain illterface.
650O (config)#interface type slot/port
6500 (config-if)#ip route-cache flow
Step 2 Exporlroutcd llow caclle elltriesto U DP port3000 ofthc rclnote NAM .
6500 (config)#ip flow-export destination NAM JP address 3000

@ 2008 Cisco System s,Inc. lm plem enting NetworkAnalysiswith Cisco NAM 3-97
'

onh gure Is enlng ode


dIl$,ilt. Nx(sj T x.aff'jr A na1yz.r
.
f1$t* .

Y* Ar:le v*514(.
1 At'#>%v..
n6ez #**l':'
#z..
'p#.kk/rteye'aY.%pr.
I;
**1FI4w t1lt@olog Mpd* USethelisteni +
#k- t- - ' '-/M/- X/ ngrrodetodeterminewhicbdevices
z are forwardinjNDEpacketstolheCtsrm NAM-the
> ''Op ((
..81xuopel
restl uevicesfoundareIistethere

. .a ,.,
. > w a r x w . . n pue *
ac- uu '$G e .- . oee - .

M eranewdewce Isdetectez the 'z?'* $*- 'o Fotrz- atrptm':(qps!


NetFlow (Ievlce Fyendin9NDE ;>3ckel:1t7 -**'''-*' ''- -''- '-' - '-''-*''-
theCisco NAM rrustbeenteredInto the ' *'''''m - *- t- . = '- p 1..1w.. A.&4 l..! '.,s,:q
NAM NDE devicetatiednorderforthe
ClscoNAM locollectdalonlt
View Interfacesrepoded Skartsthe
sendingNDE toCisco NAM lssteningnxydm
Addsselecteddevlce
loNAK!NDEtable
+

Next,Cisco N AM m ustadd the dcvicesthatare scnding NDE beforcN DE packetswillbe


cotlsidered formonitoring.W hen th2 NetFtow devices are added to Cisco N AM ,itcreatesa
dcl-aultNDE data sourcc forcach device.
Butw hatdeviceswcrc conl-igured to send N DE to Cisco NAM ? Usc the NetFlow Listening
M ode task to display al1dcviccsscnding NDE packctsto Cisco NA M ,Launch the NetFlow
Listcning M ode by clicking Setup > Data Sources> NetFlow > Listening slodeand clicking
tlle Startbutton on the Listelling M odc table.A ssum ing Auto Rcfrcsh isselected, thetable will
periedically update(listcning mode willautom atically stop aftcr1hour)to display the dcvices
Cisco NAM isreceiving NDE packcts from .
Highlightoneofthedcvicesand click Detailsto vicw the interfaccsrcported in thepackctsand
w llelllerornotthe dcvicc hasbccn added to theN AM NetFlow table.Ifthe device hasnotbecn
added to theNAM N etFlow tablcshighlightthe device and click the Add button. A new dialog
willquel' y the userfortlledcvice SN M P read com munity string to retricve the textstring
intcrfaccdesignations.Adding thedcvice to thc NDE tablecrcatcsadcfaultNDE data source,
which can be used to monitorthe aggrcgatcofallenablcd tlowson the device.

Note Remem ber to create an NDE data source the device mustbe added to the NAM NetFlow
tllt)I(,.

W hen thedcvice isadded to the NAM NetFlow devicc tablc with theassociated SNM P read
community string.the Detailsw indow willalso display thctextstrillg interface designation and
notjusttheinterfaceindcxnulnbcr.
The dcfaultNDE data sotlrce.crcated whcn a dcvice isadded to tlle NAM NetFlow table, isan
aggregateofthe data on allNetFlow cnabled interfaccsofa devicc.To focusin on a particular
tlow (one ormorc interfaccs),acustom ND E data sourcccan be created thatextractsthe
desired tlowsand trcatsthissubsetasa distinctdatasourccagainstwhich NAM analysisand
rcporting can be perfbnncd.Usc thc Custom Data Source task to crcate an N DE datasourcc for
asubsetot-al1t low s.Formore information on creating Custoln Data Sourccs.referto the
onlinchclporthe IvherGllide/i)?'theNcJu'f
J?'l'Analt'
.
vi.
%A/r?:/l//e'F?Y!//'R'Analtcer,Release3.6. .
<

3-98 ImplementingCi
scoDataCenterNetworkInfrastructure1(DCNI
-I)v2.
0 @ 2008CiscoSystems.Inc,
Besides adding dcviccs from thc Lislening M odew indow.dcvicescan beadded/editetvtlelctcd
atany timc tlsing thc Setup> Data Sourccs> Netlrlow > Dcvicestask.Additionally.if
lnollilorilg reportsarc notshowing any data-firstrcfcrto thislistand lligllliglpttllestlspect
dcvice alld click tlle 'restbutton to verify connectivity.
W llcn NDE packetsarc being fbrwardcd to CiscoNA M by a rcmote deviceand havebecn
atlded to thc NDE Tablc in C isco N AM .Cisco NAM crcatcsadefatlltN DE data sotlrce fora1I
the flows from thisdevice.W hcn thishappens,usc tllcTraftic Analyzcrsoftware to cnable
collection ormonittpring ()fthc NDE datasotlrcc.

@ 2008 Cisco Systems,Inc. Impl


ementing NetworkAnalysiswith Cisco NAM 3-99
'

E nab le C ollection of R em ote N D E


Statistics

l$1l''IlI Na jjIj A nalvzej.


I 'rr1.

1 ' '
Y* .e*1* .* .iz':u'>*x :RtusA>.4.%-#'.!
6@T* @nI1@I1ne !;upe#l*l*
>r
s . , t.:l%qqwr.s : ' . 'x
. j?9
.e,j11
.yir
> EJ - x- - ,- - .) 1cp v
E'
so Ctrrvelz- Re>&(-w11;+e.mI@-:) 90:
rs Tu*ptMw -- -

The NDE statlstlcsavallablefrom theremoteNatFlow.


eoableddevice areagourceofdataforthe CiscoNAM
. FortheCisccNAM to analyzeandreportonthese
statlslics rxnitonngofthesedatasourcesmllstbe
enabled

In thiscascsthc rcm otebranch rotlterisproviding NDE packctsto Cisco NAM foranalysis.


Justlikcany NAM data source,the NDE packcts,ordata sourcc.atthispointareonly being
acccptcd by Cisco NAM .no processing ofstatisticstakesplaceuntilmonitoring isenabled for
lllc individtlaldata sources-asillustrated in the figurc.Rcmote NDE packetsare represented in
tltcdata sourcedrop-down window as:NDE-<rcm otc IP addrcss>.

3-100 lmplemenling Cisco Data CenterNetwork lnfrastructure 1(DCN1-1)v2.O @ 2008 Cisco Systemsvlnc.
V icwing ofApplicatiollstatisticsfronlrelnoteN DE statisticsisavailableby using tlle M onitor
tab antlclicking on thc appropriatc sublnellu.ln thiscascaselectNlE-<rem ote NetFlow
enabled deviceIP address> astlledata source.

Note Rememberthatpacketcaptures and real


-time graphs overtime are notavailable using NDE
asadatasource si
nce the NDESacestafistics from NetRow and notactualpacketsfor
analysis.

@ 2008CiscoSystems.Inc. Implementing NetworkAnal


ysiswith Ci
sco NAM 3-101
'

V iew onversations and H osts via N D E


Q l$@ ' '
'
. . ,. . .
'z.. g.
.. ' .s'.',... '.
1.v..
rfft!J. .k ' .. . ''T .'t,.
t.4 1
' - .
: .;f
.
k..;w
-< ktt7J. .
'.
'.
'a
'''k
$14t.
zit. . . .
?* Are* @*.4 i p''
e
%*f- *:: Ro@1.

Datacapluresandreal.tirre graphs
ove:tirre are n0tavallable using ()4- - -' '''1+ e- L'''c ''' -
NDE asadatasoorcesincethe (
I'
NDESarest
atist
icsfromNet
Fl
ow ()e - NDE.19216615124$ v rz.e.
f t.1
.
w.
andn()tpackess W P**1'4el#*
.
a..t o ...G ;
!
.w,
*<ik.* #%- *- y - K4;M.J0 .
-
(7
v 1 '.' ..' * 0 All p J:4a: ,@w o
-: ' !J. ;I43 7a Q J94; e tf5$ ;

- .#.pAa 19 w - ezesv R 4>e*p> ! t,,* >/1


ClickDelaliGtor.ee r r- ''r '- ''''' -
applpcatonprotocY tlsed - pI-. .-- - ..
andIt9Gonversations

Vicwing ofhostand conversation statisticsfrom rclnotc NDE statisticsisavailable by using the


slonitortab and clicking on thc appropriate stlbmenu.1l)thiscasc-choose NDE-<remote
NctFlou'cnabled dcvice IP addrcssm asthcdata Sotlrce.

3-102 dmplementing Clsco Data CenterNetwork Infrastructure 1(DCNI-I)v2.0 @ 2008 Cisco Systems,Inc.
Scenario 2:R esponse-Tim e M onitoring
Thistopicdiscussesthescenario wllereApplicatiollRcspollseTime(ART)isuscd.

A pplication Response T im o M onitoring


> Problem description:
An increase in em ployeesand applicati on usage atthe sel-ver
farm
Response-time moni toring isessentialto ensure productivity of
itsem ployees
> M onitoring plan:
Verify C isco NAM deploym ent
Setup response-tim e m oni toring
View statistics
Configurealarmsforproacti vemonitoring (referto the
troubleshooting scenario)

Nvith theopenillg oflnany ncw oftices,criticalcorporateapplications.locatcd attlleccntralizcd


scrvutrfilrln,arc being hcavily acccssed.Having slow orullavailable accessto tllesc
applicatiollsistlnacceptable.Thtls.the nctwork lnonitoring tcalu hasn'lctttltlisctlsswaysto
lnonitortheapplication rcsponsetilnesofthcscapplications.
Tllc action plan isto perfonn the following actiollsantlthen rcportback on thercstllts:
* Verify thatCisco NAS1isdeploycd in appropriatc locationsformoltitoring response tilne
K Settlp Cisco NAM to Inonitorapplication rcsponsc tilnes
. M onitorthe applicatiollresponse-tilncstatisticscollcctctlby Cisco NAM
K ConfigtlrealannsforproactiveInonitoring (vicNv thcstcpsforcontigtlringresponse-tilne
alannsinsccnario4:Trotlbleshooting.'')
Verify C isco N A M D eploym ent
The NAM can Inonitorapplication responsctil ncsby capttlring packets.tinle-stam pillg thcln.
and lncasurillg tlle tillle betqveel)a clicnlrcqtlestand thc fttltilllnentofthatrequcstby tlle
server.Thisinforlnation hclpsyou idcntify whcrc the applicalion tlclaysare occtlrring attlle
sel-verson thenetwork betwccn tlle clientalld serverswitch.oratthc clicnt.
'neasurelnentscan bca vcr.y uscftllindicatorofscrvcrorIlctwork pcrforlnallcc.
Response-tillle l
Yotlcal)uscthisluonitoring ftlnction to warn yotlwhen a serverorthc nctwork pcrfornlance
dcgratles.ltworksby collecling statisticsbastxlol,uniquctralysactiolls(TCP seqtlencealld
acknowlcdgclnelltIlulnbers)in tllepacketsofconversationsitobservesinyotlrdatasotlrcc.

@)2008 Cisco System s.inc. lm piem enting NetworkAnalysiswith Cisco NAM 3-103
I1)addition to response-tim ereporting,you can also tlsc otherrcporting featuressuch as
application statistics,TopN talkersto thc scrver,conversationsbctwccn the serverand clicntsto
idcntify w'ho the sen'eristalking to and whatitsbandwidth consum ption isfbreach pair, or
utilizatiollorcrrorson the switchportthatthe servcrconncctsto.A lltheseperspectivesand
optionsllclp you both identify trcnds inthe perforlnanccofthe application serverand
trotlblcshootproblcmswhen they arise.
Foracute application ornetwork perfonnance problclns,you can usethe NAM packetdecodc
fcattlrc to vicw traftic on a packct-by-packctbasis.

+'

3-104 ImplementingCi
scoDataCenterNetworklnfrastructure 1(DCNI
-I)v2.0 @ 2008Cisco Systems,Inc.
In thisscenario.theNAM Slocatcd atthc dislribtltion layerarecurrently spanning traftic
to/from tllc variousVLANS.Since tlleNAM SareNAM -2 type scrvicc modtllcs,asccond
SPAN scssion can bc crcated to span traffic fronlthe applicatiol!serverslocatcd atlhcscrver
fann (asetofpllysicalports).Thiswillallow theNAM Sto view al1cliellt/scrvcrtrallsactions.
(NotcthatNDE rccordsgNetlrlow recordslcannotprovidercsponse-tilnel'
nollitoring'
.not
ellotlgh informatiolliscontailled in tlle rccords.)
TheTrafiicAnalyzersoftwarcon Cisco NAM cal lconfigtlre tllcSPAN sessionson the hosting
dcvicc.Thc upcoming sleps span orcopy tllepacketscom ing f' roln and goillg to fourswitch
portsIocatcd on M odule 3.ln thissccnarit),thcsc are thcportscollllccted to tlleapplicatioll
servcrs.Sctting tlp the SPAN scssion willallow tllctraflic goillg to and froln tlle serversto be
analyzcd forrcsponsetim csby Cisco NAM :
Step 1 From tllc Activc SPAN Scssionsw illdow,click Create.Tlle Creatc SPAN Session
window appcars.

@ 2008 Cisco System slInc. Im plementingNetworkAnalysiswith Cisco NAM 3-105


'

et ata ource orts ont.


