Simple Network Management Protocol (SNMP)

This chapter describes how to enable SNMP to monitor and manage your network.

The following topics are covered:

     SNMP Support on the ACOS Device

     SNMP Views and Community Strings

     Configure SNMP Groups

     Configure AES or DES Encryption for SNMPv3 Users

     Enable SNMP Traps

     Configure SNMP

     Configure the Source Interface for SNMP Notifications

     SNMP MIB Information

SNMP Support on the ACOS Device

ACOS devices support the following SNMP versions: v1, v2c, v3. SNMP is disabled by default.

You can configure the ACOS device to send SNMP traps to the Syslog and to external trap receivers. You also can configure read (GET) access to SNMP Management Information Base (MIB) objects on the ACOS device by external SNMP managers.

NOTE: SNMP access to the ACOS device is read-only. SET operations (write access) are not supported.

The following list of items clarifies the current implementation of SNMP:

     Limit the number of SNMP polling requests to two or three instances. Several concurrent “snmpwalk” requests will result in delays, unfinished requests, timeouts, or error messages.

     Certain SNMP objects, such as the “CPU Per Partition” value, might not work in the current release.

     Since the ACOS device generates the SNMP community string for private partitions, you are not allowed to configure or change the community string.

     The SNMP process may consume 100% of the Control CPU cycles.

SNMP Views and Community Strings

You can allow external SNMP managers to access the values of MIB objects from the ACOS device. To allow remote read-only access to ACOS MIB objects, configure one or both of the following types of access:

     SNMP Views

     SNMP Community Strings

SNMP Views

An SNMP view is like a filter that permits or denies access to a specific OID or portions of an OID. You can configure SNMP user groups and individual SNMP users, and allow or disallow them to read specific portions of the ACOS MIBs using different views.

When you configure an SNMP user group or user, you specify the SNMP version. SNMP v1 and v2c do not support authentication or encryption of SNMP packets. SNMPv3 does. You can enable authentication, encryption, or both, on an individual SNMP user-group basis when you configure the groups. You can specify the authentication method and the password for individual SNMP users when you configure the users.

Use the GUI to Configure SNMP Views

To configure an SNMP view using the GUI:

1.     Hover over System in the menu bar, then select Monitoring.

2.     Select SNMP, then select SNMP Views from the drop-down menu.

3.     Click Create.

4.     Enter a name for the view in the Viewname field.

5.     Enter the MIB view family name or OID in the Oid field, then specify whether this OID should be included or excluded in the view.

6.     Click Create.

Use the CLI to Configure SNMP Views

Use the snmp-server view command to configure an SNMP view from the CLI. The following example creates a view called “exampleview” which includes OID 1.2.3:

ACOS(config)# snmp-server view exampleview 1.2.3 included

 

 

SNMP Community Strings

An SNMP community string is a string that an SNMP manager can present to the ACOS device when requesting MIB values.

Community strings are similar to passwords. You can minimize security risk by applying the same principles to selecting a community name as you would to selecting a password. Use a hard-to-guess string and avoid commonly used community names such as “public” or “private”.

You also can restrict access to specific Object IDs (OIDs) within the MIB, on an individual community basis. OIDs indicate the position of a set of MIB objects in the global MIB tree. The OID for A10 Networks Thunder Series objects is 1.3.6.1.4.1.22610.

Use the GUI to Configure an SNMP Community String

To configure an SNMP community string using the GUI:

1.     Hover over System, then select Monitoring.

2.     Select the SNMP tab, then select SNMP from the drop-down menu.

3.     Enter the community string in the Community Read field, then click Add.

4.     Click Configure SNMP.

Use the CLI to Configure an SNMP Community String

This section contains the following examples:

     CLI Example—Configure a Community String for SNMPv1 or SNMPv2c Users

     CLI Example—Configure a Community String for SNMPv3 Users

     CLI Example—Restrict Access to Specific Remote Hosts

     CLI Example—Restrict Access to Specific OIDs

CLI Example—Configure a Community String for SNMPv1 or SNMPv2c Users

The following example shows how to configure an SNMP community string using the CLI for SNMPv1 or SNMPv2c users:

ACOS(config)# snmp-server SNMPv1-v2c user u1

ACOS(config-user:u1)# community read examplestring

ACOS(config-user:u1)# show running-config | sec snmp

snmp-server enable service

snmp-server enable traps all

snmp-server SNMPv1-v2c user u1

 community read encrypted mGXzd9xrcGiMBaDQuY/jnDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn

snmp-server host 10.6.7.22 version v2c public

 

Note that the community string is encrypted in the show running-config output for security purposes. Each SNMP v1-v2c user has a community string. You can change the value of this string by using the community read command and entering a new community string.

The user name u1 is a system-specific name and cannot be used to retrieve any SNMP data. Instead, the encrypted community string configured under this user should be used to retrieve data. This community string can also be used by any remote host to access the ACOS device, assuming there are no access restrictions configured.
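As an added defender-side example (not code from the ACOS documentation), the following Python audits the text of a show running-config | sec snmp section like the one above for settings worth a second look: community strings stored in clear text or set to a well-known default, SNMPv3 users configured without privacy or with MD5/DES, and SNMPv1/v2c trap receivers, which carry no authentication or encryption. The sample configuration inside the block is constructed from the page's output with extra lines added to exercise each check; the user names u2 and authonly, the receiver 10.6.7.23 and the shortened encrypted values are invented.

```python
"""Added example, not ACOS code: audit an snmp running-config section for weak settings."""
import re

# Defaults every scanner tries first; the page itself names these two.
WEAK_COMMUNITIES = {"public", "private"}

# Constructed sample modelled on the page's "show running-config | sec snmp" output.
# u2, authonly and 10.6.7.23 are invented to exercise the checks; ACOS itself shows
# community strings encrypted, so the clear-text u2 line is a deliberate test case.
SAMPLE_CONFIG = """\
snmp-server enable service
snmp-server enable traps all
snmp-server SNMPv1-v2c user u1
 community read encrypted mGXzd9xrcGiMBaDQuY/jnDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
snmp-server SNMPv1-v2c user u2
 community read public
snmp-server view exampleview 1.2.3 included
snmp-server group examplegroup v3 auth read exampleview
snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 encrypted IrrqRoL9DI2H priv aes encrypted 6D2AC0vBjbGH
snmp-server SNMPv3 user authonly group examplegroup v3 auth sha encrypted 5zwQjLjV2wDn
snmp-server host 10.6.7.22 version v2c public
snmp-server host 10.6.7.23 version v2c monitoring-nms-7f3k
"""

HOST_LINE = re.compile(r"snmp-server host (\S+) version (v1|v2c) (\S+)")


def audit_snmp_config(config: str) -> list[tuple[str, str]]:
    """Return (subject, finding-code) pairs; an empty list means nothing was flagged."""
    findings: list[tuple[str, str]] = []
    user = None  # SNMPv1-v2c user whose indented sub-commands follow
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if raw.startswith(" ") and tokens[:2] == ["community", "read"] and user and len(tokens) > 2:
            # Sub-command of the current v1/v2c user: "community read [encrypted] <value>".
            if tokens[2] != "encrypted":
                findings.append((user, "community-clear-text"))
                if tokens[2].lower() in WEAK_COMMUNITIES:
                    findings.append((user, "default-community"))
            continue
        if tokens[:3] == ["snmp-server", "SNMPv1-v2c", "user"]:
            user = tokens[3]
            continue
        user = None  # any other top-level command ends the user block
        if tokens[:3] == ["snmp-server", "SNMPv3", "user"]:
            name = tokens[3]
            opts = tokens[tokens.index("v3") + 1:] if "v3" in tokens else []
            if "auth" not in opts:
                findings.append((name, "no-authentication"))
            elif "md5" in opts:
                findings.append((name, "md5-authentication"))
            if "priv" not in opts:
                findings.append((name, "no-privacy"))      # authNoPriv: payload readable on the wire
            elif "des" in opts:
                findings.append((name, "des-privacy"))
            continue
        m = HOST_LINE.match(raw.strip())
        if m:
            host, version, community = m.groups()
            findings.append((host, f"{version}-unauthenticated-traps"))
            if community.lower() in WEAK_COMMUNITIES:
                findings.append((host, "default-community"))
    return findings


if __name__ == "__main__":
    for subject, code in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{subject:<14} {code}")
```

Running the block on the sample flags u2 twice, exampleuser for MD5, authonly for the missing priv setting, and both v2c receivers, 10.6.7.22 additionally for the community “public”; u1 produces no finding because its community is stored encrypted and is not a known default.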

CLI Example—Configure a Community String for SNMPv3 Users

The following example shows how to configure an SNMP community string for SNMPv3 users. An SNMP view and group must be configured prior to configuring the SNMPv3 user.

ACOS(config)# snmp-server view exampleview 1.2.3 included

ACOS(config)# snmp-server group examplegroup v3 auth read exampleview

ACOS(config)# snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 examplepassword1 priv aes examplepassword2

ACOS(config)# show running-config | sec snmp

snmp-server enable service

snmp-server enable traps all

snmp-server view exampleview 1.2.3 included

snmp-server group examplegroup v3 auth read exampleview

snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 encrypted IrrqRoL9DI2HGP3wipS0lDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn priv aes encrypted 6D2AC0vBjbGHGP3wipS0lLD/mjXR6wFMPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn

snmp-server host 10.6.7.22 version v2c public

 

CLI Example—Restrict Access to Specific Remote Hosts

The following example shows how to restrict access to allow only specific remote hosts to access SNMP data. From the SNMP v1-v2c user configuration level specify which remote hosts are allowed to access the ACOS device using the community string:

ACOS(config-user:u1)# remote 192.168.20.1 /24

ACOS(config-user:u1)# remote 192.168.30.1 /24

 

CLI Example—Restrict Access to Specific OIDs

The following example shows how to restrict access so that only a specific OID (1.2.3) can be accessed by the specified hosts (subnets 192.168.30.x and 192.168.40.x). From the SNMPv1-v2c user configuration level:

ACOS(config-user:u1)# oid 1.2.3

ACOS(config-user:u1-oid:1.2.3)# remote 192.168.40.1 255.255.255.0

ACOS(config-user:u1-oid:1.2.3)# remote 192.168.50.1 255.255.255.0
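The view, community and remote-host restrictions shown above combine into one access decision per request. The following Python is an added example, not ACOS code, that models that decision: an SNMP view as a set of included/excluded subtrees where the most specific match wins, a community user with optional user-wide remote subnets and optional per-OID remote subnets, and a decide() function returning "ok" or the reason for refusal. How ACOS itself combines user-wide and OID-scoped remote entries is not spelled out on the page; the semantics used here (a user-wide entry grants the whole view, an OID-scoped entry grants that subtree only, and no entries at all means any host) are a modelling assumption. The excluded subtree 1.2.3.4 and the second included subtree (the A10 enterprise OID from this chapter) are constructed additions to the page's exampleview.

```python
"""Added example, not ACOS code: models how an SNMP view and the per-user `remote` and
`oid ... remote` restrictions decide whether a v1/v2c GET for an OID is served."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

Oid = tuple[int, ...]


def parse_oid(oid: str) -> Oid:
    """"1.3.6.1.4.1.22610" -> (1, 3, 6, 1, 4, 1, 22610)."""
    return tuple(int(arc) for arc in oid.strip(".").split("."))


def oid_under(oid: Oid, subtree: Oid) -> bool:
    """True when `oid` equals `subtree` or lies beneath it."""
    return oid[: len(subtree)] == subtree


@dataclass
class View:
    """(subtree, included) entries; the most specific matching entry decides, so an
    excluded child can carve a hole out of an included parent."""
    name: str
    entries: list[tuple[Oid, bool]] = field(default_factory=list)

    def add(self, subtree: str, included: bool) -> None:
        self.entries.append((parse_oid(subtree), included))

    def permits(self, oid: str) -> bool:
        target = parse_oid(oid)
        matches = [(sub, inc) for sub, inc in self.entries if oid_under(target, sub)]
        if not matches:
            return False                      # nothing covers the OID: outside the view
        return max(matches, key=lambda m: len(m[0]))[1]


@dataclass
class CommunityUser:
    """A v1/v2c user. Modelling assumption (not ACOS documentation): a host in a user-wide
    `remote` subnet may read the whole view, a host listed only under an `oid` may read that
    subtree alone, and with no remote entries at all any host may use the community."""
    community: str
    view: View
    remotes: list[ipaddress.IPv4Network] = field(default_factory=list)
    oid_remotes: dict[Oid, list[ipaddress.IPv4Network]] = field(default_factory=dict)

    def allow_remote(self, network: str) -> None:
        self.remotes.append(ipaddress.ip_network(network, strict=False))

    def allow_remote_for_oid(self, oid: str, network: str) -> None:
        self.oid_remotes.setdefault(parse_oid(oid), []).append(
            ipaddress.ip_network(network, strict=False))

    def decide(self, community: str, source: str, oid: str) -> str:
        """Return "ok" or the reason the request is refused."""
        if community != self.community:
            return "bad-community"
        if not self.view.permits(oid):
            return "oid-not-in-view"
        if not self.remotes and not self.oid_remotes:
            return "ok"                       # no host restriction configured
        src, target = ipaddress.ip_address(source), parse_oid(oid)
        if any(src in net for net in self.remotes):
            return "ok"
        for subtree, nets in self.oid_remotes.items():
            if oid_under(target, subtree) and any(src in net for net in nets):
                return "ok"
        return "source-not-permitted"


def build_example() -> CommunityUser:
    """The page's exampleview / u1 / examplestring setup, plus a constructed exclusion
    and a second included subtree (the A10 enterprise OID) to show the scoping."""
    view = View("exampleview")
    view.add("1.2.3", True)
    view.add("1.2.3.4", False)                # constructed: hole inside the included subtree
    view.add("1.3.6.1.4.1.22610", True)       # constructed: second subtree in the view
    user = CommunityUser("examplestring", view)
    user.allow_remote("192.168.20.1/24")
    user.allow_remote("192.168.30.1/24")
    user.allow_remote_for_oid("1.2.3", "192.168.40.1/24")
    user.allow_remote_for_oid("1.2.3", "192.168.50.1/24")
    return user


if __name__ == "__main__":
    u = build_example()
    for src, oid in [("192.168.20.7", "1.2.3.5"), ("192.168.40.9", "1.2.3.5"),
                     ("192.168.40.9", "1.3.6.1.4.1.22610.1"), ("10.0.0.1", "1.2.3.5")]:
        print(f"{src:>14} {oid:<22} {u.decide('examplestring', src, oid)}")
```

With this model a host in 192.168.40.0/24 reads 1.2.3.5 but is refused 1.3.6.1.4.1.22610.1, a host in 192.168.20.0/24 reads both, a host outside every listed subnet is refused everything, and 1.2.3.4.1 is refused to everyone because the excluded child entry is the most specific match.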

 

Configure SNMP Groups

SNMP users can be organized into groups, which can be configured to allow or disallow users access to read specific SNMP views.

Use the GUI to Configure SNMP Groups

To configure an SNMP group using the GUI:

1.     Hover over System in the menu bar, then select Monitoring.

2.     Select SNMP, then select SNMP Groups from the drop-down menu.

3.     Click Create.

4.     Enter a name for the group in the Groupname field.

5.     Select the desired SNMPv3 packet authentication level.

6.     Select a read-only view for accessing MIB objects.

7.     Click Create.

Use the CLI to Configure SNMP Groups

Use the snmp-server group command to configure an SNMP group from the CLI. The following example creates a group called “examplegroup”:

ACOS(config)# snmp-server group examplegroup v3 priv read exampleview

 

 

Configure AES or DES Encryption for SNMPv3 Users

Advanced Encryption Standard (AES) or Data Encryption Standard (DES) encryption can be added at the SNMP “user” level. This feature extends overall security with support for SNMPv3 notifications (traps). SNMPv3 traps are authenticated and encrypted, using the same options already supported for SNMPv3 in previous releases.

     Authentication is performed by using the user’s authentication key to sign the message being sent. This can be done using either MD5 or SHA; the authentication key is derived from the specified password using the selected algorithm.

     Encryption is performed by using the user’s privacy key to encrypt the data portion of the message being sent. This can be done using either AES or DES; the privacy key is derived from the specified password using the selected method.

NOTE: After changing the encryption for an SNMP user, SNMP must be restarted in order to reload the configuration. The SNMP service will take some time to become available again.
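The key derivation behind the auth and priv settings is standardized in RFC 3414 (USM), which the RFC table at the end of this chapter lists as supported. The following Python is an added example, not ACOS code, showing that derivation: the password is stretched to 1 MiB and hashed with MD5 or SHA to produce Ku, which is then localized to the agent's snmpEngineID, so the same password yields a different key on every device. The privacy key uses the same construction with the priv password; DES (RFC 3414) and AES-128 (RFC 3826) both take the first 16 octets of it. The engine ID constant and the maplesyrup vectors in the test come from RFC 3414 appendix A.3; examplepassword1 and examplepassword2 are the page's own sample strings, and whether ACOS derives its stored keys exactly this way is not stated on the page.

```python
"""Added example, not ACOS code: RFC 3414 password-to-key and key localization for SNMPv3 USM."""
import hashlib

ONE_MIB = 1_048_576                    # RFC 3414 A.2: the password is stretched to 1,048,576 octets
HASH_FOR_AUTH = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku: digest of the password repeated cyclically until exactly 1 MiB has been hashed."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    stretched = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Binding the key to one agent means a key
    recovered from one device does not expose the password or other agents' keys."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_proto: str, auth_password: str, priv_password: str,
             engine_id: bytes) -> tuple[bytes, bytes]:
    """Return (authentication key, privacy key) for one agent.
    The privacy key is derived with the authentication protocol's hash; DES (RFC 3414)
    and AES-128 (RFC 3826) both use the first 16 octets of the localized result."""
    h = HASH_FOR_AUTH[auth_proto]
    auth_key = localize_key(password_to_key(auth_password, h), engine_id, h)
    priv_key = localize_key(password_to_key(priv_password, h), engine_id, h)[:16]
    return auth_key, priv_key


# snmpEngineID used by the RFC 3414 appendix A.3 test vectors (from the RFC, not the page).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    # The page's sample passwords run through the derivation for an assumed engine ID.
    auth, priv = usm_keys("md5", "examplepassword1", "examplepassword2", RFC3414_ENGINE_ID)
    print("auth key (MD5, 16 octets):", auth.hex())
    print("priv key (AES-128, 16 octets):", priv.hex())
```

The localization step is also why the page's note about restarting SNMP after a change matters operationally: the agent must recompute every user's Kul from the stored material before it can authenticate or decrypt incoming requests again.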

Use the GUI to Configure Encryption for SNMPv3 Users

To configure encryption for SNMPv3 users from the GUI:

1.     Hover over System, then select Monitoring.

2.     Select the SNMP tab, then select SNMP User from the drop-down menu.

3.     Click Create to create a new user.

4.     Specify the user name and group.

5.     In the Authentication field, select the Enable checkbox.

This displays the authentication options for the SNMP user configuration.


a.     Specify the authentication algorithm you want to use (MD5 or SHA) and password.

b.     Specify the Encryption type (DES or AES) and encryption passphrase.

6.     Click Create.

 

Use the CLI to Configure Encryption for SNMPv3 Users

To add encryption at the snmp “user” level, use the snmp-server command at the global config level.

The following example shows how to configure an SNMPv3 user “exampleuser”, who is a member in “examplegroup”, which is part of “exampleview”:

ACOS(config)# snmp-server view exampleview 1.2.3 included

ACOS(config)# snmp-server group examplegroup v3 auth read exampleview

ACOS(config)# snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 examplepassword1 priv aes examplepassword2

 

The auth md5 examplepassword1 portion of the command generates the user’s authentication key from the string “examplepassword1” using MD5. The priv aes examplepassword2 portion of the command generates the privacy key from the string “examplepassword2” and uses it to encrypt the message with AES.

More information about the snmp-server command can be found in the Command Line Interface Reference.

Enable SNMP Traps

In order to start receiving SNMP traps, you must enable SNMP traps on a configured SNMP server. You can enable any of the individual traps, or a category of new SNMP traps. Follow the steps below to enable SNMP traps. All traps are disabled by default.

For more information about SNMP CLI commands used for enabling SNMP traps, along with a list of available traps, see the Command Line Interface Reference.

For information about configuring SNMP traps on L3V partitions, see the Configuring Application Delivery Partitions guide.

Take note of the following:

     In order to begin receiving ssl-cert-expire SNMP traps, you must enable email notification of SSL certificate expiration. To do so, use the logging email-address command from the global configuration level in the CLI. For more information, refer to the Command Line Interface Reference.

     In order to begin receiving resource-usage-warning SNMP traps, you must set resource utilization thresholds for partitions.

     If you have a DNS anycast configuration, all ports of a given virtual server must be down before an SNMP trap will be sent.

Use the GUI to Enable SNMP Traps

To enable SNMP traps:

1.     Hover over System in the navigation bar, and select Monitoring.

2.     Click SNMP on the menu bar, and then select SNMP from the drop-down menu that appears.

3.     Click Trap List to display the traps you can add, sorted by category.

4.     Select the checkbox next to any SNMP traps you want to enable.

5.     Click Configure SNMP to save your changes.

Use the CLI to Enable SNMP Traps

The snmp-server enable traps command allows you to enable SNMP traps.

The following CLI command enables SNMP traps for all SLB events. Note that using the ? allows you to see all SNMP traps within the category before activating that category.

ACOS(config)# snmp enable traps slb ?

  all                       Enable all SLB traps

 application-buffer-limit  Enable application buffer reach limit trap

 server-conn-limit         Enable SLB server connection limit trap

 server-conn-resume        Enable SLB server connection resume trap

 server-down               Enable SLB server-down trap

 server-selection-failure  Enable SLB server selection failure trap

 server-up                 Enable slb server up trap

 service-conn-limit        Enable SLB service connection limit trap

 service-conn-resume       Enable SLB service connection resume trap

 service-down              Enable SLB service-down trap

 service-up                Enable SLB service-up trap

 vip-connlimit             Enable the virtual server reach conn-limit trap

 vip-connratelimit         Enable the virtual server reach conn-rate-limit trap

 vip-down                  Enable SLB virtual server down trap

 vip-port-connlimit        Enable the virtual port reach conn-limit trap

 vip-port-connratelimit    Enable the virtual port reach conn-rate-limit trap

 vip-port-down             Enable SLB virtual port down trap

 vip-port-up               Enable SLB virtual port up trap

 vip-up                    Enable SLB virtual server up trap

ACOS(config)# snmp enable traps slb

 

The following CLI command enables SNMP traps for all SLB changes. An SNMP trap will be sent whenever a change has been made to the SLB configuration. This includes the creation or deletion of virtual or real servers or ports, and changes to SSL certificates or their approaching expiration.

ACOS(config)# snmp enable traps slb-change

 

The following CLI commands only enable SNMP traps for the creation or removal of virtual and real servers and ports.

ACOS(config)# snmp enable traps slb-change server

ACOS(config)# snmp enable traps slb-change server-port

ACOS(config)# snmp enable traps slb-change vip

ACOS(config)# snmp enable traps slb-change vip-port

 

Disable SNMP Traps for L3V Partitions

ACOS allows you to enable SNMP traps on shared partitions. The ACOS device can disable traps on L3V partitions while the SNMP traps are still enabled on shared partitions. The default behavior is for both shared and L3V partition traps to be sent out when SNMP traps are enabled on shared partitions.

NOTE: GSLB group traps are not partition aware, so they cannot be controlled using the snmp-server disable traps gslb command.

To disable SNMP traps on L3V partitions, use the CLI and make sure that you are in the configuration level for an L3V partition.

The example below switches to the private partition named “pl3v,” then disables network and LLDP traps on this partition:

ACOS(config)# active-partition pl3v

ACOS[pl3v](config)# snmp-server disable traps network

ACOS[pl3v](config)# snmp-server disable traps LLDP

Configure SNMP

By default, SNMP service is disabled for all data interfaces. See “Default Management Access Settings” in the Management Access and Security Guide for more information.

To configure SNMP:

1.     If desired, configure location and contact information.

2.     If desired, configure external SNMP trap receivers.

3.     If desired, configure one or more read-only communities.

4.     If desired, configure views, groups, and users.

5.     Enable the SNMP agent and SNMP traps.

6.     Save the configuration changes.

You are not required to perform these configuration tasks in precisely this order. The workflow in the GUI is slightly different from the workflow shown here.

Use the GUI to Configure SNMP

To configure basic SNMP parameters:

1.     Hover over System in the navigation bar, and select Monitoring.

2.     Click SNMP on the menu bar, then select SNMP from the drop-down list.

3.     Configure general SNMP settings, including the system information, Engine ID, and trap host, in the General Fields section. Refer to the GUI online help for detailed information about each field.

4.     Configure SNMP trap settings by clicking and expanding the Trap List section, then selecting the traps you want to monitor.

5.     Click Create SNMP Server when you are finished making your selections.

Use the CLI to Configure SNMP

All SNMP configuration commands are available at the global configuration level of the CLI.

1.     To configure location information, use the snmp-server location command:

ACOS(config)# snmp-server location example-location

 

2.     To configure contact information, use the snmp-server contact command:

ACOS(config)# snmp-server contact example-contact

 

3.     To configure external SNMP trap receivers, use the snmp-server host command:

ACOS(config)# snmp-server host example-trap-host

 

4.     To configure one or more read-only communities, use the following command:

ACOS(config)# snmp-server community read example-community-string

 

5.     To configure an SNMP view, use the following command:

ACOS(config)# snmp-server view example-view-name example-oid included

 

6.     To configure an SNMP group, specify the group name and security level. For example:

ACOS(config)# snmp-server group example-group-name v3 auth read example-read-view-name

 

7.     To configure an SNMP user, specify the user name, group name, and authentication method. For example:

ACOS(config)# snmp-server user example-user group example-group v3 auth md5 example-password

 

8.     To enable the SNMP agent and SNMP traps, use the snmp-server enable traps command. For example, to enable all SNMP traps:

ACOS(config)# snmp-server enable traps all

 

For more information about these commands and other SNMP-related commands, refer to the Command Line Interface Reference.

Be sure to use the write memory command to save any configuration changes.

Configure the Source Interface for SNMP Notifications

The current release extends SNMP support by allowing you to specify a data interface to use as the source interface for SNMP traps.

While previous releases sent SNMP traps from the management port of the ACOS device, the SNMP Trap Source feature allows you to select a data interface from which to send the traps.

By default, the management interface is the source interface for SNMP traps.

Details:

     This feature does not support IPv6.

     This feature supports SNMPv1 but not SNMPv2c or SNMPv3.

The interface can be any of the following types:

     Ethernet

     VLAN / VE

     Loopback

When the ACOS device sends an SNMP trap from the data interface you specify, the “agent-address” in the SNMP trap is the data interface’s IP address.

Use the GUI to Configure the SNMP Source Interface

To configure an Ethernet interface as the source for SNMP traps:

1.     Hover over Network in the navigation bar and select Interface.

2.     On the menu bar, click LAN.

3.     Click Edit in the Actions column for the Ethernet interface.

4.     Select the checkbox next to Trap Source in the General Fields section.

5.     Click Update.

Use the CLI to Configure the SNMP Source Interface

The following command attempts to set a loopback interface as the SNMP trap source. However, the feature has already been enabled on Ethernet port 1, and only one interface can be enabled for SNMP traps, so this example shows that the existing trap source will be overwritten with the new one:

ACOS(config)# interface loopback 1

ACOS(config-if:loopback:1)# snmp-server trap-source

The trap source already exists for interface eth1. Do you want to overwrite? [yes/no]:yes

ACOS(config-if:loopback:1)#

 

SNMP MIB Information

This section contains the following:

     Downloading the MIBs

     AX MIB Groups

     AX MIB Files

     MIB Access

     SNMP RFCs supported

     Note Regarding ifIndex Table Support

 

Downloading the MIBs

The MIB files are available for download through the GUI:

1.     Hover over System on the menu bar, then select Monitoring.

2.     Click on the SNMP tab, then select SNMP MIB Download from the drop-down menu.

3.     Select a target location for the MIB archive file, then click Save.

AX MIB Groups

The AX MIB consists of the groups described in TABLE 2:

TABLE 2       AX MIB Groups

Group         Description
axSystem      Provides system-level information about the ACOS device, such as the installed software versions, the serial number, and current CPU utilization.
axLogging     Provides configuration information about system logging.
axApp         Provides configuration and operational information for ACOS device features.

AX MIB Files

The AX MIB consists of the files listed in TABLE 3:

TABLE 3       AX MIB Files

File                            Description
A10-COMMON-MIB.txt              Contains common MIB definitions for A10 Networks®, including the A10 enterprise object identifier (OID) and the OIDs for all A10 products.
A10-AX-MIB.txt                  Contains ACOS device MIB definitions, including the SNMP notification node.
A10-AX-CGN-MIB.txt              Contains MIB definitions for CGN-related objects.
A10-AX-CGN-NOTIF-V2C.txt        Contains SNMPv2c trap definitions for CGN-related objects.
A10-AX-CGN-TRAP-V1.txt          Contains SNMPv1 trap definitions for CGN-related objects.
A10-AX-NOTIFICATIONS-V2C.txt    Contains SNMPv2c trap definitions for the ACOS device.
A10-AX-TRAPS-V1.txt             Contains SNMPv1 trap definitions for the ACOS device.

The first three files are required; the other files that should be used depend on your SNMP version (v1 or v2c).

If you are using an SNMPv2c manager, use the following MIB files:

     A10-COMMON-MIB.txt

     A10-AX-MIB.txt

     A10-AX-CGN-MIB.txt

     A10-AX-CGN-NOTIF-V2C.txt

     A10-AX-NOTIFICATIONS-V2C.txt

Or, if you are using an SNMPv1 manager, use the following MIB files:

     A10-COMMON-MIB.txt

     A10-AX-MIB.txt

     A10-AX-CGN-MIB.txt

     A10-AX-CGN-TRAP-V1.txt

     A10-AX-TRAPS-V1.txt

MIB Access

SNMP access to the ACOS device is read-only. You can use SNMP managers to retrieve information using GET or GET NEXT requests. SET requests are not supported.

To enable SNMP traps from the CLI, use the snmp-server enable traps command.

The following example enables system start traps:

ACOS(config)# snmp-server enable traps system start

For more information about the SNMP CLI commands, refer to the Command Line Interface Reference.

SNMP RFCs supported

The ACOS device supports the SNMP-related RFCs described in TABLE 4:

TABLE 4       Supported SNMP-related RFCs

RFC         Description and Notes

RFC 1155    Structure and Identification of Management Information for TCP/IP-based Networks.

RFC 1157    A Simple Network Management Protocol (SNMP).

RFC 1212    Concise MIB Definitions. The MIB SET operation is not supported.

RFC 1213    Management Information Base for Network Management of TCP/IP-based Networks: MIB-II.
            The following system objects are supported:
              sysDescr
              sysObjectID
              sysUpTime
              sysContact
              sysName
              sysLocation
              sysServices
            The sysServices object returns a value that indicates the set of services the ACOS device offers. For the ACOS device, the sysServices object always returns the value 76. This value indicates that the ACOS device offers the following services (for information about how this value is calculated, refer to the RFC):
              datalink/subnetwork – 0x2
              internet – 0x4
              end-to-end – 0x8
              applications – 0x40
            The following interfaces objects in MIB-II are supported:
              ifNumber
              ifTable
            The ipAddrTable in MIB-II is also supported.

RFC 1215    A Convention for Defining Traps for use with the SNMP.

RFC 1850    OSPF Version 2 Management Information Base.

RFC 1901    Introduction to Community-based SNMPv2.

RFC 2233    The Interfaces Group MIB using SMIv2. The ifXTable table is supported.

RFC 2465    Management Information Base for IP Version 6: Textual Conventions and General Group. The ipv6AddrTable on MIB-II is supported.

RFC 2576    Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework.

RFC 2578    Structure of Management Information Version 2 (SMIv2).

RFC 2790    Host Resources MIB. The following subtrees are supported:
              hrSystem: .1.3.6.1.2.1.25.1
              hrStorage: .1.3.6.1.2.1.25.2
              hrDeviceTable: .1.3.6.1.2.1.25.3.2
              hrProcessorTable: .1.3.6.1.2.1.25.3.3

RFC 2863    The Interfaces Group MIB. The following table is supported:
              ifXTable: .1.3.6.1.2.1.31.1.1

RFC 3418    Physical Topology MIB. The following objects are supported:
              lldpV2PortConfigTable
              lldpV2DestAddrTable
              lldpV2LocPortTable
              lldpV2LocManAddrTable
              lldpV2RemTable
              lldpV2RemManAddrTable
              lldpV2LocChassisIdSubtype
              lldpV2LocChassisId
              lldpV2LocSysName
              lldpV2LocSysDesc
              lldpV2LocSysCapSupported
              lldpV2LocSysCapEnabled

RFC 3410    Introduction and Applicability Statements for Internet Standard Management Framework.

RFC 3411    An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks.

RFC 3412    Message Processing and Dispatching for the Simple Network Management Protocol (SNMP).

RFC 3413    Simple Network Management Protocol (SNMP) Applications.

RFC 3414    User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3).

RFC 3415    View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP).

RFC 3416    Version 2 of Protocol Operations for the SNMP.

RFC 3418    MIB for the SNMP.

RFC 3635    Definitions of Managed Objects for the Ethernet-like Interface Types.

RFC 4001    Textual Conventions for Internet Network Addresses. The following values for IP address type are supported:
              0 - Unknown
              1 - IPv4
              2 - IPv6

RFC 4273    Definitions of Managed Objects for BGP-4. The following traps are supported:
              bgpEstablishedNotification
              bgpBackwardTransNotification

RFC 4293    Management Information Base for the Internet Protocol. The following tables are supported:
              Ipv4InterfaceTable
              Ipv6InterfaceTable
              IpAddrTable
              Ipv6AddrTable
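The RFC 1213 sysServices value in the table above is a bit field: each OSI layer L at which the node offers services contributes 2^(L-1), so a manager or monitoring check has to decode the integer rather than compare it to a list. The following Python is an added example, not ACOS code or A10's definition, that implements the RFC 1213 encoding in both directions for any 7-bit value; the layer names are those the RFC assigns, with layers 5 and 6 labelled generically since the RFC gives them no functionality.

```python
"""Added example, not ACOS code: decode and encode the MIB-II sysServices bit field (RFC 1213)."""

# Layer names as RFC 1213 describes them; layers 5 and 6 carry no defined functionality.
RFC1213_LAYER_NAMES = {
    1: "physical",
    2: "datalink/subnetwork",
    3: "internet",
    4: "end-to-end",
    7: "applications",
}


def decode_sys_services(value: int) -> list[str]:
    """Return the service names whose layer bit (2^(L-1)) is set in a sysServices value."""
    if not 0 <= value <= 127:
        raise ValueError("sysServices is a 7-bit value (0..127)")
    return [RFC1213_LAYER_NAMES.get(layer, f"layer {layer}")
            for layer in range(1, 8) if value & (1 << (layer - 1))]


def encode_sys_services(layers) -> int:
    """Inverse: combine OSI layer numbers (1..7) into the sysServices integer."""
    layers = set(layers)
    if not layers <= set(range(1, 8)):
        raise ValueError("layers must be in 1..7")
    return sum(1 << (layer - 1) for layer in layers)


if __name__ == "__main__":
    # The value documented for the ACOS device, decoded per the RFC formula.
    print(76, hex(76), "->", decode_sys_services(76))
```

Under the RFC formula, 76 (0x4C) sets the bits for internet (0x4), end-to-end (0x8) and applications (0x40); a value that also carried the datalink bit 0x2 would read 78. When verifying a device against its documentation, decode the number the agent actually returns and compare the resulting set.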

Note Regarding ifIndex Table Support

The ifInUnknownProtos and ifOutLen objects in the ifIndex table are not implemented on AX interfaces and always return the value 0. Likewise, the ifSpecific object is not present and always returns “0.0”.

 

 
