LANCOM-ACL-MGMT-MIB DEFINITIONS ::= BEGIN -- Broadcom Fastpath Management ACL MIB -- Copyright 2016 Broadcom. -- This SNMP Management Information Specification -- embodies Broadcom's confidential and proprietary -- intellectual property. Broadcom retains all title -- and ownership in the Specification including any revisions. -- This Specification is supplied "AS IS", Broadcom -- makes no warranty, either expressed or implied, -- as to the use, operation, condition, or performance of the -- Specification. IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, IpAddress, Integer32, Unsigned32 FROM SNMPv2-SMI TEXTUAL-CONVENTION, RowStatus, TruthValue FROM SNMPv2-TC DisplayString FROM RFC1213-MIB fastPath FROM LANCOM-REF-MIB; aclMgmtGroup MODULE-IDENTITY LAST-UPDATED "201512110000Z" -- 11 December 2015 12:00:00 GMT ORGANIZATION "Broadcom " CONTACT-INFO "Customer Support Postal: Broadcom 1030 Swabia Court Suite 400 Durham, NC 27703 Tel: +1 919 865 2700" DESCRIPTION "The MIB definitions for Management ACL component." -- Revision history. REVISION "201512110000Z" -- 11 Dec 2015 12:00:00 GMT DESCRIPTION "Added ACL management support." ::= { fastPath 62 } --*********************** Management ACLs *********************** -- This group defines the set of objects required to define the -- access control for the various management interfaces supported -- by the switch. This includes control for the SNMP, CLI(via telnet/ssh), -- and Web based (http/https) management interfaces. -- Additionally control over tftp and sntp is supported. -- -- In order to enable management ACL, the user must configure access list and -- set it as active. A set of rules can be created within access list to be checked -- when granting access to the management interface of the system. -- The user may define multiple management ACL rule set, but only one may be -- active at any given point. There is a limit to the number of ACL rules -- and rule set which may be specified. This limit is per switch type so -- that the system will fail to create new rules or rule set when the system -- limit is reached. -- In order to permit switch management only via console, "console-only" option -- is used for aclMgmtActiveListName. -- Each rule set is given a name and rules within the rule set are given -- priorities. Priority 1 is the highest priority. Rules -- are checked from highest priority so that: -- * the first rule to deny permission to the system will result in denied -- access with no further checking. -- * only if all the rules permitted access to the system would success the -- management request will be granted. --------------------------------------------------------------------------- AclMgmtServiceType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Management ACL Service type to be configured." SYNTAX INTEGER { allType(0), telnet(1), http(2), https(3), snmp(4), ssh(5), tftp(6), sntp(7) } AclMgmtActionType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Management ACL Action definition." SYNTAX INTEGER { permit(0), deny(1) } aclMgmtEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "The variable specifies if Management ACL functionality is enabled. This parameter value is TRUE, which means that management ACL is checked when granting access to the system." ::= { aclMgmtGroup 1 } aclMgmtActiveListName OBJECT-TYPE SYNTAX DisplayString (SIZE(0..32)) MAX-ACCESS read-write STATUS current DESCRIPTION "Activate a particular management ACL rule-set. If no management ACL rule-set is specified (by setting this parameter to a NULL string) then the system assumes that management ACL is disabled. If the user attempts to set this parameter to the name of an invalid or non-existing ACL rule-set, the configuration will fail. If the user deletes a management ACL rule-set to which this parameter references, the parameter will be set to a NULL string and the system will assume that management ACL checking has been disabled. 