,1h.fIn 1.ffjr.&xalyzer
C1><@
. .; . j,jj ....... ..... /'.:;w> ' '''
Y4/A1+:*.*'.*: yr'ex'74r ..
gj
j.idF.r?
.: '
r
E''
.
!'
..
/
i
'

,)'
ht.;s
k'
; z''

-J
',.'-k
.$
.J
J
,'
kj
.6
..
.I
F
J''
C'/$ry-'
.3:
.t
f
;t
;
,L
.r .kld'
qii,
i 'iil
k ''''''''*'''''1b
'
?'
/9p
/r
'. p:
v !
,!.
1pt
k ?)'
;1*
. ?'
'
:5
..'
-'
..'
'FF
.. 7
J61.:'r;
.$ J?
.
r7
)

4. s:.. O
$pA:'Ngqtp..w*x ('.Rz C)Tx Lbs.
.. Fa.
'g/ F&)/1t'
gofh) i
1r, 1r )..
,.r
.,,.
IF,.
')/J F41/46(poth) ' ,q.;1
MAM-2sorbice iFe3/'
.l ... .............. F%3/4?(:0*,) '
rt
rdtzeaBows,or '
IF
F/
eX
V5: 7 'hM .1
:.
1 FeN.*(9*)
twopossibpe z.zvvzzz.z.::.;:.:7j
.
SPANsessi ons F ep
:
FaW
fs
? 4S P4OBkv*' '
.......''.'''''....6'
-P ortgtObeSpanpedtot heNAM
(()A.rAeoRw lirlterface
F
Fs
.
e3
l/
/8
g 4SPe*y
'-
''f'
:i'
: .yogswrepoqslatef
ort
hi
str
ac.
F,?/p() thetatasourcetoselectwkllbe
Felp1 ' DATAPORTZ
sravl? +
.
. . ..... . C*8*5t*
.
!yejmvj,Njj
i
mjj spAjjsessi
on +

These stepswillcontigurethe span session,copying the packctscom ing from and going to four
switch portslocated on m odulc3:
step2 You can selectSwitch Port,VLAN ,Ethcrchannel,orRSPAN VLAN forspanning.
In thisscenario,there are fourswitch portsconnected to the application servers.
Click thc radio button Sw itch Port.
step 3 Choosc the Switch M odule containing theportsto span.
step 4 Sincewe alrcady haveone active SPAN session forthe voice VLANS,selectthe
SPAN destinationtobethesecondinterfacconCisco NAM (DATAPORTZ).Two *

SPAN sessionsare only available with aNAM -2 servicc m odule.


step s Both directionsoftraffic need to bem onitored.Click theradio button Both.
Step 6 Choosethe portsconnectcd to the application scrvcrstiom theAvailable Sources
tist.M ove to the Seleded Sourceslistby '
zlickitlg Add.
step7 W hen you are doneadding alIthe portsto span,click Subm it.The SPAN session is
created on the switch autolnatically.
step 8 lfusing nativeCisco lOS Softwarc you mustthen click on Save from the prcvious
Active SPAN Sessionswindow to colnpletecreating theSPAN session and save to
the starttlp configuration.

Note Response--rim e Monitoring needs to see request-acknowledge pairto perform i


ts analysis.
Make sure the selected data sources are capable ofseeing both packets.

3-106 lmplementingCiscoDataCenterNetworklnfrastructure1(DCNl-1)v2.
0 @ 2008CiscoSystemslInc.
Oncc tlledatasotlrccissctup.continue the settlp forResponse--rinlc M onitoring.Click Setup
> slonitoring > Response Tim eM onitoring.Yotlw illbe givel:thc option to cllooscwhicl)
dala sotlrce you walltto monitor.In thisscenario,itwasDATAPORTZ.
Pditing llle sclcctcd data sotlrce(lpellsa dialog box w' llich allowsytltltc/configtlrelhe
rcsoltltion ofthe response-til ne salnplcsalpd Ilosv tlle salnplesarcrcported.Thcrcportinterval
allowsyotlto dcfinc thc salnpling intervaland tllealnotlnt01-tilnc to collectrcspo,lsc-tilne
salnplcs.Thc nextsevelloptionsarebucketstllatCisco NAM usesto store tlle restlltsofthc
rcsponse-tilue salnplesforrcporting ptlrposcs.Forexanlplcaifa salllple respollse-tilne
lneasurenlentisdctcrnlincd tobcIcssthan 5lnilliscconds(!ns).tllcn CiscoNAM Nvotlld
increlnenttlle RSPTi1ne1btlckctby 1and Cisco NAM willrcporttllatsanlpleasone response-
tin'
le salnplc oflessthan 5 lns.Asyotlcan sce,thescoptionsgivc yotlm tlch controlovcrtllc
grantllarity ofresponse-tilne lneastlrclnentsalpd rcportillg youcallcollt-igurc.

@)2008 Cisco System s,Inc. Im plementing NetworkAnalysiswithCisco NAM 3-107


'

U nderstanding the Statistics


Clpents
e!
pw/
' x.
. /
Cisco
, f+ NAu
! SeFVPC
: <
Ye- or
..
--txet
wo,.
k z s-,-
. ,e-New.rk xv
.aw ,op,
.
--t.---
'2
.- 2
!
!
K,E>
! E ! i
e!*4
.
2
i

i
1
!
' ! i !
V ! ! Appt !
i Cl
i
enrNetwor
iDel
ay 1
. ServerNet
workDelay 1
. Delay 3
.
' : i !
! NetworkDelay ! E
i : i
i vot
aloepay !
.
: :
* Transactponlprrlels the totalamountoftime from tbe firstpacketofa cllentrequestuntiltl7e
cllentrecelves the finalrespclnse packetfrom the server

Brhcn vicwing thc variousstatisticsforresponse-tilne lneastlrcl


nents.you willencountcrthcsc
tcnns:

* ClientNetwork Delay(CND):Thenctwork'roulld-trip time(orflighttilne)betwecna +


clicntand the Cisco NA M sw itch orrouter.
* ServerNetwork Delay(SND):Thenetwork round-trip timc(ortlighttilne)betweena
scrvcrand the NAM switch orrouter.
w Application Delay(AD):Thetime ittakesascrvcrapplication (forexample,aweb scrver
application)to respond to a rcquest.AD isthc tilne bctween tllcclientrequestaniving at
the scrverapplication and the firstrcsponscbeing rcttlrned by the application.
* Network Delay (ND):Thenetwork round-triptimc(flighttime)between aclicntanda
servcrtllrougl)tlle NAM sw itch orrouter.ND iscqualto the sum ofCND and SND.
. TotalDelay (TD):Thelotalamountoftimcfrom thctirstpacketofaclientrequestuntil
thc clielltreceivesthe tirstresponsc packctfrom thc application servcr.TD isthe sum of
tllc ND and the AD.
m TransactionTime(TT):Thetotalamoulltoftilnefroln theGrstpackctofaclientreqtlest
ulltilthc clicntrcccivesthe finalresponsepackctfrom thcscrvcr.

3-108 ImplementingCiscoDataCenterNetworklnfrastructure 1(DCNI


-I):2.0 (
I)2008CiscoSystems,Inc.
'

-
1ew -
1ng tl.
1e tc
at-
1st-
1cs
'iI!'I1I' s $T$:1 T j.$.1ff1f .&lka1yze1.
Mfgls
7717:
'
7t
;'
.'
-
'r .
. '
-b
> .
:.
'
't
.p
#dk
1tkt:t
p,
L(;'
f
-
.
k
: '
-
.p.E<';J,'a3w't'
' @
k;
-,'.t
4. k@.;,..
'.
ibpk
.'
$:
f,
.
>'
.
4 t.
' 1
?#:
;u,
k' . '
-.
'
$
7777!.'
lr
t
f
r
Ts)
'
h
,
$
.t#
>*
tr),
' /t
'7
4p
r
Y* AeeI4w@ * '' y!''.'.' m''s'.- : '' 'e ' ''
%*I#*I A pSy1lt!,1*n R*@ptd11@* Tirn*
silt. .J%s'
'1:r.l >' x sewerAppllcation Perserverapplicatpon
Appltcatlon depay.oetworkdelay,totaldepay
Transactlon lkrne
. ServerNetwork
. .
w. sewernetworkdelay
Networkdelay
Server/clioolAppppcatlon Perserverlcrlentpalr
Applpcatpon delay,network delay.totaldelay
Transactlon tlme
Server/cllenlNetwork
Cllentnetwork delay
Servernetwork delay
Networkdelay

Q 2008 Cisco System s.Inc. Im plementlngNetworkAnalysiswilhClsco NAM 3-109


d
'

'
Ie ing tat-
lstics.
- erver p Iication
:1l'''lI' s .A!! 'r1.arflf'..tna1yzer
.
.v.y11
'y
c.4
rrwk.
r
at1 +
& Isdo - .
.
.
,
r: a ;
9'
%tA!@* @*)'>r@@ #R@6T'X'JWJ- $* +4zijg'
xrrm ' . .
$*ev*l #p$)$i@*1i*n :@*p*o** #1m *
#u
, StatisNcspersen/er
>Y ut&*c- - - *'''''- - -- - .cm .qfpxf . applicatiorl
Ze -
#E3A.- Q Te cw- .
- - DATAPORT2%> Sewsl t1F9
>+rJrl
ea'1 .

t
1t
z'x
1
@
zid
it
u
' 'Jjw
j;i
j
v jj/k
Fq
;'
.j)$ '
j.,
,j4 6
fg
#k.t1
; tq><-.h
l '.f..'*.'-''-'l.r '3'
; C'..$ %. '#)e''L *
.
='
...'..
. '-.-
.'
..'.J.x'
.u'''- .''.<-
.n
.o'
.'
1*:'
4'
1
...
. .;.;sf;;
/ t).', k...=.;ma..;
ny
p .,
u.,..
1.
1
,
61
4 ,
.,j
2w
,
j.
. pji
q
r
.
'
:r
>,,
h
. a
t.
.p

t
l.-
. K
. >r ,-
.-'#
.i
d'
. .$
23
-
:'
,
bb
. '
d',#
b
,
i '.t,-
'.y.
'
1.j
j
-
k
.'
g
.'
,
:.t,
b ',
qi'
b',
i
',
@
p''
6rlg9
?%
ar...'
.t
.@
.7
?j
r
;3m
p9
4
.
j!i
;'
t
-:
,'
.
)
-j
j
..;@
:t
.
)
O ? 1r:.'D 1H.D, *- : 4 : ' 4 . . . . - . a # j
.

Fronnthesestalistlcs yeucanjnpointthe $ 94 B @ K ts fK 1% 15 #g :; >$ tF#3


rocationoflhedelay ':
'*'X'*v- - '''-''*''v*v''.
-*-*.'**e'vmt*'
***',,'-*=x-'wv
p Wasitinthedientnetwork? . . ..
* Was't(juetotheapplication? t- ---'

To view response tim eperserverapplication,click M onitor > Response Tim e> Server
Application.
Each row in thetable representsan application perserver.The A11Dataradio button showsal1
applications.Altcrnatively,choosethe TopN Chart,which providesa graph ofthe top
applications.Foreach application,the tableshowshow many clientsuscd thc application,the
application delay,the network dclay,thetotaldelay,and the transaction tim e.
Ifyou selectone application and then click Details,adistribution ofresponsetim esforthat
application isshown.
Ifyou selcctone application and then click Capture,apacketcapture isautomatically started
forthatapplication and server.
And asseen earlier,historicalreportscan easily be started from thiswindow qusing the Report
button.
+

3-110 lmpsementingCsscoDataCenterNetworklnfrastructure1(DCNl-1)v2.
Q @ 201)8CiscoSystemsplnc.
V-1(.
)w ing Stat-1st1cs:
S erver A p p I1cat-1o l3 D 0.tc
a-1Is
*- - - - '' Tl!eDlnt.rilsLxJllonM 11
prowdesprk'el.apppermtlnF.e
11r!e dIS1r1bU!1OrS
1:.*
:5.* V
D:.:1K$K.
D..*
tz*'' W* >* I?2tO 1* Dd

6.* ' (w 4nyev jqv


7.* Seeeet:>% 1r*4A1
,Ke olC<* * 5
4*. q4' . 7 - Ae**fTr ' 1$
Reo - Tl- 1*- '' Inaes) M re% 0
f!*> <5 X** MPd*F6m*3lef#AYW* %'11f*
> A w/fe tetA'een5&!KI15 etwcwkr)mleylrmxlfmei*ve l&xl 14#tr?5
S-ve*fwix:!>*f(m )tetiM #xyl /0/1
1 Rewxm eatetween15e M1 Aoxr- jmn)toajweroxl $4yayjz;
W I*T;KFr.= te KI*xi1* Teeee Fe t&*1IC*/*'PPIX; Q!:0J2*
@ ONKGO - IX R M

2 p- M wm e

($)2008 Clsco System s,Inc lm plementing NetworkAnalysiswlthCisco NAM 3-111


Ifyotlsee som cthing ofconccrn in the rcsponse-tilne tablc,you can click Capture to have a
packetcapture session starlup automalically and collectonly packctswith thesclcctcd
application and scrvcrIP address.To m anagcthe packctcaptures-use1hcCapture tab. M ore
infonnatiollon packetcapttlrcswillbcprovided in tKscenario 4.'Troublcshooting.''
And asscel:earlier.real-tim egrapllsalld Ilistoricalrcportscan easily be started from these
windows.

