SNMP Traps & Alerts: Setting Up Trap Receivers and Alerting Workflows
A complete guide to configuring SNMP traps on network devices, setting up trap receivers with snmptrapd, Zabbix, and LibreNMS, and building automated alerting workflows for instant fault detection.
SNMP Polling vs. Traps: Why You Need Both
Most SNMP monitoring relies on polling — the NMS periodically asks each device "how are you?" at fixed intervals (every 60-300 seconds). This works well for trending and capacity planning, but it has a critical gap: if something breaks between polls, you won't know until the next poll cycle.
SNMP traps solve this by flipping the model — the device proactively sends an alert to the NMS the instant something happens.
| Feature | Polling | Traps | |---------|---------|-------| | Direction | NMS → Device | Device → NMS | | Timing | Fixed interval (60-300s) | Instant on event | | Network load | Continuous | Only on events | | Discovery | Yes (find new OIDs) | No | | Reliability | Guaranteed response | UDP, can be lost | | Use case | Trending, capacity | Fault detection |
Best practice: Use polling for continuous metrics (CPU, traffic, temperature) and traps for event-based alerts (link down, power failure, threshold crossed).
How SNMP Traps Work
┌──────────────┐ ┌──────────────────┐
│ Network │ UDP port 162 │ NMS / Trap │
│ Device │ ─────────────────→│ Receiver │
│ │ SNMP Trap PDU │ │
│ (Agent) │ │ (snmptrapd / │
│ │ │ Zabbix / │
│ │ │ LibreNMS) │
└──────────────┘ └──────────────────┘
Trap vs. Inform
SNMP provides two notification mechanisms:
| | Trap (SNMPv1/v2c/v3) | Inform (SNMPv2c/v3) | |---|---|---| | Transport | UDP (fire and forget) | UDP with acknowledgement | | Reliability | Can be lost silently | Retries until confirmed | | Overhead | Low | Higher (ACK required) | | Recommendation | Use for non-critical | Use for critical alerts |
# Trap — device sends and forgets
Device → NMS: Trap PDU (no response expected)
# Inform — device expects acknowledgement
Device → NMS: Inform PDU
NMS → Device: Response PDU (ACK)
# If no ACK within timeout, device retransmitsRecommendation: Use SNMP Informs for critical alerts (power failure, security events) and standard traps for informational events (link up/down).
Common SNMP Trap Types
Standard Traps (Generic)
These are defined in the SNMP standards and sent by virtually all devices:
| Trap OID | Name | Triggered When | |----------|------|----------------| | 1.3.6.1.6.3.1.1.5.1 | coldStart | Device rebooted (full restart) | | 1.3.6.1.6.3.1.1.5.2 | warmStart | Device restarted (soft restart) | | 1.3.6.1.6.3.1.1.5.3 | linkDown | Network interface went down | | 1.3.6.1.6.3.1.1.5.4 | linkUp | Network interface came up | | 1.3.6.1.6.3.1.1.5.5 | authenticationFailure | Wrong SNMP credentials used |
Enterprise-Specific Traps
Vendors define custom traps for their hardware:
Cisco:
1.3.6.1.4.1.9.9.13.3.0.x— Environmental alerts (fan failure, temp)1.3.6.1.4.1.9.9.41.2.0.1— Syslog message trap
APC UPS:
1.3.6.1.4.1.318.0.5— UPS on battery1.3.6.1.4.1.318.0.9— UPS battery low1.3.6.1.4.1.318.0.24— UPS overload
Moxa Industrial Switch:
1.3.6.1.4.1.8691.7.x— Power supply failure, ring topology change
Part 1: Configuring Devices to Send Traps
Cisco IOS Switch/Router
! Enable SNMP traps globally
snmp-server enable traps
! Or enable specific trap categories
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature
snmp-server enable traps config
snmp-server enable traps entity
! Configure trap destination (SNMPv3)
snmp-server host 10.0.0.100 version 3 priv trapUser
! Configure trap destination (SNMPv2c)
snmp-server host 10.0.0.100 version 2c myCommunity
! Set trap source interface
