BAYSTACK-IPV6-FIRST-HOP-SEC-MIB DEFINITIONS ::= BEGIN
|
|
|
|
IMPORTS
|
|
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Counter32, Integer32
|
|
FROM SNMPv2-SMI
|
|
MacAddress, TruthValue, TEXTUAL-CONVENTION, RowStatus, DisplayString
|
|
FROM SNMPv2-TC
|
|
bayStackMibs
|
|
FROM SYNOPTICS-ROOT-MIB
|
|
InterfaceIndex
|
|
FROM IF-MIB
|
|
Ipv6Address
|
|
FROM IPV6-TC;
|
|
|
|
bayStackIpv6FirstHopSecMib MODULE-IDENTITY
|
|
LAST-UPDATED "201611030000Z"
|
|
ORGANIZATION "Avaya"
|
|
CONTACT-INFO "avaya.com"
|
|
DESCRIPTION
|
|
"This MIB module is used for IPv6 First Hop Security configuration.
|
|
The purpose of the First Hop Security feature is to take care of the threats
|
|
caused by the immediate node to another immediate node attached to the same
|
|
First Hop Security device."
|
|
|
|
REVISION "201611030000Z" -- November 3, 2016
|
|
DESCRIPTION
|
|
"Ver 10: Added objects bsIpv6FHSSourceGuardDropCount and bsIpv6FHSSourceGuardClearDropCount."
|
|
|
|
REVISION "201507020000Z" -- July 02, 2015
|
|
DESCRIPTION
|
|
"Ver 9: Added value none(3) for FhsRaGuardDeviceRole and
|
|
FhsDhcpv6GuardDeviceRole.
|
|
Requested by Amit Choudhary (submit 24712)
|
|
for FHS on VOSS (Prem)."
|
|
|
|
REVISION "201506300000Z" -- June 30, 2015
|
|
DESCRIPTION
|
|
"Ver 8: Added bsIpv6FHSPolicyPortMapDhcpv6gDeviceRole and
|
|
bsIpv6FHSPolicyPortMapRagDeviceRole
|
|
Requested by Amit Choudhary (submit 24712)
|
|
for FHS on VOSS (Prem)."
|
|
|
|
REVISION "201506090000Z" -- June 9th, 2015
|
|
DESCRIPTION
|
|
"Ver 8: Added bsIpv6FHSTrapNotificationObjects, which consists of bsIpv6FHSTrapClientMACAddr,
|
|
bsIpv6FHSTrapInterfaceIndex, bsIpv6FHSTrapClientIpv6Address and bsIpv6FHSTrapVlanID.
|
|
Also added bsIpv6FHSTrapMsgType, bsIpv6FhsTrapPktDropReason, as well as new trap
|
|
notification types for FHS: bsIpv6NDNotificationSBTTableFull, bsIpv6NDNotificationUntrustedPort,
|
|
bsIpv6RAGuardNotification and bsIpv6DHCPGuardNotification.
|
|
|
|
The following objects have thus become obsolete: bsIpv6NDTrapNotificationObjects,
|
|
bsIpv6NDInspectionNotificationClientMACAddr, bsIpv6NDInspectionNotificationMsgType,
|
|
bsIpv6FHSNDInterfaceIndex, bsIpv6FHSNDIpv6Address, bsIpv6FHSNDVlanID, bsIpv6NDSBTTableFull and
|
|
bsIpv6NDNotificationsUntrustedPort."
|
|
|
|
REVISION "201504080000Z" -- April 8, 2015
|
|
DESCRIPTION
|
|
"Ver 7: Added bsIpv6FHSSourceGuardIntfConfigTable and bsIpv6FHSSourceGuardBindingTable for Feature Ipv6 Source Guard."
|
|
|
|
REVISION "201403200000Z" -- March 20, 2014
|
|
DESCRIPTION
|
|
"Ver 6: Changed the MAX-ACCESS of some indices from read-only to not-accessible."
|
|
|
|
REVISION "201401170000Z" -- January 17, 2014
|
|
DESCRIPTION
|
|
"Ver 5: Added notification object bsIpv6FHSNDVlanID, changed trap names from
|
|
bsIpv6SBTTableFull to bsIpv6NDSBTTableFull and from bsIpv6NDTrapNotificationUnTrustedPort
|
|
to bsIpv6NDNotificationsUntrustedPort, extended range of bsIpv6FHSSbtVlan from 1..1094 to
|
|
1..4094 and made minor changes in the descriptions of both bsIpv6NDSBTTableFull and
|
|
bsIpv6NDNotificationsUntrustedPort traps. Also, both traps now have the same notification
|
|
objects: bsIpv6NDInspectionNotificationClientMACAddr, bsIpv6NDInspectionNotificationMsgType,
|
|
bsIpv6FHSNDInterfaceIndex, bsIpv6FHSNDIpv6Address and bsIpv6FHSNDVlanID."
|
|
|
|
REVISION "201311180000Z" -- November 18, 2013
|
|
DESCRIPTION
|
|
"Ver 4: Added mibs for ND Inspection."
|
|
|
|
REVISION "201310110000Z" -- October 11, 2013
|
|
DESCRIPTION
|
|
"Ver 3: Changed FhsDhcpv6GuardDeviceRole values. Added types to IMPORTS."
|
|
|
|
REVISION "201308200000Z" -- August 20, 2013
|
|
DESCRIPTION
|
|
"Ver 2: Extend range of bsIpv6FHSRagHopLimitMin, bsIpv6FHSRagHopLimitMax,
|
|
bsIpv6FHSDhcpv6gPrefLimitMin and bsIpv6FHSDhcpv6gPrefLimitMax from 1..255 to 0..255.
|
|
Enumerations now start from 1 instead of 0."
|
|
|
|
REVISION "201305270000Z" -- May 27, 2013
|
|
DESCRIPTION
|
|
"Ver 1: Initial version."
|
|
::= { bayStackMibs 45 }
|
|
|
|
bsIpv6FirstHopSecNotifications
|
|
OBJECT IDENTIFIER ::= { bayStackIpv6FirstHopSecMib 0 }
|
|
bsIpv6FirstHopSecObjects
|
|
OBJECT IDENTIFIER ::= { bayStackIpv6FirstHopSecMib 1 }
|
|
|
|
|
|
-- Start Local Definition
|
|
|
|
FhsRaGuardDeviceRole ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A value indicating a role of ra-guard device."
|
|
SYNTAX INTEGER {
|
|
router(1),
|
|
host(2),
|
|
none(3)
|
|
}
|
|
|
|
FhsRaManagedConfigFlag ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A value indicating ra-guard managed config flag."
|
|
SYNTAX INTEGER {
|
|
none(1),
|
|
on(2),
|
|
off(3)
|
|
}
|
|
|
|
FhsRaRouterPrefMax ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A value indicating ra-guard router max preference."
|
|
SYNTAX INTEGER {
|
|
none(1),
|
|
high(2),
|
|
medium(3),
|
|
low(4)
|
|
}
|
|
|
|
FhsDhcpv6GuardDeviceRole ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A value indicating dhcp-guard device role."
|
|
SYNTAX INTEGER {
|
|
server(1),
|
|
client(2),
|
|
none(3)
|
|
}
|
|
|
|
FhsListName ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"First Hop Security list name."
|
|
SYNTAX DisplayString (SIZE(1..64))
|
|
|
|
FhsAccessType ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A value indicating an access-type."
|
|
SYNTAX INTEGER {
|
|
allow(1),
|
|
deny(2)
|
|
}
|
|
|
|
FhsSbtState ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A value indicating state of SBT entry"
|
|
SYNTAX INTEGER {
|
|
incomplete(1),
|
|
reachable(2),
|
|
stale(3),
|
|
down(4)
|
|
}
|
|
|
|
FhsSbtType ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A value indicating SBT entry learn type"
|
|
SYNTAX INTEGER {
|
|
static(1),
|
|
nd(2),
|
|
dhcp(3)
|
|
}
|
|
|
|
-- End Local Definition
|
|
|
|
|
|
-- Start Definition for First Hop Security scalar variable
|
|
|
|
bsIpv6FHSScalVar
|
|
OBJECT IDENTIFIER ::= { bsIpv6FirstHopSecObjects 1 }
|
|
|
|
-- Global administrative switch for First Hop Security: a read-write
-- TruthValue scalar whose DEFVAL is false.
-- NOTE(review): presumably false means the feature is disabled, so a device
-- left at defaults performs no FHS filtering, and any manager with SNMP write
-- access to this object can turn the feature off. Confirm against the agent,
-- and limit write access to this subtree (e.g. SNMPv3 with authentication and
-- privacy plus a restrictive VACM view).
bsIpv6FHSAdmin OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "First Hop Security Global Admin status"
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSScalVar 1 }
|
|
|
|
bsIpv6FHSRagAdmin OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "RA guard Global Admin status"
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSScalVar 2 }
|
|
|
|
bsIpv6FHSDhcpv6gAdmin OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "DHCPv6 guard Global Admin status"
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSScalVar 3 }
|
|
|
|
bsIpv6FHSNdInspectAdmin OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "ND Inspection Global Admin status"
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSScalVar 4 }
|
|
|
|
bsIpv6FHSMaxDynSbtEntries OBJECT-TYPE
|
|
SYNTAX Integer32 (0..1024)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Maximum Dynamic SBT entries allowed"
|
|
DEFVAL { 1024 }
|
|
::= { bsIpv6FHSScalVar 5 }
|
|
|
|
-- Lifetime, in seconds, of an SBT entry in the Reachable state. Read-write,
-- DEFVAL 300. Per the DESCRIPTION, a value of 0 means the timer never expires.
-- NOTE(review): the SYNTAX range is 0..864000, but the DESCRIPTION gives an
-- upper bound of 86400 and the Stale and Down lifetime objects in this module
-- use 0..86400. One of the two is likely a typo; confirm which bound the agent
-- enforces. The DESCRIPTION also gives a lower bound of 30 that the SYNTAX
-- range does not express.
-- NOTE(review): with 0 configured, entries in this state presumably never age
-- out, so they keep counting against bsIpv6FHSMaxDynSbtEntries; watch
-- bsIpv6FHSSbtTblOverFlow if this is used. Confirm against the agent.
bsIpv6FHSSbtReachLifeTime OBJECT-TYPE
|
|
SYNTAX Integer32 (0..864000)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "SBT Reachable state life time in seconds starts from 30 till 86400. Configure timer as 0 will not expire this timer"
|
|
DEFVAL { 300 }
|
|
::= { bsIpv6FHSScalVar 6 }
|
|
|
|
bsIpv6FHSSbtStaleLifeTime OBJECT-TYPE
|
|
SYNTAX Integer32 (0..86400)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "SBT Stale state life time in seconds starts from 30 till 86400. Configure timer as 0 will not expire this timer"
|
|
DEFVAL { 86400 }
|
|
::= { bsIpv6FHSScalVar 7 }
|
|
|
|
bsIpv6FHSSbtDownLifeTime OBJECT-TYPE
|
|
SYNTAX Integer32 (0..86400)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "SBT Down state life time in seconds starts from 30 till 86400. Configure timer as 0 will not expire this timer"
|
|
DEFVAL { 86400 }
|
|
::= { bsIpv6FHSScalVar 8 }
|
|
|
|
bsIpv6FHSSbtTblOverFlow OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "SBT Table Overflow due to the maximum SBT entry restriction"
|
|
::= { bsIpv6FHSScalVar 9 }
|
|
|
|
|
|
-- End Definition for First Hop Security scalar variable
|
|
|
|
|
|
-- Start Definition for First Hop Security IPv6 access list
|
|
-- This table contains list of IP Access List. With the
|
|
-- ability to assign the range of the IP address using
|
|
-- bsIpv6FHSIpv6AccessListMaskLenFrom and
|
|
-- bsIpv6FHSIpv6AccessListMaskLenTo variables
|
|
-- IP access list table contains the following
|
|
-- elements
|
|
-- IPv6 Access List Name
|
|
-- IPv6 Prefix
|
|
-- IPv6 Prefix Mask Len
|
|
-- IPv6 Prefix Mask Len From
|
|
-- IPv6 Prefix Mask Len To
|
|
-- Access Type (Allow or Deny)
|
|
|
|
bsIpv6FHSIpv6AccessListTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF BsIpv6FHSIpv6AccessEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Table contains the list of
|
|
IPv6 Access List used for First
|
|
Hop Security Feature."
|
|
::= { bsIpv6FirstHopSecObjects 2 }
|
|
|
|
bsIpv6FHSIpv6AccessListEntry OBJECT-TYPE
|
|
SYNTAX BsIpv6FHSIpv6AccessEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Entry contains the list of
|
|
IPv6 Access List used for First
|
|
Hop Security Feature."
|
|
INDEX { bsIpv6FHSIpv6AccessListName,
|
|
bsIpv6FHSIpv6AccessListPrefix,
|
|
bsIpv6FHSIpv6AccessListPrefixMaskLen}
|
|
::= { bsIpv6FHSIpv6AccessListTable 1 }
|
|
|
|
BsIpv6FHSIpv6AccessEntry ::=
|
|
SEQUENCE {
|
|
bsIpv6FHSIpv6AccessListName FhsListName,
|
|
bsIpv6FHSIpv6AccessListPrefix Ipv6Address,
|
|
bsIpv6FHSIpv6AccessListPrefixMaskLen Integer32,
|
|
bsIpv6FHSIpv6AccessListMaskLenFrom Integer32,
|
|
bsIpv6FHSIpv6AccessListMaskLenTo Integer32,
|
|
bsIpv6FHSIpv6AccessListAccessType FhsAccessType,
|
|
bsIpv6FHSIpv6AccessListRowStatus RowStatus
|
|
}
|
|
|
|
bsIpv6FHSIpv6AccessListName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "IPv6 Access List Name"
|
|
::= { bsIpv6FHSIpv6AccessListEntry 1 }
|
|
|
|
bsIpv6FHSIpv6AccessListPrefix OBJECT-TYPE
|
|
SYNTAX Ipv6Address
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "IPv6 Prefix attached to this IPv6 access list Id"
|
|
::= { bsIpv6FHSIpv6AccessListEntry 2 }
|
|
|
|
bsIpv6FHSIpv6AccessListPrefixMaskLen OBJECT-TYPE
|
|
SYNTAX Integer32 (0..128)
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "IPv6 Prefix mask length attached to this IPv6 access list Id"
|
|
::= { bsIpv6FHSIpv6AccessListEntry 3 }
|
|
|
|
bsIpv6FHSIpv6AccessListMaskLenFrom OBJECT-TYPE
|
|
SYNTAX Integer32 (0..128)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "IPv6 Prefix mask length range from"
|
|
DEFVAL { 0 }
|
|
::= { bsIpv6FHSIpv6AccessListEntry 4 }
|
|
|
|
bsIpv6FHSIpv6AccessListMaskLenTo OBJECT-TYPE
|
|
SYNTAX Integer32 (0..128)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "IPv6 Prefix mask length range to"
|
|
DEFVAL { 0 }
|
|
::= { bsIpv6FHSIpv6AccessListEntry 5 }
|
|
|
|
-- Action applied by an IPv6 access list entry: allow(1) or deny(2), from the
-- FhsAccessType textual convention. Read-write, DEFVAL allow.
-- NOTE(review): because the default is allow, a row created without setting
-- this column presumably permits the matching prefix. This module does not
-- state what happens to a packet that matches no entry of a list (implicit
-- allow or implicit deny); confirm against the platform documentation before
-- relying on a list as a filter.
bsIpv6FHSIpv6AccessListAccessType OBJECT-TYPE
|
|
SYNTAX FhsAccessType
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "IPv6 IP Access Type
|
|
Allow or Deny"
|
|
DEFVAL { allow }
|
|
::= { bsIpv6FHSIpv6AccessListEntry 6 }
|
|
|
|
-- RowStatus column of the IPv6 access list table.
-- NOTE(review): MAX-ACCESS is read-write here, as it is for the other
-- RowStatus columns visible in this module. SMIv2 tables that allow rows to
-- be created by a manager normally declare such columns read-create, and
-- strict MIB checkers may flag this. Confirm whether the agent accepts row
-- creation and deletion over SNMP, since that decides who can add or remove
-- filter entries.
bsIpv6FHSIpv6AccessListRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "IPv6 IP Access List row status"
|
|
::= { bsIpv6FHSIpv6AccessListEntry 7 }
|
|
|
|
-- End Definition for First Hop Security IPv6 access list
|
|
|
|
|
|
-- Start Definition for First Hop Security MAC access list
|
|
-- This table contains list of
|
|
-- MAC list name
|
|
-- MAC Addresses
|
|
-- MAC Access Type (Allow or Deny)
|
|
|
|
bsIpv6FHSMacAccessListTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF BsIpv6FHSMacAccessEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Table contains the list of
|
|
MAC Access List used for First
|
|
Hop Security Feature."
|
|
::= { bsIpv6FirstHopSecObjects 3 }
|
|
|
|
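-- Conceptual row of bsIpv6FHSMacAccessListTable, indexed by the list name
-- and the MAC address.
-- NOTE(review): this row is registered as sub-identifier 3 of its table,
-- whereas every other entry object visible in this module uses
-- { <table> 1 }, which is the usual SMIv2 layout. The value is left as
-- published because changing it would move the OIDs of every column in the
-- table; confirm against the agent before relying on either form.
bsIpv6FHSMacAccessListEntry OBJECT-TYPE
    SYNTAX      BsIpv6FHSMacAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "Entry contains the list of
                 MAC Access List used for First
                 Hop Security Feature."
    INDEX       { bsIpv6FHSMacAccessListName,
                  bsIpv6FHSMacAccessListMac }
    ::= { bsIpv6FHSMacAccessListTable 3 }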
|
|
|
|
BsIpv6FHSMacAccessEntry ::=
|
|
SEQUENCE {
|
|
bsIpv6FHSMacAccessListName FhsListName,
|
|
bsIpv6FHSMacAccessListMac MacAddress,
|
|
bsIpv6FHSMacAccessListAccessType FhsAccessType,
|
|
bsIpv6FHSMacAccessListRowStatus RowStatus
|
|
}
|
|
|
|
bsIpv6FHSMacAccessListName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "MAC Access List Name"
|
|
::= { bsIpv6FHSMacAccessListEntry 1 }
|
|
|
|
bsIpv6FHSMacAccessListMac OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "MAC address attached to this MAC access list Id"
|
|
::= { bsIpv6FHSMacAccessListEntry 2 }
|
|
|
|
bsIpv6FHSMacAccessListAccessType OBJECT-TYPE
|
|
SYNTAX FhsAccessType
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "MAC Access Type
|
|
Allow or Deny"
|
|
DEFVAL { allow }
|
|
::= { bsIpv6FHSMacAccessListEntry 3 }
|
|
|
|
bsIpv6FHSMacAccessListRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "MAC Access List row status"
|
|
::= { bsIpv6FHSMacAccessListEntry 4 }
|
|
|
|
-- End Definition for First Hop Security MAC access list
|
|
|
|
|
|
-- Start Definition for First Hop Security - port Vs policy mapping
|
|
-- This table consist of the mapping between physical port and
|
|
-- different First Hop Security policy name
|
|
--
|
|
-- At present there would be RA-guard and DHCP-guard per interface
|
|
-- This Table consists of
|
|
-- interface index
|
|
-- DHCPv6-guard policy name - BsIpv6FHSDhcpv6gPolicyEntry
|
|
-- RA-guard policy name - BsIpv6FHSRagPolicyEntry
|
|
-- ND-inspection Enable/Disable
|
|
-- SBT dynamic learning Enable/Disable
|
|
-- DHCPv6 Packet Received
|
|
-- DHCPv6 dropped due to the FHS security
|
|
-- RA Packet Received
|
|
-- RA Packet dropped due to the FHS security
|
|
-- ND Packet Received
|
|
-- ND Packet dropped due to the FHS security
|
|
-- Clear Stats for DHCPv6 counters
|
|
-- Clear Stats for RA counters
|
|
-- Clear Stats for ND counters
|
|
|
|
bsIpv6FHSPolicyPortMapTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF BsIpv6FHSPolicyPortMapEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Table contains the list of
|
|
First Hop security Policies
|
|
attached to the interface."
|
|
::= { bsIpv6FirstHopSecObjects 4 }
|
|
|
|
bsIpv6FHSPolicyPortMapEntry OBJECT-TYPE
|
|
SYNTAX BsIpv6FHSPolicyPortMapEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Entry contains the list of
|
|
First Hop security Policies
|
|
attached to the interface."
|
|
INDEX { bsIpv6FHSPolicyPortMapIfIndex}
|
|
::= { bsIpv6FHSPolicyPortMapTable 1 }
|
|
|
|
BsIpv6FHSPolicyPortMapEntry ::=
|
|
SEQUENCE {
|
|
bsIpv6FHSPolicyPortMapIfIndex InterfaceIndex,
|
|
bsIpv6FHSPolicyPortMapDhcpv6gPolicyName FhsListName,
|
|
bsIpv6FHSPolicyPortMapRagPolicyName FhsListName,
|
|
bsIpv6FHSPolicyPortMapNDAdmin TruthValue,
|
|
bsIpv6FHSPolicyPortMapSbtDynLearnAdmin TruthValue,
|
|
bsIpv6FHSPolicyPortMapTotDhcpv6PktRcv Counter32,
|
|
bsIpv6FHSPolicyPortMapTotDhcpv6PktDropped Counter32,
|
|
bsIpv6FHSPolicyPortMapTotRaPktRcv Counter32,
|
|
bsIpv6FHSPolicyPortMapTotRaPktDropped Counter32,
|
|
bsIpv6FHSPolicyPortMapTotNdPktRcv Counter32,
|
|
bsIpv6FHSPolicyPortMapTotNdPktDropped Counter32,
|
|
bsIpv6FHSPolicyPortMapClearDhcpGuardStats TruthValue,
|
|
bsIpv6FHSPolicyPortMapClearRaGuardStats TruthValue,
|
|
bsIpv6FHSPolicyPortMapClearNDInspectStats TruthValue,
|
|
bsIpv6FHSPolicyPortMapRowStatus RowStatus,
|
|
bsIpv6FHSPolicyPortMapDhcpv6gDeviceRole FhsDhcpv6GuardDeviceRole,
|
|
bsIpv6FHSPolicyPortMapRagDeviceRole FhsRaGuardDeviceRole
|
|
}
|
|
|
|
bsIpv6FHSPolicyPortMapIfIndex OBJECT-TYPE
|
|
SYNTAX InterfaceIndex
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Interface index number"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 1 }
|
|
|
|
bsIpv6FHSPolicyPortMapDhcpv6gPolicyName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "DHCPv6 guard policy name"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 2 }
|
|
|
|
bsIpv6FHSPolicyPortMapRagPolicyName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "RA guard policy name"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 3 }
|
|
|
|
bsIpv6FHSPolicyPortMapNDAdmin OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enable/Disable ND-inspection"
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSPolicyPortMapEntry 4 }
|
|
|
|
bsIpv6FHSPolicyPortMapSbtDynLearnAdmin OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enable/Disable learning dynamic SBT entry"
|
|
DEFVAL { true }
|
|
::= { bsIpv6FHSPolicyPortMapEntry 5 }
|
|
|
|
|
|
bsIpv6FHSPolicyPortMapTotDhcpv6PktRcv OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Total Number of Dhcpv6
|
|
packets Received"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 6 }
|
|
|
|
bsIpv6FHSPolicyPortMapTotDhcpv6PktDropped OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Total Number of Dhcpv6
|
|
packets dropped"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 7 }
|
|
|
|
bsIpv6FHSPolicyPortMapTotRaPktRcv OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Total Number of RA
|
|
packets Received"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 8 }
|
|
|
|
bsIpv6FHSPolicyPortMapTotRaPktDropped OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Total Number of RA
|
|
packets dropped"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 9 }
|
|
|
|
bsIpv6FHSPolicyPortMapTotNdPktRcv OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Total Number of ND Packets Received"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 10 }
|
|
|
|
bsIpv6FHSPolicyPortMapTotNdPktDropped OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Total Number of ND Packets Dropped"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 11 }
|
|
|
|
bsIpv6FHSPolicyPortMapClearDhcpGuardStats OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "First Hop security clear stats:
|
|
bsIpv6FHSPolicyPortMapTotDhcpv6PktRcv and
|
|
bsIpv6FHSPolicyPortMapTotDhcpv6PktDropped"
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSPolicyPortMapEntry 12 }
|
|
|
|
bsIpv6FHSPolicyPortMapClearRaGuardStats OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "First Hop security clear stats:
|
|
bsIpv6FHSPolicyPortMapTotRaPktRcv and
|
|
bsIpv6FHSPolicyPortMapTotRaPktDropped"
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSPolicyPortMapEntry 13 }
|
|
|
|
-- Per-interface control for clearing the ND inspection counters named in the
-- DESCRIPTION. Read-write TruthValue, DEFVAL false.
-- NOTE(review): the DESCRIPTION names bsIpv6FHSPolicyPortMapTotSbtEntDropped,
-- but BsIpv6FHSPolicyPortMapEntry as defined in this module has no column of
-- that name; only the two ND packet counters exist. Confirm whether the
-- reference is stale.
-- NOTE(review): presumably writing true resets the drop counters, which
-- removes evidence of filtered packets; collect the counters before clearing
-- and restrict write access. Confirm the reset semantics against the agent.
bsIpv6FHSPolicyPortMapClearNDInspectStats OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "First Hop security clear stats:
|
|
bsIpv6FHSPolicyPortMapTotNdPktRcv,
|
|
bsIpv6FHSPolicyPortMapTotNdPktDropped and
|
|
bsIpv6FHSPolicyPortMapTotSbtEntDropped "
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSPolicyPortMapEntry 14 }
|
|
|
|
bsIpv6FHSPolicyPortMapRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "First Hop security row status"
|
|
::= { bsIpv6FHSPolicyPortMapEntry 15 }
|
|
|
|
bsIpv6FHSPolicyPortMapDhcpv6gDeviceRole OBJECT-TYPE
|
|
SYNTAX FhsDhcpv6GuardDeviceRole
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the device role of the received port. If
|
|
the device role is client and if it receives DHCPv6
|
|
reply then those packets should be dropped.
|
|
This object is currently used in VOSS platforms only
|
|
and is equivalent to bsIpv6FHSDhcpv6gDeviceRole object
|
|
in other platforms."
|
|
DEFVAL { server }
|
|
::= { bsIpv6FHSPolicyPortMapEntry 16 }
|
|
|
|
-- Per-port RA guard device role (router, host or none, from the
-- FhsRaGuardDeviceRole textual convention). Read-write, DEFVAL router.
-- Per the DESCRIPTION, RAs received on a port whose role is host are dropped.
-- NOTE(review): since the default is router, a port left at its default is
-- presumably not filtered on role, so access ports need the role set to host
-- explicitly for RA guard to drop RAs arriving on them. Confirm against the
-- agent.
bsIpv6FHSPolicyPortMapRagDeviceRole OBJECT-TYPE
|
|
SYNTAX FhsRaGuardDeviceRole
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the device role to the received port. If the
|
|
device role is host and if it receives RAs then those
|
|
packets should be dropped.
|
|
This object is currently used in VOSS platforms only
|
|
and is equivalent to bsIpv6FHSRagDeviceRole object
|
|
in other platforms."
|
|
DEFVAL { router }
|
|
::= { bsIpv6FHSPolicyPortMapEntry 17 }
|
|
|
|
-- End Definition for First Hop Security port Vs policy mapping
|
|
|
|
|
|
-- Start Definition for First Hop Security DHCPv6-guard-policy
|
|
-- This table contains DHCPv6-guard Policy List
|
|
-- Informations are
|
|
-- policy-name
|
|
-- device-role
|
|
-- server-access-list - BsIpv6FHSIpv6AccessEntry
|
|
-- Relay-access-list - BsIpv6FHSIpv6AccessEntry
|
|
-- Router-Pref-lim-min
|
|
-- Router-pref-lim-max
|
|
|
|
|
|
bsIpv6FHSDhcpv6gPolicyListTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF BsIpv6FHSDhcpv6gPolicyEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Table contains the list of
|
|
DHCPv6 guard Policies used for
|
|
First Hop Security Feature."
|
|
::= { bsIpv6FirstHopSecObjects 5 }
|
|
|
|
bsIpv6FHSDhcpv6gPolicyListEntry OBJECT-TYPE
|
|
SYNTAX BsIpv6FHSDhcpv6gPolicyEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Entry contains the list of
|
|
DHCPv6 guard Policies used for
|
|
First Hop Security Feature."
|
|
INDEX { bsIpv6FHSDhcpv6gPolicyName}
|
|
::= { bsIpv6FHSDhcpv6gPolicyListTable 1 }
|
|
|
|
BsIpv6FHSDhcpv6gPolicyEntry ::=
|
|
SEQUENCE {
|
|
bsIpv6FHSDhcpv6gPolicyName FhsListName,
|
|
bsIpv6FHSDhcpv6gDeviceRole FhsDhcpv6GuardDeviceRole,
|
|
bsIpv6FHSDhcpv6gServerAccessListName FhsListName,
|
|
bsIpv6FHSDhcpv6gReplyPrefixListName FhsListName,
|
|
bsIpv6FHSDhcpv6gPrefLimitMin Integer32,
|
|
bsIpv6FHSDhcpv6gPrefLimitMax Integer32,
|
|
bsIpv6FHSDhcpv6gPolicyListRowStatus RowStatus
|
|
}
|
|
|
|
|
|
bsIpv6FHSDhcpv6gPolicyName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "This is the DHCPv6
|
|
guard Policy Name"
|
|
::= { bsIpv6FHSDhcpv6gPolicyListEntry 1 }
|
|
|
|
bsIpv6FHSDhcpv6gDeviceRole OBJECT-TYPE
|
|
SYNTAX FhsDhcpv6GuardDeviceRole
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the device role of
|
|
the received port. If the
|
|
device role is client and if
|
|
it receives DHCPv6 reply then
|
|
those packets should be
|
|
dropped"
|
|
::= { bsIpv6FHSDhcpv6gPolicyListEntry 2 }
|
|
|
|
bsIpv6FHSDhcpv6gServerAccessListName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the IPv6 access list which
|
|
will be validating source
|
|
IPv6 address of the DHCPv6 Reply
|
|
packet from the server"
|
|
::= { bsIpv6FHSDhcpv6gPolicyListEntry 3 }
|
|
|
|
bsIpv6FHSDhcpv6gReplyPrefixListName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Validate the prefix
|
|
information in the DHCPv6
|
|
reply against the configured
|
|
reply prefix list. "
|
|
::= { bsIpv6FHSDhcpv6gPolicyListEntry 4 }
|
|
|
|
bsIpv6FHSDhcpv6gPrefLimitMin OBJECT-TYPE
|
|
SYNTAX Integer32 (0..255)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is a check against the
|
|
DHCPv6 server / relay
|
|
router preference. If
|
|
the received router
|
|
preference is less
|
|
than the configured
|
|
router preference then
|
|
drop the packet"
|
|
::= { bsIpv6FHSDhcpv6gPolicyListEntry 5 }
|
|
|
|
bsIpv6FHSDhcpv6gPrefLimitMax OBJECT-TYPE
|
|
SYNTAX Integer32 (0..255)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is a check against the
|
|
DHCPv6 server / relay
|
|
router preference. If
|
|
the received router
|
|
preference is greater
|
|
than the configured
|
|
router preference then
|
|
drop the packet"
|
|
::= { bsIpv6FHSDhcpv6gPolicyListEntry 6 }
|
|
|
|
bsIpv6FHSDhcpv6gPolicyListRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "DHCPv6 guard policy row status"
|
|
::= { bsIpv6FHSDhcpv6gPolicyListEntry 7 }
|
|
|
|
-- End Definition for First Hop Security DHCPv6-guard-policy
|
|
|
|
|
|
-- Start Definition for First Hop Security RA-guard-policy
|
|
-- This table contains RA guard Policy List
|
|
-- Information is
|
|
-- policy-name
|
|
-- device-role
|
|
-- ipaccess-list - BsIpv6FHSIpv6AccessEntry
|
|
-- ip-prefix-name - BsIpv6FHSIpv6AccessEntry
|
|
-- mac-list-name - BsIpv6FHSMacAccessEntry
|
|
-- manage-config-flag
|
|
-- ra-router-pref-max
|
|
-- hop-limit-min
|
|
-- hop-limit-max
|
|
|
|
bsIpv6FHSRagPolicyListTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF BsIpv6FHSRagPolicyEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Table contains the list of
|
|
RA guard Policies used for
|
|
First Hop Security Feature."
|
|
::= { bsIpv6FirstHopSecObjects 6 }
|
|
|
|
bsIpv6FHSRagPolicyListEntry OBJECT-TYPE
|
|
SYNTAX BsIpv6FHSRagPolicyEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Entry contains the list of
|
|
RA guard Policies used for
|
|
First Hop Security Feature."
|
|
INDEX { bsIpv6FHSRagPolicyName}
|
|
::= { bsIpv6FHSRagPolicyListTable 1 }
|
|
|
|
BsIpv6FHSRagPolicyEntry ::=
|
|
SEQUENCE {
|
|
bsIpv6FHSRagPolicyName FhsListName,
|
|
bsIpv6FHSRagDeviceRole FhsRaGuardDeviceRole,
|
|
bsIpv6FHSRagIpv6AccessListName FhsListName,
|
|
bsIpv6FHSRagIpv6PrefixListName FhsListName,
|
|
bsIpv6FHSRagMacListName FhsListName,
|
|
bsIpv6FHSRagManagedConfigFlag FhsRaManagedConfigFlag,
|
|
bsIpv6FHSRagRouterPrefMax FhsRaRouterPrefMax,
|
|
bsIpv6FHSRagHopLimitMin Integer32,
|
|
bsIpv6FHSRagHopLimitMax Integer32,
|
|
bsIpv6FHSRagPolicyListRowStatus RowStatus
|
|
}
|
|
|
|
bsIpv6FHSRagPolicyName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "RA guard policy Name"
|
|
::= { bsIpv6FHSRagPolicyListEntry 1 }
|
|
|
|
bsIpv6FHSRagDeviceRole OBJECT-TYPE
|
|
SYNTAX FhsRaGuardDeviceRole
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the device role to
|
|
be checked against"
|
|
DEFVAL { router }
|
|
::= { bsIpv6FHSRagPolicyListEntry 2 }
|
|
|
|
bsIpv6FHSRagIpv6AccessListName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the IPv6 access list which
|
|
will be validating the source
|
|
IPv6 address of the RA packet"
|
|
::= { bsIpv6FHSRagPolicyListEntry 3 }
|
|
|
|
bsIpv6FHSRagIpv6PrefixListName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the IPv6 access list which
|
|
will be validating the Prefix
|
|
present in the RA packet"
|
|
::= { bsIpv6FHSRagPolicyListEntry 4 }
|
|
|
|
bsIpv6FHSRagMacListName OBJECT-TYPE
|
|
SYNTAX FhsListName
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the MAC access list which
|
|
will be validating the source
|
|
MAC of the received RA packet"
|
|
::= { bsIpv6FHSRagPolicyListEntry 5 }
|
|
|
|
bsIpv6FHSRagManagedConfigFlag OBJECT-TYPE
|
|
SYNTAX FhsRaManagedConfigFlag
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "In the RA packets, there is an M flag
|
|
(Managed Address configuration Flag)
|
|
which is set indicating that the address
|
|
assignments are available via DHCPv6.
|
|
This means that DHCPv6 would take care
|
|
of the interface address assignment
|
|
in that LAN segment. If filtering policy
|
|
is enabled then all the RA packets with
|
|
M flag not set will be dropped.
|
|
By default this check will be ignored"
|
|
|
|
::= { bsIpv6FHSRagPolicyListEntry 6 }
|
|
|
|
bsIpv6FHSRagRouterPrefMax OBJECT-TYPE
|
|
SYNTAX FhsRaRouterPrefMax
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "In the RA packet there is router
|
|
preference information available
|
|
in the Flags. This could be HIGH
|
|
or LOW or MEDIUM. This filtering
|
|
policy option would verify that
|
|
the advertised default router
|
|
preference parameter value is lower
|
|
than or equal to a specified limit"
|
|
DEFVAL { none }
|
|
::= { bsIpv6FHSRagPolicyListEntry 7 }
|
|
|
|
bsIpv6FHSRagHopLimitMin OBJECT-TYPE
|
|
SYNTAX Integer32 (0..255)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the minimum value check for
|
|
the hop limit value present in the
|
|
RA packet. If the value is less
|
|
than configured minimum value then drop
|
|
the RA packet"
|
|
DEFVAL { 0 }
|
|
::= { bsIpv6FHSRagPolicyListEntry 8 }
|
|
|
|
-- Upper bound for the hop limit carried in an RA: per the DESCRIPTION, an RA
-- whose hop limit is greater than this value is dropped. Read-write,
-- range 0..255, DEFVAL 0.
-- NOTE(review): read literally, the default of 0 would drop every RA with a
-- non-zero hop limit. Presumably 0 means the check is disabled, but the
-- module does not say so; confirm against the agent before treating an
-- unconfigured policy as enforcing a maximum.
bsIpv6FHSRagHopLimitMax OBJECT-TYPE
|
|
SYNTAX Integer32 (0..255)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "This is the maximum value check for
|
|
the hop limit value present in the
|
|
RA packet. If the value is greater
|
|
than configured maximum value then drop
|
|
the RA packet"
|
|
DEFVAL { 0 }
|
|
::= { bsIpv6FHSRagPolicyListEntry 9 }
|
|
|
|
bsIpv6FHSRagPolicyListRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "RA guard policy row status"
|
|
::= { bsIpv6FHSRagPolicyListEntry 10 }
|
|
|
|
-- End Definition for First Hop Security RA-guard-policy
|
|
|
|
-- Start Definition for First Hop Security Security Binding Table (FHSSBT)
|
|
-- This table contains list of SBT entries.
|
|
-- SBT Table contains the following elements
|
|
-- Interface Index (unit/port)
|
|
-- Vlan ID
|
|
-- Source IPv6 Address
|
|
-- Link Layer Address
|
|
-- SBT Entry Type
|
|
-- SBT Entry Priority
|
|
-- SBT Entry State
|
|
-- SBT Entry Age in seconds
|
|
|
|
|
|
bsIpv6FHSSbtTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF BsIpv6FHSSbtEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Table contains the list of
|
|
SBT entries learnt
|
|
Dynamically and statically
|
|
configured."
|
|
::= { bsIpv6FirstHopSecObjects 7 }
|
|
|
|
bsIpv6FHSSbtListEntry OBJECT-TYPE
|
|
SYNTAX BsIpv6FHSSbtEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Entry contains the list of
|
|
SBT entries."
|
|
INDEX { bsIpv6FHSSbtInterfaceIndex,
|
|
bsIpv6FHSSbtVlan,
|
|
bsIpv6FHSSbtSrcIp}
|
|
::= { bsIpv6FHSSbtTable 1 }
|
|
|
|
BsIpv6FHSSbtEntry ::=
|
|
SEQUENCE {
|
|
bsIpv6FHSSbtInterfaceIndex InterfaceIndex,
|
|
bsIpv6FHSSbtVlan Integer32,
|
|
bsIpv6FHSSbtSrcIp Ipv6Address,
|
|
bsIpv6FHSSbtLinkLayerAddress MacAddress,
|
|
bsIpv6FHSSbtLearnType FhsSbtType,
|
|
bsIpv6FHSSbtLearnPriority Integer32,
|
|
bsIpv6FHSSbtLearnState FhsSbtState,
|
|
bsIpv6FHSSbtLearnAge Integer32,
|
|
bsIpv6FHSSbtRowStatus RowStatus
|
|
}
|
|
|
|
bsIpv6FHSSbtInterfaceIndex OBJECT-TYPE
|
|
SYNTAX InterfaceIndex
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Derive unit and port number from this ifindex"
|
|
::= { bsIpv6FHSSbtListEntry 1 }
|
|
|
|
bsIpv6FHSSbtVlan OBJECT-TYPE
|
|
SYNTAX Integer32 (1..4094)
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "VLAN"
|
|
::= { bsIpv6FHSSbtListEntry 2 }
|
|
|
|
bsIpv6FHSSbtSrcIp OBJECT-TYPE
|
|
SYNTAX Ipv6Address
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "Source IPv6 Address"
|
|
::= { bsIpv6FHSSbtListEntry 3 }
|
|
|
|
bsIpv6FHSSbtLinkLayerAddress OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Link Layer MAC address"
|
|
::= { bsIpv6FHSSbtListEntry 4 }
|
|
|
|
bsIpv6FHSSbtLearnType OBJECT-TYPE
|
|
SYNTAX FhsSbtType
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "SBT Entry Type"
|
|
::= { bsIpv6FHSSbtListEntry 5 }
|
|
|
|
bsIpv6FHSSbtLearnPriority OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "SBT Entry priority"
|
|
::= { bsIpv6FHSSbtListEntry 6 }
|
|
|
|
bsIpv6FHSSbtLearnState OBJECT-TYPE
|
|
SYNTAX FhsSbtState
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "SBT Entry state"
|
|
::= { bsIpv6FHSSbtListEntry 7 }
|
|
|
|
bsIpv6FHSSbtLearnAge OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Time elapsed since the entry entered its current state"
|
|
::= { bsIpv6FHSSbtListEntry 8 }
|
|
|
|
-- Row status column (column 9) of the SBT row.
-- MAX-ACCESS is read-write, not read-create, so the module does not itself
-- declare that managers can create rows. Which RowStatus values the agent
-- accepts on a set is not stated in this module.
-- NOTE(review): if the agent lets a row be destroyed or deactivated through
-- this column, a set removes a binding from the SBT. Treat sets to it as
-- security-relevant configuration changes and log them (assumption, confirm).
bsIpv6FHSSbtRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "SBT entry row status"
|
|
::= { bsIpv6FHSSbtListEntry 9 }
|
|
|
|
-- End Definition for First Hop Security SBT table
|
|
|
|
-- Start Definition for First Hop Security Source Guard Interface Configuration
|
|
|
|
bsIpv6FHSSourceGuardInterfaceConfigTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF BsIpv6FHSSourceGuardInterfaceConfigEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"IPv6 Source Guard Interface table."
|
|
::= { bsIpv6FirstHopSecObjects 9 }
|
|
|
|
bsIpv6FHSSourceGuardInterfaceConfigEntry OBJECT-TYPE
|
|
SYNTAX BsIpv6FHSSourceGuardInterfaceConfigEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An entry of this table."
|
|
INDEX { bsIpv6FHSSourceGuardIfIndex }
|
|
::= { bsIpv6FHSSourceGuardInterfaceConfigTable 1 }
|
|
|
|
BsIpv6FHSSourceGuardInterfaceConfigEntry ::=
|
|
SEQUENCE {
|
|
bsIpv6FHSSourceGuardIfIndex InterfaceIndex,
|
|
bsIpv6FHSSourceGuardInterfaceState TruthValue,
|
|
bsIpv6FHSSourceGuardMaxAddr Integer32,
|
|
bsIpv6FHSSourceGuardOverflowCount Counter32,
|
|
bsIpv6FHSSourceGuardClearOverflowCount TruthValue,
|
|
bsIpv6FHSSourceGuardDropCount Counter32,
|
|
bsIpv6FHSSourceGuardClearDropCount TruthValue
|
|
}
|
|
|
|
bsIpv6FHSSourceGuardIfIndex OBJECT-TYPE
|
|
SYNTAX InterfaceIndex
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Interface index number."
|
|
::= { bsIpv6FHSSourceGuardInterfaceConfigEntry 1}
|
|
|
|
-- Per-interface administrative switch for IPv6 Source Guard (column 2 of the
-- row indexed by bsIpv6FHSSourceGuardIfIndex).
-- DEFVAL is false. The DESCRIPTION does not spell out what true and false
-- mean; presumably false is disabled, so the feature stays off on an
-- interface until a manager sets this column to true (confirm).
-- The column is read-write. If the assumption above holds, a set to false
-- turns off source address validation on that port, so such sets are worth
-- auditing.
bsIpv6FHSSourceGuardInterfaceState OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"IPv6 Source Guard Admin state of an interface."
|
|
DEFVAL { false }
|
|
::= { bsIpv6FHSSourceGuardInterfaceConfigEntry 2 }
|
|
|
|
bsIpv6FHSSourceGuardMaxAddr OBJECT-TYPE
|
|
SYNTAX Integer32(2..10)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Maximum allowed IPv6 Source Addresses on an interface."
|
|
DEFVAL { 4 }
|
|
::= { bsIpv6FHSSourceGuardInterfaceConfigEntry 3 }
|
|
|
|
bsIpv6FHSSourceGuardOverflowCount OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Number of times the SBT entries could not be added
|
|
to the allowed list."
|
|
::= { bsIpv6FHSSourceGuardInterfaceConfigEntry 4 }
|
|
|
|
bsIpv6FHSSourceGuardClearOverflowCount OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object clears counter object bsIpv6FHSSourceGuardOverflowCount."
|
|
::= { bsIpv6FHSSourceGuardInterfaceConfigEntry 5 }
|
|
|
|
bsIpv6FHSSourceGuardDropCount OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Number of packets dropped by Source Guard on this port."
|
|
::= { bsIpv6FHSSourceGuardInterfaceConfigEntry 6 }
|
|
|
|
-- Write-side control paired with the read-only counter
-- bsIpv6FHSSourceGuardDropCount (column 6 of the same row).
-- The DESCRIPTION does not say which TruthValue triggers the clear or what a
-- read of this column returns; presumably a set to true resets the counter
-- (confirm).
-- NOTE(review): a clear discards the Source Guard drop history for the port.
-- Collectors that keep the counter as a record of dropped traffic should
-- poll it before any clear and record which manager issued the set.
bsIpv6FHSSourceGuardClearDropCount OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object clears counter object: bsIpv6FHSSourceGuardDropCount."
|
|
::= { bsIpv6FHSSourceGuardInterfaceConfigEntry 7 }
|
|
|
|
-- End Definition for First Hop Security Source Guard Interface Config
|
|
|
|
-- Start Definition for First Hop Security IPv6 Source Guard binding table
|
|
-- This table consists of the IPv6 binding entries for each port
|
|
-- interface index
|
|
-- IPv6 address
|
|
|
|
bsIpv6FHSSourceGuardBindingTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF BsIpv6FHSSourceGuardBindingEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"List of IPv6 Source Guard binding entries for each
|
|
Source Guard enabled interface."
|
|
::= { bsIpv6FirstHopSecObjects 10 }
|
|
|
|
bsIpv6FHSSourceGuardBindingEntry OBJECT-TYPE
|
|
SYNTAX BsIpv6FHSSourceGuardBindingEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An entry of this table."
|
|
INDEX
|
|
{ bsIpv6FHSSourceGuardEntryIfIndex,
|
|
bsIpv6FHSSourceGuardEntryIpv6Addr }
|
|
::= { bsIpv6FHSSourceGuardBindingTable 1 }
|
|
|
|
BsIpv6FHSSourceGuardBindingEntry ::=
|
|
SEQUENCE {
|
|
bsIpv6FHSSourceGuardEntryIfIndex InterfaceIndex,
|
|
bsIpv6FHSSourceGuardEntryIpv6Addr Ipv6Address
|
|
}
|
|
|
|
bsIpv6FHSSourceGuardEntryIfIndex OBJECT-TYPE
|
|
SYNTAX InterfaceIndex
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Interface index number."
|
|
::= { bsIpv6FHSSourceGuardBindingEntry 1 }
|
|
|
|
-- Second index of the binding table (see the INDEX clause of
-- bsIpv6FHSSourceGuardBindingEntry) and its only accessible column; the other
-- column, bsIpv6FHSSourceGuardEntryIfIndex, is not-accessible.
-- Both columns of the row are indexes, so one of them has to stay accessible
-- for a manager to walk the table. A walk returns the allowed address of
-- each binding, with the interface index encoded in the instance identifier.
-- The table has no writable column, so bindings cannot be edited through it.
bsIpv6FHSSourceGuardEntryIpv6Addr OBJECT-TYPE
|
|
SYNTAX Ipv6Address
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"IPv6 address allowed on the interface."
|
|
::= { bsIpv6FHSSourceGuardBindingEntry 2 }
|
|
|
|
-- End Definition for First Hop Security IPv6 Source Guard binding table
|
|
|
|
-- ============================================================================
|
|
-- Notification Objects
|
|
-- ============================================================================
|
|
|
|
-- Obsoleted Definitions - Objects
|
|
|
|
bsIpv6NDTrapNotificationObjects
|
|
OBJECT IDENTIFIER ::= { bsIpv6FirstHopSecObjects 8 }
|
|
|
|
|
|
bsIpv6NDInspectionNotificationClientMACAddr OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS obsolete
|
|
DESCRIPTION
|
|
"This value indicates the source MAC Address of a dropped ND inspection packet."
|
|
::= { bsIpv6NDTrapNotificationObjects 1 }
|
|
|
|
|
|
bsIpv6NDInspectionNotificationMsgType OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
ipv6NDNS(1),
|
|
ipv6NDNA(2),
|
|
ipv6NDRS(3),
|
|
ipv6NDRA(4),
|
|
ipv6NDRedir(5)
|
|
}
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS obsolete
|
|
DESCRIPTION
|
|
"This value indicates the message type of a dropped ND packet."
|
|
::= { bsIpv6NDTrapNotificationObjects 2 }
|
|
|
|
bsIpv6FHSNDInterfaceIndex OBJECT-TYPE
|
|
SYNTAX InterfaceIndex
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS obsolete
|
|
DESCRIPTION
|
|
"This value indicates the unit and port number of a dropped ND inspection packet."
|
|
::= { bsIpv6NDTrapNotificationObjects 3 }
|
|
|
|
bsIpv6FHSNDIpv6Address OBJECT-TYPE
|
|
SYNTAX Ipv6Address
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS obsolete
|
|
DESCRIPTION
|
|
"This value indicates the Ipv6 source address of a dropped ND inspection packet."
|
|
::= { bsIpv6NDTrapNotificationObjects 4 }
|
|
|
|
bsIpv6FHSNDVlanID OBJECT-TYPE
|
|
SYNTAX Integer32 (1..4094)
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS obsolete
|
|
DESCRIPTION
|
|
"This value indicates the Vlan ID of a dropped ND inspection packet."
|
|
::= { bsIpv6NDTrapNotificationObjects 5 }
|
|
|
|
-- End of Obsoleted Definitions - Objects
|
|
|
|
bsIpv6FHSTrapNotificationObjects
|
|
OBJECT IDENTIFIER ::= { bsIpv6FirstHopSecObjects 11 }
|
|
|
|
|
|
-- Varbind listed in the OBJECTS clause of the four current FHS notifications
-- in this module (SBT table full, untrusted port, RA Guard, DHCP Guard).
-- Per the DESCRIPTION the value is the source MAC address of the dropped
-- packet, so it is taken from the offending frame and can be forged by the
-- sender. When triaging a trap, use bsIpv6FHSTrapInterfaceIndex and
-- bsIpv6FHSTrapVlanID to locate the port (presumably these reflect where the
-- switch saw the packet; confirm) and treat the MAC address as a hint only.
bsIpv6FHSTrapClientMACAddr OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This value indicates the source MAC Address of a dropped ND/RS/RA/DHCP packet."
|
|
::= { bsIpv6FHSTrapNotificationObjects 1 }
|
|
|
|
|
|
bsIpv6FHSTrapInterfaceIndex OBJECT-TYPE
|
|
SYNTAX InterfaceIndex
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This value indicates the unit and port number of a dropped ND/RS/RA/DHCP inspection packet."
|
|
::= { bsIpv6FHSTrapNotificationObjects 2 }
|
|
|
|
bsIpv6FHSTrapClientIpv6Address OBJECT-TYPE
|
|
SYNTAX Ipv6Address
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This value indicates the IPv6 source address of a dropped ND/RS/RA/DHCP inspection packet."
|
|
::= { bsIpv6FHSTrapNotificationObjects 3 }
|
|
|
|
bsIpv6FHSTrapVlanID OBJECT-TYPE
|
|
SYNTAX Integer32 (1..4094)
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This value indicates the Vlan ID of a dropped ND/RS/RA/DHCP inspection packet."
|
|
::= { bsIpv6FHSTrapNotificationObjects 4 }
|
|
|
|
bsIpv6FHSTrapMsgType OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
ipv6NDNS(1),
|
|
ipv6NDNA(2),
|
|
ipv6NDRS(3),
|
|
ipv6NDRA(4),
|
|
ipv6NDRedir(5),
|
|
ipv6DHCPReq(6),
|
|
ipv6DHCPReply(7)
|
|
}
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This value indicates the message type of a dropped ND/RS/RA/DHCP packet."
|
|
::= { bsIpv6FHSTrapNotificationObjects 5 }
|
|
|
|
bsIpv6FhsTrapPktDropReason OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
ipv6PortRoleMismatch(1),
|
|
ipv6MacMismatch(2),
|
|
ipv6PrefixMismatch(3),
|
|
ipv6IpMismatch(4),
|
|
ipv6ManagedFlagMismatch(5),
|
|
ipv6RouterPrefMismatch(6),
|
|
ipv6HopLimitMismatch(7),
|
|
ipv6LenMismatch(8)
|
|
}
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This value indicates the reason a packet was dropped by FHS."
|
|
::= { bsIpv6FHSTrapNotificationObjects 6}
|
|
|
|
--
|
|
-- Notifications
|
|
--
|
|
|
|
-- Obsoleted Definitions - Notifications
|
|
|
|
bsIpv6NDSBTTableFull NOTIFICATION-TYPE
|
|
OBJECTS {
|
|
bsIpv6NDInspectionNotificationClientMACAddr,
|
|
bsIpv6NDInspectionNotificationMsgType,
|
|
bsIpv6FHSNDInterfaceIndex,
|
|
bsIpv6FHSNDIpv6Address,
|
|
bsIpv6FHSNDVlanID
|
|
}
|
|
STATUS obsolete
|
|
DESCRIPTION
|
|
"This notification is generated when an attempt is made to add a new
|
|
SBT entry when the Secure Binding Table is full. The value of
|
|
bsIpv6NDInspectionNotificationClientMACAddr represents the MAC address that
|
|
could not be added to the SBT table. This notification also
|
|
indicates that additional packets will not be added to
|
|
the SBT and will be dropped."
|
|
::= { bsIpv6FirstHopSecNotifications 1 }
|
|
|
|
|
|
|
|
bsIpv6NDNotificationsUntrustedPort NOTIFICATION-TYPE
|
|
OBJECTS {
|
|
bsIpv6NDInspectionNotificationClientMACAddr,
|
|
bsIpv6NDInspectionNotificationMsgType,
|
|
bsIpv6FHSNDInterfaceIndex,
|
|
bsIpv6FHSNDIpv6Address,
|
|
bsIpv6FHSNDVlanID
|
|
}
|
|
STATUS obsolete
|
|
DESCRIPTION
|
|
"This notification is generated when an ND message is suspected
|
|
to be generated by the untrusted system/host."
|
|
::= { bsIpv6FirstHopSecNotifications 2 }
|
|
|
|
-- End of Obsoleted Definitions - Notifications
|
|
|
|
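-- Current SBT-full notification. It has the same DESCRIPTION wording as the
-- obsolete bsIpv6NDSBTTableFull but carries the bsIpv6FHSTrap* varbinds.
-- The DESCRIPTION below names bsIpv6FHSTrapClientMACAddr, the MAC varbind
-- actually listed in OBJECTS; the original text still pointed at the obsolete
-- bsIpv6NDInspectionNotificationClientMACAddr, which this notification does
-- not carry.
-- Per the DESCRIPTION, a full table means new bindings are refused and the
-- corresponding packets are dropped, so this trap is worth alerting on.
bsIpv6NDNotificationSBTTableFull NOTIFICATION-TYPE
    OBJECTS {
        bsIpv6FHSTrapClientMACAddr,
        bsIpv6FHSTrapClientIpv6Address,
        bsIpv6FHSTrapMsgType,
        bsIpv6FHSTrapInterfaceIndex,
        bsIpv6FHSTrapVlanID
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when an attempt is made to add a new
        SBT entry when the Secure Binding Table is full. The value of
        bsIpv6FHSTrapClientMACAddr represents the MAC address that
        could not be added to the SBT table. This notification also
        indicates that additional packets will not be added to
        the SBT and will be dropped."
    ::= { bsIpv6FirstHopSecNotifications 3 }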
|
|
|
|
|
|
|
|
bsIpv6NDNotificationUntrustedPort NOTIFICATION-TYPE
|
|
OBJECTS {
|
|
bsIpv6FHSTrapClientMACAddr,
|
|
bsIpv6FHSTrapClientIpv6Address,
|
|
bsIpv6FHSTrapMsgType,
|
|
bsIpv6FHSTrapInterfaceIndex,
|
|
bsIpv6FHSTrapVlanID
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This notification is generated when an ND message is suspected
|
|
to have been generated by an untrusted system/host."
|
|
::= { bsIpv6FirstHopSecNotifications 4 }
|
|
|
|
|
|
bsIpv6RAGuardNotification NOTIFICATION-TYPE
|
|
OBJECTS {
|
|
bsIpv6FHSTrapClientMACAddr,
|
|
bsIpv6FHSTrapClientIpv6Address,
|
|
bsIpv6FHSTrapMsgType,
|
|
bsIpv6FHSTrapInterfaceIndex,
|
|
bsIpv6FHSTrapVlanID,
|
|
bsIpv6FhsTrapPktDropReason
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This notification is generated when an RA message comes in that does not
|
|
match the RA Guard configuration"
|
|
::= { bsIpv6FirstHopSecNotifications 5 }
|
|
|
|
bsIpv6DHCPGuardNotification NOTIFICATION-TYPE
|
|
OBJECTS {
|
|
bsIpv6FHSTrapClientMACAddr,
|
|
bsIpv6FHSTrapClientIpv6Address,
|
|
bsIpv6FHSTrapMsgType,
|
|
bsIpv6FHSTrapInterfaceIndex,
|
|
bsIpv6FHSTrapVlanID,
|
|
bsIpv6FhsTrapPktDropReason
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This notification is generated when a DHCPv6 message comes in that does not
|
|
match the DHCPv6 Guard configuration"
|
|
::= { bsIpv6FirstHopSecNotifications 6 }
|
|
|
|
END
|
|
|