Simple Network Management Protocol (SNMP) is an industry-standard protocol that gives a standard SNMP management system the ability to remotely manage a device on the network. One of the devices that an SNMP management system can manage is a Access Policy Manager system. The SNMP versions that the Access Policy Manager system supports are: SNMP v1, SNMP v2c, and SNMP v3. The Access Policy Manager system implementation of SNMP is based on a well-known SNMP package, Net-SNMP, which was formerly known as UCD-SNMP.
A standard SNMP implementation consists of an SNMP manager, which runs on a management system and makes requests to a device, and an
SNMP agent, which runs on the managed device and fulfills those requests. SNMP device management is based on the standard management information base (MIB) known as MIB-II, as well as object IDs and MIB files.
| | The MIB defines the standard objects that you can manage for a device, presenting those objects in a hierarchical, tree structure. |
| | A set of MIB files resides on both the SNMP manager system and the managed device. MIB files specify values for the data objects defined in the MIB. This set of MIB files consists of standard SNMP MIB files and enterprise MIB files. Enterprise MIB files are those MIB files that pertain to a particular company, such as F5 Networks, Inc. |
Typical SNMP tasks that an SNMP manager performs include polling for data about a device, receiving notifications from a device about specific events, and modifying writable object data.
To comply with the standard SNMP implementation, the Access Policy Manager system includes both an SNMP agent, a set of standard SNMP MIB files, and a set of enterprise MIB files (those that are specific to the Access Policy Manager system). The enterprise MIB files typically reside on both the Access Policy Manager system, and on the system running the SNMP manager. Fortunately, you can use the browser-based Configuration utility to download the enterprise MIB files to your SNMP manager.
The last item in the list refers to the ability of an SNMP manager system to enable or disable various Access Policy Manager system objects such as virtual servers and nodes. Specifically, you can use SNMP to:
Before an SNMP manager can manage a Access Policy Manager system remotely, you must perform a few configuration tasks on the Access Policy Manager system, using the Access Policy Manager systems Configuration utility. After you have performed these configuration tasks, you can use standard SNMP commands on the remote manager system to manage the Access Policy Manager system.
| | Configuring the SNMP agent
There are a number of things you can do to configure the SNMP agent on the Access Policy Manager system. For example, you can allow client access to information that the SNMP agent collects, and you can configure the way that the SNMP agent handles SNMP traps. Traps are definitions of unsolicited notification messages that the Access Policy Manager alert system and the SNMP agent send to the SNMP manager when certain events occur. |
| | Downloading MIB files
You can download two sets of MIB files to your remote manager system: the standard SNMP MIB files and the enterprise MIB files. From the navigation pane, expand Overview, and click Welcome. From the Welcome screen, scroll down to Downloads. |
To configure the SNMP agent on the Access Policy Manager system, you can use the Configuration utility. Configuring the SNMP agent means performing the following tasks:
| | Configuring Traps
Enable or disable traps and specify the destination SNMP manager system for SNMP traps. |
| | Contact Information
The contact information is a MIB-II simple string variable defined by almost all SNMP boxes. The contact name usually contains a user name, as well as an email address. |
| | Machine Location
The machine location is a MIB-II variable that almost all machines support. It is a simple string that defines the location of the machine. |
An SNMP client refers to any system running the SNMP manager software for the purpose of remotely managing the Access Policy Manager system. To set up client access to the Access Policy Manager system, you specify the IP or network addresses (with netmask as required) from which the SNMP agent can accept requests. (By default, SNMP is enabled only for the Access Policy Manager system loopback interface,
127.0.0.1.)
| 2. | For the Client Allow List setting, select Host or Network, depending on whether the IP address you specify is a host system or a subnet. |
| | In the Address box, type an IP address or network address from which the SNMP agent can accept requests. |
| 4. | Click the Add button to add the host or network address to the list of allowed clients. |
There is a default access level for communities, and this access level is read-only. This means that you cannot write to an individual data object that has a read/write access type until you change the default read-only access level of the community or user.
The way to modify this default access level is by using the Configuration utility to grant read/write access to either a community (for SNMP v1 and v2c) or a user (SNMP v3), for a given OID.
When you set the access level of a community or user to read/write, and an individual data object has a read-only access type, access to the object remains read-only. In short, the access level or type that is the most secure takes precedence when there is a conflict. Table
14.1 illustrates this point.
| 5. | In the Community box, type the name of the SNMP community for which you are assigning an access level (in step 8). |
| 6. | In the Source box, type the source IP address. |
| 7. | In the OID box, type the OID for the top-most node of the SNMP tree to which the access applies. |
| 8. | For the Access setting, select an access level, either Read Only or Read/Write. (This access level applies to the community name you specified in step 6.) |
| 4. | In the User Name box, type a user name for which you are assigning an access level (in step 8). |
| 5. | For the Authentication setting, select a type of authentication to use, and then type and confirm the users password. |
| 6. | For the Privacy setting, select a privacy protocol, and then do either of the following: |
| 7. | In the OID box, type the object identifier (OID) for the top-most node of the SNMP tree to which the access applies. |
| 8. | For the Access setting, select an access level, either Read Only or Read/Write. (This access level applies to the user name that you specified in step 5). |
When you use the Configuration utility to assign an access level to a community or user, the utility updates the
snmpd.conf file, assigning only a single access setting to the community or user. There might be times, however, when you want to configure more sophisticated access control. To do this, you must edit the
/config/snmp/snmpd.conf file directly, instead of using the Configuration utility.
