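--
-- HP-ICF-ARP-PROTECT: HP proprietary SMIv2 module for managing Dynamic ARP
-- Protection (per its own MODULE-IDENTITY description).
--
-- Layout note: this copy had been flattened onto a few physical lines with
-- listing line numbers fused into the text, which no MIB compiler accepts.
-- The line structure is restored below and the fused numbers are dropped.
-- All macro clauses, names, OIDs and DESCRIPTION wording are unchanged.
--
-- Security-relevant summary for operators (drawn from the clauses below):
--   * hpicfArpProtectEnable, hpicfArpProtectVlanEnable,
--     hpicfArpProtectValidation, hpicfArpProtectErrantNotifyEnable and
--     hpicfArpProtectPortTrust are all MAX-ACCESS read-write. Any SNMP
--     principal with write access to this subtree can switch the protection
--     off, narrow the checks, mark a port trusted, or silence the
--     notification. Restrict write access accordingly (for example SNMPv3
--     with authentication and privacy plus a VACM view that excludes this
--     subtree for ordinary monitoring users) and audit changes to these
--     objects.
--   * The per-VLAN Counter32 objects are the polling-side evidence of
--     dropped ARP traffic. hpicfArpProtectErrantReply is the push-side
--     signal and, per hpicfArpProtectErrantCnt, may be rate limited.
--
HP-ICF-ARP-PROTECT DEFINITIONS ::= BEGIN

IMPORTS
    hpSwitch
        FROM HP-ICF-OID
    ifIndex
        FROM IF-MIB
    InetAddressType
        FROM INET-ADDRESS-MIB
    InetAddress
        FROM INET-ADDRESS-MIB
    VlanIndex
        FROM Q-BRIDGE-MIB
    OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    Counter32, OBJECT-TYPE, MODULE-IDENTITY, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    TruthValue, MacAddress
        FROM SNMPv2-TC;


-- 1.3.6.1.4.1.11.2.14.11.5.1.37
-- NOTE(review): the 2007 REVISION text names "hpicfArpProtectNotification",
-- which is not defined in this module. The module defines the node
-- hpicfArpProtectNotifications and the notification
-- hpicfArpProtectErrantReply; presumably the latter is meant. Confirm.
hpicfArpProtect MODULE-IDENTITY
    LAST-UPDATED "200708290000Z" -- August 29, 2007 at 00:00 GMT
    ORGANIZATION
        "Hewlett-Packard Company
        ProCurve Networking Business"
    CONTACT-INFO
        "Hewlett-Packard Company
        8000 Foothills Blvd.
        Roseville, CA 95747"
    DESCRIPTION
        "This MIB module contains HP proprietary
        objects for managing Dynamic ARP
        Protection."
    REVISION "200708290000Z" -- August 29, 2007 at 00:00 GMT
    DESCRIPTION
        "Added hpicfArpProtectNotification and associated objects."
    REVISION "200605030027Z" -- May 03, 2006 at 00:27 GMT
    DESCRIPTION
        "Initial revision."
    ::= { hpSwitch 37 }


--
-- Node definitions
--

-- 1.3.6.1.4.1.11.2.14.11.5.1.37.0
-- Parent node for the notifications defined by this module.
hpicfArpProtectNotifications OBJECT IDENTIFIER ::= { hpicfArpProtect 0 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.0.1
-- Notification raised when an errant ARP reply is detected. It carries the
-- running count plus the source and destination MAC and IP of the packet.
-- Emission is gated by hpicfArpProtectErrantNotifyEnable. Because the
-- hpicfArpProtectErrantCnt description allows for rate limiting, a receiver
-- should compare the carried count between notifications rather than count
-- notifications received.
hpicfArpProtectErrantReply NOTIFICATION-TYPE
    OBJECTS { hpicfArpProtectErrantCnt, hpicfArpProtectErrantSrcMac,
              hpicfArpProtectErrantSrcIpType, hpicfArpProtectErrantSrcIp,
              hpicfArpProtectErrantDestMac, hpicfArpProtectErrantDestIpType,
              hpicfArpProtectErrantDestIp }
    STATUS current
    DESCRIPTION
        "An hpicfArpProtectErrantReply notification signifies that
        the ARP protection entity is enabled and has detected
        an errant ARP reply packet. The source and
        destination addresses from the packet header are included
        in the notification."
    ::= { hpicfArpProtectNotifications 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1
hpicfArpProtectObjects OBJECT IDENTIFIER ::= { hpicfArpProtect 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1
hpicfArpProtectConfig OBJECT IDENTIFIER ::= { hpicfArpProtectObjects 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1
hpicfArpProtectGlobalCfg OBJECT IDENTIFIER ::= { hpicfArpProtectConfig 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.1
-- Global on/off switch (TruthValue: true(1), false(2)). No DEFVAL is given,
-- so the default state is not stated by this module. Writable over SNMP:
-- a set to false(2) presumably disables the feature switch-wide, so treat
-- write access to this object as equivalent to control of the feature.
hpicfArpProtectEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The administrative status of the ARP Protection
        feature."
    ::= { hpicfArpProtectGlobalCfg 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.2
-- Per-VLAN enable bitmap: 512 octets = 4096 bits, most significant bit
-- first. Following the description, VLAN ID n is found in octet
-- ((n - 1) div 8) + 1 under mask 0x80 shifted right by ((n - 1) mod 8).
-- The whole bitmap is written as one value, so a manager must read, modify
-- and write back the full string; writing a short or zeroed buffer would
-- clear protection on every VLAN at once.
-- NOTE(review): the last sentence of the description reads
-- "not enabled on the VLAN its bit has a value of '0'"; an "if" appears to
-- be missing before "its bit". Text kept as published.
hpicfArpProtectVlanEnable OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE (512))
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The administrative status for Dynamic ARP Protection
        on each VLAN. There will be one bit in this string
        for each possible VLAN ID. Each octet within this
        value specifies a set of eight VLANs, with the first
        octet specifying VLAN IDs 1 through 8, the second
        octet specifying VLAN IDs 9 through 16, etc. Within
        each octet, the most significant bit represents the
        lowest numbered VLAN ID, and the least significant
        bit represents the highest numbered VLAN ID. Thus,
        each possible VLAN ID of the bridge is represented by
        a single bit within the value of this object. If
        that bit has a value of '1', then Dynamic ARP
        Protection is enabled on that VLAN; Dynamic ARP
        Protection is not enabled on the VLAN its bit has a
        value of '0'."
    ::= { hpicfArpProtectGlobalCfg 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.3
-- Optional extra header and address checks, selected as a BITS set. The
-- description calls them "additional", so an empty set presumably leaves
-- only the base checks active; confirm against device documentation.
-- Each bit has a matching drop counter in hpicfArpProtectVlanStatTable
-- (BadSrcMacs, BadDstMacs, BadIpAddrs), and those counters stay at rest
-- while the corresponding bit is clear. A flat counter therefore does not
-- by itself mean clean traffic; check this object first.
hpicfArpProtectValidation OBJECT-TYPE
    SYNTAX BITS
        {
        srcMac(0),
        dstMac(1),
        ip(2)
        }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Additional validation checks to perform on ARP
        packets during Dynamic ARP Protection.
          srcMac - Drop any ARP request or response
                   packet where the source MAC address in
                   the Ethernet header does not match the
                   sender MAC address in the body of the
                   ARP packet.
          dstMac - Drop any unicast ARP response packet
                   where the destination MAC address in the
                   Ethernet header does not match the target
                   MAC address in the body of the ARP packet.
          ip     - Drop any ARP packet where the sender IP
                   address is invalid. Drop any ARP response
                   packet where the target IP address is
                   invalid. Invalid addresses include
                   0.0.0.0, 255.255.255.255, all IP multicast
                   addresses, and all class E IP addresses.
        These checks are only performed for ARP packets
        received on untrusted ports in VLANs that are enabled
        for Dynamic ARP Protection. ARP packets received on
        trusted ports, and ARP packets in VLANs for which
        Dynamic ARP Protection is disabled, are forwarded
        without validation."
    ::= { hpicfArpProtectGlobalCfg 3 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.4
-- Switch for the hpicfArpProtectErrantReply notification. Unlike the other
-- boolean objects here it uses a local enabled(1)/disabled(2) enumeration
-- rather than TruthValue. Writable over SNMP: setting disabled(2) removes
-- the push-side alert, so monitoring should also poll the VlanStat
-- counters and alert if this object changes unexpectedly.
hpicfArpProtectErrantNotifyEnable OBJECT-TYPE
    SYNTAX INTEGER
        {
        enabled(1),
        disabled(2)
        }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Provides operational control of hpicfArpProtectErrantReply."
    ::= { hpicfArpProtectGlobalCfg 4 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2
-- Table of per-port settings; one row per interface, indexed by ifIndex.
hpicfArpProtectPortTable OBJECT-TYPE
    SYNTAX SEQUENCE OF HpicfArpProtectPortEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Per-interface configuration for Dynamic ARP
        Protection."
    ::= { hpicfArpProtectConfig 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2.1
hpicfArpProtectPortEntry OBJECT-TYPE
    SYNTAX HpicfArpProtectPortEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Dynamic ARP Protection configuration information for
        a single port."
    INDEX { ifIndex }
    ::= { hpicfArpProtectPortTable 1 }


HpicfArpProtectPortEntry ::=
    SEQUENCE {
        hpicfArpProtectPortTrust
            TruthValue
    }

-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2.1.1
-- Per-port trust flag. Per the hpicfArpProtectValidation description, ARP
-- packets received on trusted ports are forwarded without validation, so
-- true(1) exempts everything behind that port from inspection. Writable
-- over SNMP; keep the set of trusted ports minimal (typically uplinks, to
-- be confirmed per design) and review any change to this column.
hpicfArpProtectPortTrust OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object indicates whether this port is
        trusted for Dynamic ARP Protection."
    ::= { hpicfArpProtectPortEntry 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2
hpicfArpProtectStatus OBJECT IDENTIFIER ::= { hpicfArpProtectObjects 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1
-- Read-only statistics, one row per VLAN. All counters are Counter32:
-- they can wrap and have no defined starting value, so consumers should
-- alert on deltas between polls rather than on absolute values.
hpicfArpProtectVlanStatTable OBJECT-TYPE
    SYNTAX SEQUENCE OF HpicfArpProtectVlanStatEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Per-VLAN statistics for Dynamic ARP Protection."
    ::= { hpicfArpProtectStatus 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1
hpicfArpProtectVlanStatEntry OBJECT-TYPE
    SYNTAX HpicfArpProtectVlanStatEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Dynamic ARP Protection statistics for a single VLAN."
    INDEX { hpicfArpProtectVlanStatIndex }
    ::= { hpicfArpProtectVlanStatTable 1 }


HpicfArpProtectVlanStatEntry ::=
    SEQUENCE {
        hpicfArpProtectVlanStatIndex
            VlanIndex,
        hpicfArpProtectVlanStatForwards
            Counter32,
        hpicfArpProtectVlanStatBadPkts
            Counter32,
        hpicfArpProtectVlanStatBadBindings
            Counter32,
        hpicfArpProtectVlanStatBadSrcMacs
            Counter32,
        hpicfArpProtectVlanStatBadDstMacs
            Counter32,
        hpicfArpProtectVlanStatBadIpAddrs
            Counter32
    }

-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.1
-- Row index; same value space as dot1qVlanIndex per the description.
hpicfArpProtectVlanStatIndex OBJECT-TYPE
    SYNTAX VlanIndex
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This variable uniquely identifies the VLAN that
        the counters in this entry apply to. The VLAN
        identified by this object is the same VLAN as
        identified by the identical value in the
        dot1qVlanIndex object."
    ::= { hpicfArpProtectVlanStatEntry 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.2
-- ARP packets from untrusted ports that passed validation. Useful as the
-- baseline against which the drop counters below are compared.
hpicfArpProtectVlanStatForwards OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports in this VLAN that were successfully validated
        and forwarded. This count does not increment for
        VLANs for which Dynamic ARP Protection is not
        enabled."
    ::= { hpicfArpProtectVlanStatEntry 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.3
-- Drops for structurally malformed ARP packets (bad opcode, protocol or
-- hardware type, or address lengths).
hpicfArpProtectVlanStatBadPkts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports that were dropped because they were malformed
        in some way. This may include an unrecognized
        opcode, an unrecognized protocol type, an
        unrecognized hardware type, an invalid protocol
        address length, or an invalid hardware address
        length. This count does not increment for VLANs
        for which Dynamic ARP Protection is not enabled."
    ::= { hpicfArpProtectVlanStatEntry 3 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.4
-- Drops for a claimed IP-to-MAC binding that does not match a known one.
-- This is the counter most directly tied to ARP spoofing attempts, so a
-- rising delta on a VLAN is worth alerting on. Where the "known, valid"
-- bindings come from is not defined in this module.
hpicfArpProtectVlanStatBadBindings OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports that were dropped because they advertized
        a source IP-to-MAC binding that did not match a
        known, valid binding. This count does not increment
        for VLANs for which Dynamic ARP Protection is not
        enabled."
    ::= { hpicfArpProtectVlanStatEntry 4 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.5
-- Drops from the srcMac check; stays flat unless srcMac(0) is set in
-- hpicfArpProtectValidation.
hpicfArpProtectVlanStatBadSrcMacs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports that were dropped because the source MAC
        address in the Ethernet header did not match the
        sender MAC address in the body of the ARP packet.
        This count does not increment when source MAC
        validation is not enabled. This count does not
        increment for VLANs for which Dynamic ARP Protection
        is not enabled."
    ::= { hpicfArpProtectVlanStatEntry 5 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.6
-- Drops from the dstMac check (unicast ARP responses only); stays flat
-- unless dstMac(1) is set in hpicfArpProtectValidation.
hpicfArpProtectVlanStatBadDstMacs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of unicast ARP response packets received
        on untrusted ports that were dropped because the
        destination MAC address in the Ethernet header did
        not match the target MAC address in the body of the
        ARP packet. This count does not increment when
        destination address validation is not enabled.
        This count does not increment for VLANs for which
        Dynamic ARP Protection is not enabled."
    ::= { hpicfArpProtectVlanStatEntry 6 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.7
-- Drops from the ip check; stays flat unless ip(2) is set in
-- hpicfArpProtectValidation.
hpicfArpProtectVlanStatBadIpAddrs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports that were dropped because they contained
        an invalid sender IP address, or they contained
        an invalid target IP address in an ARP response.
        This count does not increment when IP address
        validation is not enabled. This count does not
        increment for VLANs for which Dynamic ARP Protection
        is not enabled."
    ::= { hpicfArpProtectVlanStatEntry 7 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.3
-- The objects from here to hpicfArpProtectErrantDestIp are
-- accessible-for-notify: they exist only as varbinds of
-- hpicfArpProtectErrantReply and cannot be polled.
-- This one counts errant-reply events handed to the SNMP entity. Per the
-- description it can exceed the number of notifications actually sent, so
-- a gap in the count between two received notifications indicates
-- suppressed events rather than lost ones.
hpicfArpProtectErrantCnt OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A count of hpicfArpProtectErrantReply sent
        from the ARP Protection entity to the SNMP
        entity. This count may differ from the count
        of notifications transmitted due to rate
        limiting or configuration."
    ::= { hpicfArpProtectObjects 3 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.4
-- NOTE(review): this and the other Errant* address descriptions refer to
-- "hpicfArpProtectNotification", which this module does not define. The
-- only notification listing these objects is hpicfArpProtectErrantReply.
hpicfArpProtectErrantSrcMac OBJECT-TYPE
    SYNTAX MacAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Errant source MAC address included in a
        hpicfArpProtectNotification."
    ::= { hpicfArpProtectObjects 4 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.5
-- Address family selector for hpicfArpProtectErrantSrcIp; a receiver must
-- read it before decoding the InetAddress octets.
hpicfArpProtectErrantSrcIpType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "IP Address type reported in hpicfArpProtectErrantSrcIp."
    ::= { hpicfArpProtectObjects 5 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.6
hpicfArpProtectErrantSrcIp OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Errant source IP address included in a
        hpicfArpProtectNotification."
    ::= { hpicfArpProtectObjects 6 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.7
hpicfArpProtectErrantDestMac OBJECT-TYPE
    SYNTAX MacAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Errant destination MAC address included in a
        hpicfArpProtectNotification."
    ::= { hpicfArpProtectObjects 7 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.8
-- Address family selector for hpicfArpProtectErrantDestIp.
hpicfArpProtectErrantDestIpType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "IP Address type reported in hpicfArpProtectErrantDestIp."
    ::= { hpicfArpProtectObjects 8 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.9
hpicfArpProtectErrantDestIp OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Errant destination IP address included in a
        hpicfArpProtectNotification."
    ::= { hpicfArpProtectObjects 9 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2
hpicfArpProtectConformance OBJECT IDENTIFIER ::= { hpicfArpProtect 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1
hpicfArpProtectGroups OBJECT IDENTIFIER ::= { hpicfArpProtectConformance 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1.1
-- Single object group covering every accessible object in the module:
-- the five writable configuration objects, the six per-VLAN counters and
-- the seven notify-only objects.
hpicfArpProtectBaseGroup OBJECT-GROUP
    OBJECTS { hpicfArpProtectEnable, hpicfArpProtectVlanEnable,
              hpicfArpProtectValidation, hpicfArpProtectPortTrust,
              hpicfArpProtectVlanStatForwards, hpicfArpProtectVlanStatBadPkts,
              hpicfArpProtectVlanStatBadBindings, hpicfArpProtectVlanStatBadSrcMacs,
              hpicfArpProtectVlanStatBadDstMacs, hpicfArpProtectVlanStatBadIpAddrs,
              hpicfArpProtectErrantSrcMac, hpicfArpProtectErrantSrcIp,
              hpicfArpProtectErrantDestMac, hpicfArpProtectErrantSrcIpType,
              hpicfArpProtectErrantDestIpType, hpicfArpProtectErrantDestIp,
              hpicfArpProtectErrantCnt, hpicfArpProtectErrantNotifyEnable }
    STATUS current
    DESCRIPTION
        "A collection of objects for configuring and
        monitoring the base Dynamic ARP Protection
        functionality."
    ::= { hpicfArpProtectGroups 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1.2
-- NOTE(review): the description names the module "HP-ICF-ARP-PROTECTION",
-- but the module is declared as HP-ICF-ARP-PROTECT. The group name also
-- uses the stem "hpicfArpProtection" where every other identifier uses
-- "hpicfArpProtect". Both kept as published since renaming would change
-- the module's public names.
hpicfArpProtectionNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { hpicfArpProtectErrantReply }
    STATUS current
    DESCRIPTION
        "A group of Notifications whose implementation is
        mandatory when HP-ICF-ARP-PROTECTION is
        implemented."
    ::= { hpicfArpProtectGroups 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.2
hpicfArpProtectCompliances OBJECT IDENTIFIER ::= { hpicfArpProtectConformance 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.2.1
-- Both groups are mandatory, and no OBJECT clause offers a reduced
-- MIN-ACCESS, so a compliant agent exposes the configuration objects as
-- read-write. Limiting who may write them is left to the agent's access
-- control configuration.
hpicfArpProtectCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for HP ProCurve switches
        that support Dynamic ARP Protection."
    MODULE -- this module
    MANDATORY-GROUPS { hpicfArpProtectBaseGroup, hpicfArpProtectionNotifications }
    ::= { hpicfArpProtectCompliances 1 }



END
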