- More comprehensive network fault diagnosis, planning, and performance tuning functionality.
- Seamless multivendor interoperability between SNMP management stations and monitoring agents.
The Remote Network Monitoring Management Information Base (RMON
MIB) defines the next generation of network monitoring with more
comprehensive network fault diagnosis, planning, and performance
tuning features than any current monitoring solution. It uses
SNMP and its standard MIB design to provide multivendor interoperability
between monitoring products and management stations, allowing
users to mix and match network monitors and management stations
from different vendors.
The RMON MIB enhances the features of typical remote monitoring agents with several new features, such as:
- additional packet error counters;
- more flexible historical trend graphing and statistical analysis;
- an Ethernet level traffic matrix;
- more comprehensive alarms;
- more powerful filtering to capture and analyze individual packets.
RMON MIB software agents can be located on a variety of devices: Network interconnects such as bridges, routers, or hubs; dedicated or non-dedicated hosts; or customized platforms specifically designed as network management instruments. An organization may employ many devices with RMON MIB agents, one or more per network segment or wide area link, to manage its enterprise network. Each solution may offer different portions of the RMON MIB with unique price and performance characteristics.
- Comprehensive Monitoring
- RMON MIB agents are a comprehensive and independent view of network performance. RMON MIB agents enhance and complement the management information available from typical hubs, bridges, or hosts. Depending upon implementation, the RMON MIB agent may be located on one of these devices to enhance its management information.
- Multivendor Interoperability
- RMON MIB remote monitoring agents can be easily integrated into the environment of most SNMP management consoles, allowing the user to mix and match vendor products.
- Extended Management
- Many devices, especially older or non-IP products, do not include network management agents and cannot communicate with SNMP consoles except through echo packets. RMON MIB agents monitor every network device and are often the only way to determine the performance of such unmanageable devices.
- Proxy Management
- Many SNMP management stations periodically send echo packets to check the status of each device. this large number of echo packets may impact the performance of the network and the SNMP console. The proxy management capability of an RMON MIB remote monitor is especially useful when the remote network is connected over a wide area link where periodic polls of devices would consume an unacceptably large percentage of bandwidth.
- The creators of the RMON MIB planned for its future growth by designing its format for easy extensibility to other types of local area networks (such as Token Ring and FDDI) and wide area networks. this extensibility protects the investment in RMON MIB management products and speeds the development of new monitoring standards.
- Multiple Management Stations
- Because an organization may have several management stations and there can be multiple individuals managing a single network, the remote monitoring agent must often deal with several management stations concurrently. Using the RMON MIB each management station identifies the resources it is using in the agent, allowing other managers to reallocate the remaining resources for timely tasks.
- Superior Performance
- The RMON MIB structures data to
deliver optimal performance in the interaction between the SNMP
management station and RMON MIB agent. This improved performance
results in faster presentations of agent data on the enterprise
manager and less SNMP traffic on the network.
An understanding of this performance improvement requires an understanding of the operation of SNMP. Each row in a table of MIB values must include an index, or a value which uniquely identifies the row. For example, the RMON MIB host table includes traffic statistics for each host on the network and this table is indexed by the MAC address of each host. When the management station does not know the index value, as in the case when several MAC addresses have been discovered for the first time, the management station is limited to serial queries using the SNMP GetNext command to retrieve host information one address at a time. The RMON MIB specifies that row indexes in many tables start with the integer one and increase sequentially. Since the management station can usually predict the range of desired indexes, a single SNMP packet can include not just one but many data requests - improving speed and efficiency.
The RMON MIB was developed by a working group of the Internet Engineering Task Force (IETF). The working group included leading SNMP management station and monitoring agent vendors and editorial support from Carnegie-Mellon University. After final approval as a Proposed Standard the RMON MIB will be placed in the Management portion of the Internet MIB with other standard MIBs. The RMON MIB is organized into nine groups; compliance with the RMON MIB standard does not require every MIB group, but does require support for every object within a selected group (RFC 1213). Each group can be enabled or disabled as desired in order to dedicate a number of RMON MIB agents to different purposes; one to tracing, one to maintaining a large host table, etc. Thus, customers of RMON MIB agents need to carefully determine the features they desire and seek to verify the existence of those features in actual products. An understanding of these groups will be fundamental to the user of an RMON MIB-compliant product.