For example, Figure 14.1 shows a sample
snmpd.conf file when you use the Configuration utility to grant read/write access to a community.
In this example, the string rocommunity identifies a community named
public as having the default read only access level (indicated by the strings
ro and
default). This read only access level prevents any allowed SNMP manager in community
public from modifying a data object, even if the object has an access type of read/write.
The string rwcommunity identifies a community named
public1 as having a read/write access level (indicated by the string
rw). This read/write access level allows any allowed SNMP manager in community
public1 to modify a data object under the tree node
.1.2.6.1.4.1.3375.2.2.10.1 (
ltmVirtualServ) on the local host
127.0.0.1, if that data object has an access type of read/write.
On the Access Policy Manager system, traps are definitions of unsolicited notification messages that the Access Policy Manager alert system and the SNMP agent send to the SNMP manager when certain events occur on the Access Policy Manager system. Configuring SNMP traps on a Access Policy Manager system means configuring the way that the Access Policy Manager system handles traps, as well as setting the destination for notifications that the alert system and the SNMP agent send to an SNMP manager.
You use the Configuration utility to configure traps, that is, enable traps and set trap destinations. When you configure traps, the Access Policy Manager system automatically updates the
alert.conf and
user_alert.conf files.
You can configure the SNMP agent on the Access Policy Manager system to send, or refrain from sending, notifications when the following events occur:
In addition to enabling certain traps for certain events, you must specify the destination SNMP manager to which the Access Policy Manager system should send notifications. For SNMP versions 1 and 2c only, you specify a destination system by providing the community name to which the Access Policy Manager system belongs, the IP address of the SNMP manager, and the target port number of the SNMP manager.
| 4. | For the Version setting, select an SNMP version number. |
| 5. | In the Community box, type the community name for the SNMP agent running on the Access Policy Manager system. |
| 6. | In the Destination box, type the IP address of the SNMP management system. |
| 7. | In the Port box, type the SNMP management system port number that is to receive the traps. |
As described earlier, MIB files define the SNMP data objects contained in the SNMP MIB. There are two sets of MIB files that typically reside on the Access Policy Manager system and the SNMP manager system: enterprise MIB files (that is, F5-specific MIB files) and standard SNMP MIB files.
Both sets of MIB files are already present on the Access Policy Manager system, in the directory
/usr/share/snmp/mibs. However, you still need to download them to your SNMP manager system. You can download these MIB files from the Welcome screen of the browser-based Configuration utility. For more information, see
Downloading SNMP MIB files, following.
To make MIB-II as clear as possible, we have implemented the SNMP feature so that you use MIB-II for gathering standard Linux data only. You cannot use MIB-II to gather data that is specific to the Access Policy Manager system and instead must use the F5 enterprise MIB files. All OIDS for Access Policy Manager system data are contained in the F5 enterprise MIB files, including all interface statistics (
1.3.6.1.4.1.3375.2.1.2.4 (
sysNetwork.sysInterfaces)).
| | F5-BIGIP-LOCAL-MIB.txt
This is an enterprise MIB file that contains specific information for properties associated with specific Access Policy Manager system features related to local traffic manager (such as virtual servers, pools, and SNATs). |
| | F5-BIGIP-SYSTEM-MIB.txt. The F5-BIGIP-SYSTEM-MIB.txt MIB file includes global information on system-specific objects. |
| | F5-BIGIP-APM-MIB.txt. This MIB file contains specific information for properties associated with viewing and accessing access profile and secure connectivity statistics. |
To view the set of standard SNMP MIB files that you can download to the SNMP manager system, list the contents of the Access Policy Manager system directory
/usr/share/snmp/mibs. Once you have downloaded all of the necessary MIB files, you should familiarize yourself with the contents of the enterprise MIBs, for purposes of managing the Access Policy Manager system and troubleshooting Access Policy Manager system events.
These MIB files contain information that you can use for your remote management station to poll the SNMP agent for Access Policy Manager system-specific information, receive Access Policy Manager system-specific notifications, or set Access Policy Manager system data.
The F5-BIGIP-COMMON-MIB.txt file is an enterprise MIB file that contains objects pertaining to any common information, as well as the F5-specific SNMP traps. All F5-specific traps are contained within this MIB file. You can identify the traps within this MIB file by viewing the file and finding object names that show the designation NOTIFICATION-TYPE. When an F5-specific trap sends a notification to the SNMP manager system, the SNMP manager system receives a text message describing the event or problem that has occurred.
To see all available MIB objects in this MIB file, you can view the F5-BIGIP-COMMON-MIB.txt file in the directory
/usr/share/snmp/mibs on the Access Policy Manager system.
