Network Administration CNET-443 Chapter – 6 RMON (Remote Monitoring)

What is Remote Monitoring It refers to the using of a tool that “sniffs” every packet that is going across a local area network (LAN), opens it, and analyzes it. It is a passive operation and does nothing to the packets, which continue to proceed to their destinations. It is also called probes and it has two parts, Physical object that is connected to the transmission medium Processor, which analyzes the data.

RMON RMON is a set of standardized MIB variables that monitor networks. RMON initially referred to only the RMON MIB, the term RMON now is often used to refer to the concept of remote monitoring and to the entire series of RMON MIB extensions.

RMON Goal Goals of RMON: Monitor network traffic in a local-area network (LAN) environment To provide comprehensive information for network fault diagnosis, planning, and performance tuning to network administrators.

RMON approach RMON implements a passive collection approach that measures specific aspects of the traffic without interfering by adding monitoring traffic.

RMON devices RMON can be implemented in network elements, such as Cisco routers and switches, or it can be deployed using dedicated RMON probes. RMON Probe Data gatherer - a physical device Data analyzer Processor that analyzes data

Network Configuration with RMONs Note that RMON is embedded monitoring remote FDDI LAN Analysis done in NMS ( Network Monitoring System)

RMON Benefits Monitors and analyzes locally and relays data. Less load on the network Needs no direct visibility by NMS. More reliable information Permits monitoring on a more frequent basis and hence faster fault diagnosis Increases productivity for administrators

RMON 2 RMON 2 focuses on the layers of traffic above the Media Access Control (MAC) layer. The main enhancement of RMON 2 is the capability to measure Layer 3 network traffic and application statistics. RMON2 extends the monitoring capability to the upper layers, from the network layer to the application layer.

RMON MIB Group for RMON1 and RMON2

RMON MIB Group for RMON1 and RMON2 RMON1: Ethernet RMON groups (rmon 1 - rmon 9) RMON1: Extension: Token ring extension (rmon 10) RMON2: Higher layers (3-7) groups (rmon 11 - rmon 20)

Relationship between Control and Data tables The data table contains rows (instances) of data. The control table defines the instances of the data rows in the data table and is settable to gather and store different instances of data. We can collect data based on source and destination addresses appearing in the packets on a given interface using the matrixSDTable.

RMON 1 Group number OID Group name 1 rmon 1 Statistics 2 rmon 2 History 3 rmon 3 Alarms 4 rmon 4 Hosts 5 rmon 5 HostTopN 6 rmon 6 Traffic Matrix 7 rmon 7 Filters 8 rmon 8 Packet Capture 9 rmon 9 Events 10 rmon 10 Token Ring

RMON 1 Ethernet Groups Group name Super group Statistics Statistics groups History Hosts HostTopN Traffic Matrix Token Ring Alarms Event reporting groups Events Filters Filter and packet capture groups Packet Capture

RMON 1 statistics groups RMON 1 Group Function Elements Statistics Contains statistics measured by the RMON probe for each monitored interface on this device. Packets dropped, packets sent, bytes sent (octets), broadcast packets, multicast packets, CRC errors, runts, giants History Records periodic statistical samples from a network and stores them for later retrieval. Sample period, number of samples, items sampled Hosts Contains statistics associated with each host discovered on the LAN. Host MAC address, packets, and bytes received and transmitted. HostTopN It describes the hosts that top a list ordered by one of their base statistics over an interval specified by the management station. Statistics, host(s), sample start and stop periods, rate base, and duration.

RMON 1 Statistics groups RMON 1 Group Function Elements Traffic Matrix Stores statistics for conversations between sets of two MAC addresses. As the device detects a new conversation, it creates a new entry in its table. Source and destination MAC address pairs and packets, Token Ring Provides additional statistics for Token Ring networks. MAC layer statistics, promiscuous statistics, MAC layer history, alarms, events.

RMON 1 Event reporting groups RMON 1 Group Function Elements Alarms Periodically takes statistical samples from variables in the probe and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an event is generated. Includes the alarm table: alarm type, interval, starting threshold, stop threshold.Note: The Alarms group requires the implementation of the Events group. Events Controls the generation and notification of events from this device. Event type, description, the last time the event was sent.

RMON 1 Filter and packet capture groups RMON 1 Group Function Elements Filters Enables packets to be matched by a filter equation. These matched packets form a data stream that might be captured or that might generate events Bit-filter type (mask or not mask), filter expression (bit level), conditional expression (and, or, not) to other filters. Packet Capture Enables packets to be captured Size of buffer for captured packets, full status (alarm), and number of captured packets.

ATM RMON

ATM RMON ATM protocol IDs for RMON2 define additional objects needed at the higher-level layers. Particular attention needs to be paid to the following issues: high speed, cell vs. frames, and connection-oriented nature of ATM. There are four different collection perspectives that are possible for ATM RMON.

RMON summary The principles of RMON are as follows: It is a set of standardized MIB variables monitoring networks. It offers information that lets administrators analyze network utilization, including data and error statistics. RMON 1 includes only data link layer (Layer 2) details. RMON 2 offers network layer to application layer details (Layer 3 and up). Collection data is accessible via SNMP. The MIB objects are intended as an interface between a network agent and a management application; they are not intended for direct manipulation by humans. These functions should be handled by the network management application.