SNMP Traps – Complete Guide

1. What Is an SNMP Trap?

An SNMP Trap is an unsolicited, asynchronous message sent by a network device (the SNMP Agent) to an SNMP Manager whenever a predefined event occurs — such as an interface going down, a device rebooting, or CPU utilisation exceeding a threshold.

Unlike polling (where the manager periodically asks "how are you?"), traps are pushed immediately by the agent the moment the event happens. This makes them ideal for real-time alerting with minimal network overhead.

  SNMP Agent (Router/Switch)                SNMP Manager (SolarWinds/PRTG)
        |                                         |
        |  [Interface Gi0/1 goes DOWN at 14:32]   |
        |                                         |
        |-- TRAP: linkDown, Gi0/1 [UDP 162] ------>|  Immediate alert — no polling needed
        |                                         |
        |  [Device reboots at 14:45]              |
        |                                         |
        |-- TRAP: coldStart [UDP 162] ------------>|

Related pages: show logging (Syslog) | ACL Overview | Applying ACLs | show running-config | NTP Synchronisation | Common Port Numbers | Step-by-Step: SNMP Configuration | Syslog Configuration Lab

2. SNMP Trap vs. Polling (GET Requests)

Understanding the difference between trap-based and poll-based monitoring is essential for both the CCNA exam and real-world network design.

FeatureSNMP TrapSNMP Polling (GET)
DirectionAgent → Manager (unsolicited)Manager → Agent (requested)
TriggerEvent-based — sent when something happensScheduled/timed interval (e.g., every 5 min)
Network LoadVery low — only sent on eventsHigher — continuous periodic polling
LatencyImmediate — sub-second alertUp to one polling interval delay
ReliabilityNo acknowledgement — fire and forgetConfirmed response from agent
Best ForReal-time critical alerts (link failures, reboots)Trending, capacity planning, baseline metrics

In practice, both are used together: polling provides regular metrics, traps provide instant event notification.

3. SNMP Trap Types

A. Generic Traps (Defined in RFC 1157)

These are standard traps defined in the base SNMP MIB, supported by virtually all SNMP-capable devices:

Trap NameTriggerSeverity
coldStartDevice has rebooted (full power cycle or crash)Critical
warmStartDevice has re-initialised without power cycling (software restart)Warning
linkDownA network interface has transitioned to the "down" stateCritical
linkUpA network interface has transitioned to the "up" stateInformational
authenticationFailureAgent received a request with an unrecognised community stringWarning
egpNeighborLossAn EGP peer has gone down (legacy, rarely used)Critical

B. Specific (Enterprise) Traps

Vendor-defined traps extending beyond the generic set, defined in proprietary MIBs. Examples include:

  • Cisco: ciscoEnvMonTemperatureNotification (temperature alarm), cpmCPUTotalHigh (high CPU), bgpEstablished / bgpBackwardTransition (BGP state changes)
  • Juniper: jnxLinkDown, jnxOspfNbrStateChange
  • Generic server: hrDiskFull (disk space critical), hrProcessorLoad (CPU overload)

4. SNMP Trap Message Format

Every SNMP trap carries a standard set of fields that the manager uses to identify, log, and react to the event:

FieldDescriptionExample
Agent IP AddressSource IP of the device sending the trap192.168.1.1
Trap OIDObject Identifier identifying the trap typeIF-MIB::linkDown
Timestamp (sysUpTime)Device uptime at the moment the trap was generated3 days, 14:32:05
Variable Bindings (varbinds)Additional context data — what interface, what value, etc.ifIndex.1 = 1
Community StringSNMPv1/v2c only — identifies the "community" for the managerMyROString
Enterprise OIDSNMPv1 only — OID of the enterprise that defined the trapenterprises.9 (Cisco)

Example SNMPv2c linkDown trap as seen on the manager:

SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/0
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.1 = INTEGER: down(2)

5. Configuring SNMP Traps on Cisco IOS

Step 1 — Define the SNMP Trap Receiver (Manager)

Router(config)# snmp-server host 192.168.1.100 traps MyROString

This tells the router to send all enabled traps to the manager at 192.168.1.100 using community string MyROString over UDP port 162.

