1 Jim Binkley Remote Monitoring (RMON) Network Manglement.

Slides:



Advertisements
Similar presentations
Ethernet Switch Features Important to EtherNet/IP
Advertisements

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Introduction to Network Analysis and Sniffer Pro
Implementing a Highly Available Network
REMOTE MONITORING RMON1 (RFC DRAFT) TOKEN RING EXTENSIONS TO RMON (RFC PROPOSED) RMON2 (RFC PROPOSED) SMON (RFC PROPOSED) Copyright.
1 Pertemuan 08 Remote Monitoring Matakuliah: H0372/Manajemen Jaringan Tahun: 2005 Versi: 1/0.
Introduction. 2 What Is SmartFlow? SmartFlow is the first application to test QoS and analyze the performance and behavior of the new breed of policy-based.
MJ07/07041 Session 07 RMON Adapted from Network Management: Principles and Practice © Mani Subramanian 2000 and solely used for Network Management course.
Chapter 8  Remote Monitoring (RMON1) 1 Chapter 8 Overview  RMON1 is a MIB o Also known as RMON  Recall that mib-2 gives info on devices  RMONs provide.
Ethernet Frame PreambleDestination Address Source Address Length/ Type LLC/ Data Frame Check Sequence.
Ourmon and Network Monitoring Performance Jim Binkley Bart Massey Portland State University Computer Science.
Remote Network Monitoring (RMON)
Nov 9, 2006 IT 4333, Fall IT 4333 – Network Admin & Management RMON From: Byte Magazine, Javvin.com, Cisco.com, Wikipedia, and IETF.
Chapter 8 RMON - Remote Monitoring Yen-Cheng Chen IM, NCNU June, 2006.
Ch. 31 Q and A IS 333 Spring 2015 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.
Ch. 31 Q and A CS332 Spring Network management more than just Ethernet Q: Comer mentions that network managers need to be able to account for different.
1 Network Management Computer Networks. 2 OSI Network Management Model Performance Management e.g. utilization Fault Management e.g. SNMP traps Configuration.
Chapter 6 Overview Simple Network Management Protocol
Connecting LANs, Backbone Networks, and Virtual LANs
1.  TCP/IP network management model: 1. Management station 2. Management agent 3. „Management information base 4. Network management protocol 2.
Network Protocols UNIT IV – NETWORK MANAGEMENT FUNDAMENTALS.
Chapter Six NetworkingHardware. Agenda Questions about Ch. 11 Midterm Exam Ch.6 Cable kit.
Chapter 4: Managing LAN Traffic
Characterizing the Existing Internetwork PART 1
Chapter 1 Overview Review Overview of demonstration network
– Chapter 5 – Secure LAN Switching
1. There are different assistant software tools and methods that help in managing the network in different things such as: 1. Special management programs.
1 SNMP Simple network management protocol Group: Techno Presented by: Karthik Gottiparthy Gautami Parulkar Neeraj Sharma Jigar Patel Hariharan Venkataraman.
1 © 1999 BMC SOFTWARE, INC. 2/10/00 SNMP Simple Network Management Protocol.
Top-Down Network Design Chapter Nine Developing Network Management Strategies Oppenheimer.
ECE Prof. John A. Copeland Office: Klaus or call.
BAI513 - PROTOCOLS SNMP BAIST – Network Management.
Network Security1 – Chapter 5 – Secure LAN Switching Layer 2 security –Port security –IP permit lists –Protocol filtering –Controlling LAN floods (using.
Remote Network Monitoring (RMON) * * Mani Subramanian “Network Management: Principles and practice”, Addison-Wesley, 2000.
Chapter 8 SNMP Management: RMON Network Management: Principles and Practice © Mani Subramanian Chapter 8 SNMP Management: RMON.
1 Kyung Hee University Prof. Choong Seon HONG Remote Network Monitoring statistics Collection.
Lec 3: Infrastructure of Network Management Part2 Organized by: Nada Alhirabi NET 311.
NetFlow: Digging Flows Out of the Traffic Evandro de Souza ESnet ESnet Site Coordinating Committee Meeting Columbus/OH – July/2004.
POSTECH DP&NM Lab 1 Remote Network Monitoring (RMON)
Chapter 6 – Connectivity Devices
Remote Monitoring (RMON)
Standards for Network Administration Week-5. Standards for Network Administration 1. Management Information Base A structured database about a network.
1 Kyung Hee University Prof. Choong Seon HONG Remote Network Monitoring Remote Network Monitoring Alarms and Filters.
Network Management Protocols and Applications Cliff Leach Mike Looney Danny Mar Monty Maughon.
Syslog The purpose of syslog is to write system messages to a log Syslog messages can include everything from critical alarm conditions to ordinary debugging.
Remote Monitoring (RMON) RMON specification is primarily a definition of a MIB RMON specification is primarily a definition of a MIB RFC 1757/2819 Remote.
Remote Monitoring (RMON) RMON specification is primarily a definition of a MIB RFC 1757/2819 Remote network monitoring management information base (RMON)
RMON (alarms and filtering). Alarm group It is used to define a set of threshold for network performance. If a threshold is crossed in the appropriate.
1 Kyung Hee University RMON Overview  RMON MIB specification to include monitoring of protocol traffic above the MAC level  An RMON probe can.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Connecting Devices CORPORATE INSTITUTE OF SCIENCE & TECHNOLOGY, BHOPAL Department of Electronics and.
RMON 1. RMON is a set of standardized MIB variables that monitor networks. Even if RMON initially referred to only the RMON MIB, the term RMON now is.
Remote Monitoring (RMON) RFC 2819 Remote network monitoring management information base (RMONI) RFC 2819 Remote network monitoring management information.
Network Management Mechanisms Two major network management protocols: Simple Network Management Protocol (SNMP) Common Management Information Protocol.
Ch. 31 Q and A IS 333 Spring 2016 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.
Topic 11 Network Management. SNMPv1 This information is specific to SNMPv1. When using SNMPv1, the snmpd agent uses a simple authentication scheme to.
Presented by: Ambily Asha Rashmi Shruthi RMON Remote Monitoring.
1 Remote Monitoring (RMON) These slides are based in parts upon slides of Prof. Dssouli (Concordia university )
Manajemen Jaringan, Sukiswo ST, MT 1 Remote Network Monitoring (RMON) Sukiswo
Lec 3: Infrastructure of Network Management Part2 Organized by: Nada Alhirabi NET 311.
or call for office visit, or call Kathy Cheek,
SNMP Simple network management protocol
Karl Quinn 23rd November 2004 NDS M.Sc.
RMON.
2017 Jan 30, IETF/IEEE liaison meeting
Network Management Computer Networks.
Network and Services Management
Network Administration CNET-443
Remote Monitoring (RMON)
Chapter 8: Monitoring the Network
Presentation transcript:

