551 lines
20 KiB
Plaintext
551 lines
20 KiB
Plaintext
-- *****************************************************************
|
|
-- DLINKSW-PORT-SECURITY-MIB.mib : Port Security MIB
|
|
--
|
|
-- Copyright (c) 2013 D-Link Corporation, all rights reserved.
|
|
--
|
|
-- *****************************************************************
|
|
DLINKSW-PORT-SECURITY-MIB DEFINITIONS ::= BEGIN
|
|
|
|
IMPORTS
|
|
MODULE-IDENTITY,
|
|
OBJECT-TYPE,
|
|
NOTIFICATION-TYPE,
|
|
Unsigned32,
|
|
Integer32,
|
|
Counter64
|
|
FROM SNMPv2-SMI
|
|
TruthValue,
|
|
MacAddress,
|
|
RowStatus
|
|
FROM SNMPv2-TC
|
|
MODULE-COMPLIANCE,
|
|
OBJECT-GROUP
|
|
FROM SNMPv2-CONF
|
|
ifIndex, InterfaceIndex
|
|
FROM IF-MIB
|
|
VlanId,
|
|
VlanIdOrNone
|
|
FROM Q-BRIDGE-MIB
|
|
dlinkIndustrialCommon
|
|
FROM DLINK-ID-REC-MIB;
|
|
|
|
|
|
dlinkSwPortSecurityMIB MODULE-IDENTITY
|
|
LAST-UPDATED "201307300000Z"
|
|
ORGANIZATION "D-Link Corp."
|
|
CONTACT-INFO
|
|
" D-Link Corporation
|
|
|
|
Postal: No. 289, Sinhu 3rd Rd., Neihu District,
|
|
Taipei City 114, Taiwan, R.O.C
|
|
Tel: +886-2-66000123
|
|
E-mail: tsd@dlink.com.tw
|
|
"
|
|
DESCRIPTION
|
|
"This MIB module defines objects for port security."
|
|
|
|
REVISION "201307300000Z"
|
|
DESCRIPTION
|
|
" This is the first version of the MIB file for 'port
|
|
security' functionality.
|
|
"
|
|
::= { dlinkIndustrialCommon 8 }
|
|
|
|
-- -----------------------------------------------------------------------------
|
|
dPortSecNotifications OBJECT IDENTIFIER ::= { dlinkSwPortSecurityMIB 0 }
|
|
dPortSecObjects OBJECT IDENTIFIER ::= { dlinkSwPortSecurityMIB 1 }
|
|
dPortSecConformance OBJECT IDENTIFIER ::= { dlinkSwPortSecurityMIB 2 }
|
|
|
|
-- -----------------------------------------------------------------------------
|
|
-- dPortSecObjects
|
|
-- -----------------------------------------------------------------------------
|
|
dPortSecGlobalNotifControl OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Set to 'true' to enable global SNMP Notification
|
|
for port security feature. Setting the object to
|
|
'false' will disable SNMP notifications."
|
|
DEFVAL { false }
|
|
::= { dPortSecObjects 1}
|
|
|
|
dPortSecGlobalNotifRate OBJECT-TYPE
|
|
SYNTAX Unsigned32 (0..1000)
|
|
UNITS "notifications per second"
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Expressed in the number of notifications can be generated
|
|
per second.
|
|
The global control configures the rate-limit of
|
|
SNMP Notification for port security feature. This object
|
|
specifies the rate at which SNMP Notification is generated
|
|
when dPortSecIfViolationCount increases. When the rate is over
|
|
the configured rate, the SNMP Notification is suppressed but it
|
|
does not affect dPortSecIfViolationCount.
|
|
A value of 0 indicates that an SNMP Notification is generated
|
|
for every security violation."
|
|
DEFVAL { 0 }
|
|
::= { dPortSecObjects 2 }
|
|
|
|
dPortSecNotifyInfo OBJECT IDENTIFIER ::= { dPortSecObjects 3 }
|
|
|
|
dPortSecIfViolationMacAddress OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object is also used as a variable in the dPortSecMacAddrViolation
|
|
notification to contain the value of the MAC address which caused the violation."
|
|
::= { dPortSecNotifyInfo 1 }
|
|
|
|
dPortSecGlobalMaximumNum OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Indicates the system maximum addresses number (users) allowed.
|
|
A value of -1 means no-limit. The max entry range is (1..N).
|
|
The value N means the max number and is determined by the project itself."
|
|
DEFVAL { -1 }
|
|
::= { dPortSecObjects 4}
|
|
|
|
dPortSecVlanTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF DPortSecVlanEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The table is used to configure and display port security settings
|
|
and status for a particular VLAN."
