-- *****************************************************************
-- CISCO-DYNAMIC-ARP-INSPECTION-MIB
--
-- October 2003, Edward Pham
--
-- Copyright (c) 2003, 2009, 2011 by cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************
--
-- Reader notes (review annotations, not part of the vendor text):
--
-- Layout of the module, as defined below:
--   cdaiGlobal     : device wide logging and address validation settings,
--                    plus the log buffer table of logged ARP flows.
--   cdaiVlan       : two per VLAN configuration tables (cdaiVlanConfigTable
--                    and the richer cdaiVlanCfgTable).
--   cdaiInterface  : per interface trust state and ARP rate limit.
--   cdaiStatistics : per VLAN forwarded, dropped and validation counters.
--
-- Security relevant points visible in this file:
--   * Seventeen objects have MAX-ACCESS read-write or read-create. Writing
--     them changes whether ARP packets are inspected, which interfaces
--     bypass inspection, and whether decisions are logged.
--   * cdaiMIBCompliance1 gives MIN-ACCESS read-only for every one of those
--     objects, so an agent may implement the whole module as monitoring
--     only and still be compliant.
--   * No NOTIFICATION-TYPE is defined here (cdaiMIBNotifs is only an OID
--     anchor), so changes and drops are observed by polling or through the
--     system messages that the logging objects refer to.
--   * The module carries no security considerations text of its own.
--     Recommendation for deployments that expose write access: limit SET
--     on this subtree to authenticated, encrypted SNMPv3 principals via a
--     narrow access control view, and audit changes to the trust, enable
--     and logging objects.

CISCO-DYNAMIC-ARP-INSPECTION-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    Gauge32,
    Unsigned32,
    Counter32,
    OBJECT-TYPE
        FROM SNMPv2-SMI

    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF

    TruthValue,
    MacAddress,
    DateAndTime,
    StorageType,
    RowStatus
        FROM SNMPv2-TC

    ifIndex,
    InterfaceIndexOrZero
        FROM IF-MIB

    InetAddressType,
    InetAddress
        FROM INET-ADDRESS-MIB

    VlanIndex
        FROM Q-BRIDGE-MIB

    VlanIndexOrZero
        FROM CISCO-PRIVATE-VLAN-MIB

    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB

    ciscoMgmt
        FROM CISCO-SMI;

ciscoDynamicArpInspectionMIB MODULE-IDENTITY
    LAST-UPDATED    "201103210000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        " Cisco Systems
        Customer Service

        Postal: 170 W Tasman Drive
        San Jose, CA 95134
        USA

        Tel: +1 800 553-NETS

        E-mail: cs-lan-switch-snmp@cisco.com"
    DESCRIPTION
        "The MIB module is for configuration of Dynamic ARP Inspection
        feature. Dynamic ARP Inspection is a security mechanism which
        validate ARP packets seen on access ports."
    REVISION        "201103210000Z"
    DESCRIPTION
        "Add the following groups:
        - cdaiLoggingConfigGroup.
        - cdaiLogBufferGroup.
        - cdaiLogBufferActionGroup.
        - cdaiAddressValidationGroup.
        - cdaiVlanCfgGroup.
        - cdaiVlanArpProbeGroup.
        - cdaiVlanStatisticsGroup.
        - cdaiVlanExtStatisticsGroup."
    REVISION        "200310291500Z"
    DESCRIPTION
        "Initial revision of this MIB module."
    ::= { ciscoMgmt 374 }

-- Top level OID anchors. cdaiMIBNotifs is reserved for notifications, but
-- this revision of the module defines none under it.
cdaiMIBNotifs
    OBJECT IDENTIFIER ::= { ciscoDynamicArpInspectionMIB 0 }
cdaiMIBObjects
    OBJECT IDENTIFIER ::= { ciscoDynamicArpInspectionMIB 1 }
cdaiMIBConformance
    OBJECT IDENTIFIER ::= { ciscoDynamicArpInspectionMIB 2 }

cdaiGlobal
    OBJECT IDENTIFIER ::= { cdaiMIBObjects 1 }
cdaiVlan
    OBJECT IDENTIFIER ::= { cdaiMIBObjects 2 }
cdaiInterface
    OBJECT IDENTIFIER ::= { cdaiMIBObjects 3 }
cdaiStatistics
    OBJECT IDENTIFIER ::= { cdaiMIBObjects 4 }


--
-- The Global group
--

-- Device wide logging switch. Writable: setting 'false' turns off Dynamic
-- ARP Inspection logging for the whole device, so an unexpected change of
-- this value is worth auditing.
cdaiLoggingEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object indicates whether the Dynamic ARP Inspection
        logging is enabled on the device.

        If this object is set to 'true', Dynamic ARP Inspection
        logging is enabled.