3-112 lmplementing Ci
sco Data CenterNetwork lnfrastructure 1(DCNI-))v2.
D ()2008 Cisco Systems, lnc.
Aslnentionetl,the responsc-tilncdata callbe sllown fbra1Iapplicatiolpscollectctlorfor1hc
TopN servcrs(shonrn in this f'igtlre).Each barin thc graph represcntsan application perserver.
Tllc variable graphed can beehangcd froln thedrop-down l'
nentl.asshowlliI1thetigure.

@ 2008 Cisco System s.Inc. Im plementingNeM orkAnalysiswith Cisco NAM 3-113


Scenario 3:U R L M onitoring
Thistopicdiscttssesthe sccnario where NAM isused forURL m onitoring.

U RL M onitoring
* Problem description:
Understand and trackhow intranetweb servers are used
* Monitoring plan:
Create data sourcesto monitorURL packets atthe core Iayer
Setup URL monitoring
View URL hitstatistics

Asnew productsorapplicationsrollout.thentlmberofhitsto awebsite oftheproductora


URL ofthc applicatiolllnay bc daunting.In ordcrto understand both hitsto thewebsite aswell
asapplication availability,thc network managcmcntteam hasbeen rcqucsted to m onitorthe
W AN forURL hits.Tlle goalisto cnsure thatsufticicntbandw idth hasbeen allocated.
Tlleaction plan isto perfon'
n the follow ing actionsand thcn reportback on thc results:
K Vcrify tllatCisco NAM isdeployed in appropriate locationsformonitoring URLSatthe
corporate headquarters.
* Sctup Cisco N AM to l'
nonitorU RL hits.
K M onitortlle URL statisticscollected by Cisco NAM .

3-114 lmplementlngCiscoDataCenterNetworkInfrastructure1(DCNI-I)v2.0 @ 2008CiscoSystems,Inc.


ln thisscenario,theN AM Slocatcd althe core layercan bc contigtlrcd to monitorthcoutgoing
traf-
tic011thefiigabitportsconnectcd to theW AN.ThiswillalIow thc NA M sto view allU RL
traflicto the Intcnlct.

Note NDE records(NetFlow records)cannotprovide URL moni


toring.

TllcTraffic Analyzcrsoftwarcon Cisco NAM can conligure 1he SPAN sessionson tllehostillg
device,Thctlpcom ing stepsspan orcopy tltcotltgoing traffic on thcGigabitportscollnected to
tlle W AN.Settillg tlp the SPAN scssion willallow the trafficgoing to thc lntcrllett()be
allalyzed by Cisco NAM forU RL hits.
step 1 From thc Active SPAN Scssionswilldow,click Create.Thc Crcatc SPAN Scssion
window appears.

@ 2008Ctsco Systems.Inc. Impl


ementi
ng NetworkAnalysiswith Cisco NAM 3-115
Set U p D ata S ource S P N Po rts ont.
dlulli. x
, I*rll.4nalyzrr
t1:*
q'.1.......>.Qtu'V..J.W . . < GX..;tXYp
. X.XX.'..
j..
,...k. .;,.. .
. . . .j. s ' l c$
.
RANT- J)s- p- (%u.AM t.$- c-
f (')o aaw,- spaotNerp
wxv or
ou tsscon
ter onnMo
ect
edpeto2the
du

gpe x- - f- DATAO RT? v


, sF>.Tw:lzp..eeax r'1ex rz';:4 f'7eq.&
. . .z A- GM - *- -IY t-

NAM.2servsce j
1 A
kl...j: '
t l .ponst
othespannedtotheNAM
rrctulealowsfor .
1 4! venb' .
- (DATAPORTZ)l
nt
erf
ace
tw
SP opossi
AN ble i 4v--
p.-
vI.,.
v-
..
u-- - TO vleevremrtslaterforthistramc the
sesslons I . tjatasx rcetoselectwillbe '
DATAPORTZ

l. . . createsthe
Ip..?!...kl xIrp!:, SPAN sesslon

Thescstcpsw illconfigurethe SPAN scssion.copying the packetsleaving thcG igabitportsalld


going to thc Internetrouters.
step 2 You can sclcctSwitch Port,VLAN,Etherchannel,orRSPAN VLAN forspanning.
In this sccnario,weare using tlle switch portsconnected to the Internctroutcrs.
Click thcradio btltton Switch Port.
Step 3 Chooscthe Switch M odulecontaining the portsto span.
Step 4 Since wealready havcone activc SPAN session,selectthc SPAN dcstination to be
thcsecondintcrfaceonCiscoNAM (DATAPORTZ).TwoSPAN scssionsarconly
available with a NAM -2 scrvicc m odulc.
step 5 Justthc transm ittrafdic nccdsto be m onitored.Click theTx radio button.
step 6 Choose theports conllecled to the Intcrnetroutersfrom thc Availablc Sources list.
M ove to the Sclccted Sourccslistby clicking Add.
step 7 W hen done adding allthe ports to span.click Subm it.The SPAN session iscrcatcd
on (heswitch autolnatically.
step 8 It-tlsing nativc C isco IO S Sottw are.you m ustthcn click on Save froln thc previous
Active SPA N Sessionsw indow to colnplctecreating the SPAN session and save to
the startup configuration.

3-116 lmplementi
ngClscoDataCenterNetworkInfrastructure 1(DCNl-1)v2.0 @ 2008Ci
scoSystems.I
nc.
'

et ' ollection
.111,il1' x.'.
(;Ist o
k5I T ).affi A 11nlyze1.
z.,.. . .<
,z . .
sxv.......;.....
>:,o'b..,
.,yv.,
.. . . *
..4.:
.
/C-
kk.
t
x.
!
1$
:;k;i
'
.
'..
, s
:'
:
z-
p.
:,..
; y.r
. '
...$'
y... . k
f
.z
3-'
;
) 44.J
.
;1.
tf
.z4o/r
1
;
d
.C
'
..C<
,
s Jd
s.
7
,
yx
'
.),
y.
. >7
y.
s
.
t
44.4vv
t
e
;'vva'
v r...k/
,
d
.
.
vk
or
iz
.,,
-
y ;.
t
7.
'
h#$&!Jk:b'''''1.b''?.J'>'rJ'''11S'fR'$
l'4''' The NAM.2DATAPORTQ i
nterface

s . .. .,. ..f . E '


. . . h

s... y.xeroe, 1gll w nxy(:.:,- t'


s'.
l
Mechre/

'419$.Eb!<:11:64> t'r;coedc- etn.- 'Pe e Nmx- sl


Selec'!wblchpadofthe '''
URLshouldbeccplected ()ct- a)xe pe lmorenz- st
bytheCisco NAM .
r c- pe e -- loxe- )
(' 6* M$(mlv(> el**> ,)
;A$,.l (2
.
I>'mI1j

Onc the data sotlrce issetup.contilpuew itllthe contiguration ofURL mollitoring.I11tllis


sccnario,thcnctwork m anagcnlclpttealn wantsto lnonitorthcotltgoing traflic to the Intenlet.
Tllc prcviousfigtlresillustrated how to configure a SPAN scssion to Iuonitortransnzitpackets
atthe core Iayer.The inlerface on Cisco NA M thatwaslnonitoring thiswasDATAPORTZ.
Tllisistllc DataSotlrce.
A URL,forcxal
mple,llttpr//htlst.dtlmclill.colm intro?id=123scollsistso#'ahostpart
(host.dolnain.colu),apathpal'
t(illtro).and anargunacntspart(.
?id=l23).Thccollcctioncanbe
colltigured to collectal1partsorto collectonly sol'
ncoftllcpartsand ignoreotlers.
ThcM atch Only ficld isan optionalparaluctcrto lilnitcollectiol)ofURLSthatlnatch the
regtlIarexpression oftllistield.
Dcpcllding on svhicllradio btltton option is selccted-the forlllatol-tllcU RL varies.For
cxalnplc.tlc Icadillg bllttp:''partisonly presentifthe shost''partiscollccted.Kccp this
variablc in lnilld whcn col,l iguring a M atch Only expression.

Note URL m oni


toring can occuron a per-data-source basis.

@ 2008Ci
sco Systems,Inc. lmpl
ementi
ng NetworkAnalysiswithCisco NAM 3-117
'

-
1e L 1t tat-
- 1st1
-cs

dII4',lI' N.
&Aj Traff1 ,:.llalxzej'
CI$* ' '
. <,.#: d
..p. -. uv.J. '
kk p.. q.qr .(.'.;2..
.ej 71. - ''' ztpijy' .4
.J
'7.
*.. .
.eir
.'x+,. ' .a '
-'
vAke URLSseenonthe
#c- - -ep--- m ztel*:1m: C'Oosgtlre Ciot8Source
D, AA attvwl .
' t-.- MtA- : kK .' I
4w-$ .(
,.j
. . p4p- $.f:e*qpu I
c $ #erintrzteeI)?14:/ rye '
r 1 * tqm !1*1W l o e
T' 1 * faA7t6e1&?S46.w relo oe 77
r 4 - >w ,* l:z1 <h) .
S'nf;ehlshostaddres:hsagcptllar r 6 * eq7lq:'3!$46****,* '
G1$eto animportaotserb'ef R g > o* '* rzzI- - - oe 1
appllcatlc)n youcao setthe URLto
b0collecledaGanappicatlonor - . .. $
. qs . jg4ooxl> : a,f l yyj
protocc/ theo 11* appicahopcanbe
analyzedIlkeotherapr)s(view bosts' l..
conkersaoons etc) - -e - - -. ... qoyxgu e . .

A ftcra data sotlrcc hasbeen conf-igtlrcd forURL monitoring.thestatisticscan bcvicwcd from


the M onitortab.Click Nlonitor> Apps> URLS.Thcw indow displaysthc collcctcd URLSon
the configurcd data source.
Ifdesired.you can use theFiltcroption to filterthe URLSdisplayed by URL,host,path,or
argulncnt.Chooscthc filteroptiollfrom thedrop-down lncnu.cntcra textstrillg,and thcn click
Filter.

3-118 ImplementingCi
sco DataCenterNetworklnfrastructure1(DCN1-1)1
/2.
0 @ 2008CiscoSystems,Inc.
Ulll
--based applicationsareextcnsionsto thcprotocoldirectory.W hen lhc URL in an I'ITTP
reqtlest(aURL onTCPport80)matchesthecritcriaofaUltt-based application,tllctrafticis
classiiicd asthatprotocol.
A Ul klw-basetlapplication can bc usetlin the same way asany otherprotocolin thc protocol
tlircctory.Forexanlple.a Ultl--based application can bc tlsed iI1collectiolls.capturcs,and
rcports.
AnincoluingURL ismatclled againstthccriteria(illustratedintheligtlrc)ofthcconligured
U Rl--based application-in tlleorderofthc index,tlntila lnatch is fotlnd.W hcn aInatch is
found,tle relnaining Ultl--bascd applicationsarc notconsidered.Therefore,to Iuovea criteria
highcrup in the lnatch list.change the indcx nulnbcrto a lowcrvaluc.

(()2008Cisco Systemsllnc. lm prem enting Network Analysiswith Cisco NAM 3-J19


'

E nable C o llection fo r U R L-B ased


A P pI1cations
'dI'.1I1' sAsf 'r1.aff,f. A&taIyze1.
Cl5t*
l - 'rrRJ ft .'l.'...tAo ' R -'
)

*#.'1re #.AP#!b#-bMd.
Fhr
olocodw lra..'i....'
j
* pe- td 0-

Enebleofdlsabiecollectlonof f : x-s 1 rm z z -
statps:cs(hosls onversatpon ' : . . 6a ! na v e r.
resxnsetirre)(m I*f,new URL.
basedapNlcatlon(M'arlyolhef '' 4 r'c. ' - l >* d' e r
protoolulngthhsrrenu .
: .t . - -

Prcviously.you saw how to crcate a ''URL-''protocolfrom theM onitor> Apps> URLSrcport.


ThcScttlp > ProtocolDircctory > Ulkl--Bascd Applicationstask willletyou m anually crcate,
cdit,alld dclctc URL protocols.Asillustratcd in the figure,sclecting the Settlp > Protocol
Directory > IndividualApplicationstaskw illpresclltyou with a Iistofalready defined
protocols,including thcU ltl--bascd protocol.
Uscthisscreen to crcate proprictary protocolsto m onitoror,in rare circum stances,to editthe
scttingsforwcll-known protocols.

Note ltis recommended thatusers do notm ake changes to the protocoldi rectory from this
screen.T' he NAM is designed to function with defaultprotocols. At
so,modifications that
SNMP m anagem entapplicationssometimesm ake to the protocoldirectorym i ghtconfli
ct
with custompzati
ons made on this screen.

3-120 ImplementingCiscoDataCenterNetworkInfrastructure1(DCNI-I)$/20 ()2008CiscoSystems,lnc.


S cenario 4:Tro ubleshooting
Thisttlpic discusscstlle scenario wherc NA M isused forlrotlbleshooting.

Troubloshooting
p Problem description:
The network managementteam wants to ensure thatthey are
proactive to any arising performance conditions atthe data
center
e Monitoring plan:
Selectwhich statisticsto alarm on
Determ ine the appropriate threshold to triggeral
arm s,and
determ ine how to alertthe team
- Conf igure thresholds
- M onitorand forward alarm s
Triggerpacketcaptureswhen conditionsarise
.

ltisobviottslhatthc network lnanagcmenttcam calpnotcolltinuously be looking atstatisticsto


determ ine ifproblem sm ay be occtlrrillg.And to sim ply waitfbrtle pholleto ring froln
cmployeescol nplaining abotltproblem sisnotbeing proactive and thc wrollg approach.Thus,
thcnctwork m anagem cnttealn haslnetto dctcrminewhich statisticscould bcwatched by Cisco
NAM alld tllen havcCisco NAM alertthe team to whcn thc statisticshita tllrcshold condition.
The networkl' nanagcm cnttealn hasdiscussed thc varioustllresholdsand alarlns,which
statisticsto nlollitor,how to collfigtlrc thrcsholds.how to forward alanns.and possibly llosv to
tl'
iggcrpacketcapturesto gatherm orcevidencc on tlleconditioll.

