Network Working Group                                      S. Waldbusser
Request for Comments: 2819                           Lucent Technologies
STD: 59                                                         May 2000
Obsoletes: 1757
Category: Standards Track

          Remote Network Monitoring Management Information Base

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP-based internets.
   In particular, it defines objects for managing remote network
   monitoring devices.

   This memo obsoletes RFC 1757.  This memo extends that specification
   by documenting the RMON MIB in SMIv2 format while remaining
   semantically identical to the existing SMIv1-based MIB.

Waldbusser                  Standards Track                     [Page 1]
RFC 2819             Remote Network Monitoring MIB              May 2000

Table of Contents

   1 The SNMP Management Framework
   2 Overview
   2.1 Remote Network Management Goals
   2.2 Textual Conventions
   2.3 Structure of MIB
   2.3.1 The Ethernet Statistics Group
   2.3.2 The History Control Group
   2.3.3 The Ethernet History Group
   2.3.4 The Alarm Group
   2.3.5 The Host Group
   2.3.6 The HostTopN Group
   2.3.7 The Matrix Group
   2.3.8 The Filter Group
   2.3.9 The Packet Capture Group
   2.3.10 The Event Group
   3 Control of Remote Network Monitoring Devices
   3.1 Resource Sharing Among Multiple Management Stations
   3.2 Row Addition Among Multiple Management Stations
   4 Conventions
   5 Definitions
   6 Security Considerations
   7 Acknowledgments
   8 Author's Address
   9 References
   10 Intellectual Property
   11 Full Copyright Statement

1.  The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [1].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.  The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4].  The
      second version, called SMIv2, is described in STD 58, RFC 2578
      [5], RFC 2579 [6] and RFC 2580 [7].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [8].  A second version of the SNMP
      message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC
      1906 [10].  The third version of the message protocol is called
      SNMPv3 and described in RFC 1906 [10], RFC 2572 [11] and RFC 2574
      [12].

   o  Protocol operations for accessing management information.
      The first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [8].  A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [13].

   o  A set of fundamental applications described in RFC 2573 [14] and
      the view-based access control mechanism described in RFC 2575
      [15].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [22].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

2.  Overview

   Remote network monitoring devices, often called monitors or probes,
   are instruments that exist for the purpose of managing a network.
   Often these remote probes are stand-alone devices and devote
   significant internal resources for the sole purpose of managing a
   network.  An organization may employ many of these devices, one per
   network segment, to manage its internet.  In addition, these devices
   may be used for a network management service provider to access a
   client network, often geographically remote.

   The objects defined in this document are intended as an interface
   between an RMON agent and an RMON management application and are not
   intended for direct manipulation by humans.
   While some users may tolerate the direct display of some of these
   objects, few will tolerate the complexity of manually manipulating
   objects to accomplish row creation.  These functions should be
   handled by the management application.

   While most of the objects in this document are suitable for the
   management of any type of network, there are some which are specific
   to managing Ethernet networks.  These are the objects in the
   etherStatsTable, the etherHistoryTable, and some attributes of the
   filterPktStatus and captureBufferPacketStatus objects.  The design of
   this MIB allows similar objects to be defined for other network
   types.  It is intended that future versions of this document and
   additional documents will define extensions for other network types.

   There are a number of companion documents to the RMON MIB.  The Token
   Ring RMON MIB [19] provides objects specific to managing Token Ring
   networks.  The RMON-2 MIB [20] extends RMON by providing RMON
   analysis up to the application layer.  The SMON MIB [21] extends RMON
   by providing RMON analysis for switched networks.

2.1.  Remote Network Management Goals

   o Offline Operation

      There are sometimes conditions when a management station will not
      be in constant contact with its remote monitoring devices.  This
      is sometimes by design in an attempt to lower communications costs
      (especially when communicating over a WAN or dialup link), or by
      accident as network failures affect the communications between the
      management station and the probe.

      For this reason, this MIB allows a probe to be configured to
      perform diagnostics and to collect statistics continuously, even
      when communication with the management station may not be possible
      or efficient.  The probe may then attempt to notify the management
      station when an exceptional condition occurs.
      Thus, even in circumstances where communication between management
      station and probe is not continuous, fault, performance, and
      configuration information may be continuously accumulated and
      communicated to the management station conveniently and
      efficiently.

   o Proactive Monitoring

      Given the resources available on the monitor, it is potentially
      helpful for it continuously to run diagnostics and to log network
      performance.  The monitor is always available at the onset of any
      failure.  It can notify the management station of the failure and
      can store historical statistical information about the failure.
      This historical information can be played back by the management
      station in an attempt to perform further diagnosis into the cause
      of the problem.