snmp-server trap-source Loopback0
Moxa Industrial Switch
Via web interface:
- Navigate to System → SNMP Settings → Trap
- Enable trap function
- Add trap server IP:
10.0.0.100 - Select SNMP version (v3 recommended)
- Configure SNMPv3 trap user credentials
- Select trap events: Link Change, Power, Topology Change, Dying Gasp
Linux Server (snmpd)
Edit /etc/snmp/snmpd.conf:
# SNMPv3 trap destination
trapsess -v 3 -u trapUser -l authPriv -a SHA -A "AuthPass123" \
-x AES -X "PrivPass456" 10.0.0.100:162
# Send trap on interface down/up
monitor -r 30 -e linkUpDown "Interface Status" ifOperStatus != 1
# Send trap when disk usage exceeds 90%
monitor -r 300 -o dskPath -o dskTotal -o dskUsed \
"Disk Usage" dskPercent > 90Restart the SNMP service:
sudo systemctl restart snmpdAPC UPS (via web/CLI)
- Log into the UPS Network Management Card web interface
- Navigate to Configuration → Notification → SNMP Traps
- Add trap receiver:
10.0.0.100 - Select severity: Informational, Warning, Critical
- Select trap generation: SNMPv3 with user credentials
- Test: click "Send Test Trap"
Part 2: Setting Up Trap Receivers
Option A: snmptrapd (Net-SNMP)
The basic trap receiver from the Net-SNMP toolkit. Good for testing and small deployments.
Installation:
# Ubuntu/Debian
sudo apt install snmptrapd
# RHEL/CentOS
sudo yum install net-snmpConfiguration — edit /etc/snmp/snmptrapd.conf:
# Accept traps from any source (v2c)
authCommunity log,execute,net public
# Accept SNMPv3 traps
createUser -e 0x8000000001020304 trapUser SHA "AuthPass123" AES "PrivPass456"
authUser log,execute trapUser
# Log traps to file
[snmp] logOption f /var/log/snmptrapd.log
# Format output for readability
format2 %V\n% Agent Address: %A\n Enterprise: %N\n Trap: %w (%W)\n Uptime: %T\n Varbinds:\n%v\n
# Execute a script on specific traps
traphandle 1.3.6.1.6.3.1.1.5.3 /usr/local/bin/handle-linkdown.shStart the service:
# Start snmptrapd
sudo systemctl enable snmptrapd
sudo systemctl start snmptrapd
# Or run in foreground for debugging
sudo snmptrapd -f -Lo -c /etc/snmp/snmptrapd.confTest by sending a trap:
# Send a test trap (v2c)
snmptrap -v 2c -c public 10.0.0.100:162 "" \
1.3.6.1.6.3.1.1.5.3 \
ifIndex i 2 \
ifDescr s "GigabitEthernet0/1" \
ifOperStatus i 2
# Send a test trap (v3)
snmptrap -v 3 -u trapUser -l authPriv -a SHA -A "AuthPass123" \
-x AES -X "PrivPass456" 10.0.0.100:162 "" \
1.3.6.1.6.3.1.1.5.1Option B: Zabbix SNMP Trap Receiver
Zabbix can receive and process SNMP traps alongside its regular polling.
Step 1: Install and configure snmptrapd for Zabbix
# Install snmptrapd
sudo apt install snmptrapd
# Edit /etc/snmp/snmptrapd.conf
authCommunity execute public
perl do "/usr/share/zabbix/externalscripts/zabbix_trap_receiver.pl";If using the default Zabbix trap handler, configure /etc/zabbix/zabbix_server.conf:
SNMPTrapperFile=/var/log/snmptrap/snmptrap.log
StartSNMPTrapper=1Step 2: Configure snmptrapd to write Zabbix-formatted output
Edit /etc/snmp/snmptrapd.conf:
# Log format for Zabbix
format2 %T %a %v\n
outputOption sOr use the Zabbix SNMP trap receiver script:
# Create /etc/snmp/snmptrapd.conf
authCommunity log,execute,net public
perl do "/usr/share/zabbix-server-mysql/externalscripts/zabbix_trap_receiver.pl";Step 3: Create Zabbix items for traps
Item type: SNMP trap
Key: snmptrap["linkDown"]
Type of information: Log
Or catch all traps:
Key: snmptrap.fallback
Type of information: Log
Step 4: Create Zabbix triggers for traps
Name: Link Down on {HOST.NAME}
Expression: find(/Template/snmptrap["linkDown"],,"regexp","linkDown")=1
Severity: High
Recovery: find(/Template/snmptrap["linkUp"],,"regexp","linkUp")=1
Option C: LibreNMS Trap Receiver
LibreNMS has built-in SNMP trap handling.
