--
|
|
HP-ICF-ARP-PROTECT DEFINITIONS ::= BEGIN
|
|
|
|
IMPORTS
|
|
hpSwitch
|
|
FROM HP-ICF-OID
|
|
ifIndex
|
|
FROM IF-MIB
|
|
InetAddressType
|
|
FROM INET-ADDRESS-MIB
|
|
InetAddress
|
|
FROM INET-ADDRESS-MIB
|
|
VlanIndex
|
|
FROM Q-BRIDGE-MIB
|
|
OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP
|
|
FROM SNMPv2-CONF
|
|
Counter32, OBJECT-TYPE, MODULE-IDENTITY, NOTIFICATION-TYPE
|
|
FROM SNMPv2-SMI
|
|
TruthValue, MacAddress
|
|
FROM SNMPv2-TC;
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37
|
|
hpicfArpProtect MODULE-IDENTITY
|
|
LAST-UPDATED "200708290000Z" -- August 29, 2007 at 00:00 GMT
|
|
ORGANIZATION
|
|
"Hewlett-Packard Company
|
|
ProCurve Networking Business"
|
|
CONTACT-INFO
|
|
"Hewlett-Packard Company
|
|
8000 Foothills Blvd.
|
|
Roseville, CA 95747"
|
|
DESCRIPTION
|
|
"This MIB module contains HP proprietary
|
|
objects for managing Dynamic ARP
|
|
Protection."
|
|
REVISION "200708290000Z" -- August 29, 2007 at 00:00 GMT
|
|
DESCRIPTION
|
|
"Added hpicfArpProtectNotification and associated objects."
|
|
REVISION "200605030027Z" -- May 03, 2006 at 00:27 GMT
|
|
DESCRIPTION
|
|
"Initial revision."
|
|
::= { hpSwitch 37 }
|
|
|
|
|
|
--
|
|
-- Node definitions
|
|
--
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.0
|
|
hpicfArpProtectNotifications OBJECT IDENTIFIER ::= { hpicfArpProtect 0 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.0.1
-- Notification raised when the ARP protection entity detects an errant
-- ARP reply. The address varbinds are copied from the offending packet,
-- so they are sender-controlled and may be forged; a receiver should
-- record them as evidence rather than as the identity of the offender.
-- The OBJECTS clause carries no ifIndex or VLAN varbind, so the ingress
-- port presumably has to be established from other data on the switch.
-- Emission is controlled by hpicfArpProtectErrantNotifyEnable.
|
|
hpicfArpProtectErrantReply NOTIFICATION-TYPE
|
|
OBJECTS { hpicfArpProtectErrantCnt, hpicfArpProtectErrantSrcMac,
|
|
hpicfArpProtectErrantSrcIpType, hpicfArpProtectErrantSrcIp,
|
|
hpicfArpProtectErrantDestMac, hpicfArpProtectErrantDestIpType,
|
|
hpicfArpProtectErrantDestIp }
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An hpicfArpProtectErrantReply notification signifies that
|
|
the ARP protection entity is enabled and has detected
|
|
an errant ARP reply packet. The source and
|
|
destination addresses from the packet header are included
|
|
in the notification."
|
|
::= { hpicfArpProtectNotifications 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1
|
|
hpicfArpProtectObjects OBJECT IDENTIFIER ::= { hpicfArpProtect 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1
|
|
hpicfArpProtectConfig OBJECT IDENTIFIER ::= { hpicfArpProtectObjects 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1
|
|
hpicfArpProtectGlobalCfg OBJECT IDENTIFIER ::= { hpicfArpProtectConfig 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.1
-- Global administrative switch for ARP protection (TruthValue).
-- MAX-ACCESS is read-write: any SNMP principal allowed to SET this OID
-- can change the feature's administrative status. Write access should
-- be limited to authenticated management users (for example SNMPv3 with
-- a restricted VACM view), and an unexpected change should be treated
-- as a configuration-integrity event.
