RMON

Answered Question
Jun 9th, 2009
User Badges:

Getting a bit confused here when to use "delta" or "absolute" during rmon configuration.

What need to be used in the below scenerio........


• In order to help detect possible flood attacks in the future configure R2 to

generate an SNMP trap when the interface input unicast packets

(ifEntry.11.1) value rises more than 15000 per minute, and when the

value falls back below 5000 per minute.

• The sampling interval should be every sixty seconds.

• When the 15000 threshold is breached an event should be generated that

reads “Above 15000 for ifInUcastPkts”.

• When the value falls back to 5000 an event should be generated that

reads “Below 5000 for ifInUcastPkts”.

• The server to send these SNMP traps to is 183.X.17.100.

• This server will be expecting the community string to be XXXX.


Please expalin the diffrence, I will understand.

Correct Answer by Laurent Aubert about 7 years 10 months ago

Hi,


Delta means the difference between when you are reading the data and the value of the previous reading.


Absolute refer to the value of the MIB variable when you read it.


In your case, it's a delta value because you need to send the trap when the counter rise or increase more than 15000 packets. We don't care of its actual value, we just check: actual value - previous value >= 15000


You should have use absolute if the question was more like " send the trap when the counter reach 1000000" for example.


HTH


Laurent.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Laurent Aubert Tue, 06/09/2009 - 13:02
User Badges:
  • Cisco Employee,

Hi,


Delta means the difference between when you are reading the data and the value of the previous reading.


Absolute refer to the value of the MIB variable when you read it.


In your case, it's a delta value because you need to send the trap when the counter rise or increase more than 15000 packets. We don't care of its actual value, we just check: actual value - previous value >= 15000


You should have use absolute if the question was more like " send the trap when the counter reach 1000000" for example.


HTH


Laurent.

thotsaphon Wed, 06/10/2009 - 01:24
User Badges:
  • Gold, 750 points or more

Hi,

What I have in mind is as follows:


Normally we use an “absolute” key-word for the value that gets increasing and decreasing. F.e. CPU/Memory utilization.

Normally we use a “delta” key-word for the value that gets only increasing. F.e. Port Utilization. CRC errors.


Toshi

Actions

This Discussion