Skip navigation
Cisco Learning Home > Network Sheriff > 2009 > March > 05
Currently Being Moderated

I am certainly not the smartest Dude on the planet by a loooonnnnggg shot. On my walk thru life I have learned a few things the just seemed to make sense to me. Things like:

- My Mother In Law has no idea how to make good chili

- The same fishing baits that work in Tennessee do not work in Wisconsin

- How to count

When looking at nearly any data sheet out there today on a managed switch, they will almost always list support for RMON groups 1,2,3 and 9. I feel like I get ripped off if they do not top off my Ice Tea at restaurant and same goes if I do not get my RMON groups 4-8. When I do a presentation on secure code/script writing, when RMON comes up I always get the question; "What happened to groups 4-8?"


I can almost hear a Star Trek alien say; "Tell me more of this...RMON" RMON is a cool topic so lets dive into RMON and see where we come out on the other side. First off, lets get down to the basics.


- RMON (Remote Monitoring) is not a protocol. It is a complex MIB (Management Information Base) extension that is queried by the SNMP protocol. A MIB is basically a database in charge of monitoring/recording/setting features in a device. Way back when, MIBs where mainly for monitoring nodes. RMON added the network component.

- RMON ain't for you! Sorta... RMON was not designed to be manipulated by network admin types so the data is hard to read and understand. You need to use a NMS to make heads or tails of this data.

- RMON is a umbrella term for five different types of MIB based monitoring. Each of them are separate from each other.

- RMON 1 monitors layer two of the OSI model

- RMON 2 monitors layer three and above of the OSI model

- SMON was designed for monitoring switched networks

- DSMON is for monitoring Diff Serv

- ART/APM is for monitoring end to end communication.

Inside of each RMON type there are various Group types that drill down on a specific measurement. For example RMON 1 has groups 1-10 (10 is for Token Ring. Ah the days of beacon chasing and balens creating loops in the network and crashing it...Token Ring is missed like a bill to the IRS ) RMON 2 has groups 11-20 for its specific monitoring. Each group can give you a different metric based upon what it is you are looking for. Many folks in the cool world of RMON do not say "RMON 1 group 2" they just say RMON 4 or RMON 15 since the anything Group 10 and below is RMON 1 and Group 11-20 is RMON 2. Be cool and flip it out there to your RMON cats; "My RMON 12 tells me that HTTP is on the heavy side yo"


So why do many vendors just implement RMON 1 groups 1,2,3 and 9? As a former ASIC programmer the answer is simple; it's easier to code up. Consider that every single process on a ASIC eats up some resources in time and memory. When we turn off Star Trek NG reruns and put down the pizza to start coding, we have to allocate resources very strictly. Mainly because most ASIC coders develop based the Weibull Curve which looks kinda like a bathtub. Where version 1.0 is buggy and as time moves it gets more and more stable until it is towards its end of life then it just starts failing more and more. The longer we can stay in the flat part of the bathtub, the happy customers are going to be. Network work load always increases with time so we will need those ASIC resources later on to remain competitive.


Now with RMON 1 groups 1,2,3 and 9 it is a piece of cake to embed these in the ASIC because switch media access controllers actually have counters built into them that embedded RMON can mine rather than actually processing the packets themselves. As a result, the switch does not need to burn CPU cycles to perform RMON packet processing for groups 1,2,3. Group 9 is just a action monitor that normally says, log all events. Simple right? Most of time it is rarely even coded at base, cut copy past or it is in the SDK by default.


Now check out SMON. Doesn't it seem weird to have a MIB for switched networks? Does that mean that RMON 1 and 2 where not designed for switches? It kinda does, when RMON 1 and 2 were standardized in the IETF, VLANS where not invented yet, so that give you an idea as to the age of RMON 1-2. This is VERY important to remember when looking at purchasing a switch for your network. RMON 1 and 2 have 32 bit counters which is fine for 10Meg ports but go to 100Meg and above and your data is hosed. Make sure that if a switch supports any form of RMON that supports the newer 64 bit counters as specified in RFC 4502 or RFC 3273.


You may be thinking, "Hey Jimmy Ray, 4 groups out of 19 (Token Ring doesn't count) plus ART, SMON and DSMON how do I monitor these?" Normally, this is where you cross the line into hardware based network management. Anything above Mini-RMON adds a measurable amount of overhead to the ASIC/CPU. This just rips a hole in the space-irony continuum doesn't it? A solution to manage network slow downs actually slows the network down when used. ADVIL!!!! This where a network probe designed specifically for the task comes into play here. We are lucky in Cisco land because we have the Network Analysis Module (NAM) for this purpose. If you have not used one of these awesome Dudes take a look at one and remember that this is not protocol based, this is data that has always been then just waiting to be mined Of course there are other RMON probes out there from various vendors that do a nice job. The key in deploying a RMON based probe is how much data and what type it can mine PLUS how clear and easy to use is the NMS software that goes along with it.


Hey folks, go out and have some fun with RMON. It is cool and gives you a great look into your network. Something else I have learned, that nothing ends the day quiet like a cool Newcastle and a Warm Cohiba....


Jimmy Ray Purser


Trivia File Transfer Protocol

The number 1.618 is often referred to as the Golden Ratio and is coupled tightly with the Fibonacci sequence. These two numbers are found in paintings, buildings, ASICs and even nature. Try this, each section of your index finger, from the tip to the base of the wrist, is larger than the preceding one by about the Fibonacci ratio of 1.618, also fitting the Fibonacci numbers 2, 3, 5 and 8. (By this scale, your fingernail is 1 unit in length) Curiously enough, you also have 2 hands, each with 5 digits, and your 8 fingers are each comprised of 3 sections. All Fibonacci numbers! Look around and you'll be amazed where you find this!

Comments (0)