Step 1: Configure snmptrapd for LibreNMS
# /etc/snmp/snmptrapd.conf
authCommunity log,execute,net public
traphandle default /opt/librenms/snmptrap.phpStep 2: Enable trap processing in LibreNMS
Edit /opt/librenms/.env or config:
$config['snmptraps']['eventlog'] = true;
$config['snmptraps']['eventlog_detailed'] = true;Step 3: Start snmptrapd
sudo systemctl enable snmptrapd
sudo systemctl start snmptrapdLibreNMS automatically maps received traps to devices by source IP and creates event log entries. Supported trap types include:
- Link up/down
- BGP state changes
- OSPF neighbour changes
- UPS events
- Equipment sensor thresholds
- Vendor-specific traps (Cisco, Juniper, etc.)
Part 3: Building Alerting Workflows
Email Alerts
Zabbix email action:
- Go to Configuration → Actions → Trigger actions
- Create action: "Send email on High/Critical"
- Conditions: Trigger severity >= High
- Operations: Send message to "Network Team" group via Email
snmptrapd script handler:
#!/bin/bash
# /usr/local/bin/handle-linkdown.sh
# Called by snmptrapd when a linkDown trap is received
read hostname
read ipaddr
read uptime
read trapoid
read payload
SUBJECT="ALERT: Link Down on $ipaddr"
BODY="Device: $ipaddr\nTrap: $trapoid\nDetails: $payload\nTime: $(date)"
echo -e "$BODY" | mail -s "$SUBJECT" network-team@company.comSMS/Phone Alerts
For critical infrastructure (railway, industrial), integrate with SMS gateways:
Zabbix + SMS gateway:
Media type: Script
Script: /usr/lib/zabbix/alertscripts/send_sms.sh
Parameters:
{ALERT.SENDTO}
{ALERT.SUBJECT}
{ALERT.MESSAGE}
#!/bin/bash
# /usr/lib/zabbix/alertscripts/send_sms.sh
PHONE="$1"
SUBJECT="$2"
MESSAGE="$3"
# Using an HTTP SMS gateway API
curl -X POST "https://sms-gateway.company.com/api/send" \
-d "to=$PHONE" \
-d "message=$SUBJECT: $MESSAGE"Webhook Integration (Teams/Slack)
Zabbix webhook to Microsoft Teams:
// Zabbix Media Type: Webhook
var params = JSON.parse(value);
var req = new HttpRequest();
req.addHeader('Content-Type: application/json');
var message = {
"@type": "MessageCard",
"themeColor": params.severity === "Disaster" ? "FF0000" : "FFA500",
"summary": params.subject,
"sections": [{
"activityTitle": params.subject,
"facts": [
{"name": "Host", "value": params.host},
{"name": "Severity", "value": params.severity},
{"name": "Time", "value": params.time}
],
"text": params.message
}]
};
req.post(params.teams_webhook_url, JSON.stringify(message));Escalation Workflow
┌─────────────┐ 5 min ┌─────────────┐ 15 min ┌─────────────┐
│ Trap │ ──────────────→│ No ACK? │ ──────────────→│ No ACK? │
│ Received │ │ Escalate │ │ Escalate │
│ │ │ │ │ │
│ → Email to │ │ → SMS to │ │ → Phone call │
│ NOC team │ │ On-call │ │ to Manager │
└─────────────┘ └─────────────┘ └─────────────┘
In Zabbix, configure this under Action → Operations → Escalation steps:
Step 1 (0 min): Send email to "NOC Team"
Step 2 (5 min): Send SMS to "On-Call Engineer"
Step 3 (15 min): Send SMS + Email to "Network Manager"
Step 4 (30 min): Send to "Department Head"
Trap Filtering and Deduplication
In a large network, you may receive thousands of traps per hour. Filtering is essential:
snmptrapd Filtering
# /etc/snmp/snmptrapd.conf
# Only process traps from specific subnets
authCommunity execute public 10.0.0.0/8
authCommunity execute public 172.16.0.0/12