@ 2008 cisco System s,Inc. Im plementing NetworkAnalysiswithCisco NAM 3-121


A ction 1:T hresholds and A larm s
Thistopic discusststhrtsholdsantlalannsand how to eontsgure them on N AM .

U nderstand ing T hresholds and A larm s


T hink B efore Y ou C onfigure

W hatisanalarm ,a
thresholdlan event.a
trap? w hatdo Imoni torand
.
;
:. .h how do ldeflnethe
threshol
ds?

W hatisconsi
dered
normalon my network?
: . I
-l
ow do IIetothersknow
aboutfailures on my
. network?

Configurillg alarm sisa seriousmatter.This isbccause alarmsarewhatnetwork m anagersand


enginccrsrcly o11to notify them wbcn network ordcvicc performancc fallsbclow expectations.
A larmsrcquirca carefulanalysisofw hatvariablesare slorcd in thc M 1Bsthatwillinform you
ofnctwork and deviccproblem sand an cqually carcfulilnplcm entation ofthose alarms.
W llatisconsidcrcd nonnalon yournetwork? You may wantto considerbaselining your
nctwork to cstablish yourexpectationsofnonzlalbchaviorbcfore you begin defining alarms.
Allothcrrcason to carefully considcrwhalalarrnsyou nced isbecause thcy consum eNAM
rcsources,and uscofresourcesobviously can affectNAM performance.
Befbrcyou learn the detailsofalann configuratioll hcre is a revicw ofsolneterm inology:
Alarm :An alarm isthe condition thatidcntit-
icswhcn nctwork ordevice perform ancc falls
bclow dct
incd ornonnalexpectations.You tlsc thrcsholds(rising,falling,orboth)to dctine
the boundariesofyourexpectations.You sctthresholdsagainstM IB variablesand, with
CisclaN AM .you can sctthresholdsagainstRem ote M olpitoring (RM ON)variablcs.There
arc diftkrcntkindsofvariablesin M IBs.butthcm ostcom mon typc thatyou w illencountcr
ol)C'isco NAM isa countervariablc.Countcrvariableswork by increm enting thevalue in
tlpc M IB N'ariable by oneeach time itsecsa match forthcvariable.Forexamplc.ifyou use
tllc variablc broadcastpackets,thcn evel'y timcCisco NAM rekxivc:sabroadcastpacktt,it
willincrcmenttlle counterby I.One way to tlse alannsw ith countcrvariablesisto
llleastlrcthcdiffcrence (dclta)betw een the value ofthe variablc atthestartand atthe cnd
ofthc sam pling intcrval.thusrcporting ollly the ntlm bcrot-packctsobserved during the
salnpling intcrval.Theotheroption forevaltlating thcdata isby using the absolutevalueof
tllcvariable whcn itwasread.Forexamplc,ifthe M IB variablc forbroadcastspacketshad
an absoltltc valuc of33874 whcn sam pled.thcn Cisco NAM willreport33874 broadcast
packtltssince the M lB variable waslastclearcd.

3-122 ImplementingCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.O @ 2008CiscoSystems.Inc.


* Event:An evcntisthe actualoccurrcncc oftllccondition yotlhavc defincd in yotlralarln.
stlch asw l:et)tllc nctwork pcrfonnallce fallsbclow yotlrexpectations.An cvcntoccurrence
isstorcd in thc M IB and isuscd foralarln reporting.
* Trap:A trap isan SNM P Inessagc gencratcd by tleSN M P agcntin thc device that
observetl1he cventand isselltto the managcm cntstation thathasbccn conligured to
rcccivctllcsetraps.A trap ishow Cisco NAM isalertcd to conditions;Cisco NAM can thcll
alcrtpersolllleltlsing allothertrap,asyslog m cssage,oran e-lnail.

@ 2008Ci
sco Systems,Inc. Impl
ementi
ng NetworkAnalysiswith Csco NAM 3-123
'

C onfig u ring T raffic A nalyzer'


.
Def1ne the ThreshoId C onditio ns
()rhr'piJ)'.' . y .

NAM MIB Enablesyou to desnethresholds oral


arms basedon byte
Thresholds orpacketcountsbyprotocolfornetworkand MAC Iayer
hostsand conversations
NAM Voice Enablesyouto defi
nethresholds oral
armsforpacketI
oss
Threshol
ds andjitterforSCCP,H.
3231SIPIandMGCP
NAM RTP Enablesyoutodeflnethresholds oralarmsforpacketloss
Stream stalisticsbasedonthe RTP sequence number
Thresholds
Switch Enabl
esyou todefinethresholds oral
armsforvarlables
Thresholds sted I
n the mInI
-RMON agentoftheswltch;thisincludes
variablessuchasrx)rtutil
izallon,fcagments,jabbea
1ali
gnmenterrorsi lisi
ons1andmore

The Traftic Analyzcralarm feattlresallow you to createalarm stbra varicty ofthe variables
stored in M IBseithcron Cisco NAM oron the switch orroutcr.Thc following featuresallow
you to crealeand customizcalarm sto m eetyournecds.Rcvicw the varioustaskspriorto using
tllc softwarcto conligtlrc.
Use thege taskslo dcfinetlyresholds forlivem onitoring ofdata.voice,and video traffic:
. NAM M lB thresholds:N AM M IB tllresholdsenablc yotlto crcatealarm sand dcfinc
thresholdsbased on byle orpackctcountervariablcsby protocolfornetwork and M AC
laycrhostsand convcrsatiells.Additionally,M lB thrcsholdsalannscan also be creatcd for
serverresponse tilnc,server-clientresponsetime.Diffscrv traftic statistics,Diffserv host
statistics.and Diffscrv application statistics.
. NAM voice thresholds:NAM voice thresholdscnablc yotlto crcatealarm sand detinc
thresholdsforpackctlossalld iittcrforSkinny ClicntControlProtocol(SCCP).11.323,
Session InitiationProtocol(SIP),and MediaGatewayControlProtocol(M GCP).
* NASI RTP stream thresholds:NAM RTP strcam thrcsholdsenablcyou to create alarm s
alld dctinc thrcsholds forpackctlossstatisticsbascd on tllc RTP sequence numbcr.
w Switch thresholds:Switch thresholdsenableyou to crcate alarms and detinethrcsholdsfor
the variables storcd in tllc m ini-puM oN agentofthe localswitch.Thisincludesvariablcs
forportutilization.f'
ragmcnts.jabbers.alignmcnterrors.collisions.andmorc.

3-124 lmplementi
ngCiscoDataCenterNetworklnfrastructure 1(DCNI-I)v2.O @ 2008CiscoSystems lnc.
C onfigu ring Traffic A nalyzer:
D efine A ction hen Threshold ls M et
(''
1t')()yf'.
' z' ;p.. @c.. :..'
$
.
NAM Sysl og 1
)Enables youto store M1B and voice events, aswellas
!system alertsineitheraIocalorremotesyslogfile
j,,
...........................,.,.,....... ........-....,....,...,.,....-...........-......-.................rr......
-...,.
,.......,............ ..
NAM Alarm MailJEnablesyoutodefinee-mailrecipientsthatshoul dreceive
(notificationofeventsgeneratedbytheTrafficAnalyzer
NAM Trap )
jEnablesyoutod.efinethe IPaddressandUDP portforthe
Destinations imanagementstationsthatshouldreceivenotificationof
d
1eventsgeneratedbytheTrafficAnalyzer
.. .. . .. . .. . . .. .

Use these tasksto dcfine how tllc nctwork mallagelnentteam shotlld bcalerted to thresholtls
thathave been reacllcd.
* NAS' I syslog:Syslog colltiguratiollenablesyou to scnd alcrtsassyslog messagesto either
a Iocalorrem otcsyslog fi1e,
K NA5Ialarm nlail:NA M alarm lnailallowsyou to forward alcrtsase-mailmcssagesto a
listoftlelsncd recipicnts.
. NA M trap flestinations:NAM trap destinationsenable yotlto definethc IP addrcssand
U DP portforthcm allagclnentstationsthatshotlld receivcnotilication ofcventsgcncratcd
by Cisco NAM .

@ 2008Cisco Systemslinc. Implementing Network Analysiswith Cisco NAM 3-125


'

onf1g urin hresholds.


'
isco I hresholds
Exarrplp Morllterthermazpmom appllcallon
response9rre tc tNe gppllcatlonserverIocate
llI1tllj. NAhl'
j'1.ajfjrAnpjyz.1. attbeciorptyratgserverfarrn
f 1SC@ .
a ' . -It..t,;'-,.At. '
i:7 .' %- '-2
'''1-
,.4-:' .
k
:kkk;. -
'
Y* - ''''* 't.= y'ks'''.' :414>4'.. 1ftretl*q'.!g'''
*4.
It 11A* M1: ThI@*h*1d*
:tlhI.Y e le :
, . .' ,.IJ (
Lq
L . ) .e e '.- * .G +
. !-
. - - - r:
. . e ''' 'M e .cmf- e
' '''
> .' Choosetha .
:.......--- . ...#'
gfd
wjw,sjr,e<,j!,!
a.jd,
.w,: .
y. ..r apalysistype
Choosewhat$4113variable
t71#Packelt y0uwantlo cmnitor
nBy-s . ..,. . . .. % .u ,... .)
(xlavses .- hlewols:teyercorxrerseur,s '
Kthctey .tl'fc,vl: Ne-co LtverHo91 *
serxesKda. ylmkpm Keqpon:eTdel. Ktlkcteh'ercnrw rsetlon: V**e .
ses*!Bh.,e$ JkpgllcatonSle:sqc: 1rPtltAel'i '*
crlepld> es '*'-'''''''serv*!Rvtp onseT'nhes
S;erq.qt9111p1@: SeftfencllefdR*vponql' Lrn#': 6*6** IP
Serv*!'rlfneotlt: DLWl@ru/7'reYld9a1: 's
c :'- < . ' . ' '
Dre ervHoll%*$: ' '@ t c
.
.
:111r>ockte: *-
1 Dl#SeN'APPIICG QRStsll . 'v . - '
.
!nPyles
04;BWe:

Thcnctwork managem enttcam hasdccided to closely m onitorthc m axim um application


rcsponsc time to the application scnzcrslocated atthc corporate serverfann.Use these stepsto
configtlrc thc plan:
step 1 Using theTraffic Analyzcrsoftware.chooscSetup > Alarm sto entersetup m ode
tbralarm s.
step 2 Choosc thc NAM M IB Thresholdstask.
Step 3 Click thc Createbutton.
step4 Choosethevariabletomonitor(thatis.ServerResponseTlmes)from thedrop-
down listforthevariablcyotlwantto alarl
n on.
Step 5 Choose thctypcofanalysisyou wanttopcrform on thc variablc.Thetype of
analysisdependson the M IB variablc selccted.Form ostNAM threshold alanns,
you havc theoption ofalanning by the ntllnberofreccivcd packctsorbytesor
transm ittcd packetsorbytes.Forapplication-based alarlns,the selection iseithcr
packcts orbytes,and forthe rcsponse-time alarm s.thc analysisselectionsincludc
avcragc.maximum ,rctrics,timeouts.and bytcs.You can also choosewhich nctwork
protocolyou wanttotilteron(lPsIP version6 glPv6) InternetPacketExchange
(IPXJ.AppleTalk,DEcnctsorBanyan Vil- tualIntegratcdNctworkService
(VINESI).lnthissccnario chooseServerNlaximum RespenseTime.
Step 6 Click Nextto moveto the ncxtconfigtlration scrcen to sctthe threshold parameters,

3-126 lmpiementi
ngCiscoDataCenlerNetworkl
nfrastructureh(DCNI-I)v2.0 @ 2998CiscoSystems,lnc.
Tllistigtlreshosvsyou the relnaining configklralion choicesthatyou 111t1stI
nake to colnpletethe
alan'n setup forthcctln'
clltcxanlple.Theconfigtlration choiceswi11var.y dcpclldillg ol1tlle
variableselected.
The l
irstoption isto selectthe datasotlrce.In tllisscenario,tlle trafficgoing to and com ing
froln theapplication servcrsisbeing spanlled to thcsecond SPAN interface (DATA PORTZ)oI)
Cisco NAM t)n thedistribtltion laycrsw itch;ref'
erto an carlierscellario.(Remcm bcr.bcforc
you can detille aN AM M I13 threshold,you lntlstcnablcdatacollcction tirst.The NA51 M IB
tllreslpold alarmscnableyou to crcatealarlnsforhostsand convcrsations.Thcrcforc,you must
enablc hostand convcrsatiollstatisticsforevery data sotlrccyou wantto configure an alarm
on.)
Next,entcrtheparalnctcrs spcciI ic to thc sclectcd thrcshold typc.Forexalnple,ifServcr
RespollseTilne wassclcctctl,elltcrtheIP atltlrcssofthc scrverfortlpedevice you Avantto alanu
on.Thcn.dctine the intel-val tlle lengtl)oftilne in sccondsoftllc collcction period alld a
descriptive nalnc fortllc alarln.
Forsolllevariables.notresponse tinAe,yotlnztlstalso choosc thc sanlplc typc Absoluteor
Dclta.svhcllyou aretlsillg cotlntcrs,yotlshotlld allnostalsvaysusc Delta bccausc itisused to
lncastlrc thcalzlountthatthc coullterhas illcreased dtlring a sampling interval.
Alwayssctthcva1tle l -ortlle rising and fallillg tllrcsllolds.Klow vvhatisllornlalalld abnorlnal
by Inonitoring and trending thc variables.asseen in tlle prcviotlssccnarios.Settillg both
thrcsllold valtlcsgivcsyou thc option to rcsetlreannltlle alarlu.Thc rcason forthis isbecatlse
alarmsarc likcbinary ssvitches they are citheron or01 -1-Nvhen yotlttlrn al1alarm on.itstays
olltlnlessyotlsctanothcrtllreshold to cllallge thealarl'n tioln on to off.Rising tllrcslpoldsscla,c
to rcann fallillg thresholds.and falling thrcslloldsscrvcto rcann risillg tllresllolds.

