
Avi Networks — Technical Reference (17.2)
Copyright © 2019 Avi Networks, Inc.

SNMP Support in Avi Vantage

Avi Vantage supports SNMP v2c, and as of 17.2.3 the administrator can choose SNMP v3 instead. The SNMP v3 support consists of user authentication with the server and payload encryption (together, the authPriv security level) for the messages exchanged with the Avi Controller.

The MIB file, AVI-NETWORKS-MIB.my, is the same for both the SNMP v2c and v3 implementations, and is available for download at the following location: https://github.com/avinetworks/sdk/tree/master/mibs. It contains a description of the Avi Vantage SNMP configuration objects and notifications. Alternate download locations for MIBs are listed at the end of this article.

This article shows the MIB definitions for the Avi Vantage objects and the definitions for the notifications (traps). An example of how to configure a custom alert based on an SNMP notification is also provided.

Responding to SNMP Queries

To fetch SNMP objects from Avi Vantage, an external host queries the SNMP daemon, which runs only on the Controller cluster leader. It is therefore best to configure the external host to direct queries to the cluster IP of the Avi Controller cluster, since that address follows the leader. Absent a cluster IP, the external host must know the IP addresses of each Controller, and may have to try as many as three of them before it finds the current leader's SNMP daemon.

Firewall rules should be configured to give that external host access to UDP port 161 on the cluster IP or on each of the Controller IPs.

During the brief period (1-4 minutes) in which a Controller cluster is recovering from the failure of its leader, queries to the cluster IP will fail, which the external host may interpret as "Avi Vantage is down." That is only true in the narrow sense that the control plane is down; the data plane (i.e., the SEs) is most likely up and still delivering virtual services to clients. A poller should therefore retry across that window before it raises an outage alarm.

SNMP Polling Configuration

To configure the community string for SNMP polling, log into the UI and navigate to Administration > Settings > Access Settings. Click the edit icon and enter the relevant community string under SNMP Community in the SNMP Settings section.
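The polling procedure above (query the cluster IP first, fall back to each Controller, and keep trying across a leader failover) as an added example. This is not Avi Networks' tooling. It assumes net-snmp's snmpget is installed on the polling host, that the configuration dict has the shape of the snmp_configuration object returned by GET api/systemconfiguration (documented in the API section of this article), and that the addresses used in the block are constructed sample values.

```python
"""Poll the Avi Controller SNMP daemon, which runs only on the cluster leader.

Added example for this article, not Avi Networks' code. Assumptions: net-snmp
snmpget is on PATH; snmp_cfg mirrors the Controller's snmp_configuration
object; the IP addresses below are constructed, not a real deployment.
"""
import subprocess
import time
from typing import Callable, Iterable, List, Optional

# Avi enum values mapped to the protocol names net-snmp expects for -a / -x.
AUTH_PROTO = {"SNMP_V3_AUTH_MD5": "MD5", "SNMP_V3_AUTH_SHA": "SHA"}
PRIV_PROTO = {"SNMP_V3_PRIV_DES": "DES", "SNMP_V3_PRIV_AES": "AES"}


def snmpget_argv(host: str, snmp_cfg: dict, oid: str = "SNMPv2-MIB::sysName.0") -> List[str]:
    """Build the snmpget command line matching the Controller's SNMP settings.

    An absent "version" key means SNMP v2c, as the article says of 17.2.3.
    One attempt with a two-second timeout: the caller does the retrying.
    """
    argv = ["snmpget", "-t", "2", "-r", "0"]
    version = snmp_cfg.get("version", "SNMP_VER2")
    if version == "SNMP_VER2":
        argv += ["-v", "2c", "-c", snmp_cfg["community"]]
    elif version == "SNMP_VER3":
        user = snmp_cfg["snmp_v3_config"]["user"]
        # Auth and priv are both configured on the Controller, so the
        # matching USM security level is authPriv.
        argv += ["-v", "3", "-l", "authPriv", "-u", user["username"],
                 "-a", AUTH_PROTO[user["auth_type"]], "-A", user["auth_passphrase"],
                 "-x", PRIV_PROTO[user["priv_type"]], "-X", user["priv_passphrase"]]
    else:
        raise ValueError(f"unsupported SNMP version: {version!r}")
    return argv + [host, oid]


def snmpget_probe(snmp_cfg: dict, oid: str = "SNMPv2-MIB::sysName.0") -> Callable[[str], Optional[str]]:
    """Return a probe that runs snmpget against one host; None means no answer."""
    def probe(host: str) -> Optional[str]:
        try:
            done = subprocess.run(snmpget_argv(host, snmp_cfg, oid),
                                  capture_output=True, text=True, timeout=5)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            return None
        return done.stdout.strip() if done.returncode == 0 else None
    return probe


def find_snmp_leader(targets: Iterable[str], probe: Callable[[str], Optional[str]],
                     rounds: int = 3, delay: float = 30.0) -> Optional[str]:
    """Return the first address whose SNMP daemon answers, i.e. the leader.

    targets lists the cluster IP first (when one exists) and then each
    Controller IP, so a healthy cluster is found on the first query. Several
    rounds with a pause cover the 1-4 minute leader-failover window, during
    which no daemon answers although the SEs keep serving traffic.
    """
    targets = list(targets)
    for attempt in range(rounds):
        for host in targets:
            if probe(host) is not None:
                return host
        if attempt < rounds - 1:
            time.sleep(delay)
    return None


if __name__ == "__main__":
    # Constructed sample values; passphrases are placeholders.
    cfg = {"version": "SNMP_VER3", "snmp_v3_config": {"user": {
        "username": "snmpv3user", "auth_type": "SNMP_V3_AUTH_SHA",
        "auth_passphrase": "<sensitive>", "priv_type": "SNMP_V3_PRIV_AES",
        "priv_passphrase": "<sensitive>"}}}
    cluster_ip, nodes = "10.10.24.100", ["10.10.24.96", "10.10.24.97", "10.10.24.98"]
    leader = find_snmp_leader([cluster_ip] + nodes, snmpget_probe(cfg))
    print("leader:", leader or "no Controller answered (control plane down, SEs probably still up)")
```

Passphrases passed with -A and -X are visible to other local users in the process list; for a production poller put them in the polling account's ~/.snmp/snmp.conf (defSecurityName, defAuthPassphrase, defPrivPassphrase) and drop those flags from the argv.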

Page 3: Page 1 of 16 - Avi Networks...SSL_CERT_EXPIRE aviSSLCertificateExpired All other alerts aviSystemAlert Notes: * aviSystemAlert is a generic trap notification and can be associated

Avi Networks — Technical Reference (17.2)SNMP Support in Avi Vantage

Copyright © 2019 Avi Networks, Inc. Page 3 of 16

SNMP System Configuration

You can configure the common system parameters (e.g., sysName, sysLocation and sysContact) in the Avi Vantage Platform. In a Controller cluster, sysName is configured for each Controller node as the node name in the Cluster object. sysLocation and sysContact are specified in the SystemConfiguration object. Because the SNMP configuration is specified at the SystemConfiguration object level, it applies to all clouds overseen by the Controller cluster.

API to Configure SNMP System Parameters

Note: In the three REST API examples that follow, for the sake of brevity, we have excluded the portions of the PUT that apply to aspects of the system other than SNMP. Their absence is indicated by a series of three vertical dots. Because a PUT replaces the entire SystemConfiguration object, fetch the current object with a GET, edit its snmp_configuration section and PUT the whole object back, rather than sending only the fragment shown.

API SNMP v2 Configuration for 17.2.2 and Prior

Note: No SNMP version number parameter is present (or needed) in configurations of Avi Vantage 17.2.2 Controller clusters or prior, as SNMP v2 is assumed.

PUT api/systemconfiguration
{
  .
  .
  .
  "snmp_configuration": {
    "sys_contact": "[email protected]",
    "sys_location": "San Jose, CA"
  },
  .
  .
  .
}

API SNMP v2 Configuration for 17.2.3

Note: With 17.2.3, the version parameter is introduced. For backward compatibility, omission of the version parameter causes Avi Vantage to default to "SNMP_VER2."

PUT api/systemconfiguration
{
  .
  .
  .
  "snmp_configuration": {
    "version": "SNMP_VER2",
    "sys_contact": "[email protected]",
    "community": "public",
    "sys_location": "San Jose, CA"
  },
  .
  .
  .
}

API SNMP v3 Configuration for Avi Vantage 17.2.3

Note: With Avi Vantage 17.2.3 and thereafter, if other than SNMP v2 is desired, the version parameter must be explicitly included. It is explicitly set to "SNMP_VER3" in the example below.

For SNMP v3:
* The possible values for auth_type are "SNMP_V3_AUTH_MD5" and "SNMP_V3_AUTH_SHA".
* The possible values for priv_type are "SNMP_V3_PRIV_AES" and "SNMP_V3_PRIV_DES".

Both an authentication and a privacy setting are configured, so the Controller operates at the authPriv security level. SHA and AES are the stronger choices; the example below uses MD5 only to illustrate the field.

The "snmpv3user" and "0x8000000001020304" values are merely representative of what would appear for the username and engine_id parameters.

PUT api/systemconfiguration
{
  .
  .
  .
  "snmp_configuration": {
    "version": "SNMP_VER3",
    "sys_contact": "[email protected]",
    "snmp_v3_config": {
      "user": {
        "username": "snmpv3user",
        "auth_type": "SNMP_V3_AUTH_MD5",
        "priv_passphrase": "<sensitive>",
        "auth_passphrase": "<sensitive>",
        "priv_type": "SNMP_V3_PRIV_AES"
      },
      "engine_id": "0x8000000001020304"
    }
  },
  .
  .
  .
}
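The three PUT bodies above differ only in their snmp_configuration section, and two of them carry settings a reviewer would reject (a "public" community on v2c, MD5 authentication on v3). The following added example, not Avi Networks' code, audits a snmp_configuration object for those weaknesses and builds a hardened SNMP v3 section in the same shape. The audit rules, the minimum passphrase length (the 8-octet USM minimum from RFC 3414) and the sample values are this example's own choices, not Avi requirements; merging into a GET response before the PUT follows the note above.

```python
"""Audit and harden the snmp_configuration section of api/systemconfiguration.

Added example for this article, not Avi Networks' code. It works on the JSON
shape shown above; the audit rules and the sample values are this example's
own choices. The 8-octet passphrase minimum is the USM rule from RFC 3414.
"""
import json
from typing import Dict, List, Optional

MIN_PASSPHRASE = 8
DEFAULT_COMMUNITIES = {"", "public", "private"}


def audit_snmp_configuration(cfg: dict) -> List[str]:
    """Return a list of findings; an empty list means nothing to object to."""
    findings: List[str] = []
    # 17.2.3+ treats an absent "version" as SNMP_VER2 (see the note above).
    version = cfg.get("version", "SNMP_VER2")
    if version == "SNMP_VER2":
        findings.append("SNMP v2c: community string and polled data are sent in cleartext")
        if cfg.get("community", "") in DEFAULT_COMMUNITIES:
            findings.append("community string is empty or a well-known default")
        return findings
    if version != "SNMP_VER3":
        return [f"unknown version {version!r}"]
    user = cfg.get("snmp_v3_config", {}).get("user", {})
    if user.get("auth_type") != "SNMP_V3_AUTH_SHA":
        findings.append("auth_type is not SNMP_V3_AUTH_SHA (MD5 is the weaker option)")
    if user.get("priv_type") != "SNMP_V3_PRIV_AES":
        findings.append("priv_type is not SNMP_V3_PRIV_AES (DES is the weaker option)")
    for key in ("auth_passphrase", "priv_passphrase"):
        if len(user.get(key, "")) < MIN_PASSPHRASE:
            findings.append(f"{key} is shorter than {MIN_PASSPHRASE} characters")
    if user.get("auth_passphrase") and user.get("auth_passphrase") == user.get("priv_passphrase"):
        findings.append("auth_passphrase and priv_passphrase are identical")
    return findings


def hardened_snmp_configuration(sys_contact: str, sys_location: str, username: str,
                                auth_passphrase: str, priv_passphrase: str,
                                engine_id: Optional[str] = None) -> Dict:
    """Build an SNMP v3 section with SHA authentication and AES privacy, audited before return."""
    user = {"username": username,
            "auth_type": "SNMP_V3_AUTH_SHA", "auth_passphrase": auth_passphrase,
            "priv_type": "SNMP_V3_PRIV_AES", "priv_passphrase": priv_passphrase}
    v3: Dict = {"user": user}
    if engine_id is not None:
        v3["engine_id"] = engine_id
    cfg = {"version": "SNMP_VER3", "sys_contact": sys_contact,
           "sys_location": sys_location, "snmp_v3_config": v3}
    problems = audit_snmp_configuration(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return cfg


def put_body(current_systemconfiguration: dict, snmp_cfg: dict) -> dict:
    """PUT replaces the whole object: merge the new SNMP section into the GET response."""
    body = dict(current_systemconfiguration)
    body["snmp_configuration"] = snmp_cfg
    return body


if __name__ == "__main__":
    # The v2 example from this article, then the v3 example with constructed passphrases.
    for sample in ({"version": "SNMP_VER2", "community": "public", "sys_location": "San Jose, CA"},
                   {"version": "SNMP_VER3", "snmp_v3_config": {"user": {
                       "username": "snmpv3user", "auth_type": "SNMP_V3_AUTH_MD5",
                       "auth_passphrase": "example-auth-phrase", "priv_type": "SNMP_V3_PRIV_AES",
                       "priv_passphrase": "example-priv-phrase"}}}):
        print(sample.get("version"), "->", audit_snmp_configuration(sample) or "ok")
    hardened = hardened_snmp_configuration("[email protected]", "San Jose, CA", "snmpv3user",
                                           "example-auth-phrase", "example-priv-phrase",
                                           "0x8000000001020304")
    print(json.dumps(put_body({"uuid": "default"}, hardened), indent=2))
```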

CLI views of SNMP system parameters

version = SNMP_VER2

[admin:10-10-24-96]: > show systemconfiguration
+----------------------------------+----------------------------------+
| Field                            | Value                            |
+----------------------------------+----------------------------------+
| uuid                             | default                          |
| dns_configuration                |                                  |
|   search_domain                  |                                  |
| ntp_configuration                |                                  |
|   ntp_servers[1]                 |                                  |
|     server                       | 0.us.pool.ntp.org                |
|   ntp_servers[2]                 |                                  |
|     server                       | 1.us.pool.ntp.org                |
|   ntp_servers[3]                 |                                  |
|     server                       | 2.us.pool.ntp.org                |
|   ntp_servers[4]                 |                                  |
|     server                       | 3.us.pool.ntp.org                |
| portal_configuration             |                                  |
|   enable_https                   | True                             |
|   redirect_to_https              | True                             |
|   enable_http                    | True                             |
|   sslkeyandcertificate_refs[1]   | System-Default-Portal-Cert       |
|   sslkeyandcertificate_refs[2]   | System-Default-Portal-Cert-EC256 |
|   use_uuid_from_input            | False                            |
|   sslprofile_ref                 | System-Standard                  |
|   enable_clickjacking_protection | True                             |
|   allow_basic_authentication     | True                             |
|   password_strength_check        | False                            |
|   disable_remote_cli_shell       | False                            |
| global_tenant_config             |                                  |
|   tenant_vrf                     | False                            |
|   se_in_provider_context         | True                             |
|   tenant_access_to_provider_se   | True                             |
| email_configuration              |                                  |
|   smtp_type                      | SMTP_LOCAL_HOST                  |
|   from_email                     | [email protected]                |
|   mail_server_name               | localhost                        |
|   mail_server_port               | 25                               |
| docker_mode                      | False                            |
| snmp_configuration               |                                  |
|   community                      | <sensitive>                      |
|   sys_location                   | San Jose, CA                     |
|   sys_contact                    | [email protected]                |
|   version                        | SNMP_VER2                        |
+----------------------------------+----------------------------------+
[admin:10-10-24-96]: >

version = SNMP_VER3

[admin:10-10-24-96]: > show systemconfiguration
+----------------------------------+----------------------------------+
| Field                            | Value                            |
+----------------------------------+----------------------------------+
| uuid                             | default                          |
| dns_configuration                |                                  |
|   search_domain                  |                                  |
| ntp_configuration                |                                  |
|   ntp_servers[1]                 |                                  |
|     server                       | 0.us.pool.ntp.org                |
|   ntp_servers[2]                 |                                  |
|     server                       | 1.us.pool.ntp.org                |
|   ntp_servers[3]                 |                                  |
|     server                       | 2.us.pool.ntp.org                |
|   ntp_servers[4]                 |                                  |
|     server                       | 3.us.pool.ntp.org                |
| portal_configuration             |                                  |
|   enable_https                   | True                             |
|   redirect_to_https              | True                             |
|   enable_http                    | True                             |
|   sslkeyandcertificate_refs[1]   | System-Default-Portal-Cert       |
|   sslkeyandcertificate_refs[2]   | System-Default-Portal-Cert-EC256 |
|   use_uuid_from_input            | False                            |
|   sslprofile_ref                 | System-Standard                  |
|   enable_clickjacking_protection | True                             |
|   allow_basic_authentication     | True                             |
|   password_strength_check        | False                            |
|   disable_remote_cli_shell       | False                            |
| global_tenant_config             |                                  |
|   tenant_vrf                     | False                            |
|   se_in_provider_context         | True                             |
|   tenant_access_to_provider_se   | True                             |
| email_configuration              |                                  |
|   smtp_type                      | SMTP_LOCAL_HOST                  |
|   from_email                     | [email protected]                |
|   mail_server_name               | localhost                        |
|   mail_server_port               | 25                               |
| docker_mode                      | False                            |
| snmp_configuration               |                                  |
|   sys_location                   | San Jose, CA                     |
|   sys_contact                    | [email protected]                |
|   version                        | SNMP_VER3                        |
|   snmp_v3_config                 |                                  |
|     user                         |                                  |
|       username                   | snmpv3user                       |
|       auth_type                  | SNMP_V3_AUTH_SHA                 |
|       auth_passphrase            | <sensitive>                      |
|       priv_type                  | SNMP_V3_PRIV_AES                 |
|       priv_passphrase            | <sensitive>                      |
|     engine_id                    | 0x123456789ABCDEF                |
+----------------------------------+----------------------------------+
[admin:10-10-24-96]: >

Avi UI SNMP Configuration for Avi Vantage 17.2.3

For SNMP v2:


For SNMP v3:

MIB Objects

The following are the Avi Vantage configuration objects exposed through AVI-NETWORKS-MIB.my:

Avi Controller
Service Engine
Virtual Service


Avi Controller

AviControllerEntry ::=
    SEQUENCE {
        aviControllerIndex     Integer32,
        aviControllerUUID      SnmpAdminString,
        aviControllerName      DisplayString,
        aviControllerAddrType  InetAddressType,
        aviControllerAddr      InetAddress,
        aviControllerStatus    INTEGER
    }

aviControllerUUID   : Unique UUID of the Avi Controller VM
aviControllerName   : Name assigned to the Avi Controller (defaults to the IP address of the Avi Controller)
aviControllerAddr   : Management v4 IP address of the Avi Controller
aviControllerStatus : Runtime status of the Avi Controller

Service Engine

AviServiceEngineEntry ::=
    SEQUENCE {
        aviServiceEngineIndex     Integer32,
        aviServiceEngineUUID      SnmpAdminString,
        aviServiceEngineName      DisplayString,
        aviServiceEngineAddrType  InetAddressType,
        aviServiceEngineAddr      InetAddress,
        aviServiceEngineStatus    INTEGER
    }

aviServiceEngineUUID   : Unique UUID of the Avi Service Engine VM
aviServiceEngineName   : Name of the Service Engine VM assigned in the Virtual Infrastructure
aviServiceEngineAddr   : Management v4 IP address of the Avi Service Engine VM
aviServiceEngineStatus : Runtime status of the Avi Service Engine

Virtual Service

AviVirtualServiceEntry ::=
    SEQUENCE {
        aviVirtualServiceIndex     Integer32,
        aviVirtualServiceUUID      SnmpAdminString,
        aviVirtualServiceName      DisplayString,
        aviVirtualServiceAddrType  InetAddressType,
        aviVirtualServiceAddr      InetAddress,
        aviVirtualServiceStatus    INTEGER
    }

aviVirtualServiceUUID   : Unique UUID of the virtual service
aviVirtualServiceName   : Name assigned to the virtual service
aviVirtualServiceAddr   : Virtual IP (v4) address of the virtual service
aviVirtualServiceStatus : Runtime status of the virtual service

Notifications (Traps)

The Controller cluster leader can issue SNMP trap notifications based on system events. For SNMP trap notifications to reach an external SNMP server:

* Since the leadership role can change from time to time, the external SNMP server should be configured to accept traffic from any one of the three Controllers in the cluster, i.e., all three addresses should be in the SNMP server's allowed-access list.
* The firewall rules should be configured to allow UDP traffic destined to port 162 on the SNMP trap server from any of the three cluster members' IP addresses.

Note that an SNMP v2c trap carries only a community string, so this allowed-access list is the only check the receiver can make on where a trap came from; an SNMP v3 trap user, as configured in the trap profile, authenticates the trap as well.

System events related to the Avi Controller cluster, Avi Service Engines, virtual services and SSL certificate expiry are classified into their respective SNMP traps. Other system events use the generic SNMP trap notification.

Only the alerts generated for the following events are fed into the specific SNMP traps.

Events                                        SNMP trap
VS_DOWN, VS_UP                                aviVirtualServiceStatusChanged
SE_DOWN, SE_UP                                aviServiceEngineStatusChanged
CONTROLLER_NODE_JOINED, CONTROLLER_NODE_LEFT  aviControllerStatusChanged
SSL_CERT_EXPIRE                               aviSSLCertificateExpired
All other alerts                              aviSystemAlert

Notes:
* aviSystemAlert is a generic trap notification and can be associated with any of the system events generated by the Avi Controller.
* Avi Vantage release 17.2.13 supports a large trap payload (a maximum of 4096 bytes) in SNMP trap notifications. Prior to this, the length of the SNMP trap payload was restricted to 256 bytes.
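On the receiving side, the two requirements above (accept traps only from the cluster members, and know which events each trap can carry) translate into a small triage step. The following added example, not Avi Networks' code, runs that step over trap log lines. The line format it parses is a constructed, simplified one (timestamp, source address, trap name, varbinds), not the exact output of any particular trap receiver, so parse_trap_line() must be adapted to the receiver in use; the trap-to-event mapping is the table above, and the addresses in the sample lines are made up.

```python
"""Triage trap lines received from an Avi Controller cluster.

Added example for this article, not Avi Networks' code. The log line format
is constructed and simplified (not snmptrapd's exact output); the mapping of
traps to events is the table in this article; addresses are made up.
"""
import re
from typing import Dict, Iterable, List, Optional

# Which system events feed which specific trap (table above).
TRAP_EVENTS = {
    "aviVirtualServiceStatusChanged": ("VS_DOWN", "VS_UP"),
    "aviServiceEngineStatusChanged": ("SE_DOWN", "SE_UP"),
    "aviControllerStatusChanged": ("CONTROLLER_NODE_JOINED", "CONTROLLER_NODE_LEFT"),
    "aviSSLCertificateExpired": ("SSL_CERT_EXPIRE",),
    "aviSystemAlert": (),  # generic: any other alert
}

# Constructed line shape: "<date> <time> <source-ip> AVI-NETWORKS-MIB::<trap> [varbinds]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"AVI-NETWORKS-MIB::(?P<trap>\w+)(?: (?P<varbinds>.*))?$")


def parse_trap_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one line into its fields, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: Iterable[str], controller_ips: Iterable[str]) -> List[Dict[str, object]]:
    """Accept traps only from cluster members and label them with the events they can carry.

    Any member may be leader when a trap is sent, so every member's address is
    allowed, exactly as the receiver's allowed-access list above requires.
    """
    allowed = set(controller_ips)
    results: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_trap_line(line)
        if rec is None:
            results.append({"line": line, "accepted": False, "reason": "unparsed"})
            continue
        if rec["src"] not in allowed:
            results.append({"line": line, "accepted": False,
                            "reason": f"source {rec['src']} is not a cluster member"})
            continue
        if rec["trap"] not in TRAP_EVENTS:
            results.append({"line": line, "accepted": False,
                            "reason": f"unknown trap {rec['trap']}"})
            continue
        events = TRAP_EVENTS[rec["trap"]]
        results.append({"line": line, "accepted": True, "src": rec["src"],
                        "trap": rec["trap"], "events": events or ("any other alert",),
                        "varbinds": rec["varbinds"] or ""})
    return results


# Constructed sample lines; one comes from an address outside the cluster.
CONTROLLERS = ["10.10.24.96", "10.10.24.97", "10.10.24.98"]
SAMPLE_LINES = [
    "2019-11-02 13:32:10 10.10.24.96 AVI-NETWORKS-MIB::aviVirtualServiceStatusChanged "
    "aviVirtualServiceStatusReason=example-reason",
    "2019-11-02 13:40:02 10.10.24.97 AVI-NETWORKS-MIB::aviControllerStatusChanged "
    "aviOperStatusReason=example-reason",
    "2019-11-02 13:41:55 192.0.2.77 AVI-NETWORKS-MIB::aviVirtualServiceStatusChanged "
    "aviVirtualServiceStatusReason=example-reason",
    "2019-11-02 13:45:00 10.10.24.98 AVI-NETWORKS-MIB::aviSystemAlert "
    "aviSystemAlertInfoDesc=example-description",
    "this line is not a trap",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES, CONTROLLERS):
        print("ACCEPT" if r["accepted"] else "REJECT", r.get("trap") or r["reason"],
              r.get("events", ""))
```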

Example: Viewing the Trap Server Profiles

In the response below, a Controller with IP address 10.10.24.96 reveals its v2 and v3 trap server profiles when it answers an authenticated GET of https://10.10.24.96/api/snmptrapprofile. Community strings and passphrases are returned as "<sensitive>".

{
  "count": 2,
  "results": [
    {
      "uuid": "snmptrapprofile-aa815f66-2190-4ff4-a20f-0c9fe41deff4",
      "url": "https://10.10.24.96/api/snmptrapprofile/snmptrapprofile-aa815f66-2190-4ff4-a20f-0c9fe41deff4",
      "tenant_ref": "https://10.10.24.96/api/tenant/admin",
      "name": "SnmpTrap-2",
      "trap_servers": [
        {
          "version": "SNMP_VER2",
          "ip_addr": {
            "type": "V4",
            "addr": "10.10.0.235"
          },
          "community": "<sensitive>"
        }
      ],
      "_last_modified": "1509670261022622"
    },
    {
      "uuid": "snmptrapprofile-2e28610a-e100-4de7-ae92-20bd7a4ee3b7",
      "url": "https://10.10.24.96/api/snmptrapprofile/snmptrapprofile-2e28610a-e100-4de7-ae92-20bd7a4ee3b7",
      "tenant_ref": "https://10.10.24.96/api/tenant/admin",
      "name": "SnmpTrap-1",
      "trap_servers": [
        {
          "version": "SNMP_VER3",
          "ip_addr": {
            "type": "V4",
            "addr": "10.10.3.1"
          },
          "user": {
            "username": "snmpv3trapuser",
            "auth_type": "SNMP_V3_AUTH_MD5",
            "priv_passphrase": "<sensitive>",
            "auth_passphrase": "<sensitive>",
            "priv_type": "SNMP_V3_PRIV_AES"
          }
        }
      ],
      "_last_modified": "1509670185831024"
    }
  ]
}

aviControllerStatusChanged

aviControllerStatusChanged NOTIFICATION-TYPE
    OBJECTS {
        aviControllerStatus,
        aviOperStatusReason
    }
    STATUS current
    DESCRIPTION
        "This alert is generated when controller status
        Changes."
    ::= { aviNotificationsObjects 1 }

This trap is generated when the Avi Controller status changes.


The following Controller-state-change system events can initiate the aviControllerStatusChanged trap:
Controller-Node-Left
Controller-Node-Joined

For each of the above Avi Controller status-change events, there is a default system alert configuration and, for it, a default alert action.

aviServiceEngineStatusChanged

aviServiceEngineStatusChanged NOTIFICATION-TYPE
    OBJECTS {
        aviObjectURL,
        aviServiceEngineStatus,
        aviOperStatusReason
    }
    STATUS current
    DESCRIPTION
        "This alert is generated when Service Engine status
        Changes."
    ::= { aviNotificationsObjects 2 }

This trap is generated when the Avi SE status changes.

The following Avi SE status-change events can initiate the aviServiceEngineStatusChanged trap:
Se-Up
Se-Down

For each of the above Avi SE status-change events, there is a default system alert configuration.

aviVirtualServiceStatusChanged

aviVirtualServiceStatusChanged NOTIFICATION-TYPE
    OBJECTS {
        aviObjectURL,
        aviVirtualServiceStatus,
        aviVirtualServiceStatusReason
    }
    STATUS current
    DESCRIPTION
        "This alert is generated when virtual service status
        changes."
    ::= { aviNotificationsObjects 3 }

This trap is generated when the virtual service status changes.

The following virtual service status-change events can initiate the aviVirtualServiceStatusChanged trap:
Vs-Down
Vs-Up

To configure SNMP traps for these status-change events, see the section Configuration for SNMP Event-based Trap later in this article.

aviSSLCertificateExpired

aviSSLCertificateExpired NOTIFICATION-TYPE
    OBJECTS {
        aviObjectURL,
        aviSSLCertificateInfo
    }
    STATUS current
    DESCRIPTION
        "This alert is generated when SSL Certificate
        Expires."
    ::= { aviNotificationsObjects 4 }

This trap is generated when an SSL certificate expires. The Ssl-Cert-Expire virtual service event can initiate the aviSSLCertificateExpired trap (see the events table above).

To configure SNMP traps for this event, see the section Configuration for SNMP Event-based Trap later in this article.

aviSystemAlert

aviSystemAlert NOTIFICATION-TYPE
    OBJECTS {
        aviSystemAlertInfoDesc
    }
    STATUS current
    DESCRIPTION
        "This is a generic system alert"
    ::= { aviNotificationsObjects 5 }

This is a generic trap notification. It can be associated with any of the system events generated by the Avi Controller.

Configuration for SNMP Event-based Trap

This section shows the configuration for generating an SNMP trap when a Vs-Down event occurs. The workflow is described below.


In the following example from the Avi Controller web interface, the Vs-Down event is shown associated with a new alert action named "my-SNMP-alert-action." The default System-Alert-Level-High alert action could be modified instead. However, it is best practice to leave the system default alert action unchanged, and instead create a new, custom alert action.

In the Alert Configuration editor, the alert action is configured:


In the Alert Action editor, the named action is associated with just one type of notification, an SNMP trap. The notification is given the name "my-SNMP-trap-notification."

The named notification is defined in the notification editor.

Note: Multiple SNMP servers are supported. (Click the green + box to add.)


The above UI screen has evolved for Avi Vantage 17.2.3+ as shown below.

For SNMP v2:

For SNMP v3:


To confirm that the SNMP trap notification is defined:

Alternate Download Locations for MIBs

AVI-NETWORKS-MIB.my
INET-ADDRESS-MIB.my
SNMP-FRAMEWORK-MIB
SNMP-VIEW-BASED-ACM-MIB
SNMPv2-CONF.my
SNMPv2-SMI.my
SNMPv2-TC.my