1 Jim Binkley Remote Monitoring (RMON) Network Manglement

2 Jim Binkley Outline u general introduction –overview –rmon 1 and 2 groups –control theory u rmon 1 groups (some) u conclusion/summary

3 Jim Binkley RMON – means what u remote monitoring –aggregate stats for a network –aggregate stats for a host –for host X talking to host Y –layer 1 and layer 2 –and more u question: do we have the right information? u related question: how are networks evolving? u one more question: is SNMP the right approach?

4 Jim Binkley bibliography u rfc1513, token-ring extensions u rfc1757, 1995, MIB 1 u rfc2021, 1997, MIB 2 u rfc2074, 1997, protocol identifiers (directory) u David Perkin’s RMON book u SNMP, v2, v3, RMON1/2, Stallings

5 Jim Binkley org(3) iso(1) dod(6) internet(1) system(1) directory(1) X.500 mgmt(2) mib-2(1) rmon and OID tree rmon(16)... rmon1 & 2

6 Jim Binkley rmon intro u rmon - remote monitoring u rmon I - stats at ethernet layer (MAC addresses, but not upstairs) u rmon II - stats at network and transport layers (IP addresses and tcp/udp ports)

7 Jim Binkley network analysis picture (trad) router (or switch) A B analyzer: in promiscous mode analyzer: can hear A,B, to/from router traffic on traditional 10BASE shared link

8 Jim Binkley manager/probe probe get database item (OID) MIBS (sampled data) manager sends probe sends response

9 Jim Binkley basic idea/s: u all kinds of stats - but gathered on per link basis as aggregate –not by manager from every host on link u ethernet focus (token-ring support too) u rmon probe can run SOMEWHAT by itself and gather information –however manager needed for more complex functions (may have to suck out data on periodic basis due to lack of space)

