Rackpad can poll devices over SNMP, receive SNMP traps, reflect interface link-state, and (optionally) sync VLANs and subnets from network gear into IPAM.
This is the operator/admin guide. For implementation status, phase tracking, and the outstanding backlog, see
SNMP_IMPLEMENTATION_PLAN.md.
- SNMP monitors (v1 / v2c / v3) alongside ICMP / TCP / HTTP / HTTPS checks
- IF-MIB interface monitoring — per-port link state, with
ifHighSpeedused to fill in a port's speed when it's blank - SNMP-verified badges in Ports, the Dashboard, and the Visualizer
- Trap receiver (v1 / v2c) for
linkUp/linkDownwith device auto-learn - Inventory sync (opt-in) — preview/apply VLANs and subnets from a device into IPAM; DHCP scopes are preview-only for now
- Make sure the device has SNMP enabled with a read-only community string.
- In Rackpad, open Monitoring (or a device's Monitoring tab) and add a monitor of type SNMP.
- Choose version v2c, enter the community string and the OID to check
(e.g. an
ifOperStatusOID for a port), pick a match mode, and save. - Run the check. The result and any linked port's link-state update on success.
A read-only community string per monitor. Simple; the community travels in cleartext, so keep SNMP on a trusted management network.
SNMPv3 adds auth + privacy. Credentials are stored per lab, encrypted at rest (AES-256-GCM):
- Set
RACKPAD_SECRET_KEYbefore storing any v3 credential (see env table). Generate one withopenssl rand -hex 32. Without it, saving v3 credentials fails — v1/v2c and the other monitor types still work. - Open a device's Monitoring / SNMP area and add SNMPv3 credentials (security name, auth protocol + key, privacy protocol + key).
- Create an SNMP monitor that uses v3.
Rotating RACKPAD_SECRET_KEY invalidates stored v3 secrets — re-enter them after a
key change.
An SNMP monitor can be linked to a specific port via its ifIndex. When linked,
poll results (and matching traps) drive the port's link-state badge across Ports,
the Dashboard, and the Visualizer. Discover/import reads IF-MIB so a port's speed
can be auto-filled from ifHighSpeed when it isn't set manually.
Rackpad runs a UDP trap receiver at startup.
- Default port: 1162 (unprivileged on purpose, so containers don't need extra capabilities). Forward your network's standard 162 → 1162 upstream, or point agents directly at 1162.
- Docker: publish the port, e.g.
-p 1162:1162/udp(or use host networking). - Incoming v1/v2c
linkUp/linkDowntraps update the matching monitor/port; an unknown source IP is auto-learned to a device when possible. Duplicate traps are de-duplicated within ~30s. - SNMPv3
linkUp/linkDowntraps are supported for authenticated and encrypted USM credentials. Map the trap source, device, or SNMP monitor to the matching lab credential so Rackpad can validate and decrypt the packet.
Configure with SNMP_TRAP_ENABLED, SNMP_TRAP_PORT, SNMP_TRAP_BIND (see table).
Receiver status is reported on /api/health and /api/snmp-traps/status.
Off by default. Set SNMP_INVENTORY_SYNC=1 to enable it, then use the SNMP sync
panel on a device's detail page to preview a diff and apply it.
- Applies: VLANs and subnets read from the device (Q-BRIDGE VLANs, IP-MIB subnets) into the active lab's IPAM.
- Preview only: DHCP scopes (apply is on the roadmap).
- Safety: sync is a merge/mirror that never silently deletes existing assignments — review the preview before applying.
- Profiles: a generic profile set ships today (Q-BRIDGE VLANs + IP-MIB subnets). Vendor-specific profiles (pfSense/OPNsense, UniFi, …) are not in yet.
| Variable | Default | Purpose |
|---|---|---|
RACKPAD_SECRET_KEY |
(unset) | Encrypts SNMPv3 credential secrets. Required only to store v3 credentials. Use a long random value (openssl rand -hex 32). |
SNMP_INVENTORY_SYNC |
0 |
Set 1 to enable VLAN/subnet sync (DHCP preview-only). |
SNMP_TRAP_ENABLED |
1 |
Enable/disable the trap receiver. |
SNMP_TRAP_PORT |
1162 |
UDP port the trap receiver binds. |
SNMP_TRAP_BIND |
0.0.0.0 |
Interface the trap receiver binds to. |
- Keep SNMP on a trusted management network; prefer v3 where possible.
- Treat community strings as secrets — they are read-only but still grant device visibility.
- Store
RACKPAD_SECRET_KEYoutside the repo (env / secrets manager); back it up, since losing it makes stored v3 secrets unreadable.
Not yet available (tracked in the implementation plan → Outstanding work):
- pfSense/OPNsense and other vendor-specific profiles
- DHCP scope sync apply (preview only today)
- Scheduled/automatic sync
- SNMPv3 traps
regexSNMP match mode