-- NOTE(review): no DEFVAL is given; the default state is device-defined.
|
|
hpicfArpProtectEnable OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The administrative status of the ARP Protection
|
|
feature."
|
|
::= { hpicfArpProtectGlobalCfg 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.2
|
|
hpicfArpProtectVlanEnable OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE (512))
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The administrative status for Dynamic ARP Protection
|
|
on each VLAN. There will be one bit in this string
|
|
for each possible VLAN ID. Each octet within this
|
|
value specifies a set of eight VLANs, with the first
|
|
octet specifying VLAN IDs 1 through 8, the second
|
|
octet specifying VLAN IDs 9 through 16, etc. Within
|
|
each octet, the most significant bit represents the
|
|
lowest numbered VLAN ID, and the least significant
|
|
bit represents the highest numbered VLAN ID. Thus,
|
|
each possible VLAN ID of the bridge is represented by
|
|
a single bit within the value of this object. If
|
|
that bit has a value of '1', then Dynamic ARP
|
|
Protection is enabled on that VLAN; Dynamic ARP
|
|
Protection is not enabled on the VLAN if its bit has a
|
|
value of '0'."
|
|
::= { hpicfArpProtectGlobalCfg 2 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.3
-- Optional extra checks (BITS: srcMac, dstMac, ip) performed in addition
-- to Dynamic ARP Protection. Read-write, so a SET that clears a bit
-- removes that check; restrict and audit writes accordingly.
-- Per the DESCRIPTION the checks run only on untrusted ports in VLANs
-- enabled for protection. The matching per-VLAN counters
-- (hpicfArpProtectVlanStatBadSrcMacs, ...BadDstMacs, ...BadIpAddrs) do
-- not increment while the corresponding check is off, so a zero counter
-- is only meaningful when the bit is set.
|
|
hpicfArpProtectValidation OBJECT-TYPE
|
|
SYNTAX BITS
|
|
{
|
|
srcMac(0),
|
|
dstMac(1),
|
|
ip(2)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Additional validation checks to perform on ARP
|
|
packets during Dynamic ARP Protection.
|
|
srcMac - Drop any ARP request or response
|
|
packet where the source MAC address in
|
|
the Ethernet header does not match the
|
|
sender MAC address in the body of the
|
|
ARP packet.
|
|
dstMac - Drop any unicast ARP response packet
|
|
where the destination MAC address in the
|
|
Ethernet header does not match the target
|
|
MAC address in the body of the ARP packet.
|
|
ip - Drop any ARP packet where the sender IP
|
|
address is invalid. Drop any ARP response
|
|
packet where the target IP address is
|
|
invalid. Invalid addresses include
|
|
0.0.0.0, 255.255.255.255, all IP multicast
|
|
addresses, and all class E IP addresses.
|
|
These checks are only performed for ARP packets
|
|
received on untrusted ports in VLANs that are enabled
|
|
for Dynamic ARP Protection. ARP packets received on
|
|
trusted ports, and ARP packets in VLANs for which
|
|
Dynamic ARP Protection is disabled, are forwarded
|
|
without validation."
|
|
::= { hpicfArpProtectGlobalCfg 3 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.4
-- Controls the hpicfArpProtectErrantReply notification
-- (enabled(1) / disabled(2); this is an INTEGER enumeration, not the
-- TruthValue used by hpicfArpProtectEnable).
-- Read-write: setting disabled(2) presumably silences the only
-- notification this module defines, so monitoring that relies on it
-- should also poll this object or the per-VLAN drop counters.
