RMON

Catalyst Workgroup Switch

Customer Profile: Synopsys, Inc.

Summary

As network administrators deploy LAN switches to improve network performance, many are finding that the solution is a double-edged sword. The same switches that improve network performance also prevent network administrators from monitoring traffic across the switched LAN. This lack of network visibility makes it difficult for managers to tune workgroup network performance and could prevent them from troubleshooting problems in a switched network.

The recently announced software enhancements to the Catalyst(tm) workgroup switch make it the industry's first LAN switch to support embedded Remote Monitoring Specification (RMON) monitoring software. Cisco has partnered with Frontier Software to produce the industry's most advanced traffic analysis and troubleshooting capabilities for switched networks in this newest release (3.0) of Catalyst. With its embedded RMON software, Catalyst now provides network administrators enhanced visibility of their switched network traffic and offers them more powerful and cost-effective ways to troubleshoot and tune switched network performance.

Complementing Catalyst's enhanced monitoring capabilities is NETScout Manager, a graphical user interface (GUI)-based RMON console manager. Its powerful RMON filtering and monitoring functions help network administrators manage the complex information available from the RMON Management Information Base (MIB). A collection of tools provides extensive graphing, alarm, logging, and reporting capabilities.

Background

For years, network administrators have used network analyzers to proactively monitor network usage and troubleshoot network-related problems. To ensure accurate reading of network traffic data, the first network analyzers had to be physically attached to the target network to avoid missing important information that might be filtered by bridges or routers. To help facilitate remote monitoring and troubleshooting of network traffic, subsequent network analyzers were enhanced to relay network traffic data to centralized consoles.

Over time, the user community with the help of the Internet Engineering Task Force (IETF) defined a standard monitoring specification that allows various network monitors and console systems to exchange network monitoring data. This RMON specification defines a set of statistics and functions that can be exchanged between RMON-compliant console managers and network probes. RMON offers network administrators more freedom in selecting network monitoring probes and consoles whose features meet their particular networking needs.

RMON

RMON became a standard in 1992 as RFC 1271 (for Ethernet). The RMON specification provides network administrators with comprehensive network fault diagnosis, planning, and performance tuning information. It delivers this information in nine groups of monitoring elements, each providing specific sets of data to meet common network monitoring requirements. Each group is optional, so that vendors do not need to support all the groups within the MIB. Some RMON groups require the support of other RMON groups to function properly. (See the appendix later in this document for a description and explanation of the RMON MIB.)

A basic RMON system can provide such data as:

Information enabling administrators to perform analysis of network utilization, including data and error statistics
Historical information for network trend and statistical analysis
Matrix information describing communications between systems and the quantity of data exchanged

Most RMON providers implement enough of the RMON specification (usually the first seven groups) to support these data link and traffic flow analysis functions.

A fully instrumented RMON probe offers additional packet capture capabilities that allow it to be used as a data collection mechanism for more extensive network analysis and accounting applications. RMON groups eight and nine deliver the information needed to support sophisticated protocol analyzer and network accounting functions such as:

Packet traps to provide network alarms
Packet capture for network traffic decoding and analysis
Source data to support network accounting/billing applications

RMON Switches Deliver Powerful, Economical Management

Although LAN switching is being embraced as a cost-effective means of improving network performance, it has also brought its own set of management problems to network administrators. Since most LAN switches behave like bridges or routers, network managers must reassess the way they monitor the traffic on a LAN. Using conventional methods, a network administrator would be forced to deploy a network analyzer to each switched LAN segment to maintain the same coverage obtained from one LAN analyzer on a shared network.

As seen in the following diagram, as switch usage grows, the cost of maintaining the same level of network visibility can also grow at a geometric pace.

WP_RMON_fig1

For this reason switch vendors are offering different methods of simultaneously providing full network traffic visibility and minimizing cost. One approach is to copy traffic from a selected segment of the LAN switch to a port attached to a network analyzer. This port-monitoring function helps recoup visibility within a switched network but has a few drawbacks. First, the remote monitor may not accurately collect certain data-link statistics (errors, giants, and runts for example) because the switch may filter these events before they are passed to the network analyzer. Another drawback is that the remote monitoring tool can still monitor only one LAN segment at a time. This could create difficulties for a network administrator who is trying to diagnose a problem that spans multiple segments of the LAN switch.

Cisco offers a unique solution by integrating monitoring functions into its LAN switching platform. Because of the Catalyst switch's multiprocessor design (one processor dedicated exclusively for management), it can simultaneously perform as both a LAN switch and a multisegment RMON network probe.

To provide both network monitoring and switching performance optimally, Catalyst can be configured to collect network traffic data in two ways. In standard RMON mode, Catalyst can collect and forward comprehensive network traffic information from multiple Ethernet segments simultaneously. This allows the network administrator to obtain all the information necessary to help tune or troubleshoot a switched LAN. The benefit of concurrently collecting multiple traffic feeds is obvious for network administrators who attach workgroup servers to dedicated Ethernet segments to improve network performance. If network administrators need to troubleshoot client/server applications, the task is greatly simplified through Catalyst's ability to simultaneously record traffic from both the server's and the client's segments.

