Presented by: Ambily Asha Rashmi Shruthi RMON Remote Monitoring

Problem Statement Slowness issue 5 resources per location-24X7 monitoring Manual monitoring No continuous monitoring of the network No proactive alerting mechanism Manual analysis Trend analysis Performance finetuning

RFC 1757 (2819) Layer: 2 (Ethernet) RFC 1513 RFC 2021 Layers: 3-7 RMON MIB SMI: SMIv2 (rfc 1902)

RMON was originally developed to address the problem of managing LAN segments and remote sites from a Central Location There are two versions of RMON, RMON 1 & RMON 2: RMON1- It defines 10 MIB groups for basic monitoring. It allows network monitoring at MAC layer or below RMON1 was only capable of providing information up to the MAC level, RMON2- This is an extension of RMON 1 that focustes on higher layesrs of traffic above the MAC layer It has an emphasis on IP traffic and application level traffic It allows network management applications to monitor packets on all network layers. RMON 2 is capable of monitoring traffic up to the application level.

A typical RMON setup consists of two components:  The RMON probe – An intelligent, remotely-controlled device or software agent that continually collects statistics about a LAN segment or VLAN, and transfers the information to a management workstation on request or when a pre-defined threshold is crossed. It collects information according to the traffic that passes through it, providing information about the health of the network itself, rather than a particular device.  The management workstation - Communicates with the RMON probe and collects the statistics from it. The workstation does not have to be on the same network as the probe and can manage the probe by in-band or out-of-band connections.

RMON Groups RMON delivers information in nine RMON groups of monitoring elements, each providing specific sets of data to meet common network-monitoring requirements. Statistics The Statistics group provides traffic and error statistics showing packets, bytes, broadcasts, multicasts and errors on a LAN segment or VLAN. Information from the Statistics group is used to detect changes in traffic and error patterns in critical areas of your network. History The History group provides historical views of network performance by taking periodic samples of the counters supplied by the Statistics group. The group is useful for analyzing the traffic patterns and trends on a LAN segment or VLAN, and for establishing the normal operating parameters of your network. Alarms The Alarms group provides a mechanism for setting thresholds and sampling intervals to generate events on any RMON variable. Alarms are used to inform you of network performance problems and they can trigger automated responses through the Events group. Hosts The Hosts group specifies a table of traffic and error statistics for each host (endstation) on a LAN segment or VLAN. Statistics include packets sent and received, octets sent and received, as well as broadcasts, multicasts, and error packets sent. The group supplies a list of all hosts that have transmitted across the network.

Hosts Top N The Hosts Top N group extends the Hosts table by providing sorted host statistics, such as the top 20 hosts sending packets or an ordered list of all hosts according to the errors they sent over the last 24 hours. Matrix The Matrix group shows the amount of traffic and number of errors between pairs of devices on a LAN segment or VLAN. For each pair, the Matrix group maintains counters of the number of packets, number of octets, and error packets between the hosts. The conversation matrix helps you to examine network statistics in more detail to discover, for example, who is talking to whom or if a particular PC is producing more errors when communicating with its file server. Events The Events group provides you with the ability to create entries in an event log and send SNMP traps to the management workstation. Events can originate from a crossed threshold on any RMON variable. In addition to the standard five traps required by SNMP (link up, link down, warm start, cold start, and authentication failure), RMON adds two more: rising threshold and falling threshold. Filters Enables packets to be matched by a filter equation. These matched packets form a data stream that might be captured or that might generate events. Packet Capture Enables packets data such as the size of buffer, no of packets captured after they flow through the channel. Token Ring This is optional for Token Ring Networks.

