-
Cisco IOS Network Management Configuration Guide, Release 12.4T
- Basic System Management
- System Monitoring and Logging
- Troubleshooting, Fault Management, and Logging
- Cisco IOS Scripting with Tcl
- Cisco Networking Services (CNS)
- Cisco Discovery Protocol (CDP)
-
DistributedDirector
-
End of Life of DistributedDirector
-
DistributedDirector Enhancements for Cisco IOS Release 12.1(5)T
-
DistributedDirector Configurable Cache
-
DistributedDirector Cache Auto Refresh" in Distributed Director Configuration of 12.4 NM CG
-
DistributedDirector Boomerang Support
-
DistributedDirector MIB Support
-
DNS Server Support for NS Records
-
Configuring a DRP Server Agent
-
- Embedded Event Manager (EEM)
- Embedded Menu Manager (EMM)
- Embedded Resource Manager (ERM)
- Embedded Syslog Manager (ESM)
- HTTP Services
- RMON Support
- SNMP Support
- SNMP MIBs
- TR-069 Agent
- VPN Device Manager for XSM
- Web Services Management Agent (WSMA)
- XML-PI
Table Of Contents
Configuring RMON Alarm and Event Notifications
Monitoring and Verifying RMON Configuration
Feature Information for Configuring RMON Support
Configuring RMON Support
First Published: July 27, 1999Last Updated: Feburary 27, 2009This module describes the Remote Monitoring (RMON) MIB agent specification, and how it can be used in conjunction with Simple Network Management Protocol (SNMP) to monitor traffic using alarms and events.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring RMON Support" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Configuring RMON Support
The RMON option identifies activity on individual nodes and allows you to monitor all nodes and their interaction on a LAN segment. Used in conjunction with the SNMP agent in a router, RMON allows you to view both traffic that flows through the router and segment traffic not necessarily destined for the router. Combining RMON alarms and events (classes of messages that indicate traffic violations and various unusual occurrences over a network) with existing MIBs allows you to choose where proactive monitoring will occur.
Note
Full RMON packet analysis (as described in RFC 1757) is supported only on an Ethernet interface of Cisco 2500 series routers and Cisco AS5200 series universal access servers. RMON requires that SNMP be configured (you must be running a version of SNMP on the server that contains the RMON MIB). A generic RMON console application is recommended in order to take advantage of the RMON network management capabilities. This feature supports RFCs 1757 and 2021.
RMON can be very data and processor intensive. You should measure usage effects to ensure that router performance is not degraded by RMON and to minimize excessive management traffic overhead. Native mode in RMON is less intensive than promiscuous mode.
The high-capacity (HC) Alarm MIB, which is an extension of RMON Alarm group table objects, supports polling of RMON variables up to 64 bit values.
All Cisco IOS software images ordered without the explicit RMON option include limited RMON support (RMON alarms and event groups only). Images ordered with the RMON option include support for all nine management groups (statistics, history, alarms, hosts, hostTopN, matrix, filter, capture, and event). As a security precaution, support for the capture group allows capture of packet header information only; data payloads are not captured.
In Cisco IOS 12.1, the RMON agent was rewritten to improve performance and add some new features. Table 1 highlights some of the improvements implemented.
RMON MIB features include the following:
•
•
Configuring RMON Alarm and Event Notifications
To enable RMON on an Ethernet interface, use the following command in interface configuration mode:
In native mode, RMON monitors only the packets normally received by the interface. In promiscuous mode, RMON monitors all packets on the LAN segment.
The default size of the queue that holds packets for analysis by the RMON process is 64 packets. To change the size of the queue, use the following command in global configuration mode:
To set an RMON alarm or event, use the following commands in global configuration mode, as needed:
To set an RMON high-capacity alarm, use the following command in global configuration mode:
You can set an alarm on any MIB object in the access server. To disable an alarm, you can use the no form of this command on each alarm you configure. You cannot disable all the alarms you configure at once. The delta value tests the change between MIB variables, which affects the alarmSampleType in the alarmTable of the RMON MIB. The absolute value tests each MIB variable directly, which affects the alarmSampleType in the alarmTable of the RMON MIB.
Refer to RFC 1757 to learn more about alarms and events and how they interact with each other. Refer to RFC 3434 to learn more about high-capacity alarms.
Thresholds allow you to minimize the number of notifications sent on the network. Alarms are triggered when a problem exceeds a set rising threshold value. No more alarm notifications are sent until the agent recovers, as defined by the falling threshold value. This means that notifications are not sent each time a minor failure or recovery occurs.
The RMON MIB defines two traps, the risingAlarm trap which is the rising threshold value and fallingAlarm trap which is the falling threshold value.
The HC-ALARM-MIB defines two traps, the hcRisingAlarm which provides the rising threshold value and hcFallingAlarm which provides the falling threshold value.
Configuring RMON Groups
RMON tables can be created for buffer capture, filter, hosts, and matrix information. The buffer capture table details a list of packets captured off a channel or a logical data or events stream. The filter table details a list of packet filter entries that screen packets for specified conditions as they travel between interfaces. The hosts table details a list of host entries. The matrix table details a list of traffic matrix entries indexed by source and destination MAC addresses.
To gather RMON statistics for these data types, use the following commands in interface configuration mode, as needed:
To specifically monitor these commands, use the show rmon capture, show rmon filter, show rmon hosts, and show rmon matrix EXEC commands listed in the following table.
Monitoring and Verifying RMON Configuration
To display the current RMON status, use one or more of the following commands in EXEC mode:
RMON Configuration Examples
This section provides the following examples:
Alarm and Event Example
The following example shows how to enable the rmon event global configuration command:
Router(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner owner_aThis example creates RMON event number 1, which is defined as High ifOutErrors, and generates a log entry when the event is triggered by an alarm. The user owner_a owns the row that is created in the event table by this command. This example also generates an SNMP trap when the event is triggered.
