TRAP forwarder, SNMPv3 to SNMPv1#

In this configuration SNMP Proxy Forwarder receives SNMPv3 TRAP PDU and forwards it as SNMPv1 TRAP PDU.

Note

When forwarding SNMP notifications, server part receives TRAPs from SNMP agents, while client part forwards them towards Managers. This is opposite to SNMP commands forwarding where server parts is directed towards SNMP managers and client part talks to SNMP agents.

This means that if you want to forward both SNMP command and notification packets, you’d need to run at least two pairs of servers and clients forwarding packets in opposite directions.

You could test this configuration by running:

$ snmptrap -v3 -e 0x090807060504030201 -l authPriv -u test-user -a MD5 -A authkey1 -x DES -X privkey1 \
    127.0.0.1:1162 12345 1.3.6.1.2.5 sysDescr s myagent

Server configuration#

Server is configured to:

listen on UDP socket at localhost
expect SNMP TRAP packets sent over SNMPv3, USM user “test-user”
forward all queries to snmpfwd client through an unencrypted trunk connection running in client mode

Warning

Since SNMP TRAP is always a one-way communication, SNMPv3 parties can’t negotiate authoritative SNMP engine ID automatically which is used for authentication and encryption purposes.

When SNMPv3 authentication or encryption services are being used, it is required to statically configure snmp-security-engine-id (also known as authoritative SNMP engine ID) to match SNMP engine ID of the SNMP engine sending SNMP TRAP message.

#
# SNMP TRAP forwarder: Manager part configuration
#

config-version: 2
program-name: snmpfwd-server

snmp-credentials-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address: 127.0.0.1:1162

  snmp-engine-id: 0x0102030405070809

  snmp-security-model: 3
  snmp-security-level: 3

  snmp-security-name: test-user
  snmp-usm-user: test-user
  snmp-usm-auth-protocol: md5
  snmp-usm-auth-key: authkey1
  snmp-usm-priv-protocol: des
  snmp-usm-priv-key: privkey1

  # SNMP engine ID of SNMP entity sending SNMPv3 TRAPs
  snmp-security-engine-id: 0x090807060504030201

  snmp-credentials-id: snmp-credentials
}

context-group {
  snmp-context-engine-id-pattern: .*?
  snmp-context-name-pattern: .*?

  snmp-context-id: any-context
}

content-group {
  snmp-pdu-type-pattern: (TRAPv1|TRAPv2)
  snmp-pdu-oid-prefix-pattern-list: .*?

  snmp-content-id: trap-content
}

peers-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address-pattern-list: .*?
  snmp-peer-address-pattern-list: .*?

  snmp-peer-id: 100
}

trunking-group {
  trunk-bind-address: 127.0.0.1
  trunk-peer-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: client

  trunk-id: trunk-1
}

routing-map {
  matching-snmp-credentials-id-list: snmp-credentials
  matching-snmp-context-id-list: any-context
  matching-snmp-content-id-list: trap-content
  matching-snmp-peer-id-list: 100

  using-trunk-id-list: trunk-1
}

Download server configuration file.

Client configuration#

Client is configured to:

listen on server-mode unencrypted trunk connection
place inbound TRAP PDUs into SNMP v1 messages and forward them to public SNMP manager running at demo.pysnmp.com

#
# SNMP TRAP forwarder: Agent part configuration
#

config-version: 2
program-name: snmpfwd-client

peers-group {
  snmp-engine-id: 0x0102030405070809

  snmp-transport-domain: 1.3.6.1.6.1.1.1
  snmp-bind-address: 0.0.0.0:0

  # time out SNMP request in 1 second
  snmp-peer-timeout: 100
  snmp-peer-retries: 0

  snmp-community-name: public
  snmp-security-name: public
  snmp-security-model: 1
  snmp-security-level: 1

  snmp-peer-address: 104.236.166.95:162
  snmp-peer-id: snmplabs-v1
}

trunking-group {
  trunk-bind-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: server

  trunk-id: <discover>
}

original-snmp-peer-info-group {
  orig-snmp-bind-address-pattern: .*?
  orig-snmp-context-name-pattern: .*?

  orig-snmp-pdu-type-pattern: TRAPv2
  orig-snmp-oid-prefix-pattern: .*?

  orig-snmp-engine-id-pattern: .*?
  orig-snmp-context-engine-id-pattern: .*?

  orig-snmp-transport-domain-pattern: .*?
  orig-snmp-peer-address-pattern: .*?

  orig-snmp-security-level-pattern: .*?

  orig-snmp-security-name-pattern: .*?
  orig-snmp-security-model-pattern: .*?

  orig-snmp-peer-id: agent-1
}

server-classification-group {
  server-snmp-credentials-id-pattern: .*?
  server-snmp-context-id-pattern: .*?
  server-snmp-content-id-pattern: .*?
  server-snmp-peer-id-pattern: .*?

  server-classification-id: any-classification
}

routing-map {
  matching-trunk-id-list: trunk-1
  matching-orig-snmp-peer-id-list: agent-1
  matching-server-classification-id-list: any-classification

  using-snmp-peer-id-list: snmplabs-v1
}

Download client configuration file.