TRAP forwarder, SNMPv2c to SNMPv3
In this configuration, SNMP Proxy Forwarder receives an SNMPv2c TRAP PDU and forwards it as an SNMPv3 TRAP PDU.
Note
When forwarding SNMP notifications, the server part receives TRAPs from SNMP agents, while the client part forwards them towards Managers. This is the opposite of SNMP command forwarding, where the server part is directed towards SNMP managers and the client part talks to SNMP agents.
This means that if you want to forward both SNMP command and notification packets, you’d need to run at least two pairs of servers and clients forwarding packets in opposite directions.
You could test this configuration by running:
$ snmptrap -v2c -c public 127.0.0.1:1162 12345 1.3.6.1.2.5 sysDescr s myagent
Server configuration
Server is configured to:
listen on a UDP socket at localhost
expect SNMP TRAP packets sent over SNMPv2c, community name “public”
forward all received TRAP PDUs to the snmpfwd client through an unencrypted trunk connection running in client mode
#
# SNMP TRAP forwarder: Manager part configuration
#
config-version: 2
program-name: snmpfwd-server
snmp-credentials-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address: 127.0.0.1:1162
  snmp-engine-id: 0x0102030405070809
  snmp-community-name: public
  snmp-security-name: public
  snmp-security-model: 2
  snmp-security-level: 1
  snmp-credentials-id: snmp-credentials
}
context-group {
  snmp-context-engine-id-pattern: .*?
  snmp-context-name-pattern: .*?
  snmp-context-id: any-context
}
content-group {
  snmp-pdu-type-pattern: (TRAPv1|TRAPv2)
  snmp-pdu-oid-prefix-pattern-list: .*?
  snmp-content-id: trap-content
}
peers-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address-pattern-list: .*?
  snmp-peer-address-pattern-list: .*?
  snmp-peer-id: 100
}
trunking-group {
  trunk-bind-address: 127.0.0.1
  trunk-peer-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: client
  trunk-id: trunk-1
}
routing-map {
  matching-snmp-credentials-id-list: snmp-credentials
  matching-snmp-context-id-list: any-context
  matching-snmp-content-id-list: trap-content
  matching-snmp-peer-id-list: 100
  using-trunk-id-list: trunk-1
}
Download server configuration file.
Client configuration
Client is configured to:
listen on a server-mode unencrypted trunk connection
place inbound TRAP PDUs into SNMPv3 messages and forward them to the public SNMP manager running at demo.pysnmp.com
Warning
Since an SNMP TRAP is always a one-way communication, SNMPv3 parties can’t automatically negotiate the authoritative SNMP engine ID, which is used for authentication and encryption purposes.
When SNMPv3 authentication or encryption services are being used, the snmp-engine-id of the client SNMP engine becomes the authoritative SNMP engine ID for the purpose of sending SNMPv3 TRAPs. If snmp-security-engine-id is configured, it overrides snmp-engine-id for the purpose of sending SNMPv3 notifications.
The USM user table at the receiving end must be configured to accept messages from snmp-engine-id or snmp-security-engine-id.
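Why the receiving USM table is tied to the sender's engine ID, shown as an added example that is not part of snmpfwd or of this page's configuration files. It assumes snmp-usm-auth-key is a passphrase localized as in RFC 3414, takes the engine IDs, user and passphrase from the client configuration on this page, and uses a constructed byte string in place of the serialized TRAP message; all function names are hypothetical.

```python
import hashlib
import hmac

def password_to_key_md5(passphrase: bytes) -> bytes:
    """RFC 3414 A.2.1: hash 1 MiB of the repeated passphrase into Ku."""
    stream = (passphrase * (1048576 // len(passphrase) + 1))[:1048576]
    return hashlib.md5(stream).digest()

def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: bind Ku to one authoritative engine ID, giving Kul."""
    return hashlib.md5(ku + engine_id + ku).digest()

def authoritative_engine_id(snmp_engine_id, snmp_security_engine_id=None):
    """Rule from the warning above: snmp-security-engine-id, if set, wins."""
    return snmp_security_engine_id or snmp_engine_id

def sign(kul: bytes, message: bytes) -> bytes:
    """HMAC-MD5-96 tag; 'message' stands in for the serialized SNMPv3 message."""
    return hmac.new(kul, message, hashlib.md5).digest()[:12]

def receiver_accepts(usm_table, engine_id, user, message, tag) -> bool:
    """Manager side: the localized key is looked up per (engine ID, user)."""
    kul = usm_table.get((engine_id, user))
    return kul is not None and hmac.compare_digest(sign(kul, message), tag)

# Values from the client configuration on this page.
ENGINE_ID = bytes.fromhex("8000000001020304")
OTHER_ENGINE_ID = bytes.fromhex("80000000FFFFFFFF")
USER, AUTH_PASSPHRASE = "usr-md5-des", b"authkey1"
MSG = b"constructed TRAP payload"  # constructed sample, not a real PDU

KU = password_to_key_md5(AUTH_PASSPHRASE)
# Manager's USM table, provisioned for engine ID 0x8000000001020304 only.
USM_TABLE = {(ENGINE_ID, USER): localize_key_md5(KU, ENGINE_ID)}

def send_trap(snmp_engine_id, snmp_security_engine_id=None):
    """Return (engine ID, tag) the client would attach to the sample TRAP."""
    eid = authoritative_engine_id(snmp_engine_id, snmp_security_engine_id)
    return eid, sign(localize_key_md5(KU, eid), MSG)

if __name__ == "__main__":
    for args in [(ENGINE_ID,), (OTHER_ENGINE_ID,), (OTHER_ENGINE_ID, ENGINE_ID)]:
        eid, tag = send_trap(*args)
        ok = receiver_accepts(USM_TABLE, eid, USER, MSG, tag)
        print(eid.hex(), "accepted" if ok else "rejected")
```

The third case corresponds to the commented-out lines in the client configuration, where snmp-security-engine-id carries the engine ID the manager was provisioned with.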
#
# SNMP TRAP forwarder: Agent part configuration
#
config-version: 2
program-name: snmpfwd-client
peers-group {
  # Our SNMP engine ID becomes authoritative for the purpose of
  # sending SNMPv3 TRAPs
  snmp-engine-id: 0x8000000001020304
  # SNMPv3 TRAP would pick up security-engine-id instead of snmp-engine-id
  # snmp-engine-id: 0x80000000FFFFFFFF
  # snmp-security-engine-id: 0x8000000001020304
  snmp-transport-domain: 1.3.6.1.6.1.1.1
  snmp-bind-address: 0.0.0.0:0
  # time out SNMP request in 1 second
  snmp-peer-timeout: 100
  snmp-peer-retries: 0
  snmp-security-model: 3
  snmp-security-level: 3
  snmp-security-name: usr-md5-des
  snmp-usm-user: usr-md5-des
  snmp-usm-auth-protocol: md5
  snmp-usm-auth-key: authkey1
  snmp-usm-priv-protocol: des
  snmp-usm-priv-key: privkey1
  snmp-peer-address: 104.236.166.95:162
  snmp-peer-id: snmplabs-v3
}
trunking-group {
  trunk-bind-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: server
  trunk-id: <discover>
}
original-snmp-peer-info-group {
  orig-snmp-bind-address-pattern: .*?
  orig-snmp-context-name-pattern: .*?
  orig-snmp-pdu-type-pattern: TRAPv2
  orig-snmp-oid-prefix-pattern: .*?
  orig-snmp-engine-id-pattern: .*?
  orig-snmp-context-engine-id-pattern: .*?
  orig-snmp-transport-domain-pattern: .*?
  orig-snmp-peer-address-pattern: .*?
  orig-snmp-security-level-pattern: .*?
  orig-snmp-security-name-pattern: .*?
  orig-snmp-security-model-pattern: .*?
  orig-snmp-peer-id: agent-1
}
server-classification-group {
  server-snmp-credentials-id-pattern: .*?
  server-snmp-context-id-pattern: .*?
  server-snmp-content-id-pattern: .*?
  server-snmp-peer-id-pattern: .*?
  server-classification-id: any-classification
}
routing-map {
  matching-trunk-id-list: trunk-1
  matching-orig-snmp-peer-id-list: agent-1
  matching-server-classification-id-list: any-classification
  using-snmp-peer-id-list: snmplabs-v3
}
Download client configuration file.