IT 4333

1
IT 4333 Network Admin Management

• RMON From Byte Magazine, Javvin.com, Cisco.com,
  Wikipedia, and IETF

2
Part 1, from Cisco.com

• http//www.cisco.com/univercd/cc/td/doc/cisintwk/i
  to_doc/rmon.htm

3
Defintion RMON

• Remote Monitoring (RMON) is a standard monitoring
  specification that enables various network
  monitors and console systems to exchange
  network-monitoring data.
• Two versions
• RMON1
• RMON2

4
Definition

• The RMON specification defines a set of
  statistics and functions that can be exchanged
  between RMON-compliant console managers and
  network probes.
• An extension of SNMP MIBs.
• As such, RMON provides network administrators
  with comprehensive network-fault diagnosis,
  planning, and performance-tuning information.

5
Standards (RFC)

• RMON was defined by the user community with the
  help of the Internet Engineering Task Force
  (IETF).
• It became a proposed standard in 1992 as RFC 1271
  (for Ethernet). RMON then became a draft standard
  in 1995 as RFC 1757, effectively obsoleting RFC
  1271.

6
An RMON Probe Can Send Statistical Information to
an RMON Console
7
RMON Groups

• RMON delivers information in nine RMON groups of
  monitoring elements, each providing specific sets
  of data to meet common network-monitoring
  requirements.
• Each group is optional so that vendors do not
  need to support all the groups within the
  Management Information Base (MIB).
• Some RMON groups require support of other RMON
  groups to function properly.

8
RMON Group Statistics

• Function Contains statistics measured by the
  probe for each monitored interface on this
  device.
• Elements of MIBPackets dropped, packets sent,
  bytes sent (octets), broadcast packets, multicast
  packets, CRC errors, runts, giants, fragments,
  jabbers, collisions, and counters for packets
  ranging from 64 to 128, 128 to 256, 256 to 512,
  512 to 1024, and 1024 to 1518 bytes.

9
RMON Group History

• Function Records periodic statistical samples
  from a network and stores them for later
  retrieval.
• Elements of MIBSample period, number of
  samples, items sampled

10
RMON Group Alarm

• Function Periodically takes statistical
  samples from variables in the probe and compares
  them with previously configured thresholds. If
  the monitored variable crosses a threshold, an
  event is generated.
• Elements of MIBIncludes the alarm table and
  requires the implementation of the event group.
  Alarm type, interval, starting threshold, stop
  threshold.

11
RMON Group Host

• Function Contains statistics associated with
  each host discovered on the network.
• Elements of MIBHost address, packets, and bytes
  received and transmitted, as well as broadcast,
  multicast, and error packets.

12
RMON Group HostTopN

• Function Prepares tables that describe the
  hosts that top a list ordered by one of their
  base statistics over an interval specified by the
  management station. Thus, these statistics are
  rate-based.
• Elements of MIBStatistics, host(s), sample
  start and stop periods, rate base, duration.

13
RMON Group Matrix

• Function Stores statistics for conversations
  between sets of two addresses. As the device
  detects a new conversation, it creates a new
  entry in its table.
• Elements of MIBSource and destination address
  pairs and packets, bytes, and errors for each
  pair.

14
RMON Group Filters

• Function Enables packets to be matched by a
  filter equation. These matched packets form a
  data stream that might be captured or that might
  generate events.
• Elements of MIBBit-filter type (mask or not
  mask), filter expression (bit level), conditional
  expression (and, or not) to other filters.

15
RMON Group Packet Capture

• Function Enables packets to be captured after
  they flow through a channel.
• Elements of MIBSize of buffer for captured
  packets, full status (alarm), number of captured
  packets.

16
RMON Group Events

• Function Controls the generation and
  notification of events from this device.
• Elements of MIBEvent type, description, last
  time event sent.

17
Huh?

• I'm lost.
• Let's try Wikipedia

18
Definition from Wikipediahttp//en.wikipedia.org/
wiki/RMON

• RMON stands for Remote Monitoring.
• It is a standard used in telecommunications
  equipment e.g. in routers, which implement a MIB
  (Management Information Base) which allows for
  remote monitoring and management of network
  equipment.
• RMON uses an agent running on the device being
  monitored to supply information over SNMP to a
  management workstation (or some other system).

19
??

• that doesn't help much

20
Let's try a 1995 article from BYTE
http//www.byte.com/art/9506/sec13/art4.htm

• Recognizing that managers need to somehow see
  what's going on at distant locations, the IETF
  (Internet Engineering Task Force) has developed
  specifications for an RMon (remote monitoring)
  system that keeps tabs on the state of distant
  networks.
• RMon is an extension of the IETF's SNMP, which is
  commonly used to manage large networks.
• The idea behind RMon is to distribute, throughout
  a network, probes that collection information
  about the traffic on that network.

21
Difference between SNMP and RMON

• The difference between SNMP and RMon is that SNMP
  monitors and manages network devices like hubs
  and bridges, while RMon monitors LAN traffic!