|
|
::= { dPortSecObjects 5}
|
|
|
|
dPortSecVlanEntry OBJECT-TYPE
|
|
SYNTAX DPortSecVlanEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An entry contains port security information for a particular
|
|
VLAN."
|
|
INDEX { dPortSecVlanID }
|
|
::= { dPortSecVlanTable 1}
|
|
|
|
DPortSecVlanEntry ::= SEQUENCE {
|
|
dPortSecVlanID VlanId,
|
|
dPortSecVlanMaximumNum Integer32,
|
|
dPortSecVlanCurrentNum Unsigned32
|
|
}
|
|
|
|
dPortSecVlanID OBJECT-TYPE
|
|
SYNTAX VlanId
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object specifies the VLAN ID for address learning."
|
|
::= { dPortSecVlanEntry 1}
|
|
|
|
dPortSecVlanMaximumNum OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Indicates the VLAN maximum addresses number (users) allowed.
|
|
A value of -1 means no-limit. The range is (1..N).
|
|
The value N means the upper limit and is determined by the project
|
|
itself."
|
|
DEFVAL { -1 }
|
|
::= { dPortSecVlanEntry 2}
|
|
|
|
dPortSecVlanCurrentNum OBJECT-TYPE
|
|
SYNTAX Unsigned32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Indicates the current number of secure MAC addresses on this VLAN."
|
|
::= { dPortSecVlanEntry 3}
|
|
|
|
dPortSecIfTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF DPortSecIfEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The table is used to configure and display port security settings
|
|
and status for a particular interface."
|
|
::= { dPortSecObjects 6 }
|
|
|
|
dPortSecIfEntry OBJECT-TYPE
|
|
SYNTAX DPortSecIfEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Entry containing port security information for a particular
|
|
interface."
|
|
INDEX { ifIndex }
|
|
::= { dPortSecIfTable 1 }
|
|
|
|
DPortSecIfEntry ::= SEQUENCE {
|
|
dPortSecIfEnable TruthValue,
|
|
dPortSecIfCurrentStatus INTEGER,
|
|
dPortSecIfMaximumNum Unsigned32,
|
|
dPortSecIfViolationAction INTEGER,
|
|
dPortSecIfSecureMode INTEGER,
|
|
dPortSecIfAgingTime INTEGER,
|
|
dPortSecIfAgingType INTEGER,
|
|
dPortSecIfClearDynamicAddr INTEGER,
|
|
dPortSecIfCurrentNum Unsigned32,
|
|
dPortSecIfViolationCount Counter64
|
|
}
|
|
|
|
dPortSecIfEnable OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Uses the object to enable or disable port security."
|
|
DEFVAL { false }
|
|
::= { dPortSecIfEntry 1 }
|
|
|
|
dPortSecIfCurrentStatus OBJECT-TYPE
|
|
SYNTAX INTEGER { notEnabled(1), forwarding(2), errDisabled(3) }
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object represents the operational status
|
|
of the port security feature on an interface.
|
|
|
|
notEnabled(1) - This indicates port security
|
|
is not enabled.
|
|
forwarding(2) - This indicates port security is
|
|
operational.
|
|
errDisabled(3) - This indicates that the port is
|
|
shutdown due to port security
|
|
violation when the object
|
|
dPortSecIfViolationAction is of type
|
|
'shutdown'."
|
|
::= { dPortSecIfEntry 2 }
|
|
|
|
dPortSecIfMaximumNum OBJECT-TYPE
|
|
SYNTAX Unsigned32
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object sets the maximum number of secure MAC addresses
|
|
(users) allowed."
|
|
DEFVAL { 32 }
|
|
::= { dPortSecIfEntry 3 }
|
|
|
|
dPortSecIfViolationAction OBJECT-TYPE
|
|
SYNTAX INTEGER { protect(1), restrict(2), shutdown(3) }
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object sets the action to be taken when a security violation is detected.
|
|
|
|
protect(1) - Drops all the packets from the insecure hosts at the
|
|
port-security process level but does not increment
|
|
the security-violation count.
|
|
restrict(2) - Drops all packets from the insecure hosts at the
|
|
port-security process level and increments the
|
|
security-violation count.
|
|
shutdown(3) - Shuts down the port if there is a security violation."
|
|
DEFVAL { shutdown }
|
|
::= { dPortSecIfEntry 4 }
|
|
|
|
dPortSecIfSecureMode OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
permanent(1),
|
|
deleteOnTimeout(2)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Use the object to set the port security mode.
