This chapter describes management and configuration tasks for version 2.0 of the simple network management protocol (SNMP) agent. The chapter also describes tasks for the management information bases (MIBs) available with the BIG-IP system.
With the BIG-IP system SNMP agent and MIBs, you can manage the BIG-IP system by configuring traps for the SNMP agent or polling the BIG-IP system with your standard network management station (NMS).
You can use the Configuration utility to configure the BIG-IP system SNMP agent to send traps to your management system. You can also set up custom traps by editing several configuration files.
You can use SNMP security options to securely manage access to information collected by the BIG-IP system SNMP agent, including Community names, TCP wrappers, and View Access Control Mechanism (VACM).
This chapter is divided into four parts:
To set up SNMP for a remote network management station, you must download and install the product-specific MIB files. All BIG-IP systems have the following product-specific MIB files:
For a BIG-IP system with the 3-DNS module there are two additional product-specific MIB files:
You can download these files from the Additional Software Downloads section of the Configuration utility home page, where they appear as the following hypertext entries:
You can also download these files directly from /usr/local/share/snmp/mibs on the BIG-IP system to your remote host, using ssh and scp (crypto version) or telnet and ftp (non-crypto version).
To configure SNMP for a remote network management station, you must perform the following tasks:
All three tasks are performed using the SNMP Administration screen, shown in Figure 19.1. To access this screen, click System Admin in the navigation pane, then click the SNMP Administration tab.
To set up client access, you enable access and specify the IP or network addresses (with netmasks as required) from which the SNMP agent can accept requests. (By default, SNMP is enabled only for the BIG-IP system loopback interface 127.0.0.1.)
To allow access to the SNMP agent using the Configuration utility
System information includes certain traps, passwords, and general SNMP variable names. There are three main variables:
To set system information properties using the Configuration utility
You use the System Information section of the SNMP Administration screen to set the system information properties.
To configure traps, you provide three pieces of information:
To set trap configuration properties using the Configuration utility
You use the Trap Configuration section of the SNMP Administration screen to set trap properties.
The SNMP options that you specify in the SNMP Administration screen are written to one or more of the following configuration files. If you prefer, you can configure SNMP by directly editing the appropriate files with a text editor rather than using the Configuration utility.
The /etc/hosts.deny file must be present to deny by default all UDP connections to the SNMP agent. The contents of this file are as follows:
ALL : ALL
The /etc/hosts.allow file is used to specify which hosts are allowed to access the SNMP agent. There are two ways to configure access to the SNMP agent with the /etc/hosts.allow file. You can type in an IP address, or list of IP addresses, that are allowed to access the SNMP agent, or you can type in a network address and mask to allow a range of addresses in a subnetwork to access the SNMP agent.
For a specific list of addresses, type in the list of addresses you want to allow to access the SNMP agent. Addresses in the list must be separated by blank space or by commas. The basic syntax is as follows:
daemon: <IP address> <IP address> <IP address>
For example, you can type the following line which sets the SNMP agent to accept connections from the IP addresses specified:
snmpd: 22.214.171.124 126.96.36.199 188.8.131.52
For a range of addresses, the basic syntax is as follows, where daemon is the name of the daemon, and IP/MASK specifies the network that is allowed access. The IP must be a network address:
For example, you might use the following line which sets the bigsnmpd daemon to allow connections from the 184.108.40.206/255.255.255.0 network:
The preceding example allows the 254 possible hosts from the network address 220.127.116.11 to access the SNMP daemon. Additionally, you may use the keyword ALL to allow access for all hosts or all daemons.
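The following added example (not part of the original chapter or of the BIG-IP software) evaluates the deny-by-default and allow-list files described above the way TCP wrappers consults them, so you can check which source addresses an edited /etc/hosts.allow would admit before deploying it. The sample addresses are constructed documentation ranges, and only IPv4 literals, IP/MASK networks and the ALL keyword are handled.

```python
import ipaddress

# Constructed sample files; the addresses are documentation ranges, not from the page.
HOSTS_ALLOW = """\
# management stations
snmpd: 192.0.2.10, 192.0.2.11 198.51.100.7
snmpd: 203.0.113.0/255.255.255.0
"""
HOSTS_DENY = "ALL : ALL\n"

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        # Entries may be separated by blank space or by commas.
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # strict=True raises ValueError when the IP part is not a network address.
        return addr in ipaddress.ip_network(pattern, strict=True)
    return addr == ipaddress.ip_address(pattern)

def rule_hit(rules, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)

def is_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match at all means allow."""
    addr = ipaddress.ip_address(client)
    if rule_hit(parse_rules(allow_text), daemon, addr):
        return True
    return not rule_hit(parse_rules(deny_text), daemon, addr)
```

Calling `is_allowed` with an empty `deny_text` shows why the deny file must be present: without it, every address that is absent from the allow list is still admitted.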
The /etc/snmpd.conf file controls most of the SNMP agent. This file is used to set up and configure certain traps, passwords, and general SNMP variable names. A few of the necessary variables are listed below:
The /etc/snmptrap.conf configuration file includes OID, trap, and regular expression mappings. The configuration file specifies whether to send a specific trap based on a regular expression. An excerpt of the configuration file is shown in Figure 19.2.
# Default traps.
.18.104.22.168.4.1.3322.214.171.124.2.6 (ROOT LOGIN) ROOT LOGIN
.126.96.36.199.4.1.33188.8.131.52.2.5 (denial) REQUEST DENIAL
.184.108.40.206.4.1.33220.127.116.11.2.4 (BIG-IP Loading) SYSTEM RESET
.18.104.22.168.4.1.3322.214.171.124.2.3 (Service detected UP) SERVICE UP
.126.96.36.199.4.1.33188.8.131.52.2.2 (Service detected DOWN) SERVICE DOWN
#.184.108.40.206.4.1.33220.127.116.11.2.1 (error) Unknown Error
#.18.104.22.168.4.1.3322.214.171.124.2.1 (failure) Unknown Failure
Some of the OIDs have been permanently mapped to BIG-IP system specific events. The OIDs that are permanently mapped for the BIG-IP system include:
You may, however, insert your own regular expressions and map them to the 110.1 OID. The /etc/snmptrap.conf file contains two examples for mapping your own OIDs:
By default, the lines for these files are commented out. Use these OIDs for miscellaneous events. When lines match your expression, they are sent to your management software with the 110.2.1 OID.
If you change this file, restart the SNMP agent bigsnmpd as follows:
bigstart restart snmpd
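Before restarting the agent after an edit to /etc/snmptrap.conf, it helps to confirm that each custom regular expression compiles and matches the log lines you expect. The following added example (not the checktrap.pl implementation) parses entries in the layout of the excerpt above and reports which mappings a syslog line would hit; the OIDs and log lines are constructed placeholders, and it assumes the expressions are simple enough to behave the same in Python's `re` as in Perl.

```python
import re

# Constructed config in the layout of the excerpt: ".OID (regex) DESCRIPTION".
# The OIDs are placeholders, not the BIG-IP values.
SAMPLE_CONF = r"""
# Default traps.
.1.3.6.1.4.1.0.2.6 (ROOT LOGIN) ROOT LOGIN
.1.3.6.1.4.1.0.2.5 (denial) REQUEST DENIAL
.1.3.6.1.4.1.0.2.2 (Service detected DOWN) SERVICE DOWN
#.1.3.6.1.4.1.0.2.1 (error) Unknown Error
.1.3.6.1.4.1.0.2.1 (fan\d+ (failed|stalled)) FAN FAULT
.1.3.6.1.4.1.0.2.1 (unclosed[) BROKEN ENTRY
"""

# OID, then the regex inside the outermost parentheses, then the description.
ENTRY = re.compile(r"^(\.\d+(?:\.\d+)*)\s+\((.*)\)\s+(\S.*)$")

def load_mappings(text):
    """Return (active mappings, problems). Commented-out lines are skipped."""
    active, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append((n, "unparseable line"))
            continue
        oid, pattern, desc = m.groups()
        try:
            active.append((oid, re.compile(pattern), desc))
        except re.error as exc:
            problems.append((n, f"bad regex: {exc}"))
    return active, problems

def traps_for(line, mappings):
    """List (oid, description) for every mapping whose regex is found in the line."""
    return [(oid, desc) for oid, rx, desc in mappings if rx.search(line)]
```

An entry that lands in `problems` would never produce a trap, and a commented-out mapping is silent by design, so both are worth reviewing when an expected alert does not arrive.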
For the 3-DNS Controller, the configuration in /etc/3dns_snmptrap.conf determines which messages generate traps and what those traps are. Edit this file only if you want to add traps.
In order to generate traps, you must configure syslog to send syslog lines to checktrap.pl. If the syslog lines match the specified regular expressions in the snmptrap.conf file, a valid SNMP trap is generated. The following lines in the /etc/syslog.conf file cause syslog to send messages to checktrap.pl:
# local0.* /var/run/trapper
# local1.* /var/run/trapper
# local2.* /var/run/trapper
# auth.* /var/run/trapper
# kern.* /var/run/trapper
If you change this file, restart the SNMP agent bigsnmpd with the following command:
bigstart restart snmpd
Also, if you change the syslog.conf file, you must kill the syslogd and checktrap.pl processes, and then restart them. The checktrap.pl process must be restarted first, and then the syslogd process. The following command sequence shows how to kill and restart these processes. Note that <PID> represents the process ID of the syslogd and checktrap.pl processes.
ps -axw | grep syslogd
ps -axw | grep checktrap.pl
You can configure the snmpd to respond on different ports or bind the daemon to a specific interface. Use the following syntax to configure snmpd:
snmpd -p [(udp|tcp):]port[@address][,...]
Use this command to make the agent listen on the specified list of sockets instead of the default port, which is port 161. Separate multiple ports by commas. You can specify transports by prefixing the port number with the transport name (udp or tcp) followed by a colon.
To bind to a particular interface, you can specify the address you want it to bind with. For example, you can specify the following command to make the agent listen on UDP port 161 for any address, TCP port 161 for any address, and UDP port 9161 on only the interface associated with the localhost address.
snmpd -p 161,tcp:161,9161@localhost
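The following added example (not part of the original chapter or of snmpd) parses a `-p` argument in the syntax shown above and lists the entries that bind to every address, which are the listeners that rely entirely on the host access files and community names for protection. The function names are hypothetical, and the default transport is taken to be UDP, as in the example command.

```python
def parse_listen_spec(spec):
    """Parse the argument of `snmpd -p` into (transport, port, address) tuples.

    address is None when the entry binds to every address.
    """
    listeners = []
    for item in spec.split(","):
        item = item.strip()
        transport = "udp"                      # default when no prefix is given
        if ":" in item:
            transport, item = item.split(":", 1)
            if transport not in ("udp", "tcp"):
                raise ValueError(f"unknown transport {transport!r}")
        port, _, address = item.partition("@")
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port {port!r}")
        listeners.append((transport, int(port), address or None))
    return listeners

def wildcard_listeners(spec):
    """Return (transport, port) for every entry that is not tied to one address."""
    return [(t, p) for t, p, a in parse_listen_spec(spec) if a is None]
```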