-- NOTE(review): no DEFVAL is given; the default state is device-defined.
|
|
hpicfArpProtectErrantNotifyEnable OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
enabled(1),
|
|
disabled(2)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Provides operational control of hpicfArpProtectErrantReply."
|
|
::= { hpicfArpProtectGlobalCfg 4 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2
|
|
hpicfArpProtectPortTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF HpicfArpProtectPortEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Per-interface configuration for Dynamic ARP
|
|
Protection."
|
|
::= { hpicfArpProtectConfig 2 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2.1
|
|
hpicfArpProtectPortEntry OBJECT-TYPE
|
|
SYNTAX HpicfArpProtectPortEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Dynamic ARP Protection configuration information for
|
|
a single port."
|
|
INDEX { ifIndex }
|
|
::= { hpicfArpProtectPortTable 1 }
|
|
|
|
|
|
HpicfArpProtectPortEntry ::=
|
|
SEQUENCE {
|
|
hpicfArpProtectPortTrust
|
|
TruthValue
|
|
}
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2.1.1
-- Per-port trust flag (row indexed by ifIndex). Read-write.
-- The hpicfArpProtectValidation DESCRIPTION states that ARP packets
-- received on trusted ports are forwarded without validation, and the
-- per-VLAN counters count untrusted-port traffic only, so marking a
-- port trusted removes it from both enforcement and statistics.
-- Trust is normally reserved for uplink/infrastructure ports; writes to
-- this object deserve the same access restrictions and auditing as
-- hpicfArpProtectEnable.
-- NOTE(review): no DEFVAL is given; confirm the default trust state on
-- the device.
|
|
hpicfArpProtectPortTrust OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object indicates whether this port is
|
|
trusted for Dynamic ARP Protection."
|
|
::= { hpicfArpProtectPortEntry 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2
|
|
hpicfArpProtectStatus OBJECT IDENTIFIER ::= { hpicfArpProtectObjects 2 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1
|
|
hpicfArpProtectVlanStatTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF HpicfArpProtectVlanStatEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Per-VLAN statistics for Dynamic ARP Protection."
|
|
::= { hpicfArpProtectStatus 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1
|
|
hpicfArpProtectVlanStatEntry OBJECT-TYPE
|
|
SYNTAX HpicfArpProtectVlanStatEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Dynamic ARP Protection statistics for a single VLAN."
|
|
INDEX { hpicfArpProtectVlanStatIndex }
|
|
::= { hpicfArpProtectVlanStatTable 1 }
|
|
|
|
|
|
HpicfArpProtectVlanStatEntry ::=
|
|
SEQUENCE {
|
|
hpicfArpProtectVlanStatIndex
|
|
VlanIndex,
|
|
hpicfArpProtectVlanStatForwards
|
|
Counter32,
|
|
hpicfArpProtectVlanStatBadPkts
|
|
Counter32,
|
|
hpicfArpProtectVlanStatBadBindings
|
|
Counter32,
|
|
hpicfArpProtectVlanStatBadSrcMacs
|
|
Counter32,
|
|
hpicfArpProtectVlanStatBadDstMacs
|
|
Counter32,
|
|
hpicfArpProtectVlanStatBadIpAddrs
|
|
Counter32
|
|
}
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.1
|
|
hpicfArpProtectVlanStatIndex OBJECT-TYPE
|
|
SYNTAX VlanIndex
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This variable uniquely identifies the VLAN that
|
|
the counters in this entry apply to. The VLAN
|
|
identified by this object is the same VLAN as
|
|
identified by the identical value in the
|
|
dot1qVlanIndex object."
|
|
::= { hpicfArpProtectVlanStatEntry 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.2
|
|
hpicfArpProtectVlanStatForwards OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of ARP packets received on untrusted
|
|
ports in this VLAN that were successfully validated
|
|
and forwarded. This count does not increment for
|
|
VLANs for which Dynamic ARP Protection is not
|
|
enabled."
|
|
::= { hpicfArpProtectVlanStatEntry 2 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.3
|
|
hpicfArpProtectVlanStatBadPkts OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of ARP packets received on untrusted
|
|
ports that were dropped because they were malformed
|
|
in some way. This may include an unrecognized
|
|
opcode, an unrecognized protocol type, an
|
|
unrecognized hardware type, an invalid protocol
|
|
address length, or an invalid hardware address
|
|
length. This count does not increment for VLANs
|
|
for which Dynamic ARP Protection is not enabled."