The Statistics group provides segment-level Ethernet statistics.
These statistics are packets, octets (or bytes), broadcasts,
multicasts and collisions on the local segment, as well as the
number of occurrences of dropped packets by the agent. Each statistic
is maintained in its own 32-bit cumulative counter. A real-time
packet size distribution is also provided.
The number of collisions detected by the agent depends upon the capability of its internal or externally attached transceiver. Most agents will utilize external transceivers (sometimes failed media access units, or MAUs) supplied by the user. In these cases, the characteristics of the MAU are very important for an accurate count of collisions. The MAU should be receiver-based, meaning that it can detect all collisions on the segment. Transmit-based MAUs can detect collisions only when transmitting. Since network monitoring agents transmit very rarely, a transmit-based MAU would hide most of the collisions on the segment from view of the agent. Most MAUs made in the last 2 or 3 years are receiver-based and will provide the user an accurate count of all collisions. Check with your manufacturer for details.
The RMON MIB includes error counters for five different types of packets: Undersizes, fragments, CRC/Alignment errors, jabbers, and oversizes. These counters were defined to provide useful network management information beyond that provided by typical interface cards. For example, industry standard cards will provide only two separate counts of CRC and alignment errors which the card receives, and will not count well formed packets that are either too small or two large. These Undersize and Oversize packets are counted by the RMON MIB agent because they usually indicate communication software configuration problems in the transmitting station. Such packets will usually not be passed from the receiving card driver, resulting in failed transmissions.
< 64 Bytes 64-1518 Bytes >1518 Bytes Good Pkts Undersize Good Packets Oversize Bad CRC(s) Fragment CRC or Alnmt Err Jabber
[Figure: The five RMON MIB categories for error packets.]
The History group provides historical views of the statistics
provided in the Statistics group, with the exception of packet
size distribution which is provided only on a real-time basis.
The History group features user-defined sample intervals and
bucket counters for complete customization of trend analysis.
The RMON MIB recommends two trend analyses. The first recommendation is for 50 buckets (or samples) of 30 second sample intervals, for a total time interval of 25 minutes. the second recommendation ifs for 50 buckets of 30 minute intervals, for a total time interval of 25 minutes. The second recommendation is for 50 buckets of 30 minute intervals, for a total time interval of 25 hours. Of course, users can modify either of these or add additional historical time interval studies; the total number of such studies is limited only by the resources of the specific agent. The sample interval can range from 1 second to 1 hour, creating the opportunity for long historical studies. Node traffic statistics from the Hosts group or user-defined packet match counters are not available for historical analysis in the standard RMON MIB.
A host table is a standard feature of most current monitoring devices. The RMON MIB specifies a host table which includes node traffic statistics: Packets sent and received, octets sent and received, as well as broadcasts, multicasts, and error packets sent. In the host table, the classification "error sent" is the combination of undersizes, fragments, CRC/Alignment errors, jabbers, and oversizes sent by each node. In addition, the RMON MIB includes a host time table which shows the relative order each host was discovered by the agent. This data is not only useful for network management purposes, but also assists in uploading to the management station only those nodes of which it is not aware rather than the entire host table. this index entry improves performance and reduces necessary SNMP traffic on the network.
The Top N group extends the host table by providing sorted host statistics, such as the top 20 nodes sending packets or an ordered list of all nodes according to the errors they sent over the last 24 hours. Both the data selected and the duration of the study is defined by the user at the network management station and the number of studies is limited only by the resources of the monitoring device. When a set of statistics is selected and a study begun, only the selected statics are maintained in the Host Top N counters, other statistics over the same time intervals are not available for later study. This extensive processing performed remotely in the RMON MIB agent reduces SNMP traffic on the network and the processing load on the management station, which would otherwise need to use SNMP to get the entire host table and sort it locally.