The following example shows how to configure an RMON alarm using the rmon alarm global configuration command:
Router(config)# rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner owner_aThis example configures RMON alarm number 10. The alarm monitors the MIB variable ifEntry.20.1 once every 20 seconds until the alarm is disabled, and checks the change in the rise or fall of the variable. If the ifEntry.20.1 value shows a MIB counter increase of 15 or more, such as from 100000 to 100015, the alarm is triggered. The alarm in turn triggers event number 1, which is configured with the rmon event command. Possible events include a log entry or an SNMP trap. If the ifEntry.20.1 value changes by 0, the alarm is reset and can be triggered again.
The following example shows how to configure an RMON high-capacity alarm using the rmon hc-alarms global configuration command:
Router(config)# rmon hc-alarms 2 ifInOctets.2 20 delta rising-threshold 2000 2 falling-threshold 1000 1 owner ownThis example configures RMON high-capacity alarm number 2. The alarm monitors the MIB variable ifInOctets.2 once every 20 seconds until the alarm is disabled, and checks the change in the rise or fall of the variable. If the ifInOctets.2 value shows a MIB counter increase of 2000 or more, such as from 100000 to 100015, the alarm is triggered. The alarm in turn triggers event number 2, which is configured with the rmon event command. Possible events include a log entry or a Simple Network Management Protocol (SNMP) trap. If the ifInOctets.2 value changes by 1000 (falling threshold is 1000), the alarm is reset and can be triggered again.
show rmon Command Example
To display the RMON buffer capture table and current configuration, enter the show rmon capture privileged EXEC command (Cisco 2500 series routers and Cisco AS5200 access servers only).
The following is a sample output:
Router# show rmon captureBuffer 1 is active, owned by John SmithCaptured data is from channel 1Slice size is 128, download size is 128Download offset is 0Full Status is full, full action is wrapWhenFullGranted -1 octets out of -1 requestedBuffer has been on since 18:59:48, and has captured 522 packetsCurrent capture buffer entries:Packet 3271 was captured 2018256 ms since buffer was turned onIts length is 184 octets and has a status type of 0Packet ID is 3721, and contains the following data:03 00 00 00 00 01 00 A0 CC 3C 9D DF 00 A6 F0 03Packet 3722 was captured 2018452 ms since buffer was turned onIts length is 64 octets and has a status type of 0Packet ID is 3722, and contains the following data:01 80 C2 00 00 00 00 60 09 FD FE D3 00 26 42 03To view values associated with RMON variables, enter the show rmon matrix privileged EXEC command (Cisco 2500 series routers and Cisco AS5200 access servers only). The following is a sample output:
Router# show rmon matrixMatrix 1 is active and owned byMonitors ifEntry.1.1Table size is 42, last time an entry was deleted was at 11:18:09Source addr is 0000.0c47.007b, dest addr is ffff.ffff.ffffTransmitted 2 pkts, 128 octets, 0 errorsSource addr is 0000.92a8.319e, dest addr is 0060.5c86.5b82Transmitted 2 pkts, 384 octets, 1 errorTo display the contents of the RMON HC alarm table of the router, use the show rmon hc-alarms command in privileged EXEC mode. The following is sample output:Router# show rmon hc-alarmsRouter#show rmon hc-alarmsMonitors ifInOctets.1 every 20 second(s)Taking absolute samples, last value was 0Rising threshold Low is 4096, Rising threshold Hi is 0,assigned to event 0Falling threshold Low is 1280, Falling threshold Hi is 0,assigned to event 0On startup enable rising or falling alarmCommand Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Network Management Command Reference at http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
•
•
•
•
•
•
•
•
•
•
Feature Information for Configuring RMON Support
Table 3 lists the release history for this feature and provides links to specific configuration information.
For information on a feature in this technology that is not documented here, see the Configuring RMON Features Roadmap.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 3 Feature Information for Configuring RMON Support
RMON Full
11.2
The RMON Full feature identifies activity on individual nodes and helps monitor all nodes and their interaction on a LAN segment. Used in conjunction with the SNMP agent in a router, RMON can be used to view both traffic that flows through the router and segment traffic not necessarily destined for the router.
The following sections provide information about this feature:
•
RMON Events and Alarms
11.2
Cisco IOS XE Release 2.1The RMON Events and Alarms feature introduces the ability to combine RMON alarms and events (classes of messages that indicate traffic violations and various unusual occurrences over a network) with existing MIBs allows you to choose where proactive monitoring will occur.
In Cisco IOS XE Release 2.1, this feature was introduced on Cisco ASR 1000 series routers.
The following sections provide information about this feature:
•
•
The following new commands were introduced: rmon event, rmon queuesize.
Remote Monitoring MIB Update
12.0(5)T
The RMON Rewrite feature updated the Remote Monitoring MIB to improve performance and available features.
The following sections provide information about this feature:
•
•
The following new commands were introduced: rmon capture-userdata, rmon collection history, rmon collection host, rmon collection matrix, rmon collection rmon1, show rmon capture, show rmon filter, show rmon hosts, show rmon matrix.
HC Alarm MIB
12.2(33)SXI
The HC Alarm MIB feature provides an extension to the RMON-1 Alarm group table objects which was used to support counter 32 objects for threshold capabilities. The HC Alarm MIB adds support to threshold capabilities for counter 64 objects.
The following sections provide information about this feature:
•
•
The following new commands were introduced: rmon hc-alarms, show rmon hc-alarms.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 1999-2008 Cisco Systems, Inc. All rights reserved.
