Manual Chapter : BIG-IP Administrator guide v2.1: Configuring SNMP

Applies To:


BIG-IP versions 1.x - 4.x

  • 2.1.4 PTF-01, 2.1.4, 2.1.3 PTF-04, 2.1.3 PTF-03, 2.1.3 PTF-02, 2.1.3 PTF-01, 2.1.3, 2.1.2 PTF-02, 2.1.2 PTF-01, 2.1.2, 2.1.1, 2.1.0


7

Configuring SNMP



Working with SNMP on the BIG/ip Controller

This chapter covers the management and configuration tasks for the simple network management protocol (SNMP) agent and management information bases (MIBs) available with the BIG/ip Controller.

Warning: The SNMP agent must be configured on the BIG/ip Controller in order to use the F5 Networks see/IT Network Manager.

The BIG/ip SNMP agent and MIBs allow you to manage the BIG/ip Controller by configuring traps for the SNMP agent or polling the controller with your standard network management station (NMS).

You can configure the BIG/ip SNMP agent to send traps to your management system with the F5 Configuration utility. You can also set up custom traps by editing several configuration files.

Security options are available that let you securely manage information collected by the BIG/ip SNMP agent, including:

  • Community names
  • TCP wrappers
  • View access control mechanism (VACM)

Preparing the BIG/ip Controller for SNMP

The BIG/ip platform includes a private BIG/ip SNMP MIB. This MIB is specifically designed for use with the BIG/ip Controller. You can configure the SNMP settings in the F5 Configuration utility, or on the command line.

Downloading the MIBs

SNMP management software requires that you use the MIB files associated with the device. You may obtain two MIB files from the BIG/ip directory /usr/contrib/f5/mibs, or you can download the files from the Additional Software Downloads section of the F5 Configuration utility home page.

  • LOAD-BAL-SYSTEM-MIB.txt: This is a vendor MIB that contains specific information for properties associated with specific F5 functionality (load balancing, NATs, and SNATs).
  • UCD-SNMP-MIB.txt: This is a MIB-II (RFC 1213) that provides standard management information.

    For information about the objects defined in the LOAD-BAL-SYSTEM-MIB.txt, refer to the descriptions in the object identifier (OID) section of the MIB file. For information about the objects defined in UCD-SNMP-MIB.txt, refer to RFC 1213.

Understanding configuration file requirements

You need to make changes to several configuration files on the BIG/ip Controller before you use the SNMP agent. Once you change these configuration files, you need to restart the SNMP agent.

/etc/hosts.deny

This file must be present to deny by default all TCP connections to the SNMP agent. The contents of this file are as follows:

ALL : ALL

/etc/hosts.allow

The /etc/hosts.allow file is used to specify which hosts are allowed to access the SNMP agent. There are two ways to configure access to the SNMP agent with the /etc/hosts.allow file. You can type in an IP address, or list of IP addresses, that are allowed to access the SNMP agent, or you can type in an IP address and mask to allow a range of addresses in a subnetwork to access the SNMP agent.

For a specific list of addresses, type in the list of addresses you want to allow to access the SNMP agent. Addresses in the list must be separated by blank space or by commas. The basic syntax is as follows:

daemon: <IP address> <IP address> <IP address>

For example, you can type the following line which sets the SNMP agent to accept connections from the IP addresses specified:

bigsnmpd: 128.95.46.5 128.95.46.6 128.95.46.7

For a range of addresses, the basic syntax is as follows, where daemon is the name of the daemon, and IP/MASK specifies the network that is allowed access:

daemon: IP/MASK

For example, you might use the following line which sets the bigsnmpd daemon to allow connections from the 128.95.46.0/255.255.255.0 address:

bigsnmpd: 128.95.46.0/255.255.255.0

The example above allows the 256 possible hosts from the network address 128.95.46.0 to access the SNMP daemon. Additionally, you may use the keyword ALL to allow access for all hosts or all daemons.
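To review what a given /etc/hosts.allow actually permits once /etc/hosts.deny is set to ALL : ALL, the following added example (not part of the original manual or of the BIG/ip software) parses both entry forms described above and answers whether a client address would be accepted. The sample file contents, the function names, and the 10.1.0.0 network are constructed for illustration.

```python
import ipaddress

# Constructed sample using the two entry forms this section describes.
SAMPLE_HOSTS_ALLOW = """\
bigsnmpd: 128.95.46.5, 128.95.46.6 128.95.46.7
bigsnmpd: 10.1.0.0/255.255.0.0
"""

def parse_hosts_allow(text, daemon="bigsnmpd"):
    """Return (networks, allows_all, unparsed) for entries that apply to daemon."""
    networks, allows_all, unparsed = [], False, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, clients = (part.strip() for part in line.split(":", 1))
        if name not in (daemon, "ALL"):
            continue
        # Addresses may be separated by blank space or by commas.
        for token in clients.replace(",", " ").split():
            if token == "ALL":
                allows_all = True
                continue
            try:
                # A bare address becomes a /32; IP/MASK becomes a network.
                networks.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                unparsed.append(token)  # hostnames, options: review by hand
    return networks, allows_all, unparsed

def is_allowed(client, text, daemon="bigsnmpd"):
    """True if the client address matches an entry for the daemon."""
    networks, allows_all, _ = parse_hosts_allow(text, daemon)
    addr = ipaddress.ip_address(client)
    return allows_all or any(addr in net for net in networks)

def allowed_address_count(text, daemon="bigsnmpd"):
    """Number of distinct addresses permitted, or None when ALL is used."""
    networks, allows_all, _ = parse_hosts_allow(text, daemon)
    if allows_all:
        return None
    merged = ipaddress.collapse_addresses(networks)
    return sum(net.num_addresses for net in merged)
```

A result of None from allowed_address_count means the ALL keyword is in effect and the wrapper no longer restricts which hosts reach the agent.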

/etc/snmpd.conf

The /etc/snmpd.conf file controls most of the SNMP daemon. This file is used to set up and configure certain traps, passwords, and general SNMP variable names. A few of the necessary variables are listed below:

  • System Contact Name
    The System Contact is a MIB-II simple string variable defined by almost all SNMP boxes. It usually contains a user name, as well as an email address. This is set by the syscontact key.
  • Machine Location (string)
    The Machine Location is a MIB-II variable that almost all boxes support. It is a simple string that defines the location of the box. This is set by the syslocation key.
  • Community String
    The community string is a clear text password used for basic SNMP security. It also maps to VACM groups, but for initial read-only access, it is limited to only one group.
  • Trap Configuration
    Trap configuration is controlled by these entries in the /etc/snmpd.conf file:
    • trapsink <host>
      This sets the host to receive trap information. The <host> is an IP address.
    • trapport <port>
      This sets the port on which traps are sent. There must be one trapport line for each trapsink host.
    • trapcommunity <community string>
      This sets the community string (password) to use for sending traps. If set, it also sends a trap upon startup: coldStart(0).
    • authtrapenable <integer>
      Setting this variable to 1 enables traps to be sent for authentication warnings. Setting it to 2 disables it.
    • data_cache_duration <seconds>
      This is the time in seconds data is cached. The default value for this setting is one second.

Note: To change the trap port, the trapport line must precede the trapsink line. If you use more than one trapport line, then there must be one trapport line before each trapsink line. The same follows for trapcommunity. If you use more than one trapcommunity line, then there must be one trapcommunity line before each trapsink line.
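The ordering rule in the note above is easy to break when editing /etc/snmpd.conf by hand. The following added example (not part of the original manual or of the BIG/ip software) checks a configuration against that rule before the agent is restarted. The sample file contents, community name, addresses, and function name are constructed for illustration.

```python
# Constructed sample: the second trapsink has no trapport of its own,
# and the last trapport comes after every trapsink.
SAMPLE_SNMPD_CONF = """\
syscontact admin@example.com
syslocation Building 1
trapcommunity nms-a
trapport 162
trapsink 192.0.2.10
trapsink 192.0.2.11
trapport 1162
"""

def lint_trap_order(text):
    """Return findings where trapport/trapcommunity do not precede trapsink."""
    findings = []
    counts = {"trapport": 0, "trapcommunity": 0}
    pending = {}  # directives seen since the previous trapsink -> line number
    sinks = []    # (line number, host, directives that preceded this sink)
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        key = fields[0]
        if key in counts:
            counts[key] += 1
            pending[key] = lineno
        elif key == "trapsink":
            host = fields[1] if len(fields) > 1 else "<missing host>"
            sinks.append((lineno, host, set(pending)))
            pending = {}
    # A directive left pending at end of file precedes no trapsink at all.
    for key, lineno in pending.items():
        findings.append(f"line {lineno}: {key} follows the last trapsink")
    # With more than one trapport (or trapcommunity) line, each trapsink
    # needs its own line of that kind before it.
    for key, total in counts.items():
        if total > 1:
            for lineno, host, seen in sinks:
                if key not in seen:
                    findings.append(
                        f"line {lineno}: trapsink {host} has no {key} before it")
    return findings
```

An empty list means the file follows the ordering rule; each finding names the line to move or add.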

/etc/rc.local

The following entry in the /etc/rc.local automatically starts up the SNMP agent when the system boots up (Figure 7.1).

# BIG/ip SNMP Agent
if [ -f /etc/snmpd.conf ]; then
    /sbin/bigsnmpd -c /etc/snmpd.conf
fi

Figure 7.1 Starting the SNMP agent in the /etc/rc.local file.

If the /etc/snmpd.conf is present on your system, the SNMP agent is automatically started.

/etc/snmptrap.conf

This configuration file includes OID, trap, and regular expression mappings. The configuration file specifies whether to send a specific trap based on a regular expression. An excerpt of the config file is shown in Figure 7.2.

# Default traps.
.1.3.6.1.4.1.3375.1.1.110.2.6 ROOT LOGIN
.1.3.6.1.4.1.3375.1.1.110.2.5 REQUEST DENIAL
.1.3.6.1.4.1.3375.1.1.110.2.4 SYSTEM RESET
.1.3.6.1.4.1.3375.1.1.110.2.3 SERVICE UP
.1.3.6.1.4.1.3375.1.1.110.2.2 SERVICE DOWN
#.1.3.6.1.4.1.3375.1.1.110.2.1 Unknown Error
#.1.3.6.1.4.1.3375.1.1.110.2.1 Unknown Failure

Figure 7.2 Excerpt from the /etc/snmptrap.conf file

Some of the OIDs have been permanently mapped to BIG/ip specific events. The OIDs that are permanently mapped for the BIG/ip Controller include:

  • Root login
  • Request denial
  • System reset
  • Service up
  • Service down

    You may, however, insert your own regular expressions and map them to the 110.1 OID. The /etc/snmptrap.conf file contains two examples for mapping your own OIDs:

  • Unknown error
  • Unknown failure

    By default, these lines are commented out. Use these OIDs for miscellaneous events. When lines match your expression, they are sent to your management software with the 110.2.1 OID.

Syslog

You must configure syslog to send syslog lines to checktrap.pl. If the syslog lines match the specified configuration in the snmptrap.conf file, a valid SNMP trap is generated. The following lines in the /etc/syslog.conf file require syslog to look at the information logged, scan the snmptrap.conf file, and determine if a trap should be generated:

local0.* | exec /sbin/checktrap.pl.

local1.* | exec /sbin/checktrap.pl.

auth.* | exec /sbin/checktrap.pl.

Configuring the BIG/ip SNMP agent

The F5 Configuration utility allows you to enable the BIG/ip SNMP agent, and it allows you to easily define three aspects of the SNMP agent:

  • Client access
    You can define an address and netmask for a workstation from which SNMP requests are acceptable.
  • System information
    You can name a system contact, a machine location, and a community string.
  • Trap configuration
    You can enter a trap sink, a trap community, or set up an authentication trap.

Configuring SNMP settings

The F5 Configuration utility provides sample SNMP settings for your reference. If you want to use the BIG/ip SNMP MIB, you need to replace these sample settings with settings appropriate to your environment and your specific SNMP management software.

To set SNMP properties in the F5 Configuration utility

  1. Click SNMP in the navigation pane.
    The SNMP Configuration screen opens.
  2. In the BIG/ip SNMP Configuration screen, check Enabled to allow access to the BIG/ip SNMP agent.
  3. In the Allow Address box, enter the IP address, or addresses, of the management system from which the agent can accept requests. This allows you to restrict access to management information to a specific computer or computers running a management system. If you type in a list of addresses, type a comma after the last address.
  4. In the Allow Netmask box, enter the netmask for a range of IP addresses for machines from which the agent can accept requests. If you type a list of IP addresses in the Allow Address box, leave the Allow Netmask box blank.
  5. In the System Contact box, enter the contact name and email address for the person who should be contacted if this BIG/ip Controller generates a trap.
  6. In the Machine Location box, enter a machine location, such as First Floor, or Building 1, that describes the physical location of the BIG/ip Controller.
  7. In the Community String box, enter a community name. The community name is a clear text password used for basic SNMP security and for grouping machines that you manage.
  8. In the Trap Sink box, enter the host that should be notified when a trap is sent by the BIG/ip SNMP agent.
  9. In the Trap Community box, enter the community name to which this BIG/ip controller belongs. Traps sent from this box are sent to the management system managing this community.
  10. Check Auth Trap Enabled to allow traps to be sent for authentication warnings.

Configuring options for the checktrap script

The checktrap.pl script reads a set of lines from standard input. The script checks each line against a set of regular expressions. If a line matches the regular expression, an SNMP trap is sent.

Options for checktrap

snmpd_conf_file=<snmp configuration file>

This is the file that contains the SNMP variables. The checktrap.pl gets trap configuration information from this file. The default is /etc/snmpd.conf.

trapd_conf_file=<snmp trap configuration file>

This is the file that contains the regular expression to SNMP trap OID mappings. It also contains a description string that is added to the trap message. The default is /etc/snmptrap.conf.

trap_program=<snmp trap program>

This is the program that sends the trap. This program should be the snmptrap program included with the BIG/ip Controller. The default is /sbin/snmptrap.

no_date_strip

This turns off automatic date stripping. Normally, each input line is expected to begin with a date. Typically, this date is stripped off before the trap is sent. This option keeps the date information in the trap. By default, the date is stripped from the trap.

usage

Prints a usage string.
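Before adding a custom regular expression to /etc/snmptrap.conf, it helps to see which syslog lines it would turn into traps. The following added example (not the checktrap.pl script and not part of the original manual) models the matching and date stripping described above without sending anything. It assumes each mapping line is an OID followed by the regular expression, that the first matching mapping wins, and that dates use the common syslog layout; the sample log lines and function names are constructed.

```python
import re

# Constructed sample in the layout of Figure 7.2.
SAMPLE_SNMPTRAP_CONF = """\
# Default traps.
.1.3.6.1.4.1.3375.1.1.110.2.6 ROOT LOGIN
.1.3.6.1.4.1.3375.1.1.110.2.2 SERVICE DOWN
#.1.3.6.1.4.1.3375.1.1.110.2.1 Unknown Error
"""

# Constructed syslog lines; host name and message text are illustrative.
SAMPLE_LOG = [
    "Mar  3 14:02:11 bigip1 login: ROOT LOGIN (root) ON ttyp0",
    "Mar  3 14:02:15 bigip1 bigd: SERVICE DOWN 10.0.0.5:80",
    "Mar  3 14:02:20 bigip1 bigd: Unknown Error in monitor",
]

# Assumed date layout at the start of each line, e.g. "Mar  3 14:02:11 ".
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+")

def load_mappings(text):
    """Parse OID-to-regular-expression lines, skipping comments."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            mappings.append((parts[0], re.compile(parts[1])))
    return mappings

def traps_for(lines, mappings, no_date_strip=False):
    """Return (oid, message) for each line that would generate a trap."""
    traps = []
    for line in lines:
        message = line.rstrip("\n")
        if not no_date_strip:
            # Default behaviour: drop the leading date from the message.
            message = SYSLOG_DATE.sub("", message, count=1)
        for oid, pattern in mappings:
            if pattern.search(message):
                traps.append((oid, message))
                break  # assumption: first matching mapping wins
    return traps
```

The third sample line produces no trap because its mapping is commented out, which is the default state of the custom entries.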