|
|
::= { hpicfArpProtectVlanStatEntry 3 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.4
-- Drops caused by a source IP-to-MAC binding that did not match a known
-- binding, counted for untrusted ports only. For monitoring, this is
-- the counter most directly tied to ARP spoofing/poisoning attempts (or
-- to stale bindings). Alert on its rate of change rather than its
-- absolute value, since a Counter32 wraps and has no defined start.
-- NOTE(review): this module does not say where "known, valid" bindings
-- come from - presumably a DHCP-snooping or static binding table;
-- confirm against the device documentation.
|
|
hpicfArpProtectVlanStatBadBindings OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of ARP packets received on untrusted
|
|
ports that were dropped because they advertized
|
|
a source IP-to-MAC binding that did not match a
|
|
known, valid binding. This count does not increment
|
|
for VLANs for which Dynamic ARP Protection is not
|
|
enabled."
|
|
::= { hpicfArpProtectVlanStatEntry 4 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.5
|
|
hpicfArpProtectVlanStatBadSrcMacs OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of ARP packets received on untrusted
|
|
ports that were dropped because the source MAC
|
|
address in the Ethernet header did not match the
|
|
sender MAC address in the body of the ARP packet.
|
|
This count does not increment when source MAC
|
|
validation is not enabled. This count does not
|
|
increment for VLANs for which Dynamic ARP Protection
|
|
is not enabled."
|
|
::= { hpicfArpProtectVlanStatEntry 5 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.6
|
|
hpicfArpProtectVlanStatBadDstMacs OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of unicast ARP response packets received
|
|
on untrusted ports that were dropped because the
|
|
destination MAC address in the Ethernet header did
|
|
not match the target MAC address in the body of the
|
|
ARP packet. This count does not increment when
|
|
destination address validation is not enabled.
|
|
This count does not increment for VLANs for which
|
|
Dynamic ARP Protection is not enabled."
|
|
::= { hpicfArpProtectVlanStatEntry 6 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.7
|
|
hpicfArpProtectVlanStatBadIpAddrs OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of ARP packets received on untrusted
|
|
ports that were dropped because they contained
|
|
an invalid sender IP address, or they contained
|
|
an invalid target IP address in an ARP response.
|
|
This count does not increment when IP address
|
|
validation is not enabled. This count does not
|
|
increment for VLANs for which Dynamic ARP Protection
|
|
is not enabled."
|
|
::= { hpicfArpProtectVlanStatEntry 7 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.3
-- Running count of errant-reply events handed to the SNMP entity,
-- delivered as a varbind of hpicfArpProtectErrantReply
-- (accessible-for-notify, so it is not available to GET/polling).
-- The DESCRIPTION says fewer notifications may actually be transmitted
-- (rate limiting or configuration); a receiver can compare this value
-- across consecutive notifications to estimate how many events were
-- not delivered.
|
|
hpicfArpProtectErrantCnt OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A count of hpicfArpProtectErrantReply sent
|
|
from the ARP Protection entity to the SNMP
|
|
entity. This count may differ from the count
|
|
of notifications transmitted due to rate
|
|
limiting or configuration."
|
|
::= { hpicfArpProtectObjects 3 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.4
-- Source MAC address reported as a varbind of hpicfArpProtectErrantReply.
-- NOTE(review): the DESCRIPTION refers to "hpicfArpProtectNotification",
-- but no object of that name is defined in this module; the notification
-- whose OBJECTS clause lists this object is hpicfArpProtectErrantReply.
-- The same wording appears on hpicfArpProtectErrantSrcIp,
-- hpicfArpProtectErrantDestMac and hpicfArpProtectErrantDestIp.