        If this object is set to 'false', Dynamic ARP Inspection
        logging is disabled."
    ::= { cdaiGlobal 1 }

-- Bit mask selecting the extra header consistency checks. Clearing bits
-- relaxes validation. The BITS syntax itself cannot express that 'ip' and
-- 'ipAllowZeros' are mutually exclusive; presumably the agent rejects a SET
-- with both bits on (confirm against the implementation).
cdaiAddressValidate OBJECT-TYPE
    SYNTAX          BITS {
                        srcMacAddress(0),
                        dstMacAddress(1),
                        ip(2),
                        ipAllowZeros(3)
                    }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies address validation criteria
        used by Dynamic ARP Inspection feature.

        'srcMacAddress' indicates that source MAC address in
        ethernet header is checked against the sender MAC address
        in ARP packet. When this bit is on, packets with different
        MAC addresses are classified as invalid packets and are
        dropped. This checking is done for both ARP request and
        ARP response packet.

        'dstMacAddress' indicates that the destination MAC address
        in ethernet header is checked against the target MAC address
        in ARP packet. When this bit is on, packets with different
        addresses are classified as invalid packets and are dropped.
        This checking is done for ARP response packet only.

        'ip' indicates that the IP addresses in ARP packet are checked
        for invalid or unexpected IP addresses. Addresses such as
        0.0.0.0, 255.255.255.255 and all IP multicast addresses are
        considered invalid. When this bit is on, both the sender
        and target IP addresses in the ARP packet are checked. This
        checking is done for both ARP request and response packet.

        'ipAllowZeros' works the same as 'ip' but address 0.0.0.0
        is allowed.

        'ip' and 'ipAllowZeros' are mutually exclusive."
    ::= { cdaiGlobal 2 }

-- Capacity of the log buffer, in entries. No range is given in the SYNTAX.
-- Per the cdaiLogBufferEntry description, flows that do not fit are only
-- accounted in a single special overflow entry.
cdaiLogBufferSize OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "entries"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the size of the logging buffer."
    ::= { cdaiGlobal 3 }

-- Rate and interval together throttle system message generation. The
-- constraint that both cannot be zero at once is stated only in the
-- cdaiLoggingInterval description, not in either SYNTAX.
cdaiLoggingRate OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "entries"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the maximum number of logging entries
        will be logged during the time period denoted by
        cdaiLoggingInterval object for system message generation purpose.
        Zero value indicates that entry is placed in the log buffer,
        but a system message is not generated."
    ::= { cdaiGlobal 4 }

cdaiLoggingInterval OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the logging interval for system
        message generation purpose. Zero value indicates that
        system message is immediately generated (and the log
        buffer is always empty). Value of this object and value
        of cdaiLoggingRate object cannot be zero at the same time."
    ::= { cdaiGlobal 5 }

-- Write only style action object: reads always return 'none'. Setting
-- 'clear' discards the logged ARP flows, so treat SET access to it like
-- access to any other log deletion control.
-- NOTE(review): the description names cdaiLoggingBufferTable, which is not
-- defined in this module; presumably cdaiLogBufferTable is meant.
cdaiLogBufferAction OBJECT-TYPE
    SYNTAX          INTEGER {
                        none(1),
                        clear(2)
                    }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This objects specifies the action can be taken with
        respect to logging buffer.

        'none' indicates that no operation is performed. This
        object always return value 'none' when read.

        'clear' indicates that all entries in cdaiLoggingBufferTable
        will be cleared."
    ::= { cdaiGlobal 6 }

--
-- The Dynamic ARP Inspection Logging Buffer Table
--

-- Read only view of ARP flows waiting to be reported as system messages.
-- Rows are transient: the entry description says they are cleared once the
-- system message has been generated, so a poller sees only what has not yet
-- been reported.
cdaiLogBufferTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CdaiLogBufferEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table provides the information of logged ARP flows
        for system message generation."
    ::= { cdaiGlobal 7 }

-- One row per logged flow, plus one special row that accounts for drops
-- once the buffer is full. The special row is recognised by zero values in
-- the interface, VLAN, MAC and IP columns (see those objects below).
cdaiLogBufferEntry OBJECT-TYPE
    SYNTAX          CdaiLogBufferEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A row instance contains logged ARP flow data for system
        message generation. Entries in the log are cleared once
        system messages are generated on their behalf. A special
        entry will be populated for accounting drops of all flows
        that result in exceeding the number of entries of the log
        buffer. Special entry only contains packets counter and
        timestamps information. The rest of its fields are
        irrelevant."
    INDEX           { cdaiLogBufferIndex }
    ::= { cdaiLogBufferTable 1 }