10 Jim Binkley rmon 1 functions - overview u sample stats for all devices on ethernet link –ethernet level - e.g., how many collisions –basic and history u derived statistics –for each host –top N talkers (who sent most bytes?) –matrix of conversations SRC x RCV

11 Jim Binkley rmon 1, cont u threshold events –look for N events in elapsed time T –if found, send trap to manager –e.g., N errors in one minute (too many) u packet data capture –filtering mechanism + capture –must work with higher level GUI in manager –goal: capture packets of interest/nice decode display

12 Jim Binkley rmon 1 - { mib-2 16 } u statistics(1) - ethernet stats > interface, roughly equal to dot3 (but global) u history(2) - snapshots based on stats(1) u alarm(3) - ability to set threshold, generate alarm on interesting event u host(4) - per i/f host stats (global interface) u hostTopN(5) - store/sort by top N hosts u matrix(6) - X talks to Y ( a few stats )

13 Jim Binkley rmon 1, cont. u filter(7) - filter pkts and capture/or cause event u capture(8) - traditional packet analyzer u event(9) - table of events generated by probe u tokenRing(10) - never mind, but like ethernet stats

14 Jim Binkley rmon2, still { mib-2 16} u protocolDir(11) - protocols understood by probe u protocolDist(12) - per protocol stats (bytes/pktcnt) u addressMap(13) - ip/mac mappings u nlHost(14) - per host octet/byte counts u nlMatrix(15) - host X talks to host Y u alHost(16) - per host application octet/byte counts u alMatrix(17) - application Z/X to Z/Y u usrHistory(18) - sampling of any INT OID u probeConfig(19) - info for manager on probe setup/config

15 Jim Binkley rmon2: notes u application means “above the network layer” u both matrix groups have top N functions as well u note both protocol directory and probe configuration are there to help odds on manager/probe interoperability

16 Jim Binkley do we need a manager? u mostly... u simpler stats in rmon1 could be gathered via net-snmp say but u higher level functions require complex manager with better than average GUI –rmon-2 in general (you want graphical histograms) –packet capture facilities in probe are lower- level and need higher level manager sw function

17 Jim Binkley examples: u commercial (just one example, others exist) –cisco traffic director on workstation (manager) –cisco netscout probe on link –cisco mini-rmon in some switches u freeware versions ?! –BTNG (it’s dead Jim) –there aren’t any. is this a surprise? –ourmon …(not SNMP-based)

18 Jim Binkley software complexity notes: u higher-level functions (e.g., rmon2 or rmon1 data packet capture) –require copious memory/CPU –100mbit ethernet link... lots of data u easy to ask too much of system u probably best to not assume that manager A will interoperate with probe B

19 Jim Binkley possible rmon uses u what kind of questions might you ask? –how much IP vs IPX traffic? –how much traffic is web/news/ftp, whatever? –how utilized (full) is the pipe? –who talks to server X? –we have a problem with DHCP, we need to capture the packets and look? –global ethernet errors on this link are what?

20 Jim Binkley rmon control theory u in general rmon groups (except for stats group) consists of control rows and per control row data rows u e.g., one interface might have a control row that specifies HOW to sample data on a delta T time basis (every 30 secs make a snapshot) u one or more data rows will be built up and stored in the probe, associated with that control row u note control row per i/f and possible to have more than one (different sample times)

21 Jim Binkley control rows(tables)/data rows(tables) owner status index i/f time abstract control row: associated data samples: index data #1 data #2 data #3 index more data, etc...

