-- ************************************************************************** -- * * -- * * -- * Hirschmann Automation and Control GmbH * -- * * -- * PLATFORM SNMP PRIVATE MIB * -- * * -- * Usergroup * -- * * -- * * -- %************************************************************************* -- * * -- * Dies ist eine SNMP MIB fuer Hirschmann Platform Geraete. * -- * * -- * Sollten Sie weitere Fragen haben, wenden Sie sich bitte an ihren * -- * Hirschmann-Vertragspartner. * -- * * -- * Aktuelle Hirschmann-Infos zu unseren Produkten erhalten Sie ueber * -- * unseren WWW-Server unter http://www.hirschmann.com * -- * * -- * This is a SNMP MIB for the Hirschmann Platform devices. * -- * * -- * If you have any further questions please contact your * -- * Hirschmann contractual partner. * -- * * -- * You can access current information about Hirschmann products * -- * via our WWW server on http://www.hirschmann.com * -- * * -- ************************************************************************** USERGROUP-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, OBJECT-IDENTITY, TEXTUAL-CONVENTION, IpAddress, Integer32 FROM SNMPv2-SMI DisplayString FROM SNMPv2-TC hmConfiguration FROM HMPRIV-MGMT-SNMP-MIB; hmUserGroup MODULE-IDENTITY LAST-UPDATED "200709131200Z" -- 13 Sep 2007 12:00:00 GMT ORGANIZATION "Hirschmann Automation and Control GmbH" CONTACT-INFO "Customer Support Postal: Hirschmann Automation and Control GmbH Stuttgarter Str. 45-51 72654 Neckartenzlingen Germany Tel: +49 7127 14 1981 Web: http://www.hicomcenter.com/ E-Mail: hicomcenter@hirschmann.com" DESCRIPTION "The Hirschmann Private Usergroup MIB definitions for Platform devices." -- Revision history. REVISION "200709131200Z" -- 13 Sep 2007 12:00:00 GMT DESCRIPTION "First release in SMIv2" ::= { hmConfiguration 3 } MemberID ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "mac address in canonical byte order." 
SYNTAX OCTET STRING (SIZE (6)) -- -- hmUserGroupTable -- -- This table holds one instance for each user group -- hmUserGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF HmUserGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A list of user group definitions." ::= { hmUserGroup 1 } hmUserGroupEntry OBJECT-TYPE SYNTAX HmUserGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "user group definition" INDEX { hmUserGroupID } ::= { hmUserGroupTable 1 } HmUserGroupEntry ::= SEQUENCE { hmUserGroupID Integer32, hmUserGroupDescription DisplayString, hmUserGroupRestricted INTEGER, hmUserGroupSecAction INTEGER } hmUserGroupID OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "The user group number identifying this instance." ::= { hmUserGroupEntry 1 } hmUserGroupDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "A textual description of the user group instance." ::= { hmUserGroupEntry 2 } hmUserGroupRestricted OBJECT-TYPE SYNTAX INTEGER { true(1), false(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "If set to true(1) any member of this group is restricted to ports - which have hmPortSecPermission set to group(2) and - the group is in hmPortSecAllowedGroupIDs. If set to false(2) the user may also connect to a port if permitted by other hmPortSecPermission settings, e.g. known(3) or world(4). The following access restrictions apply: UserRestr. UserGroupRestr. 
PortSecPermission access allowed -------------------------------------------------------------------- false false user hmPortSecAllowedUserID false false group hmPortSecAllowedGroupIDs false false known any user group member false false world yes true false/true user hmPortSecAllowedUserID true false/true group no true false/true known no true false/true world no false true user hmPortSecAllowedUserID false true group hmPortSecAllowedGroupIDs false true known no false true world no " ::= { hmUserGroupEntry 3 } hmUserGroupSecAction OBJECT-TYPE SYNTAX INTEGER { none(1), trapOnly(2), portDisable(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the action which is taken if a user tries to connect to the given port when he is not allowed to do so. Setting the variable to none(1) disables any action. A value of trapOnly(2) generates a trap. Setting the value to portDisable(3) will send a trap, and additionally disable the port until it is re-enabled by management." ::= { hmUserGroupEntry 4 } -- -- hmUserGroupMemberTable -- -- This table lists the members of a given user group. -- Members may be added or removed using this table. -- hmUserGroupMemberTable OBJECT-TYPE SYNTAX SEQUENCE OF HmUserGroupMemberEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A list of users which are members of a given user group." ::= { hmUserGroup 2 } hmUserGroupMemberEntry OBJECT-TYPE SYNTAX HmUserGroupMemberEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An user group member entry." INDEX { hmUserGroupMemberGroupID, hmUserGroupMemberUserID } ::= { hmUserGroupMemberTable 1 } HmUserGroupMemberEntry ::= SEQUENCE { hmUserGroupMemberGroupID Integer32, hmUserGroupMemberUserID MemberID } hmUserGroupMemberGroupID OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "user group id of this member." 
