SNMP
The VPN Gateway supports SNMP v1, v2c, and v3 queries via IPv4 or IPv6. Basic support is provided for MIB-II (covered in RFC1213), which addresses most of the standard IP-related statistics. This initial SNMP support was developed for customers requesting to do their own SNMP monitoring through their existing SNMP Monitoring systems running on their private networks.
The following should be noted:
- This can currently only be configured in a No-NAT, source-NAT, or 1-1 NAT environment.
- SNMP v1 and v2c monitoring should be done down-tunnel since there is no encryption. SNMP v3 monitoring can be done down the tunnel or through the Internet interface, but WAN interface monitoring requires additional firewall configuration in the AT&T Administration Server.
- SNMP requests can be initiated on the LAN interface only if enabled in the AT&T Administration Server.
- Works for both Managed VPN Services and ANIRA.
- The customer is responsible for determining and maintaining the mapping of MAC Address to local LAN addresses for the VPN Gateways to be monitored.
- The customer is responsible for determining what parameters to monitor on the VPN Gateway, and for ensuring SNMP traffic volume does not adversely affect other data traffic through the tunnel.
- AT&T Support teams do NOT have access to the customer’s SNMP servers.
- Support can view the current results reported by the VPN Gateway via the installed snmpwalk utility.
- The SNMP server can be configured to use specific VLAN local IP addresses or loopback addresses anchored on the VPN Gateway. This ensures that all requests or responses use the IP addresses configured for the VLAN or loopback interfaces, providing an easier configuration for enterprise firewall management.
The following information must be provided by the customer and will be centrally configured along with the other VPN Gateway parameters in AT&T Administration Server for each SNMP community:
- Community Name (used as the username for SNMP v3)
- Whether or not SNMP v3 is enabled (SNMP v1 or v2c is used if it is not)
- Authentication Password (SNMP v3)
- Authentication Protocol (SNMP v3)
- Privacy Password (SNMP v3) (Optional, authentication password is used if not specified. Used for encryption.)
- Privacy Protocol (SNMP v3)
- Subnets or hosts allowed to poll the VPN Gateway (multiple entries can be specified)
- MIB tree or sub-tree for which to lock down requests (multiple trees are allowed). This is optional and the entire “.iso” tree will be allowed if not specified.
Each VPN Gateway can be profiled for multiple SNMP communities. For example, one SNMP community can be for SNMP v2c polling sent via a VLAN while a different SNMP community can be for SNMP v3 polling sent via the Internet.
The community name and passwords are not case sensitive for SNMP v1 and v2c. For example, a community name of “THECUSTOMER” is profiled in the VPN Gateway’s profile in the AT&T Administration Server. If “theCustomer” is passed as the community name to the VPN Gateway in a polling request it would be considered a match.
SNMP v3 uses encryption that requires that the username and passwords are case-sensitive. The VPN Gateway converts the SNMP v3 username and passwords it is profiled for to lower-case. Therefore the customer sending an SNMP v3 polling request must use a username and passwords that are all lower-case.
Most of the parameters are determined in real-time from the current device state. These OIDs in the “system” MIB will by default be populated by the VPN Gateway with the values in the following table. However, these values may be overridden in the device’s SNMP configuration on the AT&T Administration Server.
Parameter | Example Value | Description |
---|---|---|
sysDescr | U110 6.0.74 | Hardware model and software version of the AT&T VPN Gateway |
sysContact | John Doe | Value from "Contact Name" on the customer info page (via AT&T Administration Server) |
sysName | 00:D0:CF:09:01:03 | WAN MAC Address of the AT&T VPN Gateway |
sysLocation | STORE2078 | Description/ comments field (via AT&T Administration Server) |
sysServices | 79 | "A value which indicates the set of services that this entity may potentially offer." |
VPN Gateway Specific SNMP MIB
The VPN Gateway has its own custom MIB to return information not in the default MIB. The specific OID { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) att-2(74) att-products(1) attVpnGateway(30) } was assigned to the VPN Gateway by AT&T.
The VPN Gateway custom MIB file specifies the name and data type for every object in the “attVpnGateway” subtree returned by the VPN Gateway in an SNMP query. The custom MIB entries return information specific to the VPN Gateway. For example, the current VPN Gateway code version is returned in the attVpnGateway subtree. The custom MIB file allows SNMP pollers to more logically display and parse the returned data.
The VPN Gateway custom MIB file can be retrieved from the Customer Support Information page through the VPN Gateway web interface. After the VPN Gateway is upgraded to a new code version it’s possible that the VPN Gateway custom MIB file was updated as well. If so, please replace the copy your SNMP poller is using with the newer version of the VPN Gateway custom MIB.
Traps/ Informs
The VPN Gateway also supports the sending of SNMP traps and informs (informs are acknowledged traps). The SNMP trap configuration for the device is controlled via the VPN Gateway Device Profile stored in the AT&T Administration Server. The VPN Gateway uses SNMP traps to alert about potential problems (the device has been in backup longer that the specified amount of time, for example) or to report device statistics. The servers that the SNMP traps are sent to can have completely different configurations. For example, the VPN Gateway can be configured to send SNMP traps via SNMP v2c to one server while also sending SNMP informs via SNMP v3 to another server.