Manual Chapter :
Configuring SNMP
Applies To:
Show Versions
BIG-IP APM
- 11.4.1, 11.4.0
Simple Network Management Protocol (SNMP) is an industry-standard protocol that gives a standard SNMP management system the ability to remotely manage a device on the network. One of the devices that an SNMP management system can manage is a Access Policy Manager system. The SNMP versions that the Access Policy Manager system supports are: SNMP v1, SNMP v2c, and SNMP v3. The Access Policy Manager system implementation of SNMP is based on a well-known SNMP package, Net-SNMP, which was formerly known as UCD-SNMP.
A standard SNMP implementation consists of an SNMP manager, which runs on a management system and makes requests to a device, and an SNMP agent, which runs on the managed device and fulfills those requests. SNMP device management is based on the standard management information base (MIB) known as MIB-II, as well as object IDs and MIB files.
| The MIB defines the standard objects that you can manage for a device, presenting those objects in a hierarchical, tree structure. |
| Each object defined in the MIB has a unique object ID (OID), written as a series of integers. An OID indicates the location of the object within the MIB tree. |
| A set of MIB files resides on both the SNMP manager system and the managed device. MIB files specify values for the data objects defined in the MIB. This set of MIB files consists of standard SNMP MIB files and enterprise MIB files. Enterprise MIB files are those MIB files that pertain to a particular company, such as F5 Networks, Inc. |
Typical SNMP tasks that an SNMP manager performs include polling for data about a device, receiving notifications from a device about specific events, and modifying writable object data.
Reviewing the Access Policy Manager system SNMP implementation
To comply with the standard SNMP implementation, the Access Policy Manager system includes both an SNMP agent, a set of standard SNMP MIB files, and a set of enterprise MIB files (those that are specific to the Access Policy Manager system). The enterprise MIB files typically reside on both the Access Policy Manager system, and on the system running the SNMP manager. Fortunately, you can use the browser-based Configuration utility to download the enterprise MIB files to your SNMP manager.
Using the Access Policy Manager system implementation of SNMP, the SNMP manager can perform these distinct functions:
The last item in the list refers to the ability of an SNMP manager system to enable or disable various Access Policy Manager system objects such as virtual servers and nodes. Specifically, you can use SNMP to:
Before an SNMP manager can manage a Access Policy Manager system remotely, you must perform a few configuration tasks on the Access Policy Manager system, using the Access Policy Manager systems Configuration utility. After you have performed these configuration tasks, you can use standard SNMP commands on the remote manager system to manage the Access Policy Manager system.
 | Configuring the SNMP agent There are a number of things you can do to configure the SNMP agent on the Access Policy Manager system. For example, you can allow client access to information that the SNMP agent collects, and you can configure the way that the SNMP agent handles SNMP traps. Traps are definitions of unsolicited notification messages that the Access Policy Manager alert system and the SNMP agent send to the SNMP manager when certain events occur. |
| | Downloading MIB files You can download two sets of MIB files to your remote manager system: the standard SNMP MIB files and the enterprise MIB files. From the navigation pane, expand Overview, and click Welcome. From the Welcome screen, scroll down to Downloads. |
To configure the SNMP agent on the Access Policy Manager system, you can use the Configuration utility. Configuring the SNMP agent means performing the following tasks:
| Configuring Access Policy Manager system information Specify a system contact name and the location of the Access Policy Manager system. |
| Configuring client access to the SNMP agent Configure the Access Policy Manager system to allow access to the SNMP agent from an SNMP manager system. |
| Controlling access to SNMP data Assign access levels to SNMP communities or users, to control access to SNMP data. |
| Configuring Traps Enable or disable traps and specify the destination SNMP manager system for SNMP traps. |
| Contact Information The contact information is a MIB-II simple string variable defined by almost all SNMP boxes. The contact name usually contains a user name, as well as an email address. |
| Machine Location The machine location is a MIB-II variable that almost all machines support. It is a simple string that defines the location of the machine. |
| 1. | On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens. |
| 2. | In the Global Setup area, fill in the boxes. For more information, see the online help. |
| 3. | Click Update. |
An SNMP client refers to any system running the SNMP manager software for the purpose of remotely managing the Access Policy Manager system. To set up client access to the Access Policy Manager system, you specify the IP or network addresses (with netmask as required) from which the SNMP agent can accept requests. (By default, SNMP is enabled only for the Access Policy Manager system loopback interface, 127.0.0.1.)
| 1. | On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens. |
| 2. | For the Client Allow List setting, select Host or Network, depending on whether the IP address you specify is a host system or a subnet. |
| In the Address box, type an IP address or network address from which the SNMP agent can accept requests. |
| 4. | Click the Add button to add the host or network address to the list of allowed clients. |
| 5. | Click Update. |
To better control access to SNMP data, you can assign an access level to an SNMP v1 or v2c community, or to an SNMP v3 user.