::= { hmUserGroupMemberEntry 1 } hmUserGroupMemberUserID OBJECT-TYPE SYNTAX MemberID MAX-ACCESS read-only STATUS current DESCRIPTION "user ID of this member." ::= { hmUserGroupMemberEntry 2 } -- -- hmUserTable -- -- This table contains all members of all user groups. -- hmUserTable OBJECT-TYPE SYNTAX SEQUENCE OF HmUserEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "List of all user group members." ::= { hmUserGroup 3 } hmUserEntry OBJECT-TYPE SYNTAX HmUserEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An user entry." INDEX { hmUserID } ::= { hmUserTable 1 } HmUserEntry ::= SEQUENCE { hmUserID MemberID, hmUserRestricted INTEGER } hmUserID OBJECT-TYPE SYNTAX MemberID MAX-ACCESS read-only STATUS current DESCRIPTION "User ID." ::= { hmUserEntry 1 } hmUserRestricted OBJECT-TYPE SYNTAX INTEGER { true(1), false(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "If set to true(1) the user may only connect to ports which have hmPortSecPermission set to user(1) and hmPortSecAllowedUserID set to hmUserID. If set to false(2) the user may also connect to a port if permitted by other hmPortSecPermission settings, e.g. group(2), known(3) or world(4). The following access restrictions apply: UserRestr. UserGroupRestr. PortSecPermission access allowed --------------------------------------------------------------------- false false user hmPortSecAllowedUserID false false group hmPortSecAllowedGroupIDs false false known any user group member false false world yes true false/true user hmPortSecAllowedUserID true false/true group no true false/true known no true false/true world no false true user hmPortSecAllowedUserID false true group hmPortSecAllowedGroupIDs false true known no false true world no " ::= { hmUserEntry 2 } -- -- hmPortSecurityTable -- -- This table defines which security features are to be enabled. -- There is one instance for each port in the switch. 
-- hmPortSecurityTable OBJECT-TYPE SYNTAX SEQUENCE OF HmPortSecurityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "List of port security entries." ::= { hmUserGroup 4 } hmPortSecurityEntry OBJECT-TYPE SYNTAX HmPortSecurityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A single port security entry." INDEX { hmPortSecSlotID, hmPortSecPortID } ::= { hmPortSecurityTable 1 } HmPortSecurityEntry ::= SEQUENCE { hmPortSecSlotID Integer32, hmPortSecPortID Integer32, hmPortSecPermission INTEGER, hmPortSecAllowedUserID MemberID, hmPortSecAllowedGroupIDs OCTET STRING, hmPortSecConnectedUserID MemberID, hmPortSecAction INTEGER, hmPortSecAutoReconfigure INTEGER, hmPortSecPortStatus INTEGER, hmPortSecAllowedUserIPID IpAddress, hmPortSecDynamicLimit Integer32, hmPortSecDynamicCount Integer32 } hmPortSecSlotID OBJECT-TYPE SYNTAX Integer32 (1..1) MAX-ACCESS read-only STATUS current DESCRIPTION "Slot number the switch unit is plugged in." ::= { hmPortSecurityEntry 1 } hmPortSecPortID OBJECT-TYPE SYNTAX Integer32 (1..32) MAX-ACCESS read-only STATUS current DESCRIPTION "Port number within the group." ::= { hmPortSecurityEntry 2 } hmPortSecPermission OBJECT-TYPE SYNTAX INTEGER { user(1), group(2), known(3), world(4), uplink(5) } MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the security level of the port. If set to user(1) only the user defined by hmPortSecAllowedUserID may connect to this port. In group(2) mode only members of the user group specified by hmPortSecAllowedGroupIDs are allowed. known(3) means that all users belonging to any user group (all known users) are accepted. Setting the value to world(4) disables the security features, i.e. any user is permitted. For backbone ports the value uplink(5) should be used. If a user does not match the allowed permission he is not able to connect to the network over this port, additionally the actions configured through hmPortSecAction are taken." 
