Trigger EEM applets with SNMP Informs

From CT3

By Ivan Pepelnjak

Event Manager version 2.4 (first available in Cisco IOS release 12.4(20)T) added the snmp-notification event, which triggers an EEM applet (or Tcl policy) when the router receives an SNMP trap or inform packet. This functionality can be used to trigger execution of EEM applets from a network management workstation.

Router configuration

Use the following steps to trigger an EEM event with an SNMP inform message:

  • Configure an SNMP community that will be used between the remote host and the router. The community does not need RW access (which is required for SNMP SET operations).

snmp-server community String RO

  • Enable processing of incoming SNMP traps and informs with the snmp-server manager global configuration command.

snmp-server manager

  • Define an EEM applet with the snmp-notification event.

event manager applet name
 event snmp-notification oid numeric-OID oid-val value op eq|ne|gt|lt →
   [src-ip-address ip-address] [dest-ip-address ip-address]

Usage guidelines:

  • The snmp-notification event has to match one of the SNMP variables sent in the SNMP inform message. The SNMP trap type is ignored.
  • The SNMP variable is specified with the oid parameter, which only takes the numeric dotted decimal notation. You cannot use symbolic SNMP variable names (although Cisco IOS uses them elsewhere).
  • The source and destination IP addresses are optional and can be used to limit the EEM event to traps received from a single remote host.
  • The EEM applet is configured (registered with Event Manager) only after you’ve exited the event manager configuration mode. Debugging the applet while you’re still configuring it will yield invalid results.

Sample router configuration

We want to trigger the HostRequest EEM applet from the remote host with IP address 10.17.0.2. The host will send the warmStart trap from the standard SNMP MIB (the trap type is ignored by EEM) with the sysDescr variable set to the value test (you can define multiple applets that test different values of the same variable). The SNMP community xText is used between the remote host and the router.

EEM applet triggered by SNMP trap sent by a remote host

snmp-server community xText RO
snmp-server manager
!
event manager applet HostRequest
 event snmp-notification oid 1.3.6.1.2.1.1.1.0 oid-val "test" op eq src-ip-address 10.17.0.2
 action 1.0 syslog priority informational msg "Trap received" 

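The OID of the sysDescr variable can be found with SNMP tools available on Cisco’s web site or with the snmptranslate utility available in the Net-SNMP package. The applet matches the scalar instance sysDescr.0, so append .0 to the OID the utility returns.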

root@unix# snmptranslate -On -IR sysDescr
.1.3.6.1.2.1.1.1

UNIX host configuration

Most Linux distributions include the Net-SNMP package. The Net-SNMP web site also provides source files, RPM packages and Windows executables. The Fedora 10 distribution includes the core net-snmp modules; the command line utilities are available in the net-snmp-utils package and have to be installed manually:

root@fedora# yum install net-snmp-utils

The net-snmp distribution includes numerous standard SNMP MIBs; they are usually stored in /usr/share/snmp/mibs. If you use SNMP traps available in the standard MIBs (our sample code uses the warmStart trap from the SNMPv2 MIB), you don’t have to write your own MIB definition (the trap type is ignored by EEM).

The following command is used to send the SNMP trap to the router:

root@unix# snmptrap -v 2c -c xText -Ci 10.17.0.1 '' SNMPv2-MIB::warmStart sysDescr.0 s 'test'

The command parameters have the following meaning:

Parameter               Meaning
-v 2c                   Use SNMP version 2 trap/inform
-c xText                SNMP community
-Ci                     Use INFORM message (to ensure reliable delivery)
10.17.0.1               Remote IP address
''                      Uptime parameter of the SNMP trap. If you specify a blank value, the snmptrap command inserts the actual system uptime.
SNMPv2-MIB::warmStart   SNMP trap OID
sysDescr.0 s 'test'     SNMP trap variable. You have to specify the variable OID, its data type (s = string) and its value ('test').

Debugging

The debug snmp packet command can be used on the router to verify that the router receives the SNMP trap/inform packet and replies to it.

rtr#debug snmp packet
SNMP packet debugging is on
rtr#
15:36:56: SNMP: Packet received via UDP from 10.17.0.2 on FastEthernet0/1
15:36:56: SNMP: Inform request, reqid 1933144980, errstat 0, erridx 0 
 sysUpTime.0 = 29563722 
 snmpTrapOID.0 = snmpTraps.2 
 system.1.0 = test
15:36:56:  dest ip addr= 10.17.0.1
15:36:56:  dest if_index = 2
15:36:56: SNMP: Response, reqid 1933144980, errstat 0, erridx 0
15:36:56: SNMP: Packet sent via UDP to 10.17.0.2.42171

The debug event manager detector snmp-notification command is used to debug the EEM event detector. The debugging printouts indicate when a trap was received and whether the SNMP values in the incoming packet match the values specified in the event snmp-notification command.

c7200#debug event manager detector snmp-notification 
Debug EEM SNMP NOTIFICATION Event Detector debugging is on
c7200#
15:38:54: snmp_value_string_compare:op1=test op2=test ret=TRUE
15:38:54: fh_fd_snmp_proxy_trap_msgs:trap received match src ip addr 10.17.0.2 →
  dest I/F FastEthernet0/1, dest ip address 10.17.0.1 oid 1.3.6.1.2.1.1.1.0 oid_val test
15:38:54: snmp_proxy_pubinfo_enqueue: xml data size = 1556
15:38:54: snmp_proxy_pubinfo_enqueue: data saved to file = tmpsys:/eem_pub/fh_fd_sp_in_30
15:38:54: fh_send_snmp_proxy_fd_msg: msg_type=64
15:38:54: fh_send_snmp_proxy_fd_msg: sval=0

The -d option of the snmptrap command prints a binary dump of the SNMP packets. It can be used to verify that the router acknowledges the inform message.

[root@fedi snmp]# snmptrap -v 2c -c xText -Ci -d 10.17.0.1 '' SNMPv2-MIB::warmStart sysDescr.0 s 'test'

Sending 89 bytes to UDP: [10.17.0.1]:162->[0.0.0.0]
0000: 30 57 02 01  01 04 05 78  54 65 78 74  A6 4B 02 04    0W.....xText.K..
0016: 48 A8 E9 E0  02 01 00 02  01 00 30 3D  30 10 06 08    H.........0=0...
0032: 2B 06 01 02  01 01 03 00  43 04 01 C3  49 4F 30 17    +.......C...IO0.
0048: 06 0A 2B 06  01 06 03 01  01 04 01 00  06 09 2B 06    ..+...........+.
0064: 01 06 03 01  01 05 02 30  10 06 08 2B  06 01 02 01    .......0...+....
0080: 01 01 00 04  04 74 65 73  74                          .....test


Received 28 bytes from UDP: [10.17.0.1]:49750->[0.0.0.0]
0000: 30 1A 02 01  01 04 05 78  54 65 78 74  A2 0E 02 04    0......xText....
0016: 48 A8 E9 E0  02 01 00 02  01 00 30 00                 H.........0.
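
The two dumps above can be decoded to confirm the acknowledgement byte by byte. The following Python sketch is an added example, not part of the original article or of Net-SNMP; the function names are hypothetical. It parses the BER encoding of both packets, checks that the router's Response PDU carries the same request ID as the inform with no error, and shows that the community string travels in cleartext in both directions.

```python
# Bytes copied from the two "snmptrap -d" dumps above (offset and ASCII columns dropped).
INFORM = bytes.fromhex(
    "30 57 02 01 01 04 05 78 54 65 78 74 A6 4B 02 04 48 A8 E9 E0 02 01 00 02 01 00 30 3D 30 10 06 08"
    "2B 06 01 02 01 01 03 00 43 04 01 C3 49 4F 30 17 06 0A 2B 06 01 06 03 01 01 04 01 00 06 09 2B 06"
    "01 06 03 01 01 05 02 30 10 06 08 2B 06 01 02 01 01 01 00 04 04 74 65 73 74")
RESPONSE = bytes.fromhex("30 1A 02 01 01 04 05 78 54 65 78 74 A2 0E 02 04 48 A8 E9 E0 02 01 00 02 01 00 30 00")
PDU_NAMES = {0xA2: "response", 0xA6: "inform-request", 0xA7: "snmpV2-trap"}

def fields(buf):
    """Split a buffer into its BER (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: low 7 bits give the length's byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated BER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def oid(raw):  # BER OBJECT IDENTIFIER -> dotted-decimal string
    arcs = [raw[0] // 40, raw[0] % 40, 0]  # last slot accumulates the next arc
    for byte in raw[1:]:
        arcs[-1] = (arcs[-1] << 7) | (byte & 0x7F)   # base 128, high bit = "more bytes"
        if not byte & 0x80:
            arcs.append(0)
    return ".".join(map(str, arcs[:-1]))

def decode(packet):
    """Decode an SNMPv2c message: community, PDU type, request id, error status, varbinds."""
    (_, msg), = fields(packet)                               # outer SEQUENCE
    _version, (_, community), (pdu_tag, pdu) = fields(msg)
    (_, reqid), (_, errstat), _erridx, (_, vblist) = fields(pdu)
    varbinds = {}
    for _, vb in fields(vblist):
        (_, name), (vtag, val) = fields(vb)
        varbinds[oid(name)] = (oid(val) if vtag == 0x06 else              # OBJECT IDENTIFIER
                               val.decode("ascii", "replace") if vtag == 0x04 else  # OCTET STRING
                               int.from_bytes(val, "big"))                # INTEGER, TimeTicks, ...
    return {"community": community.decode("ascii", "replace"), "varbinds": varbinds,
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "error_status": int.from_bytes(errstat, "big"),
            "request_id": int.from_bytes(reqid, "big", signed=True)}

def acknowledged(inform, response):  # error-free Response PDU echoing the inform's request id?
    req, rsp = decode(inform), decode(response)
    return (req["pdu"] == "inform-request" and rsp["pdu"] == "response"
            and rsp["request_id"] == req["request_id"] and rsp["error_status"] == 0)
```

The decoded sysDescr.0 varbind (1.3.6.1.2.1.1.1.0 = test) is the value the EEM detector compares against oid-val in the applet.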