There are two ways to configure events. The easiest way and the least costly to your network is to have the network device check the trigger points and generate the event. It is easier because you don't have to collect the data you need to analyze. The data you want to query already exists in the device on which you are configuring the event. It is less costly to your network because the only traffic that traverses your network is when an event is generated. However, if you rely solely on this method, you risk missing events that can't be delivered for a variety of reasons.
The other method is to collect data at a management station and analyze that data against thresholds there. This method is discussed in more detail in "Setting Triggers by Collecting and Analyzing Data" later in this chapter.
Thresholds on devices, also known as agent-based thresholds, allow your network devices to directly generate events when something interesting happens on your network. One way to set thresholds on devices is with SNMP and the RMON MIB.
RMON supports continuous thresholds on counters and gauges. Although RMON can occasionally be used on discrete objects, see "Setting Continuous Thresholds On Discrete Objects" for details on the limitations of doing this.
Setting an RMON threshold usually means using SNMP to configure devices. Some devices also support setting RMON thresholds through other methods such as a command-line interface (CLI). Cisco IOS devices have supported the alarms and events RMON groups since IOS 11.1 in selected feature sets. Cisco Catalyst devices have supported mini-RMON (the etherStats, history, alarms, and events groups) since version 2.1.
You can set RMON thresholds through SNMP by using a utility that can create SNMP sets or by using a management station that can configure RMON events. Both of these methods require software. Refer to the "Configuring Events" section in Chapter 9 for advice on selecting your tools.
The next three sections cover how to set up RMON thresholds using SNMP, RMON-aware management applications, and the command-line interface on Cisco IOS devices.
Setting RMON Thresholds Using SNMP
To set a threshold using RMON, you need to create a row in two RMON tables: the eventTable and alarmTable. By setting up a row in the alarmTable, you are telling the agent to analyze a specific SNMP MIB object according to your criteria and create an RMON event if the criteria are met. RMON events are not communicated outside of the agent and do not create SNMP notifications. You must set up an entry in the eventTable to take action on the RMON event generated by the alarmTable, such as creating and sending a SNMP notification. If the device you are configuring supports RMON2 and you want to control the destination of any SNMP notifications, you will also want to configure the trapDestTable.
Setting RMON Thresholds Using RMON Managers
In most cases, using a RMON manager to set RMON thresholds is much easier than setting them manually. From reading the previous section, you should understand what information you need to fill in to get the results you want.
Typically, the RMON manager discovers the attributes of the device for you, including the type and speed of all interfaces. Then, it presents you with a list of objects, including interface-specific and other SNMP objects, and allows you to set up the rising and falling thresholds. If you are using an object that refers to an interface, typically the manager computes the number needed, given the speed of the interface and the interval from the percentage value. For other objects, you often can specify the rising and falling rates and have the manager compute the number to set in the rising and falling threshold objects.
A RMON manager can replicate the same settings across all similar interfaces on a device or even across your network. You should have the information about what you want to configure in your knowledge base. Unfortunately, you probably will find it difficult to integrate this information with a RMON manager. If the RMON manager has a command-line utility or API to set thresholds, you may be able to write a simple glue script to implement thresholds to the specifications in your knowledge base.
Setting RMON Thresholds Using the Cisco IOS CLI
The Cisco IOS allows you to set up RMON events and alarms from the command-line utility (CLI.) The following discussion provides the syntax of the commands required, using the same names used for the eventTable and alarmTable. First, here's the syntax for setting up an event:
rmon event eventIndex [log] [trap eventCommunity] [description eventDescription] [owner eventOwner]
If neither the log nor the trap options are specified, then alarmTable object eventType is set to none. If only log is specified, then eventType is set to log. If only trap is specified, then eventType is set to snmp-trap. If both are specified, then eventType is set to log-and-trap.