::= { hmPortSecurityEntry 3 } hmPortSecAllowedUserID OBJECT-TYPE SYNTAX MemberID MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the allowed user ID if hmPortSecPermission has been set to user(1)." ::= { hmPortSecurityEntry 4 } hmPortSecAllowedGroupIDs OBJECT-TYPE SYNTAX OCTET STRING (SIZE(128)) MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the allowed user groups if hmPortSecPermission has been set to group(2). Each group is represented by a single bit. If a group does not exist the value of the bit is ignored." ::= { hmPortSecurityEntry 5 } hmPortSecConnectedUserID OBJECT-TYPE SYNTAX MemberID MAX-ACCESS read-only STATUS current DESCRIPTION "This variable reflects the user ID of a connected user currently seen on this port. If there is no user connected the value will be 0x00:00:00:00:00:00." ::= { hmPortSecurityEntry 6 } hmPortSecAction OBJECT-TYPE SYNTAX INTEGER { none(1), trapOnly(2), portDisable(3), autoDisable(4) } MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the action which is taken if a user tries to connect to the given port when he is not allowed to do so. Setting the variable to none(1) disables any action. A value of trapOnly(2) generates a trap. Setting the value to portDisable(3) will send a trap, and additionally disable the port until it is re-enabled by management. Setting the value to autoDisable(4) will send a trap, and additionally auto-disable the port for the amount of time specified per port." DEFVAL { none } ::= { hmPortSecurityEntry 7 } hmPortSecAutoReconfigure OBJECT-TYPE SYNTAX INTEGER { true(1), false(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This variable controls whether the agent should re-configure the port when another user with an incompatible user group setting has been detected. The default setting, true(1), should be used if a single user is connected to the port. 
The value false(2) might be useful if more than one user is connected to the port (workgroup mode)." ::= { hmPortSecurityEntry 8 } hmPortSecPortStatus OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2), enabledWithWrongAddr(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "This variable shows the current status of the port with respect to port security. If the address seen on the port is allowed, the status is enabled(1). If it is not allowed, the status is disabled(2) when hmUserGroupSecurityAction is portDisable(3), or enabledWithWrongAddr(3) when hmUserGroupSecurityAction is none(1) or trapOnly(2)." ::= { hmPortSecurityEntry 9 } hmPortSecAllowedUserIPID OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the allowed user IP ID if hmPortSecPermission has been set to user(1)." ::= { hmPortSecurityEntry 10 } hmPortSecDynamicLimit OBJECT-TYPE SYNTAX Integer32(0..50) MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the maximum number of dynamically learned allowed MAC addresses for this port." DEFVAL { 0 } ::={ hmPortSecurityEntry 11 } hmPortSecDynamicCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of dynamically learned allowed MAC addresses on this port." ::={ hmPortSecurityEntry 12 } -- -- The following MIB variables control the actions that will be taken -- when a MAC address that is not permitted is discovered on a switch port. -- hmUserGroupSecurityAction OBJECT-TYPE SYNTAX INTEGER { none(1), trapOnly(2), portDisable(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the action which is taken if a user tries to connect to the given port when he is not allowed to do so. Setting the variable to none(1) disables any action. A value of trapOnly(2) generates a trap. Setting the value to portDisable(3) will send a trap, and additionally disable the port until it is re-enabled by management." 
::= { hmUserGroup 5 } -- -- The following MIB variables control the mode of the hmPortSecurityTable -- hmUserGroupPortSecurityMode OBJECT-TYPE SYNTAX INTEGER { macAddressBased(1), ipAddressBased(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the mode of the hmPortSecurityTable: whether port security is MAC-address based (macAddressBased(1)) or IP-address based (ipAddressBased(2))." ::= { hmUserGroup 8 } -- -- hmPortSecExtendedGroup -- -- This group defines which security features are to be enabled. -- There is one instance for each port in the switch and multiple -- instances for each address. -- hmPortSecExtendedGroup OBJECT IDENTIFIER ::= { hmUserGroup 10 } hmPortSecExtendedTable OBJECT-TYPE SYNTAX SEQUENCE OF HmPortSecExtendedEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "List of extended port security entries." ::= { hmPortSecExtendedGroup 1 } hmPortSecExtendedEntry OBJECT-TYPE SYNTAX HmPortSecExtendedEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A single extended port security entry." INDEX { hmPortSecExtSlotID, hmPortSecExtPortID } ::= { hmPortSecExtendedTable 1 } HmPortSecExtendedEntry ::= SEQUENCE { hmPortSecExtSlotID Integer32, hmPortSecExtPortID Integer32, hmPortSecExtAction INTEGER, hmPortSecExtPortStatus INTEGER } hmPortSecExtSlotID OBJECT-TYPE SYNTAX Integer32 (1..1) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Slot number the switch unit is plugged in." ::= { hmPortSecExtendedEntry 1 } hmPortSecExtPortID OBJECT-TYPE SYNTAX Integer32 (1..32) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Port number within the group." ::= { hmPortSecExtendedEntry 2 } hmPortSecExtAction OBJECT-TYPE SYNTAX INTEGER { none(1), trapOnly(2), portDisable(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the action which is taken if a user tries to connect to the given port when he is not allowed to do so. Setting the variable to none(1) disables any action. A value of trapOnly(2) generates a trap. 
