SNMP Support in Avi Vantage

Avi Vantage supports SNMP v2c, and as of 17.2.3, the administrator can choose to use SNMP v3 instead. SNMPv3 support only enables user authentication with the server and payload encryption for the messages exchanged with the Avi Controller.

The MIB file, AVI-NETWORKS-MIB.my, is the same for both SNMP v2c and v3 implementations, and is available for download at the following location: https://github.com/avinetworks/sdk/tree/master/mibs. It contains a description of the Avi Vantage SNMP configuration objects and notifications. Alternate download locations for MIBs are listed at the end of this article.

This article shows the MIB definitions for the Avi Vantage objects and the definitions for the notifications (traps). An example of how to configure a custom alert based on an SNMP notification also is provided.

Responding to SNMP Queries

To fetch SNMP objects from Avi Vantage, an external host needs to query the SNMP daemon, which only runs on the Controller cluster leader. It is therefore best to configure the external host to direct queries to the cluster IP of the Avi Controller cluster. Absent a cluster IP, the external host must know the IP addresses of each Controller, and try as many as three times before it finds the current leader’s SNMP daemon.

Firewall rules should be configured to give that external host access to port 161 on the cluster IP or each of the Controller IPs.

During the brief period (1-4 minutes) in which a Controller cluster is recovering from the failure of its leader, queries to the cluster IP will fail, which the external host may interpret as “Avi Vantage is down.” That is only true in the narrow sense that the control plane is down; the data plane (i.e., the SEs) is likely up and delivering virtual services to clients.
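The fallback and failover behaviour described above, as an added example (not Avi code): a poller that tries each Controller when no cluster IP exists and reports a short loss of the SNMP daemon as a suspected leader failover rather than an outage. The `snmpget_probe` helper assumes net-snmp's `snmpget` is installed; the class, function and status names are hypothetical.

```python
import subprocess
import time

SYSNAME_OID = "1.3.6.1.2.1.1.5.0"  # SNMPv2-MIB::sysName.0
FAILOVER_GRACE_S = 4 * 60           # the page gives 1-4 minutes for leader recovery


def snmpget_probe(host, community):
    """True if the SNMP daemon on host answers (shells out to net-snmp's snmpget)."""
    cmd = ["snmpget", "-v2c", "-c", community, "-t", "2", "-r", "0", host, SYSNAME_OID]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=5).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def find_leader(controllers, probe):
    """Return the first Controller whose SNMP daemon answers, else None.

    Only the cluster leader runs the daemon, so with three Controllers this
    takes at most three attempts.
    """
    for host in controllers:
        if probe(host):
            return host
    return None


class ControlPlaneMonitor:
    """Classifies poll results so a leader failover is not reported as an outage."""

    def __init__(self, controllers, probe, clock=time.monotonic):
        self.controllers, self.probe, self.clock = controllers, probe, clock
        self.leader = None          # last Controller seen answering SNMP
        self.first_failure = None   # time of the first poll with no answer

    def poll(self):
        leader = find_leader(self.controllers, self.probe)
        if leader:
            changed = self.leader not in (None, leader)
            self.leader, self.first_failure = leader, None
            return "LEADER_CHANGED" if changed else "OK"
        now = self.clock()
        if self.first_failure is None:
            self.first_failure = now
        # Inside the recovery window, assume a leader election is in progress.
        if now - self.first_failure <= FAILOVER_GRACE_S:
            return "FAILOVER_SUSPECTED"
        # Refers to the control plane only; SEs may still be serving traffic.
        return "CONTROL_PLANE_DOWN"


if __name__ == "__main__":
    # Constructed addresses (documentation range); replace with real Controller IPs.
    nodes = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    monitor = ControlPlaneMonitor(nodes, lambda h: snmpget_probe(h, "example-community"))
    print(monitor.poll(), monitor.leader)
```
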

SNMP System Configuration

You can configure the common system parameters (e.g., sysName, sysLocation and sysContact) in the Avi Vantage Platform. In a Controller cluster, sysName is configured for each Controller node as the node name in the Cluster object. sysLocation and sysContact are specified in the SystemConfiguration object. Because the SNMP configuration is specified at the SystemConfiguration object level, it applies to all clouds overseen by the Controller cluster.

API to Configure SNMP System Parameters

Note: In the three REST API examples that follow, for the sake of brevity, we have excluded the portions of the PUT that apply to aspects of the system other than SNMP. Their absence is indicated by a series of three vertical dots.

API SNMP v2 Configuration for 17.2.2 and Prior

Note: No SNMP version number parameter is present (or needed) in configurations of Avi Vantage 17.2.2 Controller clusters or prior, as SNMP v2 is assumed.

PUT api/systemconfiguration
{
    .
    .
    .
    "snmp_configuration": {
        "sys_contact": "jdoe@acme.com",
        "sys_location": "San Jose, CA"
    },

    .
    .
    .
}

API SNMP v2 Configuration for 17.2.3

Note: With 17.2.3, the version parameter is introduced. For backward compatibility, omission of the version parameter causes Avi Vantage to default to “SNMP_VER2.”

PUT api/systemconfiguration
{
    .
    .
    .
    "snmp_configuration": {
        "version": "SNMP_VER2",
        "sys_contact": "jdoe@acme.com",
        "community": "public",
        "sys_location": "San Jose, CA"
    },

    .
    .
    .
}

API SNMP v3 Configuration for Avi Vantage 17.2.3

Note: With Avi Vantage 17.2.3 and thereafter, if a version other than SNMP v2 is desired, the version parameter must be explicitly included. It is explicitly set to “SNMP_VER3” in the example below.

As of SNMP v3,

  • The possible values for auth_type are “SNMP_V3_AUTH_MD5” and “SNMP_V3_AUTH_SHA”.
  • The possible values for priv_type are “SNMP_V3_PRIV_AES” and “SNMP_V3_PRIV_DES”.

The “snmpv3user” and “0x8000000001020304” values are merely representative of what would appear for the username and engine_id parameters.

PUT api/systemconfiguration
{
    .
    .
    .
    "snmp_configuration": {
        "version": "SNMP_VER3",
        "sys_contact": "jdoe@acme.com",
        "snmp_v3_config": {
            "user": {
                "username": "snmpv3user",
                "auth_type": "SNMP_V3_AUTH_MD5",
                "priv_passphrase": "<sensitive>",
                "auth_passphrase": "<sensitive>",
                "priv_type": "SNMP_V3_PRIV_AES"
            },
            "engine_id": "0x8000000001020304"
        }
    },

    .
    .
    .
}

CLI views of SNMP system parameters

version = SNMP_VER2

[admin:10-10-24-96]: > show systemconfiguration
+----------------------------------+----------------------------------+
| Field                            | Value                            |
+----------------------------------+----------------------------------+
| uuid                             | default                          |
| dns_configuration                |                                  |
|   search_domain                  |                                  |
| ntp_configuration                |                                  |
|   ntp_servers[1]                 |                                  |
|     server                       | 0.us.pool.ntp.org                |
|   ntp_servers[2]                 |                                  |
|     server                       | 1.us.pool.ntp.org                |
|   ntp_servers[3]                 |                                  |
|     server                       | 2.us.pool.ntp.org                |
|   ntp_servers[4]                 |                                  |
|     server                       | 3.us.pool.ntp.org                |
| portal_configuration             |                                  |
|   enable_https                   | True                             |
|   redirect_to_https              | True                             |
|   enable_http                    | True                             |
|   sslkeyandcertificate_refs[1]   | System-Default-Portal-Cert       |
|   sslkeyandcertificate_refs[2]   | System-Default-Portal-Cert-EC256 |
|   use_uuid_from_input            | False                            |
|   sslprofile_ref                 | System-Standard                  |
|   enable_clickjacking_protection | True                             |
|   allow_basic_authentication     | True                             |
|   password_strength_check        | False                            |
|   disable_remote_cli_shell       | False                            |
| global_tenant_config             |                                  |
|   tenant_vrf                     | False                            |
|   se_in_provider_context         | True                             |
|   tenant_access_to_provider_se   | True                             |
| email_configuration              |                                  |
|   smtp_type                      | SMTP_LOCAL_HOST                  |
|   from_email                     | admin@avicontroller.net          |
|   mail_server_name               | localhost                        |
|   mail_server_port               | 25                               |
| docker_mode                      | False                            |
| snmp_configuration               |                                  |
|   community                      | <sensitive>                      |
|   sys_location                   | San Jose, CA                     |
|   sys_contact                    | jdoe@acme.com                    |
|   version                        | SNMP_VER2                        |
+----------------------------------+----------------------------------+
[admin:10-10-24-96]: >

version = SNMP_VER3

[admin:10-10-24-96]: > show systemconfiguration
+----------------------------------+----------------------------------+
| Field                            | Value                            |
+----------------------------------+----------------------------------+
| uuid                             | default                          |
| dns_configuration                |                                  |
|   search_domain                  |                                  |
| ntp_configuration                |                                  |
|   ntp_servers[1]                 |                                  |
|     server                       | 0.us.pool.ntp.org                |
|   ntp_servers[2]                 |                                  |
|     server                       | 1.us.pool.ntp.org                |
|   ntp_servers[3]                 |                                  |
|     server                       | 2.us.pool.ntp.org                |
|   ntp_servers[4]                 |                                  |
|     server                       | 3.us.pool.ntp.org                |
| portal_configuration             |                                  |
|   enable_https                   | True                             |
|   redirect_to_https              | True                             |
|   enable_http                    | True                             |
|   sslkeyandcertificate_refs[1]   | System-Default-Portal-Cert       |
|   sslkeyandcertificate_refs[2]   | System-Default-Portal-Cert-EC256 |
|   use_uuid_from_input            | False                            |
|   sslprofile_ref                 | System-Standard                  |
|   enable_clickjacking_protection | True                             |
|   allow_basic_authentication     | True                             |
|   password_strength_check        | False                            |
|   disable_remote_cli_shell       | False                            |
| global_tenant_config             |                                  |
|   tenant_vrf                     | False                            |
|   se_in_provider_context         | True                             |
|   tenant_access_to_provider_se   | True                             |
| email_configuration              |                                  |
|   smtp_type                      | SMTP_LOCAL_HOST                  |
|   from_email                     | admin@avicontroller.net          |
|   mail_server_name               | localhost                        |
|   mail_server_port               | 25                               |
| docker_mode                      | False                            |
| snmp_configuration               |                                  |
|   sys_location                   | San Jose, CA                     |
|   sys_contact                    | jdoe@acme.com                    |
|   version                        | SNMP_VER3                        |
|   snmp_v3_config                 |                                  |
|     user                         |                                  |
|       username                   | snmpv3user                       |
|       auth_type                  | SNMP_V3_AUTH_SHA                 |
|       auth_passphrase            | <sensitive>                      |
|       priv_type                  | SNMP_V3_PRIV_AES                 |
|       priv_passphrase            | <sensitive>                      |
|     engine_id                    | 0x123456789ABCDEF                |
+----------------------------------+----------------------------------+
[admin:10-10-24-96]: >

Avi UI SNMP Configuration for Avi Vantage 17.2.3

For SNMP v2:

SNMPv2SystemConfig.jpg

For SNMP v3:

SNMPv3SystemConfig.jpg

MIB Objects

The following are the Avi Vantage configuration objects exposed through the AVI-NETWORKS-MIB.my:

  • Avi Controller
  • Service Engine
  • Virtual Service

Avi Controller

AviControllerEntry ::=
    SEQUENCE {
        aviControllerIndex      Integer32,
        aviControllerUUID       SnmpAdminString,
        aviControllerName       DisplayString,
        aviControllerAddrType   InetAddressType,
        aviControllerAddr       InetAddress,
        aviControllerStatus     INTEGER
    }
aviControllerUUID       : Unique UUID of the Avi Controller VM
aviControllerName       : Name assigned to the Avi Controller (defaults
                          to the IP address of the Avi Controller)
aviControllerAddr       : Management v4 IP address of the Avi
                          Controller
aviControllerStatus     : Runtime status of the Avi Controller

Service Engine

AviServiceEngineEntry ::=
    SEQUENCE {
        aviServiceEngineIndex      Integer32,
        aviServiceEngineUUID       SnmpAdminString,
        aviServiceEngineName       DisplayString,
        aviServiceEngineAddrType   InetAddressType,
        aviServiceEngineAddr       InetAddress,
        aviServiceEngineStatus     INTEGER
    }
aviServiceEngineUUID    : Unique UUID of the Avi Service Engine VM
aviServiceEngineName    : Name of the Service Engine VM
                          assigned in the Virtual Infrastructure
aviServiceEngineAddr    : Management v4 IP address of the Avi Service
                          Engine VM
aviServiceEngineStatus  : Runtime status of the Avi Service Engine

Virtual Service

AviVirtualServiceEntry ::=
    SEQUENCE {
        aviVirtualServiceIndex      Integer32,
        aviVirtualServiceUUID       SnmpAdminString,
        aviVirtualServiceName       DisplayString,
        aviVirtualServiceAddrType   InetAddressType,
        aviVirtualServiceAddr       InetAddress,
        aviVirtualServiceStatus     INTEGER
    }
aviVirtualServiceUUID   : Unique UUID of the virtual service
aviVirtualServiceName   : Name assigned to the virtual service
aviVirtualServiceAddr   : Virtual IP (v4) address of the virtual service
aviVirtualServiceStatus : Runtime status of the virtual service

Notifications (Traps)

The Controller cluster leader can issue SNMP trap notifications based on system events. For SNMP trap notifications to reach an external SNMP server:

  • Since the leadership role can change from time to time, the external SNMP server should be configured to allow traffic from any one of the three Controllers in the cluster, i.e., all three addresses should be in the SNMP server’s allowed-access list.
  • The firewall rules should be configured to allow UDP traffic destined to port 162 on the SNMP trap server from any of the three cluster member’s IP addresses.

System events related to the Avi Controller cluster, Avi Service Engines, virtual services and SSL certification expiry can be classified into their respective SNMP traps. Other system events use the generic SNMP trap notification to generate traps.

The Avi Controller supports the following SNMP notifications (traps), details for which are furnished in subsequent sections.

  • aviControllerStatusChanged
  • aviServiceEngineStatusChanged
  • aviVirtualServiceStatusChanged
  • aviSSLCertificateExpired
  • aviSystemAlert

Note: aviSystemAlert is a generic trap notification and can be associated with any of the system events generated by the Avi Controller.

Example: Viewing the Trap Server Profiles

In the below window, a Controller with IP address 10.10.24.96 reveals its v2 and v3 trap server profiles by responding to the HTTP request: https://10.10.24.96/api/snmptrapprofile


{
  "count": 2,
  "results": [
    {
      "uuid": "snmptrapprofile-aa815f66-2190-4ff4-a20f-0c9fe41deff4",
      "url": "https://10.10.24.96/api/snmptrapprofile/snmptrapprofile-aa815f66-2190-4ff4-a20f-0c9fe41deff4",
      "tenant_ref": "https://10.10.24.96/api/tenant/admin",
      "name": "SnmpTrap-2",
      "trap_servers": [
        {
          "version": "SNMP_VER2",
          "ip_addr": {
            "type": "V4",
            "addr": "10.10.0.235"
          },
          "community": "<sensitive>"
        }
      ],
      "_last_modified": "1509670261022622"
    },
    {
      "uuid": "snmptrapprofile-2e28610a-e100-4de7-ae92-20bd7a4ee3b7",
      "url": "https://10.10.24.96/api/snmptrapprofile/snmptrapprofile-2e28610a-e100-4de7-ae92-20bd7a4ee3b7",
      "tenant_ref": "https://10.10.24.96/api/tenant/admin",
      "name": "SnmpTrap-1",
      "trap_servers": [
        {
          "version": "SNMP_VER3",
          "ip_addr": {
            "type": "V4",
            "addr": "10.10.3.1"
          },
          "user": {
            "username": "snmpv3trapuser",
            "auth_type": "SNMP_V3_AUTH_MD5",
            "priv_passphrase": "<sensitive>",
            "auth_passphrase": "<sensitive>",
            "priv_type": "SNMP_V3_PRIV_AES"
          }
        }
      ],
      "_last_modified": "1509670185831024"
    }
  ]
}
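An added example (not Avi code) that audits the two JSON shapes shown on this page, the `snmp_configuration` block and the `api/snmptrapprofile` listing, for the weaker options: SNMP v2c, a guessable community string, `SNMP_V3_AUTH_MD5` and `SNMP_V3_PRIV_DES`. The function names and sample data are constructed for illustration; applying the `SNMP_VER2` default to trap servers that omit `version` is an assumption.

```python
WEAK_AUTH = {"SNMP_V3_AUTH_MD5"}   # the page's other option is SNMP_V3_AUTH_SHA
WEAK_PRIV = {"SNMP_V3_PRIV_DES"}   # the page's other option is SNMP_V3_PRIV_AES
GUESSABLE = {"public", "private"}  # well-known default community strings


def audit_endpoint(label, cfg, user):
    """Return findings for one SNMP endpoint (Controller agent or trap server)."""
    # Omitting "version" defaults to SNMP_VER2 for snmp_configuration (per the
    # page); treating trap servers the same way is an assumption.
    if cfg.get("version", "SNMP_VER2") == "SNMP_VER2":
        out = [f"{label}: v2c sends the community string and payload unencrypted"]
        # GET responses mask secrets as "<sensitive>", so this only fires on a
        # payload that still carries the real value (e.g. one about to be PUT).
        if str(cfg.get("community", "")).lower() in GUESSABLE:
            out.append(f"{label}: guessable community string")
        return out
    if not user:
        return [f"{label}: SNMP_VER3 selected but no v3 user configured"]
    out = []
    if user.get("auth_type") in WEAK_AUTH:
        out.append(f"{label}: user {user.get('username')} uses {user['auth_type']}")
    if user.get("priv_type") in WEAK_PRIV:
        out.append(f"{label}: user {user.get('username')} uses {user['priv_type']}")
    return out


def audit_system_config(sysconfig):
    """Audit the snmp_configuration block of an api/systemconfiguration object."""
    snmp = sysconfig.get("snmp_configuration", {})
    return audit_endpoint("agent", snmp, snmp.get("snmp_v3_config", {}).get("user"))


def audit_trap_profiles(listing):
    """Audit every trap server in a GET api/snmptrapprofile response."""
    findings = []
    for profile in listing.get("results", []):
        for server in profile.get("trap_servers", []):
            label = f"{profile['name']} -> {server['ip_addr']['addr']}"
            findings += audit_endpoint(label, server, server.get("user"))
    return findings


# Constructed samples, trimmed from the shapes shown on this page.
SYSCONFIG_V2 = {"snmp_configuration": {"community": "public",
                                       "sys_contact": "jdoe@acme.com"}}
SYSCONFIG_V3 = {"snmp_configuration": {"version": "SNMP_VER3", "snmp_v3_config": {
    "user": {"username": "snmpv3user", "auth_type": "SNMP_V3_AUTH_SHA",
             "priv_type": "SNMP_V3_PRIV_AES"}, "engine_id": "0x8000000001020304"}}}
TRAP_PROFILES = {"count": 2, "results": [
    {"name": "SnmpTrap-2", "trap_servers": [
        {"version": "SNMP_VER2", "ip_addr": {"type": "V4", "addr": "10.10.0.235"},
         "community": "<sensitive>"}]},
    {"name": "SnmpTrap-1", "trap_servers": [
        {"version": "SNMP_VER3", "ip_addr": {"type": "V4", "addr": "10.10.3.1"},
         "user": {"username": "snmpv3trapuser", "auth_type": "SNMP_V3_AUTH_MD5",
                  "priv_type": "SNMP_V3_PRIV_AES"}}]}]}

if __name__ == "__main__":
    for line in (audit_system_config(SYSCONFIG_V2) + audit_system_config(SYSCONFIG_V3)
                 + audit_trap_profiles(TRAP_PROFILES)):
        print(line)
```
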

aviControllerStatusChanged

aviControllerStatusChanged NOTIFICATION-TYPE
    OBJECTS {
        aviControllerStatus,
        aviOperStatusReason
    }
    STATUS     current
    DESCRIPTION
        "This alert is generated when controller status
        Changes."
    ::= { aviNotificationsObjects 1 }

This trap is generated when the Avi Controller status changes.

The following Controller-state-change system events can initiate the aviControllerStatusChanged trap:

  • Controller-Node-Left
  • Controller-Warm-Reboot
  • System-Upgrade-Aborted
  • System-Rollback-Aborted
  • License-Expiry-Notif
  • License-Usage-Servers
  • License-Usage-Cores
  • License-Usage-Throughput
  • License-Usage-Vs

For each of the above Avi Controller status-change events, there is a default system alert configuration with a default alert action.

aviServiceEngineStatusChanged

aviServiceEngineStatusChanged NOTIFICATION-TYPE
    OBJECTS {
        aviObjectURL,
        aviServiceEngineStatus,
        aviOperStatusReason
    }
    STATUS     current
    DESCRIPTION
        "This alert is generated when Service Engine status
        Changes."
    ::= { aviNotificationsObjects 2 }

This trap is generated when the Avi SE status changes.

The following Avi SE status-change events can initiate the aviServiceEngineStatusChanged trap:

  • Se-Fatal-Error
  • Se-Marked-Down
  • Se-Vm-Deleted
  • Se-Powered-Down
  • Se-Rebooted
  • Se-Down

For each of the above Avi SE status-change events, there is a default system alert configuration.

aviVirtualServiceStatusChanged

aviVirtualServiceStatusChanged NOTIFICATION-TYPE
    OBJECTS {
        aviObjectURL,
        aviVirtualServiceStatus,
        aviVirtualServiceStatusReason
    }
    STATUS     current
    DESCRIPTION
        "This alert is generated when virtual service status
        changes."
    ::= { aviNotificationsObjects 3 }

This trap is generated when the virtual service status changes.

The following virtual service status-change events can initiate the aviVirtualServiceStatusChanged trap:

  • Vs-Down
  • Vs-Up

To configure SNMP traps for the Avi Controller status-change events, click here.

aviSSLCertificateExpired

aviSSLCertificateExpired NOTIFICATION-TYPE
    OBJECTS {
        aviObjectURL,
        aviSSLCertificateInfo
    }
    STATUS     current
    DESCRIPTION
        "This alert is generated when SSL Certificate
        Expires."
    ::= { aviNotificationsObjects 4 }

This trap is generated when an SSL certificate expires. The following virtual service status-change event(s) can initiate the aviVirtualServiceStatusChanged trap: Ssl-Cert-Expire

To configure SNMP traps for the Avi Controller status-change events, click here.

aviSystemAlert

aviSystemAlert NOTIFICATION-TYPE
    OBJECTS {
        aviSystemAlertInfoDesc
    }
    STATUS     current
    DESCRIPTION
        "This is a generic system alert"
    ::= { aviNotificationsObjects 5 }

This is a generic trap notification. It can be associated with any of the system events generated by the Avi Controller.

Configuration for SNMP Event-based Trap

This section shows the configuration for generating an SNMP trap when a Vs-Down event occurs. The workflow is described here, and also shown here:

Alert-Workflow

In the following example from the Avi Controller web interface, the Vs-Down event is shown associated with a new alert action named “my-SNMP-alert-action.” The default alert action System-Alert-Level-High could be modified instead. However, it is best practice to leave the system default alert action unchanged, and instead create a new, custom alert action.

snmp-alertconfig-workflow2

In the Alert Configuration editor, the alert action is configured:

snmp-alertconfig-workflow3

In the Alert Action editor, the named action is associated with just one type of notification, an SNMP trap. The notification is given the name “my-SNMP-trap-notification.”

snmp-alertconfig-workflow4

The named notification is defined in the notification editor.

Note: Multiple SNMP servers are supported. (Click the green + box to add.)

snmp-alertconfig-workflow5

The above UI screen has evolved for Avi Vantage 17.2.3 as shown below.

For SNMP v2:

SNMPv2Trap.jpg

For SNMP v3:

SNMPv3Trap.jpg

To confirm that the SNMP trap notification is defined:

snmp-alertconfig-workflow6

Alternate Download Locations for MIBs

Updated: 2017-12-15 14:07:14 +0000