   o Problem Detection and Reporting

      The monitor can be configured to recognize conditions, most
      notably error conditions, and continuously to check for them.
      When one of these conditions occurs, the event may be logged, and
      management stations may be notified in a number of ways.

   o Value Added Data

      Because a remote monitoring device represents a network resource
      dedicated exclusively to network management functions, and because
      it is located directly on the monitored portion of the network,
      the remote network monitoring device has the opportunity to add
      significant value to the data it collects.  For instance, by
      highlighting those hosts on the network that generate the most
      traffic or errors, the probe can give the management station
      precisely the information it needs to solve a class of problems.

   o Multiple Managers

      An organization may have multiple management stations for
      different units of the organization, for different functions (e.g.
      engineering and operations), and in an attempt to provide disaster
      recovery.
      Because environments with multiple management stations are common,
      the remote network monitoring device has to deal with more than
      one management station, potentially using its resources
      concurrently.

2.2.  Textual Conventions

   Two new data types are introduced as a textual convention in this MIB
   document, OwnerString and EntryStatus.

2.3.  Structure of MIB

   The objects are arranged into the following groups:

      - ethernet statistics
      - history control
      - ethernet history
      - alarm
      - host
      - hostTopN
      - matrix
      - filter
      - packet capture
      - event

   These groups are the basic unit of conformance.  If a remote
   monitoring device implements a group, then it must implement all
   objects in that group.  For example, a managed agent that implements
   the host group must implement the hostControlTable, the hostTable and
   the hostTimeTable.  While this section provides an overview of
   grouping and conformance information for this MIB, the authoritative
   reference for such information is contained in the MODULE-COMPLIANCE
   and OBJECT-GROUP macros later in this MIB.

   All groups in this MIB are optional.  Implementations of this MIB
   must also implement the system group of MIB-II [16] and the IF-MIB
   [17].  MIB-II may also mandate the implementation of additional
   groups.

   These groups are defined to provide a means of assigning object
   identifiers, and to provide a method for implementors of managed
   agents to know which objects they must implement.

2.3.1.  The Ethernet Statistics Group

   The ethernet statistics group contains statistics measured by the
   probe for each monitored Ethernet interface on this device.  This
   group consists of the etherStatsTable.

2.3.2.  The History Control Group

   The history control group controls the periodic statistical sampling
   of data from various types of networks.  This group consists of the
   historyControlTable.

2.3.3.  The Ethernet History Group

   The ethernet history group records periodic statistical samples from
   an ethernet network and stores them for later retrieval.  This group
   consists of the etherHistoryTable.

2.3.4.  The Alarm Group

   The alarm group periodically takes statistical samples from variables
   in the probe and compares them to previously configured thresholds.
   If the monitored variable crosses a threshold, an event is generated.
   A hysteresis mechanism is implemented to limit the generation of
   alarms.  This group consists of the alarmTable and requires the
   implementation of the event group.

2.3.5.  The Host Group

   The host group contains statistics associated with each host
   discovered on the network.  This group discovers hosts on the network
   by keeping a list of source and destination MAC Addresses seen in
   good packets promiscuously received from the network.  This group
   consists of the hostControlTable, the hostTable, and the
   hostTimeTable.

2.3.6.  The HostTopN Group

   The hostTopN group is used to prepare reports that describe the hosts
   that top a list ordered by one of their statistics.  The available
   statistics are samples of one of their base statistics over an
   interval specified by the management station.  Thus, these statistics
   are rate based.  The management station also selects how many such
   hosts are reported.  This group consists of the hostTopNControlTable
   and the hostTopNTable, and requires the implementation of the host
   group.

2.3.7.  The Matrix Group

   The matrix group stores statistics for conversations between sets of
   two addresses.  As the device detects a new conversation, it creates
   a new entry in its tables.  This group consists of the
   matrixControlTable, the matrixSDTable and the matrixDSTable.

2.3.8.  The Filter Group

   The filter group allows packets to be matched by a filter equation.
   These matched packets form a data stream that may be captured or may
   generate events.
   This group consists of the filterTable and the channelTable.

2.3.9.  The Packet Capture Group

   The Packet Capture group allows packets to be captured after they
   flow through a channel.  This group consists of the
   bufferControlTable and the captureBufferTable, and requires the
   implementation of the filter group.

2.3.10.  The Event Group

   The event group controls the generation and notification of events
   from this device.  This group consists of the eventTable and the
   logTable.

3.  Control of Remote Network Monitoring Devices

   Due to the complex nature of the available functions in these
   devices, the functions often need user configuration.  In many cases,
   the function requires parameters to be set up for a data collection
   operation.  The operation can proceed only after these parameters are
   fully set up.

   Many functional groups in this MIB have one or more tables in which
   to set up control parameters, and one or more data tables in which to
   place the results of the op