
RFC 2819

Remote Network Monitoring Management Information Base

Pages: 98
Internet Standard: 59
Obsoletes:  1757
Part 1 of 4 – Pages 1 to 11

Network Working Group                                       S. Waldbusser
Request for Comments: 2819                            Lucent Technologies
STD: 59                                                          May 2000
Obsoletes: 1757
Category: Standards Track

         Remote Network Monitoring Management Information Base

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.


This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for managing remote network monitoring devices. This memo obsoletes RFC 1757. This memo extends that specification by documenting the RMON MIB in SMIv2 format while remaining semantically identical to the existing SMIv1-based MIB.

Table of Contents

   1 The SNMP Management Framework
   2 Overview
   2.1 Remote Network Management Goals
   2.2 Textual Conventions
   2.3 Structure of MIB
   2.3.1 The Ethernet Statistics Group
   2.3.2 The History Control Group
   2.3.3 The Ethernet History Group
   2.3.4 The Alarm Group
   2.3.5 The Host Group
   2.3.6 The HostTopN Group
   2.3.7 The Matrix Group
   2.3.8 The Filter Group
   2.3.9 The Packet Capture Group
   2.3.10 The Event Group
   3 Control of Remote Network Monitoring Devices
   3.1 Resource Sharing Among Multiple Management Stations
   3.2 Row Addition Among Multiple Management Stations
   4 Conventions
   5 Definitions
   6 Security Considerations
   7 Acknowledgments
   8 Author's Address
   9 References
   10 Intellectual Property
   11 Full Copyright Statement

1. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [1].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in STD
      16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The
      second version, called SMIv2, is described in STD 58, RFC 2578
      [5], RFC 2579 [6] and RFC 2580 [7].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [8]. A second version of the SNMP
      message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC
      1906 [10]. The third version of the message protocol is called
      SNMPv3 and described in RFC 1906 [10], RFC 2572 [11] and RFC 2574

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [8]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905

   o  A set of fundamental applications described in RFC 2573 [14] and
      the view-based access control mechanism described in RFC 2575

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [22].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the

2. Overview

   Remote network monitoring devices, often called monitors or probes,
   are instruments that exist for the purpose of managing a network.
   Often these remote probes are stand-alone devices and devote
   significant internal resources for the sole purpose of managing a
   network.  An organization may employ many of these devices, one per
   network segment, to manage its internet.  In addition, these devices
   may be used for a network management service provider to access a
   client network, often geographically remote.

   The objects defined in this document are intended as an interface
   between an RMON agent and an RMON management application and are not
   intended for direct manipulation by humans.  While some users may
   tolerate the direct display of some of these objects, few will
   tolerate the complexity of manually manipulating objects to
   accomplish row creation.  These functions should be handled by the
   management application.

   While most of the objects in this document are suitable for the
   management of any type of network, there are some which are specific
   to managing Ethernet networks.  These are the objects in the
   etherStatsTable, the etherHistoryTable, and some attributes of the
   filterPktStatus and captureBufferPacketStatus objects.  The design of
   this MIB allows similar objects to be defined for other network
   types.  It is intended that future versions of this document and
   additional documents will define extensions for other network types.

   There are a number of companion documents to the RMON MIB. The Token
   Ring RMON MIB [19] provides objects specific to managing Token Ring
   networks. The RMON-2 MIB [20] extends RMON by providing RMON analysis
   up to the application layer. The SMON MIB [21] extends RMON by
   providing RMON analysis for switched networks.

2.1. Remote Network Management Goals

   o  Offline Operation
        There are sometimes conditions when a management station will
        not be in constant contact with its remote monitoring devices.
        This is sometimes by design in an attempt to lower
        communications costs (especially when communicating over a WAN
        or dialup link), or by accident as network failures affect the
        communications between the management station and the probe.

        For this reason, this MIB allows a probe to be configured to
        perform diagnostics and to collect statistics continuously,
        even when communication with the management station may not be
        possible or efficient.  The probe may then attempt to notify
        the management station when an exceptional condition occurs.
        Thus, even in circumstances where communication between
        management station and probe is not continuous, fault,
        performance, and configuration information may be continuously
        accumulated and communicated to the management station
        conveniently and efficiently.

   o  Proactive Monitoring
        Given the resources available on the monitor, it is
        potentially helpful for it continuously to run diagnostics and
        to log network performance.  The monitor is always available at
        the onset of any failure.  It can notify the management station
        of the failure and can store historical statistical information
        about the failure.  This historical information can be played
        back by the management station in an attempt to perform further
        diagnosis into the cause of the problem.

   o  Problem Detection and Reporting
        The monitor can be configured to recognize conditions, most
        notably error conditions, and continuously to check for them.
        When one of these conditions occurs, the event may be logged,
        and management stations may be notified in a number of ways.

   o  Value Added Data
        Because a remote monitoring device represents a network resource
        dedicated exclusively to network management functions, and
        because it is located directly on the monitored portion of the
        network, the remote network monitoring device has the
        opportunity to add significant value to the data it collects.
        For instance, by highlighting those hosts on the network that
        generate the most traffic or errors, the probe can give the
        management station precisely the information it needs to solve a
        class of problems.

   o  Multiple Managers
        An organization may have multiple management stations for
        different units of the organization, for different functions
        (e.g. engineering and operations), and in an attempt to provide
        disaster recovery.  Because environments with multiple
        management stations are common, the remote network monitoring
        device has to deal with more than one management station,
        potentially using its resources concurrently.

2.2. Textual Conventions

Two new data types are introduced as a textual convention in this MIB document, OwnerString and EntryStatus.

2.3. Structure of MIB

   The objects are arranged into the following groups:

         - ethernet statistics

         - history control

         - ethernet history

         - alarm

         - host

         - hostTopN

         - matrix

         - filter

         - packet capture

         - event

   These groups are the basic unit of conformance.  If a remote
   monitoring device implements a group, then it must implement all
   objects in that group.  For example, a managed agent that implements
   the host group must implement the hostControlTable, the hostTable and
   the hostTimeTable. While this section provides an overview of
   grouping and conformance information for this MIB, the authoritative
   reference for such information is contained in the MODULE-COMPLIANCE
   and OBJECT-GROUP macros later in this MIB.

   All groups in this MIB are optional.  Implementations of this MIB
   must also implement the system group of MIB-II [16] and the IF-MIB
   [17].  MIB-II may also mandate the implementation of additional

   These groups are defined to provide a means of assigning object
   identifiers, and to provide a method for implementors of managed
   agents to know which objects they must implement.

2.3.1. The Ethernet Statistics Group

The ethernet statistics group contains statistics measured by the probe for each monitored Ethernet interface on this device. This group consists of the etherStatsTable.

2.3.2. The History Control Group

The history control group controls the periodic statistical sampling of data from various types of networks. This group consists of the historyControlTable.

2.3.3. The Ethernet History Group

The ethernet history group records periodic statistical samples from an ethernet network and stores them for later retrieval. This group consists of the etherHistoryTable.

2.3.4. The Alarm Group

The alarm group periodically takes statistical samples from variables in the probe and compares them to previously configured thresholds. If the monitored variable crosses a threshold, an event is generated. A hysteresis mechanism is implemented to limit the generation of alarms. This group consists of the alarmTable and requires the implementation of the event group.

2.3.5. The Host Group

The host group contains statistics associated with each host discovered on the network. This group discovers hosts on the network by keeping a list of source and destination MAC Addresses seen in good packets promiscuously received from the network. This group consists of the hostControlTable, the hostTable, and the hostTimeTable.

2.3.6. The HostTopN Group

The hostTopN group is used to prepare reports that describe the hosts that top a list ordered by one of their statistics. The available statistics are samples of one of their base statistics over an interval specified by the management station. Thus, these statistics are rate based. The management station also selects how many such hosts are reported. This group consists of the hostTopNControlTable and the hostTopNTable, and requires the implementation of the host group.

2.3.7. The Matrix Group

The matrix group stores statistics for conversations between sets of two addresses. As the device detects a new conversation, it creates a new entry in its tables. This group consists of the matrixControlTable, the matrixSDTable and the matrixDSTable.

2.3.8. The Filter Group

The filter group allows packets to be matched by a filter equation. These matched packets form a data stream that may be captured or may generate events. This group consists of the filterTable and the channelTable.

2.3.9. The Packet Capture Group

The Packet Capture group allows packets to be captured after they flow through a channel. This group consists of the bufferControlTable and the captureBufferTable, and requires the implementation of the filter group.

2.3.10. The Event Group

The event group controls the generation and notification of events from this device. This group consists of the eventTable and the logTable.

3. Control of Remote Network Monitoring Devices

   Due to the complex nature of the available functions in these
   devices, the functions often need user configuration.  In many cases,
   the function requires parameters to be set up for a data collection
   operation.  The operation can proceed only after these parameters are
   fully set up.

   Many functional groups in this MIB have one or more tables in which
   to set up control parameters, and one or more data tables in which to
   place the results of the operation.  The control tables are typically
   read-write in nature, while the data tables are typically read-only.
   Because the parameters in the control table often describe resulting
   data in the data table, many of the parameters can be modified only
   when the control entry is invalid.  Thus, the method for modifying
   these parameters is to invalidate the control entry, causing its
   deletion and the deletion of any associated data entries, and then
   create a new control entry with the proper parameters.  Deleting the
   control entry also gives a convenient method for reclaiming the
   resources used by the associated data.

   Some objects in this MIB provide a mechanism to execute an action on
   the remote monitoring device.  These objects may execute an action as
   a result of a change in the state of the object.  For those objects
   in this MIB, a request to set an object to the same value as it
   currently holds would thus cause no action to occur.

   To facilitate control by multiple managers, resources have to be
   shared among the managers.  These resources are typically the memory
   and computation resources that a function requires.

3.1. Resource Sharing Among Multiple Management Stations

   When multiple management stations wish to use functions that compete
   for a finite amount of resources on a device, a method to facilitate
   this sharing of resources is required.  Potential conflicts include:

   o  Two management stations wish to simultaneously use resources that
      together would exceed the capability of the device.

   o  A management station uses a significant amount of resources for a
      long period of time.

   o  A management station uses resources and then crashes, forgetting
      to free the resources so others may use them.

   A mechanism is provided for each management station initiated
   function in this MIB to avoid these conflicts and to help resolve
   them when they occur.  Each function has a label identifying the
   initiator (owner) of the function.  This label is set by the
   initiator to provide for the following possibilities:

   o  A management station may recognize resources it owns and no
      longer needs.

   o  A network operator can find the management station that owns the
      resource and negotiate for it to be freed.

   o  A network operator may decide to unilaterally free resources
      another network operator has reserved.

   o  Upon initialization, a management station may recognize resources
      it had reserved in the past.  With this information it may free
      the resources if it no longer needs them.

   Management stations and probes should support any format of the
   owner string dictated by the local policy of the organization.  It is
   suggested that this name contain one or more of the following: IP
   address, management station name, network manager's name, location,
   or phone number.  This information will help users to share the
   resources more effectively.

   There is often default functionality that the device or the
   administrator of the probe (often the network administrator) wishes
   to set up.  The resources associated with this functionality are then
   owned by the device itself or by the network administrator, and are
   intended to be long-lived.  In this case, the device or the
   administrator will set the relevant owner object to a string starting
   with 'monitor'.  Indiscriminate modification of the monitor-owned
   configuration by network management stations is discouraged.  In
   fact, a network management station should only modify these objects
   under the direction of the administrator of the probe.

   Resources on a probe are scarce and are typically allocated when
   control rows are created by an application.  Since many applications
   may be using a probe simultaneously, indiscriminate allocation of
   resources to particular applications is very likely to cause resource
   shortages in the probe.

   When a network management station wishes to utilize a function in a
   monitor, it is encouraged to first scan the control table of that
   function to find an instance with similar parameters to share.  This
   is especially true for those instances owned by the monitor, which
   can be assumed to change infrequently.  If a management station
   decides to share an instance owned by another management station, it
   should understand that the management station that owns the instance
   may indiscriminately modify or delete it.
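
   The scan-before-create step and the owner-label uses described above,
   as an added Python example (not part of the RFC).  The table snapshot,
   owner strings, parameter names and function names are constructed for
   illustration; only the 'monitor' prefix comes from the text.

```python
MONITOR_PREFIX = "monitor"  # owner prefix used for device/administrator rows

# Constructed snapshot of one control table as read by a management station:
# row index -> self-asserted owner label and the collection parameters.
TABLE = {
    1: {"owner": "monitor", "params": {"source": "if1", "interval": 30}},
    2: {"owner": "nms-a 192.0.2.10", "params": {"source": "if1", "interval": 1800}},
    3: {"owner": "nms-b 192.0.2.20", "params": {"source": "if2", "interval": 30}},
    4: {"owner": "nms-a 192.0.2.10", "params": {"source": "if2", "interval": 30}},
    5: {"owner": "nms-a 192.0.2.10", "params": {"source": "if3", "interval": 5}},
}


def trust_rank(row, me):
    """Lower is better: monitor-owned rows change infrequently, while a row
    owned by another station may be modified or deleted by that station."""
    if row["owner"].startswith(MONITOR_PREFIX):
        return 0
    return 1 if row["owner"] == me else 2


def find_shareable(table, wanted, me):
    """Index of the most stable existing row with exactly these parameters."""
    matches = [(trust_rank(row, me), index) for index, row in table.items()
               if row["params"] == wanted]
    return min(matches)[1] if matches else None


def reconcile(table, me, wanted_list):
    """Startup plan: rows to share, rows to create, and our own rows to free."""
    share, create = {}, []
    for wanted in wanted_list:
        index = find_shareable(table, wanted, me)
        if index is None:
            create.append(wanted)          # nothing to share: a new row is needed
        else:
            share[index] = table[index]["owner"]
    # Rows this station reserved in the past (for instance before a crash)
    # and no longer uses are released; rows owned by anyone else, including
    # monitor-owned rows, are left untouched.
    free = sorted(index for index, row in table.items()
                  if row["owner"] == me and index not in share)
    return {"share": share, "create": create, "free": free}


if __name__ == "__main__":
    wanted = [{"source": "if1", "interval": 30},
              {"source": "if2", "interval": 30},
              {"source": "if4", "interval": 60}]
    print(reconcile(TABLE, "nms-a 192.0.2.10", wanted))
```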

   It should be noted that a management application should have the most
   trust in a monitor-owned row because it should be changed very
   infrequently.  A row owned by the management application is less
   long-lived because a network administrator is more likely to re-
   assign resources from a row that is in use by one user than from a
   monitor-owned row that is potentially in use by many users.  A row
   owned by another application would be even less long-lived because
   the other application may delete or modify that row completely at its

3.2. Row Addition Among Multiple Management Stations

   The addition of new rows is achieved using the method described in
   RFC 1905 [13].  In this MIB, rows are often added to a table in order
   to configure a function.  This configuration usually involves
   parameters that control the operation of the function.  The agent
   must check these parameters to make sure they are appropriate given
   restrictions defined in this MIB as well as any implementation
   specific restrictions such as lack of resources.

   The agent implementor may be confused as to when to check these
   parameters and when to signal to the management station that the
   parameters are invalid.  There are two opportunities:

   o  When the management station sets each parameter object.

   o  When the management station sets the entry status object to valid.

   If the latter is chosen, it would be unclear to the management
   station which of the several parameters was invalid and caused the
   badValue error to be emitted.  Thus, wherever possible, the
   implementor should choose the former as it will provide more
   information to the management station.

   A problem can arise when multiple management stations attempt to set
   configuration information simultaneously using SNMP.  When this
   involves the addition of a new conceptual row in the same control
   table, the managers may collide, attempting to create the same entry.
   To guard against these collisions, each such control entry contains a
   status object with special semantics that help to arbitrate among the
   managers.  If an attempt is made with the row addition mechanism to
   create such a status object and that object already exists, an error
   is returned.  When more than one manager simultaneously attempts to
   create the same conceptual row, only the first can succeed.  The
   others will receive an error.

   When a manager wishes to create a new control entry, it needs to
   choose an index for that row.  It may choose this index in a variety
   of ways, hopefully minimizing the chances that the index is in use by
   another manager.  If the index is in use, the mechanism mentioned
   previously will guard against collisions.  Examples of schemes to
   choose index values include random selection or scanning the control
   table looking for the first unused index.  Because index values may
   be any valid value in the range and they are chosen by the manager,
   the agent must allow a row to be created with any unused index value
   if it has the resources to create a new row.
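
   The status-object arbitration, the two index-selection schemes and
   the per-parameter check described in this section, modelled as an
   added Python example (not code from the RFC).  The ControlTable
   class, exception names, owner strings and the "interval" limit are
   assumptions; the four status values are those of the EntryStatus
   textual convention defined later in the RFC.

```python
import random

# EntryStatus values from the EntryStatus textual convention (RFC 2819).
VALID, CREATE_REQUEST, UNDER_CREATION, INVALID = 1, 2, 3, 4

class RowExists(Exception):
    """The status object already exists: another manager created the row."""

class BadValue(Exception):
    """A parameter was rejected; args[0] names the object that caused it."""

class ControlTable:
    """Toy agent-side control table (hypothetical class, constructed limits)."""
    def __init__(self, max_index, limits):
        self.max_index, self.limits, self.rows = max_index, limits, {}

    def set_status(self, index, value, owner=""):
        if value == CREATE_REQUEST:
            if index in self.rows:        # existing instance: only the first wins
                raise RowExists(index)
            self.rows[index] = {"status": UNDER_CREATION, "owner": owner}
        elif value == VALID:
            self.rows[index]["status"] = VALID
        elif value == INVALID:            # invalidating deletes the control row
            self.rows.pop(index, None)

    def set_param(self, index, name, value):
        lo, hi = self.limits[name]
        if not lo <= value <= hi:         # checked when the parameter is set
            raise BadValue(name)
        self.rows[index][name] = value

def first_unused(table):
    """Index scheme: scan the control table for the first unused index."""
    return next(i for i in range(1, table.max_index + 1) if i not in table.rows)

def random_index(table, rng=random):
    """Index scheme: random selection within the valid range."""
    return rng.randint(1, table.max_index)

def create_row(table, owner, params, choose, attempts=8):
    """Manager side: createRequest, set each parameter, then set status valid."""
    for _ in range(attempts):
        index = choose(table)
        try:
            table.set_status(index, CREATE_REQUEST, owner)
        except RowExists:
            continue                      # collision: choose another index
        try:
            for name, value in params.items():
                table.set_param(index, name, value)
        except BadValue:
            table.set_status(index, INVALID)   # free the half-built row
            raise
        table.set_status(index, VALID)
        return index
    raise RowExists(f"no free index after {attempts} attempts")

def demo():
    """Two managers both believe index 1 is free; the second falls back."""
    table = ControlTable(65535, {"interval": (1, 3600)})
    a = create_row(table, "nms-a", {"interval": 30}, lambda t: 1)
    picks = iter([1])                     # nms-b's earlier scan is now stale
    b = create_row(table, "nms-b", {"interval": 60},
                   lambda t: next(picks, None) or first_unused(t))
    return a, b

if __name__ == "__main__":
    print(demo())
```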

   Some tables in this MIB reference other tables within this MIB.  When
   creating or deleting entries in these tables, it is generally
   allowable for dangling references to exist.  There is no defined
   order for creating or deleting entries in these tables.

4. Conventions

   The following conventions are used throughout the RMON MIB and its
   companion documents.

   Good Packets

   Good packets are error-free packets that have a valid frame length.
   For example, on Ethernet, good packets are error-free packets that
   are between 64 octets long and 1518 octets long.  They follow the
   form defined in IEEE 802.3 section 3.2.all.

   Bad Packets

   Bad packets are packets that have proper framing and are therefore
   recognized as packets, but contain errors within the packet or have
   an invalid length.  For example, on Ethernet, bad packets have a
   valid preamble and SFD, but have a bad CRC, or are either shorter
   than 64 octets or longer than 1518 octets.