There is a default access level for communities, and this access level is read-only. This means that you cannot write to an individual data object that has a read/write access type until you change the default read-only access level of the community or user.
The way to modify this default access level is by using the Configuration utility to grant read/write access to either a community (for SNMP v1 and v2c) or a user (SNMP v3), for a given OID.
When you set the access level of a community or user to read/write, and an individual data object has a read-only access type, access to the object remains read-only. In short, the access level or type that is the most secure takes precedence when there is a conflict. Table 13.1 illustrates this point.
| If the access type of an object is... | And you set the access level of a community or user to... | Then access to the object is... |
| 1. | On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens. |
| 2. | From Agent menu, choose Access (v1, v2c). The SNMP Access screen opens. |
| 3. |
| 5. | In the Community box, type the name of the SNMP community for which you are assigning an access level (in step 8). |
| 6. | In the Source box, type the source IP address. |
| 7. | In the OID box, type the OID for the top-most node of the SNMP tree to which the access applies. |
| 8. | For the Access setting, select an access level, either Read Only or Read/Write. (This access level applies to the community name you specified in step 6.) |
| 9. | Click Finished. |
| 1. | On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens. |
| 2. | From Agent menu, choose Access (v3). The SNMP Access screen opens. |
| 3. |
| 4. | In the User Name box, type a user name for which you are assigning an access level (in step 8). |
| 5. | For the Authentication setting, select a type of authentication to use, and then type and confirm the users password. |
| 6. |
| Check the Use Authentication Password box. |
| 7. | In the OID box, type the object identifier (OID) for the top-most node of the SNMP tree to which the access applies. |
| 8. | For the Access setting, select an access level, either Read Only or Read/Write. (This access level applies to the user name that you specified in step 5). |
| 9. | Click Finished. |
Warning: You must remember to configure both authentication and privacy settings to use SNMPv3. Otherwise, an error occurs and SNMPv3 will not work properly.
When you use the Configuration utility to assign an access level to a community or user, the utility updates the snmpd.conf file, assigning only a single access setting to the community or user. There might be times, however, when you want to configure more sophisticated access control. To do this, you must edit the /config/snmp/snmpd.conf file directly, instead of using the Configuration utility.
For example, Figure 13.1 shows a sample snmpd.conf file when you use the Configuration utility to grant read/write access to a community.
In this example, the string rocommunity identifies a community named public as having the default read only access level (indicated by the strings ro and default). This read only access level prevents any allowed SNMP manager in community public from modifying a data object, even if the object has an access type of read/write.
The string rwcommunity identifies a community named public1 as having a read/write access level (indicated by the string rw). This read/write access level allows any allowed SNMP manager in community public1 to modify a data object under the tree node.1.2.6.1.4.1.3375.2.2.10.1 (ltmVirtualServ) on the local host 127.0.0.1, if that data object has an access type of read/write.
For more information, see the man page for the snmpd.conf file.
On the Access Policy Manager system, traps are definitions of unsolicited notification messages that the Access Policy Manager alert system and the SNMP agent send to the SNMP manager when certain events occur on the Access Policy Manager system. Configuring SNMP traps on a Access Policy Manager system means configuring the way that the Access Policy Manager system handles traps, as well as setting the destination for notifications that the alert system and the SNMP agent send to an SNMP manager.
| /etc/alertd/alert.conf Contains default SNMP traps. |
| /config/user_alert.conf Contains user-defined SNMP traps. |
You use the Configuration utility to configure traps, that is, enable traps and set trap destinations. When you configure traps, the Access Policy Manager system automatically updates the alert.conf and user_alert.conf files.
You can configure the SNMP agent on the Access Policy Manager system to send, or refrain from sending, notifications when the following events occur:
| The SNMP agent on the Access Policy Manager system stops or starts. By default, this trap is enabled. |
| The Access Policy Manager system receives an authentication warning, generated when a client system attempts to access the SNMP agent. By default, this trap is disabled. |
| The Access Policy Manager system receives any type of warning. By default, this trap is enabled. |
| 1. | On the Main tab of the navigation pane, expand System, and click SNMP. This opens the SNMP Agent Configuration screen. |
| 2. | From the Traps menu, choose Configuration. This displays the SNMP Trap Configuration screen. |
| 3. | To send traps when someone starts or stops the SNMP agent, verify that the Agent Start/Stop box is checked. |
| 4. | To send notifications when authentication warnings occur, check the Agent Authentication box. |
| 5. | To send notifications when certain warnings occur, verify that the Device box is checked. |
| 6. | Click Update. |
In addition to enabling certain traps for certain events, you must specify the destination SNMP manager to which the Access Policy Manager system should send notifications. For SNMP versions 1 and 2c only, you specify a destination system by providing the community name to which the Access Policy Manager system belongs, the IP address of the SNMP manager, and the target port number of the SNMP manager.