Step 2 — Enable Specific Trap Categories

Router(config)# snmp-server enable traps                   ! Enable all trap categories
Router(config)# snmp-server enable traps snmp linkdown     ! Interface link-down traps only
Router(config)# snmp-server enable traps snmp linkup       ! Interface link-up traps
Router(config)# snmp-server enable traps bgp               ! BGP state-change traps
Router(config)# snmp-server enable traps config            ! Configuration change traps

Step 3 — Verify the Configuration

Router# show snmp host
Router# show snmp
Router# show running-config | include snmp

Expected output of show snmp host:

Notification host: 192.168.1.100  udp-port: 162  type: trap
user: MyROString  security model: v2c

Configuring SNMPv3 Traps (Recommended for Production)

Router(config)# snmp-server group SNMPGROUP v3 priv
Router(config)# snmp-server user SNMPUSER SNMPGROUP v3 auth sha AuthPass priv aes 128 PrivPass
Router(config)# snmp-server host 192.168.1.100 version 3 priv SNMPUSER

6. SNMP Trap Ports & Protocols

PortProtocolDirectionPurpose
UDP 161UDPManager → AgentStandard SNMP polling (GET, SET, GETBULK)
UDP 162UDPAgent → ManagerSNMP Traps and Informs received by the manager

Why UDP? SNMP uses UDP (connectionless) because SNMP operations are simple request-response messages. UDP adds no connection overhead — if a response is needed, the application layer handles retries. For traps, UDP is acceptable because traps are best-effort; if reliability is needed, use Informs instead (see Section 9).

Ensure UDP 162 is open inbound on the SNMP Manager's firewall from your managed devices. See ACL/Firewall and Applying ACLs for guidance.

7. Trap Severity Levels

While SNMP traps do not have built-in severity levels like Syslog, Network Management Systems typically classify them by impact:

SeverityExample TrapsTypical NMS Action
CriticallinkDown, coldStart, bgpBackwardTransitionPage on-call engineer, open ticket, trigger failover
WarningauthenticationFailure, cpmCPUTotalHighEmail/Slack alert, log for investigation
InformationallinkUp, configChange, warmStartLog only, dashboard indicator

8. SNMPv1 vs v2c vs v3 Traps

FeatureSNMPv1SNMPv2cSNMPv3
AuthenticationCommunity StringCommunity StringUser-based (SHA/MD5)
EncryptionNoneNoneAES or DES
Trap FormatBasic — uses generic/enterprise trap PDUEnhanced — uses snmpV2-trap PDU with varbindsSame as v2c + security wrapper
AcknowledgementNoNo (Inform adds acknowledgement)No (Inform adds acknowledgement)
RecommendedLegacy/lab onlyAcceptable for internal-only management networksAll production environments

The key structural difference: SNMPv1 traps use a legacy PDU type with fixed fields (generic-trap, specific-trap, time-stamp). SNMPv2c and v3 use the snmpV2-trap PDU which carries all information as variable bindings — more flexible and extensible.

9. SNMP Trap vs. Inform

SNMPv2c introduced Inform messages as a more reliable alternative to traps for critical events:

FeatureTrapInform
AcknowledgementNo — fire and forgetYes — manager must send a GetResponse
ReliabilityLow — if manager is busy or packet is lost, trap is goneHigh — agent retries until acknowledged or retry limit reached
Network LoadLowerHigher (retransmissions)
Use CaseNon-critical notifications, high-frequency eventsCritical events where guaranteed delivery is required
SNMP Versionv1, v2c, v3v2c and v3 only

Configuring Informs on Cisco IOS:

Router(config)# snmp-server host 192.168.1.100 informs MyROString

10. MIBs for Traps

Every SNMP trap is identified by an OID defined in a MIB (Management Information Base). The manager must have the correct MIB loaded to decode and display the trap meaningfully.