'console-only' access list is used to permit switch management only via console and deny management via network. Note that this action will immediately block SNMP access." ::= { aclMgmtGroup 2 } aclMgmtListTable OBJECT-TYPE SYNTAX SEQUENCE OF AclMgmtListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines all management ACL rule-set as well as the rules within the rule-set. To activate a specific ACL rule-set, please refer to the 'aclMgmtActiveListName' parameter above." ::= { aclMgmtGroup 3 } aclMgmtListEntry OBJECT-TYPE SYNTAX AclMgmtListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry in the table is a single rule within a given rule-set. The rules within a rule-set are grouped together via a common name 'aclMgmtListName'. Each rule has a specific priority within the rule-set given by 'aclMgmtListPriority', where priority 1 is the highest priority of the given set. Each rule may be applied to a specific interface within the switch or to all interfaces (specified by setting the ifIndex to 0)." INDEX { aclMgmtListName, aclMgmtListPriority } ::= { aclMgmtListTable 1 } AclMgmtListEntry ::= SEQUENCE { aclMgmtListName DisplayString, aclMgmtListPriority Unsigned32, aclMgmtListIfIndex Unsigned32, aclMgmtListIpAddr IpAddress, aclMgmtListIpNetMask IpAddress, aclMgmtListService AclMgmtServiceType, aclMgmtListAction AclMgmtActionType, aclMgmtListRowStatus RowStatus, aclMgmtListVlanId Unsigned32, aclRuleIsConflict TruthValue } aclMgmtListName OBJECT-TYPE SYNTAX DisplayString (SIZE(1..32)) MAX-ACCESS read-only STATUS current DESCRIPTION "The name of a given rule-set." ::= { aclMgmtListEntry 1 } aclMgmtListPriority OBJECT-TYPE SYNTAX Unsigned32 (1..64) MAX-ACCESS read-only STATUS current DESCRIPTION "The priority value of a given rule within the rule-set." ::= { aclMgmtListEntry 2 } aclMgmtListIfIndex OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION "The IfIndex to which this rule applies. By setting this to a specific ifIndex, the rule will only apply if the management access is coming over the given interface. If the ifIndex is set to 0, then this rule applies to all interfaces." ::= { aclMgmtListEntry 3 } aclMgmtListIpAddr OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The IP address associated with this entry. The IP address may be set to 0, which means that the rule applies to all IP addresses. Otherwise, the rule applies to all management requests which come from a given IP address." ::= { aclMgmtListEntry 4 } aclMgmtListIpNetMask OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The subnet mask associated with the IP address of this entry. The value of the mask is an IP address with all the network bits set to 1 and all the hosts bits set to 0. Using this in conjunction with the ipAddress given above, it is possible to make the rule applies to a subnet instead of a specific address (to force the rule to apply to a single address, use a netmask with all bits set to 1 (i.e. 255.255.255.255 netmask)." ::= { aclMgmtListEntry 5 } aclMgmtListService OBJECT-TYPE SYNTAX AclMgmtServiceType MAX-ACCESS read-write STATUS current DESCRIPTION "The type of services that this rule applies to. By setting this to a specific service type, the rule will only apply if the request is coming to the switch using the particular protocol type specified. The Service type address can be configured to be 0, which means any of the supported protocols or services are applicable." ::= { aclMgmtListEntry 6 } aclMgmtListAction OBJECT-TYPE SYNTAX AclMgmtActionType MAX-ACCESS read-write STATUS current DESCRIPTION "The action to apply to the given traffic matching the rule. The action may be to permit or deny the requested management access." ::= { aclMgmtListEntry 7 } aclMgmtListRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The row status variable, used according to row creation and deletion conventions. active(1) - Management ACL instance is active createAndGo(4) - set to this value to create an instance destroy(6) - set to this value to delete an instance " ::= { aclMgmtListEntry 8 } aclMgmtListVlanId OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION "The VLAN ID which can be applied to this rule. Valid VLAN ID range is 1-4093. By setting this to a specific VLAN ID, the rule will only applies if the management access is coming over the given interface." ::= { aclMgmtListEntry 9 } aclRuleIsConflict OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "Read-only object, which indicates whether the specified ACL rule conflicts with any other rule. If the rule conflicts then it is recommended to remove it." ::= { aclMgmtListEntry 10 } aclMgmtTrapInfo NOTIFICATION-TYPE OBJECTS { aclMgmtTrapReason } STATUS current DESCRIPTION "Specifies protocol type that was blocked by Management ACL feature. The aclMgmtTrapInfo should indicate which management interface is violated and the source IP address of the request." ::= { aclMgmtGroup 4 } aclMgmtTrapReason OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "This text string may be used to provide additional information regarding the trap being sent." ::= { aclMgmtGroup 5 } --************************************************************************************** END