Router with RMON

Setup: FDDI Backbone network with a local Ethernet LAN, two remote LANS, one is a token ring LAN and the other an FDDI Lan. NMS is on the the local Ethernet LAN Monitoring Ethernet Local LAN is monitored by the Ethernet probe on the LAN. The FDDI backbone is monitored by an FDDI probe via the bridge and Ethernet LAN. Token Rink is monitored by the token ring probe The FDDI LAN is monitored by the built in probe on the router. Both the remote LANs communicate with the NMS via the routers, the WAN and the backbone network, Working RMON devices monitors the local network segment & does the necessary analyses and informs the NMS only when there are exceptions or NMS requests for some info. This reduces the traffic especially on the segment in which the NMS resides, as all the monitoring traffic would otherwise converge there.

etherStatsTable etherStatsEntryetherStatsIndex etherStatsDataSource etherStatsDropEvents etherStatsOctets etherStatsPkts etherStatsBroadcastPkts etherStatsMulticastPkts etherStatsCRCAlignErrors etherStatsUndersizePkts etherStatsOversizePkts etherStatsFragments etherStatsJabbers etherStatsCollisions etherStatsPkts64Octets etherStatsPkts65to127Octets etherStatsPkts128to255Octets etherStatsPkts256to511Octets etherStatsPkts512to1023Octets etherStatsPkts1024to1518Octets etherStatsOwner etherStatsStatus statistics

etherStatsPkts etherStatsBroadcastPkts etherStatsMulticastPkts etherStatsDropEvents

etherStatsPkts64Octets etherStatsPkts65to127Octets etherStatsPkts128to255Octets etherStatsPkts256to511Octets etherStatsPkts512to1023Octets etherStatsPkts1024to1518Octets

etherHistoryTable etherHistoryEntryetherHistoryIndexetherHistorySampleIndex etherHistoryIntervalStart etherHistoryDropEvents etherHistoryOctets etherHistoryPkts etherHistoryBroadcastPkts etherHistoryMulticastPkts etherHistoryCRCAlignErrors etherHistoryUndersizePkts etherHistoryOversizePkts etherHistoryFragments etherHistoryJabbers etherHistoryCollisions etherHistoryUtilization history

Alarm Group Set thresholds on a variety of items affecting network performance When the thresholds are crossed, events are reported. In general, the values of thresholds are determined according to past experience.

Alarms Threshold Rearm time util% Rising Threshold Falling Threshold * * * * RisingAlarm 

event eventTable eventEntryeventIndex eventDescription eventType eventCommunity eventLastTimeSent eventOwner eventStatus logTable logEntrylogEventIndexlogIndex logTime logDescription

eventTable logTable

hostTopN hostTopNControlTable hostTopNControlEntryhostTopNControlIndex hostTopNHostIndex hostTopNRateBase hostTopNTimeRemaining hostTopNDuration hostTopNRequestedSize hostTopNGrantedSize hostTopNStartTime hostTopNOwner hostTopNStatus hostTopNTable hostTopNEntryhostTopNReporthostTopNIndex hostTopNAddress hostTopNRate *

Host Top N Group

Benefits Centralized monitoring of the entire network Few skilled resources requirement Continuous monitoring Online reporting Proactive alert mechanism is available Better trouble shooting & reduced time for troubleshooting Historical trend analysis Decision making-performance tuning

It improves your efficiency -Using RMON probes allows you to remain at one workstation and collect information from widely dispersed LAN segments or VLANs. This means that the time taken to reach a problem site, set up equipment, and begin collecting information is largely eliminated. It allows you to manage your network in a more proactive manner- If they are configured correctly, RMON probes deliver information before problems occur. This means that you can take action before they affect users. It reduces the load on the network and the management workstation Traditional network management involves a management workstation polling network devices at regular intervals to gather statistics and identify problems or trends. As network sizes and traffic levels grow, this approach places a strain on the management workstation and also generates large amounts of traffic. An RMON probe, however, autonomously looks at the network on behalf of the management workstation without affecting the characteristics and performance of the network. The probe reports by exception, which means that it only informs the management workstation when the network has entered an abnormal state. Increases Productivity for administrators. Permits monitoring on a more frequent basis and hence faster fault diagnosis. Needs no direct visibility by NMS; more reliable information.

The amount of information it provides is insufficient for network managers and administrators who need to solve complex problems, often at a distance. The mechanism employed for data retrieval to a central management console are slow and very bandwidth inefficient. RMON values are stored in 32 bit registers which limit the count value to 4,294,967,295. Although a seemingly large value, this is actually quite small. In a 100 Mbps fast Ethernet network running at just 10% loading, the counters will be reset to zero after just one hour of acitivity. Full RMON support in hardware typically requires dedicated RISC processor technology and this is achievable in sub -$1,000 routers, hubs etc.