Catalyst supports a secondary monitoring mode that provides more focused coverage across all of its eight switched Ethernet segments. Called "Roving RMON," this mode allows the network administrator to monitor either of two RMON groups across all eight Catalyst Ethernet segments. Roving RMON can be used to collect historical network traffic data (like total switched data including packets, octets, and errors) per port or even per station. The network manager can use this data for various tasks such as capacity planning analysis or network accounting and billing.

Catalyst's Roving RMON also has a unique, user-definable trap feature that lets it reconfigure itself in case it detects specific network events. Network administrators can preconfigure the Catalyst to look out for potentially threatening conditions such as excessive collisions, corrupted packets, or even excessive traffic from a specific station. If the switch detects one of these predefined conditions, it sends an alert (trap) to the network management console and simultaneously initializes a fully configured RMON probe to monitor traffic on the offending network segment. With this function, network administrators can detect and collect troubleshooting data automatically, thereby extending their management capability while also helping to recognize and rectify network problems before they affect users.

Providing a User-Friendly Interface to RMON

The usefulness of a comprehensive switching and monitoring platform is only as valuable as the accessibility of the information available to the network administrator. The ability to centrally configure, control, and manage these RMON agents with an easy-to-use, GUI-based console becomes a necessity as more RMON-capable systems are deployed throughout the network. Leveraging configuration and monitoring functions with semi-automated network traffic recording, configurable alarms, and accounting functions further simplifies network administrators' duties while improving their ability to maintain reliable, trouble-free networks. The following section describes some of the features needed in an RMON GUI.

RMON Statistics That Are Easy to Use and Understand

The console monitor should present RMON data in a format that is easy to view and understand. The network administrator should be able to create customizable "views" of the RMON traffic information coming from specific segments attached to the network analyzer. With customizable views, network administrators can troubleshoot their network applications more effectively by selecting specific elements from the RMON MIB.

Easy-to-Use RMON Filter and Configuration Tools

Since the RMON MIB can monitor virtually all network traffic, it is also important that the monitor console has the necessary tools to easily manage the myriad bits of information that can be collected from a LAN segment. These tools should let the administrator select specific information provided by the RMON MIB, such as data-link statistics, traffic history, host traffic, and host matrix information. If the RMON agent also supports packet capture for protocol analysis, the console monitor should provide the tools to display the various protocol layers contained in the packet. Protocol filter tools should support popular protocols (like TCP/IP, XNS, Novell IPX, or AppleTalk) and should let the administrator view higher-level services as well (like NFS, SNMP, Apple ARP, and DEC LAT, to name a few). Console monitors with comprehensive filter tools can help network administrators save configuration and troubleshooting time. Flexibility in defining custom filters also ensures the long-term value of the console monitor as new systems and protocols are introduced to the network.

Network Alarm Functions and Automated Data Capture

The RMON console's ability to automatically capture network traffic data and provide alarms is also valuable to the network administrator for network diagnosis and troubleshooting. A well-designed RMON console should allow the network administrator to define alarm conditions from any of the elements available in the RMON MIB. This level of flexibility helps the administrator address virtually any potential network troubleshooting problem. For example, an event-logging feature, working in conjunction with the RMON alarm, could help track the frequency and timing of network events while also providing information that could help the network administrator track down the cause-and-effect relationships of network-related problems.

To help network administrators track and troubleshoot protocol-related network problems, both the RMON probe and the console should also provide the tools to automatically capture network packet data for offline analysis. The console manager should let the network administrator limit packet captures by using predefined or user-defined filters to help tailor the RMON probe functionality to meet specific troubleshooting needs.

Powerful Graphing, Accounting, and Reporting Tools

Finally, since fully instrumented RMON probes provide data to track network usage, a full-featured console manager should offer graphing, reporting, and accounting tools that help the network administrator track the growth and usage of the network. Graphing functions are useful for measuring and representing network traffic or server utilization over extended time periods. These graphs can show interesting trends in growth of network or server usage. Similarly, network administrators can use network accounting tools to show network resource usage by functional department. Reporting tools can help organize accounting data so that network administrators can produce usage information for budgeting or departmental billing purposes.

NETScout Delivers Full-Featured RMON Console Management to Network Administrators

The NETScout RMON console provides an easy-to-use GUI for monitoring RMON statistics and protocol analysis information. NETScout also provides extensive tools that simplify data collection, analysis and reporting. Applications include:

GUI RMON monitor (browser)
Simplified, user-definable RMON configuration and control tools
Sophisticated RMON filter editor (Domain Manager)
Protocol monitor and analyzer
Traffic monitor
Alarm manager (Watchdog) and automated data capture
RMON grapher
Report generator
Event logger and database

These tools allow the administrator to monitor traffic, set thresholds, and capture data on any set of network traffic for any segment. They collect information about all nine RMON groups to isolate and determine problem conditions on the network.

