JUNIPER-SECURE-ACCESS-PORT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, 
    NOTIFICATION-TYPE, Integer32
        FROM SNMPv2-SMI
  
    TruthValue, TEXTUAL-CONVENTION, DisplayString
	FROM SNMPv2-TC
    
    ifIndex
        FROM IF-MIB

    jnxExSecureAccessPort
	FROM JUNIPER-EX-SMI;

jnxExSecureAccessPortMIB MODULE-IDENTITY
    LAST-UPDATED "200705151000Z"
    ORGANIZATION "Juniper Networks, Inc."
    CONTACT-INFO
            "        Juniper Technical Assistance Center
                     Juniper Networks, Inc.
                     1133 Innovation Way
                     Sunnyvale, CA 94089
                     E-mail: support@juniper.net"

    DESCRIPTION
            "This is Juniper Networks' implementation of enterprise specific
	     MIB for configuration of Secure Access Port feature. DHCP Snooping 
	     and Dynamic ARP Inspection are mechanisms to provide per interface 
	     security capabilities. This MIB Module is also used to control 
	     some layer 2 functions like MAC limiting. It also supports 
	     IP Source Guard, Mac Source Guard and Storm Control features."
    ::= { jnxExSecureAccessPort 1 }


jnxSecAccessPortMIBNotifications
    OBJECT IDENTIFIER ::= { jnxExSecureAccessPortMIB 0 }
jnxSecAccessPortMIBObjects
    OBJECT IDENTIFIER ::= { jnxExSecureAccessPortMIB 1 }

-- TEXTUAL-CONVENTION
	
JnxMacLimitExceededAction ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "One of the following actions is taken by the system on an
	 interface when the number of MAC addresses currently learned
	 in the forwarding table exceeds the configured MAC address
	 limit.

	 none : No action is taken. MAC limiting is not enabled on
	 the specified interface.

	 drop : The notification will be generated when MAC limit is 
         exceeded and also the MAC limit is enforced for the interface. 
	 The new address will not be learned in the entity and also the 
	 traffic with new address will not be flooded in the entity. 
	 The learning will be re-enabled in the interface if the number
	 of MAC addresses falls below the limit.

	 alarm : A notification will be generated if the Mac Limit is 
	 exceeded.
  
	 shutdown : The notification will be generated as the Mac Limit is
	 exceeded. The interface will be moved to blocked state, no traffic
	 will be allowed in the entity. The traffic will be re-enabled in 
	 the interface if the number of MAC addresses falls below the limit."
    SYNTAX        INTEGER {
       			none     (1),
       			drop     (2),
       			alarm    (3),
       			shutdown (4)
    		        }
	
-- The Port Security Table for Vlan 

jnxSecAccessPortVlanTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF JnxSecAccessPortVlanEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
        "A table provides the mechanism to control DHCP Snooping
        and Dynamic ARP Inspection per VLAN. When a VLAN is created 
	in a device supporting this table, a corresponding entry will 
	be added to this table."
    ::= { jnxSecAccessPortMIBObjects 1 }

jnxSecAccessPortVlanEntry OBJECT-TYPE
    SYNTAX       JnxSecAccessPortVlanEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
        "Each row indicates whether DHCP Snooping and Dynamic ARP
	Inspection are enabled or disabled on an existing VLAN."
    INDEX { jnxSecAccessVlanName }
    ::= { jnxSecAccessPortVlanTable 1 }
  
JnxSecAccessPortVlanEntry ::= SEQUENCE {
    jnxSecAccessVlanName        	DisplayString, 
    jnxSecAccessVlanDhcpSnoopStatus     TruthValue,
    jnxSecAccessVlanDAIStatus        	TruthValue
 }

jnxSecAccessVlanName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object indicates the VLAN name on which Dhcp Snooping
         feature and Dynamic ARP Inspection is enabled."
    ::= { jnxSecAccessPortVlanEntry 1 }

jnxSecAccessVlanDhcpSnoopStatus OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates whether Dhcp Snooping  is
        enabled in this VLAN.
 
        If this object is 'true', Dhcp Snooping is enabled in the
	specified VLAN.

        If this object is 'false', Dhcp Snooping is disabled in the
	specified VLAN."
    ::= { jnxSecAccessPortVlanEntry 2 }

jnxSecAccessVlanDAIStatus OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates whether Dynamic ARP Inspection is
         enabled in this VLAN.

         If this object is 'true', Dynamic ARP Inspection is enabled. 

