20.1.7 RMON MIB
RMON (Remote Network Monitoring) functionality includes the provision of Ethernet statistics, generation of an event from the checking of threshold values in the collected statistics, and the capture of packets. RMON is defined in RFC 1757.
This section provides an overview for the statistics, history, alarm, and event groups of the RMON MIBs.
- <Structure of this section>
(1) Statistics study
The statistics group collects basic statistics about monitored subnetworks. Examples include the total number of packets in a subnetwork, the number of packets for each packet type such as broadcast packets, and the number of errors, which includes CRC errors and collision errors. The statistics group provides statistics about subnetwork traffic conditions and line status.
(2) History study
The history group samples statistics that are almost the same as the information collected by the statistics group, and retains the sampled information as history information.
A history group has a control table named historyControlTable and a data table named etherHistoryTable. historyControlTable is a MIB used to set the sampling interval and the number of history records, among other items.
etherHistoryTable is a MIB of history information about the sampled statistics. The history group retains statistics on the switch for a certain period of time. Compared to regular polling by an SNMP manager to collect statistics, network load is lower and continuous statistics for a certain period can be obtained.
(3) Alarm study
This MIB is used to set the monitoring interval, thresholds, etc. of MIB to be monitored, and to specify logging when that MIB reaches the threshold, or sending a SNMP notification to SNMP Manager. When you use the alarm group, you must configure the event group.
MIB monitoring by alarm grouping has a delta method that compares MIB differences (variations) and thresholds, and a absolute method that directly compares MIB and thresholds.
Threshold-checking using delta method can, for example, collect logs or send SNMP notifications to SNMP Manager when CPU utilization fluctuates by more than 50%. Threshold-checking using absolute method can, for example, collect logs or send SNMP notifications to SNMP Manager when CPU usage reaches 80%.
This Switch checks the threshold value multiple times during alarmInterval (MIB representing a time interval for MIB value monitoring in units of seconds) to minimize detection failure due to inappropriate threshold value check timing. The following table describes the number of threshold value check attempts for different alarmInterval values.
|
alarmInterval (in seconds) |
Number of threshold check attempts |
|---|---|
|
1 |
1 |
|
2~5 |
2 |
|
6~10 |
3 |
|
11~20 |
4 |
|
21~50 |
5 |
|
51~100 |
6 |
|
101~200 |
7 |
|
201~400 |
8 |
|
401~800 |
9 |
|
801~1300 |
10 |
|
1301~2000 |
11 |
|
2001~4294967295 |
12 |
The value calculated by dividing alarmInterval by the number of threshold value check attempts will roughly be the intervals of the threshold value check (in seconds). For example, if alarmInterval is 60 seconds, the number of threshold value check attempts will be 6, meaning that the threshold value check is performed every 10 seconds.
The following diagram shows an example in which the upper threshold value is set to 50, the lower threshold value is set to 20, alarmInterval is 60, and the delta method is used to monitor the CPU usage MIB value.
|
|
![[Figure Data]](./GRAPHICS/ZU151250.GIF)
- T1
-
An upper threshold or higher is detected because the value compared to the threshold value is 50 (MIB value of 80-T (sec.) for T+60 (sec.)), which is 30.
- T2
-
The threshold is not detected because the value compared with the threshold is 30 (MIB value of T+70 (seconds) is 60-T + 10 (seconds)) (30).
- T3
-
Because the value compared with the threshold is-10 (MIB value of T+80 (seconds)), 20-T + 20 (seconds)), a value below the lower threshold is detected (30).
The following diagram shows an example in which the upper threshold value is set to 80 and the lower threshold value is set to 20, alarmInterval is 60, and the absolute method is used to monitor the CPU usage MIB value.
|
|
![[Figure Data]](./GRAPHICS/ZU151260.GIF)
- T1
-
Because the value compared with the threshold value is 80 (MIB value of T + 60 (sec)), an upper-threshold violation is detected.
- T2
-
Because the value compared with the threshold value is 60 (MIB value of T + 70 (sec)), no threshold violation is detected.
- T3
-
Because the value compared with the threshold value is 20 (MIB value of T + 80 (sec)), a below-threshold violation is detected.
(4) Event study
The event group consists of the eventTable group MIB, which specifies the behavior when a MIB threshold value set in the alarm group is exceeded, and the logTable group MIB, which logs information when a threshold value is exceeded.
EventTable grouping MIB is a MIB to configure whether or not to log when thresholds are reached, send SNMP notifications to SNMP Manager, or both.
The logTable group MIB logs information on the switch when logging is specified by the eventTable group MIB. Because the number of log entries on a switch is fixed, if the limit is exceeded, new information replaces old information in the log. Note that if you do not save log information regularly to the SNMP manager, some logged information might be lost.