|
|
|
|
permanent(1) - Under this mode all learned MAC addresses won't be
|
|
purged unless a user deletes these entries manually.
|
|
deleteOnTimeout(2) - Under this mode all learned MAC addresses
|
|
will be purged when an entry ages out or a user deletes
|
|
these entries manually."
|
|
DEFVAL { deleteOnTimeout }
|
|
::= { dPortSecIfEntry 5 }
|
|
|
|
dPortSecIfAgingTime OBJECT-TYPE
|
|
SYNTAX INTEGER(0..1440)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Use the object to set aging time for auto-learned dynamic secured address.
|
|
When 0 is set on the specified interface, it means the port security aging
|
|
has been disabled."
|
|
DEFVAL { 0 }
|
|
::= { dPortSecIfEntry 6 }
|
|
|
|
dPortSecIfAgingType OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
absolute(1),
|
|
inactivity(2)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Use the object to set aging type for auto-learned dynamic secured address.
|
|
|
|
absolute(1) - Under this aging type, all the secured address on this interface will
|
|
age out exactly after the time specified.
|
|
inactivity(2) - Under this aging type, all learned MAC addresses on this interface
|
|
will age out only if there is no data traffic from the secure source
|
|
address for the specified time period."
|
|
DEFVAL { absolute }
|
|
::= { dPortSecIfEntry 7 }
|
|
|
|
dPortSecIfClearDynamicAddr OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
clear(1),
|
|
noOp(2)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Setting this object to 'clear' to clear the addresses which will be
|
|
purged out when an entry is aged out on the corresponding
|
|
interface.
|
|
No action is taken if this object is set to 'noOp'.
|
|
When read, the value 'noOp' is returned."
|
|
DEFVAL { noOp }
|
|
::= { dPortSecIfEntry 8 }
|
|
|
|
dPortSecIfCurrentNum OBJECT-TYPE
|
|
SYNTAX Unsigned32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Indicates the current number of secure MAC addresses
|
|
on this interface."
|
|
::= { dPortSecIfEntry 9 }
|
|
|
|
dPortSecIfViolationCount OBJECT-TYPE
|
|
SYNTAX Counter64
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Indicates the number of address violations
|
|
occurred on a secure interface. The counter will
|
|
be initialized to zero when the port security
|
|
feature is enabled on an interface."
|
|
::= { dPortSecIfEntry 10 }
|
|
-- -----------------------------------------------------------------------------
|
|
dPortSecAddrTableCurrentNum OBJECT-TYPE
|
|
SYNTAX Unsigned32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object indicates the number of entries present in the dPortSecAddrTable."
|
|
::= { dPortSecObjects 7 }
|
|
|
|
dPortSecAddrTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF DPortSecAddrEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A list of port security entries containing the secure MAC address
|
|
information."
|
|
::= { dPortSecObjects 8 }
|
|
|
|
dPortSecAddrEntry OBJECT-TYPE
|
|
SYNTAX DPortSecAddrEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An entry contains secure MAC address information for a particular
|
|
interface. A secure MAC address can be added by the user
|
|
and can be added when the device learns a new secure MAC address."
|
|
INDEX { dPortSecAddrIfIndex, dPortSecAddrVlanID, dPortSecAddrMacAddress }
|
|
::= { dPortSecAddrTable 1 }
|
|
|
|
DPortSecAddrEntry ::= SEQUENCE {
|
|
dPortSecAddrIfIndex InterfaceIndex,
|
|
dPortSecAddrVlanID VlanIdOrNone,
|
|
dPortSecAddrMacAddress MacAddress,
|
|
dPortSecAddrSecureMode INTEGER,
|
|
dPortSecAddrRemainTime INTEGER,
|
|
dPortSecAddrRowStatus RowStatus
|
|
}
|
|
|
|
dPortSecAddrIfIndex OBJECT-TYPE
|
|
SYNTAX InterfaceIndex
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The ifIndex value of the interface."
|
|
::= { dPortSecAddrEntry 1 }
|
|
|
|
dPortSecAddrVlanID OBJECT-TYPE
|
|
SYNTAX VlanIdOrNone
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object specifies the VLAN ID where the user-defined secure
|
|
MAC address is located. If this object is set to 0 at row creation
|
|
time, the PVID (default port VLAN ID) will be used for the MAC
|
|
address."
|
|
::= { dPortSecAddrEntry 2 }
|
|
|
|
dPortSecAddrMacAddress OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object indicates the secure MAC address to gain port access
|
|
rights."
