-- File Name : ZTE-DSL-DEV-SECURITY-ACL-MIB.mib -- Date : 2006-07-25 -- Author : Wan Guanghua ZTE-DSL-DEV-SECURITY-ACL-MIB DEFINITIONS ::= BEGIN IMPORTS zxDsl FROM ZTE-DSL-MIB MODULE-IDENTITY, OBJECT-TYPE, IpAddress, NOTIFICATION-TYPE, Integer32 FROM SNMPv2-SMI InetAddress,InetAddressPrefixLength,InetAddressType FROM INET-ADDRESS-MIB RowStatus, MacAddress FROM SNMPv2-TC; zxDslDevSecurityAclMib MODULE-IDENTITY LAST-UPDATED "200607250000Z" ORGANIZATION "ZTE Corporation" CONTACT-INFO "Wan Guanghua Tel: 021-68896253 email: wan.guanghua@zte.com.cn" DESCRIPTION "This MIB defines the managed objects of ZTE DSLAM security access control policy. And it is used to configure what kind of packets can access the DSLAM." ::= { zxDsl 24 } zxDslDevSecurityAclObjects OBJECT IDENTIFIER ::= { zxDslDevSecurityAclMib 1 } zxDslDevSecurityAclEnable OBJECT-TYPE SYNTAX INTEGER { enable (1), disable (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Enable or disable the ACL rules for the DSLAM. the default value is disable, which means all packets are permit to access the DSLAM." DEFVAL { disable } ::= { zxDslDevSecurityAclObjects 1 } zxDslDevSecurityAclTable OBJECT-TYPE SYNTAX SEQUENCE OF ZxDslDevSecurityAclEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is used to define what kind of packets should be permitted or denied. It can help us to prevent our devices from some vicious attackes, such as virus. By default, when the packet isn't coincident with any rules, it's permitted. We can define all other packets to be permitted or denied by setting source IP and source mask to 0.0.0.0." ::= { zxDslDevSecurityAclObjects 2 } zxDslDevSecurityAclEntry OBJECT-TYPE SYNTAX ZxDslDevSecurityAclEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in zxDslDevSecurityAclTable." INDEX { zxDslDevSecAclIndex } ::= { zxDslDevSecurityAclTable 1 } ZxDslDevSecurityAclEntry ::= SEQUENCE { zxDslDevSecAclIndex INTEGER, zxDslDevSecAclSrcIp IpAddress, zxDslDevSecAclSrcMask IpAddress, zxDslDevSecAclProtocolType INTEGER, zxDslDevSecAclSrcPortStart INTEGER, zxDslDevSecAclSrcPortEnd INTEGER, zxDslDevSecAclDestPortStart INTEGER, zxDslDevSecAclDestPortEnd INTEGER, zxDslDevSecAclAccessLevel INTEGER, zxDslDevSecAclRuleMatchTimes Integer32, zxDslDevSecAclRowStatus RowStatus, ZxDslDevSecAclSrcMac MacAddress, ZxDslDevSecAclDestMac MacAddress, zxDslDevSecAclSrcIpType InetAddressType, zxDslDevSecAclSrcIpv6Ip InetAddress, zxDslDevSecAclSrcIpv6IpPfxLen InetAddressPrefixLength, zxDslDevSecAclDestIpType InetAddressType, zxDslDevSecAclDestIp InetAddress, zxDslDevSecAclDestIpMask IpAddress, zxDslDevSecAclDestIpv6PfxLen InetAddressPrefixLength, zxDslDevSecAclEtherType INTEGER, zxDslDevSecAclVlan INTEGER, zxDslDevSecAclPktRateLimit INTEGER } zxDslDevSecAclIndex OBJECT-TYPE SYNTAX INTEGER ( 1 .. 16 ) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index in the ACL rule table, which is the ACL rule number." ::= { zxDslDevSecurityAclEntry 1 } zxDslDevSecAclSrcIp OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The source Ipv4 IP of the ACL rule. 0.0.0.0 means not configured." ::= { zxDslDevSecurityAclEntry 2 } zxDslDevSecAclSrcMask OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The source IPv4 mask of the ACL rule. 0.0.0.0 means not configured." ::= { zxDslDevSecurityAclEntry 3 } zxDslDevSecAclProtocolType OBJECT-TYPE SYNTAX INTEGER { all(0), icmp(1), tcp(2), udp(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "Protocol type of the packets. The default value is ALL (0), which means all protocol types. " DEFVAL { all } ::= { zxDslDevSecurityAclEntry 4 } zxDslDevSecAclSrcPortStart OBJECT-TYPE SYNTAX INTEGER ( 0 .. 