Remote network monitoring

Remote Network Monitoring
Speaker: Yousef Emami
December 22th,2013
Yousef.emami@ieee.org
30 March 2016 Shiraz University of Technology,CE&IT Faculty,Network Management 1

Agenda
 RMON: Remote Network Monitoring
 RMON1
 RMON1 groups
 The RMON1 MIB
 Brief Notes
 Capabilities of RMON1
 How Does RMON2 Work?
 Mission
 Diagram of the RMON2 MIB
 The RMON2 MIB
 Capabilities of RMON2
 Salient Feature
 RMON Components
 RMON Probe
 RMON Support in Ethernet switches
 NAM Traffic Analyzer
 Case Study
 RMON 2 in catalyst 5000
 HC RMON
 ATM RMON
 Monitor Gigabit Communication from the Edge to the Core
 SMON
 LoriotPro
 Reference
30 March 2016 Shiraz University of Technology,CE&IT Faculty,Network Management
2

RMON: Remote Network Monitoring
 The most important addition to the basic set of SNMP standards is the
RMON (Remote Network MONitoring) standard, RFC 1271.
 RMON is a major step forward in internetwork management.
 It defines a remote-monitoring MIB that supplements MIB-II and provides
the network manager with vital information about the internetwork.
 RMON1 focused on OSI Layer 1 and Layer 2 information in Ethernet and
Token Ring networks. It has been extended by RMON2 which adds support
for Network-and Application-layer monitoring and by SMON (Oracle
System MONitor) which adds support for switched networks.

RMON1
With the RMON1 MIB, network managers can collect information from re-mote
network segments for the purposes of troubleshooting and performance
Monitoring.
The RMON1 MIB provides:
 Current and historical traffic statistics for a network segment, for a
specific host on a segment, and between hosts (matrix).
 A versatile alarm and event mechanism for setting thresholds and noti-fying the
network manager of changes in network behavior.
 A powerful, flexible filter and packet capture facility that can be used
to deliver a complete, distributed protocol analyzer.

RMON1 groups

The RMON1 MIB :
1.Statistics: real-time LAN statistics, e.g., utilization, collisions, CRC errors.
2. History: history of selected statistics.
3. Alarm: definitions for RMON SNMP traps to be sent when statistics exceed defined thresholds.
4. Hosts: host specific LAN statistics, e.g., bytes sent/received, frames sent/received.
5. Hosts top N: record of N most active connections over a given time period.
6. Matrix: the sent-received traffic matrix between systems.
7. Filter: defines packet data patterns of interest, e.g., MAC address or TCP port.
8. Capture: collect and forward packets matching the Filter.
9. Event: send alerts (SNMP traps) for the Alarm group.
10. Token Ring: extensions specific to Token Ring.

Brief Notes
 An RMON implementation typically operates in a client/server model.
 Monitoring devices (commonly called “probes” in this context) contain RMON
software agents that collect information and analyze packets. These probes act as
servers and the Network Management applications that com-municate with them
act as clients.
 Probes have more responsibility for data collection and processing, which
reduces SNMP traffic and the processing load of the clients.
 Information is only transmitted to the management application when re-quired,
instead of continuous polling.

Brief Notes
 RMON is designed for “flow-based” monitoring, while SNMP
is often used for “device-based” management.
 RMON is similar to other flow-based monitoring technologies such as
NetFlow and SFlow because the data collected deals mainly with traffic
patterns rather than the status of individual devices.
 One disadvantage of this system is that remote devices shoulder more of
the management burden and require more resources to do so. Some devices
balance this trade-off by implementing only a subset of the RMON MIB
groups (see below). A minimal RMON agent implementation could
support only statistics, history, alarm, and event.

Capabilities of RMON1
 Without leaving the office, a network manager can watch the traffic on
a LAN segment, whether that segment is physically located around the
corner or around the world.
 Deploying network management staff resources more efficiently means
that one expert at a central site can be working on several problems by
getting information from several probes at remote sites.
 Network managers desperately need tools that can leverage their re-sources
and increase their scope of control. RMON1 does just that.

How Does RMON2 Work?
 RMON2 follows client/server model
 Applications communicating to the "server" agents using the Simple
Network Management Protocol (SNMP).
 RMON2 agents will be found in dedicated devices and/or embedded in
network infrastructure devices.
 With the increased volume of traffic statistics being collected by RMON2,
the processor power and memory of the agent will be very important
considerations.

Remote Monitoring in the ISO Model Going Up-the-stack With RMON2

Mission

Diagram of the RMON2 MIB
30 March 2016
Shiraz University of Technology,CE&IT Faculty,Network Management
13

The RMON2 MIB
1. Protocol Directory: list of protocols the probe can monitor.
2. Protocol Distribution: traffic statistics for each protocol.
3. Address Map: maps network-layer (IP) to MAC-layer addresses.
4. Network-Layer Host: layer 3 traffic statistics, per each host.
5. Network-Layer Matrix: layer 3 traffic statistics, per source/destination
pairs of hosts
6. Application-Layer Host: traffic statistics by application protocol, per host.
7. Application-Layer Matrix: traffic statistics by application protocol, per
source/destination pairs of hosts.
8. User History: periodic samples of user-specified variables.
9. Probe Configuration: remote config of probes.
10. RMON Conformance: requirements for RMON2 MIB conformance

LoriotPro Source Destination Matrix

Capabilities of RMON2
 Higher Layer Statistics
 Address Translation
 User-Defined History
 Improved Filtering
 Probe Configuration

Salient Feature
 The TimeFilter mechanism allows an NMS to reduce the number
transactions required for a 'table-update' operation, by retrieving only the
rows that have changed since a specified time (usually the last poll time).
 No direct way in SNMP, but RMON2 has a mechanism
 Value Added Data

RMON Components
18
 RMON Probe
Data gatherer :A physical device
 RMON Probe are built into many high-end switches and routers.
 Data analyzer
Processor that analyzes data
Figure 4:RMON Components

RMON Probes
 The RMON probe also called RMON agent is a dedicated device
including hardware or software or it can be software embedded into
a network device like a router or a switch.
 RMON probe can also be software running on a standard operating
system like Windows or Linux. The application and the agent
communicate across the network using the Simple Network
Management Protocol (SNMP).

