Applies To: BIG-IP versions 1.x - 4.x (4.5.14, 4.5.13, 4.5.12, 4.5.11, 4.5.10)
19
Configuring SNMP
- Introducing SNMP administration
- Downloading the MIBs
- Configuring SNMP using the Configuration utility
- SNMP configuration files
- Configuring snmpd to send responses out of different ports or addresses
Introducing SNMP administration
This chapter describes management and configuration tasks for version 2.0 of the simple network management protocol (SNMP) agent. The chapter also describes tasks for the management information bases (MIBs) available with the BIG-IP system.
With the BIG-IP system SNMP agent and MIBs, you can manage the BIG-IP system by configuring traps for the SNMP agent or polling the BIG-IP system with your standard network management station (NMS).
You can use the Configuration utility to configure the BIG-IP system SNMP agent to send traps to your management system. You can also set up custom traps by editing several configuration files.
You can use SNMP security options to securely manage access to information collected by the BIG-IP system SNMP agent, including Community names, TCP wrappers, and View Access Control Mechanism (VACM).
This chapter is divided into four parts:
- Downloading the MIBs
This section shows how to download the SNMP MIBs.
- Configuring SNMP using the Configuration utility
This section shows how to set up SNMP for a remote administrative host.
- SNMP configuration files
This section describes the SNMP configuration files and their syntax.
- Configuring snmpd to respond out of different ports and addresses
This section describes how to configure snmpd to respond out of different ports and addresses.
Downloading the MIBs
To set up SNMP for a remote network management station, you must download and install the product-specific MIB files. All BIG-IP systems have the following product-specific MIB files:
- LOAD-BAL-SYSTEM-MIB.txt
This is an enterprise MIB that contains specific information for properties associated with specific BIG-IP system functionality (load balancing, NATs, and SNATs).
- UCD-SNMP-MIB.txt
This is an enterprise MIB that contains information and metrics about memory, disk utilization, and other information regarding the BIG-IP operating system. It is fully documented in RFC 1213.
- Etherlike-MIB.txt
This is a standard MIB which describes statistics for the collection of Ethernet interfaces attached to the system. It is fully documented in RFC 2665.
- If-MIB.txt
This MIB supports an extended version of the ifTable, including 64-bit counters.
- RMON-MIB.txt
This is a standard MIB that describes real-time and historical statistics for the Ethernet systems in the interface. This MIB also allows the setting of alerts and traps based on user-defined thresholds of available metrics in the system. It is fully documented in RFC 2819.
- rfc1525.mib
This is a standard MIB which describes objects for managing MAC bridges based on the IEEE 802.1D-1990 standard between Local Area Network (LAN) segments. It is fully documented in RFCs 1463 and 1525.
- PLATFORM-MIB.txt
This MIB contains CPU-related information for the platform, such as the number of CPUs, CPU temperature, and fan speed, including chassis fan speed.
For a BIG-IP system with the 3-DNS module, there are two additional product-specific MIB files:
- RFC1611.my
This is the DNS MIB (for the 3-DNS module only).
- 3dns.my
This is an enterprise MIB which describes information and properties of objects associated with the functioning of 3-DNS (for the 3-DNS module only).
You can download these files from the Additional Software Downloads section of the Configuration utility home page, where they appear as the following hypertext entries:
- BIG-IP MIB (LOAD-BAL-SYSTEM-MIB.txt and UCD-SNMP-MIB.txt)
- Interface MIB (If-MIB.txt)
- RMON MIB (RMON-MIB.txt)
- BRIDGE (rfc1525.mib)
You can also download these files directly from /usr/local/share/snmp/mibs on the BIG-IP system to your remote host, using ssh and scp (crypto version) or telnet and ftp (non-crypto version).
Configuring SNMP using the Configuration utility
To configure SNMP for a remote network management station, you must perform the following tasks:
- Set up client access
Configure the BIG-IP system to allow administrative access to the SNMP agent.
- Configure system information
Set the system information variables.
- Configure traps
Enable traps and specify them by community, port, and sink.
All three tasks are performed using the SNMP Administration screen, shown in Figure 19.1. To access this screen, click System Admin in the navigation pane, then click the SNMP Administration tab.
Figure 19.1 SNMP Administration screen
Setting up client access
To set up client access, you enable access and specify the IP or network addresses (with netmasks as required) from which the SNMP agent can accept requests. (By default, SNMP is enabled only for the BIG-IP system loopback interface 127.0.0.1.)
To allow access to the SNMP agent using the Configuration utility
- In the top of the SNMP Administration screen, check the Enable box to allow access to the BIG-IP system SNMP agent.
- In the Client Access Allow List section, type the following information:
- IP Address or Network Address
Type in an IP address or network address from which the SNMP agent can accept requests. For a network address, also type in a netmask.
- Netmask
If you type a network address in the IP Address or Network Address box, type the netmask for the network address in this box.
- Click the Add (>>) button to add the address or network address to the Current List.
The /etc/hosts.allow file must contain the following entry, which is in the file by default: snmpd : 127.0.0.1. If you remove this entry, the 3-DNS Controller cannot properly poll using SNMP. When you use the Configuration utility to configure the system's SNMP properties, this address is already listed in the Allow List box.
Configuring system information
System information includes certain traps, passwords, and general SNMP variable names. There are three main variables:
- System Contact name
The System Contact is a MIB-II simple string variable defined by almost all SNMP boxes. It usually contains a user name, as well as an email address.
- Machine Location (string)
The Machine Location is a MIB-II variable that almost all boxes support. It is a simple string that defines the location of the box.
- Community String
The community string clear text password is used for basic SNMP security. This also maps to VACM groups, but for initial read-only access, it is limited to just one group.
To set system information properties using the Configuration utility
You use the System Information section of the SNMP Administration screen to set the system information properties.
- In the System Contact box, type the contact name and email address for the person to contact regarding issues with this BIG-IP system.
- In the Machine Location box, type a machine location, such as First Floor, or Building 1, that describes the physical location of the BIG-IP system.
- In the Community String box, type a community name. The community name is a clear text password used for basic SNMP security and for grouping machines that you manage.
Configuring traps
To configure traps, you provide three pieces of information:
- trapcommunity <community string>
This sets the community string (password) to use for sending traps. If set, it also sends a trap upon startup: coldStart(0).
- trapport <port>
This sets the port on which traps are sent. There must be one trapport line for each trapsink host.
- authtrapenable <integer>
Setting this variable to 1 enables traps to be sent for authentication warnings. Setting it to 2 disables it.
To set trap configuration properties using the Configuration utility
You use the Trap Configuration section of the SNMP Administration screen to set trap properties.
- Check the Auth Trap Enabled box to allow traps to be sent for authentication warnings.
- In the Community box, type the community name to which this BIG-IP system belongs. Traps sent from this box are sent to the management system managing this community.
- In the Service box, type the service name on which the BIG-IP system sends traps. Traps sent from the BIG-IP system are sent to the management system through this port.
- In the Sink box, type the host that should be notified when a trap is sent by the BIG-IP system SNMP agent.
- Click the Add (>>) button to add it to the Current List. (To remove a trap sink from the Current List, click the trap sink you want to remove, and click the Remove (<<) button.)
- Click the Apply button.
SNMP configuration files
The SNMP options that you specify in the SNMP Administration screen are written to one or more of the following configuration files. If you prefer, you can configure SNMP by directly editing the appropriate files with a text editor rather than using the Configuration utility.
- hosts.deny
This file denies all UDP connections to the SNMP agent.
- hosts.allow
This file specifies which hosts are allowed to access the SNMP agent.
- snmpd.conf
This file configures the SNMP agent.
- snmptrap.conf
For the BIG-IP system, the configuration in /etc/snmptrap.conf determines which messages generate traps, and what those traps are. Edit this file only if you want to add traps.
- 3dns_snmptrap.conf
For the 3-DNS Controller, the configuration in /etc/3dns_snmptrap.conf determines which messages generate traps and what those traps are. Edit this file only if you want to add traps.
- syslog.conf
Configure /etc/syslog.conf to pipe specified message types through checktrap.pl.
/etc/hosts.deny
This file must be present to deny by default all UDP connections to the SNMP agent. The contents of this file are as follows:
ALL : ALL
/etc/hosts.allow
The /etc/hosts.allow file is used to specify which hosts are allowed to access the SNMP agent. There are two ways to configure access to the SNMP agent with the /etc/hosts.allow file. You can type in an IP address, or a list of IP addresses, that are allowed to access the SNMP agent, or you can type in a network address and mask to allow a range of addresses in a subnetwork to access the SNMP agent.
For a specific list of addresses, type in the list of addresses you want to allow to access the SNMP agent. Addresses in the list must be separated by blank space or by commas. The basic syntax is as follows:
daemon: <IP address> <IP address> <IP address>
For example, you can type the following line which sets the SNMP agent to accept connections from the IP addresses specified:
snmpd: 128.95.46.5 128.95.46.6 128.95.46.7
For a range of addresses, the basic syntax is as follows, where daemon is the name of the daemon, and IP/MASK specifies the network that is allowed access. The IP must be a network address:
daemon: IP/MASK
For example, you might use the following line which sets the bigsnmpd daemon to allow connections from the 128.95.46.0/255.255.255.0 network:
snmpd: 128.95.46.0/255.255.255.0
The preceding example allows the 254 possible hosts from the network address 128.95.46.0 to access the SNMP daemon. Additionally, you may use the keyword ALL to allow access for all hosts or all daemons.
192.168.1/24 CIDR syntax is not allowed.
The /etc/hosts.allow file must contain the following entry, which is in the file by default: snmpd : 127.0.0.1. If you remove this entry, the 3-DNS Controller cannot properly poll using SNMP.
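The following is an added example, not part of the F5 documentation: a small checker for the TCP wrappers style allow list described above. It accepts the two forms the page shows (a blank- or comma-separated list of addresses, and NETWORK/NETMASK) plus the keyword ALL, rejects the 192.168.1/24 CIDR form the page says is not allowed, enforces that the address before a mask is a network address, and applies the /etc/hosts.deny "ALL : ALL" default so anything not listed is denied. The sample file contents are constructed from the page's own examples; the lookup order (hosts.allow first, then hosts.deny, then permit) is the standard TCP wrappers order and is assumed to be what the BIG-IP system uses.

```python
# Added example (not F5 code): validate and evaluate an snmpd allow list.
import ipaddress
import re

# Constructed sample files, modelled on the page's examples.
HOSTS_ALLOW = """\
snmpd : 127.0.0.1
snmpd: 128.95.46.5 128.95.46.6, 128.95.46.7
snmpd: 128.95.46.0/255.255.255.0
"""
HOSTS_DENY = "ALL : ALL\n"


def parse_client(token):
    """Turn one client token into an IPv4 network (ALL matches everything)."""
    if token == "ALL":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in token:
        net, mask = token.split("/", 1)
        # Only NETWORK/DOTTED.MASK is accepted; a /24 prefix length is not.
        if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", mask):
            raise ValueError(f"CIDR prefix syntax not allowed: {token}")
        # strict=True enforces "the IP must be a network address".
        return ipaddress.ip_network(f"{net}/{mask}", strict=True)
    return ipaddress.ip_network(f"{token}/32")


def parse_access_file(text):
    """Return ({daemon: [network, ...]}, [(lineno, line, problem), ...])."""
    rules, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if ":" not in line:
            problems.append((lineno, raw, "expected 'daemon : client ...'"))
            continue
        daemon, clients = (part.strip() for part in line.split(":", 1))
        for token in re.split(r"[\s,]+", clients):
            if not token:
                continue
            try:
                rules.setdefault(daemon, []).append(parse_client(token))
            except ValueError as exc:
                problems.append((lineno, raw, str(exc)))
    return rules, problems


def _matches(rules, daemon, client):
    addr = ipaddress.ip_address(client)
    for name in (daemon, "ALL"):
        if any(addr in net for net in rules.get(name, [])):
            return True
    return False


def is_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """TCP wrappers order: hosts.allow first, then hosts.deny, else permit."""
    allow, _ = parse_access_file(allow_text)
    deny, _ = parse_access_file(deny_text)
    if _matches(allow, daemon, client):
        return True
    if _matches(deny, daemon, client):
        return False
    return True


def lint(allow_text=HOSTS_ALLOW):
    """Problems worth fixing before the file goes onto the system."""
    rules, problems = parse_access_file(allow_text)
    loopback = ipaddress.ip_address("127.0.0.1")
    if not any(loopback in net for net in rules.get("snmpd", [])):
        # The page warns that removing 'snmpd : 127.0.0.1' breaks 3-DNS polling.
        problems.append((0, "", "loopback entry 'snmpd : 127.0.0.1' is missing"))
    return problems


if __name__ == "__main__":
    for client in ("127.0.0.1", "128.95.46.6", "128.95.46.200", "128.95.47.1"):
        print(client, "allowed" if is_allowed("snmpd", client) else "denied")
    print("problems:", lint())
    print("problems:", lint("snmpd: 192.168.1/24\n"))
```

Running the block prints which of the four constructed clients reach snmpd under the sample file, and shows that a file consisting only of the disallowed CIDR line is reported twice: once for the syntax and once for the missing loopback entry.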
The /etc/snmpd.conf file
The /etc/snmpd.conf file controls most of the SNMP agent. This file is used to set up and configure certain traps, passwords, and general SNMP variable names. A few of the necessary variables are listed below:
- System Contact Name
The System Contact is a MIB-II simple string variable defined by almost all SNMP boxes. It usually contains a user name, as well as an email address. This is set by the syscontact key.
- Machine Location (string)
The Machine Location is a MIB-II variable that almost all boxes support. It is a simple string that defines the location of the box. This is set by the syslocation key.
- Community String
The community string clear text password is used for basic SNMP security. This also maps to VACM groups, but for initial read-only access it is limited to only one group.
- Trap Configuration
Trap configuration is controlled by these entries in the /etc/snmpd.conf file:
- trapsink <host>
This sets the host to receive trap information. The <host> is an IP address.
- trapport <port>
This sets the port on which traps are sent. There must be one trapport line for each trapsink host.
- trapcommunity <community string>
This sets the community string (password) to use for sending traps. If set, it also sends a trap upon startup: coldStart(0).
- authtrapenable <integer>
Setting this variable to 1 enables traps to be sent for authentication warnings. Setting it to 2 disables it.
- data_cache_duration <seconds>
This is the time in seconds during which data is cached. The default value for this setting is one second.
A trapport line controls all trapsink lines that follow it until another trapport line appears. Therefore, to change the trap port for a trap sink, the new trapport line must be inserted before the trap sink's trapsink line, with no other trapport lines in between. The same logic follows for trapcommunity lines.
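The following is an added example, not part of the F5 documentation: it resolves the effective trap destinations from a constructed /etc/snmpd.conf using the rule just stated (a trapport or trapcommunity line applies to every trapsink that follows it until the next line of the same kind), reports sinks that have no trapport line of their own, and inserts a new trapport line directly in front of one sink to change its port. The default port of 162 for a sink with no preceding trapport line is an assumption (it is the standard SNMP trap port), as is the absence of a community until a trapcommunity line appears; the host addresses and community names are constructed.

```python
# Added example (not F5 code): resolve trapsink/trapport/trapcommunity ordering.

# Assumptions not stated on the page: a sink with no preceding trapport uses
# port 162, and has no community until a trapcommunity line has been seen.
DEFAULT_TRAP_PORT = 162

# Constructed sample configuration using the keys documented on the page.
SAMPLE_SNMPD_CONF = """\
syscontact Admin <admin@example.com>
syslocation Building 1, First Floor
trapcommunity ops-traps
trapport 162
trapsink 192.0.2.10
trapport 1162
trapsink 192.0.2.11
trapcommunity backup-traps
trapsink 192.0.2.12
authtrapenable 1
data_cache_duration 1
"""


def parse_snmpd_conf(text):
    """Return (key, value) pairs in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            entries.append((key, value.strip()))
    return entries


def resolve_trap_sinks(text):
    """Walk the file once, carrying the current port and community forward."""
    port, community, sinks = DEFAULT_TRAP_PORT, None, []
    for key, value in parse_snmpd_conf(text):
        if key == "trapport":
            port = int(value)
        elif key == "trapcommunity":
            community = value
        elif key == "trapsink":
            sinks.append({"host": value, "port": port, "community": community})
    return sinks


def auth_traps_enabled(text):
    """authtrapenable 1 enables authentication-warning traps; 2 disables them."""
    for key, value in parse_snmpd_conf(text):
        if key == "authtrapenable":
            return value == "1"
    return False


def sinks_without_own_trapport(text):
    """The page requires one trapport line per trapsink host; list the sinks
    that instead inherit the port of an earlier sink."""
    missing, pending_port = [], False
    for key, value in parse_snmpd_conf(text):
        if key == "trapport":
            pending_port = True
        elif key == "trapsink":
            if not pending_port:
                missing.append(value)
            pending_port = False
    return missing


def set_trap_port(text, host, port):
    """Insert 'trapport <port>' immediately before 'trapsink <host>', so no
    other trapport line sits between them; sinks before it are unaffected."""
    out = []
    for raw in text.splitlines():
        if raw.split("#", 1)[0].split() == ["trapsink", host]:
            out.append(f"trapport {port}")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sink in resolve_trap_sinks(SAMPLE_SNMPD_CONF):
        print(sink)
    print("auth traps enabled:", auth_traps_enabled(SAMPLE_SNMPD_CONF))
    print("sinks inheriting a port:", sinks_without_own_trapport(SAMPLE_SNMPD_CONF))
    fixed = set_trap_port(SAMPLE_SNMPD_CONF, "192.0.2.12", 2162)
    print(resolve_trap_sinks(fixed))
```

In the sample, the third sink has no trapport line of its own and so inherits 1162 from the line that was meant for the second sink; set_trap_port repairs that without touching the earlier sinks.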
/etc/snmptrap.conf
This configuration file includes OID, trap, and regular expression mappings. The configuration file specifies whether to send a specific trap based on a regular expression. An excerpt of the configuration file is shown in Figure 19.2.
# Default traps.
.1.3.6.1.4.1.3375.1.1.110.2.6 (ROOT LOGIN) ROOT LOGIN
.1.3.6.1.4.1.3375.1.1.110.2.5 (denial) REQUEST DENIAL
.1.3.6.1.4.1.3375.1.1.110.2.4 (BIG-IP Loading) SYSTEM RESET
.1.3.6.1.4.1.3375.1.1.110.2.3 (Service detected UP) SERVICE UP
.1.3.6.1.4.1.3375.1.1.110.2.2 (Service detected DOWN) SERVICE DOWN
#.1.3.6.1.4.1.3375.1.1.110.2.1 (error) Unknown Error
#.1.3.6.1.4.1.3375.1.1.110.2.1 (failure) Unknown Failure
Some of the OIDs have been permanently mapped to BIG-IP system specific events. The OIDs that are permanently mapped for the BIG-IP system include:
- Root login
- Request denial
- System reset
- Service up
- Service down
You may, however, insert your own regular expressions and map them to the 110.1 OID. The /etc/snmptrap.conf file contains two examples for mapping your own OIDs:
By default, these lines are commented out. Use these OIDs for miscellaneous events. When lines match your expression, they are sent to your management software with the 110.2.1 OID.
If you change this file, restart the SNMP agent bigsnmpd as follows:
bigstart restart snmpd
For the 3-DNS Controller, the configuration in /etc/3dns_snmptrap.conf determines which messages generate traps and what those traps are. Edit this file only if you want to add traps.
Syslog
In order to generate traps, you must configure syslog to send syslog lines to checktrap.pl. If the syslog lines match the specified regular expressions in the snmptrap.conf file, a valid SNMP trap is generated. The following lines in the /etc/syslog.conf file cause syslog to send messages to checktrap.pl:
If you change this file, restart the SNMP agent bigsnmpd with the following command:
bigstart restart snmpd
Also, if you change the syslog.conf file, you must kill the syslogd and checktrap.pl processes, and then restart them. The checktrap.pl process must be restarted first, and then the syslogd process. The following command sequence shows how to kill and restart these processes. Note that <PID> represents the process ID of the syslogd and checktrap.pl processes.
ps -axw | grep syslogd
kill <PID>
ps -axw | grep checktrap.pl
kill <PID>
checktrap.pl &
syslogd
If you uncomment these lines, make sure you restart syslogd.
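The following is an added example, not part of the F5 documentation and not the real checktrap.pl script: a model of the pipeline described in the snmptrap.conf and Syslog sections above. It parses the mapping lines from the page's excerpt (OID, a regular expression in parentheses, a description), skips the commented-out ones, runs syslog lines through them, and shows an additional expression being mapped to the 110.2.1 OID as the page describes. The syslog lines are constructed, and two details are assumptions because the page does not state them: matching is a case-sensitive search, and the first matching mapping wins.

```python
# Added example (not F5 code): model of snmptrap.conf matching over syslog lines.
import re

# The excerpt shown on the page.
SNMPTRAP_CONF = """\
# Default traps.
.1.3.6.1.4.1.3375.1.1.110.2.6 (ROOT LOGIN) ROOT LOGIN
.1.3.6.1.4.1.3375.1.1.110.2.5 (denial) REQUEST DENIAL
.1.3.6.1.4.1.3375.1.1.110.2.4 (BIG-IP Loading) SYSTEM RESET
.1.3.6.1.4.1.3375.1.1.110.2.3 (Service detected UP) SERVICE UP
.1.3.6.1.4.1.3375.1.1.110.2.2 (Service detected DOWN) SERVICE DOWN
#.1.3.6.1.4.1.3375.1.1.110.2.1 (error) Unknown Error
#.1.3.6.1.4.1.3375.1.1.110.2.1 (failure) Unknown Failure
"""
# The OID the page reserves for expressions you add yourself.
CUSTOM_OID = ".1.3.6.1.4.1.3375.1.1.110.2.1"

# Constructed syslog lines; message texts are illustrative, not real BIG-IP output.
SYSLOG_LINES = [
    "Jan 10 12:00:01 bigip1 login: ROOT LOGIN on ttyp0 from 192.0.2.5",
    "Jan 10 12:00:05 bigip1 bigd: Service detected DOWN for 10.0.0.5:80",
    "Jan 10 12:00:09 bigip1 bigd: Service detected UP for 10.0.0.5:80",
    "Jan 10 12:01:00 bigip1 kernel: disk error on sd0",
    "Jan 10 12:02:00 bigip1 sshd: accepted publickey for admin",
]

# A mapping line: optional '#', the OID, '(regex)', then the description.
# Assumes the description itself contains no ')' character.
MAPPING_RE = re.compile(r"^(#?)(\.[\d.]+)\s+\((.*)\)\s+(\S.*?)\s*$")


def load_mappings(text):
    """Return [(oid, compiled_regex, description, enabled)] in file order."""
    mappings = []
    for raw in text.splitlines():
        m = MAPPING_RE.match(raw)
        if m:
            disabled, oid, pattern, desc = m.groups()
            mappings.append((oid, re.compile(pattern), desc, disabled == ""))
    return mappings


def match_trap(line, mappings):
    """First enabled mapping whose expression occurs in the line, else None."""
    for oid, pattern, desc, enabled in mappings:
        if enabled and pattern.search(line):
            return (oid, desc)
    return None


def traps_for(lines, mappings):
    """The (oid, description) traps that a batch of syslog lines would raise."""
    return [t for t in (match_trap(line, mappings) for line in lines) if t]


def add_custom_trap(text, pattern, description):
    """Append a mapping to the 110.2.1 OID for an expression of your own."""
    return text.rstrip("\n") + f"\n{CUSTOM_OID} ({pattern}) {description}\n"


if __name__ == "__main__":
    defaults = load_mappings(SNMPTRAP_CONF)
    print("default mappings enabled:", sum(1 for m in defaults if m[3]), "of", len(defaults))
    for trap in traps_for(SYSLOG_LINES, defaults):
        print(trap)
    extended = add_custom_trap(SNMPTRAP_CONF, "disk error", "DISK ERROR")
    print(traps_for(SYSLOG_LINES, load_mappings(extended))[-1])
```

With the page's defaults the constructed "disk error" line raises nothing, because the "(error)" mapping is commented out; after add_custom_trap it raises a 110.2.1 trap. Remember that, per the text above, the agent must be restarted with bigstart restart snmpd before the real file change takes effect.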
Configuring snmpd to send responses out of different ports or addresses
You can configure snmpd to respond on different ports or bind the daemon to a specific interface. Use the following syntax to configure snmpd:
snmpd -p [(udp|tcp):]port[@address][,...]
Use this command to make the agent listen on the specified list of sockets instead of the default port, which is port 161. Separate multiple ports by commas. You can specify transports by prepending the port number with the transport name (udp or tcp) followed by a colon.
To bind to a particular interface, you can specify the address you want it to bind with. For example, you can specify the following command to make the agent listen on UDP port 161 for any address, TCP port 161 for any address, and UDP port 9161 on only the interface associated with the localhost address.
snmpd -p 161,tcp:161,9161@localhost
The -T flag changes the default transport mapping to use (in the previous example, the default transport mapping is UDP).
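The following is an added example, not part of the F5 documentation: it parses the -p listen specification described above into (transport, port, address) sockets, applies a default transport of udp unless told otherwise (standing in for what -T changes), rebuilds the specification from the socket list, and lists the sockets bound to every address rather than one interface. The last function is the check a reviewer wants before enabling extra listeners, because the hosts.allow list is the only filter in front of them. The socket tuple layout and the function names are this example's own.

```python
# Added example (not F5 code): parse and inspect an snmpd -p listen specification.
VALID_TRANSPORTS = ("udp", "tcp")


def parse_listen_spec(spec, default_transport="udp"):
    """'161,tcp:161,9161@localhost' ->
    [('udp', 161, None), ('tcp', 161, None), ('udp', 9161, 'localhost')]

    default_transport models what the -T flag changes; udp is the page's default."""
    if default_transport not in VALID_TRANSPORTS:
        raise ValueError(f"unknown default transport: {default_transport}")
    sockets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in listen specification")
        transport = default_transport
        if ":" in item:                      # optional "udp:" / "tcp:" prefix
            transport, item = item.split(":", 1)
            if transport not in VALID_TRANSPORTS:
                raise ValueError(f"unknown transport: {transport}")
        address = None
        if "@" in item:                      # optional "@address" binds one interface
            item, address = item.split("@", 1)
            if not address:
                raise ValueError("empty address after '@'")
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        sockets.append((transport, port, address))
    return sockets


def build_listen_spec(sockets, default_transport="udp"):
    """Inverse of parse_listen_spec: the shortest -p argument for the sockets."""
    parts = []
    for transport, port, address in sockets:
        item = str(port) if transport == default_transport else f"{transport}:{port}"
        parts.append(item + (f"@{address}" if address else ""))
    return ",".join(parts)


def wildcard_sockets(sockets):
    """(transport, port) pairs that accept connections on any address; these are
    the listeners an allow list in /etc/hosts.allow has to cover."""
    return [(t, p) for t, p, addr in sockets if addr in (None, "0.0.0.0")]


if __name__ == "__main__":
    spec = "161,tcp:161,9161@localhost"       # the page's own example
    sockets = parse_listen_spec(spec)
    for sock in sockets:
        print(sock)
    print("exposed on every address:", wildcard_sockets(sockets))
    print("rebuilt:", build_listen_spec(sockets))
```

For the page's example the first two sockets are reachable on every address while 9161 is loopback only, which is exactly the split the text describes.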