|
|
::= { dPortSecAddrEntry 3 }
|
|
|
|
dPortSecAddrSecureMode OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
permanent(1),
|
|
deleteOnTimeout(2)
|
|
}
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Specifies the secure mode.
|
|
For manually configured secure MAC addresses, the dPortSecAddrSecureMode is
|
|
permanent."
|
|
::= { dPortSecAddrEntry 4 }
|
|
|
|
dPortSecAddrRemainTime OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Specifies the remaining aging time for the auto-learned dynamic secured address."
|
|
::= { dPortSecAddrEntry 5 }
|
|
|
|
dPortSecAddrRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The status of this conceptual row.
|
|
This object is used to create and delete instances
|
|
of this table. In other words, besides 'permanent' secure MAC
|
|
address, a 'deleteOnTimeout' address can be cleared by
|
|
this object."
|
|
::= { dPortSecAddrEntry 99 }
|
|
|
|
-- ***************************************************************************
|
|
-- Notifications
|
|
-- ***************************************************************************
|
|
|
|
dPortSecMacAddrViolation NOTIFICATION-TYPE
|
|
OBJECTS {
|
|
ifIndex,
|
|
dPortSecIfCurrentStatus,
|
|
dPortSecIfViolationMacAddress
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The address violation notification is generated when port security
|
|
address violation is detected (dPortSecIfViolationCount increases)."
|
|
::= { dPortSecNotifications 1 }
|
|
|
|
-- ***************************************************************************
|
|
-- Conformance
|
|
-- ***************************************************************************
|
|
dPortSecMIBCompliances
|
|
OBJECT IDENTIFIER ::= { dPortSecConformance 1 }
|
|
dPortSecMIBGroups
|
|
OBJECT IDENTIFIER ::= { dPortSecConformance 2 }
|
|
|
|
dPortSecMIBCompliance MODULE-COMPLIANCE
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The compliance statement for the Port Security MIB."
|
|
MODULE -- this module
|
|
MANDATORY-GROUPS {
|
|
dPortSecIfCfgGroup,
|
|
dPortSecIfStatusGroup,
|
|
dPortSecAddrGroup
|
|
}
|
|
::= { dPortSecMIBCompliances 1 }
|
|
|
|
dPortSecIfCfgGroup OBJECT-GROUP
|
|
OBJECTS {
|
|
dPortSecIfEnable,
|
|
dPortSecIfMaximumNum,
|
|
dPortSecIfViolationAction,
|
|
dPortSecIfSecureMode,
|
|
dPortSecIfAgingTime,
|
|
dPortSecIfAgingType,
|
|
dPortSecIfClearDynamicAddr
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of objects for configuring port
|
|
security feature."
|
|
::= { dPortSecMIBGroups 1 }
|
|
|
|
dPortSecIfStatusGroup OBJECT-GROUP
|
|
OBJECTS {
|
|
dPortSecIfCurrentNum,
|
|
dPortSecIfCurrentStatus,
|
|
dPortSecIfViolationCount
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of objects providing the counter
|
|
information for the port security feature."
|
|
::= { dPortSecMIBGroups 2 }
|
|
|
|
dPortSecAddrGroup OBJECT-GROUP
|
|
OBJECTS {
|
|
dPortSecAddrRowStatus,
|
|
dPortSecAddrSecureMode,
|
|
dPortSecAddrRemainTime,
|
|
dPortSecAddrTableCurrentNum
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of objects providing the address
|
|
information for the port security feature."
|
|
::= { dPortSecMIBGroups 3 }
|
|
|
|
dPortSecAddrNumCtrlGroup OBJECT-GROUP
|
|
OBJECTS {
|
|
dPortSecGlobalMaximumNum,
|
|
dPortSecVlanMaximumNum,
|
|
dPortSecVlanCurrentNum
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of objects provides the configuration of
|
|
the maximum secure MAC address number on system or VLAN specific."
|
|
::= { dPortSecMIBGroups 4 }
|
|
|
|
dPortSecNotifEnableGroup OBJECT-GROUP
|
|
OBJECTS {
|
|
dPortSecGlobalNotifControl,
|
|
dPortSecGlobalNotifRate
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of object(s) that provides control over
|
|
port security related notification(s)."
|
|
::= { dPortSecMIBGroups 5}
|
|
|
|
dPortSecNotifGroup NOTIFICATION-GROUP
|
|
NOTIFICATIONS {
|
|
dPortSecMacAddrViolation
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of notifications providing information
|
|
about address violation."
|
|
::= { dPortSecMIBGroups 6}
|
|
|
|
|
|
|
|
END
|
|
|
|
|
|
|