@ 2008CiscoSystemslInc. lmpfementing NetworkAnal


ysiswith Ci
sco NAM 3-12T
.
Afteryou havesctyourthresholds.you mustchoosewhich action thealarm should take.
.

K Log theevcntwith syslog m essaging.


* Send a trap m cssage to the lnanagementstation contigured to receivc them . lfyou choosc
to scnd a trap.you m ustenterthecom m tlnity stringofthe m anagcm entstation thatw ill
receivc the trap in thcdialog window.The com munity string mtlstm atch the trap
com lnunity string setin Setup > A larms> NAM Trap Dcstinations.
* Both(log tbeeventand sendtrap).
ThcN AM also givesyou the capability to controlapacketcapture on the data source upon
receiptofthc alarm .(Learn m oreaboutpackctcaptureslaterin this sccllario.)Click Finish to
enablc thc alarm .

3-128 Impl
ementi
ng Cisco Data CenlerNetwork I
nfrastructure 1(DCNI-I):2.0 @ 2008Cisco Systems,I
nc.
Contiguring sNvitch tllresholdson the NA M -land NA M -2 allowsyou to setalannsforthc
variables storcd in thc I'
nini-ltNfohlagentin the Cisco Catalystswitcll.Usillg thisoplion,you
cal)create port-lcvelalannsfortltilization.dropped cvcnls.bytes,packets,broadcasts-
I'
nulticasts.cyclic-l'ctltllldallcy-clzcck(CRC)alignlnenterrors,undersizedfralues.ovcrsized
fral
nes.fraglnents,jabbers,andcollisions.
To contigtlre alarlns forthcscvariables,choose thept -)rtyotlwalltto alarln on-lhe variable.
salupling interval.adescriptivc nalneasalllple type,threshold dctinitionsand valtles.alarln
evcntoraction,and thc colnlntlnity string forthe I'nal:agem entconsolcthatwillreccive traps,if
yotlconfigtlrcd thcalarm to trap on the cvcnt.Rclnelnbcrthatyotllnustcreate a ncw alann for
every Pol4 yotlWllntto ala17n On.
ThcSalnplc Typc isbased ol)thevariable yotlchoosc.Ifyou w'antto conlparc thcdiffcrellce
betw'een a variable atolle tinle intelw'alwith thenexttimc interval,tlpcltusethesalnplctypc
Dclta.Tllisistypicalforcotlntervariabletypes.Tlle deltavaltlcis then eolnpared to tllc
threslpold valtlc.

()2008Cisco Systems,Inc. lmplementing NetwockAnal


ysi
swith Cisco NAM 3-129
'

C o nf1g u ring la rm s .
'
Send Iar s via Syslog
.I1',I11I N.,tsj '.r1.IjIfjc .Ajla1yze1.
1* . .
.. . , t'
)ju'.t :uca .. z -rj.;
.L
r a
kv..
'u.
o .gI
J .z$.. ' .' .
g'
mtArq> *.T'# >'.!@''' &?'*.
uQ !#
KA* AI*4RI* $#'*l@.

, . -
:<:rw*'- k Loe. !'3q..<*. :>Kemh*mffvi.
V* (ik- L1R- 1,-'- *- t*
>I1&M*$Au. Rp oreutm- w-
'- ()kx. ()- .
, $4,'.- (A1t>tw ri-' '. ('i:.:ui
p . . ..... l92Ijap2(j:(j
Sendasyglogmessageto I DBCOO the
oithprthelocalorrerrote <-'''*f- ''--: rornoteSySIOg
syslogsewerlfalarmsare SOFVECShere
generatedzmenviolatlons
occurop MIB voice RTP
Y
AINA 1*2-.

TheNAM Syslog fkattlre enablesyotlto forward messagesgencrated by thc alannsto cithcrthe


NAM syslog orto a rcm ote scrversyslog filc.Thisisaparticularly tlscfulfeaturebccausc you
can revicw thesc t5Iesto help identify pattcrnsand repetition ofproblclnsand cventsonyour
network.CiscoW orks and othcrthird-party systelnssupportthe parsing ofsyslog filesfor
centralizcd cvcntnotification and monitorillg.To enable thisfeattlrc.choose thc syslog 5lc
location,localorrcm ote.foreach ofthe thrce eventtypts:M IB tbrcsholds,voice,and
thresholds and system alerts.Ifyouchoosc Iocal.Cisco NAM w illstore alertm eEsagcsto itS
own syslog filc.Ifyou choose to Iog cvcntsand alertsto rem ote scrvcrs,entcrcitherthe IP
addrcssorIP hoslnam c forup to Gvc rem otc scrvers.You can m ix and match any com bination
ofevcntswitl!locations.Forexample.ifyou have aperson dcdicatcd to lnanaging yourvoicc
systeln.yotlmay choose to forw ard aIlvoicc threshold eventsto a servcrdedicated to voice
m anagemcnt.

3-130 ImplementingCiscoDataCenterNetworkInfrastructure1(DCNI-I)72.0 @ 2008CiscoSystems,lnc.


Olle l'
norc stcp isrequired to colzlplete the contiguration ofalarlnsw ithin the Traffic
Analyzcr configtlring itto forward trapsto a net:vork lnanagem cntconsole.Contigtlring traps
isalso asilnple process,A1lyotlneed to do isgathcrsom e illforlnation the IP address.thc
UDP porlnulnber,and tl,ecolnlntlnity string tbrthe lnanagelncntconsole thatyotlhave
designatcd to rcccive the traps.Noticcthatyou can colltigtlre lhcTrafl icAnalyzcrto scnd traps
to n'ltlltiplctlestinations,allw'itlltllcsalne(ordiffcrcnt)U DPportntlluberandcolul
utlnity
strillg.

Note The welf


-known SNMP trap UDP pod numberis port162.

Q 2008Cisco Systems.Inc. Im plementing Network AnalysiswithCisco NAM 3-131


'

*
onflgurl
Kng jarm s.x
S end larm s v1a E - a1l

,
II1d111.
6 I$C*
N'.
k'
sj T rljff1t.'.:,1pIvz
.
' e1.
.;w .o .t;)..
(j ,'. ... .1 ..'.' '''':i.'
r.!'d
'.'.''ka8'''

. . .. .< - . ''.
(
'
,. - A- . !dnetyoscoxmtum:rrvmtpct&cocom t.,.. ., *
me
.b*4*.&'x**.
e@et,cocx
151.
1'
p Ipo..d *ldkeeMu.
>W.- .S-JM- - .EM#
- . OW*
- -
'C* O

En
totermulliplee.rrsaipaddresses ClicktoctlnflgtlfeE.maifserver
rof
ce
orl
vCi
esan
ccig.frehlnobscation (Admln >Systam >Emall
NAM alarrns Configur
ation)

Asa11alternativc to notification viasyslog ortrap.Cisco NAM callbe configured to send an e-


m ailto a Iistofrecipientswhen an alarm oceurs.To contigure,uscthe Setup > Alarm s>
NA SIAlarm M ailtask to enable thc fcaturcand cntcra com ma scparatcd listofrecipients.

3-132 ImplementingCiscoDalaCenterNetworklnfrastructure 1(DCNL-!)v2.D @ 2008Cisco Systems,lnc.


Forthresholdsthatllavc been reaclled and wereconfigurcd to have thcalarm loggcd locally,
yotlcan view tllcalal-
rnsIogged by sclccting tllc Alarlnstab.
FortheN AM -landN AM -2 servicelllodtlles,thisaction allowsyou to vicw thesyslog
m cssageslogged on Cisco NAM .To cleartlle NAM log,click tlle Clearbuttoll.

@ 2008 Cisco System s,Inc. Implem enting NetworkAnalysiswith Cisco NAM 3-133
V iew ing A larm Logs:Sw itch T hresho lds

.I1d.1I1. s.
CI5*
$
'sI 'rrsfjj(..
. :oalyze1.
.
.,.. .i
. . - . . . .. z$I''JD177

#Y :- - a:e!Ta.D + x%*)#&> DG switch


'7)wN- .
kz1'' - ..'1,f
.G 7 22.
7
1 51e D* ,,4241 '% awi- '

Agoo:ldescriptiorlentpred
duringsetllpGanhelp
vinpointtheexac;tnature of
thealarm

Ifyou choose the Sw itch link,you can view thcalarlnsgcncrated by the Cisco Catalystswitch.
Thcsealarms are a resultofthesw itch threshold contiguration choiecsyou m ade under1he
Scttlp > A larm s> Switch Threshold menu.This Iog m aintainsup to 256 entries.
Al1cventis fired when the alarm threshold setism ct.Tllcevcntstoresthe tim eoftheevent.lf
tllatsamc threshold iscrossed again,a llcw cvcntisgenerated and replacesthc previousone in
tlc log.

3-134 ImplementingCi
scoDataCenterNetworkInfrastructure 1(DCNI
-I)v2.0 ()2008CiscoSystems,Inc.
A ction 2:Trigger Packet C aptures
This tlapicdcscribcslllepackctcapturc and dcctlde featurc ()n NAM .
'

Packet apture and Decode verview

. dId.611I N A1
. $I .
I',.affi AIhalyzeI.
l$fQ .##
.. .##;;. '
W,
n)$.
h;
6.JZJJ.
S
.
i.
Ap
l
#>.
?
't
Ji.<.
b6(kt
>Xq
' w''
1%%%$
XX*i
*II
f'
f'
1
**1
e'
X./.
I
VWAV4*
'JJJVXX'
f.
%n'
'.'z''
&.'k.
z'
:
&%:
,..
'I'
W
Yme.* #'* 'ffth'f/
filpstlle
. Setupaodrnanagecapturebuffers(NAM RAMI
Capluresettingsand51ters
' Quickcapture(sia!landslop)
' Decodlng lhecaplures
' SavtngbuffersNAM harddlsk
' Addtporlalrefm lediskslorage
' Managtngcapturefites

. Packetcaptures can also be automaticall


y triggered when a threshol
d is
crossed and an alarm isgenerated

Tllcpacketcapttlrc fcattlre enablcsyou to collectpackctsfroln a data sotlrcethatyotlhavc


del-ined and thcn vicw thc restlltsofyourcollcction.packctby packet.
Thcpackctcapttlrc lnclltloftkrslnany options fortiltering thcpackctsyou w ish to capttlrc,and
tllc lncnu iscasy to tlsc.Tlle optionsyotlnccd to collsidcrwhel'
lcapttlring packetsarchow
Intlcl)oftlle packetyotlwantto capltlre (headcrand payload).aswellasfiltcring optiollsto
lilnitthe nulnberofpacketscapttlrcd.Yotlcan filtcrtraffic ona prc-alld post-capture basis,and
yotllleed to selectyourdata sotlrce.
Nvhen yotlfinish capttlring data.you callcitllcrdecode itby viewing tle capttlrc ordownload
the packctsinto a Glc fbranalysisby othcrthird-party tools,sucl)asapplication prot iling,
luodcling tools.antltoolsthatcan rcad thc .pcap fonnat.Alternativcly,to expcditc the capttlrc
configtlration-n'
lally lnonitorrcportsallosv yotlto sclcct:1table entry alld use thecontelltsasthc
basisfora capttlrc configtlration.

@ 2008 Cisco System s.Inc. Implem enting NetworkAnalysiswith Cisco NAM 3-135
'

a ture uffers
,I1I.tII. s'.
tA1v1.af(1t.zjtal.szr1.
6I%* .

