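--
-- HP-ICF-ARP-PROTECT: HP ProCurve enterprise MIB for Dynamic ARP Protection.
--
-- Layout of the module (all OIDs are below hpSwitch 37):
--   .0        hpicfArpProtectNotifications   the errant-reply notification
--   .1.1      hpicfArpProtectConfig          global, per-VLAN and per-port settings
--   .1.2      hpicfArpProtectStatus          per-VLAN forward and drop counters
--   .1.3-.1.9 objects carried only as varbinds of the notification
--   .2        hpicfArpProtectConformance     groups and compliance statement
--
-- NOTE(review): this copy removes listing line numbers that had been fused
-- onto every line and corrects wording in a few DESCRIPTION clauses (a
-- missing "if", the notification name, the module name).  LAST-UPDATED and
-- the REVISION history are left as published; add a REVISION clause with
-- the real date if this copy is redistributed.
--
HP-ICF-ARP-PROTECT DEFINITIONS ::= BEGIN

IMPORTS
    hpSwitch
        FROM HP-ICF-OID
    ifIndex
        FROM IF-MIB
    InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB
    VlanIndex
        FROM Q-BRIDGE-MIB
    OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    Counter32, OBJECT-TYPE, MODULE-IDENTITY, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    TruthValue, MacAddress
        FROM SNMPv2-TC;


-- 1.3.6.1.4.1.11.2.14.11.5.1.37
hpicfArpProtect MODULE-IDENTITY
    LAST-UPDATED "200708290000Z"      -- August 29, 2007 at 00:00 GMT
    ORGANIZATION
        "Hewlett-Packard Company
        ProCurve Networking Business"
    CONTACT-INFO
        "Hewlett-Packard Company
        8000 Foothills Blvd.
        Roseville, CA 95747"
    DESCRIPTION
        "This MIB module contains HP proprietary
        objects for managing Dynamic ARP
        Protection."
    REVISION "200708290000Z"      -- August 29, 2007 at 00:00 GMT
    DESCRIPTION
        "Added hpicfArpProtectNotification and associated objects."
    REVISION "200605030027Z"      -- May 03, 2006 at 00:27 GMT
    DESCRIPTION
        "Initial revision."
    ::= { hpSwitch 37 }


--
-- Node definitions
--

-- 1.3.6.1.4.1.11.2.14.11.5.1.37.0
hpicfArpProtectNotifications OBJECT IDENTIFIER ::= { hpicfArpProtect 0 }


-- The varbinds identify the offending packet by the source and destination
-- MAC and IP addresses taken from it.  hpicfArpProtectErrantCnt travels with
-- every notification, so a receiver can compare consecutive values to spot
-- notifications that were rate limited or lost in transit.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.0.1
hpicfArpProtectErrantReply NOTIFICATION-TYPE
    OBJECTS { hpicfArpProtectErrantCnt, hpicfArpProtectErrantSrcMac,
        hpicfArpProtectErrantSrcIpType, hpicfArpProtectErrantSrcIp,
        hpicfArpProtectErrantDestMac, hpicfArpProtectErrantDestIpType,
        hpicfArpProtectErrantDestIp }
    STATUS current
    DESCRIPTION
        "An hpicfArpProtectErrantReply notification signifies that
        the ARP protection entity is enabled and has detected
        an errant ARP reply packet.  The source and
        destination addresses from the packet header are included
        in the notification."
    ::= { hpicfArpProtectNotifications 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1
hpicfArpProtectObjects OBJECT IDENTIFIER ::= { hpicfArpProtect 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1
hpicfArpProtectConfig OBJECT IDENTIFIER ::= { hpicfArpProtectObjects 1 }


--
-- Security note for the whole hpicfArpProtectConfig subtree: every
-- accessible object in it is read-write.  A single SET can turn Dynamic ARP
-- Protection off globally or per VLAN, clear the extra validation checks,
-- silence the notification, or mark a port trusted so that its ARP traffic
-- is forwarded without validation.  Limit write access to these OIDs to
-- authenticated management stations (SNMPv3 with authentication and
-- privacy, and a VACM write view that excludes this subtree for ordinary
-- users), and poll or audit the values so an unexpected change is noticed.
--

-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1
hpicfArpProtectGlobalCfg OBJECT IDENTIFIER ::= { hpicfArpProtectConfig 1 }


-- Global switch for the feature.  TruthValue: true(1) enabled, false(2)
-- disabled.  The per-VLAN bitmap in hpicfArpProtectVlanEnable selects the
-- VLANs; how the two settings combine is not spelled out in this module.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.1
hpicfArpProtectEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The administrative status of the ARP Protection
        feature."
    ::= { hpicfArpProtectGlobalCfg 1 }


-- Bitmap of 512 octets, i.e. 4096 bits for VLAN IDs 1 through 4096.
-- For VLAN ID n the bit sits in octet (n - 1) div 8, counting octets from
-- zero, under the mask 0x80 shifted right by (n - 1) mod 8.
-- A SET replaces the whole string: read the current value, change only the
-- intended bits and write the result back, otherwise protection on other
-- VLANs is cleared as a side effect.
-- IDs 4095 and 4096 are not assignable 802.1Q VLANs; how the agent treats
-- those two bits is not stated here.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.2
hpicfArpProtectVlanEnable OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE (512))
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The administrative status for Dynamic ARP Protection
        on each VLAN.  There will be one bit in this string
        for each possible VLAN ID.  Each octet within this
        value specifies a set of eight VLANs, with the first
        octet specifying VLAN IDs 1 through 8, the second
        octet specifying VLAN IDs 9 through 16, etc.  Within
        each octet, the most significant bit represents the
        lowest numbered VLAN ID, and the least significant
        bit represents the highest numbered VLAN ID.  Thus,
        each possible VLAN ID of the bridge is represented by
        a single bit within the value of this object.  If
        that bit has a value of '1', then Dynamic ARP
        Protection is enabled on that VLAN; Dynamic ARP
        Protection is not enabled on the VLAN if its bit has a
        value of '0'."
    ::= { hpicfArpProtectGlobalCfg 2 }


-- Optional checks applied on top of the binding check.  In the SMIv2 BITS
-- encoding, bit 0 is the most significant bit of the first octet, so
-- srcMac is 0x80, dstMac is 0x40 and ip is 0x20.  An empty bit set leaves
-- all three checks off, and the matching BadSrcMacs, BadDstMacs and
-- BadIpAddrs counters then stay flat by definition.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.3
hpicfArpProtectValidation OBJECT-TYPE
    SYNTAX BITS
        {
        srcMac(0),
        dstMac(1),
        ip(2)
        }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Additional validation checks to perform on ARP
        packets during Dynamic ARP Protection.
          srcMac - Drop any ARP request or response
                   packet where the source MAC address in
                   the Ethernet header does not match the
                   sender MAC address in the body of the
                   ARP packet.
          dstMac - Drop any unicast ARP response packet
                   where the destination MAC address in the
                   Ethernet header does not match the target
                   MAC address in the body of the ARP packet.
          ip     - Drop any ARP packet where the sender IP
                   address is invalid.  Drop any ARP response
                   packet where the target IP address is
                   invalid.  Invalid addresses include
                   0.0.0.0, 255.255.255.255, all IP multicast
                   addresses, and all class E IP addresses.
        These checks are only performed for ARP packets
        received on untrusted ports in VLANs that are enabled
        for Dynamic ARP Protection.  ARP packets received on
        trusted ports, and ARP packets in VLANs for which
        Dynamic ARP Protection is disabled, are forwarded
        without validation."
    ::= { hpicfArpProtectGlobalCfg 3 }


-- Unlike the other switches in this module this one is an enumerated
-- INTEGER, enabled(1) or disabled(2), not a TruthValue, so a management
-- script must not write false(2) semantics by habit: 2 means disabled here
-- as well, but 1 and 2 are the only legal values.
-- NOTE(review): presumably disabled(2) only suppresses the notification
-- and leaves packet validation and the counters unaffected; confirm
-- against the device documentation.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.1.4
hpicfArpProtectErrantNotifyEnable OBJECT-TYPE
    SYNTAX INTEGER
        {
        enabled(1),
        disabled(2)
        }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Provides operational control of hpicfArpProtectErrantReply."
    ::= { hpicfArpProtectGlobalCfg 4 }


-- Per-port trust table, one row per interface, indexed by ifIndex.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2
hpicfArpProtectPortTable OBJECT-TYPE
    SYNTAX SEQUENCE OF HpicfArpProtectPortEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Per-interface configuration for Dynamic ARP
        Protection."
    ::= { hpicfArpProtectConfig 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2.1
hpicfArpProtectPortEntry OBJECT-TYPE
    SYNTAX HpicfArpProtectPortEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Dynamic ARP Protection configuration information for
        a single port."
    INDEX { ifIndex }
    ::= { hpicfArpProtectPortTable 1 }


HpicfArpProtectPortEntry ::=
    SEQUENCE {
        hpicfArpProtectPortTrust
            TruthValue
     }

-- true(1) marks the port trusted.  Per the hpicfArpProtectValidation
-- description, ARP packets received on trusted ports are forwarded without
-- validation, so trust should be confined to ports that face other
-- infrastructure devices.  The default value is not stated in this module.
-- An audit of this column against the intended uplink list shows any port
-- that has been exempted from ARP validation.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.1.2.1.1
hpicfArpProtectPortTrust OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object indicates whether this port is
        trusted for Dynamic ARP Protection."
    ::= { hpicfArpProtectPortEntry 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2
hpicfArpProtectStatus OBJECT IDENTIFIER ::= { hpicfArpProtectObjects 2 }


--
-- Per-VLAN counters.  All are Counter32: they wrap and have no defined
-- starting value, so monitoring should alert on the change between two
-- polls, not on the absolute number.  Each counter only moves for packets
-- received on untrusted ports in VLANs where the feature is enabled, so a
-- flat counter can also mean that protection is off for that VLAN.
--
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1
hpicfArpProtectVlanStatTable OBJECT-TYPE
    SYNTAX SEQUENCE OF HpicfArpProtectVlanStatEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Per-VLAN statistics for Dynamic ARP Protection."
    ::= { hpicfArpProtectStatus 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1
hpicfArpProtectVlanStatEntry OBJECT-TYPE
    SYNTAX HpicfArpProtectVlanStatEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Dynamic ARP Protection statistics for a single VLAN."
    INDEX { hpicfArpProtectVlanStatIndex }
    ::= { hpicfArpProtectVlanStatTable 1 }


HpicfArpProtectVlanStatEntry ::=
    SEQUENCE {
        hpicfArpProtectVlanStatIndex
            VlanIndex,
        hpicfArpProtectVlanStatForwards
            Counter32,
        hpicfArpProtectVlanStatBadPkts
            Counter32,
        hpicfArpProtectVlanStatBadBindings
            Counter32,
        hpicfArpProtectVlanStatBadSrcMacs
            Counter32,
        hpicfArpProtectVlanStatBadDstMacs
            Counter32,
        hpicfArpProtectVlanStatBadIpAddrs
            Counter32
     }

-- Row index only (not-accessible); the VLAN ID appears in the instance
-- identifier of each counter in the row.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.1
hpicfArpProtectVlanStatIndex OBJECT-TYPE
    SYNTAX VlanIndex
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This variable uniquely identifies the VLAN that
        the counters in this entry apply to.  The VLAN
        identified by this object is the same VLAN as
        identified by the identical value in the
        dot1qVlanIndex object."
    ::= { hpicfArpProtectVlanStatEntry 1 }


-- Baseline counter: validated and forwarded ARP traffic from untrusted
-- ports.  Useful as the denominator when judging the drop counters below.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.2
hpicfArpProtectVlanStatForwards OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports in this VLAN that were successfully validated
        and forwarded.  This count does not increment for
        VLANs for which Dynamic ARP Protection is not
        enabled."
    ::= { hpicfArpProtectVlanStatEntry 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.3
hpicfArpProtectVlanStatBadPkts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports that were dropped because they were malformed
        in some way.  This may include an unrecognized
        opcode, an unrecognized protocol type, an
        unrecognized hardware type, an invalid protocol
        address length, or an invalid hardware address
        length.  This count does not increment for VLANs
        for which Dynamic ARP Protection is not enabled."
    ::= { hpicfArpProtectVlanStatEntry 3 }


-- Drops caused by a sender IP-to-MAC pair that matches no known binding.
-- A rising delta here is the counter most directly tied to a host claiming
-- an address it does not hold, but it also moves when a legitimate host
-- has no binding recorded, so correlate with the notification varbinds
-- before treating it as an incident.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.4
hpicfArpProtectVlanStatBadBindings OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports that were dropped because they advertised
        a source IP-to-MAC binding that did not match a
        known, valid binding.  This count does not increment
        for VLANs for which Dynamic ARP Protection is not
        enabled."
    ::= { hpicfArpProtectVlanStatEntry 4 }


-- Only moves while the srcMac bit of hpicfArpProtectValidation is set.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.5
hpicfArpProtectVlanStatBadSrcMacs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports that were dropped because the source MAC
        address in the Ethernet header did not match the
        sender MAC address in the body of the ARP packet.
        This count does not increment when source MAC
        validation is not enabled.  This count does not
        increment for VLANs for which Dynamic ARP Protection
        is not enabled."
    ::= { hpicfArpProtectVlanStatEntry 5 }


-- Only moves while the dstMac bit of hpicfArpProtectValidation is set.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.6
hpicfArpProtectVlanStatBadDstMacs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of unicast ARP response packets received
        on untrusted ports that were dropped because the
        destination MAC address in the Ethernet header did
        not match the target MAC address in the body of the
        ARP packet.  This count does not increment when
        destination address validation is not enabled.
        This count does not increment for VLANs for which
        Dynamic ARP Protection is not enabled."
    ::= { hpicfArpProtectVlanStatEntry 6 }


-- Only moves while the ip bit of hpicfArpProtectValidation is set.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.2.1.1.7
hpicfArpProtectVlanStatBadIpAddrs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of ARP packets received on untrusted
        ports that were dropped because they contained
        an invalid sender IP address, or they contained
        an invalid target IP address in an ARP response.
        This count does not increment when IP address
        validation is not enabled.  This count does not
        increment for VLANs for which Dynamic ARP Protection
        is not enabled."
    ::= { hpicfArpProtectVlanStatEntry 7 }


--
-- The objects below are accessible-for-notify: they cannot be read with a
-- GET and exist only as varbinds of hpicfArpProtectErrantReply.  Any
-- correlation of an errant packet to a host therefore has to happen at the
-- notification receiver, which should store the full varbind list.
--
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.3
hpicfArpProtectErrantCnt OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A count of hpicfArpProtectErrantReply sent
        from the ARP Protection entity to the SNMP
        entity.  This count may differ from the count
        of notifications transmitted due to rate
        limiting or configuration."
    ::= { hpicfArpProtectObjects 3 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.4
hpicfArpProtectErrantSrcMac OBJECT-TYPE
    SYNTAX MacAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Errant source MAC address included in an
        hpicfArpProtectErrantReply notification."
    ::= { hpicfArpProtectObjects 4 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.5
hpicfArpProtectErrantSrcIpType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "IP Address type reported in hpicfArpProtectErrantSrcIp."
    ::= { hpicfArpProtectObjects 5 }


-- InetAddress is an opaque octet string; decode it according to the
-- accompanying hpicfArpProtectErrantSrcIpType value.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.6
hpicfArpProtectErrantSrcIp OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Errant source IP address included in an
        hpicfArpProtectErrantReply notification."
    ::= { hpicfArpProtectObjects 6 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.7
hpicfArpProtectErrantDestMac OBJECT-TYPE
    SYNTAX MacAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Errant destination MAC address included in an
        hpicfArpProtectErrantReply notification."
    ::= { hpicfArpProtectObjects 7 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.8
hpicfArpProtectErrantDestIpType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "IP Address type reported in hpicfArpProtectErrantDestIp."
    ::= { hpicfArpProtectObjects 8 }


-- InetAddress is an opaque octet string; decode it according to the
-- accompanying hpicfArpProtectErrantDestIpType value.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.1.9
hpicfArpProtectErrantDestIp OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Errant destination IP address included in an
        hpicfArpProtectErrantReply notification."
    ::= { hpicfArpProtectObjects 9 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2
hpicfArpProtectConformance OBJECT IDENTIFIER ::= { hpicfArpProtect 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1
hpicfArpProtectGroups OBJECT IDENTIFIER ::= { hpicfArpProtectConformance 1 }


-- Every accessible object of the module belongs to this one group; the
-- not-accessible index hpicfArpProtectVlanStatIndex is correctly left out.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1.1
hpicfArpProtectBaseGroup OBJECT-GROUP
    OBJECTS { hpicfArpProtectEnable, hpicfArpProtectVlanEnable,
        hpicfArpProtectValidation, hpicfArpProtectPortTrust,
        hpicfArpProtectVlanStatForwards, hpicfArpProtectVlanStatBadPkts,
        hpicfArpProtectVlanStatBadBindings, hpicfArpProtectVlanStatBadSrcMacs,
        hpicfArpProtectVlanStatBadDstMacs, hpicfArpProtectVlanStatBadIpAddrs,
        hpicfArpProtectErrantSrcMac, hpicfArpProtectErrantSrcIp,
        hpicfArpProtectErrantDestMac, hpicfArpProtectErrantSrcIpType,
        hpicfArpProtectErrantDestIpType, hpicfArpProtectErrantDestIp,
        hpicfArpProtectErrantCnt, hpicfArpProtectErrantNotifyEnable }
    STATUS current
    DESCRIPTION
        "A collection of objects for configuring and
        monitoring the base Dynamic ARP Protection
        functionality."
    ::= { hpicfArpProtectGroups 1 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.1.2
hpicfArpProtectionNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { hpicfArpProtectErrantReply }
    STATUS current
    DESCRIPTION
        "A group of Notifications whose implementation is
        mandatory when HP-ICF-ARP-PROTECT is
        implemented."
    ::= { hpicfArpProtectGroups 2 }


-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.2
hpicfArpProtectCompliances OBJECT IDENTIFIER ::= { hpicfArpProtectConformance 2 }


-- Both groups are mandatory, so a compliant agent exposes the read-write
-- configuration objects over SNMP; access control has to come from the
-- agent configuration, not from this module.
-- 1.3.6.1.4.1.11.2.14.11.5.1.37.2.2.1
hpicfArpProtectCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for HP ProCurve switches
        that support Dynamic ARP Protection."
    MODULE -- this module
        MANDATORY-GROUPS { hpicfArpProtectBaseGroup, hpicfArpProtectionNotifications }
    ::= { hpicfArpProtectCompliances 1 }



END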
495
496