MrMeeb/snmp_mib_archive
1
0
Fork 0
mirror of https://github.com/hsnodgrass/snmp_mib_archive.git synced 2025-04-17 16:03:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
snmp_mib_archive/CISCO-IPSEC-POLICY-MAP-MIB.my
Heston Snodgrass 89bf4b016e initial commit
2016-12-15 15:03:18 -07:00

380 lines
12 KiB
Plaintext
Raw Blame History

--
-- * $Source$
-- *------------------------------------------------------------------
-- *
-- CISCO-IPSEC-POLICY-MAP-MIB.my: IPSec Tunnel-to-Policy
-- Mapping MIB.
--
-- * April 2000, S Ramakrishnan
-- *
-- * Copyright (c) 2000 by cisco Systems, Inc.
-- * All rights reserved.
-- *
-- *------------------------------------------------------------------
CISCO-IPSEC-POLICY-MAP-MIB DEFINITIONS ::= BEGIN
-- PREFACE:
-- CISCO-IPSEC-POLICY-MAP-MIB Module is an enterprise
-- specific appendage to the IPSEC-MONITOR-MIB
-- that has been proposed to IETF. The only function
-- of this MIB is to map the dynamically instantiated
-- protocol structures (tunnels, SAs) to the policy
-- entities that gave rise to them (policy definitions,
-- cryptomaps, transforms etc).
-- RELATIONSHIP TO COMMAND LINE INTERFACE (CLI):
-- Information contained in all the MIB elements
-- defined in this module are affected by CLI
-- operations, EXCEPT where it is explicitly noted
-- to the contrary.
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Integer32
FROM SNMPv2-SMI
DisplayString
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
ciscoMgmt
FROM CISCO-SMI;
ciscoIpSecPolMapMIB MODULE-IDENTITY
LAST-UPDATED "200008171257Z"
ORGANIZATION "Tivoli Systems and Cisco Systems"
CONTACT-INFO
"Tivoli Systems
Research Triangle Park, NC
Cisco Systems
Enterprise Business Management Unit
Postal: 170 W Tasman Drive
San Jose, CA 95134
USA
Tel: +1 800 553-NETS
E-mail: cs-ipsecurity@cisco.com"
DESCRIPTION
"The MIB module maps the IPSec
entities created dynamically to the policy entities
that caused them. This is an appendix to the
IPSEC-MONITOR-MIB that has been proposed to
IETF for monitoring IPSec based Virtual Private
Networks.
Overview of Cisco IPsec Policy Map MIB
MIB description
There are two components to this MIB:
#1 a table that maps an IPSec Phase-1
tunnel to the Internet Security Association
and Key Exchange (ISAKMP) Policy
and
#2 a table that maps an IPSec Phase-2
tunnel to the corresponding IPSec Policy
element - called 'cryptomaps' - in IOS
(Internet Operating System)
The first mappin (also called Internet Key Exchange
or IKE mapping) yields, given the index of
the IKE tunnel in the ikeTunnelTable
(IPSEC-MONITOR-MIB), the ISAKMP policy definition
defined using the CLI on the managed entity.
The IPSec mapping yields, given the index
of the IPSec tunnel in the ipSecTunnelTable
(IPSEC-MONITOR-MIB), the IPSec transform and
the cryptomap definition that gave rise to
this tunnel.
In implementation and usage, this MIB cannot
exist independent of the IPSEC-MONITOR-MIB. "
::= { ciscoMgmt 172 }
-- Root under ciscoMgmt currently is tentative
-- IPSec Policy Map MIB Object Groups
--
-- This MIB module contains the following groups:
-- 1) IPSec Policy Map Group
-- (a) IPSec Phase-1 Policy Map Group
-- (b) IPSec Phase-1 Policy Map Group
-- 2) IPSec Policy Map Notifications Group (empty)
-- 3) IPSec Policy Map Conformance Group
ciscoIpSecPolMapMIBObjects OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIB 1}
ciscoIpSecPolMapMIBNotifPrefix OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIB 2}
ciscoIpSecPolMapMIBConformance OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIB 3}
ipSecPhaseOnePolMap OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIBObjects 1}
ipSecPhaseTwoPolMap OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIBObjects 2}
--
-- The IPSec Phase-1 Policy Map Table
--
ikePolMapTable OBJECT-TYPE
SYNTAX SEQUENCE OF IkePolMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The IPSec Phase-1 Internet Key Exchange Tunnel
to Policy Mapping Table. There is one entry in
this table for each active IPSec Phase-1
Tunnel."
::= { ipSecPhaseOnePolMap 1 }
ikePolMapEntry OBJECT-TYPE
SYNTAX IkePolMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry contains the attributes associated
with mapping an active IPSec Phase-1 IKE Tunnel
to it's configured Policy definition."
INDEX { ikePolMapTunIndex }
::= { ikePolMapTable 1}
IkePolMapEntry ::= SEQUENCE {
ikePolMapTunIndex Integer32,
ikePolMapPolicyNum Integer32
}
ikePolMapTunIndex OBJECT-TYPE
SYNTAX Integer32(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index of the IPSec Phase-1 Tunnel to Policy
Map Table. The value of the index is the number
used to represent this IPSec Phase-1 Tunnel in
the IPSec MIB (ikeTunIndex in the
ikeTunnelTable)."
::= { ikePolMapEntry 1 }
ikePolMapPolicyNum OBJECT-TYPE
SYNTAX Integer32(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the locally defined ISAKMP policy
used to establish the IPSec IKE Phase-1 Tunnel.