Important: If you are using SNMP V3 and want to configure a trap destination, you do not use the SNMP screens within the Configuration utility. Instead, you configure the snmpd.conf file. For more information, see the man page for the snmpd.conf file.
| 1. | On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens. |
| 2. | From the Traps menu, choose Destination. The SNMP Destination screen opens. |
| 3. |
| 4. | For the Version setting, select an SNMP version number. |
| 5. | In the Community box, type the community name for the SNMP agent running on the Access Policy Manager system. |
| 6. | In the Destination box, type the IP address of the SNMP management system. |
| 7. | In the Port box, type the SNMP management system port number that is to receive the traps. |
| 8. | Click Finished. |
As described earlier, MIB files define the SNMP data objects contained in the SNMP MIB. There are two sets of MIB files that typically reside on the Access Policy Manager system and the SNMP manager system: enterprise MIB files (that is, F5-specific MIB files) and standard SNMP MIB files.
Both sets of MIB files are already present on the Access Policy Manager system, in the directory /usr/share/snmp/mibs. However, you still need to download them to your SNMP manager system. You can download these MIB files from the Welcome screen of the browser-based Configuration utility. For more information, see Downloading SNMP MIB files.
To make MIB-II as clear as possible, we have implemented the SNMP feature so that you use MIB-II for gathering standard Linux data only. You cannot use MIB-II to gather data that is specific to the Access Policy Manager system and instead must use the F5 enterprise MIB files. All OIDS for Access Policy Manager system data are contained in the F5 enterprise MIB files, including all interface statistics (1.3.6.1.4.1.3375.2.1.2.4 (sysNetwork.sysInterfaces)).
Note: All Access Policy Manager system statistics are defined by 64-bit counters. Thus, because only SNMP v2c supports 64-bit counters, your management system needs to use SNMP v2c to query Access Policy Manager system statistics data.
| F5-BIGIP-COMMON-MIB.txt This MIB file contains common information and all notifications (traps). |
| F5-BIGIP-LOCAL-MIB.txt This is an enterprise MIB file that contains specific information for properties associated with specific Access Policy Manager system features related to local traffic manager (such as virtual servers, pools, and SNATs). |
| F5-BIGIP-SYSTEM-MIB.txt. The F5-BIGIP-SYSTEM-MIB.txt MIB file includes global information on system-specific objects. |
| F5-BIGIP-APM-MIB.txt. This MIB file contains specific information for properties associated with viewing and accessing access profile and secure connectivity statistics. |
To view the set of standard SNMP MIB files that you can download to the SNMP manager system, list the contents of the Access Policy Manager system directory /usr/share/snmp/mibs.
| 1. | On the navigation pane, select the About tab. |
| 2. | Scroll to the Downloads section, and locate the SNMP MIBs section. |
Once you have downloaded all of the necessary MIB files, you should familiarize yourself with the contents of the enterprise MIBs, for purposes of managing the Access Policy Manager system and troubleshooting Access Policy Manager system events.
Note: To manage a Access Policy Manager system with SNMP, you need to use the standard set of SNMP commands. For information on SNMP commands, consult your favorite third-party SNMP documentation, or visit the web site http://net-snmp.sourceforge.net.
These MIB files contain information that you can use for your remote management station to poll the SNMP agent for Access Policy Manager system-specific information, receive Access Policy Manager system-specific notifications, or set Access Policy Manager system data.
The F5-BIGIP-COMMON-MIB.txt file is an enterprise MIB file that contains objects pertaining to any common information, as well as the F5-specific SNMP traps.
All F5-specific traps are contained within this MIB file. You can identify the traps within this MIB file by viewing the file and finding object names that show the designation NOTIFICATION-TYPE.
When an F5-specific trap sends a notification to the SNMP manager system, the SNMP manager system receives a text message describing the event or problem that has occurred.
To see all available MIB objects in this MIB file, you can view the F5-BIGIP-COMMON-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.
