This chapter covers the management and configuration tasks for the simple network management protocol (SNMP) agent and management information bases (MIBs) available with the BIG-IP.
The BIG-IP SNMP agent and MIBs allow you to manage the BIG-IP by configuring traps for the SNMP agent or polling the BIG-IP with your standard network management station (NMS).
You can use the Configuration utility to configure the BIG-IP SNMP agent to send traps to your management system. You can also set up custom traps by editing several configuration files.
You can use SNMP security options to securely manage access to information collected by the BIG-IP SNMP agent, including Community names, TCP wrappers, and View Access Control Mechanism (VACM).
This chapter is divided into three parts:
To set up SNMP for a remote network management station, you must download and install the product-specific MIB files. For all BIG-IP units there are the following product-specific MIB files:
For a BIG-IP with the 3-DNS module there are two additional product-specific MIB files:
You can download these files from the Additional Software Downloads section of the Configuration utility home page, where they appear as the following hypertext entries:
You can also download these files directly from /usr/local/share/snmp/mibs on the BIG-IP to your remote host using ssh and scp (crypto version) telnet and ftp (non-crypto version).
To configure SNMP for a remote network management station, you must perform the following tasks:
All three tasks are performed using the SNMP Administration screen, shown in Figure 8.1. To access this screen, simply click System Admin in the navigation pane, then click the SNMP Administration tab.
To set up client access, you enable access and specify the IP or network addresses (with netmasks as required) from which the SNMP agent can accept requests. (By default, SNMP is enabled only for the BIG-IP loopback interface 127.0.0.1.)
System information includes certain traps, passwords, and general SNMP variable names. There are three main variables:
You use the System Information section of the SNMP Administration screen to set the system information properties.
To configure traps, you provide three pieces of information:
You use the Trap Configuration section of the SNMP Administration screen to set trap properties.
The SNMP options that you specify in the SNMP Administration screen are written to one or more of the following configuration file or files. If you prefer, you can configure SNMP by directly editing the appropriate files with a text editor rather than using the Configuration utility.
This file must be present to deny by default all UDP connections to the SNMP agent. The contents of this file are as follows:
ALL : ALL
The /etc/hosts.allow file is used to specify which hosts are allowed to access the SNMP agent. There are two ways to configure access to the SNMP agent with the /etc/host.allow file. You can type in an IP address, or list of IP addresses, that are allowed to access the SNMP agent, or you can type in a network address and mask to allow a range of addresses in a subnetwork to access the SNMP agent.
For a specific list of addresses, type in the list of addresses you want to allow to access the SNMP agent. Addresses in the list must be separated by blank space or by commas. The basic syntax is as follows:
daemon: <IP address> <IP address> <IP address>
For example, you can type the following line which sets the SNMP agent to accept connections from the IP addresses specified:
bigsnmpd: 18.104.22.168 22.214.171.124 126.96.36.199
For a range of addresses, the basic syntax is as follows, where daemon is the name of the daemon, and IP/MASK specifies the network that is allowed access. The IP must be a network address:
For example, you might use the following line which sets the bigsnmpd daemon to allow connections from the 188.8.131.52/255.255.255.0 address:
The example above allows the 254 possible hosts from the network address 184.108.40.206 to access the SNMP daemon. Additionally, you may use the keyword ALL to allow access for all hosts or all daemons.
The /etc/snmpd.conf file controls most of the SNMP agent. This file is used to set up and configure certain traps, passwords, and general SNMP variable names. A few of the necessary variables are listed below:
Note: A trapport line controls all trapsink lines that follow it until another trapport line appears. Therefore, to change the trap port for a trap sink, the new trapport line must be inserted before the trap sink's trapsink line, with no other trapport lines in between. The same logic follows for trapcommunity lines.
This configuration file includes OID, trap, and regular expression mappings. The configuration file specifies whether to send a specific trap based on a regular expression. An excerpt of the configuration file is shown in Figure 8.2.
# Default traps.
.220.127.116.11.4.1.3318.104.22.168.2.6 (ROOT LOGIN) ROOT LOGIN
.22.214.171.124.4.1.33126.96.36.199.2.5 (denial) REQUEST DENIAL
.188.8.131.52.4.1.33184.108.40.206.2.4 (BIG-IP Loading) SYSTEM RESET
.220.127.116.11.4.1.3318.104.22.168.2.3 (Service detected UP) SERVICE UP
.22.214.171.124.4.1.33126.96.36.199.2.2 (Service detected DOWN) SERVICE DOWN
#.188.8.131.52.4.1.33184.108.40.206.2.1 (error) Unknown Error
#.220.127.116.11.4.1.3318.104.22.168.2.1 (failure) Unknown Failure
Some of the OIDs have been permanently mapped to BIG-IP specific events. The OIDs that are permanently mapped for the BIG-IP include:
You may, however, insert your own regular expressions and map them to the 110.1 OID. The /etc/snmptrap.conf file contains two examples for mapping your own OIDs:
By default, the lines for these files are commented out. Use these OIDs for miscellaneous events. When lines match your expression, they are sent to your management software with the 110.2.1 OID.
If you change this file, restart the SNMP agent bigsnmpd as follows:
bigstart restart bigsnmpd
For the 3-DNS Controller, the configuration in /etc/3dns_snmptrap.conf determines which messages generate traps and what those traps are. Edit this file only if you want to add traps.
In order to generate traps, you must configure syslog to send syslog lines to checktrap.pl. If the syslog lines make a match to the specified configuration in the snmptrap.conf file, a valid SNMP trap is generated. The following lines in the /etc/syslog.conf file require that the syslog examine information logged, scan the snmptrap.conf file, and determine if a trap should be generated:
local0.* | exec /sbin/checktrap.pl.
local1.* | exec /sbin/checktrap.pl.
auth.* | exec /sbin/checktrap.pl.
local2.* | exec /sbin/checktrap.pl. (for 3-DNS only)
If you change this file, restart the SNMP agent bigsnmpd with the following command:
bigstart restart bigsnmpd
You can configure the snmpd to respond on different ports or bind the daemon to a specific interface. Use the following syntax to configure snmpd:
snmpd -p [(udp|tcp):]port[@address][,...]
Use this command to make the agent list on the specified list of sockets instead of the default port, which is port 161. Separate multiple ports by commas. You can specify transports by prepending the port number with the transport name (udp or tcp) followed by a colon.
To bind to a particular interface, you can specify the address you want it to bind with. For example, you can specify the following command to make the agent listen on UDP port 161 for any address, TCP port 161 for any address, and UDP port 9161 on only the interface associated with the localhost address.
snmpd -p 161,tcp:161,9161@localhost