         If this object is 'false', Dynamic ARP Inspection is disabled."
    ::= { jnxSecAccessPortVlanEntry 3 }


-- The Port Security Table for Interface

jnxSecAccessPortIfTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF JnxSecAccessPortIfEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
        "The table contains the trust state and rate limit of each interface
	for DHCP Snooping purpose. The table also contains information on MAC 
	address limit feature for each interface capable of this feature.
        This table also specifies whether IP source guard and MAC source 
	guard are enabled on each interface." 
    ::= { jnxSecAccessPortMIBObjects 2 }
 
jnxSecAccessPortIfEntry OBJECT-TYPE
    SYNTAX       JnxSecAccessPortIfEntry 
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
        "A table entry contains the trust state and rate limit of an 
	interface, MAC address limit for that Interface. It also contains
	the action to be undertaken if MAC address limit is exceeded. A table
	entry specifies whether IP source guard and MAC source guard are enabled
	on the specified interface."
    INDEX { ifIndex }
    ::= { jnxSecAccessPortIfTable 1 }

JnxSecAccessPortIfEntry ::= 
    SEQUENCE {
        jnxSecAccessdsIfTrustState               TruthValue,
	jnxSecAccessdsIfRateLimit                Unsigned32,
        jnxSecAccessIfMacLimit       	         Unsigned32,
    	jnxSecAccessIfMacLimitExceed     	 JnxMacLimitExceededAction,
	jnxSecAccessIfIpSrcGuardStatus        	 TruthValue,
	jnxSecAccessIfMacSrcGuardStatus       	 TruthValue
    }

 
jnxSecAccessdsIfTrustState OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates whether the interface is trusted for
        DHCP Snooping purpose. 

        If this object is 'true', the interface is trusted.
        DHCP packets coming to this interface will be forwarded without 
	checking.

        If this object is 'false', the interface is not trusted. DHCP
        packets coming to this interface will be subjected to DHCP checks." 
    ::= { jnxSecAccessPortIfEntry 1 }

jnxSecAccessdsIfRateLimit OBJECT-TYPE
    SYNTAX      Unsigned32 
    UNITS       "packets per second"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates rate limit value for DHCP Snooping purpose. 
	If the value of this object is 0, no rate limit is applied for DHCP
	traffic at this interface." 
    ::= { jnxSecAccessPortIfEntry 2 }

jnxSecAccessIfMacLimit OBJECT-TYPE
    SYNTAX        Unsigned32
    MAX-ACCESS    read-only
    STATUS        current
    DESCRIPTION
          "This object specifies the threshold limit for the number of 
	  MAC address entries on this interface. 

          When the instance value of this object is set to 0, no threshold 
	  limit will be applied for this interface and the 
          corresponding instance value of jnxSecAccessIfMacLimitExceed 
          of the same row has no effect."
    DEFVAL { 5 }
    ::= { jnxSecAccessPortIfEntry 3 }

jnxSecAccessIfMacLimitExceed OBJECT-TYPE
    SYNTAX        JnxMacLimitExceededAction
    MAX-ACCESS    read-only
    STATUS        current
    DESCRIPTION
         "This object specifies the action to be taken by the system for this 
	 interface when the number of MAC addresses exceeds the value 
	 of jnxSecAccessIfMacLimit.

         This object value is only effective when the corresponding instance
         value of jnxSecAccessIfMacLimit is not set to 0."
    ::= { jnxSecAccessPortIfEntry 4 }

jnxSecAccessIfIpSrcGuardStatus	OBJECT-TYPE
    SYNTAX	TruthValue
    MAX-ACCESS	read-only
    STATUS	current
    DESCRIPTION
	"This object indicates whether IP Source Guard is enabled on
	the specified interface.
   
	If this object is 'true', then IP Source Guard is enabled on the
	specified interface.
    
        If this object is 'false', then IP Source Guard is disabled on 
	the specified interface."
    ::= { jnxSecAccessPortIfEntry 5 }

jnxSecAccessIfMacSrcGuardStatus	OBJECT-TYPE
    SYNTAX	TruthValue
    MAX-ACCESS	read-only
    STATUS	current
    DESCRIPTION
	"This object indicates whether Mac Source Guard is enabled on
        the specified interface.
    
	If this object is 'true', then Mac Source Guard is enabled on the
        specified interface.
    
	If this object is 'false', then Mac Source Guard is disabled on
        the specified interface."
    ::= { jnxSecAccessPortIfEntry 6 }


-- Storm Control Table

jnxStormCtlTable     OBJECT-TYPE
    SYNTAX        SEQUENCE OF JnxStormCtlEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "Storm control monitors each type of traffic level on an interface. 
        If traffic level exceeds the threshold value(rising threshold),
        switch will drop all packets of that type until traffic level drops 
        to the threshold level (falling threshold). If traffic rate for a 
        particular type exceeds the rising threshold, action will be taken 
        to shutdown or add configured filter on the port.
        
