-- *****************************************************************
-- CISCO-ACL-MIB
--
-- Definitions of managed objects describing Cisco Access Control
-- Lists.
--
-- March 2013, Kapil Jain, Jorge Serpa
--
-- Copyright (c) 2013 by Cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************

CISCO-ACL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter64, Unsigned32, Integer32
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, RowStatus
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddressType, InetPortNumber, InetAddress
        FROM INET-ADDRESS-MIB
    ifIndex
        FROM IF-MIB
    CiscoIpProtocol
        FROM CISCO-TC
    ciscoMgmt
        FROM CISCO-SMI;

ciscoACLMIB MODULE-IDENTITY
    LAST-UPDATED    "201303270000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        "Cisco Systems
        Customer Service

        Postal: 170 West Tasman Drive
        San Jose, CA 95134
        USA

        Tel: +1 800 553-NETS

        E-mail: cs-snmp@cisco.com"
    DESCRIPTION
        "This MIB module defines objects that describe Cisco Access
        Control Lists (ACL).

        This MIB describes different objects that enable the network
        administrator to remotely configure ACLs, apply them to
        interfaces and monitor their usage statistics.

        A typical application of this MIB module will facilitate
        monitoring of ACL match (sometimes referred to as hit) counts.
        However, by no means does the definition of this MIB module
        prevent other applications from using it.

        An ACL is an ordered list of statements that deny or permit
        packets based on matching fields contained within the packet
        header (layer 3 source and destination addresses, layer 4
        protocol, layer 4 source and destination port numbers, etc.)
        In addition there is an implicit *Deny All* at the end of the
        ACL.

        ACLs are used to perform packet filtering to control which
        packets are allowed through the network. Such control can help
        limit network traffic, and restrict the access of applications
        and devices on the network.
        Each one of these statements is referred to as an Access List
        Control Entry (ACE).

        Here is an example of an ACL configuration.

        ipv4 access-list V4Example
          10 permit tcp any any
        !
        ipv6 access-list V6Example
          10 permit tcp any any
        !

        The mechanism for monitoring ACL usage is configuring a counter
        label in the desired ACEs. A counter label is a name that is
        given to a counter and is defined in any ACE. ACEs that share
        the same counter label name will have their counters aggregated
        into the same label.

        Here is an example of how to use counter labels.

        ipv4 access-list V4CounterExample
          10 permit tcp any any counter CountPermits
          20 permit udp any any counter CountPermits

        The same applies to IPv6 ACLs.

        This MIB consists of the following tables:

        * caAclCfgTable
          Defines the ACLs configured in the device.

        * caAclIPV4ACECfgTable
          Defines the ACEs that make up an IPV4 ACL.

        * caAclIPV6ACECfgTable
          Defines the ACEs that make up an IPV6 ACL.

        * caAclAccessGroupCfgTable
          Defines the Access Control Groups (ACG) applied to
          interfaces on the device.

        * caAclLabelIntfStatsTable
          Defines the statistics for a specific ACE with counter
          labels attached to interfaces on the device."
    REVISION        "201303270000Z"
    DESCRIPTION
        "The initial version of this MIB module."
    ::= { ciscoMgmt 808 }

-- ********************************************************************
-- * Top-Level Trees *
-- ********************************************************************

caAclMIBObjects         OBJECT IDENTIFIER ::= { ciscoACLMIB 1 }
caAclMIBConformance     OBJECT IDENTIFIER ::= { ciscoACLMIB 2 }
caAclConfiguration      OBJECT IDENTIFIER ::= { caAclMIBObjects 1 }
caAclStats              OBJECT IDENTIFIER ::= { caAclMIBObjects 2 }
caAclMIBACEConform      OBJECT IDENTIFIER ::= { caAclMIBConformance 1 }
caAclMIBACECompliances  OBJECT IDENTIFIER ::= { caAclMIBACEConform 1 }
caAclMIBCfgGroups       OBJECT IDENTIFIER ::= { caAclMIBACEConform 2 }

-- ********************************************************************
-- * Textual Conventions *
-- ********************************************************************

CaAclTrafficDirection ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the direction of the ACL

        ingress - in the ingress (input) direction,
        egress - in the egress (output) direction."
    SYNTAX          INTEGER {
                        ingress(1),
                        egress(2)
                    }

CaAclACLIndex ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "d"
    STATUS          current
    DESCRIPTION
        "A unique value, greater than zero, for each ACL name in the
        managed system. It is recommended that these values be
        assigned contiguously starting from 1. The value for each ACL
        name must remain constant at least from one re-initialization
        of the entity's network management system to the next
        re-initialization."
    SYNTAX          Unsigned32 (1..4294967295)

CaAclSequenceNumber ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "d"
    STATUS          current
    DESCRIPTION
        "An unsigned 32-bit integer value."
    SYNTAX          Unsigned32 (1..4294967295)

CaAclPortOperator ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual convention represents the operator that will be
        applied on the transport layer source/destination ports. The
        port in packets to be filtered and the port (or port range in
        case of range(5)).

        lt(1) - match ports that are smaller than the configured
                value.
        gt(2) - match ports that are greater than the configured
                value.
        eq(3) - match ports that are equal to the configured value.
        neq(4) - match ports that are not equal to the configured
                value.
        range(5) - match ports in the range of configured values,
                inclusive."
    SYNTAX          INTEGER {
                        lt(1),
                        gt(2),
                        eq(3),
                        neq(4),
                        range(5)
                    }

CaAclAction ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the action to be taken on
        packets that match the ACE.

        permit(1) the packet will be considered for further
                  processing.
        deny(2) the packet will be dropped without any further
                  processing."
    SYNTAX          INTEGER {
                        permit(1),
                        deny(2)
                    }

CaAclLogOption ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the log option that is to be
        applied to an ACE. Currently the options are log-input and
        log. The difference between log and logInput is that logInput
        logs all the information as in log, with the addition of
        ingress interface as well as the MAC address of the device
        that last handled the packet."
    SYNTAX          INTEGER {
                        log(1),
                        logInput(2)
                    }

CaAclTcpFlagsMatch ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "An enumeration value indicating the type of matching that is
        to be done on the TCP flags field of the packet, providing
        that the packet being filtered is a TCP packet.

        matchAny(1) - take caAclAction if any of TCP flags in the
                      packet match the configured value.
        matchAll(2) - take caAclAction only if all the TCP flags in
                      packet match the configured value.
        matchNone(3) - take caAclAction only if none of the TCP flags
                      in the packet match the configured value."
    SYNTAX          INTEGER {
                        matchAny(1),
                        matchAll(2),
                        matchNone(3)
                    }

CaAclPrecedenceValue ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "An enumeration value indicating the value of the precedence
        field. It is specified as a number between 0 and 7, as
        defined in RFC-791."
    SYNTAX          INTEGER {
                        routine(0),
                        priority(1),
                        immediate(2),
                        flash(3),
                        flashOverride(4),
                        critical(5),
                        internet(6),
                        network(7)
                    }

-- ********************************************************************
-- ACL entry table *
-- ********************************************************************

caAclCfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclCfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of ACL definitions. Each entry in this table defines
        a unique IPV4 or IPV6 ACL."
    ::= { caAclConfiguration 1 }

caAclCfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclCfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclTable. Each entry of this table
        consists of acl index and the address type. This is so that
        the table may contain both IPV4 and IPV6 ACLs."
    INDEX           {
                        caAclIndex,
                        caAclAddressType
                    }
    ::= { caAclCfgTable 1 }

CaAclCfgTableEntry ::= SEQUENCE {
        caAclIndex       CaAclACLIndex,
        caAclAddressType InetAddressType,
        caAclName        SnmpAdminString,
        caAclRowStatus   RowStatus
}

caAclIndex OBJECT-TYPE
    SYNTAX          CaAclACLIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An arbitrary (system assigned) index for each ACL name. The
        index is unique for each ACL name in the device, but is
        further qualified by the address family.

        For example, consider the following configuration:

        ipv4 access-list ACL1
          10 permit ipv4 any any
        !
        ipv6 access-list ACL1
          10 permit ipv6 any any

        In this case the caAclIndex value for both ACLs will be the
        same."
    ::= { caAclCfgTableEntry 1 }

caAclAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object defines the address family of the ACL."
    ::= { caAclCfgTableEntry 2 }

caAclName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "A string that identifies the ACL name."
    ::= { caAclCfgTableEntry 3 }

caAclRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry in
        the caAclTable.

        A row can be created using the 'CreateAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent.

        Once a row becomes active, values in any other column within
        the row cannot be modified.

        A row may be deleted by setting the RowStatus to 'destroy'."
    ::= { caAclCfgTableEntry 4 }

-- ********************************************************************
-- IPV4 ACE entry table *
-- ********************************************************************

caAclIPV4ACECfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclIPV4ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of IPV4 ACE definitions. The ACE definition controls
        whether packets are accepted or rejected. The access control
        may be applied before sending the packet to the forwarding
        engine, or may be applied after the packet is processed by the
        forwarding engine.

        If two ACE entries with the same sequence number are
        configured the latter will overwrite the former."
    ::= { caAclConfiguration 2 }

caAclIPV4ACECfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclIPV4ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclIPV4ACLTable. Each entry of this
        table consists of a set of match criteria for a given ACL."
    INDEX           {
                        caAclIndex,
                        caAclAddressType,
                        caAclIPV4ACESequenceNumber
                    }
    ::= { caAclIPV4ACECfgTable 1 }

CaAclIPV4ACECfgTableEntry ::= SEQUENCE {
        caAclIPV4ACESequenceNumber          CaAclSequenceNumber,
        caAclIPV4ACEAction                  CaAclAction,
        caAclIPV4ACEProtocol                CiscoIpProtocol,
        caAclIPV4ACESourceAddress           InetAddress,
        caAclIPV4ACESourceWildCardMask      InetAddress,
        caAclIPV4ACESourceNetworkGroup      SnmpAdminString,
        caAclIPV4ACESourcePortOperator      CaAclPortOperator,
        caAclIPV4ACESourcePort              InetPortNumber,
        caAclIPV4ACESourcePortUpper         InetPortNumber,
        caAclIPV4ACESourcePortGroup         SnmpAdminString,
        caAclIPV4ACEDestinationAddress      InetAddress,
        caAclIPV4ACEDestinationWildCardMask InetAddress,
        caAclIPV4ACEDestinationNetworkGroup SnmpAdminString,
        caAclIPV4ACEDestinationPortOperator CaAclPortOperator,
        caAclIPV4ACEDestinationPort         InetPortNumber,
        caAclIPV4ACEDestinationPortUpper    InetPortNumber,
        caAclIPV4ACEDestinationPortGroup    SnmpAdminString,
        caAclIPV4ACEDscpValue               Unsigned32,
        caAclIPV4ACETcpFlagsValue           Unsigned32,
        caAclIPV4ACETcpFlagsMask            Unsigned32,
        caAclIPV4ACETcpFlagsMatchType       CaAclTcpFlagsMatch,
        caAclIPV4ACETosValue                Unsigned32,
        caAclIPV4ACEPrecedenceValue         CaAclPrecedenceValue,
        caAclIPV4ACELogOption               CaAclLogOption,
        caAclIPV4ACECounterLabel            SnmpAdminString,
        caAclIPV4ACERemark                  SnmpAdminString,
        caAclIPV4ACERowStatus               RowStatus
}

caAclIPV4ACESequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies an ACE within an ACL.
        Sequence numbers are assigned to each permit/deny statement,
        causing the system to insert the statement in that numbered
        position within the ACL.

        If two ACE entries with the same sequence number are
        configured, the latter one will overwrite the former."
    ::= { caAclIPV4ACECfgTableEntry 1 }

caAclIPV4ACEAction OBJECT-TYPE
    SYNTAX          CaAclAction
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the type of action to be taken if the
        packet matches the given criteria.
        If it is set to permit(1), all packets matching this ACE will
        be allowed for further processing.

        If it is set to deny(2), all packets matching this ACE will be
        discarded."
    ::= { caAclIPV4ACECfgTableEntry 2 }

caAclIPV4ACEProtocol OBJECT-TYPE
    SYNTAX          CiscoIpProtocol
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object identifies the layer 3 protocol type to be
        filtered by the ACE. Protocol numbers are defined in the
        Network Working Group Request For Comment documents."
    REFERENCE
        "RFC-790, Assigned Numbers, September 1981, Section Assigned
        Internet Protocol Numbers."
    ::= { caAclIPV4ACECfgTableEntry 3 }

caAclIPV4ACESourceAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host
        from which the packet is being sent.

        If this object value is 0.0.0.0 and the value of
        caAclIPV4ACESourceWildCardMask object in the same entry is
        255.255.255.255, this entry matches any source address.

        If this object value is not 0.0.0.0 and the value of
        caAclIPV4ACESourceWildCardMask is 0.0.0.0, this entry matches
        specific host address defined in this object."
    ::= { caAclIPV4ACECfgTableEntry 4 }

caAclIPV4ACESourceWildCardMask OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the mask of wild card address bits for
        caAclIPV4ACESourceAddress. Wild card masking is to indicate to
        the system whether to check or ignore the corresponding IP
        address bits when comparing the address bits in an ACL to a
        packet being submitted to the ACL. The default wild card mask
        is 0.0.0.0. The wild card mask is the inverse of a regular
        subnet mask. If the mask value 0.0.0.255 is applied to
        1.2.3.0."
    ::= { caAclIPV4ACECfgTableEntry 5 }

caAclIPV4ACESourceNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Network Object Group from
        which the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 6 }

caAclIPV4ACESourcePortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed to the
        layer source port field. Source port fields are present only
        for IGMP, ICMP, SCTP, TCP, and UDP protocols. If
        caAclIPV4ACEProtocol is none of the ones listed above, this
        field should be set to noOperator(1), which means no
        comparison is to be performed.

        If this field is set to range(5) then two port numbers are
        necessary. I.e., Both caAclIPV4ACESourcePort and
        caAclIPV4ACESourcePortUpper need to be provided."
    ::= { caAclIPV4ACECfgTableEntry 7 }

caAclIPV4ACESourcePort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the source port number of the layer 4
        protocol. This is the field to be matched with the specified
        source port based on the caAclIPV4ACESourcePortOperator.

        If caAclIPV4ACESourcePortOperator is range(5) then this object
        will have the inclusive lower bound of the source port range
        that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 8 }

caAclIPV4ACESourcePortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        source port range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 9 }

caAclIPV4ACESourcePortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group from which
        the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 10 }

caAclIPV4ACEDestinationAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host to
        which the packet is being sent.
        If this object value is 0.0.0.0 and the value of
        caAclIPV4ACLDestinationWildCardMask object in the same entry
        is 255.255.255.255, this entry matches any source IP address.

        If this object value is not 0.0.0.0 and the value of
        caAclIPV4ACLDestinationWildCardMask is 0.0.0.0, this entry
        matches the specific host address defined in this object."
    ::= { caAclIPV4ACECfgTableEntry 11 }

caAclIPV4ACEDestinationWildCardMask OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the mask of wild card address bits for
        caAclIPV4ACLDestinationAddress. Wild card masking is to
        indicate to the system whether to check or ignore the
        corresponding IP address bits when comparing the address bits
        in an ACE to a packet being submitted to the ACE. The default
        wild card mask is 0.0.0.0. The wild card mask is the inverse
        of a regular subnet mask. If the mask value 0.0.0.255 is
        applied to the address 1.2.3.4, it will match all traffic from
        subnet 1.2.3.0."
    ::= { caAclIPV4ACECfgTableEntry 12 }

caAclIPV4ACEDestinationNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Destination Network Object Group to
        which the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 13 }

caAclIPV4ACEDestinationPortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed to the
        layer destination port field. Source port fields are present
        only for IGMP, ICMP, SCTP, TCP, and UDP protocols. If
        caAclIPV4ACLProtocol is none of the ones listed above, this
        field should be set to noOperator(1), which means no
        comparison is to be performed.

        If this field is set to range(5) then two port numbers are
        necessary. I.e., Both caAclIPV4ACEDestinationPort and
        caAclIPV4ACEDestinationPortUpper need to be provided."
    ::= { caAclIPV4ACECfgTableEntry 14 }

caAclIPV4ACEDestinationPort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the destination port number of the layer
        4 protocol. This is the field to be matched with the specified
        destination port based on the caAclIPV4ACLSourceOperator.

        If caAclIPV4ACLDestinationOperator is range(5) then this
        object will have the inclusive lower bound of the destination
        port range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 15 }

caAclIPV4ACEDestinationPortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        destination port range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 16 }

caAclIPV4ACEDestinationPortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group to which the
        packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 17 }

caAclIPV4ACEDscpValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..63)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the dscp value that will be considered in
        the match criteria against the value in the packet."
    ::= { caAclIPV4ACECfgTableEntry 18 }

caAclIPV4ACETcpFlagsValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the TCP flags which will be
        considered in the match criteria based on
        caAclIPV4ACLTcpFlagsMatchType. Users can select any desired
        combination of the TCP flags on which to filter TCP packets."
    ::= { caAclIPV4ACECfgTableEntry 19 }

caAclIPV4ACETcpFlagsMask OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the mask value of the TCP flags field."
    ::= { caAclIPV4ACECfgTableEntry 20 }

caAclIPV4ACETcpFlagsMatchType OBJECT-TYPE
    SYNTAX          CaAclTcpFlagsMatch
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the type of matching to be done on the
        TCP flags field."
    ::= { caAclIPV4ACECfgTableEntry 21 }

caAclIPV4ACETosValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..16)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the TOS field to be
        filtered. Packets can be filtered by the TOS level as
        specified by a number from 0 to 15. Use the value 16 to
        indicate that the TOS field should be ignored during
        matching."
    ::= { caAclIPV4ACECfgTableEntry 22 }

caAclIPV4ACEPrecedenceValue OBJECT-TYPE
    SYNTAX          CaAclPrecedenceValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the value of the precedence field to be
        filtered."
    REFERENCE
        "RFC-791, Internet Protocol Darpa Internet Program Protocol
        Specification, September 1981."
    ::= { caAclIPV4ACECfgTableEntry 23 }

caAclIPV4ACELogOption OBJECT-TYPE
    SYNTAX          CaAclLogOption
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the log option field to be
        applied to packets that match this ACE entry."
    ::= { caAclIPV4ACECfgTableEntry 24 }

caAclIPV4ACECounterLabel OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the counter label name for this ACE. ACEs
        that share the same counter label name will have their hit
        counts aggregated into the same counter label name."
    ::= { caAclIPV4ACECfgTableEntry 25 }

caAclIPV4ACERemark OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..100))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines a comment in the ACL. It helps the user
        to define some meaningful comment to identify the ACE quickly,
        or to know the purpose of a set of ACEs. This field is not
        used during packet matching."
    ::= { caAclIPV4ACECfgTableEntry 26 }

caAclIPV4ACERowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry in
        the caAclIPV4ACLTable.

        A row can be created using the 'CreateAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent.

        A row may be deleted by setting the RowStatus to 'destroy'.
        The minimum objects required to delete a row in this table is
        simply the sequence number (caAclIPV4ACESequenceNumber)."
    ::= { caAclIPV4ACECfgTableEntry 27 }

-- ********************************************************************
-- IPV6 ACE entry table *
-- ********************************************************************

caAclIPV6ACECfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclIPV6ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of IPV6 ACE definitions. The ACE definition controls
        whether packets are accepted or rejected. The access control
        may be applied before sending the packet to the forwarding
        engine, or may be applied after the packet is processed by the
        forwarding engine."
    ::= { caAclConfiguration 3 }

caAclIPV6ACECfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclIPV6ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclIPV6ACLTable. Each entry of this
        table consists of a set of match criteria for a given ACL."
    INDEX           {
                        caAclIndex,
                        caAclAddressType,
                        caAclIPV6ACESequenceNumber
                    }
    ::= { caAclIPV6ACECfgTable 1 }

CaAclIPV6ACECfgTableEntry ::= SEQUENCE {
        caAclIPV6ACESequenceNumber          CaAclSequenceNumber,
        caAclIPV6ACEAction                  CaAclAction,
        caAclIPV6ACEProtocol                CiscoIpProtocol,
        caAclIPV6ACESourceAddress           InetAddress,
        caAclIPV6ACESourcePrefixLength      Integer32,
        caAclIPV6ACESourceNetworkGroup      SnmpAdminString,
        caAclIPV6ACESourcePortOperator      CaAclPortOperator,
        caAclIPV6ACESourcePort              InetPortNumber,
        caAclIPV6ACESourcePortUpper         InetPortNumber,
        caAclIPV6ACESourcePortGroup         SnmpAdminString,
        caAclIPV6ACEDestinationAddress      InetAddress,
        caAclIPV6ACEDestinationPrefixLength Integer32,
        caAclIPV6ACEDestinationNetworkGroup SnmpAdminString,
        caAclIPV6ACEDestinationPortOperator CaAclPortOperator,
        caAclIPV6ACEDestinationPort         InetPortNumber,
        caAclIPV6ACEDestinationPortUpper    InetPortNumber,
        caAclIPV6ACEDestinationPortGroup    SnmpAdminString,
        caAclIPV6ACETrafficClassValue       Unsigned32,
        caAclIPV6ACETcpFlagsValue           Unsigned32,
        caAclIPV6ACETcpFlagsMask            Unsigned32,
        caAclIPV6ACETcpFlagsMatchType       CaAclTcpFlagsMatch,
        caAclIPV6ACELogOption               CaAclLogOption,
        caAclIPV6ACECounterLabel            SnmpAdminString,
        caAclIPV6ACERemark                  SnmpAdminString,
        caAclIPV6ACERowStatus               RowStatus
}

caAclIPV6ACESequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies an ACE within an ACL.
        Sequence numbers are assigned to each permit/deny statement,
        causing the system to insert the statement in that numbered
        position within the ACL."
    ::= { caAclIPV6ACECfgTableEntry 1 }

caAclIPV6ACEAction OBJECT-TYPE
    SYNTAX          CaAclAction
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the type of action to be taken if the
        packet matches the given criteria.

        If it is set to permit(1), all packets matching this ACE will
        be allowed for further processing.

        If it is set to deny(2), all packets matching this ACE will be
        discarded."
    ::= { caAclIPV6ACECfgTableEntry 2 }

caAclIPV6ACEProtocol OBJECT-TYPE
    SYNTAX          CiscoIpProtocol
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object identifies the protocol type to be filtered by
        the ACE. Protocol numbers are defined in the Network Working
        Group Request For Comment (RFC) documents."
    REFERENCE
        "RFC-790, Assigned Numbers, September 1981, Section Assigned
        Internet Protocol Numbers."
    ::= { caAclIPV6ACECfgTableEntry 3 }

caAclIPV6ACESourceAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host
        from which the packet is being sent.

        If this object value is 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is 0 then this matches any
        source address.

        If this object value is not 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is less than 128, this entry
        matches all the addresses that are in the sub-net.

        If this object value is 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is also 0, this entry matches
        all hosts."
    ::= { caAclIPV6ACECfgTableEntry 4 }

caAclIPV6ACESourcePrefixLength OBJECT-TYPE
    SYNTAX          Integer32 (0..128)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the number of bits in the field
        caAclIPV6ACLSourceAddress to be checked. If the value of this
        object is 0, then the source address in the packet must match
        caAclIPV6ACESourceAddress exactly for the ACE action to be
        taken."
    ::= { caAclIPV6ACECfgTableEntry 5 }

caAclIPV6ACESourceNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Network Object Group from
        which the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 6 }

caAclIPV6ACESourcePortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed to the
        layer source port field.
        Source port fields are present only for IGMP, ICMP, SCTP, TCP,
        and UDP protocols. If caAclIPV6ACLProtocol is none of the ones
        listed above, this field should be set to noOperator(1), which
        means no comparison is to be performed.

        If this field is set to range(5) then two port numbers are
        necessary. I.e., Both caAclIPV6ACLSourcePort and
        caAclIPV6ACLSourcePortUpper need to be provided."
    ::= { caAclIPV6ACECfgTableEntry 7 }

caAclIPV6ACESourcePort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the source port number of the layer 4
        protocol. This is the field to be matched with the specified
        source port based on the caAclIPV6ACLSourceOperator.

        If caAclIPV6ACLSourceOperator is range(5) then this object
        will have the inclusive lower bound of the source port range
        that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 8 }

caAclIPV6ACESourcePortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        source port range that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 9 }

caAclIPV6ACESourcePortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group from which
        the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 10 }

caAclIPV6ACEDestinationAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host to
        which the packet is being sent.

        If this object value is 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is 0 then this matches any
        source address.

        If this object value is not 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is less than 128, this entry
        matches all the addresses that are in the sub-net.

        If this object value is 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is also 0, this entry matches
        all hosts."
    ::= { caAclIPV6ACECfgTableEntry 11 }

caAclIPV6ACEDestinationPrefixLength OBJECT-TYPE
    SYNTAX          Integer32 (0..128)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the number of bits in the field
        caAclIPV6ACLDestinationAddress to be checked. If the value of
        this object is 0, then the source address in the packet must
        match caAclIPV6ACEDestinationAddress exactly for the ACE
        action to be taken."
    ::= { caAclIPV6ACECfgTableEntry 12 }

caAclIPV6ACEDestinationNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Network Object Group to which
        the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 13 }

caAclIPV6ACEDestinationPortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed to the
        layer destination port field. Source port fields are present
        only for IGMP, ICMP, SCTP, TCP, and UDP protocols. If
        caAclIPV6ACLProtocol is none of the ones listed above, this
        field should be set to noOperator(1), which means no
        comparison is to be performed.

        If this field is set to range(5) then two port numbers are
        necessary. I.e., Both caAclIPV6ACLDestinationPort and
        caAclIPV6ACLDestinationPortUpper need to be provided."
    ::= { caAclIPV6ACECfgTableEntry 14 }

caAclIPV6ACEDestinationPort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the destination port number of the layer
        4 protocol. This is the field to be matched with the specified
        destination port based on the caAclIPV6ACLSourceOperator.

        If caAclIPV6ACLDestinationOperator is range(5) then this
        object will have the inclusive lower bound of the destination
        port range that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 15 }

caAclIPV6ACEDestinationPortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        destination port range that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 16 }

caAclIPV6ACEDestinationPortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group to which the
        packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 17 }

caAclIPV6ACETrafficClassValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the traffic class value that will be
        considered in the match criteria against the value in the
        packet."
    ::= { caAclIPV6ACECfgTableEntry 18 }

caAclIPV6ACETcpFlagsValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the TCP flags which will be
        considered in the match criteria based on
        caAclIPV6ACLTcpFlagsMatchType. Users can select any desired
        combination of the TCP flags on which to filter TCP packets."
    REFERENCE
        "RFC-793, Transmission Control Protocol, Darpa Internet
        Program Protocol Specification, September 1981."
    ::= { caAclIPV6ACECfgTableEntry 19 }

caAclIPV6ACETcpFlagsMask OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the mask value of the TCP flags field."
    ::= { caAclIPV6ACECfgTableEntry 20 }

caAclIPV6ACETcpFlagsMatchType OBJECT-TYPE
    SYNTAX          CaAclTcpFlagsMatch
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the type of matching to be done on the
        TCP flags field."
    ::= { caAclIPV6ACECfgTableEntry 21 }

caAclIPV6ACELogOption OBJECT-TYPE
    SYNTAX          CaAclLogOption
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the log option field to be
        applied to packets that match this ACE entry."
    ::= { caAclIPV6ACECfgTableEntry 22 }

caAclIPV6ACECounterLabel OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the counter label name for this ACE.
        ACEs that share the same counter label name will have their
        hit counts aggregated into the same counter label name."
    ::= { caAclIPV6ACECfgTableEntry 23 }

caAclIPV6ACERemark OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..100))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines a comment in the ACL. It helps the user
        to define some meaningful comment to identify the ACE quickly,
        or to know the purpose of a set of ACEs. This field is not
        used during packet matching."
    ::= { caAclIPV6ACECfgTableEntry 24 }

caAclIPV6ACERowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry in
        the caAclIPV6ACLTable.

        A row can be created using the 'CreateAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent.

        A row may be deleted by setting the RowStatus to 'destroy'.
        The minimum objects required to delete a row in this table is
        simply the sequence number (caAclIPV6ACESequenceNumber)."
    ::= { caAclIPV6ACECfgTableEntry 25 }

-- ********************************************************************
-- IP access group entry configuration table *
-- ********************************************************************

caAclAccessGroupCfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclAccessGroupCfgEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the ACLs configured on the device and
        applied on an interface in the ingress or egress direction."
    ::= { caAclConfiguration 4 }

caAclAccessGroupCfgEntry OBJECT-TYPE
    SYNTAX          CaAclAccessGroupCfgEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry describes an ACL configured on the device and
        applied to an interface."
    INDEX           {
                        ifIndex,
                        caAclAccessGroupCfgAddressType,
                        caAclAccessGroupDirection,
                        caAclAccessGroupSequenceNumber
                    }
    ::= { caAclAccessGroupCfgTable 1 }

CaAclAccessGroupCfgEntry ::= SEQUENCE {
        caAclAccessGroupACL            CaAclACLIndex,
        caAclAccessGroupCfgAddressType InetAddressType,
        caAclAccessGroupDirection      CaAclTrafficDirection,
        caAclAccessGroupSequenceNumber CaAclSequenceNumber,
        caAclAccessGroupRowStatus      RowStatus
}

caAclAccessGroupACL OBJECT-TYPE
    SYNTAX          CaAclACLIndex
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The name of the ACL associated with this entry."
    ::= { caAclAccessGroupCfgEntry 1 }

caAclAccessGroupCfgAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry describes the address family of the access group
        being applied on the interface."
    ::= { caAclAccessGroupCfgEntry 2 }

caAclAccessGroupDirection OBJECT-TYPE
    SYNTAX          CaAclTrafficDirection
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object defines the direction in which the ACL is
        applied."
    ::= { caAclAccessGroupCfgEntry 3 }

caAclAccessGroupSequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies the order in which an Access
        Group is applied to an interface. It can be used by platforms
        that support applying more than one Access List per address
        family per direction.

        For example:
            interface GigabitEthernet 0/0
             ipv4 access-group ACL1 ACL2 ACL2 ingress
            !
        "
    ::= { caAclAccessGroupCfgEntry 4 }

caAclAccessGroupRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry in
        the caAclAccessGroupCfgTable.

        A row can be created using the 'CreateAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent.

        Once a row becomes active, values in any other column within
        the row cannot be modified.

        A row may be deleted by setting the RowStatus to 'destroy'."
    ::= { caAclAccessGroupCfgEntry 5 }

-- ********************************************************************
-- Label interface statistics table *
-- ********************************************************************

caAclLabelIntfStatsTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclLabelIntfStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table describes the statistics for all ACEs with
        assigned counter labels, attached to interfaces on the device.

        An entry in this table is created when an ACL containing an
        ACE that references the specified counter label name is
        applied to an interface.

        An entry in this table is deleted when an ACL containing an
        ACE that references the specified counter label name is
        removed from an interface."
    ::= { caAclStats 1 }

caAclLabelIntfStatsEntry OBJECT-TYPE
    SYNTAX          CaAclLabelIntfStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry in this table provides the aggregated counters for
        all ACEs applied on the given interface/direction that have
        been assigned the same counter label."
    INDEX           {
                        ifIndex,
                        caAclAccessGroupCfgAddressType,
                        caAclAccessGroupDirection,
                        caAclIntfStatsCounterLabelName
                    }
    ::= { caAclLabelIntfStatsTable 1 }

CaAclLabelIntfStatsEntry ::= SEQUENCE {
        caAclIntfStatsCounterLabelName SnmpAdminString,
        caAclIntfStatsPackets          Counter64,
        caAclIntfStatsOctets           Counter64
}

caAclIntfStatsCounterLabelName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The counter label index associated with this set of
        statistics."
    ::= { caAclLabelIntfStatsEntry 1 }

caAclIntfStatsPackets OBJECT-TYPE
    SYNTAX          Counter64
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The total number of packets that match this counter label."
    ::= { caAclLabelIntfStatsEntry 2 }

caAclIntfStatsOctets OBJECT-TYPE
    SYNTAX          Counter64
    UNITS           "bytes"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The total number of octets that match this counter label."
    ::= { caAclLabelIntfStatsEntry 3 }

-- ********************************************************************
-- Units of Conformance
-- ********************************************************************

caAclMIBCfgGroup OBJECT-GROUP
    OBJECTS         {
                        caAclName,
                        caAclRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group contains objects describing ACLs."
    ::= { caAclMIBCfgGroups 1 }

caAclIPV4ACLMIBACEGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIPV4ACEAction,
                        caAclIPV4ACEProtocol,
                        caAclIPV4ACESourceAddress,
                        caAclIPV4ACESourceWildCardMask,
                        caAclIPV4ACESourceNetworkGroup,
                        caAclIPV4ACESourcePortOperator,
                        caAclIPV4ACESourcePort,
                        caAclIPV4ACESourcePortUpper,
                        caAclIPV4ACESourcePortGroup,
                        caAclIPV4ACEDestinationAddress,
                        caAclIPV4ACEDestinationWildCardMask,
                        caAclIPV4ACEDestinationNetworkGroup,
                        caAclIPV4ACEDestinationPortOperator,
                        caAclIPV4ACEDestinationPort,
                        caAclIPV4ACEDestinationPortUpper,
                        caAclIPV4ACEDestinationPortGroup,
                        caAclIPV4ACEDscpValue,
                        caAclIPV4ACETcpFlagsValue,
                        caAclIPV4ACETcpFlagsMask,
                        caAclIPV4ACETcpFlagsMatchType,
                        caAclIPV4ACETosValue,
                        caAclIPV4ACEPrecedenceValue,
                        caAclIPV4ACELogOption,
                        caAclIPV4ACECounterLabel,
                        caAclIPV4ACERemark,
                        caAclIPV4ACERowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group is a collection of objects providing IPV4 ACE
        feature."
    ::= { caAclMIBCfgGroups 2 }

caAclIPV6ACLMIBACEGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIPV6ACEAction,
                        caAclIPV6ACEProtocol,
                        caAclIPV6ACESourceAddress,
                        caAclIPV6ACESourcePrefixLength,
                        caAclIPV6ACESourceNetworkGroup,
                        caAclIPV6ACESourcePortOperator,
                        caAclIPV6ACESourcePort,
                        caAclIPV6ACESourcePortUpper,
                        caAclIPV6ACESourcePortGroup,
                        caAclIPV6ACEDestinationAddress,
                        caAclIPV6ACEDestinationPrefixLength,
                        caAclIPV6ACEDestinationNetworkGroup,
                        caAclIPV6ACEDestinationPortOperator,
                        caAclIPV6ACEDestinationPort,
                        caAclIPV6ACEDestinationPortUpper,
                        caAclIPV6ACEDestinationPortGroup,
                        caAclIPV6ACETcpFlagsValue,
                        caAclIPV6ACETcpFlagsMask,
                        caAclIPV6ACETcpFlagsMatchType,
                        caAclIPV6ACETrafficClassValue,
                        caAclIPV6ACELogOption,
                        caAclIPV6ACECounterLabel,
                        caAclIPV6ACERemark,
                        caAclIPV6ACERowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group is a collection of objects providing IPV6 ACE
        feature."
    ::= { caAclMIBCfgGroups 3 }

caAclMIBAccessGroupCfgGroup OBJECT-GROUP
    OBJECTS         {
                        caAclAccessGroupACL,
                        caAclAccessGroupRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the objects describing the access group
        configuration."
    ::= { caAclMIBCfgGroups 4 }

caAclMIBCounterGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIntfStatsPackets,
                        caAclIntfStatsOctets
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the objects describing the ACE counter
        label."
    ::= { caAclMIBCfgGroups 5 }

caAclMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "This compliance statement specifies the minimal requirements
        that an implementation must meet in order to claim full
        compliance with the definitions of the C-ACL-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS { caAclMIBCfgGroup }

    GROUP           caAclMIBAccessGroupCfgGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support filtering IPV4 and/or IPV6 packets."

    GROUP           caAclIPV4ACLMIBACEGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support IPV4 ACLs."
    GROUP           caAclIPV6ACLMIBACEGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support IPV6 ACLs."

    GROUP           caAclMIBCounterGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support ACL counter gathering statistics."

    OBJECT          caAclName
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclRowStatus
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEAction
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEProtocol
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACESourceAddress
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACESourceWildCardMask
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACESourceNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACESourcePortOperator
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACESourcePort
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACESourcePortUpper
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACESourcePortGroup
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationAddress
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationWildCardMask
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationPortOperator
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationPort
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationPortUpper
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."
    OBJECT          caAclIPV4ACEDestinationPortGroup
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEDscpValue
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACETcpFlagsValue
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACETcpFlagsMask
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACETcpFlagsMatchType
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACETosValue
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACEPrecedenceValue
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACELogOption
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACECounterLabel
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACERemark
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV4ACERowStatus
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACEAction
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACEProtocol
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACESourceAddress
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePrefixLength
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACESourceNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePortOperator
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePort
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePortUpper
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePortGroup
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."
    OBJECT          caAclIPV6ACEDestinationAddress
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPrefixLength
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPortOperator
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPort
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPortUpper
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPortGroup
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACETrafficClassValue
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACETcpFlagsValue
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACETcpFlagsMask
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACETcpFlagsMatchType
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACELogOption
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACECounterLabel
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACERemark
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclIPV6ACERowStatus
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclAccessGroupACL
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."

    OBJECT          caAclAccessGroupRowStatus
    MIN-ACCESS      read-only
    DESCRIPTION     "Write-access is not required."
    ::= { caAclMIBACECompliances 1 }

END
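
An added example, not part of CISCO-ACL-MIB or of any Cisco tooling: decoding caAclLabelIntfStatsTable instances from their INDEX (ifIndex, address type, direction, length-prefixed counter label) and comparing two polls for Counter64 deltas and for rows that vanished. Assumptions: suffixes are relative to caAclLabelIntfStatsEntry, and the sample polls, the direction value 1 and the label DenyTelnet are constructed.

```python
COLUMNS = {2: "packets", 3: "octets"}  # caAclIntfStatsPackets, caAclIntfStatsOctets
INET_TYPES = {1: "ipv4", 2: "ipv6"}    # InetAddressType values (INET-ADDRESS-MIB)

def decode_instance(suffix):
    """Split '<column>.<ifIndex>.<addrType>.<direction>.<len>.<label octets...>'."""
    ids = [int(s) for s in suffix.split(".")]
    if len(ids) < 6 or ids[0] not in COLUMNS:
        raise ValueError(f"not a caAclLabelIntfStatsEntry instance: {suffix}")
    column, if_index, addr_type, direction, length = ids[:5]
    octets = ids[5:]
    # The label is a variable-length string index without IMPLIED: one length
    # sub-identifier, then one sub-identifier per octet. SIZE is (1..64).
    if not 1 <= length <= 64 or length != len(octets) or max(octets) > 255:
        raise ValueError(f"malformed counter label index: {suffix}")
    label = bytes(octets).decode("utf-8")
    # direction stays numeric: CaAclTrafficDirection is not defined in this section.
    family = INET_TYPES.get(addr_type, str(addr_type))
    return (if_index, family, direction, label), COLUMNS[column]

def fold(poll):
    """{suffix: value} -> {(ifIndex, family, direction, label): {column: value}}."""
    rows = {}
    for suffix, value in poll.items():
        key, column = decode_instance(suffix)
        rows.setdefault(key, {})[column] = value
    return rows

def compare(prev_poll, curr_poll):
    """Return (per-row Counter64 deltas, rows that disappeared, rows that appeared)."""
    prev, curr = fold(prev_poll), fold(curr_poll)
    deltas = {
        key: {c: (curr[key][c] - prev[key][c]) % 2**64  # Counter64 wraps at 2^64
              for c in prev[key].keys() & curr[key].keys()}
        for key in prev.keys() & curr.keys()
    }
    return deltas, sorted(prev.keys() - curr.keys()), sorted(curr.keys() - prev.keys())

def instance(column, if_index, addr_type, direction, label):
    """Build a suffix for the constructed sample data below."""
    return ".".join(map(str, [column, if_index, addr_type, direction,
                              len(label), *label.encode("utf-8")]))

# Constructed sample polls. CountPermits is the label used in the module's own
# DESCRIPTION; its packet counter wraps between the two polls.
PREV = {
    instance(2, 3, 1, 1, "CountPermits"): 2**64 - 10,
    instance(3, 3, 1, 1, "CountPermits"): 4_000,
    instance(2, 3, 2, 1, "DenyTelnet"): 7,
    instance(3, 3, 2, 1, "DenyTelnet"): 420,
}
CURR = {
    instance(2, 3, 1, 1, "CountPermits"): 15,
    instance(3, 3, 1, 1, "CountPermits"): 5_500,
}
```

Per the table's DESCRIPTION, a row that disappears between polls means the ACL carrying that counter label is no longer applied to the interface, which is worth alerting on alongside the hit-count deltas.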