IT 4333 – Network Admin & Management, Fall 2006 (Nov 9, 2006)

RMON

From: Byte Magazine, Javvin.com, Cisco.com, Wikipedia, and IETF


Part 1, from Cisco.com

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/rmon.htm


Definition: RMON

Remote Monitoring (RMON) is a standard monitoring specification that enables various network monitors and console systems to exchange network-monitoring data.

Two versions: RMON1 and RMON2


Definition

The RMON specification defines a set of statistics and functions that can be exchanged between RMON-compliant console managers and network probes.

An extension of SNMP MIBs.

As such, RMON provides network administrators with comprehensive network-fault diagnosis, planning, and performance-tuning information.


Standards (RFC)

RMON was defined by the user community with the help of the Internet Engineering Task Force (IETF).

It became a proposed standard in 1992 as RFC 1271 (for Ethernet). RMON then became a draft standard in 1995 as RFC 1757, effectively obsoleting RFC 1271.


An RMON Probe Can Send Statistical Information to an RMON Console


RMON Groups

RMON delivers information in nine RMON groups of monitoring elements, each providing specific sets of data to meet common network-monitoring requirements.

Each group is optional so that vendors do not need to support all the groups within the Management Information Base (MIB).

Some RMON groups require support of other RMON groups to function properly.


RMON Group: Statistics

Function: Contains statistics measured by the probe for each monitored interface on this device.

Elements of MIB: Packets dropped, packets sent, bytes sent (octets), broadcast packets, multicast packets, CRC errors, runts, giants, fragments, jabbers, collisions, and counters for packets ranging from 64 to 128, 128 to 256, 256 to 512, 512 to 1024, and 1024 to 1518 bytes.


RMON Group: History

Function: Records periodic statistical samples from a network and stores them for later retrieval.

Elements of MIB: Sample period, number of samples, items sampled.


RMON Group: Alarm

Function: Periodically takes statistical samples from variables in the probe and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an event is generated.

Elements of MIB: Includes the alarm table and requires the implementation of the event group. Alarm type, interval, starting threshold, stop threshold.
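The threshold comparison the Alarm group performs, as an added example that is not from the slides or their sources. It assumes the "starting" and "stop" thresholds act as a rising and a falling threshold with hysteresis, that the alarm type selects delta or absolute sampling, and that the monitored variable is a 32-bit counter; the class, function and sample readings are constructed for illustration.

```python
# Added illustration (not from the slides): RMON-style alarm evaluation.
COUNTER32 = 2 ** 32  # assumed width of the monitored counter


class RmonAlarm:
    """One alarm entry: samples a variable and emits threshold-crossing events."""

    def __init__(self, rising, falling, delta=True):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling, self.delta = rising, falling, delta
        self.prev_raw = None
        # Simplification: only a rising alarm may fire first.
        self.rising_armed, self.falling_armed = True, False
        self.events = []  # what the Event group would log or send as traps

    def sample(self, tick, raw):
        if self.delta:
            if self.prev_raw is None:      # first reading only sets the baseline
                self.prev_raw = raw
                return None
            value = (raw - self.prev_raw) % COUNTER32   # survives counter wrap
            self.prev_raw = raw
        else:
            value = raw
        event = None
        if value >= self.rising and self.rising_armed:
            event = "rising"
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling and self.falling_armed:
            event = "falling"
            self.rising_armed, self.falling_armed = True, False
        if event:
            self.events.append((tick, event, value))
        return event


def run(samples, **cfg):
    """Feed one raw reading per sampling interval; return the events generated."""
    alarm = RmonAlarm(**cfg)
    for tick, raw in enumerate(samples):
        alarm.sample(tick, raw)
    return alarm.events


# Constructed broadcast-packet counter readings (the counter wraps after tick 1).
BROADCAST_COUNTER = [4294967000, 4294967100, 104, 1304, 2604, 3004, 3054, 3104, 4404]

if __name__ == "__main__":
    for ev in run(BROADCAST_COUNTER, rising=1000, falling=100):
        print(ev)
```

The sustained burst at ticks 3 and 4 produces a single rising event, and the drop to 400 at tick 5 does not re-arm it; only reaching the falling threshold does, which keeps a value hovering near one threshold from flooding the console with events.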


RMON Group: Host

Function: Contains statistics associated with each host discovered on the network.

Elements of MIB: Host address, packets, and bytes received and transmitted, as well as broadcast, multicast, and error packets.


RMON Group: HostTopN

Function: Prepares tables that describe the hosts that top a list ordered by one of their base statistics over an interval specified by the management station. Thus, these statistics are rate-based.

Elements of MIB: Statistics, host(s), sample start and stop periods, rate base, duration.


RMON Group: Matrix

Function: Stores statistics for conversations between sets of two addresses. As the device detects a new conversation, it creates a new entry in its table.

Elements of MIB: Source and destination address pairs and packets, bytes, and errors for each pair.


RMON Group: Filters

Function: Enables packets to be matched by a filter equation. These matched packets form a data stream that might be captured or that might generate events.

Elements of MIB: Bit-filter type (mask or not mask), filter expression (bit level), conditional expression (and, or, not) to other filters.


RMON Group: Packet Capture

Function: Enables packets to be captured after they flow through a channel.

Elements of MIB: Size of buffer for captured packets, full status (alarm), number of captured packets.


RMON Group: Events

Function: Controls the generation and notification of events from this device.

Elements of MIB: Event type, description, last time event sent.


Huh?

I'm lost….

Let's try Wikipedia…


Definition from Wikipedia: http://en.wikipedia.org/wiki/RMON

RMON stands for Remote Monitoring. It is a standard used in telecommunications equipment, e.g. in routers, which implement a MIB (Management Information Base) that allows for remote monitoring and management of network equipment.

RMON uses an agent running on the device being monitored to supply information over SNMP to a management workstation (or some other system).


??

… that doesn't help much…


Let's try a 1995 article from BYTE http://www.byte.com/art/9506/sec13/art4.htm

Recognizing that managers need to somehow see what's going on at distant locations, the IETF (Internet Engineering Task Force) has developed specifications for an RMon (remote monitoring) system that keeps tabs on the state of distant networks.

RMon is an extension of the IETF's SNMP, which is commonly used to manage large networks.

The idea behind RMon is to distribute, throughout a network, probes that collect information about the traffic on that network.


Difference between SNMP and RMON

The difference between SNMP and RMon is that SNMP monitors and manages network devices like hubs and bridges, while RMon monitors LAN traffic!


… continued…

With RMon, some of the management intelligence is moved out onto the network, where RMon probes alert a centralized console whenever a threshold, such as number of packets, is exceeded.


Typical use of RMon

One probe would be located on each LAN segment.

The probe would monitor data transmission on that segment and organize the information it collects into a format that makes it easy for a manager at a central site to analyze traffic patterns and diagnose problems at remote sites.


RMON vs. Protocol Analyzers?

"Naturally, there's some overlap in the functions of an RMon probe and a protocol analyzer. For example, many protocol analyzers can perform trend analysis on the data they collect."

(Is this true? This is from 1995…)


Probably still true.

The way the two technologies can work to complement one another is to use RMon to baseline networks, study usage trends, and identify potential problems before they cause trouble for users.

This will help reduce the number of trips to remote sites that technicians must make to solve problems.

And when a problem requires higher-level diagnostics to be performed, use a protocol analyzer.


Benefits?

The benefit of an RMon system is that it automatically collects information about the traffic on a LAN segment that is in a remote location.

For a manager responsible for many LAN segments that are not all in the same location, that can be a great cost-saving benefit.


Typical implementation (from Byte)


We need more details…so let's try Javvin. (Something more up to date..) http://www.javvin.com/protocolRMON.html

Remote Monitoring (RMON) is a standard monitoring specification that enables various network monitors and console systems to exchange network-monitoring data.

RMON provides network administrators with more freedom in selecting network-monitoring probes and consoles with features that meet their particular networking needs.


Difference between RMON & SNMP

RMON was originally developed to address the problem of managing LAN segments and remote sites from a central location.

The RMON specification, which is an extension of the SNMP MIB, is a standard monitoring specification.


Difference between RMON & SNMP

Within an RMON network, monitoring data is defined by a set of statistics and functions and exchanged between various monitors and console systems.

Resultant data is used to monitor network utilization for network planning and performance-tuning, as well as assisting in network fault diagnosis.


Versions of RMON

There are 2 versions of RMON: RMON1 (RMONv1) and RMON2 (RMONv2).

RMON1 defined 10 MIB groups for basic network monitoring, which can now be found on most modern network hardware.

RMON2 (RMONv2) is an extension of RMON that focuses on higher layers of traffic above the medium access-control (MAC) layer.

RMON2 has an emphasis on IP traffic and application-level traffic. RMON2 allows network management applications to monitor packets on all network layers.


RMON 1 and RMON 2 (From www.javvin.com/protocol/RMON.html)


RMON Components

Two components: a probe (or an agent or a monitor), and a client, usually a management station.

Agents store network information within their RMON MIB and are normally found as embedded software on network hardware such as routers and switches, although they can be a program running on a PC.


How do agents work?

Agents can only see the traffic that flows through them, so they must be placed on each LAN segment or WAN link that is to be monitored.

Clients, or management stations, communicate with the RMON agent or probe, using SNMP to obtain and correlate RMON data.


RMON 2 MIB groups

Protocol Directory: The Protocol Directory is a simple and interoperable way for an RMON2 application to establish which protocols a particular RMON2 agent implements. This is especially important when the application and the agent are from different vendors.

Protocol Distribution: Mapping the data collected by a probe to the correct protocol name that can then be displayed to the network manager.

Address mapping: Address translation between MAC-layer addresses and network-layer addresses, which are much easier to read and remember. Address translation not only helps the network manager, it supports the SNMP management platform and will lead to improved topology maps.

Network layer host: Network host (IP layer) statistics.


RMON 2 MIB groups, continued

Network layer matrix: Stores and retrieves network layer (IP layer) statistics for conversations between sets of two addresses.

Application layer host: Application host statistics.

Application layer matrix: Stores and retrieves application layer statistics for conversations between sets of two addresses.

User history: This feature enables the network manager to configure history studies of any counter in the system, such as a specific history on a particular file server or a router-to-router connection.

Probe configuration: This RMON2 feature enables one vendor's RMON application to remotely configure another vendor's RMON probe.


Bibliography (Review these articles…)

Byte Magazine: Salamone, Salvatore, "Simplifying Remote Management", 1995. http://www.byte.com/art/9506/sec13/art4.htm

Cisco.com: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/rmon.htm

The Internet Society (IETF): Introduction to the Remote Monitoring (RMON) Family of MIB Modules, 2003. http://www.ietf.org/rfc/rfc3577.txt

Javvin: RMON: Remote Monitoring MIBs (RMON1 and RMON2). http://www.javvin.com/protocolRMON.html

Wikipedia: http://en.wikipedia.org/wiki/RMON


Questions?