=================
SNMP integration
=================

Bonders and aggregators do not have SNMP enabled by default. The
following steps can be taken to install and configure SNMP.

Update list of trusted networks
--------------------------------

Contact `technical support <../spaces/technical-support.html>`__ and send
the IP address or subnet of your SNMP server.

To temporarily add the SNMP server to the list of trusted hosts before
sending the server IP address to technical support, add a new line to
the file ``/etc/firewall.d/known_ips`` on each managed device, then run
``service firewall restart``.

For example, to allow traffic from the SNMP manager at 203.0.113.55, add
the following line to ``/etc/firewall.d/known_ips``:

::

    iptables -A $CHAIN -s 203.0.113.55 -j ACCEPT # <Partner name> SNMP manager

The rule above accepts all traffic from that host. To allow only SNMP
queries (UDP port 161) from this host while blocking all other
applications, use a rule such as the following instead:

::

    iptables -A $CHAIN -s 203.0.113.55 -p udp --dport 161 -j ACCEPT # <Partner name> SNMP manager

Install SNMP agent and related packages
----------------------------------------

To install the SNMP agent, run:

::

    apt-get update
    apt-get install snmpd

To install an SNMP manager so that you can perform SNMP queries locally,
run the following command to install additional packages:

::

    apt-get install snmp snmp-mibs-downloader

Configure SNMP agent
---------------------

By default, ``snmpd`` has very restrictive access control, allowing
requests only from the local system. Replace the standard configuration
file with a more permissive one.

First, move the default configuration file to a safe place.

::

    mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

Then edit the file ``/etc/snmp/snmpd.conf`` as follows:

**/etc/snmp/snmpd.conf**

::

    agentAddress       udp:161,udp6:[::1]:161 # Listen on UDP port 161 on all IPv4 addresses and on the IPv6 loopback address (::1) only
    rocommunity public default                # Allow read-only access to all hosts using the community string "public"
    sysServices        12                     # Report that this system offers routing (IP layer) and end-to-end (TCP layer) services
    includeAllDisks    10%                    # Monitor all disks for at least 10% free space

This enables read-only SNMPv1 and SNMPv2c requests from any host. For
more information on the configuration options and syntax of this file,
refer to the default configuration file (now called ``snmpd.conf.orig``) or
http://www.net-snmp.org/docs/man/snmpd.conf.html.

SD-WAN does not currently offer monitoring of its own metrics,
such as number of bonded connections or TCP proxy sessions. However, the
above configuration offers access to all Linux-standard metrics, such as
interface bytes and running applications.

Access control in snmpd
++++++++++++++++++++++++

Nodes have a firewall that restricts connections to the SNMP agent to
only the networks listed in ``/etc/firewall.d/known_ips``, so
configuring ``snmpd`` itself to allow connections from any host is not a
significant security concern. If you require more fine-grained access
control, replace the ``rocommunity`` configuration with a restrictive
one such as:

::

    rocommunity private 203.0.113.55
    rocommunity private 198.51.100.0/24

This configuration allows only the host 203.0.113.55 and hosts in the
198.51.100.0/24 subnet to contact the agent, and they must use the
community string "private". You probably want to use a more secure
community string: SNMPv1 and SNMPv2c send it in cleartext, and
"public" and "private" are the first values anyone would try.

For more details, refer to the SNMP documentation at
`www.net-snmp.org <http://www.net-snmp.org/docs/man/snmpd.conf.html>`__.
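
An added example, not part of the original page or the vendor's tooling: a POSIX shell function that checks ``snmpd.conf``-style files for the two weaknesses discussed above, a well-known community string and a missing source restriction. It also flags ``rwcommunity``, which goes beyond what this page configures; the function name, the sample files and the ``Constructed-Example-9f3a`` string are constructed for illustration.

```sh
#!/bin/sh
# Added example, not vendor code: audit community directives in snmpd.conf.
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_snmpd_conf() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    BEGIN { bad = 0 }
    { sub(/#.*/, "") }                      # strip trailing comments
    $1 ~ /^r[ow]community6?$/ {
        comm = $2; src = $3
        if (comm == "public" || comm == "private")
            report("well-known community string \"" comm "\"")
        if (src == "" || src == "default")
            report("no source restriction, any host may query")
        if ($1 ~ /^rw/)
            report("read-write community allows SET requests")
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample input: the two rocommunity variants from this page,
# plus a restricted variant with a made-up, non-default community string.
demo_dir=$(mktemp -d)
printf '%s\n' 'agentAddress udp:161,udp6:[::1]:161' \
    'rocommunity public default # permissive' > "$demo_dir/1-permissive.conf"
printf '%s\n' 'rocommunity private 203.0.113.55' \
    'rocommunity private 198.51.100.0/24' > "$demo_dir/2-restricted.conf"
printf '%s\n' 'rocommunity Constructed-Example-9f3a 203.0.113.55' \
    > "$demo_dir/3-hardened.conf"

for conf in "$demo_dir"/*.conf; do
    if audit_snmpd_conf "$conf"; then
        echo "$conf: no findings"
    fi
done
rm -rf "$demo_dir"
```

On a managed device, run ``audit_snmpd_conf /etc/snmp/snmpd.conf`` after editing the file; a non-zero exit status means at least one directive was flagged.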

Loading of MIB files
+++++++++++++++++++++

If you previously installed the ``snmp-mibs-downloader`` package, enable
loading of MIB files. The following lines comment out the default
configurations that *disable* loading of MIB files.

::

    sed -i -e 's/^mibs :/#mibs :/' /etc/snmp/snmp.conf
    sed -i -e 's/^export MIBS=/#export MIBS=/' /etc/default/snmpd

Restart and test
-----------------

Finally, restart the SNMP agent.

::

    service snmpd restart

If you installed the ``snmp`` package, you can make a query to the local
agent:

::

    snmpwalk -v2c -c public 127.0.0.1

This should return a long list of management values from the agent.