The RMON MIB includes a traffic matrix at the Ethernet MAC layer. A traffic matrix shows the amount of traffic and number of errors between pairs of nodes, one source and one destination address per pair. For each pair, the RMON MIB maintains counters for the number of packets, number of octets, and error packets between the nodes. Users can sort this data either by source or destination address.
The Alarms group provides a versatile general mechanism for setting
thresholds and sampling intervals to generate events on any counter
or integer maintained by the agent, such as segment statistics,
node traffic statistics defined in the host table or any user-defined
packet match counter defined in the Filters group. both rising
and falling thresholds may be set, and both can indicate network
faults. For example, crossing a high threshold can indicate network
performance problems; crossing a low threshold may point out the
failure of a network backup scheduled to occur at midnight.
Thresholds can be established on both the absolute value of a statistic or its delta value, in order to be notified of rapid spikes or drops in a monitored value. Notice on the above graph that rising and falling thresholds work together in an alternating fashion. After a rising threshold is crossed, another rising event is not generated until the matching falling threshold is crossed.
The Filters group features a generic filter engine which activates
all packet capture functions and events. Judging by the number
of other groups which depend upon the Filters group, it is indeed
critical to many of the advanced functions of an RMON MIB agent.
The filter engine fills the packet capture buffer with packets that match filters installed by the user. Any individual packet match filter can serve as a start or stop trace trigger. The contents of the trace buffer are controlled by any combination of user-selected filters. the conditions within a single filter can be combined in either boolean "and" or "not", multiple filters are combined with the boolean "or" function. Users can choose to capture packets that are valid or invalid, or are one of the five error packet types. With the proper protocol decoding capability at the management station, this sophisticated filtering will essentially provide distributed protocol analysis to supplement the use dispatched protocol analyzers.
The monitor also maintains counters of each packet match for statistical analysis. Either an individual packet match or a multiple number of packet matches through Alarms can trigger an event to the long or the umbrella manager using an SNMP trap. Although these counters are not available to the History group for trending, a management station may trend these counters through regular polling of the monitor.
Of course, the Packet Capture group depends upon the Filter group. The Packet Capture group includes the capability for users to create a multiple number of capture buffers and to control whether the trace buffers will wrap when full or stop capturing. Depending on the agent, the user may expand or contract the size of the buffer to fit immediate needs for packet capturing without permanently committing memory that will not be needed later. The network manager can specify a packet match as a start trigger for a trace and depend upon the monitor to collect the trace without further manager intervention. The RMON MIB includes configurable capture slice sizes to store either the first few bytes of a packet where the various protocol headers are located or, at the limit, to store the entire packet. the default slice setting specified by the RMON MIB is the first 100 octets.
Finally, the Events group provides the capability for users to
create entries in the monitor log and/or SNMP traps from the agent
to the management station on any event of the user's choice.
Events can originate from a crossed threshold on any integer or
counter or from any packet match count. Vendors may add other
notification capability to include administrative events from
the agent, such as a power failure or reset.
The log includes the time of day for each event and a description of the event written by the vendor of the monitor. The log wraps when full so events may be lost if not uploaded to the management station periodically. The rate which the log fills depends upon the resources the monitor dedicates to the log and the number of notifications the user has sent to the log.
Traps can be delivered by the agent to a multiple number of management stations that each match the single community name destination specified for the trap. An RMON MIB agent will support each of the five traps required by the MIB II, RFC 1213: Link up, link down, warm start, cold start, and authentication failure. Three additional traps are specified in the RMON MIB: Rising threshold, falling threshold, and packet match.
While one of the primary purposes of the RMON MIB is to standardize the basic features of distributed network monitoring products and insure interoperability, it will certainly not eliminate product differentiation. Each RMON MIB vendor will seek to provide unique solutions based on memory and CPU resources available in monitoring devices, value-added features above and beyond the standard, quality management applications, price, customer service and support, and availability.