-- HP-ICF-ARP-PROTECT DEFINITIONS ::= BEGIN IMPORTS hpSwitch FROM HP-ICF-OID ifIndex FROM IF-MIB InetAddressType FROM INET-ADDRESS-MIB InetAddress FROM INET-ADDRESS-MIB VlanIndex FROM Q-BRIDGE-MIB OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP FROM SNMPv2-CONF Counter32, OBJECT-TYPE, MODULE-IDENTITY, NOTIFICATION-TYPE FROM SNMPv2-SMI TruthValue, MacAddress FROM SNMPv2-TC; -- 1.3.6.1.4.1.11.2.14.11.5.1.37 hpicfArpProtect MODULE-IDENTITY LAST-UPDATED "200708290000Z" -- August 29, 2007 at 00:00 GMT ORGANIZATION "Hewlett-Packard Company ProCurve Networking Business" CONTACT-INFO "Hewlett-Packard Company 8000 Foothills Blvd. Roseville, CA 95747" DESCRIPTION "This MIB module contains HP proprietary objects for managing Dynamic ARP Protection." REVISION "200708290000Z" -- August 29, 2007 at 00:00 GMT DESCRIPTION "Added hpicfArpProtectNotification and associated objects." REVISION "200605030027Z" -- May 03, 2006 at 00:27 GMT DESCRIPTION "Initial revision." ::= { hpSwitch 37 } -- -- Node definitions -- -- 1.3.6.1.4.1.11.2.14.11.5.1.37.0 hpicfArpProtectNotifications OBJECT IDENTIFIER ::= { hpicfArpProtect 0 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.0.1 hpicfArpProtectErrantReply NOTIFICATION-TYPE OBJECTS { hpicfArpProtectErrantCnt, hpicfArpProtectErrantSrcMac, hpicfArpProtectErrantSrcIpType, hpicfArpProtectErrantSrcIp, hpicfArpProtectErrantDestMac, hpicfArpProtectErrantDestIpType, hpicfArpProtectErrantDestIp } STATUS current DESCRIPTION "An hpicfArpProtectErrantReply notification signifies that the ARP protection entity is enabled and has detected an errant ARP reply packet. The source and destination addresses from the packet header are included in the notification." ::= { hpicfArpProtectNotifications 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1 hpicfArpProtectObjects OBJECT IDENTIFIER ::= { hpicfArpProtect 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1 hpicfArpProtectConfig OBJECT IDENTIFIER ::= { hpicfArpProtectObjects 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1 hpicfArpProtectGlobalCfg OBJECT IDENTIFIER ::= { hpicfArpProtectConfig 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.1 hpicfArpProtectEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The administrative status of the ARP Protection feature." ::= { hpicfArpProtectGlobalCfg 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.2 hpicfArpProtectVlanEnable OBJECT-TYPE SYNTAX OCTET STRING (SIZE (512)) MAX-ACCESS read-write STATUS current DESCRIPTION "The administrative status for Dynamic ARP Protection on each VLAN. There will be one bit in this string for each possible VLAN ID. Each octet within this value specifies a set of eight VLANs, with the first octet specifying VLAN IDs 1 through 8, the second octet specifying VLAN IDs 9 through 16, etc. Within each octet, the most significant bit represents the lowest numbered VLAN ID, and the least significant bit represents the highest numbered VLAN ID. Thus, each possible VLAN ID of the bridge is represented by a single bit within the value of this object. If that bit has a value of '1', then Dynamic ARP Protection is enabled on that VLAN; Dynamic ARP Protection is not enabled on the VLAN its bit has a value of '0'." ::= { hpicfArpProtectGlobalCfg 2 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.3 hpicfArpProtectValidation OBJECT-TYPE SYNTAX BITS { srcMac(0), dstMac(1), ip(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Additional validation checks to perform on ARP packets during Dynamic ARP Protection. srcMac - Drop any ARP request or response packet where the source MAC address in the Ethernet header does not match the sender MAC address in the body of the ARP packet. dstMac - Drop any unicast ARP response packet where the destination MAC address in the Ethernet header does not match the target MAC address in the body of the ARP packet. ip - Drop any ARP packet where the sender IP address is invalid. Drop any ARP response packet where the target IP address is invalid. Invalid addresses include 0.0.0.0, 255.255.255.255, all IP multicast addresses, and all class E IP addresses. These checks are only performed for ARP packets received on untrusted ports in VLANs that are enabled for Dynamic ARP Protection. ARP packets received on trusted ports, and ARP packets in VLANs for which Dynamic ARP Protection is disabled, are forwarded without validation." ::= { hpicfArpProtectGlobalCfg 3 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.4 hpicfArpProtectErrantNotifyEnable OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Provides operational control of hpicfArpProtectErrantReply." ::= { hpicfArpProtectGlobalCfg 4 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2 hpicfArpProtectPortTable OBJECT-TYPE SYNTAX SEQUENCE OF HpicfArpProtectPortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Per-interface configuration for Dynamic ARP Protection." ::= { hpicfArpProtectConfig 2 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2.1 hpicfArpProtectPortEntry OBJECT-TYPE SYNTAX HpicfArpProtectPortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Dynamic ARP Protection configuration information for a single port." INDEX { ifIndex } ::= { hpicfArpProtectPortTable 1 } HpicfArpProtectPortEntry ::= SEQUENCE { hpicfArpProtectPortTrust TruthValue } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2.1.1 hpicfArpProtectPortTrust OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates whether this port is trusted for Dynamic ARP Protection." ::= { hpicfArpProtectPortEntry 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2 hpicfArpProtectStatus OBJECT IDENTIFIER ::= { hpicfArpProtectObjects 2 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1 hpicfArpProtectVlanStatTable OBJECT-TYPE SYNTAX SEQUENCE OF HpicfArpProtectVlanStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Per-VLAN statistics for Dynamic ARP Protection." ::= { hpicfArpProtectStatus 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1 hpicfArpProtectVlanStatEntry OBJECT-TYPE SYNTAX HpicfArpProtectVlanStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Dynamic ARP Protection statistics for a single VLAN." INDEX { hpicfArpProtectVlanStatIndex } ::= { hpicfArpProtectVlanStatTable 1 } HpicfArpProtectVlanStatEntry ::= SEQUENCE { hpicfArpProtectVlanStatIndex VlanIndex, hpicfArpProtectVlanStatForwards Counter32, hpicfArpProtectVlanStatBadPkts Counter32, hpicfArpProtectVlanStatBadBindings Counter32, hpicfArpProtectVlanStatBadSrcMacs Counter32, hpicfArpProtectVlanStatBadDstMacs Counter32, hpicfArpProtectVlanStatBadIpAddrs Counter32 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.1 hpicfArpProtectVlanStatIndex OBJECT-TYPE SYNTAX VlanIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "This variable uniquely identifies the VLAN that the counters in this entry apply to. The VLAN identified by this object is the same VLAN as identified by the identical value in the dot1qVlanIndex object." ::= { hpicfArpProtectVlanStatEntry 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.2 hpicfArpProtectVlanStatForwards OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of ARP packets received on untrusted ports in this VLAN that were successfully validated and forwarded. This count does not increment for VLANs for which Dynamic ARP Protection is not enabled." ::= { hpicfArpProtectVlanStatEntry 2 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.3 hpicfArpProtectVlanStatBadPkts OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of ARP packets received on untrusted ports that were dropped because they were malformed in some way. This may include an unrecognized opcode, an unrecognized protocol type, an unrecognized hardware type, an invalid protocol address length, or an invalid hardware address length. This count does not increment for VLANs for which Dynamic ARP Protection is not enabled." ::= { hpicfArpProtectVlanStatEntry 3 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.4 hpicfArpProtectVlanStatBadBindings OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of ARP packets received on untrusted ports that were dropped because they advertized a source IP-to-MAC binding that did not match a known, valid binding. This count does not increment for VLANs for which Dynamic ARP Protection is not enabled." ::= { hpicfArpProtectVlanStatEntry 4 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.5 hpicfArpProtectVlanStatBadSrcMacs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of ARP packets received on untrusted ports that were dropped because the source MAC address in the Ethernet header did not match the sender MAC address in the body of the ARP packet. This count does not increment when source MAC validation is not enabled. This count does not increment for VLANs for which Dynamic ARP Protection is not enabled." ::= { hpicfArpProtectVlanStatEntry 5 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.6 hpicfArpProtectVlanStatBadDstMacs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of unicast ARP response packets received on untrusted