Configuring SNMP
This article describes how to enable SNMP on a Viptela device.
Enabling SNMP
By default, SNMP is disabled on Viptela devices. To enable it and provide support for SNMP Versions 1, 2, and 3:
Viptela(config)# snmp
Viptela(config-snmp)# no shutdown
Enabling SNMP allows the device to use MIBs, generate traps, and respond to requests from an SNMP walk application.
Configuring an SNMP View
To make SNMP information available to the SNMP server, configure an SNMP view and its corresponding OID subtree:
Viptela(config-snmp)# view string
Viptela(config-snmp)# oid oid-subtree
In the OID subtree, you can use the wildcard * (asterisk) in any position to match any value at that position.
The following example creates a view of the Internet portion of the SNMP MIB:
Viptela(config)# snmp view v2 oid 1.3.6.1
The following example creates a view of the private portion of the Viptela MIB:
Viptela(config)# snmp view viptela-private oid 1.3.6.1.4.1.41916
Configuring Access to an SNMP View
To require authentication privileges to access an SNMP view, configure SNMPv3. To do this, you configure authentication credentials for SNMPv3 users, and you configure groups of SNMP views and the authentication credentials required to access the views.
To configure authentication credentials for an SNMPv3 user, create a user and assign them an authentication level and a privacy level, depending on the authentication type you configure for the SNMP group (with the snmp group command, described below):
Viptela(config)# snmp user username
Viptela(config-user)# auth authentication
Viptela(config-user)# auth-password password
Viptela(config-user)# priv privacy
Viptela(config-user)# priv-password password
The username can be a string from 1 to 32 characters.
The authentication commands enable authentication privileges for the user. authentication can be either message digest 5 (md5) or SHA-2 message digest (sha). You can enter the password as a cleartext string or as an AES-encrypted key.
The privacy commands enable a privacy mechanism for the user. privacy can be either the Advanced Encryption Standard cipher algorithm used in cipher feedback mode, with a 128-bit key (aes-cfb-128) or the data encryption standard algorithm (des). You can enter the password as a cleartext string or as an AES-encrypted key.
Then associate the SNMPv3 user with an SNMP group:
Viptela(config-user)# group group-name
group-name is the name of a group of views that you configure with the snmp group command.
To configure a group of views:
Viptela(config)# snmp group group-name authentication
Viptela(config-group)# view view-name
The group name can be a string from 1 to 32 characters.
The authentication to use for the group can be one of the following:
- auth-no-priv—Authenticate using the HMAC-MD5 or HMAC-SHA algorithm. When you configure this authentication, users in this group must be configured with an authentication and an authentication password (with the snmp user auth and auth-password commands).
- auth-priv—Authenticate using the HMAC-MD5 or HMAC-SHA algorithm, and provide CBC DES 56-bit encryption. When you configure this authentication, users in this group must be configured with an authentication and an authentication password (with the snmp user auth and auth-password commands) and a privacy and privacy password (with the snmp user priv and priv-password commands).
- no-auth-no-priv—Authenticate based on a username. When you configure this authentication, you do not need to configure authentication or privacy credentials.
The view name is the name of an SNMP view that you configure with the snmp view command.
Here is an example configuration for SNMP users and groups:
vEdge(config-snmp)# show full-configuration
snmp
 no shutdown
 view v2
  oid 1.3.6.1
 !
 community private
  view v2
  authorization read-only
 !
 group private-community auth-priv
  view v2
 !
 user noc-staff
  auth md5
  auth-password $4$aCGzJjtS3/czj4BgLEFXKw==
  group private-community
 !
!
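As an added example (not Viptela code and not part of the original article), the following Python script audits a configuration dump like the one above for the weaker choices this section allows: v1/v2c communities, groups below auth-priv, md5 or des users, and users whose group demands credentials they do not have. The function name audit_snmp, the sample text and the one-statement-per-line input layout are assumptions made for the example.

```python
# Constructed sample in the shape of the `show full-configuration` output above.
SAMPLE = """\
snmp
 community private
  view v2
  authorization read-only
 !
 group private-community auth-priv
  view v2
 !
 user noc-staff
  auth md5
  auth-password <redacted>
  group private-community
 !
!
"""

def audit_snmp(config):
    """Return a list of findings for a Viptela-style SNMP configuration dump."""
    groups, users, findings, user = {}, {}, [], None
    for words in (line.split() for line in config.splitlines()):
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "!":
            user = None                              # "!" closes the current block
        elif user is not None and key in ("auth", "priv", "group") and args:
            user[key] = args[0]                      # setting inside a `user` block
        elif key == "community" and args:
            findings.append(f"community {args[0]}: v1/v2c string is sent in cleartext")
        elif key == "group" and len(args) == 2:
            groups[args[0]] = args[1]                # group name -> security level
        elif key == "user" and args:
            user = users.setdefault(args[0], {})
    for name, level in groups.items():
        if level != "auth-priv":
            findings.append(f"group {name}: {level} leaves SNMPv3 payloads unencrypted")
    for name, u in users.items():
        level = groups.get(u.get("group"))
        if u.get("auth") == "md5":
            findings.append(f"user {name}: auth md5; sha is the stronger option offered")
        if u.get("priv") == "des":
            findings.append(f"user {name}: priv des (56-bit); prefer aes-cfb-128")
        if level == "auth-priv" and "priv" not in u:
            findings.append(f"user {name}: group is auth-priv but no priv is configured")
        if level in ("auth-priv", "auth-no-priv") and "auth" not in u:
            findings.append(f"user {name}: group requires auth but none is configured")
    return findings
```

Run against the sample, it reports the community, the md5 digest, and the user that sits in an auth-priv group without a privacy setting.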
Configuring Contact Parameters
For each Viptela device, you can configure its SNMP node name, physical location, and contact information for the person or entity responsible for the device:
Viptela(config)# snmp
Viptela(config-snmp)# name string
Viptela(config-snmp)# location string
Viptela(config-snmp)# contact string
If any of the strings include spaces, enclose the entire string in quotation marks (" ").
Configuring an SNMP Community
The SNMP community string defines the relationship between an SNMP server system and the client systems. This string acts like a password to control the clients' access to the server. To configure a community string, use the community command:
Viptela(config-snmp)# community name
Viptela(config-community-name)# authorization read-only
Viptela(config-community-name)# view string
The community name can be 1 through 32 characters long. It can include angle brackets (< and >). If the name includes spaces, enclose the entire name in quotation marks (" ").
Use the view command to specify the portion of the MIB tree to view. string is the name of a view record configured with the snmp view command, as described below.
The Viptela software supports the standard interfaces MIB, IF-MIB, and the system MIB (SNMPv2-MIB), which are automatically loaded onto the Viptela device when you install the Viptela software. For a list of enterprise MIBs, see the System and SNMP Overview. The MIBs supported by the Viptela software do not allow write operations, so you can configure only read-only authorization (which is the default authorization).
Configuring View Records
To configure a portion of an SNMP MIB to view, use the view command:
Viptela(config-snmp)# view string
Viptela(config-view)# oid oid-subtree [exclude]
For example, to view the Internet portion of the SNMP MIB, configure the OID 1.3.6.1:
Viptela(config-snmp)# view v2 oid 1.3.6.1
To view the private portion of the Viptela MIB, configure the OID 1.3.6.1.4.1.41916.
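The view rules described here and under "Configuring an SNMP View" decide which OIDs a community or group can read, so it is worth checking a view before binding it. The Python below is an added example, not Viptela code: it evaluates OIDs against a list of (subtree, exclude) rules with the * wildcard. The precedence rule (longest matching subtree decides, exclude wins a tie) is an assumption modelled on standard SNMP view-based access control, and the function names, view lists and probe OIDs are constructed for the example.

```python
def matches(subtree, oid):
    """True if oid lies under subtree; '*' matches any value at its position.
    Comparison is per sub-identifier, so 41916 never matches 419160."""
    pat = subtree.strip(".").split(".")
    parts = oid.strip(".").split(".")
    return len(parts) >= len(pat) and all(p in ("*", o) for p, o in zip(pat, parts))

def in_view(oid, rules):
    """rules: list of (oid_subtree, excluded) pairs, as in `oid oid-subtree [exclude]`.
    Assumption: the longest matching subtree decides, and exclude wins a tie."""
    hits = [(len(s.strip(".").split(".")), excl) for s, excl in rules if matches(s, oid)]
    return bool(hits) and not max(hits)[1]

def visible(rules, oids):
    """Subset of oids that a manager bound to this view could read."""
    return [o for o in oids if in_view(o, rules)]

# Constructed views built from the two subtrees named on this page.
V2 = [("1.3.6.1", False)]
V2_WITHOUT_ENTERPRISE = [("1.3.6.1", False), ("1.3.6.1.4.1.41916", True)]
VIPTELA_PRIVATE = [("1.3.6.1.4.1.41916", False)]

# Constructed probe OIDs: sysDescr.0, one under the Viptela subtree, a near-miss.
PROBES = ["1.3.6.1.2.1.1.1.0", "1.3.6.1.4.1.41916.1.1", "1.3.6.1.4.1.419160.1"]

if __name__ == "__main__":
    for name, view in [("v2", V2), ("v2 minus enterprise", V2_WITHOUT_ENTERPRISE),
                       ("viptela-private", VIPTELA_PRIVATE)]:
        print(name, "->", visible(view, PROBES))
```

The near-miss probe shows why the comparison is done per sub-identifier: a plain string-prefix test would wrongly place 1.3.6.1.4.1.419160 inside the 1.3.6.1.4.1.41916 subtree.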
Configuring SNMP Traps
SNMP traps are asynchronous notifications that a Viptela device sends to an SNMP management server. Traps notify the management server of events, whether normal or significant, that occur on the Viptela device. By default, SNMP traps are not sent to an SNMP server. Note that for SNMPv3, the PDU type for notifications is either SNMPv2c inform (InformRequest-PDU) or trap (Trapv2-PDU).
To configure SNMP traps, you define the traps themselves and you configure the SNMP server that is to receive the traps.
To configure groups of traps to be collected on a Viptela device, use the trap group command:
Viptela(config-snmp)# trap group group-name
Viptela(config-group)# trap-type level severity
The group-name is a name of your choosing.
The trap-type can be one of those listed in the table below.
The severity level can be one or more of critical, major, and minor.
Trap types by severity level:

| Trap Type | Critical | Major | Minor |
|---|---|---|---|
| all | All critical traps listed below. | All major traps listed below. | All minor traps listed below. |
| app-route | SLA_Change | | |
| bfd | | BFD_State_Change | |
| bridge | Bridge_Creation, Bridge_Deletion, Max_MAC_Reached | | |
| control | No_Active_vBond | Connection_Auth_Fail | |
| dhcp | | Server_State_Change | Address_Assigned |
| hardware | | EMMC_Fault | |
| omp | | Data_Policy | |
| policy | Access_List_Association_Status, Data_Policy_Association_Status, SLA_Violation_Pkt_Drop | SLA_Violation | |
| routing | | BGP_Peer_State_Change | |
| security | | Clear_Installed_Certificate | Certificate_Installed |
| system | | AAA_Admin_Pwd_Change | Domain_ID_Change |
| vpn | | Interface_State_Change | Route_Install_Fail |
| wwan | Bearer_Change, Domain_State_Change, Reg_State_Change, SIM_State_Change | | |
A single trap group can contain multiple trap types. In the configuration, specify one trap type per line, and each trap type can have one, two, or three severity levels. See the configuration example below for an illustration of the configuration process.
To configure the SNMP server to receive the traps, use the trap target command:
Viptela(config-snmp)# trap target vpn-id ipv4-address udp-port
Viptela(config-target)# group-name name
Viptela(config-target)# community-name community-name
Viptela(config-target)# source-interface interface-name
For each SNMP server, specify the identifier of the VPN where the server is located, the server's IPv4 address, and the UDP port on the server to connect to. When configuring the trap server's address, you must use an IPv4 address. You cannot use an IPv6 address.
In the group-name command, associate a previously configured trap group with the server. The traps in that group are sent to the SNMP server.
In the community-name command, associate a previously configured SNMP community with the SNMP server.
In the source-interface command, configure the interface to use to send traps to the SNMP server that is receiving the trap information. This interface cannot be a subinterface.
The following configuration example sends all traps to one SNMP server and only critical traps to another SNMP server. We configure two SNMP trap groups and the two target SNMP servers:
vEdge# config
Entering configuration mode terminal
vEdge(config)# snmp
vEdge(config-snmp)# view community-view
vEdge(config-view-community-view)# exit
vEdge(config-snmp)# community public
vEdge(config-community-public)# authorization read-only
vEdge(config-community-public)# view community-view
vEdge(config-community-public)# exit
vEdge(config-snmp)# trap group all-traps
vEdge(config-group-all-traps)# all level critical major minor
vEdge(config-group-all)# exit
vEdge(config-group-all-traps)# exit
vEdge(config-snmp)# trap group critical-traps
vEdge(config-group-critical-traps)# control level critical
vEdge(config-group-control)# exit
vEdge(config-group-critical-traps)# exit
vEdge(config-snmp)# trap target 0 10.0.0.1 162
vEdge(config-target-0/10.0.0.1/162)# group-name all-traps
vEdge(config-target-0/10.0.0.1/162)# community-name public
vEdge(config-target-0/10.0.0.1/162)# exit
vEdge(config-snmp)# trap target 0 10.0.0.2 162
vEdge(config-target-0/10.0.0.2/162)# group-name critical-traps
vEdge(config-target-0/10.0.0.2/162)# community-name public
vEdge(config-target-0/10.0.0.2/162)# exit
vEdge(config-snmp)# show full-configuration
snmp
 view community-view
 !
 community public
  view community-view
  authorization read-only
 !
 trap target 0 10.0.0.1 162
  group-name all-traps
  community-name public
 !
 trap target 0 10.0.0.2 162
  group-name critical-traps
  community-name public
 !
 trap group all-traps
  all
   level critical major minor
  !
 !
 trap group critical-traps
  bfd
   level critical
  !
  control
   level critical
  !
  hardware
   level critical
  !
  omp
   level critical
  !
 !
!
vEdge(config-snmp)#
For each trap generated by a Viptela device, the device also generates a notification message. Use the show notification stream viptela command to display these messages. Here is an example of the command output. The first line of the output shows the time when the message was generated (the SNMP eventTime). The time is shown in UTC format, not in the device's local time. The second line of the notification contains a description of the event, and the third line indicates the severity level.
vEdge# show notification stream viptela
notification
 eventTime 2015-04-17T14:39:41.687272+00:00
 bfd-state-change
  severity-level major
  host-name vEdge
  system-ip 1.1.4.2
  src-ip 192.168.1.4
  dst-ip 108.200.52.250
  proto ipsec
  src-port 12346
  dst-port 12406
  local-system-ip 1.1.4.2
  local-color default
  remote-system-ip 1.1.9.1
  remote-color default
  new-state down
 !
!
notification
 eventTime 2015-04-17T15:12:20.435831+00:00
 tunnel-ipsec-rekey
  severity-level minor
  host-name vEdge
  system-ip 1.1.4.2
  color default
 !
!
notification
 eventTime 2015-04-17T16:56:50.314986+00:00
 system-login-change
  severity-level minor
  host-name vEdge
  system-ip 1.1.4.2
  user-name admin
  user-id 9890
 !
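For triage, the notification stream can be turned into records and filtered. The Python below is an added example, not Viptela tooling or part of the original article: it parses output in the format shown above, token by token so that it still works when line breaks were lost in capture, and keeps events that are on a watch list or carry a high severity. The function names, the default watch list and the abridged sample are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the output format shown above.
SAMPLE = """\
notification
 eventTime 2015-04-17T14:39:41.687272+00:00
 bfd-state-change
  severity-level major
  host-name vEdge
  system-ip 1.1.4.2
  new-state down
 !
!
notification
 eventTime 2015-04-17T15:12:20.435831+00:00
 tunnel-ipsec-rekey
  severity-level minor
  host-name vEdge
  color default
 !
!
notification
 eventTime 2015-04-17T16:56:50.314986+00:00
 system-login-change
  severity-level minor
  host-name vEdge
  user-name admin
 !
!
"""

def parse_notifications(text):
    """Split on each 'notification eventTime' marker, then read key/value tokens."""
    records = []
    for chunk in re.split(r"\bnotification\s+eventTime\s+", text)[1:]:
        toks = [t for t in chunk.split() if t != "!"]
        if len(toks) < 2:
            continue                                  # truncated record, skip it
        rec = {"time": datetime.fromisoformat(toks[0]), "event": toks[1]}
        rec.update(zip(toks[2::2], toks[3::2]))       # remaining tokens pair up
        records.append(rec)
    return records

def triage(records, watch=("system-login-change",), levels=("critical", "major")):
    """Keep events whose name is on the watch list or whose severity is high."""
    return [r for r in records
            if r["event"] in watch or r.get("severity-level") in levels]
```

The parsed time keeps its UTC offset, so records from several devices can be ordered without reference to each device's local time zone.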
Additional Information
OID Repository
System, Interface, and SNMP CLI Reference
System and SNMP Overview
For Viptela enterprise MIBs, see the Release Overview article in the release notes for your software release.