SNMP Traps - Complete Guide

1. What is an SNMP Trap?

An SNMP Trap is an unsolicited, asynchronous message sent by a network device (SNMP Agent) to an SNMP Manager whenever a predefined event occurs.

Unlike polling (where the manager asks for data), traps are pushed immediately from the device, making them ideal for real-time alerts such as:

Interface failure (e.g., link down)
Device reboot
High CPU or memory utilization

2. SNMP Trap vs. Polling (GET Requests)

Feature	SNMP Trap	SNMP Polling (GET)
Direction	Agent → Manager	Manager → Agent
Trigger	Event-based	Scheduled/Timed
Network Load	Low	Higher
Latency	Immediate	Based on interval

3. SNMP Trap Types

A. Generic Traps

coldStart – Device restarted
linkDown – Interface failure
authenticationFailure – Unauthorized SNMP access

B. Specific (Enterprise) Traps

Vendor-specific traps like Cisco’s high CPU or BGP flaps, defined in proprietary MIBs.

4. SNMP Trap Message Format

A standard trap includes:

Agent IP Address
Trap OID (Object Identifier)
Timestamp
Variable Bindings (contextual data)

Example:

SNMPv2-MIB::snmpTrapOID.0 = IF-MIB::linkDown
IF-MIB::ifIndex.1 = 1   (Interface GigabitEthernet0/0)

5. Configuring SNMP Traps (Cisco IOS)

Router(config)# snmp-server host 192.168.1.100 traps MyROString
Router(config)# snmp-server enable traps
Router(config)# snmp-server enable traps snmp linkdown
Router# show snmp host

6. SNMP Trap Ports & Protocols

UDP 162: Used by managers to receive traps
UDP 161: Used for standard SNMP polling

7. Trap Severity Levels

Level	Example Trap
Critical	linkDown, bgpBackwardTransition
Warning	highCpuThreshold
Informational	configChange

8. SNMPv1 vs v2c vs v3 Traps

Version	Authentication	Encryption	Trap Format
v1	Community String	None	Basic, limited
v2c	Community String	None	Enhanced (varbinds)
v3	User-based (SHA, MD5)	Yes (AES, DES)	Secure, reliable

9. SNMP Trap vs. Inform

Feature	Trap	Inform
Acknowledgment	No	Yes
Reliability	Low	High (retries supported)
Use Case	Non-critical alerts	Critical events

Example (Cisco):

Router(config)# snmp-server host 192.168.1.100 informs MyROString

10. MIBs for Traps

Standard: SNMPv2-MIB, IF-MIB
Vendor: CISCO-PROCESS-MIB, JUNIPER-BGP-MIB, etc.

11. Testing SNMP Traps

From Agent (Linux)

snmptrap -v 2c -c public 192.168.1.100 '' IF-MIB::linkDown ifIndex.1 i 1

On Receiver

snmptrapd -f -Lo

12. Security Considerations

✅ Use SNMPv3 with encryption
✅ Allow UDP 162 only from trusted devices
✅ Apply ACLs to limit trap sources

Router(config)# access-list 10 permit 192.168.1.100
Router(config)# snmp-server host 192.168.1.100 traps MyROString 10

13. Use Cases

Network Devices

Interface down (linkDown)
BGP peer failure (bgpStateChange)

Servers

High CPU usage (hrProcessorLoad)
Disk full alert (diskFull)

14. Monitoring Traps in NMS

SolarWinds: Trap viewer & alert generation
PRTG: Custom trap sensors
ELK Stack: Integrate traps via syslog/logstash

15. Troubleshooting

❌ Not receiving traps? → Verify snmp-server host and port 162 access
❌ Invalid community string? → Match it with your NMS
❌ MIB error? → Import vendor-specific MIBs into your NMS

16. Summary

SNMP Traps = Real-time, event-driven alerts
Setup: Define snmp-server host and enable trap types
Security: Use SNMPv3 and ACLs
Test: Use snmptrap and snmptrapd

SNMP Traps Quiz

1. What is an SNMP Trap?

A. A periodic SNMP request sent by the manager B. A command sent from manager to agent C. A response to a polling request D. An asynchronous alert sent by the agent to the manager

Correct answer is D. An SNMP Trap is an event-driven alert pushed by the agent to notify the manager immediately.

2. Which UDP port is used by SNMP managers to listen for traps?

A. UDP 162 B. UDP 161 C. TCP 80 D. TCP 443

Correct answer is A. SNMP traps are sent to UDP port 162, where the manager listens for asynchronous notifications.

3. What is the key difference between SNMP Trap and SNMP Polling (GET)?

A. Trap requests data periodically; polling is event-driven B. Trap uses TCP; polling uses UDP C. Trap is event-driven, sent by agent; polling is periodic requests by manager D. Trap encrypts messages; polling does not

Correct answer is C. Traps are asynchronous alerts pushed by the agent; polling involves periodic manager requests.

4. Which SNMP trap indicates that a device has rebooted?

A. linkDown B. coldStart C. authenticationFailure D. bgpStateChange

Correct answer is B. The coldStart trap signals that the device has rebooted.

5. What command enables SNMP traps globally on a Cisco router?

A. snmp-server enable traps B. snmp-server trap receiver C. snmp-server host D. snmp trap enable all

Correct answer is A. This command globally enables the sending of SNMP traps.

6. Which SNMP trap type includes vendor-specific information?

A. coldStart B. linkDown C. authenticationFailure D. Specific (Enterprise) Traps

Correct answer is D. Enterprise traps are vendor-specific events defined in vendor MIBs.

7. Which SNMP version supports secure traps with authentication and encryption?

A. SNMPv1 B. SNMPv3 C. SNMPv2c D. SNMPv2u

Correct answer is B. SNMPv3 provides authentication and encryption for secure traps.

8. What is the difference between SNMP Trap and Inform?

A. Trap requires acknowledgment; Inform does not B. Both have the same reliability C. Inform requires acknowledgment and retries if lost; Trap does not D. Trap can carry more data than Inform

Correct answer is C. Inform messages are reliable because they require acknowledgment; traps are not.

9. Which command on a Cisco device configures an SNMP trap receiver?

A. snmp-server host 192.168.1.100 traps MyROString B. snmp-server enable traps C. snmp-server community public RO D. snmp-server view

Correct answer is A. This command sets the manager IP and community string to receive traps.

10. What is the recommended SNMP version for security when configuring traps?

A. SNMPv1 B. SNMPv3 C. SNMPv2c D. SNMPv2u

Correct answer is B. SNMPv3 supports authentication and encryption for secure trap communication.

← Back to Home