22
continued

• With RMon, some of the management intelligence is
  moved out onto the network, where RMon probes
  alert a centralized console whenever a threshold,
  such as number of packets, is exceeded.

23
Typical use of RMon

• one probe would be located on each LAN segment
• The probe would monitor data transmission on that
  segment and organize the information it collects
  into a format that makes it easy for a manager at
  a central site to analyze traffic patterns and
  diagnose problems at remote sites.

24
RMON vs. Protocol Analyzers?

• "Naturally, there's some overlap in the functions
  of an RMon probe and a protocol analyzer. For
  example, many protocol analyzers can perform
  trend analysis on the data they collect. "
• (Is this true? This is from 1995)

25
Probably still true.

• The way the two technologies can work to
  complement one another is to use RMon to
• baseline networks,
• study usage trends,
• and identify potential problems before they cause
  trouble for users.
• This will help reduce the number of trips to
  remote sites that technicians must make to solve
  problems
• And when a problem requires higher-level
  diagnostics to be performed, use a protocol
  analyzer.

26
Benefits?

• The benefit of an RMon system is that it
  automatically collects information about the
  traffic on a LAN segment that is in a remote
  location.
• For a manager responsible for many LAN segments
  that are not all in the same location, that can
  be a great cost-saving benefit.

27
Typical implementation (from Byte)
28
We need more detailsso let's try Javvin.
(Something more up to date..)

• http//www.javvin.com/protocolRMON.html
• Remote Monitoring (RMON) is a standard monitoring
  specification that enables various network
  monitors and console systems to exchange
  network-monitoring data.
• RMON provides network administrators with more
  freedom in selecting network-monitoring probes
  and consoles with features that meet their
  particular networking needs.

29
Difference between RMON SNMP

• RMON was originally developed to address the
  problem of managing LAN segments and remote sites
  from a central location.
• The RMON specification, which is an extension of
  the SNMP MIB, is a standard monitoring
  specification.

30
Difference between RMON SNMP

• Within an RMON network monitoring data is defined
  by a set of statistics and functions and
  exchanged between various different monitors and
  console systems.
• Resultant data is used to monitor network
  utilization for network planning and
  performance-tuning, as well as assisting in
  network fault diagnosis.

31
Versions of RMON

• There are 2 versions of RMON RMON1 (RMONv1) and
  RMON2 (RMONv2).
• RMON1 defined 10 MIB groups for basic network
  monitoring, which can now be found on most modern
  network hardware.
• RMON2 (RMONv2) is an extension of RMON that
  focuses on higher layers of traffic above the
  medium access-control (MAC) layer.
• RMON2 has an emphasis on IP traffic and
  application-level traffic. RMON2 allows network
  management applications to monitor packets on all
  network layers.

32
RMON 1 and RMON 2(From www.javvin.com/protocol/RM
ON.html)
33
RMOM Components

• Two components a probe (or an agent or a
  monitor), and a client, usually a management
  station.
• Agents store network information within their
  RMON MIB and are normally found as embedded
  software on network hardware such as routers and
  switches although they can be a program running
  on a PC.

34
How do agents work?

• Agents can only see the traffic that flows
  through them so they must be placed on each LAN
  segment or WAN link that is to be monitored.
• Clients, or management stations, communicate with
  the RMON agent or probe, using SNMP to obtain and
  correlate RMON data.

35
RMON 2 MIB groups

• Protocol Directory The Protocol Directory is a
  simple and interoperable way for an RMON2
  application to establish which protocols a
  particular RMON2 agent implements. This is
  especially important when the application and the
  agent are from different vendors
• Protocol Distribution Mapping the data
  collected by a probe to the correct protocol name
  that can then be displayed to the network
  manager.
• Address mapping Address translation between
  MAC-layer addresses and network-layer addresses
  which are much easier to read and remember.
  Address translation not only helps the network
  manager, it supports the SNMP management platform
  and will lead to improved topology maps.
• Network Layer host" Network host (IP layer)
  statistics

36
RMON 2 MIB groups, continued..

• Network layer matrix Stores and retrieves
  network layer (IP layer) statistics for
  conversations between sets of two addresses.
• Application layer host Application host
  statistic
• Application layer matrix Stores and retrieves
  application layer statistics for conversations
  between sets of two addresses.
• User history This feature enables the network
  manager to configure history studies of any
  counter in the system, such as a specific history
  on a particular file server or a router-to-router
  connection
• Probe configuration This RMON2, feature enable
  one vendor's RMON application to remotely
  configure another vendor's RMON probe.

37
Bibliography(Review these articles)
Byte Magazine Salamone, Salvatore "Simplfying Remote Management", 1995. http//www.byte.com/art/9506/sec13/art4.htm
Cisco.com http//www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/rmon.htm
The Internet Society (IETF) Introduction to the Remote Monitoring (RMON) Family of MIB Modules, 2003 http//www.ietf.org/rfc/rfc3577.txt
Javvin RMON Remote Monitoring MIBs (RMON1 and RMON2)http//www.javvin.com/protocolRMON.html
Wikipedia http//en.wikipedia.org/wiki/RMON
38
Questions?