Manual Chapter : BIG-IP Administrator guide v4.0: Configuring SNMP

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.0 PTF-04, 4.0 PTF-03, 4.0 PTF-02, 4.0 PTF-01, 4.0.0


Chapter 19: Configuring SNMP



Working with SNMP

This chapter covers the management and configuration tasks for the simple network management protocol (SNMP) agent and management information bases (MIBs) available with the BIG-IP Controller.

Note: The SNMP agent must be configured on the BIG-IP Controller with the 3-DNS module in order to use the SEE-IT Network Manager.

The BIG-IP SNMP agent and MIBs allow you to manage the BIG-IP Controller by configuring traps for the SNMP agent or polling the controller with your standard network management station (NMS).

You can configure the BIG-IP SNMP agent to send traps to your management system with the Configuration utility. You can also set up custom traps by editing several configuration files.

You can use SNMP security options to restrict access to the information collected by the BIG-IP SNMP agent: community names, TCP wrappers (the /etc/hosts.allow and /etc/hosts.deny files), and the View-based Access Control Model (VACM).

This chapter is divided into two parts:

  • Getting started with SNMP
    This section shows how to set up SNMP for a remote administrative host in order to use it in its default configuration.
  • Configuring SNMP
    This section shows how to create a custom configuration, including custom traps and enhanced security.

Getting started with SNMP

By default, SNMP is enabled only for the BIG-IP Controller loopback interface (IP address 127.0.0.1). To set up SNMP for a remote network management station, you must perform the following tasks:

  • Download the MIBs
    Download the BIG-IP MIBs and load them into your network management station.
  • Set up administrative access
    Configure /etc/hosts.allow to allow administrative access to the SNMP agent.

Downloading the MIBs

To configure your remote host, you must download and install the product-specific MIB files. For all BIG-IP Controllers there are two product-specific MIB files:

  • LOAD-BAL-SYSTEM-MIB.txt.
    This is a vendor MIB that contains specific information for properties associated with specific BIG-IP Controller functionality (load balancing, NATs, and SNATs).
  • UCD-SNMP-MIB.txt.
    This is the UCD-SNMP enterprise MIB. It supplements the standard MIB-II (RFC 1213) objects with UCD-specific management information.

    For a BIG-IP Controller with the 3-DNS module there are two additional product-specific MIB files:

  • RFC1611.my
    This is the DNS MIB. (For the 3-DNS module only.)
  • 3dns.my
    This is the 3-DNS MIB. (For the 3-DNS module only.)

    You can download these files from the Additional Software Downloads section of the Configuration utility home page, or copy them directly from /usr/local/share/snmp/mibs on the BIG-IP Controller to your remote host, using ssh and scp (crypto version) or telnet and ftp (non-crypto version). Note that telnet and ftp send your login credentials in clear text, so use the crypto version wherever it is installed.

Allowing access

Set up access to your remote host by modifying the /etc/hosts.allow file on the BIG-IP Controller. You can do this using the Configuration utility or by editing the file directly using an editor like vi or pico.

To allow access to the SNMP agent using the Configuration utility

  1. In the navigation pane, click System Admin.
    The System Admin screen opens.
  2. Click the SNMP Administration tab.
    The SNMP Administration screen opens.
  3. In the SNMP Administration screen, check Enable to allow access to the BIG-IP SNMP agent.
  4. In the Client Access Allow list section, type the following information:

    · IP Address or Network Address
    Type in an IP address or network address from which the SNMP agent can accept requests. Click the Add (>>) button to add the address to the Current List. For a network address, type in a netmask.

    · Netmask
    If you type a network address in the IP Address or Network Address box, type the netmask for the network address in this box. Click the Add (>>) button to add the network address to the Current List.

  5. Click the Apply button.

To allow access to the SNMP agent by editing the /etc/hosts.allow file

The basic syntax for allowing access in /etc/hosts.allow is:

<daemon>: <IP address> ...

For SNMP, the daemon is bigsnmpd. For example, to set the SNMP agent to accept connections from the IP address 128.95.46.5, you would type:

bigsnmpd: 128.95.46.5

You may also specify multiple addresses or a range, using a subnet mask. For more information about the /etc/hosts.allow file, refer to /etc/hosts.allow, on page 19-6.

Configuring SNMP settings

There are seven basic configuration tasks associated with SNMP on the BIG-IP Controller, each corresponding to a specific configuration file or files:

  • Download the MIBs
    Download the BIG-IP MIBs and load them into your network management station.
  • Set up administrative access
    Configure /etc/hosts.allow to allow administrative access to the SNMP agent.
  • Configure snmpd.conf
    This file configures the SNMP agent. You can configure this file with the Configuration utility, or by editing it directly with a text editor.
  • Configure snmptrap.conf
    For the BIG-IP Controller, the configuration in /etc/snmptrap.conf determines which messages generate traps and what those traps are. Edit this file only if you want to add traps.
  • Configure 3dns_snmptrap.conf
    For the 3-DNS Controller, the configuration in /etc/3dns_snmptrap.conf determines which messages generate traps and what those traps are. Edit this file only if you want to add traps.
  • Configure syslog.conf
    Configure /etc/syslog.conf to pipe specified message types through checktrap.pl.
  • Enable the SNMP port
    Enable port 161 using the open_snmp_port global variable.

    Note: Except in the case of /etc/hosts.allow and /etc/snmpd.conf, once you change a configuration file, you need to restart the SNMP agent using the bigstart restart bigsnmpd command.

Downloading the MIBs

The BIG-IP platform includes a private BIG-IP SNMP MIB. This MIB is specifically designed for use with the BIG-IP Controller. You can configure the SNMP settings in the Configuration utility, or on the command line.

SNMP management software requires the MIB files associated with the device. You can copy the two MIB files from the BIG-IP directory /usr/local/share/snmp/mibs, or download them from the Additional Software Downloads section of the Configuration utility home page.

  • LOAD-BAL-SYSTEM-MIB.txt. This is a vendor MIB that contains specific information for properties associated with specific F5 functionality (load balancing, NATs, and SNATs)
  • UCD-SNMP-MIB.txt. This is the UCD-SNMP enterprise MIB, which supplements the standard MIB-II (RFC 1213) objects with UCD-specific management information.

    For information about the objects defined in the LOAD-BAL-SYSTEM-MIB.txt, UCD-SNMP-MIB.txt, or 3dns.my file, refer to the descriptions in the object identifier (OID) section of the file. For information about the RFC1611.my file, refer to RFC1611.

/etc/hosts.deny

This file must be present so that every host not explicitly permitted in /etc/hosts.allow is denied access to the SNMP agent. The contents of this file are as follows:

ALL : ALL

/etc/hosts.allow

The /etc/hosts.allow file specifies which hosts are allowed to access the SNMP agent. There are two ways to grant access with the /etc/hosts.allow file. You can type an IP address, or a list of IP addresses, that are allowed to access the SNMP agent, or you can type a network address and mask to allow a range of addresses in a subnetwork to access the SNMP agent.

For a specific list of addresses, type in the list of addresses you want to allow to access the SNMP agent. Addresses in the list must be separated by blank space or by commas. The basic syntax is as follows:

daemon: <IP address> <IP address> <IP address>

For example, you can type the following line which sets the SNMP agent to accept connections from the IP addresses specified:

bigsnmpd: 128.95.46.5 128.95.46.6 128.95.46.7

For a range of addresses, the basic syntax is as follows, where daemon is the name of the daemon, and IP/MASK specifies the network that is allowed access. The IP must be a network address:

daemon: IP/MASK

For example, you might use the following line which sets the bigsnmpd daemon to allow connections from the 128.95.46.0/255.255.255.0 address:

bigsnmpd: 128.95.46.0/255.255.255.0

The example above allows the 254 possible hosts in the 128.95.46.0 network to access the SNMP daemon. You may also use the keyword ALL in place of the host list or the daemon name to match all hosts or all daemons. Using ALL for the host list removes the host-based restriction entirely and leaves the community string as the only protection, so list only your network management stations.

Note: 192.168.1/24 CIDR syntax is not allowed.
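The following Python script is an added example, not part of the BIG-IP software or of this guide. It emulates the decision TCP wrappers make for the bigsnmpd daemon from /etc/hosts.allow and /etc/hosts.deny, using the rule syntax described in this section and under Allowing access above. The two file bodies are constructed samples; the allow-then-deny search order is the one documented in hosts_access(5), and the rejection of prefix-length (CIDR) syntax reflects the note above.

```python
"""Emulate the tcp_wrappers access decision for the bigsnmpd daemon.

Added example, not BIG-IP code. The two file bodies below are constructed.
Search order (hosts_access(5)): hosts.allow first, a match grants access;
then hosts.deny, a match denies; no match at all grants access.
"""
import ipaddress
import re

HOSTS_ALLOW = """\
# constructed sample /etc/hosts.allow
bigsnmpd: 128.95.46.5 128.95.46.6, 128.95.46.7
bigsnmpd: 10.1.0.0/255.255.0.0
"""

HOSTS_DENY = """\
# constructed sample /etc/hosts.deny (the catch-all this chapter requires)
ALL : ALL
"""

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_rules(text):
    """Return [(daemon_list, client_list), ...]; comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            raise ValueError("rule without ':' separator: %r" % raw)
        # list items may be separated by blanks or commas
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern: ALL, a single address, or NETWORK/DOTTED.MASK."""
    if pattern == "ALL":
        return True
    addr = ipaddress.IPv4Address(client_ip)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if not DOTTED.match(mask):
            # the agent's tcp_wrappers wants 192.168.1.0/255.255.255.0,
            # not the 192.168.1/24 prefix form
            raise ValueError("prefix-length (CIDR) syntax not allowed: %r" % pattern)
        return addr in ipaddress.IPv4Network((net, mask), strict=False)
    return addr == ipaddress.IPv4Address(pattern)


def rule_matches(rule, daemon, client_ip):
    """True if the rule names this daemon (or ALL) and one client pattern matches."""
    daemons, clients = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(client_matches(p, client_ip) for p in clients)


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcp_wrappers would hand the request to the daemon."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return False
    return True  # nothing matched: tcp_wrappers grants access by default


if __name__ == "__main__":
    for ip in ("128.95.46.5", "128.95.46.9", "10.1.200.3", "192.0.2.1"):
        print("%-14s %s" % (ip, "allowed" if access_allowed("bigsnmpd", ip) else "denied"))
    # without the ALL : ALL catch-all, unlisted hosts get in
    print("192.0.2.1 with empty hosts.deny:",
          "allowed" if access_allowed("bigsnmpd", "192.0.2.1", deny_text="") else "denied")
```

The last line of the demonstration is the reason /etc/hosts.deny must exist: with no deny rule, a host that matches nothing in /etc/hosts.allow is still granted access.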

To allow access to the SNMP agent using the Configuration utility

  1. In the navigation pane, click System Admin.
    The System Admin screen opens.
  2. Click the SNMP Administration tab.
    The SNMP Administration screen opens.
  3. In the SNMP Administration screen, check Enable to allow access to the BIG-IP SNMP agent.
  4. In the Client Access Allow list section, type the following information:

    · IP Address or Network Address
    Type in an IP address or network address from which the SNMP agent can accept requests. Click the Add (>>) button to add the address to the Current List. For a network address, type in a netmask.

    · Netmask
    If you type a network address in the IP Address or Network Address box, type the netmask for the network address in this box. Click the Add (>>) button to add the network address to the Current List.

  5. Click the Apply button.

/etc/snmpd.conf

The /etc/snmpd.conf file controls most of the SNMP agent. This file is used to set up and configure certain traps, passwords, and general SNMP variable names. A few of the necessary variables are listed below:

  • System Contact Name
    The System Contact is the MIB-II string variable sysContact, supported by almost all SNMP agents. It usually contains a user name and an email address. It is set by the syscontact key.
  • Machine Location (string)
    The Machine Location is the MIB-II string variable sysLocation, supported by almost all SNMP agents. It is a simple string that describes the physical location of the box. It is set by the syslocation key.
  • Community String
    The community string is a clear-text password used for basic SNMP security. It travels unencrypted in every request, so treat it as a secret and back it with the host restrictions in /etc/hosts.allow. The community string also maps to VACM groups, but for initial read-only access it is limited to a single group.
  • Trap Configuration
    Trap configuration is controlled by these entries in the /etc/snmpd.conf file:

    • trapsink <host>
      This sets the host to receive trap information. The <host> is an IP address.
    • trapport <port>
      This sets the UDP port to which traps are sent. A trapport line governs the trapsink lines that follow it, so when trap hosts listen on different ports, place a trapport line before each trapsink line (see the note below).
    • trapcommunity <community string>
      This sets the community string (password) to use for sending traps. If set, it also sends a trap upon startup: coldStart(0).
    • authtrapenable <integer>
      Setting this variable to 1 enables traps to be sent for authentication warnings. Setting it to 2 disables it.
    • data_cache_duration <seconds>
      This is the time in seconds data is cached. The default value for this setting is one second.

      Note: A trapport line controls all trapsink lines that follow it until another trapport line appears. Therefore, to change the trap port for a trap sink, the new trapport line must be inserted before the trap sink's trapsink line, with no other trapport lines in between. The same follows for trapcommunity lines.
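As an added example (not BIG-IP code), the following Python script resolves the trap sinks in an snmpd.conf fragment by applying the ordering rule in the note above, and reports trapport or trapcommunity lines placed where no sink can use them. The configuration text is a constructed sample; the fallback values it uses when no trapport or trapcommunity precedes a sink (UDP port 162, community public) are assumptions about the agent's defaults, not values this guide states.

```python
"""Resolve the trap sinks an /etc/snmpd.conf fragment actually configures.

Added example, not BIG-IP code. A trapport or trapcommunity line governs the
trapsink lines that follow it, until the next line of the same kind; a sink
with no preceding trapport/trapcommunity gets the agent defaults. The defaults
used here (UDP port 162, community "public") are assumptions, not values
stated in this guide. The configuration text is a constructed sample.
"""

DEFAULT_TRAP_PORT = 162            # assumption: standard SNMP trap port
DEFAULT_TRAP_COMMUNITY = "public"  # assumption: agent default when no trapcommunity line

SNMPD_CONF = """\
# constructed sample /etc/snmpd.conf
syscontact  Ops Team <ops@example.net>
syslocation Building 1, first floor
authtrapenable 1
data_cache_duration 1

trapsink 192.0.2.9                 # no trapcommunity yet: gets the default
trapcommunity nms-traps-west
trapsink 192.0.2.10
trapsink 192.0.2.11

trapport 1162                      # applies to the sinks below, not above
trapcommunity nms-traps-east
trapsink 198.51.100.20
trapsink 203.0.113.5
trapport 2162                      # nothing follows: this line has no effect
"""


def _entries(conf_text):
    """Yield (keyword, value) for each non-comment, non-blank line."""
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if parts:
            yield parts[0], (parts[1] if len(parts) > 1 else "")


def resolve_trap_sinks(conf_text):
    """Return [(host, port, community), ...] in file order."""
    port, community, sinks = DEFAULT_TRAP_PORT, DEFAULT_TRAP_COMMUNITY, []
    for key, value in _entries(conf_text):
        if key == "trapport":
            port = int(value)
        elif key == "trapcommunity":
            community = value
        elif key == "trapsink":
            sinks.append((value, port, community))
    return sinks


def ineffective_settings(conf_text):
    """trapport/trapcommunity lines after the last trapsink: they govern nothing."""
    pending = []
    for key, value in _entries(conf_text):
        if key in ("trapport", "trapcommunity"):
            pending.append("%s %s" % (key, value))
        elif key == "trapsink":
            pending = []
    return pending


def default_community_sinks(sinks):
    """Sinks whose traps would carry the default community string."""
    return [s for s in sinks if s[2] == DEFAULT_TRAP_COMMUNITY]


if __name__ == "__main__":
    sinks = resolve_trap_sinks(SNMPD_CONF)
    for host, port, community in sinks:
        print("%-16s port %-5d community %s" % (host, port, community))
    print("ineffective:", ineffective_settings(SNMPD_CONF))
    print("default community:", default_community_sinks(sinks))
```

Running it shows the first sink tagged with the default community and the final trapport line governing nothing; both are the mistakes the ordering rule makes easy to commit, and both are silent in the agent itself.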

To set SNMP properties using the Configuration utility

  1. In the navigation pane, click System Admin.
    The System Admin screen opens.
  2. Click the SNMP Administration tab.
    The SNMP Administration screen opens.
  3. To enable the SNMP agent, check the Enable box.
  4. In the Client Access Allow List, type an IP address or network address from which the SNMP agent can accept requests. Click the Add (>>) button to add the address to the Current List. For a network address, type in a netmask.
    To remove an IP address or network address from the list, click the address, and click the Move (<<) button.
  5. In the System Information section, type the following information:

    · In the System Contact box, enter the contact name and email address for the person who should be contacted if this BIG-IP Controller generates a trap.

    · In the Machine Location box, enter a machine location, such as First Floor, or Building 1, that describes the physical location of the BIG-IP Controller.

    · In the Community String box, type a community name. The community name is a clear text password used for basic SNMP security and for grouping machines that you manage.

  6. In the Trap Configuration section, type the following information:

    · Check Auth Trap Enabled to allow traps to be sent for authentication warnings.

    · In the Community box, type the community name to which this BIG-IP Controller belongs. Traps sent from this box are sent to the management system managing this community.

    · In the Port box, type the port on which the trap host receives traps.

    · In the Trap box, enter the host that should be notified when a trap is sent by the BIG-IP SNMP agent. After you type the Community, Port, and Trap for the trap sink, click the Add (>>) button to add it to the Current List.
    To remove a trap sink from the list, click the trap sink you want to remove, and click the Remove (<<) button.

  7. Click the Apply button.

/etc/snmptrap.conf

This configuration file includes OID, trap, and regular expression mappings. The configuration file specifies whether to send a specific trap based on a regular expression. An excerpt of the configuration file is shown in Figure 19.1.

Figure 19.1 Excerpt from the /etc/snmptrap.conf file

# Default traps.
.1.3.6.1.4.1.3375.1.1.110.2.6 (ROOT LOGIN) ROOT LOGIN
.1.3.6.1.4.1.3375.1.1.110.2.5 (denial) REQUEST DENIAL
.1.3.6.1.4.1.3375.1.1.110.2.4 (BIG-IP Loading) SYSTEM RESET
.1.3.6.1.4.1.3375.1.1.110.2.3 (Service detected UP) SERVICE UP
.1.3.6.1.4.1.3375.1.1.110.2.2 (Service detected DOWN) SERVICE DOWN
#.1.3.6.1.4.1.3375.1.1.110.2.1 (error) Unknown Error
#.1.3.6.1.4.1.3375.1.1.110.2.1 (failure) Unknown Failure

Some of the OIDs have been permanently mapped to BIG-IP specific events. The OIDs that are permanently mapped for the BIG-IP Controller include:

  • Root login
  • Request denial
  • System reset
  • Service up
  • Service down

    You may, however, insert your own regular expressions and map them to the 110.2.1 OID. The /etc/snmptrap.conf file contains two examples for mapping your own expressions:

  • Unknown error
  • Unknown failure

    By default, these example lines are commented out. Use this OID for miscellaneous events. When syslog lines match your expression, they are sent to your management software with the 110.2.1 OID.

    If you change this file, restart the SNMP agent bigsnmpd as follows:

    bigstart restart bigsnmpd

Syslog

In order to generate traps, you must configure syslog to pass syslog lines to checktrap.pl. If a syslog line matches an expression in the snmptrap.conf file, a valid SNMP trap is generated. The following lines in the /etc/syslog.conf file make syslogd hand the logged messages to checktrap.pl, which scans the snmptrap.conf file and determines whether a trap should be generated:

local0.* | exec /sbin/checktrap.pl
local1.* | exec /sbin/checktrap.pl
auth.*   | exec /sbin/checktrap.pl
local2.* | exec /sbin/checktrap.pl    (For 3-DNS only)

Note: If you uncomment these lines, make sure you restart syslogd. For more information about working with the Syslog utility, see Working with the Syslog utility on page 18-18.

If you change this file, restart the SNMP agent bigsnmpd as follows:

bigstart restart bigsnmpd
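To show how the /etc/snmptrap.conf and /etc/syslog.conf pieces fit together, here is an added Python example that applies the matching rule this chapter describes. It is not F5's checktrap.pl (whose source this guide does not show): each uncommented line of snmptrap.conf is read as an OID, a regular expression in parentheses, and a description, and a syslog line that matches the expression produces a trap with that OID. The configuration excerpt and the syslog lines are constructed samples, and case-sensitive matching is an assumption.

```python
"""Match syslog lines against /etc/snmptrap.conf rules and emit trap OIDs.

Added example: a re-implementation of the matching rule this chapter describes
for checktrap.pl, not F5's script. Rule format, from Figure 19.1:
    <OID> (<regular expression>) <description>
Lines beginning with '#' are disabled. The configuration excerpt and the
syslog lines are constructed; case-sensitive matching is an assumption.
"""
import re

SNMPTRAP_CONF = """\
# constructed excerpt in the /etc/snmptrap.conf format of Figure 19.1
.1.3.6.1.4.1.3375.1.1.110.2.6 (ROOT LOGIN) ROOT LOGIN
.1.3.6.1.4.1.3375.1.1.110.2.5 (denial) REQUEST DENIAL
.1.3.6.1.4.1.3375.1.1.110.2.4 (BIG-IP Loading) SYSTEM RESET
.1.3.6.1.4.1.3375.1.1.110.2.3 (Service detected UP) SERVICE UP
.1.3.6.1.4.1.3375.1.1.110.2.2 (Service detected DOWN) SERVICE DOWN
#.1.3.6.1.4.1.3375.1.1.110.2.1 (error) Unknown Error
#.1.3.6.1.4.1.3375.1.1.110.2.1 (failure) Unknown Failure
# site-specific expression mapped to the miscellaneous 110.2.1 OID
.1.3.6.1.4.1.3375.1.1.110.2.1 (disk full) Unknown Error
"""

SYSLOG_LINES = [  # constructed sample syslog lines, not real BIG-IP output
    "Oct 12 10:01:02 bigip monitor: Service detected UP for 10.0.0.5:80",
    "Oct 12 10:02:00 bigip login: ROOT LOGIN on ttyp0 from 128.95.46.5",
    "Oct 12 10:03:11 bigip kernel: disk full on /var/log",
    "Oct 12 10:04:00 bigip sshd: Accepted password for admin from 128.95.46.5",
]

# OID, then the expression in parentheses, then the free-text description
RULE_RE = re.compile(r"^(\.\d+(?:\.\d+)*)\s+\((.+)\)\s+(.+)$")


def load_rules(conf_text):
    """Return [(oid, compiled_regex, description), ...] for enabled lines."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("malformed snmptrap.conf line: %r" % raw)
        oid, pattern, description = m.groups()
        rules.append((oid, re.compile(pattern), description))
    return rules


def traps_for(line, rules):
    """(oid, description) for every rule whose expression matches the line."""
    return [(oid, desc) for oid, rx, desc in rules if rx.search(line)]


def generate_traps(lines, rules):
    """Flatten matches across a batch of syslog lines."""
    return [(oid, desc, line) for line in lines for oid, desc in traps_for(line, rules)]


if __name__ == "__main__":
    rules = load_rules(SNMPTRAP_CONF)
    for oid, desc, line in generate_traps(SYSLOG_LINES, rules):
        print("trap %s (%s) <- %s" % (oid, desc, line))
```

Because the expressions are searched anywhere in the line, a loosely written custom pattern (for example a single common word) will fire on unrelated messages; test new patterns against a day of real log output before uncommenting them.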

Enable the SNMP port

Enable port 161 to accept SNMP traffic as follows. Because this opens the agent beyond the loopback interface, make sure /etc/hosts.allow lists only your network management stations before you do so:

b global open_snmp_port enable