Y@u@ewewmy+ >'o 'lr'lbee' ShOM aIIcapturebuffers


plul* %.:.1
*.. (NAu RAu)apdtjjejr
#C1- **''l.elM - > ,$+ *+ currentstatus
t.'.aazep,otm

''
hq. 1rt.aA kzr- lAtqcjv ;A&I4: 1e >7* L-.*#
''.fp.''Ia !t..1..l.lwpfff CIPOZ'P0OV? toc.*%F 1:C<1240?.yj3$4: 19%:p :314, kwrAe:
' fnuv'.1:t$1&1$x l1p:v;i$I CaPtbre tpc.sAy I0tt:;@F::344J 10::! 0 RsnlnMql

Modifyselectedcapture
buffersettings pause.
cl
ear.andrest
ar
lcaplure Sel
eckbuff
eFand Savebuferto5I
eonharddi
sk Del
et
elel
ectc
xd
decodepackots use Captnre >Fllestoview orap1buKers

ThcNAM allows you to have multiple capturc scssionsrunning atonce.and thereforeitis


neccssary to have a way ofm anaging a1lthc potcntialcapttlrc btlffers.Exectlting the Capture >
Buffcrstask prcscntsyou with a listofallcurrently dcfincd buftbrsand thcirstatus:
* Running:Packetcapture isin progrcss.
* Paused:Packetcapture ispaused.Capturcd packetsrem ain in buffcr,butno new packets
arccapttlrcd.
w Cleared:Capturcisstopped(by user)altdcapturebuffcrisclcared.
* Locked:Captureislocked (stopped)bccauscthebufferisfull.
This inftlrlnation isimportantbecause packetcapttlrc tltilizesmemory and CPU and there isno
scnsc in Icaving a bufferrttnning orallocated ifitisnotnccessary.From thisscreen theuscr
cancrcatenew buffcrs(capturesessions),cditsettingsofabtlfferincludingpausingand
starting,decode collected packcts in abuffcr.savcthc buffcrto the NAM hard drivc,and delete
tlle buffer. +

3-136 ImplementingCi
scoDataCenterNetworklnfrastructuse 1(DCNI
-I)v2.0 @)2008CiscoSystems,Inc,
'

evJ a tu re ettin s
C+'ta*%edirqlw Cleafbufferhrsllo
%.INev- t*m .sGYzfee > .$111r PKT charlgesoltlngs
Statusofcapture c> eIi-- S1.t= wF>
e'Y'4lwltlztls C1**r*: firfl' '*d
Selectdatasource(deine Y #d*C> *K. & H <' COFW
earslerfrolnlheSetop>
DataSotlrcesrrerTgl Cv zrehfe DATAIDCIRT2 v P<'.e>;A5;izejeee:l$0B
savepackctkoeitherlhe '7'3t- M1*tpe ot Ylfeemze(e )10 t'
-'
1&*'
m w- Ftl
NJSM buffer(RAM) t)rtothe X'c- ur.pmvkt F*&re(Ae) nFp.: rdder*.
N8M harddlskora rercole
dlsk
eo *ew-t tr)kvxxe ;'
.,ex-
llefinebow theCiscoNAM A *:*t SJ' IP v P'O*t*''t
handpesrlew packetswhen S- ce' lnfMrfr(eBp-rIUl1j
'
rhebufferisfahl F- ceMaek' 'Ssr'rheslf'
f!e
'slmetlt' nefeemltlll)
Capttlre.filtennqOptions OFRnMZn '
;g
6
8p es nol!
eoableyotltofilLerotitany 1)e.*or.
;# '
unwanledtraflicbyacidress !uNet'
ea :l
''ccp(esp'nuyj) .e
artd/orprolocolbefore11Is
storedinCiscoNAM r7 p.
-v:: Clctxtwm *t.':
n'emoryforanalysls PI:Mrteraerx! Capturecootro1s.c8ptq?femtisL
beStoppedtotnhangesettlngs

.tr
t.
vr
t !j.
;
,.
,
.r
....
1!
'..kis,,.l'f...q.l
$ fj.
,.. '
.

Tlpc tirstalld nlostiInportantconl


iguration option forcapttlring data is sclcctillg yotlrdata
sourceawllich you do froln thc Capttlre Froln licld in tllcCapttlrc> Scttingsdialog.
* Capttlreto Buffer:Aslvith a11protocolallalyzers,tllere isan absoltltc Iilnitto thc ntllnber
ot-packetsthatCisco NAS?Icallcapturc alld store in lnclnol' y,btltitalso hasfeattlresto
optilnizcthc tlse ofNAM resotlrceswllilc nlaxilnizillg the lltllnberofpacketsstored.Thosc
lkattlrcsinclutle:
Svrap when Fu1l:TI1isoption cnablcsyotlto dctinc whataction Cisco NAM should
takcwhelltllebuffer(RAM allocatcd forpackctcapttlre)isftlll.Sllotllditlock tlle
packetcapturesothatnopacketsgetoverwritten'?Orshould itovcnvrite(wrap)the
oltlestpacketswhcn the btlffcrbccom csful1?
BufferSize:lIcrcyou have the option to define how mtlch ofthc NAM m emory
you walltto allocate to packetcapttlre.Obviotlsly,the more yotlclloose llere the
lessyotthave forothcrNAM featurcs and olhcrCapttlrc Btlfj krs.M axilntlll'
tbuffer
sizes are:l25 M B (-
orNAM -1,300 M B forNAM -Z.70 M B tbrN M -NAM .alld I46
M B forNM E-NAM .
w Capture to Disk:Thistkaturc isused to capttlrepacketsto disk instead ofnlemory.Yotl
canselcctcithcrthe localNANIharddiskoranycollt-igured relnotestorageoptions.(Scttlp
ot-lhcrclnotc storagc isdiscussed laterin tl1istopic.)Yotlcan also selecttlle f5Ie size,thc
Iltllnberoftilessand w hethcrornotto rotatc tlle Glesifal1oftllcln fiIlduring capttlreor
silnply to elld tlle capture.Notetllatiftlle ntllnbcroffilcs(No.Filcs)option isgrcatcrthan
I,Iutlltiple tiles willbecrcated on tllchard drive.

@ 2008 Ci
sco Systems,Inc. Impl
ementi
ng NelwofkAnalysiswi
thCisco NAM 3-137
K Capture Filter:W ith thisoption.youcan configureCisco NA M to ignoretraffic beforc it
isstored in mcmory.This isa very usefuloption ifyou havc already narrowed the search
forthe sotlrcc ofthe problem alpd you wantto honc in on aspecific subsetoftraflic. You
can Glterby protocoland/orby M AC orIP address tbrboth source and destination
addresscsand add a mask to define which partofthe addrcssto include and which partto
ignorc.You can also detinc how you wantCisco NA M to apply the filter to include a1l
packetsthatmatchtheGlter(inclusive)orcxcludcallpacketsthatmatchthefilter
(exclusivc).

Note Tochangethe capturesettingsyoum ustfirstclearthecapturebuffer.

Note You can use address and protocolfilterstogether, butnotpod and custom filters,

3-338 lmplemenli
ngCiscoDataCenterNetworklnfraslructure !(DCNI-))v2.Q @ 2D08CiscoSystems,lnc.
The NAM Traflic Analyzersoftvvare allow sfora sllol-tcutto reducethe til' nc and effbl'
treqtlired
i1 settillg tIp a datacapttlre.Dtlring a typicalrcvievv ofm o,litorrcports,you lllay colnc across
an entry thatyotltletcnnine reqtlircsl'norc in-dcpth analysistlsing data capture.Ratllerthan
going to the Capm re> Settingsdialog and hoping you rclnelnbered alIthepertincnt
illlbrnlation to sctup thecapture filters,yotlcan simply sclcctthccntry it)the lnonitorreport
tablc alld click thc Capturc button.Thisaction sets up a data capture tlsing thedata i1 the tablc
entl'y astlle Iiltervaltlcs.Thc collection is il
nlnediately startcd and thetlserisshown thcdecodc
scrcen ofthcpackctscapttlrcd so far.

@ 2008 CiscoSystem s,Inc. lm plem enting NetworkAnalysiswith Cisco NAM 3-139


'

usto a ture ilters


Capture>CustonnFdters>CeptureFlllers
E* ** @ L- '' - '

IlaveblankIffillerlsrxolocol
Indeperlderlt

Entsryourdatastring.ycqirntlsl
erlterlhehexadecirnalvalueof
.CI ' pr' ' - jhedatastnngyouwantt0jlter
)-. 0n

pxa.-:
.
1
.
- Thenvsknelds(hexadeonwl)
'1 enableyoutodenoeztich
* * .R'' -- podlonsofthedatustNngare
'
-
relevantforfilteringande ich
portionscan beignored

cx... oo w adtm Theoffsgt(decirrut)andbase


h*l- '''
optionsInstructthefilterwhere in
I r thepackeltobeginsearchingfor
St
al
ugandst atusInaskseoabl eyoutosearchforthe 1wi
stattjsolEthernetframestba!areovefsizedor
qr
,'
.
y1I*e.'
*.
j theuataslring
tlnderslzeclorhave CRC oralignrx nterrors

Ij'thc f'iltcrsincltldcd in thepacketcapture settingsoptionsdo notprovideenough controlto


lneetyotlrnccds.you can create yourown tilterin the Capturc> Custom Filters> Capture
Filters mcntl.
Ctlstoln tsltersenable you to search fordata pattcnpsfound eitherin thcprotocolheadersorin
the data ficld ofthc packet.Thisgivesyou thc ability to rcad the packctasasinglchexadecilnal
data strcam w hcre you can tellCisco NA M to capturcordisrcgard packetsthatmatch thedata
pattcrn thatyotldefined in the custom t ilteroptions.To usc thisfeature,yotlneed to identify a
fcw tl1iIlgs.
. Yotlwillllccd to writcthedata pattcrn you arc Iooking forin hcxadccimal.Referto thc
C'isco NAM UserGttide formore instructionson hexadecim aland datapattern m atching.
K You willalso need to tellitwhereto bcgin thc datapattenlsearch.Ifyou choose absolutc.
yotlarc tclling thefilterto begin looking atthc firstbitof'the packet.Ifyou choose
protocol,you are instructing thc tilterto bcgin looking atthe Grstbitofthe protocolheader.
w Stattlsm asksenableyou to t'ilteron crrorconditions in Ethcrnetfram essuch asoversized
ortllldcrsizcd framesorCRc/alignmenterrors.Thcsc arc dcfincd by Cisco NAM and you
m tlstuscvalucs assigned to each ofthese in ordcrto tilterby status.
Delining yourown custom tiltersisavcry powcrfuland complcx tooltlyatrcquiresthoughtand
prcparation.Rctkrto thcSettiltgs chaptcrofthe Cisco NAM UserGuidc formoredetailcd
il,Ibrm ation and instructiollson defining custoln filtcrs.

3-140 Implementing Ci
sco Data CenterNetwork lnfrastructure 1(DCNI
-I)v2.0 C)2008 CiscoSystems,Inc.
To view and l'iltcrthe resultsofyourdatacapturc.selecttlle buffcrto decodc froln the Capture
> Buffersdialog.and click Decode.The tlppcrportion oftllc screellsllowsyotlstllzlmary
infbrl
uatiollforcacl)packet.Tllissection includesthe folloAving tields:
* Pkt:Thisincludcsthc sequcnccntll
nbcrassigncd by Cisco NAM asitentcred thc switch.
. Tinle:Tllis isa rclative tilncstalnp illdicating how lntlclltilue ltasclapscd since tltecapture
oftllc f'
ilwstdisplayed packettnottheGrstpackctin thc btlffcr).Yottcan also view tilne by
absoltltc tilnc.C'heck lhe C isco NAM UserGtlide l
brl
nore inforlnatioll.
. Size:Tllis (
'icld givestllcsizc ofthe packetiI)bytcs.
* Source:Tllis ficld gives the address(citllcrLayer2 orLayer3)orIP hostnamcofthe
dcvicc transnlitting thepackct.
M Destination:Tllis f -ield givcsthe addrcss(eitherLayer2 orLaycr3)orIP hostnanle ofthc
dcvice rcccivillg the packet.
* Protocol:Tllisfield givcs thchighcstIaycrofprotocoltllatCisco N AM recognizcs.
w lnfo:Thisficld givcsinronnation providing l'
nore detailabotltthc packet.
Tlpe colltents in thc Iowcrllalfofthe screcn provitlcyou with dctailcd inforlnation aboutlhc
packcttllatyou have highliglltcd il)thc tlpperportion ofthe scrccn.TllisdctaiIcd inforlnation
providcsyotlNvith il,form ation in tlle Gcldso1-cach protocolheaderofthepacketasw ellastlle
data ticld.Yotlcan also sec the Layer2 Etllenletlpcadcr illfbrlnation aswellasportionsofthc
Layer3 IP hcadcrinfonnation.Use thc.1/- sylnbo!sto the leftofeach hcadcrto vicw morc
packetdetails.Thebottom pain displaystllehexadecilnaldtllup ofthc packct.whicl)includcs
thcsanle iI1lbnnation as i11thc tlpperportiol!ofthe detailwindow .butvvritlellil1hexadccilnal.
Yotlcallalso apply a filtcroI)tlle colltents in the lkalne to rcl
inc yourviesv ofpackets(Display
Filterbuttoll).Y()tIcan (
'iltcrby IP orM AC addrcss.orby a plaintcxtpattern found in pattkel
stlnllnary,oryotlcan apply a custoln-post-capture tilterby cllotlsing theoption ofyourclloicc
frol'
n thcdrop-down Iistabove thc lnforlnation f-ield.

(D 2008 Ci
sco Systems,lnc. I
m pl
ementi
ng NetworkAnalysiswi
th Cisco NAM 3-141
Packetanalysisis very beneficialfortroubleshooting packct-levclproblem s.TheNA M offers
a11additionalal3alysistoolto enhance thisproccss.theTCP Stream tool.To launch,selecta
TCP packctfrom thc packctdccodew indow',and click thc TC P Stream button.A new'window
isopencd thatfollow sthatTCP stream througl)the packctcapttlre.providing you with every
detailavailable in the TCP packet.incltlding thedata.

3-142 lmpiementing Cisco Qala CenlerNetwork lnfrastructtlre 1(DCNI-!)v2.9 @ 2008 Cisco Systems,lnc.
TheNAM canalsoprovidcyouwithstatisticaldetailsofally captured filc(btlffcrsmustbeol)
tlleNAM localhartldriveoraprcviotlslydel
-illedcxterllaldrive).providingyouwithtraffic
ratesalld llostsand application stals fora givelltimcpcriod.To Iaunch,go to tlleCapture >
Filestask.A listofthe f5lesstored on the localNAM llard drive isdisplayed.Use thc Storage
drop-down lnenu to see tiles stored on onc ot -thc defined cxtcrnaldrivcs.Selectthe filc to
analyzeand click the Analyzebutton.A new wiIldow isdisplaycd thatsllowsstatisticstbrthc
entire capturc.You can fine-tunc which statisticsarc displayed by ellterillg acombination of
tilne,protocol,alld/orhostand clickillg the Drill-llown button.

