RMON Event and Alarm Notification

RMON is a standard monitoring specification that enables various network monitors and console systems to exchange network-monitoring data.

The RMON specification defines a set of statistics and functions that can be exchanged between RMON-compliant console managers and network probes. RMON provides network administrators with comprehensive network-fault diagnosis, planning, and performance-tuning information.

The RMON feature identifies activity on individual nodes and allows you to monitor all nodes and their interaction on a LAN segment. Used in conjunction with the SNMP agent in a router, RMON allows you to view both traffic that flows through the router and segment traffic that is not necessarily destined for the router. Combining RMON alarms and events (classes of messages that indicate traffic violations and various unusual occurrences over a network) with existing MIBs allows you to choose where proactive monitoring will occur.

RMON delivers information in RMON groups of monitoring elements, each providing specific sets of data to meet common network-monitoring requirements. Each group is optional so that you do not need to support all the groups within the Management Information Base (MIB). Some RMON groups require support of other RMON groups to function properly.

RMON Groups

• Statistics - Contains statistics measured by the probe for each monitored interface on this device.
• History - Records periodic statistical samples from a network and stores them for later retrieval.
• Alarm - Periodically takes statistical samples from variables in the probe and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an event is generated. Requires the implementation of the event group. 
• Host - Contains statistics associated with each host discovered on the network. 
• HostTopN - Prepares tables that describe the hosts that top a list ordered by one of their base statistics over an interval specified by the management station. Thus, these statistics are rate-based.
• Matrix - Stores statistics for conversations between sets of two addresses. As the device detects a new conversation, it creates a new entry in its table.
• Filters - Enables packets to be matched by a filter equation. These matched packets form a data stream that might be captured or that might generate events.
• Packet - Capture Enables packets to be captured after they flow through a channel.
• Events - Controls the generation and notification of events from this device.

Thresholds allow you to minimize the number of notifications sent on the network. The RMON MIB defines two traps, the risingAlarm trap which is the rising-threshold value and fallingAlarm trap which is the falling-threshold value. Alarms are triggered when a problem exceeds a set rising-threshold value. No alarm notifications are sent until the agent recovers, as defined by the falling-threshold value. This means that notifications are not sent each time a minor failure or recovery occurs.

Configuring RMON Event and Alarm Notifications

rmon event eventIndex [log] [trap community] [description string] [owner string]

• eventIndex— Event number (1–65535)
• log—(Optional) Generate an RMON log when the event fires.
• trap community —(Optional) Generate an SNMP trap when the event fires, for the specified SNMP community string.
• description string —(Optional) Specify a WORD or a description of the event.
• owner string  —(Optional) Specify an owner for the event.

rmon alarm alarmIndex alarmVariable alarmInterval {delta | absolute} rising-threshold alarmRisingThreshold [event-number] falling-threshold alarmFallingThreshold [event-number] [owner string]

•  alarmIndex—Alarm number (1–65535)
• alarmVariable—MIB object to monitor (WORD)
• alarmInterval—Sample interval (1–4294967295
• absolute—Test each sample directly.
• delta—Test delta between samples.
• alarmRisingThreshold—Rising threshold value (-2147483648–2147483647)
• event-number —(optional) Event to fire when the rising threshold is crossed (1–65535)
• alarmFallingThreshold—Falling threshold value (-2147483648–2147483647)
• event-number —(optional) Event to fire when the falling threshold is crossed (1–65535)
• owner string —(Optional) Specify an owner for the alarm (WORD).

An absolute sampling threshold is used for variables that increase or decrease over time, and have an upper or lower limit for when a log should be generated (ex: CPU utilization, memory utilization).

A delta sampling threshold is used for variables that either constantly increase (most common) or constantly decrease (ex: interface errors, input packets).

Scenario:

rmon event 1 log description "Traffic exced 500 ppm" owner TEST_RMON
rmon event 2 log description "Traffic less than 200 ppm" owner TEST_RMON
rmon alarm 1 ifInUcastPkts.2 60 delta rising-threshold 500 1 falling-threshold 200 2 owner TEST_RMON

To find out the ifIndex for interface that you want to monitor use next command

R1#show snmp mib ifmib ifindex f1/0
Interface = FastEthernet1/0, Ifindex = 2

Verification: 

R1#show rmon alarms
Alarm 1 is active, owned by TEST_RMON
 Monitors ifInUcastPkts.2 every 60 second(s)
 Taking delta samples, last value was 667
 Rising threshold is 500, assigned to event 1
 Falling threshold is 200, assigned to event 2
 On startup enable rising or falling alarm

 *May  5 14:05:09.355: %RMON-5-RISINGTRAP: Rising trap is generated because the value of ifInUcastPkts.2 exceeded the rising-threshold value 500

*May  5 14:06:09.359: %RMON-5-FALLINGTRAP: Falling trap is generated because the value of ifInUcastPkts.2 has fallen below the falling-threshold value 200

 R1#show rmon alarms              
Alarm 1 is active, owned by TEST_RMON
 Monitors ifInUcastPkts.2 every 60 second(s)
 Taking delta samples, last value was 6
 Rising threshold is 500, assigned to event 1
 Falling threshold is 200, assigned to event 2
 On startup enable rising or falling alarm