SNMP integration
Bonders and aggregators do not have SNMP enabled by default. The following steps can be taken to install and configure SNMP.
Update list of trusted networks
Contact technical support and send the IP address or subnet of your SNMP server.
To temporarily add the SNMP server to the list of trusted hosts before
sending the server IP address to technical support, add a new line to
the file /etc/firewall.d/known_ips on each managed device, then run
service firewall restart.
For example, to allow traffic from the SNMP manager at 203.0.113.55, you
would add the following line to /etc/firewall.d/known_ips, then run
service firewall restart:
iptables -A $CHAIN -s 203.0.113.55 -j ACCEPT # <Partner name> SNMP manager
To allow SNMP traffic from this host, while blocking all other applications, use a rule such as:
iptables -A $CHAIN -s 203.0.113.55 -p udp --dport 161 -j ACCEPT # <Partner name> SNMP manager
Configure SNMP agent
By default, snmpd has very restrictive access control, allowing
requests only from the local system. Replace the standard configuration
file with a more permissive one.
First, move the default configuration file to a safe place.
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig
Then edit the file /etc/snmp/snmpd.conf as follows:
/etc/snmp/snmpd.conf
agentAddress udp:161,udp6:[::1]:161 # Listen on all IPv4 addresses and on the IPv6 loopback address (::1)
rocommunity public default # Allow read-only access from any host that presents the community string "public"
sysServices 12 # Report that this system offers routing (IP layer) and end-to-end (TCP layer) services
includeAllDisks 10% # Monitor all disks for at least 10% free space
This enables SNMPv1 and SNMPv2c requests from any host. For more information
on the configuration options and syntax of this file, refer to the
default configuration file (now called snmpd.conf.orig) or
http://www.net-snmp.org/docs/man/snmpd.conf.html.
SD-WAN does not currently offer monitoring of its own metrics, such as the number of bonded connections or TCP proxy sessions. However, the above configuration offers access to all Linux-standard metrics, such as interface bytes and running applications.
Access control in snmpd
Nodes have a firewall that restricts connections to the SNMP agent to
only the networks listed in /etc/firewall.d/known_ips, so
configuring snmpd itself to allow connections from any host is not a
significant security concern. If you require more fine-grained access
control, replace the rocommunity configuration with a restrictive
one such as:
rocommunity private 203.0.113.55
rocommunity private 198.51.100.0/24
This configuration would allow only the host 203.0.113.55 and hosts in the 198.51.100.0/24 subnet to contact the agent, and they would have to use the community string “private”. You probably want to use a community string that is harder to guess.
For more details, refer to the SNMP documentation at www.net-snmp.org.
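The following shell check is an added example, not part of the original documentation: it flags rocommunity/rwcommunity lines in an snmpd.conf that accept requests from any source or that use the community strings "public" or "private". The function names and the sample configuration are constructed for illustration; trailing # comments are stripped, so a community string containing # would be misread.

```shell
#!/bin/sh
# Added example (not from the original page): audit snmpd.conf access control.
# Function names and the sample configuration are constructed for illustration.

# audit_snmpd_conf FILE
# Prints "<line>:<finding>" for every ro/rwcommunity directive that
#   OPEN_SOURCE          - has no SOURCE, or SOURCE is "default" / 0.0.0.0/0 / ::/0
#   WELL_KNOWN_COMMUNITY - uses the community string "public" or "private"
# Returns 1 if anything was reported, 0 if the file is clean.
audit_snmpd_conf() {
    awk '
    { sub(/#.*/, "") }                      # strip full-line and trailing comments
    $1 ~ /^(ro|rw)community6?$/ {
        src = ($3 == "") ? "default" : $3   # snmpd treats a missing SOURCE as "default"
        if (src == "default" || src == "0.0.0.0/0" || src == "::/0") {
            print NR ":OPEN_SOURCE"; bad = 1
        }
        if ($2 == "public" || $2 == "private") {
            print NR ":WELL_KNOWN_COMMUNITY"; bad = 1
        }
    }
    END { exit (bad + 0) }
    ' "$1"
}

# Constructed sample: the permissive and restrictive forms shown on this page,
# plus one line with a placeholder for a long random community string.
sample_conf() {
    cat <<'EOF'
agentAddress udp:161,udp6:[::1]:161
rocommunity public default   # permissive form
rocommunity private 203.0.113.55
rocommunity private 198.51.100.0/24
rocommunity EXAMPLE-long-random-string 203.0.113.55
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_snmpd_conf "$tmp" || echo "review the lines reported above"
rm -f "$tmp"
```

To check a device, call audit_snmpd_conf /etc/snmp/snmpd.conf after editing the file and before restarting snmpd.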
Loading of MIB files
If you previously installed the snmp-mibs-downloader package, enable
loading of MIB files. The following lines comment out the default
configurations that disable loading of MIB files.
sed -i -e 's/^mibs \:/\#mibs \:/g' /etc/snmp/snmp.conf
sed -i -e 's/^export MIBS=/\#export MIBS=/g' /etc/default/snmpd
Restart and test
Finally, restart the SNMP agent.
service snmpd restart
If you installed the snmp package, you can make a query to the local agent:
snmpwalk -v2c -c public 127.0.0.1
This should return a long list of management values from the agent.