Note An additionalremote externaldrive can be configured to expand the data storage


capabiliti
es ofCisco NAM .Laterin this topi
c.itwillbe discussed on how to settlp the
additionalstorage.

@ 2008Cisco Systems,Inc. Implementing NetworkAnal


ysi
swith Ci
sco NAM 3-143
'

ave uffered ata to isco ard


1sk LocaI 1sk
Sepectlngthecaplure@om the pislchf
caplure buffersandrrmntraplysavingitto .k Ik
-.1'''l'. s .
k51 'rraffi A.'itlvzel.
. tbeciscoxAMhard(ssk
f15.C* ' '
..xs,
..,
;. $
1:: >x:Jk
) .:4,$$1
.' /. eI ' '
*oAz.ae** mz:q''ppkz'-'
c.p'tut@ &..**i@.n* CrealedbyQU'rA Capture
feat
#<: urefrom rrrnitlngwlnclow
- - --''-*fe I,- m 'AeI.:!G (Caplufebutlon)
21e oee@s9

L- 53t*cm * 1kY lee <- Lte ed

l1 ,15'.r:l..
1.1*4w.-4i k'''*- 1:6- 2*7. (
r* 4e 44 l'te #
n r.... f.. # .a. 1tA:!A!,!1!d . .
t'lee e4
>, ffu t

1r. . .

Atltoomllc CaptureiBtherapturebcler
usedzmeo 'acoohgoredalarm psNetto
lnggerapacketGapture

By dcfault.Cisco NAM storcsthccaptured packctsin abufferin RAM .Saving buffersto the Y


Iocalhard drive ofCisco NAM allow syou to kcep the traffic tiltered and stored foranalysisat
a latertilne aswellas frcctlp lnemory forolhercapturebut-tkrsorNAM m onitoring.
Tllcrcarc basically two waysto store btlftkrsto the localhard driveofCisco NAM :
w The firstm ethod isto selccta buffcrffom the Capturc > Buffers listand click Save to File.
. Thesecond m ethod isto conflgureCisco NAM to Caplure to Disk when thecapture
settingsare defincd.

3-144 lmplementsngCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2,O @ 2D()8CiscoSystems,lnc.


Fortlcxibility antlillcreased storagc.Cisco NAM can also storc thc packetscaplured oIla
rcm ote disk.
To use thcrelnotcdisk optionmcolltigtlreCisco N AM with dclailsabouttlle remotedisk,using
tlle Adrnin > System > Capture Data Storage task.
Tllcrelnotestorageselazcrcanbcofeithcrtype'
.Network FilcSystem (NFS)orlnternctSmall
ComputcrSystelnsIllterl-ace(iSCSI).

@ 2008CiscoSystems,lnc. lmplementing NetworkAnal


ysi
swith Ci
sco NAM 3-145
'
*

efin 1ng e ote ata torage F

. .uu%S ' D.; 1 .


YYAI.- * '''4 . ''-': &'
.h,& .*y 1..
4
G*ptM,* #.'. %I@I:*
.. . o o o -ow

> . t. .z. ..k.h:.:............... .! .,..'.kk.) ' (usedtoseleclthedisk


... . reIrnOte'DC 10
Nolo TheNFS > *e pvm.lclscoco'l, Se
dirvor
sk 451eIoceare
tet
dhe
anre
drr
tot
hee
servermuslbe ro yexptjrf/nem cjjrectofy tohckd lhe
ableLogrant ' EapturedpacketlIe
accesstotbe Pr- *':- e
CdscoNAtIin ' &swou(.....-.) .-...-
oruertowrlte to
thedlsk c:;.....-..- > softllmec..zulpclsw,s-3raeos-z NFSOptlonslodeqne
m-vww-wxw--mwwwma-vvov-- - v - - :hOUanXferpfotcfol
!' 'If tjrreoutandre1 ryvaIues
;Gp
,l
!t
I1:j
'jp#..
e.
v j!
'.
s1k.1F '

To tlsc a11NFS remotedisk,click thc Create NFS button to dcfinc it.Provide aname forthe
disk (in ordcrto idcntify itin theN AM uscrintcrfacc).entcrthe hostname ofthc serverthathas
the rcmotc disk,and providethedirecto!' y where thccapttlrcfilcsshould be located.
Note the follow ing:
w Thc NFS servermustbe contigured to grantrcad and writeaccessto Cisco NAM in order
ft'rCisco N AM to beablc to storecapturc tilcson it.Thc following cxample showshow to
settlp an NFS directory(/home/somcuscrName)on aLinux serverforaNAM (atIP
addrcss 1.I.I.2)to store capturedata.
Locate a userID thathasrcad and w rite acccssto thc targetNFS directory.
Forcxalnplc.ifthe targctNFS dircctory is/hom c/solncuscrName,open the
/ctc/passwd fileand search fora userelltl'y thatcontainssomething like the
following:
* Someuserhlame:xiso3:so3::/llolnc/solneuserNam erA ill/tcsll
In thisexam ple,theuserID is503.
Etlitthe/etc/exportsGle and add a lille likc thc fo1low ing:
* /hom c/someuserName l.1.1.2/255.255.255.255(rw.a1l squash.anonuid=so3)
Activatc the change:type:f'
usr/bln/exportfs-a.
w IfthcNFS directory containssubdirectoriesthatare notwritablcby Cisco NAM , thesc
stlbdirectorieswillnotbe Iisted in NAM capturc screcns.

3-146 lmppementiog CiscoDataCenterNetworkInfrastructure 1(DCNI-I)v2 0 Q 2008Cisco Systerns.Inc.


Cllcck tlse existing partition# Svhen tllc rclnote iSCSltargcttlisk llasalrcatly bccn forlnatted
a11d 11:.
1s:
'
1I'
)a1
'tititll'
ltable.

Note Before Cisco NAM can recognize the configured iSCSIdevice.Cisco NAM m ustbe
reslarted so thatitcan load the device drivers.

(()2008Cisco System s.Inc. Im plementlngNetworkAnalysisw ithCiscoNAM 3-147


'

a n a In a tlre l
Capture>F'1109
Selectcaplurelleson
''-' CiscoNAM harddisk
j ...... (jocal)orrerrotadisk
:..).ikl..:( j7 *.4: $>% . . ...j
.

Do& loadselecle 51eto


r) !.., vtqe m.?jqe> .$,avj ystlrcclrnputerIn Sniffer
jjgcjjjejorrrjay

!..s- - :- - - .-'p.4''. '' ' ' ' )' e***e

>. i
I
$- 1- cy woe- xpww l.m l-.vm- ...>
(
'
H*'> 2<'t1(1@isee91)?'e E'o$*th'Bo31o 1!611M
r?ne ...'..v . j - aw j pwupj
q> v.e21'11 Merge5pesllhtocele(from rw -> - -- ..
NurrerofFllesoption)

Likc thc btlftkrsin Cisco N AM memory.itis irnportantto beablc to m anage the capture Glcs
stored on citllcrtheCisco NA M hard drivc orany detincd cxternalstorage dcvices.Several
taskscan be perform cd on these filcsusing thcCapture> Filcstask.which w illlistal15les
found on tlle Cisco NAM hard drive.
* Decode:Selcctthcdesired t
ilcanddecodeittjustlikedecodingbuffers).
. Analyze:Providctraffic.protocol.and hostratesovertimc forthc capturc 5le.
. M erge:Sclectmultiplctilcsand lnerge thcm into a single file.
. Download:Savca sclccted file to yourclicntmachinc in the .cnc Network GeneralSniftkr
forlnat.
. Deleteand DeleteAlI:Delete oncoraI1thc tilesfrom the NAM harddrive.

3.148 lmplementingCi
scoDataCenterNetworkInfrastructure1(DCN1-1):2,0 Q 2008CiscoSysyems.Inc.
S um m ary
7'11is tt'picsullllllllrizestlle kcy poillts thatvcrc disctlsscd in this lessoll.

x
'
yLl113l13a3-9
. Switch monitoring and reporting are available forevery porton the
Cisco Catalystswitch,regardless ofthe Cisco NAM configuration.
. Application monitoring notonlyoffers you valuable appli cation
distribution statistics,butitalso gives you the abili
ty to see which
network hosts are using which applications.
. ART m oni toring provides measurem ents thatreflectthe user
experience ofnetwork pedormance so you can quickly identifythe
source ofperform ance degradation and resolve problems before
users even notice.
w You can use Cisco NAM to collecthi tstatistics forevery URL
seen.allow ing youto analyze web traffic.
. You can configure Cisco NAM to capture the packetsfrom a data
source and view and decode them .You can also configure
thresholdsto send alarm s to users forspecific conditions when
they occur.

@ 2006Cisco Systems,lnc. Implementi


ng NetworkAnalysi
s withCisco NAM 3-149
Y

<

3-150 lmplemenlk
ngCscoDataCenterNetworklnfraslructure1(DCNI-I)v2.
() Q 2908CiscoSystems.lnc.
uesson41

C isco N A M M aintenance

O verview

Objectives
C isco NA M Soo w are U pgrade
ThistopicdcscribesCisco NAM m aintcnance options.

C isco N A M Im age U pgrade


.
Application image (hdd:l):
1 ResetCi sco NAM usingthe maintenance image (cf:1)
2 Log in to NAM CL1wi th root
3 Retrieve image from FTP site and upgrade
4.Folfow prompts
ExitNAM CLI
ResetCisco NAM usingtheapplication i
m age (hddrl)
Maintenance image(NAM-Iand NAM-2 = cf:l):
ResetCisco NAM usingtheapplication i
m age (hdd:l)
Log in to NAM CLIwi th root
Retrieve image from FTP site and upgrade
Follow prom pts
ExitNAM CLI
ResetCisco NAM usingtheapplicationimage (hdd:1)

TheN AM -1and NAM -2 cardsttse the following two im ages:


*
w A m aintenance im age:AllowsCisco NAM to be Ioadcd w ith abasic opcrating system to
perforln m aintenancc tasks,such asupgrading thc application im agc.
w An application im age:Containsboth thc Cisco NAM operating systcm and thcCisco
NAM traffic analysissoftware.
Yotlcan tlpdatc eitherofthcseim agesby rcbooting Cisco NAM with thc image you are not <
tlpgrading.I11othcrwords.to update the application image.rcset,orrcboot.Cisco N AM using
the mailttcbtallcc image.W hcn the properilnagc isloaded.connectto the Cisco N AM
com mand-line intcrfacc (CLI)and issucthc update command with thc FTP URL,whcrc the
llew imagc isstored asthc command param etcr.Follow a11prompts,cxitthc CLI,alld resct
CiscoNAM to usetheapplication image(thcdefault).

Note To determ ine which im age Cisco NAM is using you can use the show m odule com mand or
sesslon to Cisco NAM .W hen using the application im age.the show module output
indicatesthe software version thatis being used by Cisco NAM .lfusi
ng the m aintenance
im age,lhe software versionnum berisnotthe NAM releaseversi onand should befollowed
by an Mm .*lfCisco NAM is booted using the m aintenance image.the bannerthati s
displayed when a session to Cisco NAM is created indicates thatthe m aintenance image is
being used.

To upgradc thc NAM applilb ation image.yotlmustbootCisco NA M to tllentaintenanl'e


partitiol).To tlpgrade the NAM maintenaltl' e ilnagc,you IntlstbootCisco NA M to thc
t7/?/?//(':?/f???parlitior1.

3-!52 lmplementingCkscoDataCenterNetworklnfrastructure1(DCNI-I)v2.O @ 2D08CiscoSystems.lnc.


'

P atch InstalIatio n
p Patches are increm entalupdatesto soft
w are releases thatare
installed wi
th the patch NAM CLIcomm and
. Patchesare available onlyforthe Cisco NAM application image

root@localhost#
patch ftp ://user:password@host/full-path/filenr e
> Installs a patch

<- -
* 4

. .E >

NAM-I,NAM -2

Note Before patching Cisco NAM ,make sure thatCisco NAM iscurrently booted with the
applicalion image

(:32008 Clsco System s.Inc. Im plementingNetwerkAnalysiswithCisco NAM 3-153


C isco N A M R eset and S hutdow n
65904: F .
hw-module module NAM szoe reset '
* Resets a Cisco NAM module '
NAv cL1
Uoreachable
6510#hw-module module 1 reaet
Device BOOT varlable for reaet - fempty> -
Warning) Devic. list ie not verifted.
Proceed w1th rlload of module?lconfirm1
% reaet iasued for module 8

Three optionsforNAM-I orNAM-2 shutdown:


' Opt ion 1.
'Issuethe sbutdown commandfcom
NAM CLI statusLED =,.''.
''
Option 2:lsluethe module shutdown command
from supefvl sorCL1
OCt
N M
ion3'
.PresstheShutdownbuttononCi
sco -W'
Do notremove Cisco NAM unti
lshutdown processis
complete

Nonresponding C isco NA M
IfCisco NAM isnotrcsponding.take the following actions:
Step 1 Check to cnsurethatthcsession com mand worksfrom the switch and routerCLI.
step2 Check toensurethatyoucanpingoverEthernetout-of-bandchannel(EOBC),
step 3 Check to ensurethatyou can ping to them anagcmcntIP address.
step4 Collectoutputoftheshow teh-supportcom m and from both Cisco NAM and the
switch orrouter,
step 5 Collcctcore tiles.
step 6 Check whctherCisco NA M isscated correctly in thc chassis,
step 7 ResctCisco N AM .asshown in tllc tigtlre.There are two waysto resetCisco NA M : +

. Ifthc NAM CLIisstillreachable.cnterthe rebootcom m and.


