-- *****************************************************************
-- CISCO-ACL-MIB
--
-- Definitions of managed objects describing Cisco Access Control
-- Lists.
--
-- March 2013, Kapil Jain, Jorge Serpa
--
-- Copyright (c) 2013 by Cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************

CISCO-ACL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Counter64,
    Unsigned32,
    Integer32
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION,
    RowStatus
        FROM SNMPv2-TC
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddressType,
    InetPortNumber,
    InetAddress
        FROM INET-ADDRESS-MIB
    ifIndex
        FROM IF-MIB
    CiscoIpProtocol
        FROM CISCO-TC
    ciscoMgmt
        FROM CISCO-SMI;

ciscoACLMIB MODULE-IDENTITY
    LAST-UPDATED    "201303270000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
            "Cisco Systems
            Customer Service

            Postal: 170 West Tasman Drive
            San Jose, CA 95134
            USA

            Tel: +1 800 553-NETS

            E-mail: cs-snmp@cisco.com"
    DESCRIPTION
        "This MIB module defines objects that describe Cisco Access
        Control Lists (ACL).

        This MIB describes different objects that enable the
        network administrator to remotely configure ACLs, apply them
        to interfaces and monitor their usage statistics.

        A typical application of this MIB module will facilitate
        monitoring of ACL match (sometimes referred to as hit) counts.
        However, by no means does the definition of this MIB module
        prevent other applications from using it.

        An ACL is an ordered list of statements that deny or permit
        packets based on matching fields contained within the packet
        header (layer 3 source and destination addresses, layer 4
        protocol, layer 4 source and destination port numbers, etc.).
        In addition there is an implicit *Deny All* at the end of the
        ACL. ACLs are used to perform packet filtering to control
        which packets are allowed through the network. Such control
        can help limit network traffic, and restrict the access of
        applications and devices on the network. Each one of these
        statements is referred to as an Access List Control Entry
        (ACE).
        Here is an example of an ACL configuration.
            ipv4 access-list V4Example
             10 permit tcp any any
            !
            ipv6 access-list V6Example
             10 permit tcp any any
            !

        The mechanism for monitoring ACL usage is to configure a
        counter label in the desired ACEs. A counter label is a name
        that is given to a counter and can be defined in any ACE. ACEs
        that share the same counter label name will have their counters
        aggregated into the same label.
        Here is an example of how to use counter labels.
            ipv4 access-list V4CounterExample
             10 permit tcp any any counter CountPermits
             20 permit udp any any counter CountPermits

        The same applies to IPv6 ACLs.

        This MIB consists of the following tables:
        * caAclCfgTable
          Defines the ACLs configured in the device.
        * caAclIPV4ACECfgTable
          Defines the ACEs that make up an IPV4 ACL.
        * caAclIPV6ACECfgTable
          Defines the ACEs that make up an IPV6 ACL.
        * caAclAccessGroupCfgTable
          Defines the Access Control Groups (ACG) applied to
          interfaces on the device.
        * caAclLabelIntfStatsTable
          Defines the statistics for a specific ACE with counter
          labels attached to interfaces on the device.
        "
    REVISION        "201303270000Z"
    DESCRIPTION
        "The initial version of this MIB module."
    ::= { ciscoMgmt 808 }

-- ********************************************************************
-- *                         Top-Level Trees                          *
-- ********************************************************************

caAclMIBObjects         OBJECT IDENTIFIER ::= { ciscoACLMIB 1 }
caAclMIBConformance     OBJECT IDENTIFIER ::= { ciscoACLMIB 2 }

caAclConfiguration      OBJECT IDENTIFIER ::= { caAclMIBObjects 1 }
caAclStats              OBJECT IDENTIFIER ::= { caAclMIBObjects 2 }

caAclMIBACEConform      OBJECT IDENTIFIER ::= { caAclMIBConformance 1 }

caAclMIBACECompliances  OBJECT IDENTIFIER ::= { caAclMIBACEConform 1 }

caAclMIBCfgGroups       OBJECT IDENTIFIER ::= { caAclMIBACEConform 2 }

-- ********************************************************************
-- *                       Textual Conventions                        *
-- ********************************************************************

CaAclTrafficDirection ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the direction of the ACL:
        ingress - in the ingress (input) direction,
        egress  - in the egress (output) direction."
    SYNTAX          INTEGER  {
                        ingress(1),
                        egress(2)
                    }

CaAclACLIndex ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "d"
    STATUS          current
    DESCRIPTION
        "A unique value, greater than zero, for each ACL name in the
        managed system. It is recommended that these values be assigned
        contiguously starting from 1. The value for each ACL name must
        remain constant at least from one re-initialization of the
        entity's network management system to the next
        re-initialization."
    SYNTAX          Unsigned32 (1..4294967295)

CaAclSequenceNumber ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "d"
    STATUS          current
    DESCRIPTION
        "An unsigned 32-bit integer value."
    SYNTAX          Unsigned32 (1..4294967295)

CaAclPortOperator ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual convention represents the operator that is
        applied between the transport layer source/destination port
        of the packets to be filtered and the configured port (or
        port range in the case of range(5)).
        lt(1)    - match ports that are smaller than the configured value.
        gt(2)    - match ports that are greater than the configured value.
        eq(3)    - match ports that are equal to the configured value.
        neq(4)   - match ports that are not equal to the configured value.
        range(5) - match ports in the range of configured values,
                   inclusive."
    SYNTAX          INTEGER  {
                        lt(1),
                        gt(2),
                        eq(3),
                        neq(4),
                        range(5)
                    }

CaAclAction ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the action to be taken on packets
        that match the ACE.
        permit(1) - the packet will be considered for further processing.
        deny(2)   - the packet will be dropped without any further
                    processing."
    SYNTAX          INTEGER  {
                        permit(1),
                        deny(2)
                    }

CaAclLogOption ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the log option that is to be
        applied to an ACE. Currently the options are log and logInput.
        The difference between log and logInput is that logInput
        logs all the information that log does, with the addition of
        the ingress interface as well as the MAC address of the device
        that last handled the packet."
    SYNTAX          INTEGER  {
                        log(1),
                        logInput(2)
                    }

CaAclTcpFlagsMatch ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "An enumeration value indicating the type of matching that
        is to be done on the TCP flags field of the packet, provided
        that the packet being filtered is a TCP packet.
        matchAny(1)  - take caAclAction if any of the TCP flags in the
                       packet match the configured value.
        matchAll(2)  - take caAclAction only if all the TCP flags in
                       the packet match the configured value.
        matchNone(3) - take caAclAction only if none of the TCP flags
                       in the packet match the configured value."
    SYNTAX          INTEGER  {
                        matchAny(1),
                        matchAll(2),
                        matchNone(3)
                    }

CaAclPrecedenceValue ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "An enumeration value indicating the value of the precedence
        field. It is specified as a number between 0 and 7, as defined
        in RFC-791."
    SYNTAX          INTEGER  {
                        routine(0),
                        priority(1),
                        immediate(2),
                        flash(3),
                        flashOverride(4),
                        critical(5),
                        internet(6),
                        network(7)
                    }

-- ********************************************************************
-- *                          ACL entry table                         *
-- ********************************************************************

caAclCfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclCfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of ACL definitions. Each entry in this table defines
        a unique IPV4 or IPV6 ACL."
    ::= { caAclConfiguration 1 }

caAclCfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclCfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclCfgTable. Each entry of this
        table is identified by the ACL index and the address type, so
        that the table may contain both IPV4 and IPV6 ACLs."
    INDEX           {
                        caAclIndex,
                        caAclAddressType
                    }
    ::= { caAclCfgTable 1 }

CaAclCfgTableEntry ::= SEQUENCE {
        caAclIndex        CaAclACLIndex,
        caAclAddressType  InetAddressType,
        caAclName         SnmpAdminString,
        caAclRowStatus    RowStatus
}

caAclIndex OBJECT-TYPE
    SYNTAX          CaAclACLIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An arbitrary (system assigned) index for each ACL name. The
        index is unique for each ACL name in the device, but is further
        qualified by the address family.

        For example, consider the following configuration:
            ipv4 access-list ACL1
             10 permit ipv4 any any
            !
            ipv6 access-list ACL1
             10 permit ipv6 any any

        In this case the caAclIndex value for both ACLs will be the
        same."
    ::= { caAclCfgTableEntry 1 }

caAclAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object defines the address family of the ACL."
    ::= { caAclCfgTableEntry 2 }

caAclName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "A string that identifies the ACL name."
    ::= { caAclCfgTableEntry 3 }

caAclRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry
        in the caAclCfgTable.

        A row can be created using the 'createAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent. Once a row becomes active, values in
        any other column within the row cannot be modified.

        A row may be deleted by setting the RowStatus to 'destroy'."
    ::= { caAclCfgTableEntry 4 }

-- ********************************************************************
-- *                       IPV4 ACE entry table                       *
-- ********************************************************************

caAclIPV4ACECfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclIPV4ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of IPV4 ACE definitions. The ACE definition controls
        whether packets are accepted or rejected. The access control
        may be applied before sending the packet to the forwarding
        engine, or may be applied after the packet is processed by the
        forwarding engine.

        If two ACE entries with the same sequence number are configured,
        the latter will overwrite the former."
    ::= { caAclConfiguration 2 }

caAclIPV4ACECfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclIPV4ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclIPV4ACECfgTable. Each entry of
        this table consists of a set of match criteria for a given ACL."
    INDEX           {
                        caAclIndex,
                        caAclAddressType,
                        caAclIPV4ACESequenceNumber
                    }
    ::= { caAclIPV4ACECfgTable 1 }

CaAclIPV4ACECfgTableEntry ::= SEQUENCE {
        caAclIPV4ACESequenceNumber           CaAclSequenceNumber,
        caAclIPV4ACEAction                   CaAclAction,
        caAclIPV4ACEProtocol                 CiscoIpProtocol,
        caAclIPV4ACESourceAddress            InetAddress,
        caAclIPV4ACESourceWildCardMask       InetAddress,
        caAclIPV4ACESourceNetworkGroup       SnmpAdminString,
        caAclIPV4ACESourcePortOperator       CaAclPortOperator,
        caAclIPV4ACESourcePort               InetPortNumber,
        caAclIPV4ACESourcePortUpper          InetPortNumber,
        caAclIPV4ACESourcePortGroup          SnmpAdminString,
        caAclIPV4ACEDestinationAddress       InetAddress,
        caAclIPV4ACEDestinationWildCardMask  InetAddress,
        caAclIPV4ACEDestinationNetworkGroup  SnmpAdminString,
        caAclIPV4ACEDestinationPortOperator  CaAclPortOperator,
        caAclIPV4ACEDestinationPort          InetPortNumber,
        caAclIPV4ACEDestinationPortUpper     InetPortNumber,
        caAclIPV4ACEDestinationPortGroup     SnmpAdminString,
        caAclIPV4ACEDscpValue                Unsigned32,
        caAclIPV4ACETcpFlagsValue            Unsigned32,
        caAclIPV4ACETcpFlagsMask             Unsigned32,
        caAclIPV4ACETcpFlagsMatchType        CaAclTcpFlagsMatch,
        caAclIPV4ACETosValue                 Unsigned32,
        caAclIPV4ACEPrecedenceValue          CaAclPrecedenceValue,
        caAclIPV4ACELogOption                CaAclLogOption,
        caAclIPV4ACECounterLabel             SnmpAdminString,
        caAclIPV4ACERemark                   SnmpAdminString,
        caAclIPV4ACERowStatus                RowStatus
}

caAclIPV4ACESequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies an ACE within an ACL. Sequence
        numbers are assigned to each permit/deny statement, causing the
        system to insert the statement in that numbered position within
        the ACL. If two ACE entries with the same sequence number are
        configured, the latter one will overwrite the former."
    ::= { caAclIPV4ACECfgTableEntry 1 }

caAclIPV4ACEAction OBJECT-TYPE
    SYNTAX          CaAclAction
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the type of action to be taken if the
        packet matches the given criteria.

        If it is set to permit(1), all packets matching this ACE will
        be allowed for further processing.

        If it is set to deny(2), all packets matching this ACE will
        be discarded."
    ::= { caAclIPV4ACECfgTableEntry 2 }

caAclIPV4ACEProtocol OBJECT-TYPE
    SYNTAX          CiscoIpProtocol
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object identifies the layer 3 protocol type to be
        filtered by the ACE. Protocol numbers are defined in the
        Network Working Group Request For Comment documents."
    REFERENCE
        "RFC-790, Assigned Numbers, September 1981, Section
        Assigned Internet Protocol Numbers."
    ::= { caAclIPV4ACECfgTableEntry 3 }

caAclIPV4ACESourceAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host from
        which the packet is being sent. If this object value is 0.0.0.0
        and the value of the caAclIPV4ACESourceWildCardMask object in the
        same entry is 255.255.255.255, this entry matches any source
        address.

        If this object value is not 0.0.0.0 and the value of
        caAclIPV4ACESourceWildCardMask is 0.0.0.0, this entry matches
        the specific host address defined in this object."
    ::= { caAclIPV4ACECfgTableEntry 4 }

caAclIPV4ACESourceWildCardMask OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the mask of wild card address bits
        for caAclIPV4ACESourceAddress. Wild card masking indicates
        to the system whether to check or ignore the corresponding
        IP address bits when comparing the address bits in an ACL
        to a packet being submitted to the ACL. The default wild card
        mask is 0.0.0.0. The wild card mask is the inverse of a
        regular subnet mask. If the mask value 0.0.0.255 is applied to
        the address 1.2.3.0, it will match all traffic from subnet
        1.2.3.0."
    ::= { caAclIPV4ACECfgTableEntry 5 }

caAclIPV4ACESourceNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Network Object Group from
        which the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 6 }

caAclIPV4ACESourcePortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed on the layer
        4 source port field. Source port fields are present only for
        the IGMP, ICMP, SCTP, TCP, and UDP protocols.

        If caAclIPV4ACEProtocol is none of the ones listed above, this
        object should be set to noOperator(1), which means that no
        comparison is to be performed.

        If this object is set to range(5) then two port numbers are
        necessary, i.e., both caAclIPV4ACESourcePort and
        caAclIPV4ACESourcePortUpper need to be provided."
    ::= { caAclIPV4ACECfgTableEntry 7 }

caAclIPV4ACESourcePort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the source port number of the layer 4
        protocol. This is the field to be matched with the specified
        source port based on caAclIPV4ACESourcePortOperator. If
        caAclIPV4ACESourcePortOperator is range(5) then this object
        will hold the inclusive lower bound of the source port range
        that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 8 }

caAclIPV4ACESourcePortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        source port range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 9 }

caAclIPV4ACESourcePortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group from which
        the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 10 }

caAclIPV4ACEDestinationAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host to
        which the packet is being sent. If this object value is 0.0.0.0
        and the value of the caAclIPV4ACEDestinationWildCardMask object
        in the same entry is 255.255.255.255, this entry matches any
        destination address.

        If this object value is not 0.0.0.0 and the value of
        caAclIPV4ACEDestinationWildCardMask is 0.0.0.0, this entry
        matches the specific host address defined in this object."
    ::= { caAclIPV4ACECfgTableEntry 11 }

caAclIPV4ACEDestinationWildCardMask OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the mask of wild card address bits
        for caAclIPV4ACEDestinationAddress. Wild card masking
        indicates to the system whether to check or ignore the
        corresponding IP address bits when comparing the address
        bits in an ACE to a packet being submitted to the ACE. The
        default wild card mask is 0.0.0.0. The wild card mask is the
        inverse of a regular subnet mask. If the mask value 0.0.0.255
        is applied to the address 1.2.3.4, it will match all traffic
        to subnet 1.2.3.0."
    ::= { caAclIPV4ACECfgTableEntry 12 }

caAclIPV4ACEDestinationNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Destination Network Object Group to
        which the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 13 }

caAclIPV4ACEDestinationPortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed on the layer
        4 destination port field. Destination port fields are present
        only for the IGMP, ICMP, SCTP, TCP, and UDP protocols.

        If caAclIPV4ACEProtocol is none of the ones listed above, this
        object should be set to noOperator(1), which means that no
        comparison is to be performed.

        If this object is set to range(5) then two port numbers are
        necessary, i.e., both caAclIPV4ACEDestinationPort and
        caAclIPV4ACEDestinationPortUpper need to be provided."
    ::= { caAclIPV4ACECfgTableEntry 14 }

caAclIPV4ACEDestinationPort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the destination port number of the layer
        4 protocol. This is the field to be matched with the specified
        destination port based on caAclIPV4ACEDestinationPortOperator.
        If caAclIPV4ACEDestinationPortOperator is range(5) then this
        object will hold the inclusive lower bound of the destination
        port range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 15 }

caAclIPV4ACEDestinationPortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        destination port range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 16 }

caAclIPV4ACEDestinationPortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Destination Port Object Group to which
        the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 17 }

caAclIPV4ACEDscpValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..63)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the DSCP value that will be considered
        in the match criteria against the value in the packet."
    ::= { caAclIPV4ACECfgTableEntry 18 }

caAclIPV4ACETcpFlagsValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the TCP flags which will
        be considered in the match criteria based on
        caAclIPV4ACETcpFlagsMatchType.
        Users can select any desired combination of the TCP flags
        on which to filter TCP packets."
    ::= { caAclIPV4ACECfgTableEntry 19 }

caAclIPV4ACETcpFlagsMask OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the mask value of the TCP flags field."
    ::= { caAclIPV4ACECfgTableEntry 20 }

caAclIPV4ACETcpFlagsMatchType OBJECT-TYPE
    SYNTAX          CaAclTcpFlagsMatch
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the type of matching to be done on the
        TCP flags field."
    ::= { caAclIPV4ACECfgTableEntry 21 }

caAclIPV4ACETosValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..16)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the TOS field to be filtered.
        Packets can be filtered by the TOS level as specified by a
        number from 0 to 15. Use the value 16 to indicate that the
        TOS field should be ignored during matching."
    ::= { caAclIPV4ACECfgTableEntry 22 }

caAclIPV4ACEPrecedenceValue OBJECT-TYPE
    SYNTAX          CaAclPrecedenceValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the value of the precedence field to be
        filtered."
    REFERENCE
        "RFC-791, Internet Protocol, DARPA Internet Program Protocol
        Specification, September 1981."
    ::= { caAclIPV4ACECfgTableEntry 23 }

caAclIPV4ACELogOption OBJECT-TYPE
    SYNTAX          CaAclLogOption
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the log option field to be
        applied to packets that match this ACE entry."
    ::= { caAclIPV4ACECfgTableEntry 24 }

caAclIPV4ACECounterLabel OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the counter label name for this ACE.
        ACEs that share the same counter label name will have their
        hit counts aggregated into the same counter label name."
    ::= { caAclIPV4ACECfgTableEntry 25 }

caAclIPV4ACERemark OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..100))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines a comment in the ACL. It helps the user
        to define some meaningful comment to identify the ACE
        quickly, or to know the purpose of a set of ACEs.
        This field is not used during packet matching."
    ::= { caAclIPV4ACECfgTableEntry 26 }

caAclIPV4ACERowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry
        in the caAclIPV4ACECfgTable.

        A row can be created using the 'createAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent.

        A row may be deleted by setting the RowStatus to 'destroy'.

        The only object required to delete a row in this table is
        the sequence number (caAclIPV4ACESequenceNumber)."
    ::= { caAclIPV4ACECfgTableEntry 27 }

-- ********************************************************************
-- *                       IPV6 ACE entry table                       *
-- ********************************************************************

caAclIPV6ACECfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclIPV6ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of IPV6 ACE definitions. The ACE definition controls
        whether packets are accepted or rejected. The access control
        may be applied before sending the packet to the forwarding
        engine, or may be applied after the packet is processed by the
        forwarding engine."
    ::= { caAclConfiguration 3 }

caAclIPV6ACECfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclIPV6ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclIPV6ACECfgTable. Each entry of
        this table consists of a set of match criteria for a given ACL."
    INDEX           {
                        caAclIndex,
                        caAclAddressType,
                        caAclIPV6ACESequenceNumber
                    }
    ::= { caAclIPV6ACECfgTable 1 }

CaAclIPV6ACECfgTableEntry ::= SEQUENCE {
        caAclIPV6ACESequenceNumber           CaAclSequenceNumber,
        caAclIPV6ACEAction                   CaAclAction,
        caAclIPV6ACEProtocol                 CiscoIpProtocol,
        caAclIPV6ACESourceAddress            InetAddress,
        caAclIPV6ACESourcePrefixLength       Integer32,
        caAclIPV6ACESourceNetworkGroup       SnmpAdminString,
        caAclIPV6ACESourcePortOperator       CaAclPortOperator,
        caAclIPV6ACESourcePort               InetPortNumber,
        caAclIPV6ACESourcePortUpper          InetPortNumber,
        caAclIPV6ACESourcePortGroup          SnmpAdminString,
        caAclIPV6ACEDestinationAddress       InetAddress,
        caAclIPV6ACEDestinationPrefixLength  Integer32,
        caAclIPV6ACEDestinationNetworkGroup  SnmpAdminString,
        caAclIPV6ACEDestinationPortOperator  CaAclPortOperator,
        caAclIPV6ACEDestinationPort          InetPortNumber,
        caAclIPV6ACEDestinationPortUpper     InetPortNumber,
        caAclIPV6ACEDestinationPortGroup     SnmpAdminString,
        caAclIPV6ACETrafficClassValue        Unsigned32,
        caAclIPV6ACETcpFlagsValue            Unsigned32,
        caAclIPV6ACETcpFlagsMask             Unsigned32,
        caAclIPV6ACETcpFlagsMatchType        CaAclTcpFlagsMatch,
        caAclIPV6ACELogOption                CaAclLogOption,
        caAclIPV6ACECounterLabel             SnmpAdminString,
        caAclIPV6ACERemark                   SnmpAdminString,
        caAclIPV6ACERowStatus                RowStatus
}

caAclIPV6ACESequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies an ACE within an ACL. Sequence
        numbers are assigned to each permit/deny statement, causing the
        system to insert the statement in that numbered position within
        the ACL."
    ::= { caAclIPV6ACECfgTableEntry 1 }

caAclIPV6ACEAction OBJECT-TYPE
    SYNTAX          CaAclAction
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the type of action to be taken if the
        packet matches the given criteria.

        If it is set to permit(1), all packets matching this ACE will
        be allowed for further processing.

        If it is set to deny(2), all packets matching this ACE will
        be discarded."
    ::= { caAclIPV6ACECfgTableEntry 2 }

caAclIPV6ACEProtocol OBJECT-TYPE
    SYNTAX          CiscoIpProtocol
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object identifies the protocol type to be filtered by
        the ACE. Protocol numbers are defined in the Network Working
        Group Request For Comment (RFC) documents."
    REFERENCE
        "RFC-790, Assigned Numbers, September 1981, Section
        Assigned Internet Protocol Numbers."
    ::= { caAclIPV6ACECfgTableEntry 3 }

caAclIPV6ACESourceAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host from
        which the packet is being sent. If this object value is 0::0
        and the value of caAclIPV6ACESourcePrefixLength is 0, then this
        entry matches any source address.

        If this object value is not 0::0 and the value of
        caAclIPV6ACESourcePrefixLength is less than 128, this entry
        matches all the addresses that are in the subnet.

        If this object value is 0::0 and the value of
        caAclIPV6ACESourcePrefixLength is also 0, this entry matches
        all hosts."
    ::= { caAclIPV6ACECfgTableEntry 4 }

caAclIPV6ACESourcePrefixLength OBJECT-TYPE
    SYNTAX          Integer32 (0..128)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the number of bits in the field
        caAclIPV6ACESourceAddress to be checked.

        If the value of this object is 0, then the source address
        in the packet must match caAclIPV6ACESourceAddress exactly
        for the ACE action to be taken."
    ::= { caAclIPV6ACECfgTableEntry 5 }

caAclIPV6ACESourceNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Network Object Group from
        which the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 6 }

caAclIPV6ACESourcePortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed on the layer
        4 source port field. Source port fields are present only for
        the IGMP, ICMP, SCTP, TCP, and UDP protocols.

        If caAclIPV6ACEProtocol is none of the ones listed above, this
        object should be set to noOperator(1), which means that no
        comparison is to be performed.

        If this object is set to range(5) then two port numbers are
        necessary, i.e., both caAclIPV6ACESourcePort and
        caAclIPV6ACESourcePortUpper need to be provided."
    ::= { caAclIPV6ACECfgTableEntry 7 }

caAclIPV6ACESourcePort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the source port number of the layer 4
        protocol. This is the field to be matched with the specified
        source port based on caAclIPV6ACESourcePortOperator. If
        caAclIPV6ACESourcePortOperator is range(5) then this object
        will hold the inclusive lower bound of the source port range
        that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 8 }

caAclIPV6ACESourcePortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        source port range that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 9 }

caAclIPV6ACESourcePortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group from which
        the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 10 }

caAclIPV6ACEDestinationAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host to
        which the packet is being sent. If this object value is 0::0
        and the value of caAclIPV6ACEDestinationPrefixLength is 0, then
        this entry matches any destination address.

        If this object value is not 0::0 and the value of
        caAclIPV6ACEDestinationPrefixLength is less than 128, this
        entry matches all the addresses that are in the subnet.

        If this object value is 0::0 and the value of
        caAclIPV6ACEDestinationPrefixLength is also 0, this entry
        matches all hosts."
    ::= { caAclIPV6ACECfgTableEntry 11 }

caAclIPV6ACEDestinationPrefixLength OBJECT-TYPE
    SYNTAX          Integer32 (0..128)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the number of bits in the field
        caAclIPV6ACEDestinationAddress to be checked.

        If the value of this object is 0, then the destination address
        in the packet must match caAclIPV6ACEDestinationAddress exactly
        for the ACE action to be taken."
    ::= { caAclIPV6ACECfgTableEntry 12 }

caAclIPV6ACEDestinationNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Destination Network Object Group to
        which the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 13 }

caAclIPV6ACEDestinationPortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed on the layer
        4 destination port field. Destination port fields are present only for
|
|
IGMP, ICMP, SCTP, TCP, and UDP protocols.
|
|
|
|
If caAclIPV6ACLProtocol is none of the ones listed above, this
|
|
field should set to noOperator(1), which means no comparison
|
|
is to be performed.
|
|
|
|
If this field is set to range(5) then two port numbers are
|
|
necessary. I.e., Both caAclIPV6ACLDestinationPort and
|
|
caAclIPV6ACLDestinationPortUpper need to be provided."
|
|
::= { caAclIPV6ACECfgTableEntry 14 }
|
|
|
|
caAclIPV6ACEDestinationPort OBJECT-TYPE
|
|
SYNTAX InetPortNumber
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the destination port number of the layer
|
|
4 protocol. This is the field to be matched with the specified
|
|
destination port based on the caAclIPV6ACLSourceOperator. If
|
|
caAclIPV6ACLDestinationOperator is range(5) then this object
|
|
will have the inclusive lower bound of the destination port
|
|
range that is to be matched."
|
|
::= { caAclIPV6ACECfgTableEntry 15 }
|
|
|
|
caAclIPV6ACEDestinationPortUpper OBJECT-TYPE
|
|
SYNTAX InetPortNumber
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the inclusive upper bound of the layer 4
|
|
destination port range that is to be matched."
|
|
::= { caAclIPV6ACECfgTableEntry 16 }
|
|
|
|
caAclIPV6ACEDestinationPortGroup OBJECT-TYPE
|
|
SYNTAX SnmpAdminString (SIZE (1..64))
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the Source Port Object Group to which the
|
|
packet is being sent."
|
|
::= { caAclIPV6ACECfgTableEntry 17 }
|
|
|
|
caAclIPV6ACETrafficClassValue OBJECT-TYPE
|
|
SYNTAX Unsigned32 (0..255)
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the traffic class value that will be
|
|
considered in the match criteria against the value in the
|
|
packet."
|
|
::= { caAclIPV6ACECfgTableEntry 18 }
|
|
|
|
caAclIPV6ACETcpFlagsValue OBJECT-TYPE
|
|
SYNTAX Unsigned32 (0..255)
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the value of the TCP flags which will
|
|
be considered in the match criteria based on
|
|
caAclIPV6ACLTcpFlagsMatchType.
|
|
Users can select any desired combination of the TCP flags
|
|
on which to filter TCP packets."
|
|
REFERENCE
|
|
"RFC-793, Transmission Control Protocol, Darpa Internet
|
|
Program Protocol Specification, September 1981."
|
|
::= { caAclIPV6ACECfgTableEntry 19 }
|
|
|
|
caAclIPV6ACETcpFlagsMask OBJECT-TYPE
|
|
SYNTAX Unsigned32 (0..255)
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the mask value of the TCP flags field."
|
|
::= { caAclIPV6ACECfgTableEntry 20 }
|
|
|
|
caAclIPV6ACETcpFlagsMatchType OBJECT-TYPE
|
|
SYNTAX CaAclTcpFlagsMatch
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the type of matching to be done on the
|
|
TCP flags field."
|
|
::= { caAclIPV6ACECfgTableEntry 21 }
|
|
|
|
caAclIPV6ACELogOption OBJECT-TYPE
|
|
SYNTAX CaAclLogOption
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the value of the log option field to be
|
|
applied to packets that match this ACE entry."
|
|
::= { caAclIPV6ACECfgTableEntry 22 }
|
|
|
|
|
|
caAclIPV6ACECounterLabel OBJECT-TYPE
|
|
SYNTAX SnmpAdminString (SIZE (1..64))
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines the counter label name for this ACE.
|
|
ACEs that share the same counter label name will have their
|
|
hit counts aggregated into the same counter label name."
|
|
::= { caAclIPV6ACECfgTableEntry 23 }
|
|
|
|
caAclIPV6ACERemark OBJECT-TYPE
|
|
SYNTAX SnmpAdminString (SIZE (1..100))
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object defines a comment in the ACL. It helps the user
|
|
to define some meaningful comment to identify the ACE
|
|
quickly, or to know the purpose of a set of ACEs.
|
|
This field is not used during packet matching."
|
|
::= { caAclIPV6ACECfgTableEntry 24 }
|
|
|
|
caAclIPV6ACERowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object is used to create, modify, or delete an entry
|
|
in the caAclIPV6ACLTable.
|
|
|
|
A row can be created using the 'CreateAndGo' option. When the
|
|
row is successfully created, the RowStatus will be set to
|
|
active by the agent.
|
|
|
|
A row may be deleted by setting the RowStatus for 'destroy'.
|
|
|
|
The minimum objects required to delete a row in this table
|
|
is simply the sequence number (caAclIPV6ACESequenceNumber)."
|
|
::= { caAclIPV6ACECfgTableEntry 25 }
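The match rules spread across the caAclIPV6ACECfgTable descriptions above (prefix-length matching, the noOperator(1) and range(5) port operators, TCP flag value and mask, and per-label hit aggregation) as one runnable reference evaluator; this is an added example, not Cisco's code or part of the MIB. The IPv6Ace class, the packet dict layout, the "match all" reading of CaAclTcpFlagsMatch (whose codes are not shown in this section) and the constructed WEB_ACL are assumptions; protocol numbers are IANA values.

```python
# Added example (not Cisco code): evaluator for the IPv6 ACE match semantics.
import ipaddress
from dataclasses import dataclass

# CaAclPortOperator codes named in this section; codes not shown here are
# rejected rather than guessed.  PORT_PROTOCOLS holds the IANA numbers of the
# protocols the MIB says carry port fields: ICMP, IGMP, TCP, UDP, ICMPv6, SCTP.
NO_OPERATOR, RANGE = 1, 5
PORT_PROTOCOLS = {1, 2, 6, 17, 58, 132}

def addr_matches(pkt_addr: str, ace_addr: str, prefix_len: int) -> bool:
    """0::0 with prefix length 0 matches any address; prefix length 0 with a
    non-zero address demands an exact match; otherwise only the leading
    prefix_len bits are compared (so 128 is also an exact match)."""
    pkt, ace = (int(ipaddress.IPv6Address(a)) for a in (pkt_addr, ace_addr))
    if prefix_len == 0:
        return ace == 0 or pkt == ace
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return (pkt & mask) == (ace & mask)

def port_matches(port: int, op: int, lower: int, upper: int, proto: int) -> bool:
    """noOperator(1) compares nothing; range(5) needs both bounds, inclusive."""
    if op == NO_OPERATOR:
        return True
    if proto not in PORT_PROTOCOLS:
        raise ValueError("port operator set on a protocol without port fields")
    if op == RANGE:
        return lower <= port <= upper
    raise ValueError(f"CaAclPortOperator {op} is not covered by this section")

def tcp_flags_match(flags: int, value: int, mask: int) -> bool:
    """ASSUMED 'match all' reading of CaAclTcpFlagsMatch (its codes are not
    shown here): the masked packet flags must equal the masked value."""
    return (flags & mask) == (value & mask)

@dataclass
class IPv6Ace:                        # one caAclIPV6ACECfgTable row (assumed)
    action: str                       # "permit" or "deny"
    protocol: int                     # caAclIPV6ACEProtocol as an IANA number
    src: str = "::"; src_plen: int = 0; dst: str = "::"; dst_plen: int = 0
    src_op: int = NO_OPERATOR; src_port: int = 0; src_port_upper: int = 0
    dst_op: int = NO_OPERATOR; dst_port: int = 0; dst_port_upper: int = 0
    tcp_value: int = 0; tcp_mask: int = 0
    counter_label: str = ""           # caAclIPV6ACECounterLabel

def ace_matches(ace: IPv6Ace, pkt: dict) -> bool:
    """pkt keys: protocol, src, dst and, where present, sport, dport, tcp_flags."""
    return (ace.protocol == pkt["protocol"]
            and addr_matches(pkt["src"], ace.src, ace.src_plen)
            and addr_matches(pkt["dst"], ace.dst, ace.dst_plen)
            and port_matches(pkt.get("sport", 0), ace.src_op, ace.src_port,
                             ace.src_port_upper, ace.protocol)
            and port_matches(pkt.get("dport", 0), ace.dst_op, ace.dst_port,
                             ace.dst_port_upper, ace.protocol)
            and tcp_flags_match(pkt.get("tcp_flags", 0), ace.tcp_value,
                                ace.tcp_mask))

def evaluate(acl: list, pkt: dict, hits: dict) -> str:
    """First matching ACE decides; no match is an implicit deny.  Hits are
    aggregated per counter label, as caAclLabelIntfStatsTable does."""
    for ace in acl:
        if ace_matches(ace, pkt):
            if ace.counter_label:
                hits[ace.counter_label] = hits.get(ace.counter_label, 0) + 1
            return ace.action
    return "deny"

# Constructed ACL: SYN-only TCP from 2001:db8::/32 to ports 80-443 is permitted
# and counted under "web"; every other TCP packet is denied and counted too.
WEB_ACL = [
    IPv6Ace("permit", 6, "2001:db8::", 32, dst_op=RANGE, dst_port=80,
            dst_port_upper=443, tcp_value=0x02, tcp_mask=0x12, counter_label="web"),
    IPv6Ace("deny", 6, counter_label="other-tcp"),
]
```

Feeding packets decoded from a capture through evaluate() lets you compare the resulting per-label counts with caAclIntfStatsPackets for the same interface and direction.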

-- ********************************************************************
-- IP access group entry configuration table                          *
-- ********************************************************************

caAclAccessGroupCfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclAccessGroupCfgEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the ACLs configured on the device and
        applied on an interface in the ingress or egress direction."
    ::= { caAclConfiguration 4 }

caAclAccessGroupCfgEntry OBJECT-TYPE
    SYNTAX          CaAclAccessGroupCfgEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry describes an ACL configured on the device and
        applied to an interface."
    INDEX           {
                        ifIndex,
                        caAclAccessGroupCfgAddressType,
                        caAclAccessGroupDirection,
                        caAclAccessGroupSequenceNumber
                    }
    ::= { caAclAccessGroupCfgTable 1 }

CaAclAccessGroupCfgEntry ::= SEQUENCE {
        caAclAccessGroupACL             CaAclACLIndex,
        caAclAccessGroupCfgAddressType  InetAddressType,
        caAclAccessGroupDirection       CaAclTrafficDirection,
        caAclAccessGroupSequenceNumber  CaAclSequenceNumber,
        caAclAccessGroupRowStatus       RowStatus
}

caAclAccessGroupACL OBJECT-TYPE
    SYNTAX          CaAclACLIndex
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The name of the ACL associated with this entry."
    ::= { caAclAccessGroupCfgEntry 1 }

caAclAccessGroupCfgAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry describes the address family of the access group
        being applied on the interface."
    ::= { caAclAccessGroupCfgEntry 2 }

caAclAccessGroupDirection OBJECT-TYPE
    SYNTAX          CaAclTrafficDirection
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object defines the direction in which the ACL is
        applied."
    ::= { caAclAccessGroupCfgEntry 3 }

caAclAccessGroupSequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies the order in which access
        groups are applied to an interface. It can be used by platforms
        that support applying more than one access list per address
        family per direction.
        For example:
        interface GigabitEthernet 0/0
          ipv4 access-group ACL1 ACL2 ACL2 ingress
        !
        "
    ::= { caAclAccessGroupCfgEntry 4 }

caAclAccessGroupRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry in
        the caAclAccessGroupCfgTable.
        A row can be created using the 'createAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent. Once a row becomes active, values in
        any other column within the row cannot be modified.

        A row may be deleted by setting the RowStatus to 'destroy'."
    ::= { caAclAccessGroupCfgEntry 5 }

-- ********************************************************************
-- Label interface statistics table                                   *
-- ********************************************************************

caAclLabelIntfStatsTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclLabelIntfStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table describes the statistics for all ACEs with assigned
        counter labels, attached to interfaces on the device.

        An entry in this table is created when an ACL containing an ACE
        that references the specified counter label name is applied to
        an interface.

        An entry in this table is deleted when an ACL containing an ACE
        that references the specified counter label name is removed
        from an interface."
    ::= { caAclStats 1 }

caAclLabelIntfStatsEntry OBJECT-TYPE
    SYNTAX          CaAclLabelIntfStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry in this table provides the aggregated counters for
        all ACEs applied on the given interface/direction that have
        been assigned the same counter label."
    INDEX           {
                        ifIndex,
                        caAclAccessGroupCfgAddressType,
                        caAclAccessGroupDirection,
                        caAclIntfStatsCounterLabelName
                    }
    ::= { caAclLabelIntfStatsTable 1 }

CaAclLabelIntfStatsEntry ::= SEQUENCE {
        caAclIntfStatsCounterLabelName  SnmpAdminString,
        caAclIntfStatsPackets           Counter64,
        caAclIntfStatsOctets            Counter64
}

caAclIntfStatsCounterLabelName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The counter label index associated with this set of
        statistics."
    ::= { caAclLabelIntfStatsEntry 1 }

caAclIntfStatsPackets OBJECT-TYPE
    SYNTAX          Counter64
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The total number of packets that match this counter label."
    ::= { caAclLabelIntfStatsEntry 2 }

caAclIntfStatsOctets OBJECT-TYPE
    SYNTAX          Counter64
    UNITS           "bytes"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The total number of octets that match this counter label."
    ::= { caAclLabelIntfStatsEntry 3 }

-- ********************************************************************
-- Units of Conformance
-- ********************************************************************

caAclMIBCfgGroup OBJECT-GROUP
    OBJECTS         {
                        caAclName,
                        caAclRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group contains objects describing ACLs."
    ::= { caAclMIBCfgGroups 1 }

caAclIPV4ACLMIBACEGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIPV4ACEAction,
                        caAclIPV4ACEProtocol,
                        caAclIPV4ACESourceAddress,
                        caAclIPV4ACESourceWildCardMask,
                        caAclIPV4ACESourceNetworkGroup,
                        caAclIPV4ACESourcePortOperator,
                        caAclIPV4ACESourcePort,
                        caAclIPV4ACESourcePortUpper,
                        caAclIPV4ACESourcePortGroup,
                        caAclIPV4ACEDestinationAddress,
                        caAclIPV4ACEDestinationWildCardMask,
                        caAclIPV4ACEDestinationNetworkGroup,
                        caAclIPV4ACEDestinationPortOperator,
                        caAclIPV4ACEDestinationPort,
                        caAclIPV4ACEDestinationPortUpper,
                        caAclIPV4ACEDestinationPortGroup,
                        caAclIPV4ACEDscpValue,
                        caAclIPV4ACETcpFlagsValue,
                        caAclIPV4ACETcpFlagsMask,
                        caAclIPV4ACETcpFlagsMatchType,
                        caAclIPV4ACETosValue,
                        caAclIPV4ACEPrecedenceValue,
                        caAclIPV4ACELogOption,
                        caAclIPV4ACECounterLabel,
                        caAclIPV4ACERemark,
                        caAclIPV4ACERowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group is a collection of objects providing the IPV4 ACE
        feature."
    ::= { caAclMIBCfgGroups 2 }

caAclIPV6ACLMIBACEGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIPV6ACEAction,
                        caAclIPV6ACEProtocol,
                        caAclIPV6ACESourceAddress,
                        caAclIPV6ACESourcePrefixLength,
                        caAclIPV6ACESourceNetworkGroup,
                        caAclIPV6ACESourcePortOperator,
                        caAclIPV6ACESourcePort,
                        caAclIPV6ACESourcePortUpper,
                        caAclIPV6ACESourcePortGroup,
                        caAclIPV6ACEDestinationAddress,
                        caAclIPV6ACEDestinationPrefixLength,
                        caAclIPV6ACEDestinationNetworkGroup,
                        caAclIPV6ACEDestinationPortOperator,
                        caAclIPV6ACEDestinationPort,
                        caAclIPV6ACEDestinationPortUpper,
                        caAclIPV6ACEDestinationPortGroup,
                        caAclIPV6ACETcpFlagsValue,
                        caAclIPV6ACETcpFlagsMask,
                        caAclIPV6ACETcpFlagsMatchType,
                        caAclIPV6ACETrafficClassValue,
                        caAclIPV6ACELogOption,
                        caAclIPV6ACECounterLabel,
                        caAclIPV6ACERemark,
                        caAclIPV6ACERowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group is a collection of objects providing the IPV6 ACE
        feature."
    ::= { caAclMIBCfgGroups 3 }

caAclMIBAccessGroupCfgGroup OBJECT-GROUP
    OBJECTS         {
                        caAclAccessGroupACL,
                        caAclAccessGroupRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the objects describing the access group
        configuration."
    ::= { caAclMIBCfgGroups 4 }

caAclMIBCounterGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIntfStatsPackets,
                        caAclIntfStatsOctets
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the objects describing the ACE
        counter label."
    ::= { caAclMIBCfgGroups 5 }

caAclMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "This compliance statement specifies the minimal requirements
        that an implementation must meet in order to claim full
        compliance with the definitions of the C-ACL-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        caAclMIBCfgGroup
                    }

    GROUP           caAclMIBAccessGroupCfgGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support filtering IPV4 and/or IPV6 packets."

    GROUP           caAclIPV4ACLMIBACEGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support IPV4 ACLs."

    GROUP           caAclIPV6ACLMIBACEGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support IPV6 ACLs."

    GROUP           caAclMIBCounterGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support gathering ACL counter statistics."

    OBJECT          caAclName
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclRowStatus
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEProtocol
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACESourceAddress
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACESourceWildCardMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACESourceNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACESourcePortOperator
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACESourcePort
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACESourcePortUpper
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACESourcePortGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationAddress
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationWildCardMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationPortOperator
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationPort
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationPortUpper
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEDestinationPortGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEDscpValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACETcpFlagsValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACETcpFlagsMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACETcpFlagsMatchType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACETosValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACEPrecedenceValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACELogOption
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACECounterLabel
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACERemark
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV4ACERowStatus
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEProtocol
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACESourceAddress
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePrefixLength
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACESourceNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePortOperator
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePort
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePortUpper
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACESourcePortGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationAddress
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPrefixLength
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPortOperator
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPort
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPortUpper
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACEDestinationPortGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACETrafficClassValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACETcpFlagsValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACETcpFlagsMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACETcpFlagsMatchType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACELogOption
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACECounterLabel
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACERemark
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclIPV6ACERowStatus
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclAccessGroupACL
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    OBJECT          caAclAccessGroupRowStatus
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    ::= { caAclMIBACECompliances 1 }

END