SNMP Proxy

A very little known feature of SNMP is the proxy. You can configure a good SNMP agent to proxy requests to an other SNMP entity. In this article I want do cast some light on this feature. I use it to request performance data form a switch that speaks only IPv4 while the transport network between the management station and the agents is IPv6.


Why would someone proxy SNMP request? There are some good reasons to do this. You need the proxy function always if no direct communication between the manager and the agent is possible. This happens if hosts are located in a network with private RFC 1918 addresses behind a NAT device or a firewall. The management station can only communicate with one proxy host in that network.

In my case I have a network with some routers, switches and servers at home and a network management station (OpenNMS) in the internet. The providers here in Germany reset your internet connection every 24 hours and you get a new IPv4 address when you reconnect. To access all my internal devices I use IPv6. I have a tunnel from sixxs net and a subnet behind that tunnel. All IPv6 addresses are static and so I do not need any dynamic DNS provider.

The only problem is, that some old devices cannot speak IPv6. So my management system cannot communicate directly with these devices. That is when I found out about the SNMP proxy. I can use it not only for accessing devices behind a fireawall or NAT, but the proxy also works as a translator between IPv6 and IPv4.

Sketch of the network setup.

Sketch of the network setup. The NMS talks to the server with IPv6 and the server pxroxies the request of to the switch with IPv4.

But you can do a lot more weired things with a SNMP proxy. For details see the explanation page of SNMP Research International.

Configuration of the net-snmp Agent

On my server at home I use the open source net-snmp agent. Since I want to proxy the complete requests to an other system I need a criterium what requests to process locally and what requests forward to the remote system. SNMP defines to use the context in this case. The web site of net-snmp documents the proxy configuration.

In the agent I configure a full VACM definition for the proxy access in snmpd.conf:

# com2sec6 [-Cn CONTEXT]   SECNAME          SOURCE    COMMUNITY
com2sec6   -Cn oldswitch   notConfigUser6   default   oldpublic

# group    GROUP           {v1|v2c|usm}     SECNAME
group      OLDSWITCH       v2c              notConfigUser6

# view     VNAME           TYPE             OID   [MASK]
view       all             included         .1

# access   GROUP           CONTEXT          {any|v1|v2c|usm}  LEVEL  PREFX  READ WRITE NOTIFY
access     OLDSWITCH       oldswitch        v2c               noauth exact  all  none  none

This defines the context oldswitch whenever the community string oldpublic is used. Now I can use that context to proxy the request to the old switch

# proxy [-Cn CONTEXTNAME]  [SNMPCMD_ARGS]    HOST         OID
proxy   -Cn oldswitch      -v 2c -c public  .1.3

This configuration line defines that all incomming requests in the context oldswitch are forwarded to my old switch that does not speak IPv6 and only has a private address. In the example above I use a documentation address. Please note that the OID must be .1.3, not just the .1. You will not get any entries from OIDs not in that branch. I.e. the LLDP MIB is found unter 1.0.8802, so with a proxy you will not be able to retrieve LLDP data from your switch.

Accessing the SNMP Data

From my management station I can test the proxy function. First I access the agent on my server without the proxy function:

# snmpgetnext -v 2c -c public udp6:2001:db8::10 sysName
SNMPv2-MIB::sysName.0 = STRING: server01

When I use the community string for the old switch, the request is forwarded to the old switch and I get its answer:

# snmpgetnext -v 2c -c oldpublic udp6:2001:db8::10 sysName
SNMPv2-MIB::sysName.0 = STRING: switch02

SNMP Proxy in OpenNMS

Of course you can configure the proxy also in every good monitoring system. I use OpenNMS. The SNMP proxy is configured in the definition file for the SNMP access. My old switch needs a separate entry:

<snmp-config xmlns="" version="v2c" \
    read-community="public" timeout="1800" retry="1">
  <definition write-community="private" read-community="oldswitch" proxy-host="2001:db8::10" port="161">

Now the management system accesses the SNMP data through the proxy and you get all the data needed.


Comments are closed.