22 Jim Binkley notes: u index mechanism must exist to tie together control and data rows u in snmpv2, one may have index that is not in table (an array of structures say with an integer index and no such int in table) (true of RMON2 groups) u view mechanism exists in RMON to allow additional time-based table thus –manager need only suck out NEW samples plus efficient access as index is creation time u manager must sometimes insert/enable control row (this is what status field is for)

23 Jim Binkley notes, cont: u memory needs can be quite large u in some cases, samples will wrap u control tables limit # of buckets (number of sample sizes) u manager may need to show up and suck out data in a timely fashion

24 Jim Binkley statistics {rmon 1} u etherStatsTable/etherStatsEntry u etherStatsIndex u etherStatsDataSource - which i/f u etherStatsDropEvents u etherStatsOctets - byte count, includes bad pkts u etherStatsPkts, includes bad pkts u etherStatsBroadcastPkts u etherStatsMulticastPkts u etherStatsCRCAlignErrors u etherStatsUndersizePkts (runts)

25 Jim Binkley stats, cont u etherStatsOversizePkts (giants) u etherStatsFragments u etherStatsJabbers - giants with problems (e.g., CRC errs) u etherStatsCollisions - estimate of # of collisions u etherStatsPkts64Octets u etherStatsPkts65to127Octets u etherStatsPkts128to255Octets u etherStatsPkts256to511Octets u etherStatsPkts512to1023Octets u etherStatsPkts1024to1518Octets

26 Jim Binkley stats, cont. u etherStatsOwner u etherStatsStatus

27 Jim Binkley statistics, notes: u simplest rmon group u note histogram mechanism for counts u one entry per interface on probe u no separate control table u similar to dot3 in some ways, but dot3 is per interface, not per network –can approximate by adding values together in hub or switch (?)

28 Jim Binkley history { rmon 2 } u historyControlTable (1) –historyControlEntry (1) »row entries u etherHistoryTable (2) –etherHistoryEntry (1) »row entries

29 Jim Binkley history { rmon 2 } u historyControlTable/historyControlEntry u historyControlIndex with values in data table u historyControlDataSource - which interface u historycontrolBucketsRequested - request for data slots u historyControlBucketsGranted - how many did you get u historyControlInterval - per bucket sample time, seconds u historyControlOwner u historyControlStatus

30 Jim Binkley notes: u each row when enabled causes sampling to begin on a certain interface –gathering of “buckets” (samples) in associated data table u note you can have more than one sample time on same interface (short period and long period, 1 minute, 1 hour) u samples are stored during Interval, and then new entry is created u once bucketsGranted is used up, the buckets will wrap and start rewriting the oldest buckets (circular buffer scheme)

31 Jim Binkley history data table u etherHistoryTable/etherHistoryEntry u etherHistoryIndex - matches control table u etherHistorySampleIndex - unique per sample u etherHistoryIntervalStart - sysUpTime at start of sample u etherHistoryDropEvents u etherHistoryOctets u etherHistoryPkts u etherHistoryBroadcastPkts u etherHistoryMulticastPkts u etherHistoryCRCAlignErrors

32 Jim Binkley history data table, cont. u etherHistoryUndersizePkts u etherHistoryOversizePkts u etherHistoryFragments u etherHistoryJabbers u etherHistoryCollisions u etherHistoryUtilization - function of etherStatsOctets and etherStatsPkts

33 Jim Binkley utilization u this is fairly common in packet capture systems u roughly over time T, how full was the pipe? u utilization = packet overhead + bytes sent * 100% interval * bits possible on link u on 10BASE, bits possible would be 10**7 u packet overhead due to preamble & interframe gap u packet overhead = packets * (96+64) u bytes sent = octets * 8

34 Jim Binkley utilization question/s: u how long should the period be? u how should this be interpreted with switches –interswitch (or switch to router) –servers –hosts –in light of full-duplex wires? »which should show NO collisions...

35 Jim Binkley hosts { rmon 4 } u hostControlTable –hostControlEntry »control rows u hostTable –hostEntry »data rows u hostTimeTable –hostTimeEntry »data rows

36 Jim Binkley host control table u hostControlTable/hostControlEntry –hostcontrolIndex –hostcontrolDataSource –hostControlTableSize –hostcontrolLastDeleteTime - last time data deleted –hostControlOwner –hostControlStatus

37 Jim Binkley hostTable (data, not time sorted) u hostTable/hostEntry –hostAddress - mac address –hostCreationOrder 1..N, relative creation order –hostIndex –hostInPkts –hostOutPkts - packet count –hostInOctets - byte count –hostOutOctets –hostOutErrors –hostOutBroadcastPkts && hostOutMulticastPkts

38 Jim Binkley time table u hostTimeTable/hostTimeEntry –hostTimeAddress –hostTimeCreationOrder –hostTimeIndex –hostTimeInPkts –hostTimeOutPkts –hostTimeInOctets –hostTimeOutOctets (same as data table... here on out)

