Manual Chapter : BIG-IP Reference Guide version 4.2: Configuring SNMP

Applies To:

BIG-IP versions 1.x - 4.x

  • 4.2 PTF-10, 4.2 PTF-09, 4.2 PTF-08, 4.2 PTF-07, 4.2 PTF-06, 4.2 PTF-05, 4.2 PTF-04, 4.2 PTF-03, 4.2 PTF-02, 4.2 PTF-01, 4.2.0
Chapter 8: Configuring SNMP



Introduction

This chapter covers the management and configuration tasks for the simple network management protocol (SNMP) agent and management information bases (MIBs) available with the BIG-IP.

Note: On a BIG-IP with a 3-DNS module installed, you must configure the SNMP agent in order to use the SEE-IT Network Manager.

The BIG-IP SNMP agent and MIBs allow you to manage the BIG-IP by configuring traps for the SNMP agent or polling the BIG-IP with your standard network management station (NMS).

You can use the Configuration utility to configure the BIG-IP SNMP agent to send traps to your management system. You can also set up custom traps by editing several configuration files.

You can use SNMP security options to securely manage access to information collected by the BIG-IP SNMP agent, including Community names, TCP wrappers, and View Access Control Mechanism (VACM).

This chapter is divided into the following parts:

  • Downloading the MIBS
    This section shows how to download the SNMP MIBs.
  • Configuring SNMP using the Configuration utility
    This section shows how to set up SNMP for a remote administrative host.
  • SNMP configuration files
    This section describes the SNMP configuration files and their syntax.
  • Configuring snmpd to respond out of different ports and addresses
    This section describes how to configure snmpd to respond out of different ports and addresses.

Downloading the MIBs

To set up SNMP for a remote network management station, you must download and install the product-specific MIB files. For all BIG-IP units there are the following product-specific MIB files:

  • LOAD-BAL-SYSTEM-MIB.txt
    This is an enterprise MIB that contains specific information for properties associated with specific BIG-IP functionality (load balancing, NATs, and SNATs).
  • UCD-SNMP-MIB.txt
    This is an enterprise MIB that contains information and metrics about memory, disk utilization, and other information regarding the BIG-IP operating system. It is fully documented in RFC 1213.
  • Etherlike-MIB.txt
    This is a standard MIB which describes statistics for the collection of Ethernet interfaces attached to the system. It is fully documented in RFC 2665.
  • If-MIB.txt
    This MIB supports an extended version of the ifTable, including 64-bit counters.
  • RMON-MIB.txt
    This is a standard MIB that describes real-time and historical statistics for the Ethernet systems in the interface. This MIB also allows the setting of alerts and traps based on user-defined thresholds of available metrics in the system. It is fully documented in RFC 2819.
  • rfc1525.mib
    This is a standard MIB which describes objects for managing MAC bridges based on the IEEE 802.1D-1990 standard between Local Area Network (LAN) segments. It is fully documented in RFCs 1463 and 1525.

For a BIG-IP with the 3-DNS module there are two additional product-specific MIB files:

  • RFC1611.my
    This is the DNS MIB (for the 3-DNS module only).
  • 3dns.my
    This is an enterprise MIB which describes information and properties of objects associated with the functioning of 3-DNS (for the 3-DNS module only).

You can download these files from the Additional Software Downloads section of the Configuration utility home page, where they appear as the following hypertext entries:

  • BIG-IPMIB (LOAD-BAL-SYSTEM-MIB.txt and UCD-SNMP-MIB.txt)
  • Interface MIB (If-MIB.txt)
  • RMON MIB (RMON-MIB.txt)
  • BRIDGE (rfc1525.mib)

You can also download these files directly from /usr/local/share/snmp/mibs on the BIG-IP to your remote host using ssh and scp (crypto version), or telnet and ftp (non-crypto version).

Configuring SNMP using the Configuration utility

To configure SNMP for a remote network management station, you must perform the following tasks:

  • Set up client access
    Configure the BIG-IP to allow administrative access to the SNMP agent.
  • Configure system information
    Set the system information variables.
  • Configure Traps
    Enable traps and specify by community, port, and sink.

All three tasks are performed using the SNMP Administration screen, shown in Figure 8.1. To access this screen, simply click System Admin in the navigation pane, then click the SNMP Administration tab.

Figure 8.1 SNMP Administration screen

Setting up client access

To set up client access, you enable access and specify the IP or network addresses (with netmasks as required) from which the SNMP agent can accept requests. (By default, SNMP is enabled only for the BIG-IP loopback interface 127.0.0.1.)

To allow access to the SNMP agent using the Configuration utility

  1. In the top of the SNMP Administration screen, check the Enable box to allow access to the BIG-IP SNMP agent.
  2. In the Client Access Allow List section, type the following information:

    • IP Address or Network Address
      Type an IP address or network address from which the SNMP agent can accept requests.
    • Netmask
      If you typed a network address in the IP Address or Network Address box, type the netmask for that network address in this box.
  3. Click the Add (>>) button to add the address to the Current List.

Configuring system information

System information includes certain traps, passwords, and general SNMP variable names. There are three main variables:

  • System Contact name
    The System Contact is a MIB-II simple string variable defined by almost all SNMP boxes. It usually contains a user name, as well as an email address.
  • Machine Location (string)
    The Machine Location is a MIB-II variable that almost all boxes support. It is a simple string that defines the location of the box.
  • Community String
    The community string is a clear-text password used for basic SNMP security. It also maps to VACM groups, but for initial read-only access it is limited to just one group.

To set system information properties using the Configuration utility

You use the System Information section of the SNMP Administration screen to set the system information properties.

  1. In the System Contact box, type the contact name and email address for the person to contact regarding issues with this BIG-IP.
  2. In the Machine Location box, type a machine location, such as First Floor, or Building 1, that describes the physical location of the BIG-IP.
  3. In the Community String box, type a community name. The community name is a clear text password used for basic SNMP security and for grouping machines that you manage.

Configuring traps

To configure traps, you provide three pieces of information:

  • trapcommunity <community string>
    This sets the community string (password) to use for sending traps. If set, it also sends a trap upon startup: coldStart(0).
  • trapport <port>
    This sets the port on which traps are sent. There must be one trapport line for each trapsink host.
  • authtrapenable <integer>
    Setting this variable to 1 enables traps to be sent for authentication warnings. Setting it to 2 disables it.

To set trap configuration properties using the Configuration utility

You use the Trap Configuration section of the SNMP Administration screen to set trap properties.

  1. Check the Auth Trap Enabled box to allow traps to be sent for authentication warnings.
  2. In the Community box, type the community name to which this BIG-IP belongs. Traps sent from this box are sent to the management system managing this community.
  3. In the Service box, type the service name on which the BIG-IP sends traps. Traps sent from the BIG-IP are sent to the management system through this port.
  4. In the Sink box, type the host that should be notified when a trap is sent by the BIG-IP SNMP agent.
  5. Click the Add (>>) button to add it to the Current List. To remove a trap sink from the Current List, click the trap sink you want to remove, and click the Remove (<<) button.
  6. Click the Apply button.

SNMP configuration files

The SNMP options that you specify in the SNMP Administration screen are written to one or more of the following configuration files. If you prefer, you can configure SNMP by directly editing the appropriate files with a text editor rather than using the Configuration utility.

  • hosts.deny
    This file denies all UDP connections to the SNMP agent.
  • hosts.allow
    This file specifies which hosts are allowed to access the SNMP agent.
  • snmpd.conf
    This file configures the SNMP agent.
  • snmptrap.conf
    For the BIG-IP, the configuration in /etc/snmptrap.conf determines which messages generate traps, and what those traps are. Edit this file only if you want to add traps.
  • 3dns_snmptrap.conf
    For the 3-DNS Controller, the configuration in /etc/3dns_snmptrap.conf determines which messages generate traps and what those traps are. Edit this file only if you want to add traps.
  • syslog.conf
    Configure /etc/syslog.conf to pipe specified message types through checktrap.pl.

/etc/hosts.deny

This file must be present to deny by default all UDP connections to the SNMP agent. The contents of this file are as follows:

ALL : ALL

/etc/hosts.allow

The /etc/hosts.allow file is used to specify which hosts are allowed to access the SNMP agent. There are two ways to configure access to the SNMP agent with the /etc/hosts.allow file. You can type in an IP address, or a list of IP addresses, that are allowed to access the SNMP agent, or you can type in a network address and mask to allow a range of addresses in a subnetwork to access the SNMP agent.

For a specific list of addresses, type in the list of addresses you want to allow to access the SNMP agent. Addresses in the list must be separated by blank space or by commas. The basic syntax is as follows:

daemon: <IP address> <IP address> <IP address>

For example, you can type the following line which sets the SNMP agent to accept connections from the IP addresses specified:

bigsnmpd: 128.95.46.5 128.95.46.6 128.95.46.7

For a range of addresses, the basic syntax is as follows, where daemon is the name of the daemon, and IP/MASK specifies the network that is allowed access. The IP must be a network address:

daemon: IP/MASK

For example, you might use the following line which sets the bigsnmpd daemon to allow connections from the 128.95.46.0/255.255.255.0 address:

bigsnmpd: 128.95.46.0/255.255.255.0

The example above allows the 254 possible hosts from the network address 128.95.46.0 to access the SNMP daemon. Additionally, you may use the keyword ALL to allow access for all hosts or all daemons.

Note: 192.168.1/24 CIDR syntax is not allowed.
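The following Python script is an added example for this chapter; it is not part of the F5 documentation or of the BIG-IP software. It evaluates a client address against /etc/hosts.allow and /etc/hosts.deny text in the order TCP wrappers use (hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is allowed), so an administrator can check before deploying which stations will reach the agent and why the ALL : ALL line in hosts.deny is required. The file contents, the client addresses and the sshd daemon name are constructed for illustration; the rejection of CIDR prefixes such as 192.168.1/24 implements the note above.

```python
import ipaddress
import re

# Constructed sample files, modelled on the syntax shown in this chapter.
HOSTS_ALLOW = """
# SNMP agent: three management stations and the management subnet
bigsnmpd: 128.95.46.5 128.95.46.6, 128.95.46.7
bigsnmpd: 128.95.46.0/255.255.255.0
"""

HOSTS_DENY = """
ALL : ALL
"""


def _parse_rules(text):
    """Return [(daemons, clients), ...] from hosts.allow / hosts.deny text.

    Entries in a list may be separated by blank space or by commas; # starts a comment.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemon_part, _, client_part = line.partition(":")
        daemons = [d for d in re.split(r"[\s,]+", daemon_part.strip()) if d]
        clients = [c for c in re.split(r"[\s,]+", client_part.strip()) if c]
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip):
    """Match one client pattern (ALL, a single address, or IP/MASK) against an IPv4 address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", mask):
            # The chapter notes that CIDR prefix syntax (192.168.1/24) is not allowed here.
            raise ValueError(f"CIDR syntax is not allowed in this file: {pattern}")
        # strict=True (the default) rejects a host address such as 128.95.46.5/255.255.255.0:
        # the chapter requires the IP in IP/MASK to be a network address.
        return ip in ipaddress.IPv4Network((net, mask))
    return ip == ipaddress.IPv4Address(pattern)


def is_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """TCP-wrapper decision for one daemon and client address.

    hosts.allow is searched first; a match grants access. hosts.deny is searched next;
    a match refuses access. If neither file matches, access is granted, which is why
    hosts.deny must carry the ALL : ALL line.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for rules, verdict in ((_parse_rules(allow_text), True), (_parse_rules(deny_text), False)):
        for daemons, clients in rules:
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if any(_client_matches(c, ip) for c in clients):
                return verdict
    return True


if __name__ == "__main__":
    for who in ("128.95.46.5", "128.95.46.200", "10.0.0.1"):
        print(f"bigsnmpd from {who}: {'allowed' if is_allowed('bigsnmpd', who) else 'denied'}")
    # With no hosts.deny content at all, an unlisted station would be allowed.
    print("10.0.0.1 without hosts.deny:", is_allowed("bigsnmpd", "10.0.0.1", deny_text=""))
```

Run the script to see the decisions for the constructed files; the last line shows that removing /etc/hosts.deny silently opens the agent to every address, which is the failure mode the chapter's "must be present" wording guards against.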

/etc/snmpd.conf

The /etc/snmpd.conf file controls most of the SNMP agent. This file is used to set up and configure certain traps, passwords, and general SNMP variable names. A few of the necessary variables are listed below:

  • System Contact Name
    The System Contact is a MIB-II simple string variable defined by almost all SNMP boxes. It usually contains a user name, as well as an email address. This is set by the syscontact key.
  • Machine Location (string)
    The Machine Location is a MIB-II variable that almost all boxes support. It is a simple string that defines the location of the box. This is set by the syslocation key.
  • Community String
    The community string is a clear-text password used for basic SNMP security. It also maps to VACM groups, but for initial read-only access it is limited to only one group.
  • Trap Configuration
    Trap configuration is controlled by these entries in the /etc/snmpd.conf file:

    • trapsink <host>
      This sets the host to receive trap information. The <host> is an IP address.
    • trapport <port>
      This sets the port on which traps are sent. There must be one trapport line for each trapsink host.
    • trapcommunity <community string>
      This sets the community string (password) to use for sending traps. If set, it also sends a trap upon startup: coldStart(0).
    • authtrapenable <integer>
      Setting this variable to 1 enables traps to be sent for authentication warnings. Setting it to 2 disables it.
    • data_cache_duration <seconds>
      This is the time in seconds during which data is cached. The default value for this setting is one second.

    Note: A trapport line controls all trapsink lines that follow it until another trapport line appears. Therefore, to change the trap port for a trap sink, the new trapport line must be inserted before the trap sink's trapsink line, with no other trapport lines in between. The same logic follows for trapcommunity lines.
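The following Python script is an added example, not part of the F5 documentation or of the BIG-IP software. It walks an snmpd.conf fragment top to bottom and reports the port and community that each trapsink line will actually use under the ordering rule in the note above, which makes a misplaced trapport line visible before the agent is restarted. The snmpd.conf contents and the 192.0.2.x sink addresses are constructed for illustration; the fallback port of 162 (the standard SNMP trap port) for a trapsink that precedes any trapport line is an assumption of this example, not something the chapter states.

```python
# Constructed snmpd.conf fragment using the keys listed in this chapter.
SNMPD_CONF = """
syscontact  NOC <noc@example.com>
syslocation Building 1, First Floor
trapcommunity public
trapport 162
trapsink 192.0.2.10
trapsink 192.0.2.11
trapport 1162
trapcommunity nocTraps
trapsink 192.0.2.12
authtrapenable 1
"""

# Same intent, but the trapport line was placed after the trapsink line it was meant for.
MISORDERED_CONF = """
trapcommunity public
trapsink 192.0.2.20
trapport 1162
"""


def _entries(conf_text):
    """Yield (key, value) pairs, skipping blank lines and # comments."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def resolve_trap_sinks(conf_text, default_port=162, default_community=None):
    """Return [(host, port, community), ...] for every trapsink line.

    A trapport or trapcommunity line governs every trapsink line that follows it until
    another line of the same kind appears. A sink that appears before any such line
    receives the defaults (assumed: port 162, no community).
    """
    port, community = default_port, default_community
    sinks = []
    for key, value in _entries(conf_text):
        if key == "trapport":
            port = int(value)
        elif key == "trapcommunity":
            community = value
        elif key == "trapsink":
            sinks.append((value, port, community))
    return sinks


def auth_traps_enabled(conf_text):
    """True if authtrapenable is 1, False for any other value, None if the key is absent."""
    result = None
    for key, value in _entries(conf_text):
        if key == "authtrapenable":
            result = value == "1"
    return result


if __name__ == "__main__":
    for name, conf in (("well ordered", SNMPD_CONF), ("misordered", MISORDERED_CONF)):
        print(name)
        for host, port, community in resolve_trap_sinks(conf):
            print(f"  trapsink {host} -> port {port}, community {community}")
        print(f"  authentication traps: {auth_traps_enabled(conf)}")
```

In the misordered fragment the sink 192.0.2.20 ends up on port 162 rather than 1162, because the trapport line comes after it; moving the trapport line above the trapsink line fixes it.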

/etc/snmptrap.conf

This configuration file includes OID, trap, and regular expression mappings. The configuration file specifies whether to send a specific trap based on a regular expression. An excerpt of the configuration file is shown in Figure 8.2.

Figure 8.2 Excerpt from the /etc/snmptrap.conf file

# Default traps.
.1.3.6.1.4.1.3375.1.1.110.2.6 (ROOT LOGIN) ROOT LOGIN
.1.3.6.1.4.1.3375.1.1.110.2.5 (denial) REQUEST DENIAL
.1.3.6.1.4.1.3375.1.1.110.2.4 (BIG-IP Loading) SYSTEM RESET
.1.3.6.1.4.1.3375.1.1.110.2.3 (Service detected UP) SERVICE UP
.1.3.6.1.4.1.3375.1.1.110.2.2 (Service detected DOWN) SERVICE DOWN
#.1.3.6.1.4.1.3375.1.1.110.2.1 (error) Unknown Error
#.1.3.6.1.4.1.3375.1.1.110.2.1 (failure) Unknown Failure

Some of the OIDs have been permanently mapped to BIG-IP specific events. The OIDs that are permanently mapped for the BIG-IP include:

  • Root login
  • Request denial
  • System reset
  • Service up
  • Service down

You may, however, insert your own regular expressions and map them to the 110.1 OID. The /etc/snmptrap.conf file contains two examples for mapping your own OIDs:

  • Unknown error
  • Unknown failure

By default, the lines for these two examples are commented out. Use these OIDs for miscellaneous events. When syslog lines match your expression, they are sent to your management software with the 110.2.1 OID.

If you change this file, restart the SNMP agent bigsnmpd as follows:

bigstart restart bigsnmpd

For the 3-DNS Controller, the configuration in /etc/3dns_snmptrap.conf determines which messages generate traps and what those traps are. Edit this file only if you want to add traps.

Syslog

In order to generate traps, you must configure syslog to send syslog lines to checktrap.pl. If a syslog line matches the configuration specified in the snmptrap.conf file, a valid SNMP trap is generated. The following lines in the /etc/syslog.conf file cause syslog to pass the logged information to checktrap.pl, which scans the snmptrap.conf file and determines whether a trap should be generated:

local0.* | exec /sbin/checktrap.pl
local1.* | exec /sbin/checktrap.pl
auth.* | exec /sbin/checktrap.pl
local2.* | exec /sbin/checktrap.pl

The local2.* line applies to 3-DNS only.

Note: If you uncomment these lines, make sure you restart syslogd.

If you change this file, restart the SNMP agent bigsnmpd with the following command:

bigstart restart bigsnmpd
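The following Python script is an added example covering both the /etc/snmptrap.conf section and the Syslog section above; it is not part of the F5 documentation and is not the checktrap.pl script shipped with the BIG-IP. It parses snmptrap.conf mapping lines of the form shown in Figure 8.2, runs a set of syslog lines through them the way syslogd pipes lines to checktrap.pl, and reports which trap OID and description each line would produce. The snmptrap.conf fragment (with the two 110.2.1 example lines uncommented and one extra custom rule left commented out) and the syslog lines are constructed; treating the first matching rule as the winner with one trap per line is an assumption of this example.

```python
import re

# Constructed snmptrap.conf fragment: the mappings from the chapter's excerpt, with the
# two 110.2.1 "miscellaneous" lines uncommented and one custom rule left commented out.
SNMPTRAP_CONF = """
# Default traps.
.1.3.6.1.4.1.3375.1.1.110.2.6 (ROOT LOGIN) ROOT LOGIN
.1.3.6.1.4.1.3375.1.1.110.2.5 (denial) REQUEST DENIAL
.1.3.6.1.4.1.3375.1.1.110.2.4 (BIG-IP Loading) SYSTEM RESET
.1.3.6.1.4.1.3375.1.1.110.2.3 (Service detected UP) SERVICE UP
.1.3.6.1.4.1.3375.1.1.110.2.2 (Service detected DOWN) SERVICE DOWN
.1.3.6.1.4.1.3375.1.1.110.2.1 (error) Unknown Error
.1.3.6.1.4.1.3375.1.1.110.2.1 (failure) Unknown Failure
#.1.3.6.1.4.1.3375.1.1.110.2.1 (disk full) Disk Full
"""

# Constructed syslog lines (not captured from a real system).
SYSLOG_LINES = [
    "Mar  4 10:15:02 bigip bigd: Service detected DOWN: 10.1.1.20:80",
    "Mar  4 10:15:40 bigip bigd: Service detected UP: 10.1.1.20:80",
    "Mar  4 10:16:11 bigip login: ROOT LOGIN on ttyp1 from 128.95.46.5",
    "Mar  4 10:17:05 bigip bigd: nightly cleanup finished",
    "Mar  4 10:18:22 bigip bigd: failure reading monitor config",
    "Mar  4 10:19:00 bigip kernel: disk full on /var",
]

# One mapping line: <OID> (<regular expression>) <trap description>
RULE_RE = re.compile(r"^(\.[\d.]+)\s+\((.*)\)\s+(.*)$")


def load_trap_rules(conf_text):
    """Parse snmptrap.conf into [(oid, compiled_regex, description), ...].

    Blank lines and lines commented out with # are skipped, so a commented rule never fires.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable snmptrap.conf line: {line!r}")
        oid, pattern, description = match.groups()
        rules.append((oid, re.compile(pattern), description.strip()))
    return rules


def check_traps(syslog_lines, rules):
    """Emulate the role the chapter gives checktrap.pl.

    Each syslog line that syslogd pipes in is tested against every mapping; the result is
    the list of (oid, description, line) traps that would be sent to the management station.
    Assumption: the first matching rule wins and at most one trap is raised per line.
    """
    traps = []
    for line in syslog_lines:
        for oid, regex, description in rules:
            if regex.search(line):
                traps.append((oid, description, line))
                break
    return traps


if __name__ == "__main__":
    for oid, description, line in check_traps(SYSLOG_LINES, load_trap_rules(SNMPTRAP_CONF)):
        print(f"{oid}  {description:<15}  <- {line}")
```

The "disk full" line produces no trap because its rule is still commented out, and the "nightly cleanup" line produces none because nothing matches it; the "failure reading monitor config" line reaches the management station on the 110.2.1 OID as Unknown Failure.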

Configuring snmpd to send responses out of different ports or addresses

You can configure the snmpd to respond on different ports or bind the daemon to a specific interface. Use the following syntax to configure snmpd:

snmpd -p [(udp|tcp):]port[@address][,...]

Use this command to make the agent listen on the specified list of sockets instead of the default port, which is port 161. Separate multiple ports by commas. You can specify transports by prepending the port number with the transport name (udp or tcp) followed by a colon.

To bind to a particular interface, you can specify the address you want it to bind with. For example, you can specify the following command to make the agent listen on UDP port 161 for any address, TCP port 161 for any address, and UDP port 9161 on only the interface associated with the localhost address.

snmpd -p 161,tcp:161,9161@localhost

Note: The -T flag changes the default transport mapping to use (in the previous example, the default transport mapping is UDP).
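The following Python function is an added example, not part of the F5 documentation or of the snmpd program; it parses a -p argument of the form [(udp|tcp):]port[@address][,...] into (transport, port, address) triples, applying the default transport where none is given, so a listener specification can be checked before the daemon is started. The default_transport parameter stands in for the effect of the -T flag described above; the rejection of ports outside 1-65535 is an assumption of this example.

```python
def parse_listen_spec(spec, default_transport="udp"):
    """Parse the argument of snmpd -p: [(udp|tcp):]port[@address][,...].

    Returns a list of (transport, port, address) tuples; address is None when the
    entry has no @address part, meaning the agent listens on any address.
    default_transport models what the -T flag changes (udp unless overridden).
    """
    endpoints = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in -p list")
        transport = default_transport.lower()
        if ":" in item:
            transport, item = item.split(":", 1)
            transport = transport.lower()
        if transport not in ("udp", "tcp"):
            raise ValueError(f"unknown transport: {transport}")
        port_text, _, address = item.partition("@")
        if not port_text.isdigit():
            raise ValueError(f"port is not numeric: {port_text!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:  # assumption: reject ports outside the valid range
            raise ValueError(f"port out of range: {port}")
        endpoints.append((transport, port, address or None))
    return endpoints


if __name__ == "__main__":
    # The chapter's own example: UDP 161 and TCP 161 on any address, UDP 9161 on localhost only.
    for transport, port, address in parse_listen_spec("161,tcp:161,9161@localhost"):
        print(f"{transport} port {port} on {address or 'any address'}")
```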