MIBDefinesCommon Traps
SNMPv2-MIBCore SNMP objectscoldStart, warmStart, authenticationFailure
IF-MIBNetwork interfaceslinkDown, linkUp
BGP4-MIBBGP routing protocolbgpEstablished, bgpBackwardTransition
CISCO-PROCESS-MIBCisco CPU/process statscpmCPUTotalHigh
HOST-RESOURCES-MIBServer resourceshrDiskFull, hrProcessorLoad

Import vendor-specific MIBs into your NMS (SolarWinds, PRTG, Zabbix) to ensure enterprise traps are decoded correctly. Without the MIB, the NMS will display raw OIDs rather than readable trap names.

11. Testing SNMP Traps

Sending a Test Trap from Linux

snmptrap -v 2c -c public 192.168.1.100 '' IF-MIB::linkDown ifIndex.1 i 1
  • -v 2c — SNMP version
  • -c public — Community string
  • 192.168.1.100 — Manager IP (trap destination)
  • IF-MIB::linkDown — Trap OID
  • ifIndex.1 i 1 — Variable binding: interface index 1

Listening for Traps on the Manager (Linux)

snmptrapd -f -Lo

This runs snmptrapd in the foreground (-f) with output logged to stdout (-Lo). Press Ctrl+C to stop. Incoming traps will be printed in real time.

Triggering a Real Trap on a Cisco Device

! Shut down an interface to generate a linkDown trap
Router(config)# interface GigabitEthernet0/1
Router(config-if)# shutdown

12. Security Considerations

SNMP traps carry sensitive operational data about your network. Without proper controls, traps can be intercepted, spoofed, or used to flood a manager.

  • ✅ Use SNMPv3 with authPriv — traps are authenticated and encrypted
  • ✅ Apply ACLs to restrict which devices can send traps to your manager: only permit UDP 162 from known agent IPs
  • ✅ Apply ACLs on the Cisco device to restrict which manager IPs receive traps
  • ✅ Monitor for excessive authenticationFailure traps — a spike may indicate a brute-force or misconfiguration
! Restrict which manager receives traps using an ACL
Router(config)# access-list 10 permit 192.168.1.100
Router(config)# snmp-server host 192.168.1.100 traps MyROString

13. Common Use Cases

Device / SystemTrapBusiness Value
Core router / switchlinkDown, coldStartImmediate awareness of network outages
BGP edge routerbgpBackwardTransitionDetect ISP or peer connectivity failure in seconds
ServerhrDiskFull, hrProcessorLoadPrevent service outages from resource exhaustion
Any deviceauthenticationFailureDetect SNMP brute-force or misconfigured manager
Any deviceconfigChangeAudit trail for configuration changes

14. Monitoring Traps in Popular NMS Platforms

  • SolarWinds NPM: Built-in Trap Viewer with alert generation, filtering, and escalation rules. Supports MIB import for enterprise traps.
  • PRTG: SNMP Trap Receiver sensor — configure a sensor on the manager to receive and classify traps by OID pattern.
  • Zabbix: Native SNMP trap support via snmptrapd integration. Trap-to-trigger mapping using OID patterns.
  • ELK Stack: Integrate traps via Logstash SNMP input plugin, store in Elasticsearch, visualise in Kibana for historical analysis.

15. Troubleshooting SNMP Traps

ProblemLikely CauseFix
Manager not receiving trapssnmp-server host not configured, UDP 162 blockedVerify show snmp host; open UDP 162 on manager firewall
Traps received but unreadable OIDsMIB not loaded in NMSDownload and import the vendor MIB file into your NMS
Wrong community string on trapString mismatch between agent and managerMatch the string in snmp-server host with NMS configuration
Authentication failure traps flooding managerMonitoring tool using wrong community stringVerify the NMS community string; update as needed