39 Jim Binkley notes: u one entry per host (mac) per interface u basically counts of bytes/packets in/out u time table is view (same data underneath) and is simply indexed by creation order –data table indexed by mac address

40 Jim Binkley hostTopN { rmon 5 } u hostTopNControlTable –hostTopNControlEntry »rows u hostTopNTable –hostTopNEntry »rows

41 Jim Binkley host control table u hostTopNControlTable/hostTopNControlE ntry –hostTopNControlIndex –hostTopNHostIndex –hostTopNRateBase - one of seven variables (next slide) –hostTopNTimeRemaining - time left in sample period –hostTopNDuration - absolute time of sample period –hostTopNRequestedSize –hostTopNGrantedSize –hostTopNStartTime - when sample time started –owner/status

42 Jim Binkley rateBase - possible variables u hostTopNInPkts u hostTopNOutPkts u hostTopNInOctets u hostTopNOutOctets u hostTopNOutErrors u hostTopNOutBroadcastPkts u hostTopNOutMulticastPkts

43 Jim Binkley data table u hostTopNTable/hostTopNEntry –hostTopNReport - matches hostTopNControlIndex (which report) –hostTopNIndex - per host in report –hostTopNAddress - host mac address –hostTopNRate - amount of change in selected variable for this report period »variable selected in hostTopNRateBase

44 Jim Binkley matrix group (in brief) u basically source by dest mac –count of pkts/octets (pkt count/byte count)

45 Jim Binkley alarm { rmon 3 } u alarmTable/alarmEntry –alarmIndex –alarmInterval - data sample period –alarmVariable - OID of variable being sampled –alarmSampleType - absolute or delta (previous sample) –alarmValue - value during last sample period –alarmStartupAlarm - rising/falling or both –alarmRisingThreshold –alarmFallingThreshold

46 Jim Binkley alarm { rmon 3 } u alarmTable/alarmEntry –... cont.... –alarmRisingEventIndex –alarmFallingEventIndex –alarmOwner –alarmStatus

47 Jim Binkley how this works (overview) u if value (counter/gauge) crosses rising threshold (and rising specified) –then generate alarm u if value crosses falling threshold (and falling specified) –then generate alarm u delta threshold sampled once per period u use to look for too many errors during period X (or your idea here...)

48 Jim Binkley event group (summary) u can generate –traps sent to monitor –events stored in local event table (log history of events) u both packet capture and alarm group can cause events stored here

49 Jim Binkley conclusion - summary of capabilities u remember that measurement may have two poles, relative to length of time samples: –1. baseline of data over time –2. measurement of what is going on NOW u snmp focus generally on set of objects at one node - rmon focus on wire itself u over-generalization, but rmon helps you focus on NOW and the general LINK

50 Jim Binkley and the problem is: SWITCHES u switches, of course and the “death of promiscuous mode” u instead of link focus, we can have all ports on switch focus, or vlan X on switch focus, or ports 1,2,3 on switch focus u however we won’t be able to see all traffic on a broadcast domain u rmon too expensive for cheaper switches at this time u have to focus on key backbone switches

51 Jim Binkley bigger cisco switches u have mini-rmon; e.g., ethernet stats/rmon1 u SPAN function to allow you to hookup external sniffer/rmon probe and suck down packets –aka port mirroring (ports/vlan, etc) –NOT inter-switch

52 Jim Binkley keep in mind: u rmon has LARGE # of function points u other tools exist that may have rmon-like feature sets (but not all of it) u e.g., packet capture freebies –tcpdump, snoop, etherfind (latter 2 on sun) –trafshow, arpwatch (show traffic of various kinds in some kind of real-time display)

53 Jim Binkley some general tools in this area u Cisco netflow –aggregate flow stats, UDP-based collection u HPOV event generation u ntop – open-source tool –like ourmon in some ways but details differ u ourmon – open-source tool –network mgmt/anomaly detection

54 Jim Binkley what is the real problem? u too much data not enough analysis –I don’t want all the flows –networks are evolving »p2p/skype/irc/games etc. »meaning protocols are not IETF-based –security problems are evolving too »today TCP worms rule »agobot/phatbot/rxbot – black hats have tools

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.