ports that were dropped because the destination MAC address in the Ethernet header did not match the target MAC address in the body of the ARP packet. This count does not increment when destination address validation is not enabled. This count does not increment for VLANs for which Dynamic ARP Protection is not enabled." ::= { hpicfArpProtectVlanStatEntry 6 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.7 hpicfArpProtectVlanStatBadIpAddrs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of ARP packets received on untrusted ports that were dropped because they contained an invalid sender IP address, or they contained an invalid target IP address in an ARP response. This count does not increment when IP address validation is not enabled. This count does not increment for VLANs for which Dynamic ARP Protection is not enabled." ::= { hpicfArpProtectVlanStatEntry 7 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.3 hpicfArpProtectErrantCnt OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "A count of hpicfArpProtectErrantReply sent from the ARP Protection entity to the SNMP entity. This count may differ from the count of notifications transmitted due to rate limiting or configuration." ::= { hpicfArpProtectObjects 3 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.4 hpicfArpProtectErrantSrcMac OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Errant source MAC address included in a hpicfArpProtectNotification." ::= { hpicfArpProtectObjects 4 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.5 hpicfArpProtectErrantSrcIpType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "IP Address type reported in hpicfArpProtectErrantSrcIp." ::= { hpicfArpProtectObjects 5 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.6 hpicfArpProtectErrantSrcIp OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Errant source IP address included in a hpicfArpProtectNotification." ::= { hpicfArpProtectObjects 6 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.7 hpicfArpProtectErrantDestMac OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Errant destination MAC address included in a hpicfArpProtectNotification." ::= { hpicfArpProtectObjects 7 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.8 hpicfArpProtectErrantDestIpType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "IP Address type reported in hpicfArpProtectErrantDestIp." ::= { hpicfArpProtectObjects 8 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.9 hpicfArpProtectErrantDestIp OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Errant destination IP address included in a hpicfArpProtectNotification." ::= { hpicfArpProtectObjects 9 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.2 hpicfArpProtectConformance OBJECT IDENTIFIER ::= { hpicfArpProtect 2 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1 hpicfArpProtectGroups OBJECT IDENTIFIER ::= { hpicfArpProtectConformance 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1.1 hpicfArpProtectBaseGroup OBJECT-GROUP OBJECTS { hpicfArpProtectEnable, hpicfArpProtectVlanEnable, hpicfArpProtectValidation, hpicfArpProtectPortTrust, hpicfArpProtectVlanStatForwards, hpicfArpProtectVlanStatBadPkts, hpicfArpProtectVlanStatBadBindings, hpicfArpProtectVlanStatBadSrcMacs, hpicfArpProtectVlanStatBadDstMacs, hpicfArpProtectVlanStatBadIpAddrs, hpicfArpProtectErrantSrcMac, hpicfArpProtectErrantSrcIp, hpicfArpProtectErrantDestMac, hpicfArpProtectErrantSrcIpType, hpicfArpProtectErrantDestIpType, hpicfArpProtectErrantDestIp, hpicfArpProtectErrantCnt, hpicfArpProtectErrantNotifyEnable } STATUS current DESCRIPTION "A collection of objects for configuring and monitoring the base Dynamic ARP Protection functionality." ::= { hpicfArpProtectGroups 1 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1.2 hpicfArpProtectionNotifications NOTIFICATION-GROUP NOTIFICATIONS { hpicfArpProtectErrantReply } STATUS current DESCRIPTION "A group of Notifications whose implementation is mandatory when HP-ICF-ARP-PROTECTION is implemented." ::= { hpicfArpProtectGroups 2 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.2 hpicfArpProtectCompliances OBJECT IDENTIFIER ::= { hpicfArpProtectConformance 2 } -- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.2.1 hpicfArpProtectCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for HP ProCurve switches that support Dynamic ARP Protection." MODULE -- this module MANDATORY-GROUPS { hpicfArpProtectBaseGroup, hpicfArpProtectionNotifications } ::= { hpicfArpProtectCompliances 1 } END