16. Summary

  • SNMP Traps = Real-time, event-driven alerts pushed by the agent to the manager over UDP 162
  • Generic traps (coldStart, linkDown, authenticationFailure) are defined in standard MIBs; enterprise traps are vendor-specific
  • Trap vs Inform: Traps are unreliable (fire-and-forget); Informs add acknowledgement and retry — use Informs for critical events
  • Configuration: Define snmp-server host, enable trap types with snmp-server enable traps
  • Security: Use SNMPv3 with authPriv and ACLs to protect trap delivery
  • Test: Use snmptrap to send and snmptrapd to receive test traps on Linux

SNMP Traps Quiz

1. What is an SNMP Trap?

Correct answer is D. An SNMP Trap is an unsolicited, asynchronous message generated by the SNMP agent (the device) and pushed immediately to the SNMP manager whenever a predefined event occurs — no prior request from the manager is needed. This is the fundamental distinction from polling (GET) operations.

2. Which UDP port does the SNMP manager listen on to receive traps?

Correct answer is A. SNMP traps and Informs are sent to UDP port 162 on the SNMP manager. This is distinct from UDP port 161, which is used by agents to receive GET and SET queries from the manager. Both ports must be permitted through any firewall between agents and the manager.

3. What is the key operational difference between an SNMP Trap and SNMP Polling (GET)?

Correct answer is C. Traps are asynchronous — pushed by the agent immediately on event occurrence. Polling is synchronous — the manager periodically queries the agent on a timed schedule. Both use UDP. Traps have lower network overhead but no reliability guarantee; polling has higher overhead but confirms the agent is responsive.

4. Which generic SNMP trap type indicates that a device has completely rebooted?

Correct answer is B. coldStart signals that the agent has re-initialised from a full power cycle or crash — sysUpTime resets to zero. warmStart indicates a software re-initialisation without a power cycle. linkDown is for interface failures. bgpStateChange is an enterprise (vendor-specific) trap.

5. Which Cisco IOS command globally enables the sending of SNMP traps?

Correct answer is A. snmp-server enable traps globally enables all trap categories on the device. You must also configure snmp-server host <manager-ip> traps <community> to specify where traps are sent. You can enable only specific categories (e.g., snmp-server enable traps snmp linkdown) to reduce trap volume.

6. Which SNMP trap type includes vendor-specific, proprietary event information?

Correct answer is D. Enterprise (specific) traps are vendor-defined events in proprietary MIBs — for example, Cisco's cpmCPUTotalHigh for CPU alarms or Juniper's jnxLinkDown. The NMS must have the vendor MIB file loaded to decode these traps meaningfully, otherwise it will display raw OIDs.

7. Which SNMP version supports secure traps with authentication and encryption?

Correct answer is B. SNMPv3 adds the User-Based Security Model (USM) which provides HMAC-SHA or HMAC-MD5 authentication and AES/DES encryption to all SNMP messages including traps. SNMPv1 and v2c traps carry community strings in plaintext — they can be intercepted and spoofed.

8. What is the key difference between an SNMP Trap and an SNMP Inform?

Correct answer is C. Informs (introduced in SNMPv2c) require the manager to send a GetResponse acknowledgement. If the agent does not receive an acknowledgement within the timeout period, it retransmits the Inform. Traps are sent once with no confirmation — if the packet is lost or the manager is busy, the event is permanently missed. Use Informs for critical events.

9. Which Cisco IOS command configures an SNMP trap receiver (the destination manager)?

Correct answer is A. snmp-server host <ip> traps <community> specifies the manager IP address, the message type (traps or informs), and the community string used in the trap packets. Without this command, even if traps are enabled, the device has no destination to send them to.

10. A network team receives hundreds of authenticationFailure traps from one router over 10 minutes. What is the most likely cause?

Correct answer is B. The authenticationFailure trap is generated each time the SNMP agent receives a request with a community string that does not match any configured string. A burst of these traps almost always means a monitoring tool has been misconfigured with the wrong community string, or a scheduled script is running with outdated credentials. It can also indicate a network scan or brute-force attempt.

← Back to Home