Observium_CE/mibs/lancom/LANCOM-ACL-MGMT-MIB

LANCOM-ACL-MGMT-MIB DEFINITIONS ::= BEGIN
-- Broadcom Fastpath Management ACL MIB
-- Copyright 2016 Broadcom.
-- This SNMP Management Information Specification
-- embodies Broadcom's confidential and proprietary
-- intellectual property. Broadcom retains all title
-- and ownership in the Specification including any revisions.
-- This Specification is supplied "AS IS", Broadcom
-- makes no warranty, either expressed or implied,
-- as to the use, operation, condition, or performance of the
-- Specification.
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
IpAddress, Integer32, Unsigned32 FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, TruthValue
FROM SNMPv2-TC
DisplayString FROM RFC1213-MIB
fastPath FROM LANCOM-REF-MIB;
aclMgmtGroup MODULE-IDENTITY
LAST-UPDATED "201512110000Z" -- 11 December 2015 12:00:00 GMT
ORGANIZATION "Broadcom "
CONTACT-INFO
"Customer Support
Postal: Broadcom
1030 Swabia Court
Suite 400
Durham, NC 27703
Tel: +1 919 865 2700"
DESCRIPTION
"The MIB definitions for Management ACL component."
-- Revision history.
REVISION
"201512110000Z" -- 11 Dec 2015 12:00:00 GMT
DESCRIPTION
"Added ACL management support."
::= { fastPath 62 }
--*********************** Management ACLs ***********************
-- This group defines the set of objects required to define the
-- access control for the various management interfaces supported
-- by the switch. This includes control for the SNMP, CLI (via telnet/ssh),
-- and Web based (http/https) management interfaces.
-- Additionally, control over tftp and sntp is supported.
--
-- In order to enable management ACL, the user must configure an access list and
-- set it as active. A set of rules can be created within the access list to be checked
-- when granting access to the management interface of the system.
-- The user may define multiple management ACL rule sets, but only one may be
-- active at any given point. There is a limit to the number of ACL rules
-- and rule sets which may be specified. This limit is per switch type, so
-- the system will fail to create new rules or rule sets when the system
-- limit is reached.
-- In order to permit switch management only via the console, the "console-only" option
-- is used for aclMgmtActiveListName.
-- Each rule set is given a name, and rules within the rule set are given
-- priorities. Priority 1 is the highest priority. Rules
-- are checked from the highest priority downwards so that:
-- * the first rule to deny permission to the system results in denied
-- access with no further checking.
-- * only if all the rules permit access to the system will the
-- management request be granted.
---------------------------------------------------------------------------
AclMgmtServiceType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Management ACL Service type to be configured."
SYNTAX INTEGER {
allType(0),
telnet(1),
http(2),
https(3),
snmp(4),
ssh(5),
tftp(6),
sntp(7)
}
AclMgmtActionType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Management ACL Action definition."
SYNTAX INTEGER {
permit(0),
deny(1)
}
aclMgmtEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The variable specifies if Management ACL functionality is enabled.
When this value is TRUE, the management ACL is checked when granting
access to the system."
::= { aclMgmtGroup 1 }
aclMgmtActiveListName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..32))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Activate a particular management ACL rule-set.
If no management ACL rule-set is specified (by setting this parameter
to a NULL string) then the system assumes that management ACL is disabled.
If the user attempts to set this parameter to the name of an
invalid or non-existing ACL rule-set, the configuration will fail.
If the user deletes a management ACL rule-set to which this
parameter references, the parameter will be set to a NULL
string and the system will assume that management ACL checking
has been disabled.
The 'console-only' access list permits switch management only via the console and
denies management via the network. Note that this action will immediately block SNMP access."
::= { aclMgmtGroup 2 }
aclMgmtListTable OBJECT-TYPE
SYNTAX SEQUENCE OF AclMgmtListEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table defines all management ACL rule-sets as well as the rules
within each rule-set. To activate a specific ACL rule-set, please
refer to the 'aclMgmtActiveListName' parameter above."
::= { aclMgmtGroup 3 }
aclMgmtListEntry OBJECT-TYPE
SYNTAX AclMgmtListEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in the table is a single rule within a given rule-set.
The rules within a rule-set are grouped together via a common
name 'aclMgmtListName'. Each rule has a specific priority
within the rule-set given by 'aclMgmtListPriority', where
priority 1 is the highest priority of the given set.
Each rule may be applied to a specific interface within the switch
or to all interfaces (specified by setting the ifIndex to 0)."
INDEX { aclMgmtListName, aclMgmtListPriority }
::= { aclMgmtListTable 1 }
AclMgmtListEntry ::= SEQUENCE {
aclMgmtListName DisplayString,
aclMgmtListPriority Unsigned32,
aclMgmtListIfIndex Unsigned32,
aclMgmtListIpAddr IpAddress,
aclMgmtListIpNetMask IpAddress,
aclMgmtListService AclMgmtServiceType,
aclMgmtListAction AclMgmtActionType,
aclMgmtListRowStatus RowStatus,
aclMgmtListVlanId Unsigned32,
aclRuleIsConflict TruthValue
}
aclMgmtListName OBJECT-TYPE
SYNTAX DisplayString (SIZE(1..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The name of a given rule-set."
::= { aclMgmtListEntry 1 }
aclMgmtListPriority OBJECT-TYPE
SYNTAX Unsigned32 (1..64)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The priority value of a given rule within the rule-set."
::= { aclMgmtListEntry 2 }
aclMgmtListIfIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The IfIndex to which this rule applies. By setting this to a
specific ifIndex, the rule will only apply if the management
access is coming over the given interface. If the ifIndex is
set to 0, then this rule applies to all interfaces."
::= { aclMgmtListEntry 3 }
aclMgmtListIpAddr OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The IP address associated with this entry. The IP address may be set
to 0, which means that the rule applies to all IP addresses.
Otherwise, the rule applies to all management requests which come
from a given IP address."
::= { aclMgmtListEntry 4 }
aclMgmtListIpNetMask OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The subnet mask associated with the IP address of this entry. The
value of the mask is an IP address with all the network bits set
to 1 and all the host bits set to 0. Using this in conjunction
with the IP address given above, it is possible to make the rule
apply to a subnet instead of a specific address. To force the
rule to apply to a single address, use a netmask with all bits
set to 1 (i.e. a 255.255.255.255 netmask)."
::= { aclMgmtListEntry 5 }
aclMgmtListService OBJECT-TYPE
SYNTAX AclMgmtServiceType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The type of service that this rule applies to. By setting this
to a specific service type, the rule will only apply if the
request is coming to the switch using the particular protocol
specified. The service type can be configured to be 0 (allType),
which means any of the supported protocols or services
are applicable."
::= { aclMgmtListEntry 6 }
aclMgmtListAction OBJECT-TYPE
SYNTAX AclMgmtActionType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The action to apply to the given traffic matching the rule. The
action may be to permit or deny the requested management access."
::= { aclMgmtListEntry 7 }
aclMgmtListRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The row status variable, used according to row creation and
deletion conventions.
active(1) - Management ACL instance is active
createAndGo(4) - set to this value to create an instance
destroy(6) - set to this value to delete an instance
"
::= { aclMgmtListEntry 8 }
aclMgmtListVlanId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The VLAN ID which can be applied to this rule. The valid VLAN ID range is 1-4093.
By setting this to a specific VLAN ID, the rule will only apply if the management
access is coming over the given interface."
::= { aclMgmtListEntry 9 }
aclRuleIsConflict OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Read-only object, which indicates whether the specified ACL rule conflicts with any other rule.
If the rule conflicts then it is recommended to remove it."
::= { aclMgmtListEntry 10 }
aclMgmtTrapInfo NOTIFICATION-TYPE
OBJECTS { aclMgmtTrapReason }
STATUS current
DESCRIPTION
"Specifies protocol type that was blocked by Management ACL feature.
The aclMgmtTrapInfo should indicate which management interface
is violated and the source IP address of the request."
::= { aclMgmtGroup 4 }
aclMgmtTrapReason OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This text string may be used to provide additional information
regarding the trap being sent."
::= { aclMgmtGroup 5 }
--**************************************************************************************
END
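The evaluation order described in the "Management ACLs" comment block (rules checked from priority 1 downwards, the first matching deny ends evaluation, access granted only when every matching rule permits) together with the wildcard conventions of the aclMgmtListEntry columns (ifIndex 0, IP address 0 and service 0 meaning "any") is easy to get wrong when auditing a device's configuration, because it differs from the first-match ACLs most engineers expect. The following Python is an added example that models that decision procedure offline; it is not part of this MIB nor of Observium, LANCOM or Broadcom code. The `Rule`, `Request`, `rule_matches` and `decide` names and the sample rule set are constructed for illustration. Two points the MIB leaves open are handled as labelled assumptions: a VLAN ID of 0 is treated as "any VLAN", and a request that matches no rule in the active set is denied.

```python
"""Offline model of the management-ACL decision described in LANCOM-ACL-MGMT-MIB.

Added example (hypothetical code), not part of the MIB, Observium or the vendor.
Rule fields mirror the aclMgmtListEntry columns; Request fields mirror what a
rule can match on (source IP, ingress ifIndex, service type, VLAN).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

# AclMgmtServiceType enumeration from the MIB: allType(0) .. sntp(7)
ALL_TYPE, TELNET, HTTP, HTTPS, SNMP, SSH, TFTP, SNTP = range(8)
# AclMgmtActionType enumeration from the MIB
PERMIT, DENY = 0, 1


@dataclass(frozen=True)
class Rule:
    """One aclMgmtListEntry row, indexed by (aclMgmtListName, aclMgmtListPriority)."""
    name: str                    # aclMgmtListName (rule-set the rule belongs to)
    priority: int                # aclMgmtListPriority, 1 = highest, range 1..64
    if_index: int = 0            # aclMgmtListIfIndex, 0 = all interfaces
    ip_addr: str = "0.0.0.0"     # aclMgmtListIpAddr, 0 = all IP addresses
    ip_netmask: str = "0.0.0.0"  # aclMgmtListIpNetMask, network bits set to 1
    service: int = ALL_TYPE      # aclMgmtListService, 0 = any service
    action: int = PERMIT         # aclMgmtListAction
    vlan_id: int = 0             # aclMgmtListVlanId; 0 = any VLAN (assumption, not in MIB)


@dataclass(frozen=True)
class Request:
    """A management request as seen by the switch (hypothetical model)."""
    src_ip: str
    if_index: int
    service: int
    vlan_id: int


def rule_matches(rule: Rule, req: Request) -> bool:
    """Apply the per-column wildcard conventions documented in the MIB."""
    if rule.if_index != 0 and rule.if_index != req.if_index:
        return False
    if rule.service != ALL_TYPE and rule.service != req.service:
        return False
    if rule.vlan_id != 0 and rule.vlan_id != req.vlan_id:   # assumption: 0 = any
        return False
    addr = int(IPv4Address(rule.ip_addr))
    if addr != 0:
        # Compare source and rule address under the rule's netmask.
        mask = int(IPv4Address(rule.ip_netmask))
        if (int(IPv4Address(req.src_ip)) & mask) != (addr & mask):
            return False
    return True


def decide(active_list_name: str, rules: List[Rule], req: Request) -> bool:
    """Return True if the request is granted under the active rule-set.

    Mirrors aclMgmtActiveListName semantics: an empty name disables the
    management ACL, 'console-only' denies all network management.
    """
    if active_list_name == "":
        return True            # NULL name: management ACL checking disabled
    if active_list_name == "console-only":
        return False           # only console management allowed; not modelled here
    ordered = sorted((r for r in rules if r.name == active_list_name),
                     key=lambda r: r.priority)   # priority 1 checked first
    matched_any = False
    for rule in ordered:
        if not rule_matches(rule, req):
            continue
        if rule.action == DENY:
            return False       # first deny wins, no further checking
        matched_any = True     # a permit does NOT end evaluation
    return matched_any         # assumption: no matching rule -> deny


# Constructed sample rule-set "mgmt" plus an inactive rule-set "lab".
SAMPLE_RULES = [
    Rule("mgmt", 1, ip_addr="10.0.0.0", ip_netmask="255.255.255.0", service=SSH),
    Rule("mgmt", 2, ip_addr="10.0.0.99", ip_netmask="255.255.255.255", action=DENY),
    Rule("mgmt", 3, service=SNMP),
    Rule("mgmt", 4, if_index=7, service=HTTPS),
    Rule("lab", 1, action=DENY),   # belongs to another rule-set, never consulted
]

if __name__ == "__main__":
    for req in (Request("10.0.0.5", 1, SSH, 0), Request("10.0.0.99", 1, SSH, 0),
                Request("192.168.1.1", 1, SNMP, 0), Request("172.16.0.1", 8, HTTPS, 0)):
        print(req, "->", "permit" if decide("mgmt", SAMPLE_RULES, req) else "deny")
```

The second sample request is the instructive one: 10.0.0.99 is permitted by the priority-1 SSH rule, yet the priority-2 host deny still applies, because a permit never short-circuits evaluation under the semantics the MIB documents. When reviewing a device's aclMgmtListTable, read every rule of the active set, not just the first match.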