snmp_mib_archive/CISCO-IP-PROTOCOL-FILTER-MIB.my
Heston Snodgrass 89bf4b016e initial commit
2016-12-15 15:03:18 -07:00

-- *****************************************************************
-- CISCO-IP-PROTOCOL-FILTER-MIB.my: Cisco IP Protocol Filter MIB
-- file
--
-- June 2002, Francis Pang
--
-- Copyright (c) 2002 , 2005 by Cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************
--
CISCO-IP-PROTOCOL-FILTER-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
Integer32,
Unsigned32 ,
Counter64
FROM SNMPv2-SMI
MODULE-COMPLIANCE,
OBJECT-GROUP
FROM SNMPv2-CONF
InetAddressType,
InetAddress,
InetPortNumber
FROM INET-ADDRESS-MIB
RowStatus,
TruthValue,
TEXTUAL-CONVENTION
FROM SNMPv2-TC
ifIndex
FROM IF-MIB
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
SyslogSeverity
FROM CISCO-SYSLOG-MIB
CfgFilterGroupName
FROM CISCO-FILTER-GROUP-MIB
ciscoMgmt
FROM CISCO-SMI;
ciscoIpProtocolMIB MODULE-IDENTITY
LAST-UPDATED "200504200000Z"
ORGANIZATION "Cisco System Inc."
CONTACT-INFO
" Cisco Systems
Customer Service
Postal: 170 West Tasman Drive,
San Jose CA 95134-1706.
USA
Tel: +1 800 553-NETS
E-mail: cs-dot11@cisco.com"
DESCRIPTION
"The MIB module is for management of information
to support packet filtering on IP protocols.
The cippfIpProfileTable allows users to create,
delete, and get information about filter profiles.
Filter profiles are uniquely identified by the
profile names. Filter profiles can either be of
Simple or Extended usage types, and the usage type
cannot be changed once it has been created.
The cippfIfIpProfileTable applies the filtering
profiles to device interfaces running IP. A filter
profile can be applied to multiple interfaces.
The cippfIpFilterTable contains ordered lists of
IP filters for all the filtering profiles.
Filters and profiles are related if they are of
the same filter profile name. Filters can only
be created if their associated filter profiles
already exist in the cippfIpProfileTable.
Filters of the same profile name belong to a
common profile.
The cippfIfIpProfileTable can be configured with
information independent from the other. However,
if the name of a profile in the cippfIfIpProfileTable
matches that of any profile in the
cippfIpProfileTable and the profile name of any
filter entry in the cippfIpFilterTable, the profile
is 'active' and the filter entry is being applied
to IP traffic passing through the attached device
interfaces. Therefore, any change to the filters
in the cippfIpFilterTable or the profile itself in
the cippfIpProfileTable will affect all the
attached interfaces."
REVISION "200504200000Z"
DESCRIPTION
"- Added 'extendedIPv6' enumeration in
cippfIpProfileType.
- Added following enumerations in
cippfIfIpProfileDirection.
inboundIPv6 (3)
outboundIPv6 (4).
- Added following objects in cippfIpFilterTable:
cippfIpFilterSrcIPGroupName
cippfIpFilterDstIPGroupName
cippfIpFilterProtocolGroupName
cippfIpFilterSrcServiceGroupName
cippfIpFilterDstServiceGroupName
cippfIpFilterICMPGroupName.
- Added following tables
cippfIpFilterExtTable.
cippfIpFilterStatsTable."
REVISION "200306160000Z"
DESCRIPTION
"Added following objects to cippfIpFilterTable:
cippfIpFilterICMPType,cippfIpFilterEstablished,
cippfIpFilterFragments,cippfIpFilterICMPCode.
Updated the conformance statement."
REVISION "200207110000Z"
DESCRIPTION
"Initial version of this MIB module."
::= { ciscoMgmt 278 }
ciscoIpProtocolFilterMIBNotifs OBJECT IDENTIFIER
::= { ciscoIpProtocolMIB 0 }
ciscoIpProtocolFilterMIBObjects OBJECT IDENTIFIER
::= { ciscoIpProtocolMIB 1 }
ciscoIpProtocolFilterMIBConform OBJECT IDENTIFIER
::= { ciscoIpProtocolMIB 2 }
cippfIpFilterConfig OBJECT IDENTIFIER
::= { ciscoIpProtocolFilterMIBObjects 1 }
cippfIpFilterStats OBJECT IDENTIFIER
::= { ciscoIpProtocolFilterMIBObjects 2 }
-- Textual Conventions
CippfIpFilterProfileName ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Objects defined with this textual convention are
used to identify IP protocol filter profiles.
The object value shall be an alphanumeric string."
SYNTAX OCTET STRING (SIZE (1..64))
cippfIpProfileTable OBJECT-TYPE
SYNTAX SEQUENCE OF CippfIpProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all the existing IP protocol
filter profiles. These filter profiles contain
protocol filters used to filter IP traffic
through the device interfaces. The IP protocol
filters associated with these profiles are
defined in the cippfIpFilterTable.
For profiles to be associated with filters, the
object value of the cippfIpProfileName of a
profile must match that of the cippfIpProfileName
of a filter entry in the cippfIpFilterTable.
Filters of the same profile name belong to a
common filter profile and are of the same usage
type of the profile.
This table can only be used to create or delete
filter profiles. Deleting any profile in this
table will also delete all the associated filters
in the cippfIpFilterTable and cause the state of
the associated 'active' filter profile in the
cippfIfIpProfileTable to be changed to 'notReady'.
All of these deleted or changed entries are
associated by virtue of the same profile name."
::= { cippfIpFilterConfig 1 }
cippfIpProfileEntry OBJECT-TYPE
SYNTAX CippfIpProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry defines the type, state, and the last
object index assigned to a filter of the filter
profile."
INDEX { cippfIpProfileName }
::= { cippfIpProfileTable 1 }
CippfIpProfileEntry ::= SEQUENCE {
cippfIpProfileName CippfIpFilterProfileName,
cippfIpProfileType INTEGER,
cippfIpProfileLastFilterIndex
Unsigned32,
cippfIpProfileStatus RowStatus }
cippfIpProfileName OBJECT-TYPE
SYNTAX CippfIpFilterProfileName
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is the unique IP protocol filter profile
identifier. If this value is the same as the
cippfIpProfileName in the cippfIpFilterTable
and the cippfIfIpProfileName in
cippfIfIpFilterTable, they are all referring
to the same filter profile."
::= { cippfIpProfileEntry 1 }
cippfIpProfileType OBJECT-TYPE
SYNTAX INTEGER {
simple (1),
extended (2),
extendedIPv6 (3)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object determines the usage type of this filter
profile. This usage type cannot be changed after
the profile has been created.
The usage type simple(1) implies that the valid
objects of each filter entry in the profile in
the cippfIpFilterTable only include:
cippfIpFilterIndex,
cippfIpFilterOrderPosition,
cippfIpFilterAction,
cippfIpFilterAddressType,
cippfIpFilterSrcAddress,
cippfIpFilterSrcMask,
cippfIpFilterLogEnabled,
cippfIpFilterStatus.
This means that only the above objects will be
used to create the protocol filter, and all
other objects will be ignored during filter
creation.
The usage extended(2) implies that all objects
defined in the cippfIpFilterTable are valid
for any filter entry in the corresponding
profile.
The usage extendedIPv6(3) implies that this
is an IPv6 profile and all objects defined
in the cippfIpFilterTable are valid for any
filter entry in the corresponding profile."
DEFVAL { extended }
::= { cippfIpProfileEntry 2 }
cippfIpProfileLastFilterIndex OBJECT-TYPE
SYNTAX Unsigned32 (0..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This value is the same as the last
cippfIpFilterIndex value assigned to a filter of
this profile."
::= { cippfIpProfileEntry 3 }
cippfIpProfileStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object controls and reflects the status of rows
in this table. To create a filter profile of a
particular usage type, the NMS must do a multivarbind
set containing both cippfIpProfileStatus and
cippfIpProfileType.
Creation of rows must be done via 'createAndGo' for
all profiles. When the agent successfully creates the
filter profile, this object is set to 'active' by the
agent.
To delete a row, set this object value to 'destroy'."
::= { cippfIpProfileEntry 4 }
cippfIfIpProfileTable OBJECT-TYPE
SYNTAX SEQUENCE OF CippfIfIpProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all the IP protocol filter
profiles being applied to IP traffic on the
device interfaces. An IP protocol filter profile
can be shared by multiple interfaces. The filter
profiles are defined in the cippfIpProfileTable,
and filters of these profiles are defined in the
cippfIpFilterTable.
Protocol filter profiles and their associated
filters can be 'attached to' or 'removed from'
in-bound or out-bound interfaces. Both existing
and non-existing protocol filter profiles can be
'attached to' the interfaces. However, the
cippfIfIpProfileStatus will only become 'active'
if the filter profile exists in the
cippfIpProfileTable, and the filters will then
be applied to the IP traffic through the interface.
Modification of any filters associated with a
shared profile will affect all interfaces sharing
that profile.
Each interface can only be attached with one protocol
filter profile on the in-bound direction and one on
the out-bound direction."
::= { cippfIpFilterConfig 2 }
cippfIfIpProfileEntry OBJECT-TYPE
SYNTAX CippfIfIpProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry attaches an IP traffic filter profile
to a particular device interface and a specific
traffic direction. The interface can be of any
ifType supporting and running IP."
INDEX {
ifIndex,
cippfIfIpProfileDirection }
::= { cippfIfIpProfileTable 1 }
CippfIfIpProfileEntry ::= SEQUENCE {
cippfIfIpProfileDirection INTEGER,
cippfIfIpProfileName CippfIpFilterProfileName,
cippfIfIpProfileStatus RowStatus }
cippfIfIpProfileDirection OBJECT-TYPE
SYNTAX INTEGER {
inbound (1),
outbound (2),
inboundIPv6 (3),
outboundIPv6 (4)
}
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object determines whether this filter
profile is applied to inbound or outbound
traffic of a particular interface.
The possible value(s) are:
inbound - inbound traffic.
outbound - outbound traffic.
inboundIPv6 - IPv6 inbound traffic.
outboundIPv6 - IPv6 outbound traffic."
::= { cippfIfIpProfileEntry 1 }
cippfIfIpProfileName OBJECT-TYPE
SYNTAX CippfIpFilterProfileName
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This is the unique IP protocol filter profile
identifier. This value must be the same as one of
the existing cippfIpProfileName object values
in the cippfIpProfileTable for this profile and the
cippfIfIpProfileStatus of value 'createAndGo' to
become 'active'.
If this object value does not match any existing
cippfIpProfileName, an entry of this table
can only be created with cippfIfIpProfileStatus in
'createAndWait' state. The entry can only be made
'active' by the agent when the corresponding
cippfIpProfileName is added to the
cippfIpProfileTable."
::= { cippfIfIpProfileEntry 2 }
cippfIfIpProfileStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object controls and reflects the status of rows
in this table. To apply this filter profile or remove
this filter profile, the NMS must do a multivarbind
set containing both cippfIfIpProfileStatus and
cippfIfIpProfileName.
Creation of rows may be done via 'createAndGo' for
profiles that already exist in the cippfIpProfileTable,
and the filter profile will only be effective when this
object is set to 'active' by the agent.
Creation of rows may also be done via 'createAndWait'
for profiles that do not exist in the cippfIpProfileTable.
This object will be set by the agent to 'notReady', and
the filter profile will not participate in IP filtering.
This object will only be set to 'active' when there is
a corresponding 'active' profile in the
cippfIpProfileTable.
To remove a row, set this object value to 'destroy'."
::= { cippfIfIpProfileEntry 3 }
cippfIpFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF CippfIpFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains ordered lists of filters for
all the IP protocol filter profiles. The device traffic
filtering system applies filters of a filter profile
according to the filter order position. IP packets
matching any filter will be processed according to
the matching action specified by the filter or they
will be discarded if they do not match any filters.
Any IP packet through an interface can theoretically
match multiple filters or rows of this table of the
same filter profile. When applying a filter to a
packet, the cippfIfIpProfileTable is used to first
identify the filter profile to use, then this table
is scanned according to filter profile name and
filter order position. If the packet matches all
criteria for that row, the action defined in the
cippfIpFilterAction object of the row will be taken.
If the action for the matching filter is deny(1),
the packet is discarded and the processing is
completed. If the action for the matching filter is
permit(2), the packet is accepted and permitted to
be processed by the bridging or routing logic. If
the packet matches no filter in this table, the
packet is always treated as deny(1) and will be dropped.
To create a filter, the cippfIpProfileName must
already exist in the cippfIpProfileTable. No filter
can be created without an existing filter profile in the
cippfIpProfileTable. If the filter profile is
deleted from the cippfIpProfileTable, all the
associated filters in this table will also be
deleted."
::= { cippfIpFilterConfig 3 }
cippfIpFilterEntry OBJECT-TYPE
SYNTAX CippfIpFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry is an IP Protocol traffic filter within
an IP filter profile. Entries with the same
cippfIpProfileName belong to the same IP filter
profile."
INDEX {
cippfIpProfileName,
cippfIpFilterIndex }
::= { cippfIpFilterTable 1 }
CippfIpFilterEntry ::= SEQUENCE {
cippfIpFilterIndex Unsigned32,
cippfIpFilterOrderPosition Unsigned32,
cippfIpFilterAction INTEGER,
cippfIpFilterAddressType InetAddressType,
cippfIpFilterSrcAddress InetAddress,
cippfIpFilterSrcMask InetAddress,
cippfIpFilterDestAddress InetAddress,
cippfIpFilterDestMask InetAddress,
cippfIpFilterProtocol Integer32,
cippfIpFilterSrcPortLow InetPortNumber,
cippfIpFilterSrcPortHigh InetPortNumber,
cippfIpFilterDestPortLow InetPortNumber,
cippfIpFilterDestPortHigh InetPortNumber,
cippfIpFilterPrecedence INTEGER,
cippfIpFilterTos Integer32,
cippfIpFilterLogEnabled TruthValue,
cippfIpFilterStatus RowStatus,
cippfIpFilterICMPType Integer32,
cippfIpFilterTCPEstablished TruthValue,
cippfIpFilterFragments TruthValue,
cippfIpFilterICMPCode Integer32,
cippfIpFilterSrcIPGroupName CfgFilterGroupName,
cippfIpFilterDstIPGroupName CfgFilterGroupName,
cippfIpFilterProtocolGroupName CfgFilterGroupName,
cippfIpFilterSrcServiceGroupName CfgFilterGroupName,
cippfIpFilterDstServiceGroupName CfgFilterGroupName,
cippfIpFilterICMPGroupName CfgFilterGroupName
}
cippfIpFilterIndex OBJECT-TYPE
SYNTAX Unsigned32 (0..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This index uniquely identifies the IP protocol filters
within this table and among all filter profiles. When
a new filter is added and if this value is '0', the
filter will be appended as the last entry for the
corresponding profile in this table.
For any set operation, the cippfIpFilterIndex value
must match the index of an existing 'active' filter
for the set operation to be successful."
::= { cippfIpFilterEntry 1 }
cippfIpFilterOrderPosition OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used to order the IP protocol filters
within a filter profile. The filter with the lowest
order position number is applied first, that is
cippfIpFilterOrderPosition '1'. The order position
number among all filters of a profile is always
consecutive. The agent will automatically arrange
the order positions in a consecutive manner for the
filter entries within the profile after each addition
(when the created entry moves to 'active' state) and
modification or deletion (when the active entry moves
out from 'active' state) of any filter.
For example, if a new filter is added to an empty
profile with the cippfIpFilterOrderPosition '2',
the filter will actually be positioned to
cippfIpFilterOrderPosition '1' by the agent.
Moreover, if there are 3 filters in the profile
and their order positions are 1, 2, and 3, adding
a new filter with any cippfIpFilterOrderPosition
greater than '3' will produce the same effect. The
new filter will actually be in position '4' because
the agent maintains the filters in consecutive order.
When a filter is removed from a profile, the filters
following this filter will be moved forward and
their order position numbers decremented. For example,
if there are 6 filters in the profile and their
order positions are 1, 2, 3, 4, 5, 6, deleting
the filter of cippfIpFilterOrderPosition '4' will
cause the existing filters of
cippfIpFilterOrderPosition '5' and '6' to change
to '4' and '5' respectively.
When a filter is added to the order position of an
existing filter of the same profile, the existing
filter entry and all subsequent entries following it
will increment their cippfIpFilterOrderPosition.
This essentially moves the existing filters towards
the end of the filter profile.
For example, suppose there are 6 filters in the profile,
and their cippfIpFilterOrderPosition values are 1,
2, 3, 4, 5, 6. If the user would like to add a new
one and specifies '4' to be the
cippfIpFilterOrderPosition of the new filter, the
existing filters of cippfIpFilterOrderPosition
values 4, 5, 6 will become 5, 6, 7.
The cippfIpFilterOrderPosition value '0' is a
special number meaning to append the filter
after the last filter of the profile. Continuing with
our previous example, if another new filter is added
and the user specifies the cippfIpFilterOrderPosition
to be '0', the new filter will actually be created
with cippfIpFilterOrderPosition equal to 8.
Finally, moving a filter within a profile will have
the same effect as first deleting and then adding the
filter to the new position. For example, if the
filter of cippfIpFilterOrderPosition 2 is moved to 4,
the filters originally at the
cippfIpFilterOrderPosition 3 and 4 will be moved
forward to 2 and 3 respectively and filters of all
other cippfIpFilterOrderPosition values will remain
unchanged."
DEFVAL { 0 }
::= { cippfIpFilterEntry 2 }
cippfIpFilterAction OBJECT-TYPE
SYNTAX INTEGER {
deny(1),
permit(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If it is set to deny(1), all packets matching
this filter will be discarded and scanning of the
remainder of the filter list will be aborted. If
it is set to permit(2), all packets matching this
filter will be allowed for further bridging or
routing processing."
DEFVAL { deny }
::= { cippfIpFilterEntry 3 }
cippfIpFilterAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This is the IP address type for the
cippfIpFilterSrcAddress, cippfIpFilterSrcMask,
cippfIpFilterDestAddress, and cippfIpFilterDestMask."
::= { cippfIpFilterEntry 4 }
cippfIpFilterSrcAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The source IP address to be matched for this filter.
A value of zero causes all source addresses to match.
The object value has to be consistent with the type
specified in cippfIpFilterAddressType."
DEFVAL { "0" }
::= { cippfIpFilterEntry 5 }
cippfIpFilterSrcMask OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This is the wildcard mask for the
cippfIpFilterSrcAddress bits that must match. 0 bits
in the mask indicate the corresponding bits in the
cippfIpFilterSrcAddress must match in order for the
matching to be successful, and 1 bits are don't care
bits in the matching. A value of zero causes only IP
packets of source address the same as
cippfIpFilterSrcAddress to match. This object value
has to be consistent with the type specified in
cippfIpFilterAddressType."
DEFVAL { 'ffffffff'H } -- 255.255.255.255
::= { cippfIpFilterEntry 6 }
cippfIpFilterDestAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The destination IP address to be matched for this
filter. A value of zero causes all destination addresses
to match. The object value has to be consistent
with the type specified in cippfIpFilterAddressType."
DEFVAL { "0" }
::= { cippfIpFilterEntry 7 }
cippfIpFilterDestMask OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This is the wildcard mask for the
cippfIpFilterDestAddress bits that must match. 0
bits in the mask indicate the corresponding bits
in the cippfIpFilterDestAddress must match in order
for the matching to be successful, and 1 bits are
don't care bits in the matching. A value of zero
causes only IP packets of destination address the same as
cippfIpFilterDestAddress to match. This object value
has to be consistent with the type specified in
cippfIpFilterAddressType."
DEFVAL { 'ffffffff'H } -- 255.255.255.255
::= { cippfIpFilterEntry 8 }
cippfIpFilterProtocol OBJECT-TYPE
SYNTAX Integer32 (-1..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This filter protocol object matches the Internet
Protocol Number in the packets. These IP numbers
are defined in the Network Working Group Request
for Comments (RFC) documents. For example,
protocols commonly used by Cisco include:
1 - Internet Control Message Protocol
2 - Internet Gateway Message Protocol
4 - IP in IP tunneling
6 - Transmission Control Protocol
9 - Cisco's IGRP routing protocol
17 - User Datagram Protocol
47 - Cisco's GRE tunneling
50 - Encapsulation Security Payload
51 - Authentication Header Protocol
88 - Cisco's EIGRP routing protocol
89 - OSPF routing protocol
94 - KA9Q NOS compatible IP over IP tunneling
103 - Protocol Independent Multicast
108 - Payload Compression Protocol
Setting this object to '-1' will make the
filtering match any IP number."
REFERENCE
"RFC-790, ASSIGNED NUMBERS, September 1981, Section
ASSIGNED INTERNET PROTOCOL NUMBERS."
DEFVAL { -1 }
::= { cippfIpFilterEntry 9 }
cippfIpFilterSrcPortLow OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If cippfIpFilterProtocol is udp or tcp, this is
the inclusive lower bound of the transport-layer
source port range that is to be matched, otherwise
it is ignored during matching. This value must be
equal to or less than the value specified for this
entry in cippfIpFilterSrcPortHigh."
DEFVAL { 0 }
::= { cippfIpFilterEntry 10 }
cippfIpFilterSrcPortHigh OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If cippfIpFilterProtocol is udp or tcp, this is
the inclusive upper bound of the transport-layer
source port range that is to be matched, otherwise
it is ignored during matching. This value must be
equal to or greater than the value specified for
this entry in cippfIpFilterSrcPortLow. If this
value is '0', the udp or tcp port number is
ignored during matching."
DEFVAL { 65535 }
::= { cippfIpFilterEntry 11 }
cippfIpFilterDestPortLow OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If cippfIpFilterProtocol is udp or tcp, this is
the inclusive lower bound of the transport-layer
destination port range that is to be matched,
otherwise it is ignored during matching. This
value must be equal to or less than the value
specified for this entry in
cippfIpFilterDestPortHigh."
DEFVAL { 0 }
::= { cippfIpFilterEntry 12 }
cippfIpFilterDestPortHigh OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If cippfIpFilterProtocol is udp or tcp, this is
the inclusive upper bound of the transport-layer
destination port range that is to be matched,
otherwise it is ignored during matching. This
value must be equal to or greater than the value
specified for this entry in
cippfIpFilterDestPortLow. If this value is '0',
the udp or tcp port number is ignored during
matching."
DEFVAL { 65535 }
::= { cippfIpFilterEntry 13 }
cippfIpFilterPrecedence OBJECT-TYPE
SYNTAX INTEGER {
any(-1),
routine(0),
priority(1),
immediate(2),
flash(3),
flashOverride(4),
critical(5),
internet(6),
network(7) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The IP traffic precedence parameters in each packet
are used to guide the selection of the actual
service parameters when transmitting a datagram
through a particular network. Most networks treat
high precedence traffic as more important than other
traffic. The IP Precedence value ranges from '0' to
'7', with '7' the highest precedence and '0' the
lowest precedence.
This object sets criteria for matching the IP packet
precedence parameter. The object value '-1' means to
match packets of any IP precedence. In other words,
the IP precedence parameter will not be checked if
this object is '-1'. The precedence levels are:
routine(0) - Routine traffic precedence
priority(1) - Priority traffic precedence
immediate(2) - Immediate traffic precedence
flash(3) - Flash traffic precedence
flashOverride(4) - Flash-override traffic
precedence
critical(5) - Critical precedence
internet(6) - Internetwork control traffic
precedence
network(7) - Network control traffic precedence."
REFERENCE
"RFC-791, INTERNET PROTOCOL DARPA INTERNET PROGRAM
PROTOCOL SPECIFICATION, September 1981, Section 3.1,
Internet Header Format."
DEFVAL { any }
::= { cippfIpFilterEntry 14 }
cippfIpFilterTos OBJECT-TYPE
SYNTAX Integer32 (-1..15)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This is the value to match to the Type of
Service (TOS) of the packet. The TOS value
ranges from '0' to '15'. The value '-1' matches
any TOS value."
DEFVAL { -1 }
::= { cippfIpFilterEntry 15 }
cippfIpFilterLogEnabled OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies whether filtered packets
will be logged by the filtering subsystem or not.
If it is true(1), then all packets will be logged.
If it is false(2), then no packet will be logged."
DEFVAL { false }
::= { cippfIpFilterEntry 16 }
cippfIpFilterStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object controls and reflects the status of
rows in this table. Creation of rows must be done
via 'createAndGo' and this object will become 'active'
if the NMS performs a multivarbind set containing
this object and the cippfIpFilterOrderPosition. The
default matching action of a new filter is deny(1).
Any object in a row can be modified any time when
the row is in the 'active' state.
Removal of a row can be done via setting this
object to 'destroy'."
::= { cippfIpFilterEntry 17 }
cippfIpFilterICMPType OBJECT-TYPE
SYNTAX Integer32 (-1..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This filter specifies the ICMP message type to be
matched. Setting this object to '-1' will make the
filtering match any ICMP message type."
REFERENCE
"RFC-792 INTERNET CONTROL MESSAGE PROTOCOL"
DEFVAL { -1 }
::= { cippfIpFilterEntry 18 }
cippfIpFilterTCPEstablished OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This filter, if 'true', specifies that for the TCP protocol,
in an established connection, a match occurs if the TCP
datagram has the ACK, FIN, PSH, RST, SYN or URG control
bits set. If 'false', a match will occur for any TCP
datagram."
DEFVAL {false}
::= { cippfIpFilterEntry 19 }
cippfIpFilterFragments OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If 'true', this filter applies only to the second
and further fragments of fragmented packets.
If 'false', the filter will only match head
fragments or unfragmented packets.
Note: Second and subsequent fragments do not contain
source or destination port information and therefore
cannot be filtered on that basis."
DEFVAL {false}
::= { cippfIpFilterEntry 20 }
cippfIpFilterICMPCode OBJECT-TYPE
SYNTAX Integer32 (-1..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This filter specifies the ICMP message code to be
matched. Setting this object to '-1' will make the
filtering match any ICMP code."
REFERENCE
"RFC-792 INTERNET CONTROL MESSAGE PROTOCOL"
DEFVAL { -1 }
::= { cippfIpFilterEntry 21 }
cippfIpFilterSrcIPGroupName OBJECT-TYPE
SYNTAX CfgFilterGroupName
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object identifies the filter group
containing information about source IP
addresses and masks that need to be matched
for this filter. This value must match an entry
in cfgFilterGroupTable whose cfgFilterGroupType
value is set to 'network' and must match an entry
in cfgFilterNetworkGroupTable.
This object cannot be set if any of the following
objects are set:
cippfIpFilterSrcAddress
cippfIpFilterSrcMask.
This object is not instantiated if not applicable."
REFERENCE
"Refer to the following tables in CISCO-FILTER-GROUP-MIB:
cfgFilterGroupTable
cfgFilterNetworkGroupTable."
DEFVAL { "" }
::= { cippfIpFilterEntry 22 }
cippfIpFilterDstIPGroupName OBJECT-TYPE
SYNTAX CfgFilterGroupName
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object identifies the filter group
containing information about destination IP
addresses and masks that need to be matched
for this filter. This value must match an entry
in cfgFilterGroupTable whose cfgFilterGroupType
value is set to 'network' and must match an entry
in cfgFilterNetworkGroupTable.
This object cannot be set if any of the following
objects are set:
cippfIpFilterDestAddress
cippfIpFilterDestMask.
This object is not instantiated if not applicable."
REFERENCE
"Refer to the following tables in CISCO-FILTER-GROUP-MIB:
cfgFilterGroupTable
cfgFilterNetworkGroupTable."
DEFVAL { "" }
::= { cippfIpFilterEntry 23 }
cippfIpFilterProtocolGroupName OBJECT-TYPE
SYNTAX CfgFilterGroupName
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object identifies the filter group
containing information about internet protocol
numbers. This value must match an entry
in cfgFilterGroupTable whose cfgFilterGroupType
value is set to 'service' and must match an entry
in cfgFilterServiceGroupTable.
This object cannot be set if any of the following
objects are set:
cippfIpFilterProtocol.
This object is not instantiated if not applicable."
REFERENCE
"Refer to the following tables in CISCO-FILTER-GROUP-MIB:
cfgFilterGroupTable
cfgFilterProtocolGroupTable."
DEFVAL { "" }
::= { cippfIpFilterEntry 24 }
cippfIpFilterSrcServiceGroupName OBJECT-TYPE
SYNTAX CfgFilterGroupName
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object identifies the filter group
containing information about port (TCP/UDP)
numbers. This value must match an entry
in cfgFilterGroupTable whose cfgFilterGroupType
value is set to 'service' and must match an entry
in cfgFilterServiceGroupTable.
This object cannot be set if any of the following
objects are set:
cippfIpFilterSrcPortLow
cippfIpFilterSrcPortHigh.
This object is not instantiated if not applicable."
REFERENCE
"Refer to the following tables in CISCO-FILTER-GROUP-MIB:
cfgFilterGroupTable
cfgFilterServiceGroupTable."
DEFVAL { "" }
::= { cippfIpFilterEntry 25 }
cippfIpFilterDstServiceGroupName OBJECT-TYPE
SYNTAX CfgFilterGroupName
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object identifies the filter group
containing information about port (TCP/UDP)
numbers. This value must match an entry
in cfgFilterGroupTable whose cfgFilterGroupType
value is set to 'service' and must match an entry
in cfgFilterServiceGroupTable.
This object cannot be set if any of the following
objects are set:
cippfIpFilterDestPortLow
cippfIpFilterDestPortHigh.
This object is not instantiated if not applicable."
REFERENCE
"Refer to the following tables in CISCO-FILTER-GROUP-MIB:
cfgFilterGroupTable
cfgFilterServiceGroupTable."
DEFVAL { "" }
::= { cippfIpFilterEntry 26 }
cippfIpFilterICMPGroupName OBJECT-TYPE
SYNTAX CfgFilterGroupName
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object identifies the filter group containing
information about ICMP messages. This value must
match an entry in cfgFilterGroupTable whose
cfgFilterGroupType value is set to 'icmp' and must
match an entry in cfgFilterICMPGroupTable.
This object cannot be set if any of the following
objects are set:
cippfIpFilterICMPType
cippfIpFilterICMPCode.
This object is not instantiated if not applicable."
REFERENCE
"Refer to the following tables in CISCO-FILTER-GROUP-MIB:
cfgFilterGroupTable
cfgFilterICMPGroupTable."
DEFVAL { "" }
::= { cippfIpFilterEntry 27 }
cippfIpFilterExtTable OBJECT-TYPE
SYNTAX SEQUENCE OF CippfIpFilterExtEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is an extension to cippfIpFilterTable.
This table is used for configuring the objects
that are used for reporting the information about
filters and reporting the logs. These objects
do not change the match criteria for the filter
but assist in troubleshooting the matched criteria."
::= { cippfIpFilterConfig 4 }
cippfIpFilterExtEntry OBJECT-TYPE
SYNTAX CippfIpFilterExtEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in filter extension table. Each entry
contains information on the description of the
filter and logging related objects."
AUGMENTS { cippfIpFilterEntry }
::= { cippfIpFilterExtTable 1 }
CippfIpFilterExtEntry ::= SEQUENCE {
cippfIpFilterExtDescription SnmpAdminString,
cippfIpFilterExtLogLevel SyslogSeverity,
cippfIpFilterExtLogInterval Unsigned32
}
cippfIpFilterExtDescription OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used for configuring
description of the filter."
DEFVAL { "" }
::= { cippfIpFilterExtEntry 1 }
cippfIpFilterExtLogLevel OBJECT-TYPE
SYNTAX SyslogSeverity
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used for specifying the log level
(severity) used in syslog for this filter."
DEFVAL { info }
::= { cippfIpFilterExtEntry 2 }
cippfIpFilterExtLogInterval OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used for configuring the time
interval at which the syslog message for this
filter is generated."
DEFVAL { 300 }
::= { cippfIpFilterExtEntry 3 }
cippfIpFilterStatsTable OBJECT-TYPE
SYNTAX SEQUENCE OF CippfIpFilterStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table defines a set of statistics related to
packet filter. The statistics related to matched
filters are available here."
::= { cippfIpFilterStats 1 }
cippfIpFilterStatsEntry OBJECT-TYPE
SYNTAX CippfIpFilterStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in IP Filter stats table. An entry exists
in this table for every entry in cippfIpFilterTable."
INDEX{
cippfIpProfileName,
cippfIpFilterIndex
}
::= { cippfIpFilterStatsTable 1 }
CippfIpFilterStatsEntry ::= SEQUENCE {
cippfIpFilterHits Counter64
}
cippfIpFilterHits OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the number of packets that
matched the packet filter configuration in
cippfIpFilterTable."
::= { cippfIpFilterStatsEntry 1 }
-- *****************************************************************
-- Conformance information
-- *****************************************************************
ciscoIpProtocolFilterMIBCompl
OBJECT IDENTIFIER ::= { ciscoIpProtocolFilterMIBConform 1 }
ciscoIpProtocolFilterMIBGroups
OBJECT IDENTIFIER ::= { ciscoIpProtocolFilterMIBConform 2 }
-- *****************************************************************
-- Compliance statements
-- *****************************************************************
ciscoIpProtocolMIBCompliance MODULE-COMPLIANCE
STATUS deprecated -- superseded by
-- ciscoIpProtocolMIBComplianceRev1
DESCRIPTION
"The compliance statement for entities implementing
the Cisco IP Protocol Filter MIB.
OBJECT cippfIpFilterAddressType
SYNTAX InetAddressType { ipv4(1) }
DESCRIPTION
An implementation is only required to
support IPv4 addresses.
OBJECT cippfIpFilterSrcAddress
SYNTAX InetAddress (SIZE(4))
DESCRIPTION
An implementation is only required to
support IPv4 addresses.
OBJECT cippfIpFilterDestAddress
SYNTAX InetAddress (SIZE(4))
DESCRIPTION
An implementation is only required to
support IPv4 addresses."
MODULE
MANDATORY-GROUPS {
ciscoIpProtocolFilteringGroup }
::= { ciscoIpProtocolFilterMIBCompl 1 }
ciscoIpProtocolMIBComplianceRev1 MODULE-COMPLIANCE
STATUS deprecated -- superseded by
-- ciscoIpProtocolMIBComplianceRev2
DESCRIPTION
"The compliance statement for entities implementing
the Cisco IP Protocol Filter MIB.
OBJECT cippfIpFilterAddressType
SYNTAX InetAddressType { ipv4(1) }
DESCRIPTION
An implementation is only required to
support IPv4 addresses.
OBJECT cippfIpFilterSrcAddress
SYNTAX InetAddress (SIZE(4))
DESCRIPTION
An implementation is only required to
support IPv4 addresses.
OBJECT cippfIpFilterDestAddress
SYNTAX InetAddress (SIZE(4))
DESCRIPTION
An implementation is only required to
support IPv4 addresses.
OBJECT cippfIpFilterOrderPosition
MIN-ACCESS read-only
DESCRIPTION
Write access is not required.
OBJECT cippfIpProfileType
MIN-ACCESS read-only
DESCRIPTION
Write access is not required. "
MODULE
MANDATORY-GROUPS {
ciscoIpProtocolFilteringGroup }
GROUP ciscoIpProtocolFilterGroup2
DESCRIPTION
"Implementation of this group is optional."
::= { ciscoIpProtocolFilterMIBCompl 2 }
ciscoIpProtocolMIBComplianceRev2 MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for entities implementing
the Cisco IP Protocol Filter MIB."
MODULE
MANDATORY-GROUPS {
ciscoIpProtocolFilteringGroup,
ciscoIpProtocolFilterStatsGroup
}
OBJECT cippfIpFilterAddressType
-- SYNTAX InetAddressType { ipv4(1) }
SYNTAX INTEGER { ipv4(1) }
DESCRIPTION
"An implementation is only required to
support IPv4 addresses."
OBJECT cippfIpFilterSrcAddress
SYNTAX InetAddress (SIZE(4))
DESCRIPTION
"An implementation is only required to
support IPv4 addresses."
OBJECT cippfIpFilterDestAddress
SYNTAX InetAddress (SIZE(4))
DESCRIPTION
"An implementation is only required to
support IPv4 addresses."
OBJECT cippfIpFilterOrderPosition
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT cippfIpProfileType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. "
GROUP ciscoIpProtocolFilterGroup2
DESCRIPTION
"Implementation of this group is optional."
GROUP ciscoIpProtocolFilterExtGroup
DESCRIPTION
"Implementation of this group is mandatory
for those systems where additional objects
are supported for each filter."
GROUP ciscoIpProtocolFilterObjectGroup
DESCRIPTION
"Implementation of this group is mandatory
for those systems where filter groups
are supported in IP filters."
OBJECT cippfIpFilterSrcIPGroupName
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required to be implemented
if filter group is not supported."
OBJECT cippfIpFilterDstIPGroupName
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required to be implemented
if filter group is not supported."
OBJECT cippfIpFilterSrcServiceGroupName
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required to be implemented
if filter group is not supported."
OBJECT cippfIpFilterDstServiceGroupName
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required to be implemented
if filter group is not supported."
OBJECT cippfIpFilterICMPGroupName
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required to be implemented
if filter group is not supported."
::= { ciscoIpProtocolFilterMIBCompl 3 }
-- *****************************************************************
-- Units of conformance
-- *****************************************************************
ciscoIpProtocolFilteringGroup OBJECT-GROUP
OBJECTS {
cippfIpProfileType,
cippfIpProfileLastFilterIndex,
cippfIpProfileStatus,
cippfIfIpProfileName,
cippfIfIpProfileStatus,
cippfIpFilterOrderPosition,
cippfIpFilterAction,
cippfIpFilterAddressType,
cippfIpFilterSrcAddress,
cippfIpFilterSrcMask,
cippfIpFilterDestAddress,
cippfIpFilterDestMask,
cippfIpFilterProtocol,
cippfIpFilterSrcPortLow,
cippfIpFilterSrcPortHigh,
cippfIpFilterDestPortLow,
cippfIpFilterDestPortHigh,
cippfIpFilterPrecedence,
cippfIpFilterTos,
cippfIpFilterLogEnabled,
cippfIpFilterStatus }
STATUS current
DESCRIPTION
"Configuration parameters for IP Protocol filters."
::= { ciscoIpProtocolFilterMIBGroups 1 }
ciscoIpProtocolFilterGroup2 OBJECT-GROUP
OBJECTS {
cippfIpFilterICMPType,
cippfIpFilterTCPEstablished,
cippfIpFilterFragments,
cippfIpFilterICMPCode }
STATUS current
DESCRIPTION
"Configuration parameters for IP Protocol filters. "
::= { ciscoIpProtocolFilterMIBGroups 2 }
ciscoIpProtocolFilterExtGroup OBJECT-GROUP
OBJECTS {
cippfIpFilterExtDescription,
cippfIpFilterExtLogLevel,
cippfIpFilterExtLogInterval
}
STATUS current
DESCRIPTION
"Configuration parameters for logging
packet filters."
::= { ciscoIpProtocolFilterMIBGroups 4 }
ciscoIpProtocolFilterObjectGroup OBJECT-GROUP
OBJECTS {
cippfIpFilterSrcIPGroupName,
cippfIpFilterDstIPGroupName,
cippfIpFilterProtocolGroupName,
cippfIpFilterSrcServiceGroupName,
cippfIpFilterDstServiceGroupName,
cippfIpFilterICMPGroupName
}
STATUS current
DESCRIPTION
"Configuration parameters for filter groups
in a protocol filter."
::= { ciscoIpProtocolFilterMIBGroups 5 }
ciscoIpProtocolFilterStatsGroup OBJECT-GROUP
OBJECTS {
cippfIpFilterHits
}
STATUS current
DESCRIPTION
"This is a group containing objects
related to packet filter."
::= { ciscoIpProtocolFilterMIBGroups 6 }
-- *****************************************************************
-- End of units of conformance
-- *****************************************************************
END
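-- Added example (not part of the Cisco MIB and not Cisco code): a Python pre-flight
-- check a management script could run before an SNMP SET on a cippfIpFilterTable row.
-- It applies the exclusions and cfgFilterGroupType requirements stated in the
-- service and ICMP group-name DESCRIPTION clauses above; check_filter_row, the dict
-- inputs and the sample group names are assumptions made for illustration.

```python
# Added example: validates one proposed filter row against the MIB's stated rules.
# Group-name object -> explicit objects it cannot be combined with (from DESCRIPTION).
EXCLUSIONS = {
    "cippfIpFilterSrcServiceGroupName":
        ("cippfIpFilterSrcPortLow", "cippfIpFilterSrcPortHigh"),
    "cippfIpFilterDstServiceGroupName":
        ("cippfIpFilterDestPortLow", "cippfIpFilterDestPortHigh"),
    "cippfIpFilterICMPGroupName":
        ("cippfIpFilterICMPType", "cippfIpFilterICMPCode"),
}
# Group-name object -> cfgFilterGroupType its cfgFilterGroupTable entry must carry.
REQUIRED_TYPE = {
    "cippfIpFilterSrcServiceGroupName": "service",
    "cippfIpFilterDstServiceGroupName": "service",
    "cippfIpFilterICMPGroupName": "icmp",
}

def check_filter_row(row, filter_groups):
    """Return a list of problems for one proposed row (empty list = acceptable).

    row: object name -> value for the varbinds in the SET request.
    filter_groups: group name -> cfgFilterGroupType, as read by the caller
        from cfgFilterGroupTable (hypothetical input shape).
    Assumptions: a group name counts as set when non-empty (its DEFVAL is ""),
    and an explicit object counts as set when it is present in the request.
    """
    problems = []
    for group_obj, explicit in EXCLUSIONS.items():
        name = row.get(group_obj, "")
        if not name:
            continue  # default "" means no group is referenced
        for obj in explicit:
            if obj in row:
                problems.append(f"{group_obj} cannot be set together with {obj}")
        have = filter_groups.get(name)
        if have is None:
            problems.append(f"{group_obj}={name!r} has no cfgFilterGroupTable entry")
        elif have != REQUIRED_TYPE[group_obj]:
            problems.append(f"{group_obj}={name!r} is type {have!r}, "
                            f"needs {REQUIRED_TYPE[group_obj]!r}")
    return problems

# Constructed sample data, not taken from any device.
GROUPS = {"web-ports": "service", "ping-only": "icmp"}
ROW_OK = {"cippfIpFilterDstServiceGroupName": "web-ports",
          "cippfIpFilterSrcPortLow": 1024, "cippfIpFilterSrcPortHigh": 65535}
ROW_CONFLICT = {"cippfIpFilterDstServiceGroupName": "web-ports",
                "cippfIpFilterDestPortLow": 80}
```

-- The check covers cfgFilterGroupTable only; membership in cfgFilterServiceGroupTable
-- or cfgFilterICMPGroupTable still has to be confirmed against the agent.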