To set up an event to send a trap when triggered, you would enter this command:
rmon event 3 log trap public description 'Event to create log entry and SNMP notification' owner 'RMONman 22.214.171.124 2643'
And here's the syntax for setting up an alarm:
rmon alarm alarmIndex alarmVariable alarmInterval alarmSampleType rising-threshold alarmRisingThreshold [alarmRisingEventIndex] falling-threshold alarmFallingThreshold [alarmFallingEventIndex] [owner alarmOwner]
The alarmVariable is specified as either the entire dotted decimal ASN.1 OID for the object or with the table entry name followed by the table object number and the instance. For example, to specify ifInOctects for the first interface, you would enter ifEntry.10.1.
To set up an alarm to trigger the event we just configured, you would enter the following command:
rmon alarm 2 ifEntry.10.12 30 delta rising-threshold 2400000 3 falling-threshold 1800000 3 owner 'RMONman 126.96.36.199 2643'
Setting Continuous Thresholds on Discrete Objects
RMON only supports continuous thresholds. However, sometimes you will want to use RMON to set thresholds on discrete objects. In some cases, you will be able to get the results you want, depending on the object and the thresholds.
A good example of using RMON to set a threshold on a discrete object is detecting PVC status on ATM networks. The object atmVclOperStatus from the ATM-MIB (RFC 2515) is the one you need to monitor (see "Monitoring PVC Status" in Chapter 14). The object atmVclOperStatus is an enumerated variable that should have a state of up, or 1. Any other state indicates a problem with the PVC.
Because up is the first enumerated variable, you can set a continuous-type absolute threshold against this enumerated variable and get the kind of alarms you want. Just set the rising threshold to 2 and the falling threshold to 1. Be sure to attach the rising threshold to an event because this is the alarm that tells you when your PVC has an abnormal status. You may also want to attach the falling threshold to an event that alerts you to a restoration of the normal state.
This will work only with enumerated variables that have the desired state or states as the first possible value or as the last possible value or values, where you would set the falling threshold to one less than the desired value and the rising threshold to the desired value. In this case, you would attach the falling threshold to an event to alert you to this abnormal condition and the rising threshold to an event to alert you that the normal state has been restored.
Programming Devices to Configure Events
Using RMON is not the only way to configure events. Devices that have facilities to allow administrators to run programs can be programmed to check triggers and generate events. These type of devices include
These devices give you the most flexibility in determining what you want to check for triggers, what type of thresholds you want to implement, and the type of events to generate from the triggering of these settings.
There are two major techniques you can use to take advantage of these facilities. The first is to program the checking of triggers and generation of events yourself. The second is to take advantage of the work of others and obtain an application that is designed to perform these functions. Check out the configuring events section in Chapter 9, "Selecting the Tools," for more information on tools available for this purpose.
You may find it useful to program your own triggers for specialized or unique data objects that your network depends upon to supply services. An example might be instrumenting client/server applications to verify a load on the server and setting thresholds on that load. Other examples might include
You can use any suitable programming language to check thresholds and generate alerts.
Using Applications to Check Triggers
Several types of applications support configuring events, including the following:
You will need to determine what objects you want to monitor and choose the application that allows you the most flexibility in monitoring those objects and generating events.
Chapter 9 provides more details on selecting these applications in the section Configuring events.
Setting Triggers by Collecting and Analyzing Data
Triggers set by collecting and analyzing data are also known as network management system-based triggers. This method of setting triggers and generating events is more flexible than having network devices check triggers and generate events. But it also is more costly to your network and requires more maintenance.
In the previous chapter, we explained how to collect performance data on your network. Although this technique of configuring events has the most flexibility, it can have the highest impact on your network because, instead of transferring data only when an event is triggered, you will be transferring data at your sample rate for each object being monitored. You may also find that polling your devices through SNMP may cost more on those devices in CPU load than setting RMON thresholds directly on the devices.
How you choose to collect this data may help you determine how best to check thresholds and generate events. Many of the techniques listed earlier in this chapter can be used to check thresholds against collected data.
A common belief is that if the threshold requires a calculation, you usually must collect the data and calculate the value at the management station. However, a MIB, known as the expression MIB, allows you to form composite SNMP objects for calculations on other objects. So it is sometimes possible to avoid collecting the data and analyzing the threshold on a management station if you use this MIB.