The F5-BIGIP-LOCAL-MIB.txt file is an enterprise MIB file that contains information that an SNMP manager system can access for the purpose of managing local application traffic. For example, you can:
In general, you can use this MIB file to get information on any local traffic manager object (virtual servers, pools, nodes, profiles, SNATs, health monitors, and iRules). You can also reset statistics for any of these objects.
To see all available enterprise MIB objects for local traffic manager, you can view the
F5-BIGIP-LOCAL-MIB.txt file in the directory
/usr/share/snmp/mibs on the Access Policy Manager system.
The F5-BIGIP-SYSTEM-MIB.txt file is an enterprise MIB file that describes objects representing common system information. Examples of information in this MIB file are global statistic data, network information, and platform information. Some of the data in this MIB file is similar to that defined in MIB-II, but is not exactly the same.
Table 14.2 shows standard MIB-II objects and the F5-specific objects that approximately correspond to them.
To see all available enterprise MIB system objects, you can view the F5-BIGIP-SYSTEM-MIB.txt file in the directory
/usr/share/snmp/mibs on the Access Policy Manager system.
One of the MIB files that the Access Policy Manager system provides is the Remote network Monitoring (RMON) MIB file,
RMON-MIB.txt. This file is the standard RMON MIB file. However, the implementation of RMON on the Access Policy Manager system differs slightly from the standard RMON implementation, in these ways:
| | The RMON-MIB.txt file monitors the Access Policy Manager system interfaces (that is, sysIfIndex), and not the standard Linux interfaces. |
To understand how RMON operates for a Access Policy Manager system, you can view the
RMON-MIB.txt file in the directory
/usr/share/snmp/mibs on the Access Policy Manager system.
As mentioned earlier, this MIB file contains specific information associated with viewing and accessing access profile and secure connectivity statistics.
The Configuration utility on the Access Policy Manager system displays graphs showing performance metrics for the system. However, you can also use SNMP to collect the same information.
Each type of metric has one or more SNMP object IDs (OIDs) associated with it. To gather performance data, you specify these OIDs with the appropriate SNMP command.
For example, the following SNMP command collects data on current memory use, where
public is the community name and
bigip is the host name of the Access Policy Manager system:
For some types of metrics, such as memory use, simply issuing an SNMP command with an OID gives you the information you need. For other types of metrics, the data that you collect with SNMP is not useful until you perform a calculation on it.
For example, to determine the throughput rate of client bits coming into the Access Policy Manager system, you must perform the following calculation on the data that you collect with the OID shown:
This calculation takes the data resulting from specifying the OID sysStatClientBytesIn, multiplies the value by
8, and divides it by the elapsed time.
You can use an SNMP command with OIDs to gather data on the number of megabytes of memory currently being used on the Access Policy Manager system. Table
14.3 shows the OIDs that you need to specify to gather data on the current memory use. To collect memory use data, you do not need to perform a calculation on the collected data.
You can use SNMP commands with various OIDs to gather data on the number of active connections on the Access Policy Manager system. Table
14.4 shows the OIDs that you need to specify to gather data on active connections. In this case, you do not need to perform any calculations on the collected data.
You can use SNMP commands with various OIDs to gather data on the number of new connections on the Access Policy Manager system. Table
14.5 shows the OIDs that you need to specify to gather data on new connections, along with the calculations that you must perform on the collected data.
You can use SNMP commands with various OIDs to gather data on the throughput rate on the Access Policy Manager system, in terms of bits per second. Table
14.6 shows the OIDs that you need to specify to gather data on throughput rate, along with the calculations that you must perform on the collected data.
You can use SNMP commands with various OIDs to gather data on the number of current HTTP requests on the Access Policy Manager system, in terms of requests per second. Table
14.7 shows the OID that you need to specify to gather data on HTTP requests, along with the calculations that you must perform on the collected data.
You can use an SNMP command with various OIDs to gather data on RAM cache utilization. Table
14.8 shows the OIDs that you need to specify to gather this data.
You can use SNMP commands with various OIDs to gather data on CPU use on the Access Policy Manager system. Specifically, you can gather data for two different graph metrics: TMM CPU Usage and CPU[0-n].
To gather the data for each of these metrics, you must perform some polling and calculations. First, for each metric type (for example,
sysStatTmTotalCycles), you must perform two separate polls, at ten-second intervals. Then, you must calculate the delta of the two polls. Finally, you must use these delta values to perform the calculation shown in Table
14.9. The two sections following the table contain the specific procedures you use to calculate metrics for TMM CPU Usage and CPU[0-n] metric types.
Note: For each OID, perform the polls approximately ten seconds apart.
DeltaCpuNice = sysHos
tCpuNice2 - sysHostCpuNice1
DeltaCpuIrq = sysHos
tCpuIrq2 - sysHostCpuIrq1
Note: For each OID, perform the polls approximately ten seconds apart.
You can use SNMP commands with an OID to gather data on active sessions. Table
14.11 shows the OID that you need to specify to gather data on active sessions.
You can use SNMP commands with an OID to gather data on SSL performance, in terms of transactions per second. Table
14.11 shows the OID that you need to specify to gather data on SSL TPS, along with the calculation that you must perform on the collected data.