65535 ) MAX-ACCESS read-create STATUS current DESCRIPTION "Beginning source port of the packets. The default value is 0, which means all source ports. " DEFVAL { 0 } ::= { zxDslDevSecurityAclEntry 5 } zxDslDevSecAclSrcPortEnd OBJECT-TYPE SYNTAX INTEGER ( 0 .. 65535 ) MAX-ACCESS read-create STATUS current DESCRIPTION "Ending source port of the packets. The default value is 0, which means all source ports. " DEFVAL { 0 } ::= { zxDslDevSecurityAclEntry 6 } zxDslDevSecAclDestPortStart OBJECT-TYPE SYNTAX INTEGER ( 0 .. 65535 ) MAX-ACCESS read-create STATUS current DESCRIPTION "Beginning destination port of the packets. The default value is 0, which means all destination ports. " DEFVAL { 0 } ::= { zxDslDevSecurityAclEntry 7 } zxDslDevSecAclDestPortEnd OBJECT-TYPE SYNTAX INTEGER ( 0 .. 65535 ) MAX-ACCESS read-create STATUS current DESCRIPTION "Ending destination port of the packets. The default value is 0, which means all destination ports. " DEFVAL { 0 } ::= { zxDslDevSecurityAclEntry 8 } zxDslDevSecAclAccessLevel OBJECT-TYPE SYNTAX INTEGER { permit (1), deny (2) } MAX-ACCESS read-create STATUS current DESCRIPTION "The level of access to DSLAM, which means permit or deny this kind of packets. " ::= { zxDslDevSecurityAclEntry 9 } zxDslDevSecAclRuleMatchTimes OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times that packets match this rule." ::= { zxDslDevSecurityAclEntry 10 } zxDslDevSecAclRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object is used to create a new row or delete an existing row in this table. Set it 4 to add, and 6 to delete the ACL rule. " ::= { zxDslDevSecurityAclEntry 11 } zxDslDevSecAclSrcMac OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-create STATUS current DESCRIPTION "Source MAC of the packets." ::= { zxDslDevSecurityAclEntry 12 } zxDslDevSecAclDestMac OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-create STATUS current DESCRIPTION "Destination MAC of the packets." ::= { zxDslDevSecurityAclEntry 13 } zxDslDevSecAclSrcIpType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "The type of Source IP address. The value is unknown(0) means that source IP address is not configured (include IPv4 and IPv6)." DEFVAL{ ipv4 } ::= { zxDslDevSecurityAclEntry 14 } zxDslDevSecAclSrcIpv6Ip OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The source IPv6 IpAddress of the ACL rule. Zero-length string means not configured." ::= { zxDslDevSecurityAclEntry 15 } zxDslDevSecAclSrcIpv6IpPfxLen OBJECT-TYPE SYNTAX InetAddressPrefixLength MAX-ACCESS read-create STATUS current DESCRIPTION "The prefix length of the IPv6 IP address. 