Understanding RMON

Background

The Simple Network Management Protocol (SNMP) is a widely used network management protocol that collects network communication statistics using agent software embedded in managed devices. The management software obtains network management data by sending query signals to the Agent Management Information Base (MIB) in polling mode. Although the MIB counter records data statistics, it cannot analyze data historically. The NMS software continuously queries the managed devices for data in polling mode, which is then used to build an overall picture of network traffic and traffic changes, in order to analyze overall network status.

Two obvious shortcomings of SNMP polling are as follows:

• SNMP occupies significant network resources. In polling, abundant packets are generated on large-size networks, which will cause network congestion or blocking. Therefore, SNMP is not applicable to manage large-size networks or reclaim abundant data, such as the routing table.
• SNMP increases the burden on the network administrator. When polling, the network administrator must manually collect information using the NMS software. If the administrator must monitor more than three network segments, the workload will be unmanageable.

To provide more valuable management information, lighten the NMS workload, and allow the network administrator to monitor multiple network segments, the Internet Engineering Task Force (IETF) developed RMON for monitoring data traffic on a network segment or across an entire network.

• By building on the SNMP architecture, RMON consists of two parts, the NMS and the Agent located on each device. Since RMON is not an entirely new protocol, an SNMP NMS can be used as an RMON NMS, and the administrator does not need to learn a new technology, making RMON easier to implement.
• When an abnormality occurs on the monitored object, the RMON agent uses the SNMP trap packet transmission mechanism to send trap messages to the NMS. The SNMP trap function is usually used to notify the managed device whether a function is running properly and the interface status changes. Therefore, objects monitored, triggering conditions, and information reported differ between RMON and SNMP.
• RMON enables SNMP to monitor remote network devices more efficiently and proactively. Using RMON, managed devices automatically send trap messages when a specific monitored value exceeds the alarm threshold. Therefore, managing devices do not need to obtain MIB variables by continuous polling and comparison. This implementation reduces traffic volume between the managing and managed devices, and allows large-size networks to be more easily and effectively managed.

Related Concepts

• NMS: A workstation that runs the network management software.
• MIB: A specification that defines and organizes a collection of managed objects.
• RMON Agent: A remote monitoring process embedded in managed devices.
• Polling: The NMS queries managed devices by sending SNMP packets.
• RMON MIB: The network management medium of RMON. RMON Agent is embedded in monitored devices that collect data and control the system within a network segment, as defined by the MIB. The NMS obtains the management information from the RMON Agent and controls the network resources. RMON MIB provides data link layer monitoring and diagnosis of device faults. To more easily and effectively monitor network activities, Huawei has implemented four of the nine groups defined in standard RMON MIB specifications, which are the statistics group, the history group, the event group, and the alarm group.

Functions

Statistics function

Ethernet statistics (corresponding to the statistics group in RMON MIB): The system collects the basic statistics of monitored networks. The system continuously collects statistics of traffic and various packets distribution on a network segment, or the number of various error frames and collisions. The statistics include network collisions, CRC error packets, the number of oversize or undersize packets, the number of broadcast or multicast packets, and the number of received bytes or packets.

Historical sampling function (corresponding to the history group in RMON MIB): The system periodically samples network statuses and stores the information for later queries. The system also periodically samples port traffic data, specifically bandwidth usage, the number of error packets, and the number of total packets.

Alarm function

The function to process an event as recording a log or sending trap messages (corresponding to the event group in RMON MIB): The event group controls the events and prompts, and provides all the events generated by the RMON Agent. A log is generated or trap messages are sent to the NMS for notifying an occurred event.

Alarm threshold (corresponding to the alarm group in RMON MIB): The system monitors the objects of a specific alarm type, and a sampled value can be either an absolute value or a difference in values. Once an alarm's upper and lower thresholds are defined, the system will sample at a pre-defined interval. Sampled values above the upper threshold trigger a rising alarm and sampled values below the threshold trigger a falling alarm. The NMS processes them based on the definitions of the events. RMON Agent either records the information as a log or sends trap messages to the NMS.

Benefits

RMON brings the following benefits for users:

• Expanded monitoring range: RMON MIB expands the range of network management to the data link layer to more effectively monitor networks.
• Offline operation: RMON Agent can continuously collect error, performance, and configuration data even when the administrator is not querying network statuses. RMON provides a solution for analyzing the traffic in a specific range without consuming bandwidth resources.
• Data analysis: RMON Agent analyzes the problems occurred on the networks and the consumption of network resources, providing information to diagnose faults and reducing the overall workload of the NMS.