NETScout is available on a variety of platforms including SunNet Manager, HP OpenView, IBM NetView 6000, and PC Windows. NETScout Manager can run as a complementary application to Cisco's network management applications (CiscoWorks(tm), Workgroup Director(tm)), third-party network management applications (SunNet Manager, HP OpenView), or as a standalone application.

Conclusion

As network administrators rely more on switching to improve network performance, they will also require enhanced manageability and monitoring capabilities to ensure the reliability of their high-performance switched networks. Due to the design limitations of existing network monitoring tools, network managers must look at new ways to collect and interpret network traffic data in a switched environment. One cost-effective method is to use the network switch not only as a network performance enhancer, but as a network monitor. Cisco Systems' Catalyst workgroup switch offers a unique solution, providing high-performance switching, traffic management, and standards-based RMON monitoring functions. Combined with an effective RMON console manager, Cisco's Catalyst switch offers network administrators enhanced management capabilities to ensure high performance and reliability in growing switched workgroup networks.

RMON Monitor and Console Buying Criteria
-----------------------------------------------------------------------------
FEATURE                                            CISCO SYSTEMS CATALYST
=============================================================================
RMON Probe

  Instrumentation of all nine RMON groups          Yes
  (including packet capture and filtering)

  RMON functionality without compromising          Yes
  switching performance

  Simultaneously collect full RMON information     Four-segment capture
  for multiple segments                            without degradation

  Means of monitoring all switched segments        Roving RMON
  simultaneously

RMON Console

  Easy-to-use, GUI-based interface                 Yes

  Preconfigured, user-definable filters for        Yes
  RMON data collection

  Automated RMON console alarms                    Yes

  Semi-automated packet data capture               Yes

  GUI-based protocol decode capability             Yes for 14 protocols

  Graphing functions for network trend analysis    Yes

  Network usage reporting functions                Yes

  RMON console across a variety of                 Yes; Sun, HP 9000/700, IBM
  management platforms                             RS/6000, and PC Windows
-----------------------------------------------------------------------------

Appendix A: Summary of Monitoring Groups in RFC 1271 Ethernet RMON MIB

----------------------------------------------------------------------------- RMON GROUP FUNCTION ELEMENTS ============================================================================= Statistics Contains statistics measured Packets dropped, packets sent, Group by the probe for each monitored bytes sent (octets), broadcast interface on this device. packets, multicast packets, CRC errors, runts, giants, fragments, jabbers, collisions, and counters for packets ranging from 64-128, 128-256, 256-512, 512-1024, and 1024-1518 bytes in size. ----------------------------------------------------------------------------- History Records periodic statistical Sample period, number of Group samples from a network and samples, item(s) sampled. stores them for later retrieval. ----------------------------------------------------------------------------- Alarm Periodically takes statistical Alarm type, interval, starting Group samples from variables in the threshold, stop threshold. probe and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an event is generated. A hysteresis mechanism is implemented to limit the generation of alarms. This group includes the "alarmTable" and requires the implementation of the "event" group. ----------------------------------------------------------------------------- Host Contains statistics associated Host address, packets and Group with each host discovered on bytes received & transmitted, the network. tas well as broadcast, multicast, and error packets. ----------------------------------------------------------------------------- HostTopN Prepares tables that describe Statistics, which host(s), Group the hosts that top a list sample start and stop period, ordered by one of their rate base, duration. statistics. The available statistics are samples of one of their base statistics over an interval specified by the management station. Thus, these statistics are rate based. ----------------------------------------------------------------------------- Matrix Stores statistics for Source and destination address Group conversations between sets of pairs and packets, bytes, and two addresses. As the device errors for each pair. detects a new conversation, it creates a new entry in its tables. ----------------------------------------------------------------------------- Filter Allows packets to be matched by Bit filter type (mask or not Group a filter equation. These mask), filter expression (bit packets form a data stream level), conditional expression that may be captured or may (and, or, not) to other generate events. filters. events. ----------------------------------------------------------------------------- Packet Allows packets to be captured Size of buffer for captured Capture captured after they flow packets, full status (alarm), Group through a channel. number of captured packets. ----------------------------------------------------------------------------- Event Controls the generation and Event type, description, last Group notification of events from time event sent. this device. -----------------------------------------------------------------------------

Posted: Dec 21 11:48:46 1994

RMON

Summary

Background

RMON

RMON Switches Deliver Powerful, Economical Management

Providing a User-Friendly Interface to RMON

RMON Statistics That Are Easy to Use and Understand

Easy-to-Use RMON Filter and Configuration Tools

Network Alarm Functions and Automated Data Capture

Powerful Graphing, Accounting, and Reporting Tools

NETScout Delivers Full-Featured RMON Console Management to Network Administrators

Conclusion

Appendix A: Summary of Monitoring Groups in RFC 1271 Ethernet RMON MIB

Copyright 1996 © Cisco Systems Inc.