This is the number which was used on the crypto
command. For example, if the configuration command
was:
==> crypto isakmp policy 15
then the value of this object would be 15.
If ISAKMP was not used to establish this tunnel,
then the value of this object will be zero."
::= { ikePolMapEntry 2 }
--
-- The IPSec Phase-2 Policy Map Table
--
ipSecPolMapTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecPolMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The IPSec Phase-2 Tunnel to Policy Mapping Table.
There is one entry in this table for each active
IPSec Phase-2 Tunnel."
::= { ipSecPhaseTwoPolMap 1 }
ipSecPolMapEntry OBJECT-TYPE
SYNTAX IpSecPolMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry contains the attributes associated
with mapping an active IPSec Phase-2 Tunnel
to its configured Policy definition."
INDEX { ipSecPolMapTunIndex }
::= { ipSecPolMapTable 1}
IpSecPolMapEntry ::= SEQUENCE {
ipSecPolMapTunIndex Integer32,
ipSecPolMapCryptoMapName DisplayString,
ipSecPolMapCryptoMapNum Integer32,
ipSecPolMapAclString DisplayString,
ipSecPolMapAceString DisplayString
}
ipSecPolMapTunIndex OBJECT-TYPE
SYNTAX Integer32(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index of the IPSec Phase-2 Tunnel to Policy
Map Table. The value of the index is the number
used to represent this IPSec Phase-2 Tunnel in
the IPSec MIB (ipSecTunIndex in the
ipSecTunnelTable)."
::= { ipSecPolMapEntry 1 }
ipSecPolMapCryptoMapName OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of this object should be the name of
the IPSec Policy (cryptomap) as assigned by the
operator while configuring the policy of
the IPSec traffic.
For instance, on an IOS router, the if the command
entered to configure the IPSec policy was
==> crypto map ftpPolicy 10 ipsec-isakmp
then the value of this object would be 'ftpPolicy'."
::= { ipSecPolMapEntry 2 }
ipSecPolMapCryptoMapNum OBJECT-TYPE
SYNTAX Integer32(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of this object should be the priority
of the IPSec Policy (cryptomap) assigned by the
operator while configuring the policy of
this IPSec tunnel.
For instance, on an IOS router, the if the command
entered to configure the IPSec policy was
==> crypto map ftpPolicy 10 ipsec-isakmp
then the value of this object would be 10."
::= { ipSecPolMapEntry 3 }
ipSecPolMapAclString OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of this object is the number or
the name of the access control string (ACL)
that caused this IPSec tunnel to be established.
The ACL that causes an IPSec tunnel
to be established is referenced by the
cryptomap of the tunnel.
The ACL identifies the traffic that requires
protection as defined by the policy.
For instance, the ACL that requires FTP
traffic between local subnet 172.16.14.0 and a
remote subnet 172.16.16.0 to be protected
is defined as
==>access-list 101 permit tcp 172.16.14.0 0.0.0.255
172.16.16.0 0.0.0.255 eq ftp
When this command causes an IPSec tunnel to be
established, the object 'ipSecPolMapAclString'
assumes the string value '101'.
If the ACL is a named list such as
==> ip access-list standard myAcl
permit 172.16.16.8 0.0.0.0
then the value of this MIB element corresponding to
IPSec tunnel that was created by this ACL would
be 'myAcl'."
::= { ipSecPolMapEntry 4 }
ipSecPolMapAceString OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of this object is the access control
entry (ACE) within the ACL that caused this IPSec
tunnel to be established.
For instance, if an ACL defines access for two
traffic streams (FTP and SNMP) as follows:
access-list 101 permit tcp 172.16.14.0 0.0.0.255
172.16.16.0 0.0.0.255 eq ftp
access-list 101 permit udp 172.16.14.0 0.0.0.255
host 172.16.16.1 eq 161
When associated with an IPSec policy, the second
element of the ACL gives rise to an IPSec tunnel
in the wake of SNMP traffic. The value of the
object 'ipSecPolMapAceString' for the IPSec tunnel
would be then the string
'access-list 101 permit udp 172.16.14.0 0.0.0.255
host 172.16.16.1 eq 161'"
::= { ipSecPolMapEntry 5 }
--
-- Conformance Information
--
ipSecPolMapMIBGroups OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIBConformance 1}
ipSecPolMapMIBCompliances OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIBConformance 2}
--
-- Compliance Statements
--
ipSecPolMapMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities
for IP Security Protocol Tunnels to Policy
definition mappings."
MODULE -- this module
MANDATORY-GROUPS { ipSecPhaseOnePolMapGroup,
ipSecPhaseTwoPolMapGroup
}
::= { ipSecPolMapMIBCompliances 1 }
--
-- Units of Conformance
--
ipSecPhaseOnePolMapGroup OBJECT-GROUP
OBJECTS {
ikePolMapPolicyNum
}
STATUS current
DESCRIPTION
"This group consists of a:
1) IPSec Phase-1 Policy Map Table"
::= { ipSecPolMapMIBGroups 1 }
ipSecPhaseTwoPolMapGroup OBJECT-GROUP
OBJECTS {
ipSecPolMapCryptoMapName,
ipSecPolMapCryptoMapNum,
ipSecPolMapAclString,
ipSecPolMapAceString
}
STATUS current
DESCRIPTION
"This group consists of a:
1) IPSec Phase-2 Policy Map Table"
::= { ipSecPolMapMIBGroups 2 }
END
Reference in New Issue View Git Blame Copy Permalink