# Ignore authentication failure traps (noisy)
doNotRetain 1.3.6.1.6.3.1.1.5.5Zabbix Trap Filtering
Use regular expressions in trap items to match only relevant traps:
Key: snmptrap["(linkDown|linkUp|coldStart)"]
Deduplication
Prevent alert storms (e.g., 100 devices sending linkDown when a core switch fails):
- Zabbix correlation: Configure event correlation rules to suppress child alerts when a parent device is down
- Maintenance windows: Schedule maintenance to suppress traps during planned work
- Trap rate limiting: Configure
snmptrapdto rate-limit identical traps from the same source
Testing and Troubleshooting
Verify Trap Delivery
# Listen for traps on the receiver (debug mode)
sudo snmptrapd -f -Lo -d
# Send a test trap from another machine
snmptrap -v 2c -c public RECEIVER_IP:162 "" \
1.3.6.1.6.3.1.1.5.3 \
ifIndex i 1
# Check if traps are arriving
sudo tcpdump -i any port 162 -vvvCommon Problems
| Problem | Cause | Solution | |---------|-------|----------| | No traps received | Firewall blocking UDP 162 | Open UDP 162 inbound on receiver | | Traps received but not processed | Wrong community/user | Match credentials on device and receiver | | Traps in log but no alerts | NMS not configured to process | Check trap item/handler config | | Duplicate alerts | Multiple NMS instances | Designate primary trap receiver | | Trap storm after outage | All devices recovering at once | Configure deduplication/correlation | | SNMPv3 traps failing | Engine ID mismatch | Configure remote engine ID on device |
SNMPv3 Trap Engine ID
SNMPv3 traps require the sender's engine ID to be known by the receiver. This is the most common source of SNMPv3 trap failures.
# Find device's engine ID
snmpget -v3 -u myUser -l authPriv -a SHA -A "AuthPass" \
-x AES -X "PrivPass" 192.168.1.1 1.3.6.1.6.3.10.2.1.1.0
# Configure snmptrapd with the device's engine ID
# /etc/snmp/snmptrapd.conf
createUser -e 0x80000009038000000001 trapUser SHA "AuthPass" AES "PrivPass"
authUser log,execute trapUserFrequently Asked Questions
Can SNMP traps be sent over TCP instead of UDP?
Standard SNMP traps use UDP port 162 and can be lost in transit. SNMP Informs add an acknowledgement mechanism over UDP. For TCP-based alternatives, some NMS platforms support syslog over TCP or streaming telemetry, which provide guaranteed delivery. For critical alerts, always use SNMP Informs instead of traps.
How many traps per second can a receiver handle?
A typical snmptrapd instance can handle 1,000-5,000 traps per second. Zabbix and LibreNMS can process 500-2,000 traps/sec depending on hardware and database performance. For very high-volume environments, use a dedicated trap receiver that writes to a message queue.
Should I disable SNMP polling if I use traps?
No. Traps and polling serve different purposes. Polling provides continuous metrics for trending and capacity planning. Traps provide instant event notification. Use both together for comprehensive monitoring. Polling also serves as a backup — if a trap is lost, the next poll will still detect the issue.
How do I handle trap storms?
Configure event correlation in your NMS to suppress downstream alerts when an upstream device is unreachable. Set rate limits on the trap receiver. Use maintenance windows during planned changes. In Zabbix, use "Cause and symptom" event pairing to automatically link related events.