Enter Cisco Systems' Network Analysis Module (NAM). The NAM is a Catalyst "blade" designed for the 5000, 6000, and 6500 series of Cisco switches. It is a protocol analyzer, latency meter, QoS (Quality of Service) tool and proactive monitoring device all rolled into one. Using the NAM, administrators can select ports, Etherchannels or VLANs on the switch to monitor, and send data directly to the NAM blade for inspection. The NAM is unique because the monitored traffic moves directly onto the blade from the Catalyst backplane, is analyzed, and can then be viewed simply by using the embedded Web interface. A built-in, browser-based sniffing device capable of doing packet decodes is downright slick, and that's just the tip of the iceberg.
Easy to Deploy, Intuitive to Use
I deployed the NAM in our Chicago Neohapsis partner labs on one of our Catalyst 6509 switches. The NAM occupies one slot in the Catalyst chassis and appears to be based on the same hardware that drives the Cisco IDS blade.
Once the blade was installed in the switch, I was able to use the Catalyst's "session" command to perform the essential IP configuration tasks necessary to make the NAM accessible via the Web interface. The command-line NAM interface has a stripped-down set of commands whose syntax differs from that of IOS. However, after a few minutes with the online help (use the "?" key!), I was able to figure it out. After I assigned the NAM an IP address and supplied a default route, I was ready to start using the Web interface. No software installation is required on the end user's workstation -- a pleasing feature.
The NAM's embedded Web server, which runs on the blade, can be used to configure the NAM, monitor real-time traffic, set capture options, and inspect captured traffic. I configured a few span ports on the switch using the NAM's Web interface and began capturing traffic immediately. Configuring span ports through the Web interface is a lot easier than using the normal Catalyst OS command-line routine, or maybe it's just that drop-down menus are a lot more fun.
Once traffic was captured, I used the built-in packet decoder to take a more detailed look at our packet dumps. I was pleasantly surprised at how useful an HTML-based packet decoder could be. While not as "graphically stimulating" as some Win32-based packet decoders, the NAM's packet-decode Web interface satisfied my decode needs nicely. The Web interface also will let you save your captured traffic to a file for downloading. For example, I pulled one of our capture sessions down to a local workstation and had no problems opening it up in the popular open-source protocol analyzer, Ethereal. This type of flexibility is incredibly powerful, and I'm thankful Cisco has committed to supporting open standards on this front.
Vendor Information
Network Analysis Module (NAM) for Catalyst 6500 and 6000 Series, $14,995. Available: Now. Cisco Systems, (800) 326-1941, (408) 526-4000; fax (408) 526-4100. www.cisco.com
Going beyond basic monitoring, Cisco has introduced some VoIP (voice over IP) QoS monitoring options in version 2.1 of the NAM software. Using this version, network managers can analyze voice traffic for network utilization, track round-trip delay times, monitor quality degradation and measure general device-to-device latency. Using the Web interface, I was able to monitor latency levels between both network devices and VoIP phones.
Administrators also can view statistics, such as MAC (Media Access Control) history tables, application-utilization levels and network-utilization levels, broken down by application protocols (FTP versus HTTP, SSH, SMTP, for example).
But the NAM can do more than simply monitor. Using the NAM's threshold alarm settings, I set alarm conditions for network jitter, H.323 latency and other possible problems. Alarms can be viewed from the Web interface or redirected to syslog servers. This redirect capability is incredibly helpful for getting a heads-up warning before the trouble begins, and tying these types of alerts into larger network frameworks should be a simple thing to do.
Finally, Cisco claims that because of the architecture behind the Catalyst 5000 and 6000 series switches, the NAM has very little effect on the switch's processing overhead. While I was able to monitor CPU and memory utilization of the NAM blade, I ran out of time and was unable to test whether Cisco's "no impact" claims are indeed accurate.
If you have free slots in your Catalyst switches and are in need of a strong VoIP-aware network-analysis tool, it's going to be hard to find a more feature-rich, cost-effective solution than the Cisco NAM.
Greg Shipley works for Chicago-based security consultancy Neohapsis. Please send your comments on this article to him at gshipley@neohapsis.com.