0 means not configured." ::= { zxDslDevSecurityAclEntry 16 } zxDslDevSecAclDestIpType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "The type of destination IP address. The value is unknown(0) means that destination IP address is not configured (include IPv4 and IPv6)." DEFVAL{ ipv4 } ::= { zxDslDevSecurityAclEntry 17 } zxDslDevSecAclDestIp OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The destination IP address of the ACL rule. Zero-length string means not configured. " ::= { zxDslDevSecurityAclEntry 18 } zxDslDevSecAclDestIpMask OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The destination IPv4 mask of the ACL rult. 0.0.0.0 means not configured. " ::= { zxDslDevSecurityAclEntry 19 } zxDslDevSecAclDestIpv6PfxLen OBJECT-TYPE SYNTAX InetAddressPrefixLength MAX-ACCESS read-create STATUS current DESCRIPTION "The prefix length of the destination IPv6 IP address. 0 means not configured. " ::= { zxDslDevSecurityAclEntry 20 } zxDslDevSecAclEtherType OBJECT-TYPE SYNTAX INTEGER { any(1), arp(2), ipv4(3), ipv6(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "Ethernet type of the ACL rule. any(1) means that the acl rule filters all packets that ethernet type is ARP, IPv4 or IPv6. arp(2) means that the acl rule filters all packets that ethernet type is ARP. ipv4(3) means that the acl rule filters all packets that ethernet type is IPv4. ipv6(4) means that the acl rule filters all packets that ethernet type is IPv6. " DEFVAL { any } ::= { zxDslDevSecurityAclEntry 21 } zxDslDevSecAclVlan OBJECT-TYPE SYNTAX INTEGER (0..4094) MAX-ACCESS read-create STATUS current DESCRIPTION "VLAN ID of the ACL rule. 0 means not configured. " DEFVAL { 0 } ::= { zxDslDevSecurityAclEntry 22 } zxDslDevSecAclPktRateLimit OBJECT-TYPE SYNTAX INTEGER(0..2048) UNITS "pps" MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the rate limit of the packet filtered by the ACL rule. 0 means the packet rate is unlimited. " DEFVAL { 0 } ::= { zxDslDevSecurityAclEntry 23 } zxDslDevSecurityAclGlobalObjects OBJECT IDENTIFIER ::= { zxDslDevSecurityAclObjects 3 } zxDslDevSecurityAclActionScope OBJECT-TYPE SYNTAX INTEGER { allMgmtPacket(1), onlyPacketToMgmtIp(2) } MAX-ACCESS read-write STATUS current DEFVAL { allMgmtPacket } DESCRIPTION "The effect scope of device security acl. Possible values are: allMgmtPacket(1) - all packet received will be filter by ACL list. onlyPacketToMgmtIp(2)- only packet to managment IP will be filter by ACL list. " ::= { zxDslDevSecurityAclGlobalObjects 1 } zxDslAclPktRateLimitTrapEnable OBJECT-TYPE SYNTAX INTEGER { enable(1), disable(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Enables or disables the zxDslDevAclPktOverRateLimitTrap and zxDslDevAclPktUnderRateLimitTrap. " DEFVAL { disable } ::= { zxDslDevSecurityAclGlobalObjects 2 } zxDslDevSecurityAclTrapObjects OBJECT IDENTIFIER ::= { zxDslDevSecurityAclMib 2 } zxDslDevAclPktOverRateLimitTrap NOTIFICATION-TYPE OBJECTS { zxDslDevSecAclPktRateLimit } STATUS current DESCRIPTION "ACL packet rate is over zxDslDevSecAclPktRateLimit and the zxDslDevAclPktOverRateLimitTrap will be sent. " ::= { zxDslDevSecurityAclTrapObjects 1 } zxDslDevAclPktUnderRateLimitTrap NOTIFICATION-TYPE OBJECTS { zxDslDevSecAclPktRateLimit } STATUS current DESCRIPTION "ACL packet rate is lower than zxDslDevSecAclPktRateLimit and the zxDslDevAclPktOverRateLimitTrap will be restored. " ::= { zxDslDevSecurityAclTrapObjects 2 } END