        This table describes the traffic type for each interface, the rising 
        threshold, falling threshold and the action to be taken if the traffic
        exceeds the rising threshold."
    ::= { jnxSecAccessPortMIBObjects 3 }

jnxStormCtlEntry     OBJECT-TYPE
    SYNTAX        JnxStormCtlEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry contains the interface index, the traffic type for the
        interface, the rising threshold, the falling threshold and the
        action to be taken if the traffic exceeds the rising threshold."
    INDEX {ifIndex, jnxStormCtlIfTrafficType  }
    ::= { jnxStormCtlTable 1 }

JnxStormCtlEntry ::= SEQUENCE {
    jnxStormCtlIfTrafficType		INTEGER,
    jnxStormCtlRisingThreshold	      	Integer32,
    jnxStormCtlFallingThreshold		Integer32,
    jnxStormCtlAction	  		INTEGER
  }

jnxStormCtlIfTrafficType    OBJECT-TYPE
    SYNTAX        INTEGER {
    			broadcast(1),
    			multicast(2),
    			unicast (3)
    			}
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "This object specifies the traffic type on the particular
        interface. Value 1 specifies that it is broadcast traffic,
        value 2 specifies that it is multicast traffic and 
        value 3 specifies that it is unicast traffic."
    ::= { jnxStormCtlEntry 1 }

jnxStormCtlRisingThreshold    OBJECT-TYPE
    SYNTAX        Integer32
    UNITS         "packets per second"
    MAX-ACCESS    read-only
    STATUS        current
    DESCRIPTION
        "This object specifies the rising threshold value in packets
        per second. The storm control action occurs when the traffic 
        exceeds this threshold value."
    ::= { jnxStormCtlEntry 2 }     
 
jnxStormCtlFallingThreshold	OBJECT-TYPE
    SYNTAX 	  Integer32
    UNITS         "packets per second"
    MAX-ACCESS	  read-only
    STATUS	  current
    DESCRIPTION
	"This object specifies the falling threshold value in packets
        per second. The storm control action ceases when the traffic 
        drops to this threshold value."
	::= { jnxStormCtlEntry 3 }
	
jnxStormCtlAction  OBJECT-TYPE
    SYNTAX		INTEGER {
    			shutdown(1),
    			filter (2)
    			}
    MAX-ACCESS	  read-only
    STATUS		  current
    DESCRIPTION
        "This object specifies the action to be taken, when traffic exceeds 
	rising threshold value. Value 1 specifies that the action taken is 
	to shutdown the port. Value 2 specifies that the action taken is to 
	apply a policy filter on the interface for the given packet type. 
	Default is to shutdown(1) the port."
    DEFVAL { 1 }
    ::= { jnxStormCtlEntry 4 }
    
   
 -- Definition of DHCP Snooping notifications

jnxSecAccessdsRateLimitCrossed NOTIFICATION-TYPE
    OBJECTS {  jnxSecAccessdsIfRateLimit }
    STATUS current
    DESCRIPTION
	"A jnxSecAccessdsRateLimitCrossed notification is generated when 
	the number of DHCP packets from an untrusted interface exceeds 
	jnxSecAccessdsIfRateLimit."
    ::= { jnxSecAccessPortMIBNotifications 1 }

-- Definition of MAC Limit Exceeded Notification

jnxSecAccessIfMacLimitExceeded NOTIFICATION-TYPE
    OBJECTS { jnxSecAccessIfMacLimit, jnxSecAccessIfMacLimitExceed }
    STATUS current
    DESCRIPTION
        "A notification is sent when the number of MAC addresses learned on 
        the interface exceeds the MAC address limit (jnxSecAccessIfMacLimit) 
	and the MAC limit exceeded action (jnxSecAccessIfMacLimitExceed) is 
	drop, alarm or shutdown."
    ::= { jnxSecAccessPortMIBNotifications 2 }

-- Definition of Storm Event Notification

jnxStormEventNotification NOTIFICATION-TYPE
    OBJECTS { jnxStormCtlRisingThreshold }
    STATUS current
    DESCRIPTION
	"Notification is sent when the traffic in the interface exceeds 
	rising threshold(jnxStormCtlRisingThreshold)."
    ::= { jnxSecAccessPortMIBNotifications 3 }
END