RMON
Configure R2 to generate local logs and SNMP traps to 10.1.2.1 using community string CISCO123 when the following occurs:
When the output packets count (ifOutUcastPkts) on Gi2.12 exceed 100 over a 5 second interval
When the output packets count on Gi2.12 then falls below 10 over a 5 second interval
Use RMON to accomplish this.
Answer
#R2
snmp-server host 10.1.2.1 CISCO123
! Find the ifindex using show snmp mib ifmib ifindex
rmon event 1 log trap CISCO123 description "Above 100"
rmon event 2 log trap CISCO123 description "Below 10"
rmon alarm 1 ifOutUcastPkts.6 5 delta rising-threshold 100 1 falling-threshold 10 2Explanation
RMON Background
RMON is a standardized monitoring specification that we can use with SNMP to generate SNMP traps based on crossed thresholds of SNMP MIB values.
RMON is only configurable on IOS-XE. It uses alarm groups (which determine when an alarm is generated), and event groups (which determine what to do when the alarm is generated).
The RMON alarm group periodically measures the values of MIB variables. Two values are defined: a rising-threshold and a falling-threshold. Once a risingAlarm is generated, a fallingAlarm isn’t generated until the value falls below the falling-threshold. When configuring the threshold, you must specify whether it is absolute or a delta value. An absolute value means that the value has changed by a specific amount (i.e. CPU utilization went above 50%). A delta value means that the value has changed by more than the specified amount (i.e. a packet counter when from 100 to 151 and the delta value is 50).
The alarm group is only used for 32-bit objects. To use 64-bit objects you must use the high capacity alarm (HC-alarm).
The RMON event group is referenced by the alarm, and determines whether a log, SNMP trap, or both are generated.
Solution
First we must enable SNMP traps to the host 10.1.2.1. Note that we don’t need to use the command “snmp-server enable traps” when we are generating traps using RMON.
Once the snmp agent is running, we can find the ifIndex number of Gi2.12:
This will be used to obtain the value of the output packets on that interface. We’ll use the MIB object ifOutUcastPkts.6.
Next we define the RMON events which is fairly straight forward. The router appears to automatically associate the trap community CISCO123 with the host 10.1.2.1 which is configured with the same community.
rmon event 1 log trap CISCO123 description "Above 100"
rmon event 2 log trap CISCO123 description "Below 10"Now we define the alarm. The sample interval is 5 seconds. The rising threshold is a delta of 100, and the falling threshold is a delta of 10. The rising threshold triggers event 1, and the falling threshold triggers event 2.
rmon alarm 1 ifOutUcastPkts.11 5 delta rising-threshold 100 1 falling-threshold 10 2The alarm looks at the ifInUcastPkts for the interface with ifIndex 11. The value is taken every 5 seconds.
If the delta value is over 100, the rising alarm is generated, and event 1 is executed
If the delta value falls under 10, the falling alarm is generated and event 2 is executed
To test this out we can simply ping between the two devices:
A pcap on the Gi2.12 interface shows that the SNMP traps are being sent:
Last updated