-- The value comes from the offending packet and may be forged; the
-- module does not say whether it is the Ethernet-header or ARP-body
-- address.
|
|
hpicfArpProtectErrantSrcMac OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Errant source MAC address included in a
|
|
hpicfArpProtectNotification."
|
|
::= { hpicfArpProtectObjects 4 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.5
|
|
hpicfArpProtectErrantSrcIpType OBJECT-TYPE
|
|
SYNTAX InetAddressType
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"IP Address type reported in hpicfArpProtectErrantSrcIp."
|
|
::= { hpicfArpProtectObjects 5 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.6
|
|
hpicfArpProtectErrantSrcIp OBJECT-TYPE
|
|
SYNTAX InetAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Errant source IP address included in a
|
|
hpicfArpProtectNotification."
|
|
::= { hpicfArpProtectObjects 6 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.7
|
|
hpicfArpProtectErrantDestMac OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Errant destination MAC address included in a
|
|
hpicfArpProtectNotification."
|
|
::= { hpicfArpProtectObjects 7 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.8
|
|
hpicfArpProtectErrantDestIpType OBJECT-TYPE
|
|
SYNTAX InetAddressType
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"IP Address type reported in hpicfArpProtectErrantDestIp."
|
|
::= { hpicfArpProtectObjects 8 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.9
|
|
hpicfArpProtectErrantDestIp OBJECT-TYPE
|
|
SYNTAX InetAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Errant destination IP address included in a
|
|
hpicfArpProtectNotification."
|
|
::= { hpicfArpProtectObjects 9 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2
|
|
hpicfArpProtectConformance OBJECT IDENTIFIER ::= { hpicfArpProtect 2 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1
|
|
hpicfArpProtectGroups OBJECT IDENTIFIER ::= { hpicfArpProtectConformance 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1.1
|
|
hpicfArpProtectBaseGroup OBJECT-GROUP
|
|
OBJECTS { hpicfArpProtectEnable, hpicfArpProtectVlanEnable,
|
|
hpicfArpProtectValidation, hpicfArpProtectPortTrust,
|
|
hpicfArpProtectVlanStatForwards, hpicfArpProtectVlanStatBadPkts,
|
|
hpicfArpProtectVlanStatBadBindings, hpicfArpProtectVlanStatBadSrcMacs,
|
|
hpicfArpProtectVlanStatBadDstMacs, hpicfArpProtectVlanStatBadIpAddrs,
|
|
hpicfArpProtectErrantSrcMac, hpicfArpProtectErrantSrcIp,
|
|
hpicfArpProtectErrantDestMac, hpicfArpProtectErrantSrcIpType,
|
|
hpicfArpProtectErrantDestIpType, hpicfArpProtectErrantDestIp,
|
|
hpicfArpProtectErrantCnt, hpicfArpProtectErrantNotifyEnable }
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of objects for configuring and
|
|
monitoring the base Dynamic ARP Protection
|
|
functionality."
|
|
::= { hpicfArpProtectGroups 1 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1.2
|
|
hpicfArpProtectionNotifications NOTIFICATION-GROUP
|
|
NOTIFICATIONS { hpicfArpProtectErrantReply }
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A group of Notifications whose implementation is
|
|
mandatory when HP-ICF-ARP-PROTECT is
|
|
implemented."
|
|
::= { hpicfArpProtectGroups 2 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.2
|
|
hpicfArpProtectCompliances OBJECT IDENTIFIER ::= { hpicfArpProtectConformance 2 }
|
|
|
|
|
|
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.2.1
|
|
hpicfArpProtectCompliance MODULE-COMPLIANCE
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The compliance statement for HP ProCurve switches
|
|
that support Dynamic ARP Protection."
|
|
MODULE -- this module
|
|
MANDATORY-GROUPS { hpicfArpProtectBaseGroup, hpicfArpProtectionNotifications }
|
|
::= { hpicfArpProtectCompliances 1 }
|
|
|
|
|
|
|
|
END
|
|
|