Avi Networks — Technical Reference (17.2)SNMP Support in Avi Vantage
Copyright © 2019 Avi Networks, Inc. Page 2 of 16
SNMP Support in Avi Vantage
Avi Vantage supports SNMP v2c, and as of 17.2.3, the administrator can choose to use SNMP v3 instead. SNMPv3 support only enables user authentication with the server and payload encryption for the messages exchanged with the Avi Controller.
The MIB file, AVI-NETWORKS-MIB.my, is the same for both SNMP v2c and v3 implementations, and is available for download at the following location: https://github.com/avinetworks/sdk/tree/master/mibs. It contains a description of the Avi Vantage SNMP configuration objects and notifications. Alternate download locations for MIBs are listed at the end of this article.
This article shows the MIB definitions for the Avi Vantage objects and the definitions for the notifications (traps). An example of how to configure a custom alert based on an SNMP notification also is provided.
Responding to SNMP Queries
To fetch SNMP objects from Avi Vantage, an external host needs to query the SNMP daemon, which only runs on the Controller cluster leader. It is therefore best to configure the external host to direct queries to the cluster IP of the Avi Controller cluster. Absent a cluster IP, the external host must know the IP addresses of each Controller, and try as many as three times before it finds the current leader's SNMP daemon.
Firewall rules should be configured to give that external host access to port 161 on the cluster IP or each of the Controller IPs.
During the brief period of time (1-4 minutes) that a Controller cluster is recovering from the failure of its leader, queries to the cluster IP will fail, which the external host may interpret as "Avi Vantage is down." That is only true in the narrow sense that the control plane is down; the data plane (i.e., the SEs) is likely up and delivering virtual services to clients.
SNMP Polling Configuration
To configure the community string for SNMP polling, log into the UI and navigate to Administration > Settings > Access Settings.
Click on the edit icon. Enter the relevant community string under SNMP Community in the SNMP Settings section.
SNMP System Configuration
You can configure the common system parameters (e.g., sysName, sysLocation, and sysContact) in the Avi Vantage Platform. In a Controller cluster, sysName is configured for each Controller node as the node name in the Cluster object. sysLocation and sysContact are specified in the SystemConfiguration object. Because the SNMP configuration is specified at the SystemConfiguration object level, it applies to all clouds overseen by the Controller cluster.
API to Configure SNMP System Parameters
Note: In the three REST API examples that follow, for sake of brevity, we have excluded the portions of the PUT that apply to aspects of the system other than SNMP. Their absence is indicated by a series of three vertical dots.
API SNMP v2 Configuration for 17.2.2 and Prior
Note: No SNMP version number parameter is present (or needed) in configurations of Avi Vantage 17.2.2 Controller clusters or prior, as SNMP v2 is assumed.
PUT api/systemconfiguration
{
  .
  .
  .
  "snmp_configuration": {
    "sys_contact": "[email protected]",
    "sys_location": "San Jose, CA"
  },
  .
  .
  .
}
API SNMP v2 Configuration for 17.2.3
Note: With 17.2.3, the version parameter is introduced. For backward compatibility, omission of the version parameter causes Avi Vantage to default to "SNMP_VER2."
PUT api/systemconfiguration
{
  .
  .
  .
  "snmp_configuration": {
    "version": "SNMP_VER2",
    "sys_contact": "[email protected]",
    "community": "public",
    "sys_location": "San Jose, CA"
  },
  .
  .
  .
}
API SNMP v3 Configuration for Avi Vantage 17.2.3
Note: With Avi Vantage 17.2.3 and thereafter, if other than SNMP v2 is desired, the version parameter must be explicitly included. It is explicitly set to "SNMP_VER3" in the below example.
As of SNMP v3,
* The possible values for auth_type are "SNMP_V3_AUTH_MD5" and "SNMP_V3_AUTH_SHA".
* The possible values for priv_type are "SNMP_V3_PRIV_AES" and "SNMP_V3_PRIV_DES".
The "snmpv3user" and "0x8000000001020304" values are merely representative of what would appear for the username and engine_id parameters.
PUT api/systemconfiguration
{
  .
  .
  .
  "snmp_configuration": {
    "version": "SNMP_VER3",
    "sys_contact": "[email protected]",
    "snmp_v3_config": {
      "user": {
        "username": "snmpv3user",
        "auth_type": "SNMP_V3_AUTH_MD5",
        "priv_passphrase": "<sensitive>",
        "auth_passphrase": "<sensitive>",
        "priv_type": "SNMP_V3_PRIV_AES"
      },
      "engine_id": "0x8000000001020304"
    }
  },
  .
  .
  .
}
CLI views of SNMP system parameters
version = SNMP_VER2
[admin:10-10-24-96]: > show systemconfiguration
+----------------------------------+----------------------------------+
| Field | Value |
+----------------------------------+----------------------------------+
| uuid | default |
| dns_configuration | |
| search_domain | |
| ntp_configuration | |
| ntp_servers[1] | |
| server | 0.us.pool.ntp.org |
| ntp_servers[2] | |
| server | 1.us.pool.ntp.org |
| ntp_servers[3] | |
| server | 2.us.pool.ntp.org |
| ntp_servers[4] | |
| server | 3.us.pool.ntp.org |
| portal_configuration | |
| enable_https | True |
| redirect_to_https | True |
| enable_http | True |
| sslkeyandcertificate_refs[1] | System-Default-Portal-Cert |
| sslkeyandcertificate_refs[2] | System-Default-Portal-Cert-EC256 |
| use_uuid_from_input | False |
| sslprofile_ref | System-Standard |
| enable_clickjacking_protection | True |
| allow_basic_authentication | True |
| password_strength_check | False |
| disable_remote_cli_shell | False |
| global_tenant_config | |
| tenant_vrf | False |
| se_in_provider_context | True |
| tenant_access_to_provider_se | True |
| email_configuration | |
| smtp_type | SMTP_LOCAL_HOST |
| from_email | [email protected] |
| mail_server_name | localhost |
| mail_server_port | 25 |
| docker_mode | False |
| snmp_configuration | |
| community | <sensitive> |
| sys_location | San Jose, CA |
| sys_contact | [email protected] |
| version | SNMP_VER2 |
+----------------------------------+----------------------------------+
[admin:10-10-24-96]: >
version = SNMP_VER3
[admin:10-10-24-96]: > show systemconfiguration
+----------------------------------+----------------------------------+
| Field | Value |
+----------------------------------+----------------------------------+
| uuid | default |
| dns_configuration | |
| search_domain | |
| ntp_configuration | |
| ntp_servers[1] | |
| server | 0.us.pool.ntp.org |
| ntp_servers[2] | |
| server | 1.us.pool.ntp.org |
| ntp_servers[3] | |
| server | 2.us.pool.ntp.org |
| ntp_servers[4] | |
| server | 3.us.pool.ntp.org |
| portal_configuration | |
| enable_https | True |
| redirect_to_https | True |
| enable_http | True |
| sslkeyandcertificate_refs[1] | System-Default-Portal-Cert |
| sslkeyandcertificate_refs[2] | System-Default-Portal-Cert-EC256 |
| use_uuid_from_input | False |
| sslprofile_ref | System-Standard |
| enable_clickjacking_protection | True |
| allow_basic_authentication | True |
| password_strength_check | False |
| disable_remote_cli_shell | False |
| global_tenant_config | |
| tenant_vrf | False |
| se_in_provider_context | True |
| tenant_access_to_provider_se | True |
| email_configuration | |
| smtp_type | SMTP_LOCAL_HOST |
| from_email | [email protected] |
| mail_server_name | localhost |
| mail_server_port | 25 |
| docker_mode | False |
| snmp_configuration | |
| sys_location | San Jose, CA |
| sys_contact | [email protected] |
| version | SNMP_VER3 |
| snmp_v3_config | |
| user | |
| username | snmpv3user |
| auth_type | SNMP_V3_AUTH_SHA |
| auth_passphrase | <sensitive> |
| priv_type | SNMP_V3_PRIV_AES |
| priv_passphrase | <sensitive> |
| engine_id | 0x123456789ABCDEF |
+----------------------------------+----------------------------------+
[admin:10-10-24-96]: >
Avi UI SNMP Configuration for Avi Vantage 17.2.3
For SNMP v2:
For SNMP v3:
MIB Objects
The following are the Avi Vantage configuration objects exposed through the AVI-NETWORKS-MIB.my:
* Avi Controller
* Service Engine
* Virtual Service
Avi Controller
AviControllerEntry ::=
SEQUENCE {
aviControllerIndex Integer32,
aviControllerUUID SnmpAdminString,
aviControllerName DisplayString,
aviControllerAddrType InetAddressType,
aviControllerAddr InetAddress,
aviControllerStatus INTEGER
}
aviControllerUUID : Unique UUID of the Avi Controller VM
aviControllerName : Name assigned to the Avi Controller (defaults
to the IP address of the Avi Controller)
aviControllerAddr : Management v4 IP address of the Avi
Controller
aviControllerStatus : Runtime status of the Avi Controller
Service Engine
AviServiceEngineEntry ::=
SEQUENCE {
aviServiceEngineIndex Integer32,
aviServiceEngineUUID SnmpAdminString,
aviServiceEngineName DisplayString,
aviServiceEngineAddrType InetAddressType,
aviServiceEngineAddr InetAddress,
aviServiceEngineStatus INTEGER
}
aviServiceEngineUUID : Unique UUID of the Avi Service Engine VM
aviServiceEngineName : Name of the Service Engine VM
assigned in the Virtual Infrastructure
aviServiceEngineAddr : Management v4 IP address of the Avi Service
Engine VM
aviServiceEngineStatus : Runtime status of the Avi Service Engine
Virtual Service
AviVirtualServiceEntry ::=
SEQUENCE {
aviVirtualServiceIndex Integer32,
aviVirtualServiceUUID SnmpAdminString,
aviVirtualServiceName DisplayString,
aviVirtualServiceAddrType InetAddressType,
aviVirtualServiceAddr InetAddress,
aviVirtualServiceStatus INTEGER
}
aviVirtualServiceUUID : Unique UUID of the virtual service
aviVirtualServiceName : Name assigned to the virtual service
aviVirtualServiceAddr : Virtual IP (v4) address of the virtual service
aviVirtualServiceStatus : Runtime status of the virtual service
Notifications (Traps)
The Controller cluster leader can issue SNMP trap notifications based on system events. For SNMP trap notifications to reach an external SNMP server:
* Since the leadership role can change from time to time, the external SNMP server should be configured to allow traffic from any one of the three Controllers in the cluster, i.e., all three addresses should be in the SNMP server's allowed-access list.
* The firewall rules should be configured to allow UDP traffic destined to port 162 on the SNMP trap server from any of the three cluster members' IP addresses.
System events related to the Avi Controller cluster, Avi Service Engines, virtual services and SSL certificate expiry can be classified into their respective SNMP traps. Other system events use the generic SNMP trap notification to generate traps.
Only the alerts generated for the following events are fed into the specific SNMP traps.
Events                                          SNMP trap
VS_DOWN, VS_UP                                  aviVirtualServiceStatusChanged
SE_DOWN, SE_UP                                  aviServiceEngineStatusChanged
CONTROLLER_NODE_JOINED, CONTROLLER_NODE_LEFT    aviControllerStatusChanged
SSL_CERT_EXPIRE                                 aviSSLCertificateExpired
All other alerts                                aviSystemAlert
Notes:
* aviSystemAlert is a generic trap notification and can be associated with any of the system events generated by the Avi Controller.
* Avi Vantage release 17.2.13 supports large trap payload (a maximum of 4096 bytes) in SNMP trap notifications. Prior to this, the length of the SNMP trap payload was restricted to 256 bytes.
Example: Viewing the Trap Server Profiles
In the below window, a Controller with IP address 10.10.24.96 reveals its v2 and v3 trap server profiles by responding to the HTTP request: https://10.10.24.96/api/snmptrapprofile
{
  "count": 2,
  "results": [
    {
      "uuid": "snmptrapprofile-aa815f66-2190-4ff4-a20f-0c9fe41deff4",
      "url": "https://10.10.24.96/api/snmptrapprofile/snmptrapprofile-aa815f66-2190-4ff4-a20f-0c9fe41deff4",
      "tenant_ref": "https://10.10.24.96/api/tenant/admin",
      "name": "SnmpTrap-2",
      "trap_servers": [
        {
          "version": "SNMP_VER2",
          "ip_addr": {
            "type": "V4",
            "addr": "10.10.0.235"
          },
          "community": "<sensitive>"
        }
      ],
      "_last_modified": "1509670261022622"
    },
    {
      "uuid": "snmptrapprofile-2e28610a-e100-4de7-ae92-20bd7a4ee3b7",
      "url": "https://10.10.24.96/api/snmptrapprofile/snmptrapprofile-2e28610a-e100-4de7-ae92-20bd7a4ee3b7",
      "tenant_ref": "https://10.10.24.96/api/tenant/admin",
      "name": "SnmpTrap-1",
      "trap_servers": [
        {
          "version": "SNMP_VER3",
          "ip_addr": {
            "type": "V4",
            "addr": "10.10.3.1"
          },
          "user": {
            "username": "snmpv3trapuser",
            "auth_type": "SNMP_V3_AUTH_MD5",
            "priv_passphrase": "<sensitive>",
            "auth_passphrase": "<sensitive>",
            "priv_type": "SNMP_V3_PRIV_AES"
          }
        }
      ],
      "_last_modified": "1509670185831024"
    }
  ]
}
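The following check is an added example, not taken from Avi's documentation or SDK. It flags the weaker choices among the SNMP settings shown on this page, both in an api/systemconfiguration body (the API configuration section earlier) and in an api/snmptrapprofile listing (the response above). The function names, the finding wording and the set of well-known community strings are assumptions of this example, and the sample documents are constructed.

```python
import json

# Enum values below are the ones listed on this page; treating MD5/DES as
# weaker than SHA/AES is this example's own judgement.
WEAK_AUTH = {"SNMP_V3_AUTH_MD5"}
WEAK_PRIV = {"SNMP_V3_PRIV_DES"}
DEFAULT_COMMUNITIES = {"public", "private"}  # assumed list of well-known strings

def audit_endpoint(label, version, community=None, user=None):
    """Return findings for one SNMP polling config or trap-server entry."""
    findings = []
    # An omitted version means SNMP_VER2 (17.2.3 backward compatibility).
    if version in (None, "SNMP_VER2"):
        findings.append(f"{label}: SNMP v2c, community string and payload sent unencrypted")
        # Only checkable on a PUT body; GET responses mask it as <sensitive>.
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"{label}: well-known community string {community!r}")
    elif version == "SNMP_VER3":
        user = user or {}
        if user.get("auth_type") in WEAK_AUTH:
            findings.append(f"{label}: auth_type {user['auth_type']}")
        if user.get("priv_type") in WEAK_PRIV:
            findings.append(f"{label}: priv_type {user['priv_type']}")
    else:
        findings.append(f"{label}: unrecognised version {version!r}")
    return findings

def audit_system_config(doc):
    """Audit the snmp_configuration part of an api/systemconfiguration body."""
    snmp = doc.get("snmp_configuration", {})
    user = snmp.get("snmp_v3_config", {}).get("user")
    return audit_endpoint("polling", snmp.get("version"), snmp.get("community"), user)

def audit_trap_profiles(doc):
    """Audit every trap server in an api/snmptrapprofile listing."""
    findings = []
    for profile in doc.get("results", []):
        for server in profile.get("trap_servers", []):
            label = f"{profile.get('name')} -> {server.get('ip_addr', {}).get('addr')}"
            findings += audit_endpoint(label, server.get("version"),
                                       server.get("community"), server.get("user"))
    return findings

# Constructed samples in the shape of the documents shown on this page.
SYSTEM_CONFIG = json.loads('{"snmp_configuration": {"community": "public"}}')
TRAP_PROFILES = json.loads("""{"results": [
  {"name": "SnmpTrap-2", "trap_servers": [{"version": "SNMP_VER2",
    "ip_addr": {"type": "V4", "addr": "10.10.0.235"}, "community": "<sensitive>"}]},
  {"name": "SnmpTrap-1", "trap_servers": [{"version": "SNMP_VER3",
    "ip_addr": {"type": "V4", "addr": "10.10.3.1"},
    "user": {"auth_type": "SNMP_V3_AUTH_MD5", "priv_type": "SNMP_V3_PRIV_AES"}}]}]}""")

if __name__ == "__main__":
    print("\n".join(audit_system_config(SYSTEM_CONFIG) + audit_trap_profiles(TRAP_PROFILES)))
```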
aviControllerStatusChanged
aviControllerStatusChanged NOTIFICATION-TYPE
OBJECTS {
aviControllerStatus,
aviOperStatusReason
}
STATUS current
DESCRIPTION
"This alert is generated when controller status
Changes."
::= { aviNotificationsObjects 1 }
This trap is generated when the Avi Controller status changes.
The following Controller-state-change system events can initiate the aviControllerStatusChanged trap:
* Controller-Node-Left
* Controller-Node-Joined
For each of the above Avi Controller status-change events, there is a default system alert configuration and for it a default alert action.
aviServiceEngineStatusChanged
aviServiceEngineStatusChanged NOTIFICATION-TYPE
OBJECTS {
aviObjectURL,
aviServiceEngineStatus,
aviOperStatusReason
}
STATUS current
DESCRIPTION
"This alert is generated when Service Engine status
Changes."
::= { aviNotificationsObjects 2 }
This trap is generated when the Avi SE status changes.
The following Avi SE status-change events can initiate the aviServiceEngineStatusChanged trap:
* Se-Up
* Se-Down
For each of the above Avi SE status-change events, there is a default system alert configuration.
aviVirtualServiceStatusChanged
aviVirtualServiceStatusChanged NOTIFICATION-TYPE
OBJECTS {
aviObjectURL,
aviVirtualServiceStatus,
aviVirtualServiceStatusReason
}
STATUS current
DESCRIPTION
"This alert is generated when virtual service status
changes."
::= { aviNotificationsObjects 3 }
This trap is generated when the virtual service status changes.
The following virtual service status-change events can initiate the aviVirtualServiceStatusChanged trap:
* Vs-Down
* Vs-Up
To configure SNMP traps for the Avi Controller status-change events, click here.
aviSSLCertificateExpired
aviSSLCertificateExpired NOTIFICATION-TYPE
OBJECTS {
aviObjectURL,
aviSSLCertificateInfo
}
STATUS current
DESCRIPTION
"This alert is generated when SSL Certificate
Expires."
::= { aviNotificationsObjects 4 }
This trap is generated when an SSL certificate expires. The virtual service event Ssl-Cert-Expire can initiate the aviVirtualServiceStatusChanged trap.
To configure SNMP traps for the Avi Controller status-change events, click here.
aviSystemAlert
aviSystemAlert NOTIFICATION-TYPE
OBJECTS {
aviSystemAlertInfoDesc
}
STATUS current
DESCRIPTION
"This is a generic system alert"
::= { aviNotificationsObjects 5 }
This is a generic trap notification. It can be associated with any of the system events generated by the Avi Controller.
Configuration for SNMP Event-based Trap
This section shows the configuration for generating an SNMP trap when a Vs-Down event occurs. The workflow is described here, and also shown here:
In the following example from the Avi Controller web interface, the Vs-Down event is shown associated with a new alert action named "my-SNMP-alert-action." The default alert action System-Alert-Level-High could be modified instead.
However, it is best practice to leave the system default alert action unchanged, and instead create a new, custom alert action.
In the Alert Configuration editor, the alert action is configured:
In the Alert Action editor, the named action is associated with just one type of notification, an SNMP trap. The notification is given the name "my-SNMP-trap-notification."
The named notification is defined in the notification editor.
Note: Multiple SNMP servers are supported. (Click the green + box to add.)
The above UI screen has evolved for Avi Vantage 17.2.3+ as shown below.
For SNMP v2:
For SNMP v3:
To confirm that the SNMP trap notification is defined:
Alternate Download Locations for MIBs
* AVI-NETWORKS-MIB.my
* INET-ADDRESS-MIB.my
* SNMP-FRAMEWORK-MIB
* SNMP-VIEW-BASED-ACM-MIB
* SNMPv2-CONF.my
* SNMPv2-SMI.my
* SNMPv2-TC.my