The F5-BIGIP-LOCAL-MIB.txt file is an enterprise MIB file that contains information that an SNMP manager system can access for the purpose of managing local application traffic. For example, you can:
| Get profile information such as the total number of concurrent authentication sessions. |
In general, you can use this MIB file to get information on any local traffic manager object (virtual servers, pools, nodes, profiles, SNATs, health monitors, and iRules). You can also reset statistics for any of these objects.
To see all available enterprise MIB objects for local traffic manager, you can view the F5-BIGIP-LOCAL-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.
The F5-BIGIP-SYSTEM-MIB.txt file is an enterprise MIB file that describes objects representing common system information. Examples of information in this MIB file are global statistic data, network information, and platform information. Some of the data in this MIB file is similar to that defined in MIB-II, but is not exactly the same.
Table 13.2 shows standard MIB-II objects and the F5-specific objects that approximately correspond to them.
To see all available enterprise MIB system objects, you can view the F5-BIGIP-SYSTEM-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.
One of the MIB files that the Access Policy Manager system provides is the Remote network Monitoring (RMON) MIB file, RMON-MIB.txt. This file is the standard RMON MIB file. However, the implementation of RMON on the Access Policy Manager system differs slightly from the standard RMON implementation, in these ways:
| The Access Policy Manager system implementation of RMON supports four of the nine RMON groups. The four supported RMON groups are: statistics, history, alarms, and events. |
| The RMON-MIB.txt file monitors the Access Policy Manager system interfaces (that is, sysIfIndex), and not the standard Linux interfaces. |
| For hardware reasons, the packet-length-specific statistics in the RMON statistics group offer combined transmission and receiving statistics only. This behavior differs from the behavior described in the definitions of the corresponding object IDs. |
To understand how RMON operates for a Access Policy Manager system, you can view the RMON-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.
As mentioned earlier, this MIB file contains specific information associated with viewing and accessing access profile and secure connectivity statistics.
For a list of the type of objects used to view both access policy and secure connectivity statistics, refer to Chapter 11, Logging and Reporting.
The Configuration utility on the Access Policy Manager system displays graphs showing performance metrics for the system. However, you can also use SNMP to collect the same information.
Each type of metric has one or more SNMP object IDs (OIDs) associated with it. To gather performance data, you specify these OIDs with the appropriate SNMP command.
For example, the following SNMP command collects data on current memory use, where public is the community name and bigip is the host name of the Access Policy Manager system:
For some types of metrics, such as memory use, simply issuing an SNMP command with an OID gives you the information you need. For other types of metrics, the data that you collect with SNMP is not useful until you perform a calculation on it.
For example, to determine the throughput rate of client bits coming into the Access Policy Manager system, you must perform the following calculation on the data that you collect with the OID shown:
This calculation takes the data resulting from specifying the OID sysStatClientBytesIn, multiplies the value by 8, and divides it by the elapsed time.
Note: If an OID that is listed in any of the following sections does not show a calculation, then no calculation is required.
You can use an SNMP command with OIDs to gather data on the number of megabytes of memory currently being used on the Access Policy Manager system. Table 13.3 shows the OIDs that you need to specify to gather data on the current memory use. To collect memory use data, you do not need to perform a calculation on the collected data.
| Performance Graph (Configuration utility) | ||
You can use SNMP commands with various OIDs to gather data on the number of active connections on the Access Policy Manager system. Table 13.4 shows the OIDs that you need to specify to gather data on active connections. In this case, you do not need to perform any calculations on the collected data.
| Performance Graph (Configuration utility) | ||
| Active Connections (summary graph | ||
| Active Connections (detailed graph) | ||
You can use SNMP commands with various OIDs to gather data on the number of new connections on the Access Policy Manager system. Table 13.5 shows the OIDs that you need to specify to gather data on new connections, along with the calculations that you must perform on the collected data.
| Performance Graph (Configuration utility) | ||
| New Connections (summary graph) | ||
| Total New Connections (detailed graph) | ||
| New PVA Connections (detailed graph) | ||
| New SSL Connections (detailed graph) | ( sysClientsslStatTotNativeConns (.1.3.6.1.4.1.3375.2.1.1.2.9.6) + sysClientsslStatTotCompatConns (.1.3.6.1.4.1.3375.2.1.1.2.9.9) ) / time | |
| ( sysServersslStatTotNativeConns (.1.3.6.1.4.1.3375.2.1.1.2.10.6) + sysServersslStatTotCompatConns (.1.3.6.1.4.1.3375.2.1.1.2.10.9) ) / time | ||
| New Accepts/Connects (detailed graph) | ||
You can use SNMP commands with various OIDs to gather data on the throughput rate on the Access Policy Manager system, in terms of bits per second. Table 13.6 shows the OIDs that you need to specify to gather data on throughput rate, along with the calculations that you must perform on the collected data.