* Ifthc NAM CL1isunrcachable,thcn resctthc module from the CLIofthc host
as fbllow s:
step8 Resctinto m aintenance imageorhelper.
step9 Clearthe collfiguration.
step 1Q Reinstallthe application im age.

3-154 Impl
ementingCi
scoOataCenterNetworkfnfrastructure1(OCNf
-1)v2.
0 @ 2008CiscoSystems.fnc.
Shutting Dow n Cisco NA M

Note The shutdown procedures can take severalmlnutes.

@ 2008 Cisco System s.Inc. lm plemenlingNetworkAnalysiswithCisco NAM 3-155


C isco N A M Troubleshooting
ThistopicdescribesNA M troublcshooting.
'

S ystem R eso urces


F--dr.I:.''
k;...ltI'
ut..J(I
NA SI Traffit'A 1lalyz.1.
. ., . jx w'
L.xcw71 tq.- ..- . - . .. .... ' .' . . . ' - t,zk'
Y e @1'*e*:* *.+'.
rr >. lte''r > ' ee'fIF'e: v':e5
$y*:@nA Oy*4*1*#y
> '.<.1,,141I>x.siq'eu
i)j: G G :r
x e > 11Az> ,D H O UK

P AH - 1R11* 1*.111
Sol Q#--J 4:e e4#Ge: : ' '
Me-yyU/zd*n 46%

Thc NAM offcrsm uch data and many reportsthatgiveyou visibility to yotlrnetwork. You can
choose from among the data sotlrccsavailablc to youand tailortheN AM m onitoring and
reporting t-
unctionsto meetyourspecificneeds.
A lwaysrememberthatCisco NAM hasGxed rcsourcesand thatalIofthc monitoring rcports,
alarm s.and capturcsyou detinearc stored in Cisco NA M m emory,w hich iscurrently 512 M B
forlhe NAM -1and lGB forthc NAM -Z.A llofthcwaysthatCisco NAM dclincatesdata for
them onitoring and reporting tllatyou choosc.and allofthc packctsthatyoucapture for
decode.consum e mcm ory.Thcre isadefinite pointofdim inishing retunzs,bccause the m ore
you collfigure formonitoring,the Inore likely itisthatpackcts willbc dropped.comprolnising
the reliability ofthc dataand reportsthatyou rcly on.So chooscyourdata sourcesand your
Inonitoring and reporting needsw iscly to ensure thatyou maintain thc validity ofyourdata.
A good practice isto slowly and increm entally add datacollcction and monitoring optionsand
thenN'icw theirilnpaclon Cisco NAM by viewing system resource utilization in thcAdm in >
SySt0!11> SyStCITIRllsotlrcesmellu.

3-156 lmplementingCiscoDataCenterNetworklnfraslructure 1(DCNI-I)v2.O @ 2008CiscoSystems,lnc.


'

D 1agnost1cs: heck S ystem 1()rts


. View fai
lures orproblem sthathave occurred

,' Il.$I'. N.
51 'rl''affit .:nalvze1.
.
Cl5CO ' '.
. gl4'e a
*112
.1%*YNY.' L sq ' - *.'rh. k
r
,
.
rfp? s
. 'p
yi
.v ...pt
p-t
. z
ad
p
os u'
t'
.l
k' .
3.
#f7
17$ Fi
A
'
Y Arel* '
e * -.- : ' ' # ''' ''
To4N $../e@lt yv1+>> 81@et.
''
1$.-
Ic''.-- z1,.
11I #Cwpee- eaje ttv et-e xe m @@N*N
.
'.
F2f.
'l'm.u$rJJ.: 'zjAaqswtex:

, 1 '5Yv e'rb zl KgY*le'eG rtr- sl


.. . 2 15Rw e7.* N fm :ope cmsp,#nl 4* 72*
3 !$hkl. (IF(5J;lfmi ..
T311q)rlaee/
4 !5Yv OTtf19 Te#- o pehz
5 1CNo. 0Afl $9 O W$)f- 6* ru 1+ :1*BW'*'e**rylryqeo
B 1$Nkw W (K18 fdl* C:KO tKlru re* 1@5RPCre4tdt4/
? 1%h*.v (/35916 r?!7 LMZ!fmord+5rx!dlq+/to:FWJ'-yestF
: J$*. (* * ,5 K'9%3r'- +1ru 4%*/le3< eeexxsl
q 16N.pg (*$.3IM* SAQ!trrorklf%dru r6rW 102Rr%CterKlertt
ID !5Nog 165:I3 &D Y 1- tklru ee;w * $> r.M tl#

'
'Yotlcan vic' svany tbilurcsorproblclllslllatthe ('isco N A N1Traftic Allalyzcrhasdctcclcd
dtlri1,g 1101'11)111opcratitllls,-1
-11is il'
l(klrlnatiollcal'
lbe '
$icw-ed by goil'lg to tllc Adll)i1)> l'
'
liagnostics
> Systcln A.1eI4sscrecn iI1tlle C isco N A N1TraI'IitrAnalyzcrsoftqvarc.

(D 2008ClscoSystemsllnc. lmpiem enting NetworkAnalyssswith Cisco NAM 3-157


'

D 1agnostics:C heck A uditTra1I


. View acti
vitiesthathave occurred
'o+14I!..p.'tI.Yt.''1
'd1''111' NA5.I 'r1.affl4...klkalyze1.
. .
f 15<@ .
w t 'Qt ' '
?*u* * *A'#em # .N%<''J*.'q>A>y:rAx
Ao#11 TI11
# cee- - e4-e x- xejtexf:err
&1# 1#l ' ''-
n'p
me v .:fixmfiq$1..,.j
i1T- t.'' t
iklt.)J
''' iG .. .77.
+ ..;
.r'C 'k
b ' x w m .ts zsx - ,aktfzAlz us. kw
> > m * f?'4& ''''- Sn * * x ' ''t- e
> * ?(*'(*139 . $A$6:s:: #5 **2*51AeedfM V
' AAlKml* v- w e
V * m * f@> e *l !n *& D t- ko
26* R F01D 28 m- $021I44:3 tllo k>
x - v z.el.tk1* - te> su z: to k.
Is- w * s2% - !7!89sm235 X e =* ' F**
, y- jex ?

Yotlcan vicw a listing ofreccntcriticalactivitiesthathave been recorded in an intcnpalsyslog


Iog file.Syslog m cssagcscan also bc scntto an extcrnallog.The follow ing uscractiviticsare
loggcd in tlleatldittrai1.
K AllCLIcom lnands
K Userlogins(including failed attcmpts)
* Unauthorized accessattelnpts
* SPAN changes
. N DE data sotlrcechangcs
K Enablillg and disablillg data collcctions
* Crealing alld deletillg rcports
* Starting and stopping capturcs
. Adding and dcleting tlsers
This inforlnation can bc viewed by going to the Adm in > Diagnostics> AuditTrailscrecn in
thc Cisco NAM Traffic Analyzersoftwarc,
As illtlstraled in thc figurepeach activity includcsa datc,tlle userID.an IP address(in case ofa
remote accessl.antlanotcdescribing theactivity.The inttrnal!ogtilcsare rotated after
rcaching a certail)size lim it.

3-158 lmplementingCiscoDataCenterNetworklnfrastructure 1(DCNI-!)v2.D @ 2008Ci


scoSystems,lnc.
'

D iag nostics : heck on ito r an d C a


cptu re
C onf1g u ratio n
* Verify how the Cisco NAM is configured forcollecting various statistics

.t 1,,Il1, x.
tsl 'rraffi(' ..&,,al).ze1.
q,
J
.
V 7j.
. t..
' . ap .
t ... . ..
'k '. s .. ..47- 9t F9!/'
Y- A:e1*1*:* 'r' >'x'' &' 'h''' > ' X''''' 'e
'
-.d.'.i 'E''*IL2C11 *ct- o.. a:e> x - w ea3zx)FST

yNltsnwc.jo't;q.:q94t 1'v:ektxl' bv4ez twavk#i.... rlp/aex 4*eu.4,.


t.''lip;l.41$g1 d 9:** $ t'IdP'7PI9C; Ur<*1*P
2A M 1 E1N WM TX/ L
. '
- X e N- rlx
xsoay.1

4 - mo ,em G ?.02 toce


S &eN4 4Q5'0 ter4**7 R
lhery1vdm 'Ce -eQerr
t*ur- '- eRap'
l- 1

(
I)2008 Clsco Systems,l
nc. lmplementing NetworkAnal
ysiswithCi
sco NAM 3-159
'

D'
Iagnostics:Check Logged M essages
'11I*'l!' NA51T1't
vf'
fI(!Anal).zer
C I$C@ . .
'' - . .u21)lp0t
')(Z
'L
'
L3 . . .. ....= '
. - '.
'-
YouApy:*n: @ k'ev.:7+:wv.'%'' 9T@<> GtT4vAm
#@<h.$upp*1l

h!ethGt4:)@l! */A >*# :$ ::.9$'*4 'F' 2@'


Checkforthese words.
. Error
. Failed
xo *wuame- :
Fw:-exMaa z*.4
. Incorrect
tx n- - . Warning
m -- .- ' M - rh x zwo - (- .- ,'
x.x-vxw&7ep--.:(xa)'
wxx-.r- - -- -.eg
w*>-@z..mw.-xw:-..:
- '- :

ThtlNAM hasa tcchnicalsupporloption thatgathersdiagnostic infonnation from thcCisco


NAM hardware and opcrating systcm .Thisinform ation can be viewcd by displaying thc
Adm in > Diagnostics> Tech Supportscreen in the NAM Traffic Analyzcrsoftwareorby
entcring tlpc show tech-supportcom mand in the NAM CLI.In both cases.scrolldown to the
/
'var/log/mcssagesinfonnation (toward thcbottom )and look forkeywordsindicating problcm s
(error,failed,incorrect.warning).Thc inform ation should indicatethe sourccoftheproblcm
and provide you w ilh a starting pointforcorrecting it.
Finally.makcsurc thatyou rcview the relcasc notesforany known issuesand w'orkarounds as
welIastheCataltb xt/65/7/.7Seriem$' /c7?alulC'zw 7600Sel. iesS/&Jtv'Nettb' olk .
,
1z2t#1'
.
$'$.
:bI()(IltIQ,/ll.
:/:7//:??/t?/?:,?;(/(?o3!(lgllt'
a(i()NXp/Ffflraklclititlnaltrout)lesht)otillgtips.

3-160 Implementi
ngCiscoDataCenterNetworkInfrastructure 1(DCNI-I)72.0 @ 2008Ci
scoSystems,Inc.
S um m ary

S unnlnary
. Periodically,the firm ware in Cisco NAM mightneed to be
upgraded orpatchesm ightneed to be installed.
Shutdown Cisco NAM before removing itfrom its slot.
e Diagnosticsand reports are available formonitoring the overall
health ofCisco NAM .

@ 2008 Cisco Systems.Inc, Implementi


ngNetworkAnalyslswi
thCisco NAM 3-161
M odule S um m ary
Thistopicsum marizcsthekey pointsthatwercdiscussed in this module.

M odule Sum m ary


. C isco NA M can analyze the source ofthe traffic forwarded to it,its
destination,the protocol,and the am ountoftraffic perhost,per
conversation,and perapplication.
. You can installCisco NAM in anysl oton the hostCisco Catalyst
6500 Series Switch exceptslots thatare reserved forthe
supervisorm odules.
* M ini-R M O N is a sw i
tchfeature thatm ustbe enabled forCisco
NAM to provide usefulinformati on aboutEthernetports. +
. To upgr ade the Cisco NAM application image.you m ustboot
Cisco NAM to the m aintenance parlition.
. To upgr ade the Cisco NAM m aintenance image,you m ustboot
Cisco NAM to the application partiti on.

3-062 ImplementingCi
scoDataCenterNetworklnfrastructure1(DCNI-I)v2.
O @ 2906CiscoSystems.lnc.
M odule Self-c heck

V11icllofthc 1-0llo'
w'iI)g isa vaIid data sotllvc forC isco N A 5.
1servitre Inodt)le?(Sotlrcc.
Illtrodtlcing Cisco NAM )
A) SPAN
B) Laycr2 acccsslist
C) Prclix lisl
1)) lP acccsslist
I
qi) Policy-basctlrotlting

@ 2008 CiscoSystems.Inc. Implemeoting NetworkAnal


ysiswith Ci
sco NAM 3-163
Q7) W hichhastobcenabled to view portstatisticsonCiscoNAM ?(Source:M onitorings
Vicwing,and SavingData)
A) M ini-RM ON forselcctcd intcrfaccs
B) Historicalreporting and trending
C) Core monitoring
D) Switchhcalth statisticscollection
Q8) UndcrwhichoptionisthcSPAN datasourcccreated?(Source:M onitoring.Vicwing,
alld Saving Data)
A) Setup > Data Sources> SPAN
B) Adm in > Data Sources> SPAN
C) M onitor> Data Sources> SPAN
D) Sctup > Sw itch Paramcters> SPAN

3-164 lmplementlngCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.0 @ 2008CiscoSystems.lnc.


M odule Self-c heck A nsw erKey

@ 2008CiscoSystems,Inc. Implem enting NetworkAnalysiswith Cisco NAM 3-165


3-!66 lmplementingCiscoDataCenterNetworklnfrastructure1(DCNI-I)v2.0 @ 20D8CiscoSystems.lnc.

You might also like