TRAP forwarder, SNMPv2c to SNMPv3#

In this configuration SNMP Proxy Forwarder receives SNMPv2c TRAP PDU and forwards it as SNMPv3 TRAP PDU.


When forwarding SNMP notifications, server part receives TRAPs from SNMP agents, while client part forwards them towards Managers. This is opposite to SNMP commands forwarding where server parts is directed towards SNMP managers and client part talks to SNMP agents.

This means that if you want to forward both SNMP command and notification packets, you’d need to run at least two pairs of servers and clients forwarding packets in opposite directions.

You could test this configuration by running:

$ snmptrap -v2c -c public 12345 sysDescr s myagent

Server configuration#

Server is configured to:

  • listen on UDP socket at localhost

  • expect SNMP TRAP packets sent over SNMPv2c, community name “public”

  • forward all queries to snmpfwd client through an unencrypted trunk connection running in client mode

# SNMP TRAP forwarder: Manager part configuration

config-version: 2
program-name: snmpfwd-server

snmp-credentials-group {

  snmp-engine-id: 0x0102030405070809

  snmp-community-name: public
  snmp-security-name: public

  snmp-security-model: 2
  snmp-security-level: 1

  snmp-credentials-id: snmp-credentials

context-group {
  snmp-context-engine-id-pattern: .*?
  snmp-context-name-pattern: .*?

  snmp-context-id: any-context

content-group {
  snmp-pdu-type-pattern: (TRAPv1|TRAPv2)
  snmp-pdu-oid-prefix-pattern-list: .*?

  snmp-content-id: trap-content

peers-group {
  snmp-bind-address-pattern-list: .*?
  snmp-peer-address-pattern-list: .*?

  snmp-peer-id: 100

trunking-group {
  trunk-ping-period: 60
  trunk-connection-mode: client

  trunk-id: trunk-1

routing-map {
  matching-snmp-credentials-id-list: snmp-credentials
  matching-snmp-context-id-list: any-context
  matching-snmp-content-id-list: trap-content
  matching-snmp-peer-id-list: 100

  using-trunk-id-list: trunk-1

Download server configuration file.

Client configuration#

Client is configured to:

  • listen on server-mode unencrypted trunk connection

  • place inbound TRAP PDUs into SNMP v3 messages and forward them to public SNMP manager running at


Since SNMP TRAP is always a one-way communication, SNMPv3 parties can’t negotiate authoritative SNMP engine ID automatically which is used for authentication and encryption purposes.

When SNMPv3 authentication or encryption services are being used, snmp-engine-id of the client SNMP engine becomes the authoritative SNMP engine ID for the purpose of sending SNMPv3 TRAP. If the snmp-security-engine-id is configured, it overrides snmp-engine-id for the purpose of sending SNMP v3 notifications.

The USM user table at the receiving end must be configured to accept messages from snmp-engine-id or snmp-security-engine-id.

# SNMP TRAP forwarder: Agent part configuration

config-version: 2
program-name: snmpfwd-client

peers-group {
  # Our SNMP engine ID becomes authoritative for the purpose of
  # sending SNMPv3 TRAPs
  snmp-engine-id: 0x8000000001020304

  # SNMPv3 TRAP would pick up security-engine-id instead of snmp-engine-id
#  snmp-engine-id: 0x80000000FFFFFFFF
#  snmp-security-engine-id: 0x8000000001020304


  # time out SNMP request in 1 second
  snmp-peer-timeout: 100
  snmp-peer-retries: 0

  snmp-security-model: 3
  snmp-security-level: 3

  snmp-security-name: usr-md5-des
  snmp-usm-user: usr-md5-des
  snmp-usm-auth-protocol: md5
  snmp-usm-auth-key: authkey1
  snmp-usm-priv-protocol: des
  snmp-usm-priv-key: privkey1

  snmp-peer-id: snmplabs-v3

trunking-group {
  trunk-ping-period: 60
  trunk-connection-mode: server

  trunk-id: <discover>

original-snmp-peer-info-group {
  orig-snmp-bind-address-pattern: .*?
  orig-snmp-context-name-pattern: .*?

  orig-snmp-pdu-type-pattern: TRAPv2
  orig-snmp-oid-prefix-pattern: .*?

  orig-snmp-engine-id-pattern: .*?
  orig-snmp-context-engine-id-pattern: .*?

  orig-snmp-transport-domain-pattern: .*?
  orig-snmp-peer-address-pattern: .*?

  orig-snmp-security-level-pattern: .*?

  orig-snmp-security-name-pattern: .*?
  orig-snmp-security-model-pattern: .*?

  orig-snmp-peer-id: agent-1

server-classification-group {
  server-snmp-credentials-id-pattern: .*?
  server-snmp-context-id-pattern: .*?
  server-snmp-content-id-pattern: .*?
  server-snmp-peer-id-pattern: .*?

  server-classification-id: any-classification

routing-map {
  matching-trunk-id-list: trunk-1
  matching-orig-snmp-peer-id-list: agent-1
  matching-server-classification-id-list: any-classification

  using-snmp-peer-id-list: snmplabs-v3

Download client configuration file.