RMON
The Remote Network MONitoring (RMON) MIB was developed by the IETF to support monitoring and protocol analysis of LANs. The original version (sometimes referred to as RMON1) focused on OSI Layer 1 and Layer 2 information in Ethernet and Token Ring networks. It has been extended by RMON2, which adds support for Network- and Application-layer monitoring, and by SMON, which adds support for switched networks. It is an industry standard specification that provides much of the functionality offered by proprietary network analyzers. RMON agents are built into many high-end switches and routers.
Overview
An RMON implementation typically operates in a client/server model. Monitoring devices (commonly called "probes" in this context) contain RMON software agents that collect information and analyze packets. These probes act as servers and the Network Management applications that communicate with them act as clients. While both agent configuration and data collection use SNMP, RMON is designed to operate differently than other SNMP-based systems:
- Probes have more responsibility for data collection and processing, which reduces SNMP traffic and the processing load of the clients.
- Information is only transmitted to the management application when required, instead of continuous polling.
In short, RMON is designed for "flow-based" monitoring, while SNMP is often used for "device-based" management. RMON is similar to other flow-based monitoring technologies such as NetFlow and sFlow because the data collected deals mainly with traffic patterns rather than the status of individual devices. One disadvantage of this system is that remote devices shoulder more of the management burden, and require more resources to do so. Some devices balance this trade-off by implementing only a subset of the RMON MIB groups (see below). A minimal RMON agent implementation could support only statistics, history, alarm, and event.
The RMON1 MIB consists of ten groups:
- Statistics: real-time LAN statistics e.g. utilization, collisions, CRC errors
- History: history of selected statistics
- Alarm: definitions for RMON SNMP traps to be sent when statistics exceed defined thresholds
- Hosts: host specific LAN statistics e.g. bytes sent/received, frames sent/received
- Hosts top N: record of N most active connections over a given time period
- Matrix: the sent-received traffic matrix between systems
- Filter: defines packet data patterns of interest e.g. MAC address or TCP port
- Capture: collect and forward packets matching the Filter
- Event: send alerts (SNMP traps) for the Alarm group
- Token Ring: extensions specific to Token Ring
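The Alarm and Event groups are what let a probe report only when required instead of being polled continuously. The following is an added example, not code from the RMON specifications or any vendor agent: it goes beyond the summary above by modelling the rising/falling threshold hysteresis that RFC 2819 defines for delta-sampled alarms. The function names, thresholds and counter samples are constructed for illustration, and it assumes the first sample may raise either kind of event.

```python
"""Probe-side RMON alarm evaluation on a delta-sampled counter (simplified)."""

COUNTER32_MOD = 2 ** 32  # an SNMP Counter32 wraps at 2^32


def deltas(counters):
    """Per-interval increase of a Counter32, tolerating one wrap per interval."""
    return [(cur - prev) % COUNTER32_MOD for prev, cur in zip(counters, counters[1:])]


def evaluate_alarm(counters, rising, falling):
    """Return the (interval, kind, delta) events the probe would report.

    Hysteresis: after a rising event, no further rising event fires until
    the value has dropped to the falling threshold, and vice versa.
    Assumption: the first sample may raise either kind of event.
    """
    events = []
    last_kind = None
    for i, delta in enumerate(deltas(counters), start=1):
        if delta >= rising and last_kind != "rising":
            kind = "rising"
        elif delta <= falling and last_kind != "falling":
            kind = "falling"
        else:
            continue  # no threshold crossed: the probe stays silent
        last_kind = kind
        events.append((i, kind, delta))
    return events


# Constructed samples of a broadcast-packet counter, one read per interval.
# A broadcast storm starts in interval 3, dips without clearing, then ends;
# the counter wraps past 2^32 while the storm is in progress.
SAMPLE_COUNTERS = [
    4294960000, 4294960200, 4294960450,  # quiet: deltas 200, 250
    4294966450,                          # delta 6000: rising event
    3154,                                # wrapped, delta 4000: still in storm
    11154,                               # delta 8000: no second rising event
    11304, 11504,                        # delta 150: falling event, then 200
]

if __name__ == "__main__":
    events = evaluate_alarm(SAMPLE_COUNTERS, rising=5000, falling=300)
    for interval, kind, delta in events:
        print(f"interval {interval}: {kind} alarm, delta={delta}")
    print(f"{len(events)} notifications vs {len(SAMPLE_COUNTERS)} polled reads")
```

The dip to 4000 in interval 4 does not re-arm the rising alarm, so the manager receives one notification per storm rather than one per noisy sample.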
The RMON2 MIB adds ten more groups:
- Protocol Directory: list of protocols the probe can monitor
- Protocol Distribution: traffic statistics for each protocol
- Address Map: maps network-layer (IP) to MAC-layer addresses
- Network-Layer Host: layer 3 traffic statistics, per host
- Network-Layer Matrix: layer 3 traffic statistics, per source/destination pairs of hosts
- Application-Layer Host: traffic statistics by application protocol, per host
- Application-Layer Matrix: traffic statistics by application protocol, per source/destination pairs of hosts
- User History: periodic samples of user-specified variables
- Probe Configuration: remote configuration of probes
- RMON Conformance: requirements for RMON2 MIB conformance
Important RFCs
- RMON1: RFC 2819 - Remote Network Monitoring Management Information Base
- RMON2: RFC 2021 - Remote Network Monitoring Management Information Base Version 2 using SMIv2
- SMON: RFC 2613 - Remote Network Monitoring MIB Extensions for Switched Networks
- Overview: RFC 3577 - Introduction to the RMON Family of MIB Modules
See also
- SNMP (Simple Network Management Protocol)
- MIB (Management information base)
- Network performance management
- Network tap
- NetFlow
- sFlow