Remote Monitoring (RMON)

Upload: adam-perry

Post on 21-Jan-2016


• RFC 2819 Remote network monitoring management information base (RMONI)
• RFC 2021 Remote network monitoring management information base II (RMON2)
• RFC 2613 RMON MIB Extension for Switched Network SMON
• RFC 3577 Introduction to RMON family of MIB Modules

Goals (RFC2819) (1)

• Offline Operation
  – An attempt to lower communications costs (especially when communicating over a WAN or dialup link), or by accident as network failures affect the communications between the management station and the probe.
  – MIB allows a probe to be configured to perform diagnostics and to collect statistics continuously,

Goals (RFC2819) (2)

• Proactive Monitoring
  – It is potentially helpful to run diagnostics and to log network performance.
  – It can notify the management station of the failure and can store historical statistical information about the failure.
  – This historical information can be played back by the management station in an attempt to perform further diagnosis into the cause of the problem.

Goals (RFC2819) (3)

• Problem Detection and Reporting
  – The monitor can be configured to recognize conditions, most notably error conditions, and continuously to check for them.
  – When one of these conditions occurs, the event may be logged, and management stations may be notified in a number of ways.

Goals (RFC2819) (4)

• Value Added Data
  – The remote network monitoring device has the opportunity to add significant value to the data it collects.
  – For instance, by highlighting those hosts on the network that generate the most traffic or errors, the probe can give the management station precisely the information it needs to solve a class of problems.

Goals (RFC2819) (5)

• Multiple Managers
  – Environments with multiple management stations are common; the remote network monitoring device has to deal with more than one management station, potentially using its resources concurrently.

• Fig 8.1

Control of Remote Monitor Devices (1)

• Configuration
  – Each MIB group consists of one or more control tables and data tables
    • Control table – read/write; contains parameters that describe the data in the data table
    • Data table – read only; contains information that is defined by the control table
• Action invocation
  – Use SET operation to issue a command
  – RMON MIB defines objects to represent several commands

Control of Remote Monitor Devices (2)

• Modifying Parameters
  – First, invalidate the control entry, causing its deletion and the deletion of any associated data entries
  – Then, create a new control entry with the proper parameters.
• Start Process
  – Some objects in this MIB provide a mechanism to execute an action on the remote monitoring device.
  – These objects may execute an action as a result of a change in the state of the object.

Multiple Manager - Problems

• Potential conflicts
  – Two or more management stations wish to simultaneously use resources that together would exceed the capability of the device.
  – A management station uses a significant amount of resources for a long period of time.
  – A management station uses resources and then crashes, forgetting to free the resources so others may use them

Multiple Manager – Solution

• Ownership label is used for a particular row of the table
  – A management station may recognize resources it owns and no longer needs
  – A network operator can identify the management station and negotiate with it to free the resources
  – A network operator may have the authority unilaterally to free resources another network operator has reserved
  – If a management station experiences a reinitialization, it can recognize resources it had reserved in the past and free those it no longer needs

Ownership concept

• Ownership label contains one or more of the following:
  – IP address, management station name, network manager’s name, location or phone number
• However, the ownership label does not act as a password or access-control mechanism
• Therefore, a row can be read and written by a management station that does not own the row

Note (1)

• Default functionality
  – Resources intended to be long-lived should have the relevant owner object set to a string starting with 'monitor'.
  – Indiscriminate modification of the monitor-owned configuration by network management stations is discouraged.
  – In fact, a network management station should only modify these objects under the direction of the administrator of the probe.

Note (2)

• When a network management station wishes to utilize a function in a monitor, it is encouraged to first scan the control table of that function to find an instance with similar parameters to share.
• If a management station decides to share an instance owned by another management station, it should understand that the management station that owns the instance may indiscriminately modify or delete it.

Row Addition for Multiple Manager

• When more than one manager simultaneously attempts to create the same conceptual row, only the first can succeed. The others will receive an error
• When a manager wishes to create a new control entry, it needs to choose an index for that row.
  – Examples of schemes to choose index values include random selection or scanning the control table looking for the first unused index.
  – If the index is in use, the agent sends an error

• Fig 8.3

RMON Row Addition

• If a management station attempts to create a new row and the index object value does not exist, the row is created with a status of createRequest(2)
• After completing the create operation, the agent sets the status object value to underCreation(3)
• After the management station is finished creating all of the rows that it desires for its configuration, the management station sets the status object value to valid(1)
• If an attempt is made to create a new row and the row already exists (duplicate index), an error will be returned
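The row-creation sequence and the ownership rules from the preceding slides, modelled as an added example (not from the slides or from any RMON implementation). The class, method and manager names are hypothetical, the requester string stands for whatever identity the agent's log attributes a SET to, and invalid(4) is taken from RFC 2819 rather than from the slides.

```python
from dataclasses import dataclass, field

# EntryStatus values. valid, createRequest and underCreation are the ones the
# slides name; invalid(4) is the fourth value defined in RFC 2819.
VALID, CREATE_REQUEST, UNDER_CREATION, INVALID = 1, 2, 3, 4


class AgentError(Exception):
    """Stands in for the SNMP error response the agent would return."""


@dataclass
class ControlRow:
    owner: str                      # ownership label: free text, not a credential
    status: int = UNDER_CREATION
    params: dict = field(default_factory=dict)


class ControlTable:
    """Toy model of one RMON control table (hypothetical, for illustration)."""

    def __init__(self):
        self.rows = {}              # index -> ControlRow
        self.log = []               # (requester, index, action, owner at the time)

    def first_unused_index(self):
        """Scan the table for the first free index, one of the schemes above."""
        index = 1
        while index in self.rows:
            index += 1
        return index

    def create(self, requester, index, owner):
        """Models SET status = createRequest(2) on the chosen index."""
        if index in self.rows:
            raise AgentError(f"index {index} already in use")
        # The agent accepts the request and moves the row to underCreation(3).
        self.rows[index] = ControlRow(owner=owner)
        self.log.append((requester, index, "create", owner))

    def set_param(self, requester, index, name, value):
        """Parameters are filled in while the row is underCreation(3)."""
        row = self._row(index)
        if row.status != UNDER_CREATION:
            raise AgentError("invalidate the entry and create a new one instead")
        row.params[name] = value
        self.log.append((requester, index, f"set {name}", row.owner))

    def set_status(self, requester, index, status):
        row = self._row(index)
        # Note what is absent: no comparison of requester against row.owner.
        if status == VALID and row.status == UNDER_CREATION:
            row.status = VALID
        elif status == INVALID:
            del self.rows[index]    # associated data entries go with it
        else:
            raise AgentError("unsupported status transition")
        self.log.append((requester, index, f"status={status}", row.owner))

    def _row(self, index):
        if index not in self.rows:
            raise AgentError(f"no such row {index}")
        return self.rows[index]

    def foreign_changes(self):
        """Log entries where the requester is not the row's labelled owner.

        Any manager touching a 'monitor...' row also shows up here.
        """
        return [entry for entry in self.log if entry[0] != entry[3]]


def demo():
    table = ControlTable()
    idx = table.first_unused_index()
    table.create("nms-a", idx, owner="nms-a")
    table.set_param("nms-a", idx, "interval", 1800)
    table.set_status("nms-a", idx, VALID)
    try:
        table.create("nms-b", idx, owner="nms-b")    # duplicate index
        duplicate_rejected = False
    except AgentError:
        duplicate_rejected = True
    # Accepted although nms-b does not own the row: the label is not access control.
    table.set_status("nms-b", idx, INVALID)
    return duplicate_rejected, idx in table.rows, table.foreign_changes()


if __name__ == "__main__":
    print(demo())
```

Because the agent never checks the label, the only place a non-owner change becomes visible is a log reviewed the way `foreign_changes()` does; restricting who may issue SETs has to come from the SNMP access configuration, not from the owner string.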

Control Status

Good Packets

• RFC 2819
• Good packets are error-free packets that have a valid frame length.
  – For example, on Ethernet, good packets are error-free packets that are between 64 octets long and 1518 octets long.

Bad Packets

• Bad packets are packets that have proper framing and are therefore recognized as packets, but contain errors within the packet or have an invalid length.
  – For example, on Ethernet, bad packets have a valid preamble and SFD, but have a bad CRC, or are either shorter

The RMON MIB

• RMON (v1) MIB is incorporated into MIB-II with a subtree identifier of 16 (10 groups)
• statistics: maintains low-level utilization and error statistics for each subnetwork monitored by the agent
• history: records periodic statistical samples from information available in the statistics group

RMON MIB Group

• alarm: allows the management console user to set a sampling interval and alarm threshold for any counter or integer recorded by the RMON probe
• host: contains counters for various types of traffic to and from hosts attached to the subnetwork
• hostTopN: contains sorted host statistics that report on the hosts that top a list based on some parameter in the host table

• matrix: shows error and utilization information in matrix form
• filter: allows the monitor to observe packets that match a filter
• (Packet) capture: governs how data is sent to a management console
• event: gives a table of all events generated by the RMON probe
• tokenRing: maintains statistics and configuration information for token ring subnetworks

Important note 1

• All groups in the RMON MIB are optional, but there are some dependencies
• The alarm group requires the implementation of the event group
• The hostTopN group requires the implementation of the host group
• The packet capture group requires the implementation of the filter group

Important note 2

• Collection of traffic statistics for one or more subnetworks
  – statistics, history, host, hostTopN, matrix, tokenRing
• Various alarm conditions and filtering with user-defined
  – alarm, filter, capture, event

Statistics Group (1)

• Fig 8-6

Statistics Group (2)

• Table 8.2

Statistics Group (3)

Statistics Group (4)

• The statistics group provides useful information about the load and overall health of the subnetwork
• Various error conditions are counted, such as CRC or alignment errors, collisions, undersized and oversized packets

History Group

• The history group is used to define sampling functions for one or more of the interfaces of the monitor
• 2 tables
  – historyControlTable – specifies the interface and detail of the sampling function
  – etherHistoryTable – records data

• Fig 8.7

historyControlTable

• historyControlIndex: index of the entry, which is the same number as used in etherHistoryTable
• historyControlDataSource: identifies the interface to be sampled
• historyControlBucketsRequested: the requested number of discrete sampling intervals; the default value is 50
• historyControlBucketsGranted: the actual number of discrete sampling intervals
• historyControlInterval: interval in seconds; maximum is 3600 (1 hour), default value is 1800

Sampling scheme

• Determined by historyControlBucketsGranted and historyControlInterval
• Ex. Use the default value of both
  – The monitor would take a sample once every 1800 seconds (30 min); each sample is stored in a row of etherHistoryTable
  – The most recent 50 rows are retained

Utilization

• It is calculated from two counters: etherStatsOctets and etherStatsPkts
• Utilization = 100% × [Packets × (96 + 64) + Octets × 8] / (interval × 10^7)
• 64 bit – preamble
• 96 bit – interframe gap
• Assume that interface data rate is 10Mbps
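The sampling scheme and the utilization formula combined in one added example (not from the slides). It goes beyond the slide by taking the packet and octet counts as differences between successive Counter32 readings and tolerating a counter wrap; the class and function names are hypothetical and the readings are constructed.

```python
from collections import deque

COUNTER32_MOD = 2 ** 32     # etherStatsPkts and etherStatsOctets are Counter32


def counter_delta(previous, current):
    """Difference between two Counter32 readings, tolerating one wrap."""
    return (current - previous) % COUNTER32_MOD


def utilization(packets, octets, interval_s, rate_bps=10_000_000):
    """Percent utilization from the slide's formula.

    Each packet costs 96 bits of interframe gap plus 64 bits of preamble on
    top of its octets; the denominator is what the link could have carried.
    Back-to-back 64-octet frames (about 14,881 per second at 10 Mbps) come
    out at about 100%.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    bits_on_wire = packets * (96 + 64) + octets * 8
    return 100.0 * bits_on_wire / (interval_s * rate_bps)


class HistorySampler:
    """Toy stand-in for one historyControlTable row and its data rows."""

    def __init__(self, buckets_granted=50, interval_s=1800):
        if not 1 <= interval_s <= 3600:
            raise ValueError("interval must be 1..3600 seconds")
        self.interval_s = interval_s
        # Once buckets_granted rows exist, the oldest row is dropped.
        self.buckets = deque(maxlen=buckets_granted)
        self._last = None
        self._sample_index = 0

    def poll(self, pkts_counter, octets_counter):
        """Call once per interval with the current raw counter values."""
        if self._last is not None:
            pkts = counter_delta(self._last[0], pkts_counter)
            octets = counter_delta(self._last[1], octets_counter)
            self._sample_index += 1
            self.buckets.append({
                "sample": self._sample_index,
                "pkts": pkts,
                "octets": octets,
                "utilization": utilization(pkts, octets, self.interval_s),
            })
        self._last = (pkts_counter, octets_counter)
        return self.buckets[-1] if self.buckets else None


def demo():
    # Constructed readings: 60,000 packets of 64 octets per 60 s interval.
    sampler = HistorySampler(buckets_granted=3, interval_s=60)
    for k in range(6):
        sampler.poll(k * 60_000, k * 3_840_000)
    return [(b["sample"], round(b["utilization"], 2)) for b in sampler.buckets]


if __name__ == "__main__":
    print(demo())
```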

Host Group

• To gather statistics about specific hosts on the LAN by observing the source and destination MAC addresses in good packets
• Consists of 3 tables:
  – one control table (hostControlTable)
  – two data tables (hostTable, hostTimeTable): same information but indexed differently

hostControlTable

• hostControlIndex:
  – identifies a row in the hostControlTable, referring to a unique interface of the monitor
• hostControlDataSource:
  – identifies the interface (the source of the data)
• hostControlTableSize:
  – the number of rows in hostTable (hostTimeTable)
• hostControlLastDeleteTime: the last time that an entry (hostTable) was deleted

• Fig 8.9

A simple RMON configuration

• Fig 8.10

hostTable

• hostAddress: MAC address of this host
• hostCreationOrder: an index that defines the relative ordering of the creation time of hosts (index takes on a value 1-N)
• hostIndex: the same number as hostControlIndex

Counter in hostTable

• Fig 8.11

hostTopN Group (1)

• To maintain statistics about the set of hosts on one subnetwork that top a list based on some parameters
• Statistics that are generated for this group are derived from data in the host group
• The set of statistics for one object collected during one sampling interval is referred to as a report

hostTopN Group (2)

• Each report contains the results for only one variable
  – The variable represents the amount of change in a host group object over the sampling interval
• So, the report lists the hosts on a particular subnetwork with the greatest rate of change in a particular variable

hostTopNControlTable (1)

• hostTopNControlIndex:
  – identifies a row in hostTopNControlTable, defining one top-N report for one interface
• hostTopNHostIndex:
  – matches the value of hostControlIndex, specifying a particular subnetwork
• hostTopNRateBase:
  – specifies one of seven variables from hostTable

hostTopNControlTable (2)

• Variable in hostTopNRate
  – INTEGER { hostTopNInPkts (1), hostTopNOutPkts (2), hostTopNInOctets (3), hostTopNOutOctets (4), hostTopNOutErrors (5), hostTopNOutBroadcastPkts (6), hostTopNOutMulticastPkts (7) }

hostTopNControlTable (3)

• hostTopNTimeRemaining:
  – time left in the report currently being collected
• hostTopNDuration:
  – sampling interval
• hostTopNRequestedSize:
  – maximum number of requested hosts for the top-N report
• hostTopNGrantedSize:
  – maximum number of hosts for the top-N report
• hostTopNStartTime:
  – the last start time


hostTopNTable

• hostTopNReport:
– same value as hostTopNControlIndex

• hostTopNIndex:
– uniquely identifies a row

• hostTopNAddress:
– MAC address

• hostTopNRate:
– the amount of change in the selected variable during the sampling interval


Report preparation (1)

• A management station creates a row of the control table to specify a new report.

• This control entry instructs the monitor to measure the difference between the beginning and ending values of a particular host group variable over a specific sampling period

• The sampling period value is stored in both hostTopNDuration (static) and hostTopNTimeRemaining (dynamic)


Report preparation (2)

• The value in hostTopNDuration is static, and the value in hostTopNTimeRemaining counts down in seconds while the report is being prepared

• When hostTopNTimeRemaining reaches 0, the monitor calculates the final results and creates a set of N data rows

• To generate an additional report for a new time period, get the old report and reset hostTopNTimeRemaining to the value of hostTopNDuration


• Fig 8.12


• Fig 8.13


Matrix group

• To record information about the traffic between pairs of hosts on a subnetwork

• The information is stored in the form of a matrix

• Consists of 3 tables
– One control table – matrixControlTable
– Two data tables – matrixSDTable (traffic from one host to all others), matrixDSTable (traffic from all hosts to one particular host)


matrixControlTable

• matrixControlIndex:
– identifies a row in the matrixControlTable

• matrixControlDataSource:
– identifies the interface

• matrixControlTableSize:
– the number of rows in the matrixSDTable

• matrixControlLastDeleteTime:
– the last time that an entry was deleted


• Fig 8.14


matrixSDTable (matrixDSTable)

• matrixSDSourceAddress: the source MAC address

• matrixSDDestAddress: the destination MAC address

• matrixSDIndex: same value as matrixControlIndex

• matrixSDPkts: number of packets transmitted from this source address to the destination address, including bad packets

• matrixSDOctets: number of octets contained in all packets

• matrixSDErrors: number of bad packets transmitted from this source address to the destination address


matrixSDTable - operation

• Indexed first by matrixSDIndex, then by source address, then by destination address; for matrixDSTable the source address is last

• The matrixSDTable contains 2 rows for every pair of hosts
– One row per direction


RMON (alarms and filtering)

W.lilakiatsakun


Alarm group

• It is used to define a set of thresholds for network performance.

• If a threshold is crossed in the appropriate direction

• An alarm is generated and sent to the central console

• Ex. An alarm could be generated if there are more than 500 CRC errors in any 5-minute interval


Alarm table (1)

• Each entry specifies a particular variable to be monitored, a sampling interval, and threshold parameters

• The single entry for a variable contains the most recently sampled value (last sampling interval)
– The new value will be stored, so the old one is lost

• Objects in the alarmTable:

• alarmIndex: an integer that uniquely identifies a row in alarmTable
– Each row specifies a sample at a particular interval for a particular object in the monitor's MIB


Alarm table (2)

• alarmInterval: interval in seconds over which data are sampled and compared with the rising and falling thresholds

• alarmVariable: the object identifier of the particular variable in the RMON MIB to be sampled
– Object type: INTEGER, counter, gauge, TimeTicks
– Ex. etherStatsUndersizePkts

• alarmSampleType: the method of calculating the value to be compared to the threshold
– absoluteValue(1) – the value of the variable will be compared with the threshold
– deltaValue(2) – (the current value – the last value) is computed, then compared to the threshold


Alarm table (3)

• alarmValue: the value of the statistic during the last sampling period

• alarmStartupAlarm: this dictates whether an alarm will be generated if the first sample is greater than or equal to the risingThreshold, less than or equal to the fallingThreshold, or both
– risingAlarm(1), fallingAlarm(2), risingOrFallingAlarm(3)


Alarm table (4)

• alarmRisingThreshold: the rising threshold for the sampled statistic

• alarmFallingThreshold: the falling threshold for the sampled statistic

• alarmRisingEventIndex: index of the eventEntry that is used when the rising threshold is crossed

• alarmFallingEventIndex: index of the eventEntry that is used when the falling threshold is crossed


Alarm operation (1)

• The monitor or a management station can define a new alarm by creating a new row in the alarmTable

• The combination of variable, sampling interval and threshold parameters is unique to a given row.

• Two thresholds are provided: a rising threshold and a falling threshold
– The rising threshold is crossed if the current sampled value is greater than or equal to the threshold and the last sampled value was less than the threshold


Alarm operation (2)

– Similarly, the falling threshold is crossed if the current sampled value is less than or equal to the threshold and the last sampled value was greater than the threshold

• Two types of values are calculated for alarms
– absoluteValue: the value of an object at the time of sampling
  • For a counter, this value never crosses the falling threshold and crosses the rising threshold at most once
– deltaValue: the difference in values for the object over two successive sampling periods
  • For a counter or gauge, this can cross both thresholds any number of times


Rules for rising-alarm generation

1 (a) if the first sampled value is less than the rising threshold, then a rising alarm is generated the first time that the sample value becomes greater than or equal to the rising threshold

(b) if the first sampled value is greater than or equal to the rising threshold and if the value of alarmStartupAlarm is risingAlarm(1) or risingOrFallingAlarm(3), then a rising-alarm event is generated


First alarm event generation

[Figure: first sample relative to the Rising Threshold and the Falling Threshold for cases (a), (b) and (c); labels: alarmStartupAlarm = risingAlarm(1) or risingOrFallingAlarm(3); alarmStartupAlarm = fallingAlarm(2)]


Rules for rising-alarm generation (cont'd)

(c) if the first sampled value is greater than or equal to the rising threshold and if the value of alarmStartupAlarm is fallingAlarm(2), then a rising-alarm event is generated the first time that the sample value again becomes greater than or equal to the rising threshold after it has fallen below the rising threshold

2 After a rising alarm event is generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reached the falling threshold, and then reached the rising threshold again


Generation of alarm events

• Fig 9.2


Hysteresis mechanism

• The mechanism by which small fluctuations are prevented from causing alarms
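
The rising and falling alarm rules and the hysteresis mechanism above, modelled as an added Python example (not part of the original slides or of any RMON agent's code). The function names, parameters and sample readings are constructed for illustration, and the falling threshold is assumed to be below the rising threshold.

```python
"""RMON alarm-group threshold logic with hysteresis (illustrative model)."""

# alarmStartupAlarm values named on the slides
RISING_ALARM, FALLING_ALARM, RISING_OR_FALLING_ALARM = 1, 2, 3
# alarmSampleType values named on the slides
ABSOLUTE_VALUE, DELTA_VALUE = 1, 2


def to_samples(readings, sample_type):
    """Turn raw polled readings into the values compared with the thresholds."""
    if sample_type == ABSOLUTE_VALUE:
        return list(readings)
    # deltaValue: current reading minus the reading one interval earlier
    return [cur - prev for prev, cur in zip(readings, readings[1:])]


def alarm_events(readings, rising, falling,
                 startup=RISING_OR_FALLING_ALARM, sample_type=ABSOLUTE_VALUE):
    """Return [(sample_number, 'rising' | 'falling', value), ...]."""
    events = []
    rising_armed = falling_armed = True
    prev = None
    for n, value in enumerate(to_samples(readings, sample_type)):
        if prev is None:
            # First sample: alarmStartupAlarm decides whether it may fire.
            fire_rising = (value >= rising and
                           startup in (RISING_ALARM, RISING_OR_FALLING_ALARM))
            fire_falling = (value <= falling and
                            startup in (FALLING_ALARM, RISING_OR_FALLING_ALARM))
        else:
            # Later samples: a threshold must actually be crossed, and the
            # alarm for that direction must be armed.
            fire_rising = rising_armed and prev < rising <= value
            fire_falling = falling_armed and prev > falling >= value
        if fire_rising:
            events.append((n, "rising", value))
            rising_armed = False
        elif fire_falling:
            events.append((n, "falling", value))
            falling_armed = False
        # Hysteresis: a direction is re-armed only after the sampled value
        # has reached the opposite threshold.
        if value <= falling:
            rising_armed = True
        if value >= rising:
            falling_armed = True
        prev = value
    return events


# Constructed absolute readings that wobble around the rising threshold (500).
WOBBLE = [50, 520, 480, 510, 90, 505, 120, 80]

# Constructed CRC-error counter polled every alarmInterval (e.g. 300 s);
# with deltaValue the samples are 200, 550, 550, 50, 550 errors per interval.
CRC_COUNTER = [1000, 1200, 1750, 2300, 2350, 2900]

if __name__ == "__main__":
    print(alarm_events(WOBBLE, rising=500, falling=100))
    print(alarm_events(CRC_COUNTER, rising=500, falling=100,
                       startup=RISING_ALARM, sample_type=DELTA_VALUE))
```

In the WOBBLE series the move from 480 back up to 510 produces no second rising alarm, because the value has not yet reached the falling threshold.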


Filter Group (1)

• Provides a means by which a management station can instruct a monitor to observe selected packets on a particular interface

• Data filter – allows the monitor to screen observed packets on the basis of a bit pattern that a portion of the packet matches (or fails to match)

• Status filter – allows the monitor to screen observed packets on the basis of their status (CRC error)

• These filters can be combined using logical AND and OR operations


Filter Group (2)

• The stream of packets that pass the test is referred to as a channel.
– A count of such packets is maintained

• In addition, the channel can be configured to generate an event (defined in the event group)

• Finally, the packets passing through a channel can be captured if the mechanism is defined in the capture group


Filter logic - variables

• input = the incoming portion of the packet to be filtered

• filterPktData = the bit pattern to be tested for

• filterPktDataMask = the relevant bits to be tested for

• filterPktDataNotMask = indication of whether to test for a match or a mismatch


Ex. 1 match & mismatch

  if ((input ^ filterPktData) == 0)
      filterResult = match;

• We take the bitwise exclusive OR of input and filterPktData

• If all bits of input and filterPktData are the same, the result is all 0s

  if ((input ^ filterPktData) != 0)
      filterResult = mismatch;

• Test for mismatch


Ex. 2 match + don't care (1)

• Use filterPktDataMask
– 1-bits in filterPktDataMask indicate the positions that need to be tested against filterPktData
– 0-bits in filterPktDataMask indicate the positions that need not be tested against filterPktData


Ex. 2 match + don't care (2)

  if (((input ^ filterPktData) & filterPktDataMask) == 0)
      filterResult = match_on_relevant_bits;
  else
      filterResult = mismatch_on_relevant_bits;

• The XOR operation produces a result that has a 1-bit in every position where there is a mismatch

• The AND operation masks out the don't-care positions


Ex. 3 more complex (1)

• Use filterPktDataNotMask
– 0-bits in filterPktDataNotMask indicate the positions where an exact match is required between the relevant bits of input and filterPktData (all bits match)
– 1-bits in filterPktDataNotMask indicate the positions where a mismatch is required between the relevant bits of input and filterPktData (at least one bit does not match)


Ex. 3 more complex (2)

• Definition of the relevant differing bits

  relevant_bits_different = (input ^ filterPktData) & filterPktDataMask

• Incorporating filterPktDataNotMask for a match

  if ((relevant_bits_different & ~filterPktDataNotMask) == 0)
      filterResult = successful_match;

• Incorporating filterPktDataNotMask for a mismatch

  if ((relevant_bits_different & filterPktDataNotMask) != 0)
      filterResult = successful_mismatch;


Filter Operations (1)

• TEST1 – the packet must be long enough that it has at least as many bits as filterPktData (otherwise it fails the filter)

• TEST2 – each bit set to 0 in filterPktDataNotMask indicates a bit position in which the relevant bits of the packet portion should match filterPktData.
– If there is a match in every desired bit position, the test is passed; otherwise the test is failed


Filter Operations (2)

• TEST3 – each bit set to 1 in filterPktDataNotMask indicates a bit position in which the relevant bit of the packet portion should not match filterPktData
– The test is passed if there is a mismatch in at least one desired bit position

• A packet passes this filter if it passes all three tests

• Ex. If we wish to accept all Ethernet packets that have a destination address of 0xA5 and do not have a source address of 0xBB


Filter Operations (3)

  filterPktDataOffset  = 0
  filterPktData        = 0x0000000000A5 0000000000BB
  filterPktDataMask    = 0xFFFFFFFFFFFF FFFFFFFFFFFF
  filterPktDataNotMask = 0x000000000000 FFFFFFFFFFFF

• filterPktDataOffset indicates that the pattern matching should start with the first bit of the packet

• filterPktData indicates that the pattern of interest consists of 0xA5 and 0xBB

• filterPktDataMask indicates that all of the first 96 bits are relevant

• filterPktDataNotMask indicates that the test is for a match on the first 48 bits and a mismatch on the second 48 bits
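
The three filter tests applied to the filter values above, as an added Python example (not code from the slides or from any RMON probe). The helper names and the sample frames are constructed for illustration, and this sketch expects filterPktData, filterPktDataMask and filterPktDataNotMask to have the same length.

```python
"""RMON filterPktData matching: TEST1, TEST2 and TEST3 (illustrative model)."""


def hexbytes(text):
    """Parse a hex string, ignoring the spaces used on the slide."""
    return bytes.fromhex(text.replace(" ", ""))


def failed_test(packet, data, mask, not_mask, offset=0):
    """Return None if the packet passes the data filter, else 1, 2 or 3."""
    if not (len(data) == len(mask) == len(not_mask)):
        raise ValueError("this sketch expects data, mask and not_mask "
                         "of equal length")
    window = packet[offset:offset + len(data)]
    # TEST1: the packet must cover every bit of filterPktData.
    if len(window) < len(data):
        return 1
    # relevant_bits_different = (input ^ filterPktData) & filterPktDataMask
    diff = [(p ^ d) & m for p, d, m in zip(window, data, mask)]
    # TEST2: where filterPktDataNotMask is 0, every relevant bit must match.
    if any(x & ~n & 0xFF for x, n in zip(diff, not_mask)):
        return 2
    # TEST3: where filterPktDataNotMask is 1, at least one relevant bit must
    # differ. With no such positions (as in Ex. 1 and Ex. 2) nothing is required.
    mismatch_wanted = any(m & n for m, n in zip(mask, not_mask))
    if mismatch_wanted and not any(x & n for x, n in zip(diff, not_mask)):
        return 3
    return None


# Filter values from the slide: destination 0xA5 and source not 0xBB.
SLIDE_FILTER = dict(
    offset=0,
    data=hexbytes("0000000000A5 0000000000BB"),
    mask=hexbytes("FFFFFFFFFFFF FFFFFFFFFFFF"),
    not_mask=hexbytes("000000000000 FFFFFFFFFFFF"),
)

# Same filter, but the last destination octet is a don't-care (mask bits 0).
DONT_CARE_FILTER = dict(SLIDE_FILTER,
                        mask=hexbytes("FFFFFFFFFF00 FFFFFFFFFFFF"))


def frame(dst, src, payload=b"\x08\x00" + b"\x00" * 46):
    """Constructed Ethernet frame: destination, source, then filler payload."""
    return hexbytes(dst) + hexbytes(src) + payload


if __name__ == "__main__":
    samples = {
        "dst A5, src 11": frame("0000000000A5", "000000000011"),
        "dst A5, src BB": frame("0000000000A5", "0000000000BB"),
        "dst A6, src 11": frame("0000000000A6", "000000000011"),
        "8-byte runt": hexbytes("0000000000A5 0000"),
    }
    for label, pkt in samples.items():
        verdict = failed_test(pkt, **SLIDE_FILTER)
        print(label, "->", "pass" if verdict is None else f"fails TEST{verdict}")
```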


Filter status

  Bit#   Error
  0      Packet is longer than 1,518 octets
  1      Packet is shorter than 64 octets
  2      Packet experienced a CRC or alignment error

• Ex. An Ethernet fragment would have the status value of 6 (2^1 + 2^2)


Channel definition (1)

• A channel is defined by a set of filters

• The way in which filters are combined to determine whether a packet is accepted depends on the value of channelAcceptType
– acceptMatched(1)
– acceptFailed(2)


Channel definition (2)

• If we define a pass as a logical 1 and a fail as a logical 0
– The data filter and the status filter must both be passed (AND logic)
– The overall result for a channel is the OR of all the filters (at least one of the filters is passed)


• Fig 9.5


Channel operation (1)

• If the packet is accepted
– The counter channelMatches is incremented

• Several controls are associated with the channel

• channelDataControl – determines whether the channel is on or off; if off, no event is generated and no packet is captured

• channelEventStatus – indicates whether the channel is enabled to generate an event when a packet is matched

• channelEventIndex – specifies an associated event


Channel operation (2)

• If channelDataControl is on, then an event will be generated if two conditions are met
1 an event is defined for this channel in channelEventIndex, and
2 channelEventStatus has the value eventReady or eventAlwaysReady
– If the event status is eventReady, then each time an event is generated the event status is changed to eventFired (this controls the flow of events from a channel to a management station)
– If flow control is not a concern, the event status may be set to eventAlwaysReady
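
How channelAcceptType, channelDataControl and channelEventStatus interact, as an added Python example (not code from the slides or from an RMON implementation). The class, its attribute names and the packet data are constructed; each packet carries one precomputed (data filter passed, status filter passed) pair per associated filter, and a channelEventIndex of 0 is taken here to mean that no event is defined.

```python
"""RMON channel acceptance and event flow control (illustrative model)."""

ACCEPT_MATCHED, ACCEPT_FAILED = 1, 2                     # channelAcceptType
EVENT_READY, EVENT_FIRED, EVENT_ALWAYS_READY = 1, 2, 3   # channelEventStatus


class Channel:
    def __init__(self, accept_type=ACCEPT_MATCHED, data_control_on=True,
                 event_index=0, event_status=EVENT_READY):
        self.accept_type = accept_type
        self.data_control_on = data_control_on   # channelDataControl
        self.event_index = event_index           # channelEventIndex
        self.event_status = event_status
        self.matches = 0                         # channelMatches
        self.events = []                         # (event_index, packet_id)

    def accepts(self, filter_results):
        """filter_results: (data_pass, status_pass) for each associated filter."""
        # A filter passes only if its data AND status tests both pass;
        # the channel result is the OR over all of its filters.
        any_filter_passed = any(d and s for d, s in filter_results)
        if self.accept_type == ACCEPT_MATCHED:
            return any_filter_passed
        # acceptFailed: the packet must fail every associated filter.
        return not any_filter_passed

    def observe(self, packet_id, filter_results):
        """Process one packet; return True if the channel accepted it."""
        if not self.accepts(filter_results):
            return False
        # Counted regardless of channelDataControl, which gates events and
        # capture only (RFC 2819 describes channelMatches this way).
        self.matches += 1
        if (self.data_control_on and self.event_index != 0 and
                self.event_status in (EVENT_READY, EVENT_ALWAYS_READY)):
            self.events.append((self.event_index, packet_id))
            if self.event_status == EVENT_READY:
                # One event, then silence until the management station
                # sets the status back to eventReady.
                self.event_status = EVENT_FIRED
        return True


# Constructed input: three packets checked against a channel with two filters.
SAMPLE = [
    ("p1", [(True, True), (False, True)]),    # filter 1 passes completely
    ("p2", [(True, False), (False, False)]),  # no filter passes completely
    ("p3", [(False, False), (True, True)]),   # filter 2 passes completely
]


def run(channel, packets=SAMPLE):
    """Feed packets to a channel and return the ids it accepted."""
    return [pid for pid, results in packets if channel.observe(pid, results)]


if __name__ == "__main__":
    ready = Channel(event_index=7)
    print(run(ready), ready.matches, ready.events, ready.event_status)
    always = Channel(event_index=7, event_status=EVENT_ALWAYS_READY)
    print(run(always), always.events)
```

With eventReady the two accepted packets yield a single event, while eventAlwaysReady yields one event per accepted packet.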


Filter group (1)

• Consists of 2 control tables
– filterTable defines the associated filters
– channelTable defines a unique channel

• channelIfIndex – identifies the monitor interface to which the associated filters are applied to allow data into this channel


• Fig 9.7


Filter group (2)

• channelAcceptType – controls the action of the filters associated with this channel.
– acceptMatched(1): packets will be accepted to this channel if they pass both the packet data match and the packet status match of at least one of the associated filters
– acceptFailed(2): packets will be accepted to this channel if they fail either the packet data match or the packet status match of every associated filter


Filter group (3)

• channelDataControl
– on(1): the data, status and events will flow through this channel
– off(2): the data, status and events will not flow through this channel

• channelEventStatus: the event status of this channel
– If the channel is configured to generate events when packets are matched


Filter group (4)

– eventReady(1): a single event will be generated for a packet match
– eventFired(2): no events are generated
– eventAlwaysReady(3): every packet match generates an event

• channelMatches: a counter that records the number of packet matches

• channelDescription: a text description of the channel
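
The channel rules from the filter-group slides above, modeled in Python as an added example (not code from the slides or from any RMON implementation). Filters are reduced to hypothetical predicate functions over constructed packets; counting matches while the channel is off follows the channelMatches definition in RFC 2819.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List

class AcceptType(IntEnum):
    ACCEPT_MATCHED = 1   # accept when at least one filter passes
    ACCEPT_FAILED = 2    # accept when every filter fails

class DataControl(IntEnum):
    ON = 1
    OFF = 2

class EventStatus(IntEnum):
    EVENT_READY = 1
    EVENT_FIRED = 2
    EVENT_ALWAYS_READY = 3

@dataclass
class Channel:
    filters: List[Callable[[dict], bool]]   # each returns True when data AND status match
    accept_type: AcceptType = AcceptType.ACCEPT_MATCHED
    data_control: DataControl = DataControl.ON
    event_status: EventStatus = EventStatus.EVENT_READY
    event_index: int = 0                    # channelEventIndex; 0 means no event associated
    matches: int = 0                        # channelMatches

    def accepts(self, pkt: dict) -> bool:
        passed = any(f(pkt) for f in self.filters)
        return passed if self.accept_type is AcceptType.ACCEPT_MATCHED else not passed

    def process(self, pkt: dict):
        """Return (data_flows, event_generated) for one packet."""
        if not self.accepts(pkt):
            return (False, False)
        self.matches += 1                   # counted even while the channel is off
        if self.data_control is DataControl.OFF:
            return (False, False)
        fire = self.event_index != 0 and self.event_status in (
            EventStatus.EVENT_READY, EventStatus.EVENT_ALWAYS_READY)
        if fire and self.event_status is EventStatus.EVENT_READY:
            self.event_status = EventStatus.EVENT_FIRED   # silent until a manager re-arms it
        return (True, fire)

# Constructed sample traffic: three ARP frames and one IPv4 frame.
PACKETS = [{"ethertype": 0x0806}, {"ethertype": 0x0806},
           {"ethertype": 0x0800}, {"ethertype": 0x0806}]
is_arp = lambda pkt: pkt["ethertype"] == 0x0806

def run(channel: Channel):
    return [channel.process(p) for p in PACKETS]
```

With eventReady the channel raises one event and then stays in eventFired, so a burst of matching packets cannot flood the management station; eventAlwaysReady removes that throttle.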


Packet Capture Group (1)

• It is used to set up a buffering scheme for capturing packets from one of the channels in the filter group

• bufferControlTable – defines one buffer that is used to capture and store packets from one channel

• captureBufferTable – the buffered data


bufferControlTable (1)

• bufferControlFullStatus
– spaceAvailable(1): the buffer has room to accept new packets
– full(2): the behaviour depends on the value of bufferControlFullAction

• bufferControlFullAction
– lockWhenFull(1): accept no more packets when the buffer is full
– wrapWhenFull(2): act as a circular buffer, deleting the oldest packets


bufferControlTable (2)

• bufferControlCaptureSliceSize – The maximum number of octets of each packet that will be saved in this capture buffer.
– If a 1500-octet packet is received by the probe and this object is set to 500, then only 500 octets of the packet will be stored
– If this variable is set to 0, the capture buffer will save as many octets as is possible.
– Default is 100


bufferControlTable (3)

• bufferControlDownloadSliceSize – The maximum number of octets of each packet in this capture buffer that will be returned in a single SNMP retrieval of that packet.

• bufferControlDownloadOffset – the offset of the first octet of each packet in this buffer that will be returned in a single SNMP retrieval of that packet

• bufferControlCapturedPackets: the number of packets currently in this buffer
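
An added sketch (not from the slides or from any probe's code) of how bufferControlFullAction, bufferControlCaptureSliceSize and the two download objects interact. It assumes only stored packet octets count against the buffer size; the `CaptureBuffer` class, its parameter names and the sample values are hypothetical.

```python
from collections import deque

LOCK_WHEN_FULL, WRAP_WHEN_FULL = 1, 2   # bufferControlFullAction
SPACE_AVAILABLE, FULL = 1, 2            # bufferControlFullStatus

class CaptureBuffer:
    """Simplified model: only stored packet octets count against the buffer size."""

    def __init__(self, max_octets, full_action=LOCK_WHEN_FULL, capture_slice=100,
                 download_slice=100, download_offset=0):
        self.max_octets = max_octets            # buffer size in octets
        self.full_action = full_action
        self.capture_slice = capture_slice      # 0 = keep as many octets as possible
        self.download_slice = download_slice    # value chosen for this sketch
        self.download_offset = download_offset  # value chosen for this sketch
        self.full_status = SPACE_AVAILABLE
        self.entries = deque()                  # oldest packet on the left
        self.used = 0

    @property
    def captured_packets(self):                 # bufferControlCapturedPackets
        return len(self.entries)

    def capture(self, packet: bytes) -> bool:
        """Store one packet from the channel; return False if it was dropped."""
        data = packet if self.capture_slice == 0 else packet[:self.capture_slice]
        while self.used + len(data) > self.max_octets:
            self.full_status = FULL
            if self.full_action == LOCK_WHEN_FULL or not self.entries:
                return False                    # locked, or packet larger than the buffer
            self.used -= len(self.entries.popleft())   # wrap: delete the oldest packet
        self.entries.append(data)
        self.used += len(data)
        return True

    def download(self, index: int) -> bytes:
        """Octets of one stored packet returned by a single retrieval."""
        start = self.download_offset
        return self.entries[index][start:start + self.download_slice]

# Constructed 1500-octet packet, matching the slide's slice-size example.
PACKET = bytes(i % 256 for i in range(1500))

def fill(full_action, count=3):
    buf = CaptureBuffer(1000, full_action, capture_slice=500,
                        download_slice=64, download_offset=14)
    results = [buf.capture(PACKET) for _ in range(count)]
    return buf, results
```

A small capture slice keeps protocol headers while limiting how much payload is retained on the probe, which matters because the captured octets are readable over SNMP.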


bufferControlTable (4)

• bufferControlMaxOctetsRequested – the requested buffer size in octets
– The value of -1 requests that the buffer be as large as possible

• bufferControlMaxOctetsGranted – the actual buffer size in octets

• bufferControlCapturedPackets – the number of packets currently in this buffer

• bufferControlTurnOnTime – the value of sysUpTime when this buffer was first turned on


Event group

• An event is triggered by a condition located elsewhere in the MIB
– Alarm from risingThreshold (alarm group)

• An event can trigger an action defined elsewhere in the MIB
– Trigger turning a channel ON or OFF (filter group)

• 2 tables – eventTable and logTable


• Fig 9.10


eventTable & logTable

• eventType: none(1) log(2) snmp-trap(3) log-and-trap(4)
– log: an entry will be made in the log table
– snmp-trap: an SNMP trap is sent to one or more management stations

• eventCommunity: specifies the community of management stations to receive the trap

• logTime: time when this log entry was created

• logDescription: description


Practical issues

• Packet capture overload
– With RMON there is a very real danger of overloading the monitor
– Some tests resulted in bad performance

• Network inventory
– RMON is useful for this purpose

• Hardware platform
– Dedicated or non-dedicated host

• Interoperability
– Unreliable in a multivendor environment


RMON probe performance

• Fig 9.11


Security Consideration

• Restrict SNMP access to the probe.
– Some statistical data are sensitive

• Restrict SNMP access to some functions
– Capturing packets

• Should not be used with SNMPv1 (not secure)
– It is recommended that the implementors consider the security features as provided by the SNMPv3 framework.