Setting the value to portDisable(3) will send a trap, and additionally disable the port until it is re-enabled by management." DEFVAL {1} ::= { hmPortSecExtendedEntry 3 } hmPortSecExtPortStatus OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2), enabledWithWrongAddr(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "This variable shows the current status of the port with respect to port security. If the address seen on the port is allowed, the status is enabled(1), if it is not allowed, the status is disabled(2) if hmUserGroupSecurityAction is portDisable(3), or enabledWithWrongAddr(3) if hmUserGroupSecurityAction is none(1) or trapOnly(2)." DEFVAL {1} ::= { hmPortSecExtendedEntry 4 } hmPortSecMultipleAdressesTable OBJECT-TYPE SYNTAX SEQUENCE OF HmPortSecMultipleAdressesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "List of port security entries with multiple allowed addresses." ::= { hmPortSecExtendedGroup 2 } hmPortSecMultipleAdressesEntry OBJECT-TYPE SYNTAX HmPortSecMultipleAdressesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A single port security entry with multiple allowed addresses." INDEX { hmPortSecMASlotID, hmPortSecMAPortID, hmPortSecMAExtendedIndex } ::= { hmPortSecMultipleAdressesTable 1 } HmPortSecMultipleAdressesEntry ::= SEQUENCE { hmPortSecMASlotID Integer32, hmPortSecMAPortID Integer32, hmPortSecMAExtendedIndex Integer32, hmPortSecMAAllowedUserIDs MemberID, hmPortSecMAAllowedUserIPIDs IpAddress, hmPortSecMAAllowedUserIDMask Integer32 } hmPortSecMASlotID OBJECT-TYPE SYNTAX Integer32 (1..1) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Slot number the switch unit is plugged in." ::= { hmPortSecMultipleAdressesEntry 1 } hmPortSecMAPortID OBJECT-TYPE SYNTAX Integer32 (1..32) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Port number within the group." 
::= { hmPortSecMultipleAdressesEntry 2 } hmPortSecMAExtendedIndex OBJECT-TYPE SYNTAX Integer32 (1..50) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Number of addresses." ::= { hmPortSecMultipleAdressesEntry 3 } hmPortSecMAAllowedUserIDs OBJECT-TYPE SYNTAX MemberID MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the allowed user ID if hmPortSecPermission has been set to user(1)." ::= { hmPortSecMultipleAdressesEntry 4 } hmPortSecMAAllowedUserIPIDs OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "This variable specifies the allowed user IP ID if hmPortSecPermission has been set to user(1)." ::= { hmPortSecMultipleAdressesEntry 5 } hmPortSecMAAllowedUserIDMask OBJECT-TYPE SYNTAX Integer32 (1..48) MAX-ACCESS read-write STATUS current DESCRIPTION "The number of bits from left to right, that are used from the MAC address." DEFVAL {48} ::= { hmPortSecMultipleAdressesEntry 6 } -- -- Notifications -- hmUserGroupEvent OBJECT-IDENTITY STATUS current DESCRIPTION "The events of hmUserGroup." ::= { hmUserGroup 0 } hmNewUserTrap NOTIFICATION-TYPE OBJECTS { hmPortSecConnectedUserID } STATUS current DESCRIPTION "This trap is sent if an unknown MAC address is detected on a port." ::= { hmUserGroupEvent 1 } hmPortSecurityTrap NOTIFICATION-TYPE OBJECTS { hmPortSecPermission, hmPortSecAction, hmPortSecConnectedUserID, hmPortSecAllowedUserID, hmPortSecAllowedUserIPID, hmPortSecAllowedGroupIDs } STATUS current DESCRIPTION "This trap is sent if a MAC address / IP address is detected on a port which is not acceptable for the current setting of hmPortSecPermission and hmPortSecAction is either set to trapOnly(2) or portDisable(3)." ::= { hmUserGroupEvent 2 } hmPortSecConfigErrorTrap NOTIFICATION-TYPE OBJECTS { hmPortSecConnectedUserID } STATUS current DESCRIPTION "This trap is sent when two or more users with incompatible user group settings have been detected at the port." ::= { hmUserGroupEvent 3 } END