| Performance Graph (Configuration utility) | ||
| Throughput (summary graph) | ( (sysStatClientBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.3) + sysStatClientBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.5) )*8 ) / time | |
| ( (sysStatServerBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.10) + sysStatServerBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.12) )*8 /) time | ||
| Throughput (detailed graph) | ||
You can use SNMP commands with various OIDs to gather data on the number of current HTTP requests on the Access Policy Manager system, in terms of requests per second. Table 13.7 shows the OID that you need to specify to gather data on HTTP requests, along with the calculations that you must perform on the collected data.
| Performance Graph (Configuration utility) | ||
You can use an SNMP command with various OIDs to gather data on RAM cache utilization. Table 13.8 shows the OIDs that you need to specify to gather this data.
| Performance Graph (Configuration utility) | ||
| sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) / (sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) + sysHttpStatRamcacheMisses (.1.3.6.1.4.1.3375.2.1.1.2.4.47) ) *100 | ||
| sysHttpStatRamcacheHitBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.49) / (sysHttpStatRamcacheHitBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.49) + sysHttpStatRamcacheMissBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.50) ) *100 | ||
| sysHttpStatRamcacheEvictions (.1.3.6.1.4.1.3375.2.1.1.2.4.54) / (sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) + sysHttpStatRamcacheMisses (.1.3.6.1.4.1.3375.2.1.1.2.4.47)) *100 |
You can use SNMP commands with various OIDs to gather data on CPU use on the Access Policy Manager system. Specifically, you can gather data for two different graph metrics: TMM CPU Usage and CPU[0-n].
To gather the data for each of these metrics, you must perform some polling and calculations. First, for each metric type (for example, sysStatTmTotalCycles), you must perform two separate polls, at ten-second intervals. Then, you must calculate the delta of the two polls. Finally, you must use these delta values to perform the calculation shown in Table 13.9. The two sections following the table contain the specific procedures you use to calculate metrics for TMM CPU Usage and CPU[0-n] metric types.
| Performance Graph (Configuration utility) | ||
| (DeltaCpuUser + DeltaCpuNice + DeltaCpuSystem) / (DeltaCpuUser + DeltaCpuNice + Delta CpuIdle + DeltaCpuSystem + DeltaCpuIrq + DeltaCpuSoftirq + DeltaCpuIowait) | ||
| (DeltaTmTotalCycles - (DeltaTmIdleCycles + DeltaTmSleepCycles) / DeltaTmTotalCycles) *100 |
Note: For each OID, perform the polls approximately ten seconds apart.
| 2. | For each OID, calculate the delta of the values from the two polls, as shown in the following formulas. Note that in the formulas shown, values such as sysHostCpuUser2 and sysHostCpuUser1 represent the values that result from the two polls you performed in step 1 for that OID. |
DeltaCpuSoftirq = sysHostCpuSoftirq2 - sysHostCpuSoftirq1
| 3. | Using the resulting delta values (for example, DeltaCpuUser), calculate the CPU[0-n] metric, according to the formula shown in table 13.9. |
Note: For each OID, perform the polls approximately ten seconds apart.
| 2. | For each OID, calculate the delta of the values from the two polls, as shown in the following example. Note that in the formula shown, values such as sysStatTmTotalCycles2 and sysStatTmTotalCycles1 represent the values that result from the two polls you performed in step 1 for each OID. |
DeltaTmTotalCycles = sysStatTmTotalCycles2 - sysStatTmTotalCycles1
DeltaTmIdleCycles = sysStatTmIdleCycles2 - sysStatTmIdleCycles1
DeltaTmSleepCycles = sysStatTmSleepCycles2 - sysStatTmSleepCycles1
| 3. | Using the resulting delta values (for example, DeltaTmTotalCycles), calculate the TMM CPU Usage metric, according to the formula shown in table 13.9. |
You can use SNMP commands with an OID to gather data on active sessions. Table 13.11 shows the OID that you need to specify to gather data on active sessions.
| Performance Graph (Configuration utility) | ||
| apmAccessStatCurrentActiveSessions (.1.3.6.1.4.1.3375.2.6.1.4.3) |
You can use SNMP commands with an OID to gather data on SSL performance, in terms of transactions per second. Table 13.11 shows the OID that you need to specify to gather data on SSL TPS, along with the calculation that you must perform on the collected data.
| Performance Graph (Configuration utility) | ||
You can use the following additional SNMP commands to view various statistics, including conducting a simple SNMP walk.
