Network Management Functions: RMON1, RMON2
Network Management, 30.5.2013
Lectures Schedule
Week 1: Computer Networks - Network Management Architectures & Applications
Week 2: Network Management Standards Architectures & Applications
Week 3: Simple Network Management Protocol - SNMP v1, ASN, MIB, BER
Week 4: Network Management Functions - Fault
Week 5: Simple Network Management Protocol - SNMP v2 - Configuration
Week 6: Network Management Functions - Accounting
Week 7: Midterm
Week 8: Simple Network Management Protocol - SNMP v3 - Performance
Week 9: Network Management Functions Security 1
Week 10: Network Management Functions Security 2
Week 11: Remote Network Monitoring RMON 1, RMON 2
Week 12: SLA
Week 13: Management Tools, Systems and Applications
Week 14: NM Project Presentations
Week 15: NM Project Presentations
RMON means what?
- remote monitoring
- aggregate stats for a network
- aggregate stats for a host
- for host X talking to host Y
- layer 1 and layer 2 and more
- question: do we have the right information?
- related question: how are networks evolving?
- one more question: is SNMP the right approach?
Remote Monitoring (RMON)
- An extension of the network manager's operation.
- Monitors the data flowing on the remote network using probes or RMON agents.
- Overcomes the degradation caused by lower-rate WAN bandwidth when monitoring geographically separated networks.
- Reduces the amount of information that must be transmitted to the NMS.
- Reduces the potential bandwidth saturation of the WAN circuit.
bibliography
- rfc1513, 1993 - token-ring extensions
- rfc1757, 1995, MIB 1
- rfc2021, 1997, MIB 2
- rfc2074, 1997, protocol identifiers (directory)
- David Perkins' RMON book
- SNMP, v2, v3, RMON1/2, Stallings
The Remote Network MONitoring (RMON) MIB was developed by the IETF to support monitoring and protocol analysis of LANs. The original version (sometimes referred to as RMON1) focused on OSI Layer 1 and Layer 2 information in Ethernet and Token Ring networks.
It has been extended by RMON2, which adds support for network- and application-layer monitoring, and by SMON, which adds support for switched networks. It is an industry standard specification that provides much of the functionality offered by proprietary network analyzers. RMON agents are built into many high-end switches and routers.
rmon and OID tree
iso(1)
  org(3)
    dod(6)
      internet(1)
        directory(1)   X.500
        mgmt(2)
          mib-2(1)
            system(1)
            ...
            rmon(16)   rmon1 & 2
rmon intro
- rmon - remote monitoring
- rmon I - stats at ethernet layer (MAC addresses, but not upstairs)
- rmon II - stats at network and transport layers (IP addresses and tcp/udp ports)
network analysis picture (trad)
[Figure: hosts A and B, a router (or switch), and an analyzer on one shared link]
- analyzer: in promiscuous mode
- analyzer: can hear A, B, to/from router traffic on traditional 10BASE shared link
manager/probe
[Figure: manager and probe; the probe holds MIBs (sampled data)]
- manager sends get database item (OID)
- probe sends response
RMON Principle Operation
[Figure: Network Management Station connected over a WAN circuit to an RMON Agent/Probe holding the RMON-MIBs (Agent MIB)]
Nine groups are defined for RMON: Statistics Group, History Group, Host Group, Host Top N Group, Traffic Matrix Group, Alarms Group, Filters Group, Packet Capture Group, and Events Group.
RMON Probe
[Figure 12.14 Protocol Analyzer with RMON Probe: RMON probe on a LAN, routers, backbone network and protocol analyzer, with SNMP traffic between probe and analyzer]
- Communication between probe and analyzer uses SNMP
- Data is gathered and stored for an extended period of time and analyzed later
- Used for gathering traffic statistics, and for configuration management for performance tuning
Network Monitoring with RMON Probe
[Figure: protocol analyzer and backbone network with a backbone probe; routers connect an Ethernet LAN (Ethernet probe), an FDDI LAN (FDDI probe) and a Token Ring LAN (Token Ring probe)]
basic idea/s:
- all kinds of stats, but gathered on a per-link basis as an aggregate
- not by the manager from every host on the link
- ethernet focus (token-ring support too)
- rmon probe can run SOMEWHAT by itself and gather information
- however, a manager is needed for more complex functions (may have to suck out data on a periodic basis due to lack of space)
The RMON1 MIB consists of ten groups:
1. Statistics: real-time LAN statistics, e.g. utilization, collisions, CRC errors
2. History: history of selected statistics
3. Alarm: definitions for RMON SNMP traps to be sent when statistics exceed defined thresholds
4. Hosts: host-specific LAN statistics, e.g. bytes sent/received, frames sent/received
5. Hosts top N: record of N most active connections over a given time period
6. Matrix: the sent-received traffic matrix between systems
7. Filter: defines packet data patterns of interest, e.g. MAC address or TCP port
8. Capture: collect and forward packets matching the Filter
9. Token Ring: extensions specific to Token Ring
10. Event: send alerts (SNMP traps) for the Alarm group

The RMON2 MIB adds ten more groups:
1. Protocol Directory: list of protocols the probe can monitor
2. Protocol Distribution: traffic statistics for each protocol
3. Address Map: maps network-layer (IP) to MAC-layer addresses
4. Network-Layer Host: layer 3 traffic statistics, per host
5. Network-Layer Matrix: layer 3 traffic statistics, per source/destination pair of hosts
6. Application-Layer Host: traffic statistics by application protocol, per host
7. Application-Layer Matrix: traffic statistics by application protocol, per source/destination pair of hosts
8. User History: periodic samples of user-specified variables
9. Probe Configuration: remote configuration of probes
10. RMON Conformance: requirements for RMON2 MIB conformance
rmon 1 functions - overview
- sample stats for all devices on ethernet link
- ethernet level - e.g., how many collisions
- basic and history
- derived statistics for each host
- top N talkers (who sent most bytes?)
- matrix of conversations SRC x RCV
rmon 1, cont.
- threshold events
  - look for N events in elapsed time T
  - if found, send trap to manager
  - e.g., N errors in one minute (too many)
- packet data capture
  - filtering mechanism + capture
  - must work with higher level GUI in manager
  - goal: capture packets of interest/nice decode display
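The threshold rule on this slide (N events in elapsed time T, then a trap), worked as an added Python example that is not part of the original slides. It goes slightly beyond the slide by including the rising/falling hysteresis the RMON alarm group uses and Counter32 wrap handling; the class name, thresholds and poll values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

COUNTER32_MOD = 2 ** 32  # an SNMP Counter32 wraps to 0 after 2**32 - 1


@dataclass
class DeltaAlarm:
    """One alarm row with delta sampling: compare the change per interval."""
    rising: int                   # fire when the per-interval delta reaches this
    falling: int                  # re-arm once the delta drops to this or below
    last: Optional[int] = None    # counter value at the previous poll
    armed_rising: bool = True     # assumption: starts as a "rising" startup alarm
    armed_falling: bool = False
    events: list = field(default_factory=list)

    def sample(self, t, counter):
        """Feed one poll of the counter; return 'rising', 'falling' or None."""
        if self.last is None:     # the first poll only sets the baseline
            self.last = counter
            return None
        delta = (counter - self.last) % COUNTER32_MOD  # correct across a wrap
        self.last = counter
        fired = None
        if delta >= self.rising and self.armed_rising:
            fired = "rising"
            self.armed_rising, self.armed_falling = False, True
        elif delta <= self.falling and self.armed_falling:
            fired = "falling"
            self.armed_rising, self.armed_falling = True, False
        if fired:
            self.events.append((t, fired, delta))  # where a trap would be sent
        return fired


def run_constructed_samples():
    # Constructed one-minute polls of a CRC-error counter (not real data).
    # The counter wraps between t=180 and t=240.
    polls = [(0, 4294967000), (60, 4294967010), (120, 4294967140),
             (180, 4294967290), (240, 120), (300, 125), (360, 260)]
    alarm = DeltaAlarm(rising=100, falling=10)
    for t, value in polls:
        alarm.sample(t, value)
    return alarm.events


if __name__ == "__main__":
    for event in run_constructed_samples():
        print(event)
```

Three consecutive intervals above the threshold (t=120 to t=240) produce a single rising event, so a sustained error burst does not flood the manager with traps.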
rmon 1 - { mib-2 16 }
- statistics(1) - ethernet stats > interface, roughly equal to dot3 (but global)
- history(2) - snapshots based on stats(1)
- alarm(3) - ability to set threshold, generate alarm on interesting event
- host(4) - per i/f host stats (global interface)
- hosttopn(5) - store/sort by top N hosts
- matrix(6) - X talks to Y (a few stats)
rmon 1, cont.
- filter(7) - filter pkts and capture/or cause event
- capture(8) - traditional packet analyzer
- event(9) - table of events generated by probe
- tokenring(10) - never mind, but like ethernet stats
rmon2, still { mib-2 16 }
- protocoldir(11) - protocols understood by probe
- protocoldist(12) - per protocol stats (bytes/pktcnt)
- addressmap(13) - ip/mac mappings
- nlhost(14) - per host octet/byte counts
- nlmatrix(15) - host X talks to host Y
- alhost(16) - per host application octet/byte counts
- almatrix(17) - application Z/X to Z/Y
- usrhistory(18) - sampling of any INT OID
- probeconfig(19) - info for manager on probe setup/config
rmon2: notes
- application means above the network layer
- both matrix groups have top N functions as well
- note both protocol directory and probe configuration are there to help the odds of manager/probe interoperability
RMON agents or probes have MIBs
- RMON1: RFC 2819 - Remote Network Monitoring Management Information Base
- RMON2: RFC 2021 - Remote Network Monitoring Management Information Base Version 2 using SMIv2
- SMON: RFC 2613 - Remote Network Monitoring MIB Extensions for Switched Networks
- Overview: RFC 3577 - Introduction to the RMON Family of MIB Modules
possible rmon uses
what kind of questions might you ask?
- how much IP vs IPX traffic?
- how much traffic is web/news/ftp, whatever?
- how utilized (full) is the pipe?
- who talks to server X?
- we have a problem with DHCP, we need to capture the packets and look?
- global ethernet errors on this link are what?
Summary
- RMON 1
- RMON 2