CISCO-IPSEC-POLICY-MAP-MIB.mib
--
-- * $Source$
-- *------------------------------------------------------------------
-- *
-- CISCO-IPSEC-POLICY-MAP-MIB.my: IPSec Tunnel-to-Policy
-- Mapping MIB.
--
-- * April 2000, S Ramakrishnan
-- *
-- * Copyright (c) 2000 by cisco Systems, Inc.
-- * All rights reserved.
-- *
-- *------------------------------------------------------------------
CISCO-IPSEC-POLICY-MAP-MIB DEFINITIONS ::= BEGIN
-- PREFACE:
-- CISCO-IPSEC-POLICY-MAP-MIB Module is an enterprise
-- specific appendage to the IPSEC-MONITOR-MIB
-- that has been proposed to IETF. The only function
-- of this MIB is to map the dynamically instantiated
-- protocol structures (tunnels, SAs) to the policy
-- entities that gave rise to them (policy definitions,
-- cryptomaps, transforms etc).
-- RELATIONSHIP TO COMMAND LINE INTERFACE (CLI):
-- Information contained in all the MIB elements
-- defined in this module are affected by CLI
-- operations, EXCEPT where it is explicitly noted
-- to the contrary.
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Integer32
FROM SNMPv2-SMI
DisplayString
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
ciscoMgmt
FROM CISCO-SMI;
ciscoIpSecPolMapMIB MODULE-IDENTITY
LAST-UPDATED "200008171257Z"
ORGANIZATION "Tivoli Systems and Cisco Systems"
CONTACT-INFO
"Tivoli Systems
Research Triangle Park, NC
Cisco Systems
Enterprise Business Management Unit
Postal: 170 W Tasman Drive
San Jose, CA 95134
USA
Tel: +1 800 553-NETS
E-mail: [email protected]"
DESCRIPTION
"The MIB module maps the IPSec
entities created dynamically to the policy entities
that caused them. This is an appendix to the
IPSEC-MONITOR-MIB that has been proposed to
IETF for monitoring IPSec based Virtual Private
Networks.
Overview of Cisco IPsec Policy Map MIB
MIB description
There are two components to this MIB:
#1 a table that maps an IPSec Phase-1
tunnel to the Internet Security Association
and Key Exchange (ISAKMP) Policy
and
#2 a table that maps an IPSec Phase-2
tunnel to the corresponding IPSec Policy
element - called 'cryptomaps' - in IOS
(Internet Operating System)
The first mapping (also called Internet Key Exchange
or IKE mapping) yields, given the index of
the IKE tunnel in the ikeTunnelTable
(IPSEC-MONITOR-MIB), the ISAKMP policy definition
defined using the CLI on the managed entity.
The IPSec mapping yields, given the index
of the IPSec tunnel in the ipSecTunnelTable
(IPSEC-MONITOR-MIB), the IPSec transform and
the cryptomap definition that gave rise to
this tunnel.
In implementation and usage, this MIB cannot
exist independent of the IPSEC-MONITOR-MIB. "
::= { ciscoMgmt 172 }
-- Root under ciscoMgmt currently is tentative
-- IPSec Policy Map MIB Object Groups
--
-- This MIB module contains the following groups:
-- 1) IPSec Policy Map Group
-- (a) IPSec Phase-1 Policy Map Group
-- (b) IPSec Phase-2 Policy Map Group
-- 2) IPSec Policy Map Notifications Group (empty)
-- 3) IPSec Policy Map Conformance Group
ciscoIpSecPolMapMIBObjects OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIB 1}
ciscoIpSecPolMapMIBNotifPrefix OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIB 2}
ciscoIpSecPolMapMIBConformance OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIB 3}
ipSecPhaseOnePolMap OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIBObjects 1}
ipSecPhaseTwoPolMap OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIBObjects 2}
--
-- The IPSec Phase-1 Policy Map Table
--
ikePolMapTable OBJECT-TYPE
SYNTAX SEQUENCE OF IkePolMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The IPSec Phase-1 Internet Key Exchange Tunnel
to Policy Mapping Table. There is one entry in
this table for each active IPSec Phase-1
Tunnel."
::= { ipSecPhaseOnePolMap 1 }
ikePolMapEntry OBJECT-TYPE
SYNTAX IkePolMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry contains the attributes associated
with mapping an active IPSec Phase-1 IKE Tunnel
to its configured Policy definition."
INDEX { ikePolMapTunIndex }
::= { ikePolMapTable 1}
IkePolMapEntry ::= SEQUENCE {
ikePolMapTunIndex Integer32,
ikePolMapPolicyNum Integer32
}
ikePolMapTunIndex OBJECT-TYPE
SYNTAX Integer32(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index of the IPSec Phase-1 Tunnel to Policy
Map Table. The value of the index is the number
used to represent this IPSec Phase-1 Tunnel in
the IPSec MIB (ikeTunIndex in the
ikeTunnelTable)."
::= { ikePolMapEntry 1 }
ikePolMapPolicyNum OBJECT-TYPE
SYNTAX Integer32(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the locally defined ISAKMP policy
used to establish the IPSec IKE Phase-1 Tunnel.
This is the number which was used on the crypto
command. For example, if the configuration command
was:
==> crypto isakmp policy 15
then the value of this object would be 15.
If ISAKMP was not used to establish this tunnel,
then the value of this object will be zero."
::= { ikePolMapEntry 2 }
--
-- The IPSec Phase-2 Policy Map Table
--
ipSecPolMapTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecPolMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The IPSec Phase-2 Tunnel to Policy Mapping Table.
There is one entry in this table for each active
IPSec Phase-2 Tunnel."
::= { ipSecPhaseTwoPolMap 1 }
ipSecPolMapEntry OBJECT-TYPE
SYNTAX IpSecPolMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry contains the attributes associated
with mapping an active IPSec Phase-2 Tunnel
to its configured Policy definition."
INDEX { ipSecPolMapTunIndex }
::= { ipSecPolMapTable 1}
IpSecPolMapEntry ::= SEQUENCE {
ipSecPolMapTunIndex Integer32,
ipSecPolMapCryptoMapName DisplayString,
ipSecPolMapCryptoMapNum Integer32,
ipSecPolMapAclString DisplayString,
ipSecPolMapAceString DisplayString
}
ipSecPolMapTunIndex OBJECT-TYPE
SYNTAX Integer32(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index of the IPSec Phase-2 Tunnel to Policy
Map Table. The value of the index is the number
used to represent this IPSec Phase-2 Tunnel in
the IPSec MIB (ipSecTunIndex in the
ipSecTunnelTable)."
::= { ipSecPolMapEntry 1 }
ipSecPolMapCryptoMapName OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of this object should be the name of
the IPSec Policy (cryptomap) as assigned by the
operator while configuring the policy of
the IPSec traffic.
For instance, on an IOS router, if the command
entered to configure the IPSec policy was
==> crypto map ftpPolicy 10 ipsec-isakmp
then the value of this object would be 'ftpPolicy'."
::= { ipSecPolMapEntry 2 }
ipSecPolMapCryptoMapNum OBJECT-TYPE
SYNTAX Integer32(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of this object should be the priority
of the IPSec Policy (cryptomap) assigned by the
operator while configuring the policy of
this IPSec tunnel.
For instance, on an IOS router, if the command
entered to configure the IPSec policy was
==> crypto map ftpPolicy 10 ipsec-isakmp
then the value of this object would be 10."
::= { ipSecPolMapEntry 3 }
ipSecPolMapAclString OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of this object is the number or
the name of the access control list (ACL)
that caused this IPSec tunnel to be established.
The ACL that causes an IPSec tunnel
to be established is referenced by the
cryptomap of the tunnel.
The ACL identifies the traffic that requires
protection as defined by the policy.
For instance, the ACL that requires FTP
traffic between local subnet 172.16.14.0 and a
remote subnet 172.16.16.0 to be protected
is defined as
==>access-list 101 permit tcp 172.16.14.0 0.0.0.255
172.16.16.0 0.0.0.255 eq ftp
When this command causes an IPSec tunnel to be
established, the object 'ipSecPolMapAclString'
assumes the string value '101'.
If the ACL is a named list such as
==> ip access-list standard myAcl
permit 172.16.16.8 0.0.0.0
then the value of this MIB element corresponding to
IPSec tunnel that was created by this ACL would
be 'myAcl'."
::= { ipSecPolMapEntry 4 }
ipSecPolMapAceString OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of this object is the access control
entry (ACE) within the ACL that caused this IPSec
tunnel to be established.
For instance, if an ACL defines access for two
traffic streams (FTP and SNMP) as follows:
access-list 101 permit tcp 172.16.14.0 0.0.0.255
172.16.16.0 0.0.0.255 eq ftp
access-list 101 permit udp 172.16.14.0 0.0.0.255
host 172.16.16.1 eq 161
When associated with an IPSec policy, the second
element of the ACL gives rise to an IPSec tunnel
in the wake of SNMP traffic. The value of the
object 'ipSecPolMapAceString' for the IPSec tunnel
would be then the string
'access-list 101 permit udp 172.16.14.0 0.0.0.255
host 172.16.16.1 eq 161'"
::= { ipSecPolMapEntry 5 }
--
-- Conformance Information
--
ipSecPolMapMIBGroups OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIBConformance 1}
ipSecPolMapMIBCompliances OBJECT IDENTIFIER
::= {ciscoIpSecPolMapMIBConformance 2}
--
-- Compliance Statements
--
ipSecPolMapMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities
for IP Security Protocol Tunnels to Policy
definition mappings."
MODULE -- this module
MANDATORY-GROUPS { ipSecPhaseOnePolMapGroup,
ipSecPhaseTwoPolMapGroup
}
::= { ipSecPolMapMIBCompliances 1 }
--
-- Units of Conformance
--
ipSecPhaseOnePolMapGroup OBJECT-GROUP
OBJECTS {
ikePolMapPolicyNum
}
STATUS current
DESCRIPTION
"This group consists of a:
1) IPSec Phase-1 Policy Map Table"
::= { ipSecPolMapMIBGroups 1 }
ipSecPhaseTwoPolMapGroup OBJECT-GROUP
OBJECTS {
ipSecPolMapCryptoMapName,
ipSecPolMapCryptoMapNum,
ipSecPolMapAclString,
ipSecPolMapAceString
}
STATUS current
DESCRIPTION
"This group consists of a:
1) IPSec Phase-2 Policy Map Table"
::= { ipSecPolMapMIBGroups 2 }
END
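The following Python reader is an added example and is not part of the Cisco MIB file above. It resolves the two tables' instance OIDs from this module's OBJECT IDENTIFIER assignments (the ciscoMgmt prefix 1.3.6.1.4.1.9.9 is assumed from CISCO-SMI, which the module only imports), groups constructed snmpwalk-style lines by tunnel index, and applies two defender checks the DESCRIPTION clauses invite: a Phase-1 tunnel with ikePolMapPolicyNum 0 (no ISAKMP policy) and a Phase-2 tunnel bound to a cryptomap outside a hypothetical approved set.

```python
import re

# ciscoMgmt = 1.3.6.1.4.1.9.9 is taken from CISCO-SMI (only imported above);
# the remaining arcs follow this module's OBJECT IDENTIFIER assignments.
POLMAP_MIB = "1.3.6.1.4.1.9.9.172"      # ciscoIpSecPolMapMIB ::= { ciscoMgmt 172 }
IKE_ENTRY = POLMAP_MIB + ".1.1.1.1"     # ikePolMapEntry   (objects 1, phase-1 map 1, table 1, entry 1)
IPSEC_ENTRY = POLMAP_MIB + ".1.2.1.1"   # ipSecPolMapEntry (objects 1, phase-2 map 2, table 1, entry 1)
IKE_COLS = {2: "ikePolMapPolicyNum"}
IPSEC_COLS = {2: "ipSecPolMapCryptoMapName", 3: "ipSecPolMapCryptoMapNum",
              4: "ipSecPolMapAclString", 5: "ipSecPolMapAceString"}
TABLES = (("ike", IKE_ENTRY, IKE_COLS), ("ipsec", IPSEC_ENTRY, IPSEC_COLS))

SAMPLE_WALK = [  # constructed snmpwalk-style lines, not captured from a real device
    POLMAP_MIB + ".1.1.1.1.2.7 = INTEGER: 15",
    POLMAP_MIB + ".1.1.1.1.2.9 = INTEGER: 0",
    POLMAP_MIB + '.1.2.1.1.2.3 = STRING: "ftpPolicy"',
    POLMAP_MIB + ".1.2.1.1.3.3 = INTEGER: 10",
    POLMAP_MIB + '.1.2.1.1.4.3 = STRING: "101"',
    POLMAP_MIB + '.1.2.1.1.5.3 = STRING: "access-list 101 permit tcp '
                 '172.16.14.0 0.0.0.255 172.16.16.0 0.0.0.255 eq ftp"',
    POLMAP_MIB + '.1.2.1.1.2.4 = STRING: "adhocMap"',
]
LINE_RE = re.compile(r'^(?P<oid>[\d.]+) = (?P<type>\w+): "?(?P<val>.*?)"?$')

def parse_walk(lines):
    """Group walk lines into {"ike": {tunIndex: {col: val}}, "ipsec": {...}}; instance
    OIDs are <entry>.<column>.<tunIndex>, tunIndex being the IPSEC-MONITOR-MIB index."""
    out = {"ike": {}, "ipsec": {}}
    for m in filter(None, map(LINE_RE.match, lines)):
        for table, entry, cols in TABLES:
            if m["oid"].startswith(entry + "."):
                col, idx = (int(x) for x in m["oid"][len(entry) + 1:].split("."))
                if col in cols:   # ignore columns this reader does not model
                    out[table].setdefault(idx, {})[cols[col]] = (
                        int(m["val"]) if m["type"] == "INTEGER" else m["val"])
    return out

def unexpected_tunnels(walk, approved_cryptomaps):
    """Defender's review: ikePolMapPolicyNum == 0 means no ISAKMP policy built the
    Phase-1 tunnel (per the MIB); a cryptomap outside the approved set is flagged too."""
    findings = []
    for idx, row in sorted(walk["ike"].items()):
        if row.get("ikePolMapPolicyNum") == 0:
            findings.append(f"ike tunnel {idx}: not established via an ISAKMP policy")
    for idx, row in sorted(walk["ipsec"].items()):
        name = row.get("ipSecPolMapCryptoMapName")
        if name not in approved_cryptomaps:
            findings.append(f"ipsec tunnel {idx}: cryptomap {name!r} is not approved")
    return findings
```

Feeding `parse_walk` the output of an `snmpwalk` against 1.3.6.1.4.1.9.9.172 with `-On` (numeric OIDs) gives the same structure for a live device; the index values then line up with ikeTunnelTable and ipSecTunnelTable rows from IPSEC-MONITOR-MIB.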