RMON support in the switch
The RMON probe functions may be present (embedded) in the network
switches (Ethernet) and provide partial or full support of some RMON
groups.
30 March 2016
Shiraz University of Technology,CE&IT Faculty,Network Management
20

Port Mirroing
Port mirroring is used on a network switch to send a copy of all
network packets seen on one switch port (or an entire VLAN) to
a network monitoring connection on another switch port.

In-line taps
In-line taps are inserted directly into network link (copper wire or fiber).
They split or copy the signals from both channels (full duplex) and retransmit
the data streams hack out to the probe.
30 March 2016
Shiraz University of Technology,CE&IT
Faculty,Network Management
22

RMON Support in Ethernet switches

NAM Traffic Analyzer
 The Network Analysis Module (NAM) is an interface card installed in
the Catalyst 6000 and 6500 Series switches and Cisco 3660, 3700
Series, 2800 and 3800 Series routers, and select models of the 2600. The
NAM monitors and analyzes network traffic using remote monitoring
(RMON), RMON Extensions for Switched Networks (SMON), and
other management information bases (MIBs).
 The NAM Traffic Analyzer is software that is embedded in the NAM
that gives you browser-based access to the RMON1, RMON2, SMON,
and voice monitoring features of the NAM.

Case Study
 Catalyst 5000 Family Network Analysis Module
 Fully Integrated RMON/RMON2
 The network analysis module is completely integrated into the Catalyst
5000 Family switch and shares the switch’s management IP address
and Simple Network Management Protocol (SNMP) community
strings for seamless access between mini-RMON and the extended
RMON/RMON2 groups on the network analysis module.
 No external data cables, power cords, or console connections are
required. The network analysis module consumes a single slot and can
be installed into any Catalyst 5000, 5500,5505, or 5509 chassis running
Supervisor Engine software release 4.3 or higher

RMON 2 in catalyst 5000

High-Capacity RMON
The HCRMON system provides:
 A direct, passive link into the data stream, offering an independent,
proven, and trusted view of network traffic.
 Full adherence to all 21 RMON groups, including HCRMON for complete
data collection.
 Compatibility to any RMON management console or collection facility

ATM RMON
 ATM Forum extended RMON to ATM
 ATM RMON provides cell-based (per-host and per-conversation) traffic information.
 ATM devices require cell-based measurements and statistics.
 Probe should be able to handle high speed

Monitor Gigabit Communication from the Edge to the Core

RMON Extensions for Switched Networks (SMON)
 SMON is a plug-in for hosts ,operating systems and hardware.
 The System Monitoring Plug-in for Hosts for Operating System and
Hardware delivers comprehensive monitoring, administration and
configuration management capabilities for Windows, Linux and Unix
servers, significantly reducing the complexity and cost associated with
managing operating system environments.

LoriotPro RMON
Group Description
Protocol Directory
Lists the inventory of protocols that the probe can
monitor
Protocol Distribution
Collects the number of octets and packets for
protocols detected on a network segment
Network Layer Host
Counts the amount of traffic sent from and to each
network address discovered by the probe
Network Layer Matrix
Counts the amount of traffic sent between each pair
of network addresses discovered by the probe
Application Layer Host
Counts the amount of traffic, by protocol, sent from
and to each network address discovered by the probe
Application Layer Matrix
Counts the amount of traffic, by protocol, sent
between each pair of network addresses discovered
by the probe
User History
Periodically samples user-specified variables and logs
the data based on user-defined parameters
Probe Configuration
Defines standard configuration parameters for RMON
probes
Address Map

Thank you for your kind attention
?

Reference
[1] Jianguo Ding ,”Advances in Network Management”, Auerbach
Publications,2013
[2] Remote Monitoring 2, http://tools.ietf.org/html/draft-ietf-rmonmib-rmon2-v2-
05,2013
[3] Catalyst 5000 Family Network Analysis Module
http://www.cisco.com/en/US/products/hw/switches/ps679/products_data_sheet09186a008072ad96.html,
2013
[4] User Guide for Cisco Network Analysis Module Traffic Analyzer,
http://www.cisco.com/en/US/docs/net_mgmt/network_analysis_module_software/3.6/user/guide/users.html,2013
[5] SMON ,http://docs.oracle.com/cd/B16240_01/doc/nav/plugins.html,2103
[6] Remote Monitoring MIB Extensions for ATM Networks, http://www.broadband-forum.org/,2013
[7] RMON GUI - Remote network MONitoring Administrator handbook http://www.loriotpro.com/Products/RMON_GUI/225-
RMON_Probes_EN.html,2013
[8] Gigabit Network Analysis , www.networkinstruments.co.uk,2013
34

Remote network monitoring

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Remote network monitoring (20)

More from yousef emami (12)

Recently uploaded (20)

Remote network monitoring