CdaiLogBufferEntry ::= SEQUENCE {
    cdaiLogBufferIndex              Unsigned32,
    cdaiLogBufferInterface          InterfaceIndexOrZero,
    cdaiLogBufferVlan               VlanIndexOrZero,
    cdaiLogBufferSenderMacAddress   MacAddress,
    cdaiLogBufferSenderAddressType  InetAddressType,
    cdaiLogBufferSenderIpAddress    InetAddress,
    cdaiLogBufferReason             INTEGER,
    cdaiLogBufferLastUpdate         DateAndTime,
    cdaiLogBufferPacketsCount       Gauge32
}

-- Row index, limited to 1..65535 by the SYNTAX.
cdaiLogBufferIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies a logged ARP flow in the buffer."
    ::= { cdaiLogBufferEntry 1 }

-- Interface the logged flow was associated with; zero marks the special
-- overflow row.
cdaiLogBufferInterface OBJECT-TYPE
    SYNTAX          InterfaceIndexOrZero
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the interface which sent the logged
        ARP flow. Zero value indicates the special entry."
    ::= { cdaiLogBufferEntry 2 }

-- VLAN of the logged flow; zero marks the special overflow row.
cdaiLogBufferVlan OBJECT-TYPE
    SYNTAX          VlanIndexOrZero
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the VLAN number which the logged
        ARP flow belongs to. Zero value indicates the special entry."
    ::= { cdaiLogBufferEntry 3 }

-- Sender MAC as carried in the logged flow. The value comes from the
-- inspected packet, so for denied flows it is the claimed address, not a
-- verified one.
cdaiLogBufferSenderMacAddress OBJECT-TYPE
    SYNTAX          MacAddress
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the sender MAC address of the logged
        ARP flow. All zeros MAC address value indicates the
        special entry."
    ::= { cdaiLogBufferEntry 4 }

-- Address type that qualifies cdaiLogBufferSenderIpAddress.
cdaiLogBufferSenderAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the sender Internet address type
        of the logged ARP flow."
    ::= { cdaiLogBufferEntry 5 }

-- Sender IP address of the logged flow, interpreted according to
-- cdaiLogBufferSenderAddressType.
cdaiLogBufferSenderIpAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the sender Internet address
        of the logged ARP flow. The type of this address is
        determined by the value of cdaiLogBufferSenderAddressType
        object. All zeros IP address value indicates the
        special entry."
    ::= { cdaiLogBufferEntry 6 }

-- Why the flow was logged. Values 2, 3 and 5 are denials; values 4, 6 and 7
-- are permits that were logged because of the per VLAN logging settings in
-- cdaiVlanCfgTable.
cdaiLogBufferReason OBJECT-TYPE
    SYNTAX          INTEGER {
                        unknown(1),
                        deny(2),
                        aclDeny(3),
                        aclPermit(4),
                        dhcpDeny(5),
                        dhcpPermit(6),
                        probePermit(7)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the reason for logging this ARP flow.

        'unknown' indicates unknown reason.

        'deny' indicates that this ARP flow is logged because it is
        denied by Dynamic ARP Inspection feature.

        'aclDeny' indicates that this ARP flow is logged because it is
        denied by a configured ARP ACL.

        'aclPermit' indicates that this ARP flow is logged because it
        is permitted by a configured ARP ACL.

        'dhcpDeny' indicates that this ARP flow is logged because it
        is denied when comparing with DHCP bindings information.

        'dhcpPermit' indicates that this ARP flow is logged because
        it is permitted when comparing with DHCP binding information.

        'probePermit' indicates that this ARP flow is logged because
        it is a permitted ARP-Probe flow."
    ::= { cdaiLogBufferEntry 7 }

-- Timestamp of the most recent packet counted for this flow.
cdaiLogBufferLastUpdate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the timestamp when the last packet
        of this flow was accounted by the system."
    ::= { cdaiLogBufferEntry 8 }

-- Packet count for this flow. Declared as Gauge32 rather than a counter.
cdaiLogBufferPacketsCount OBJECT-TYPE
    SYNTAX          Gauge32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of packets of this ARP flow
        was accounted by the system."
    ::= { cdaiLogBufferEntry 9 }

--
-- The Dynamic ARP Inspection VLAN Config Table
--

-- Original per VLAN on/off table from the initial revision. It is a
-- mandatory group only in the deprecated cdaiMIBCompliance; in
-- cdaiMIBCompliance1 it is conditional and cdaiVlanCfgTable (below) is the
-- mandatory one.
cdaiVlanConfigTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CdaiVlanConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table provides the mechanism to control Dynamic ARP
        Inspection per VLAN. When a VLAN is created in a device
        supporting this table, a corresponding entry of this table
        will be added."
    ::= { cdaiVlan 1 }

cdaiVlanConfigEntry OBJECT-TYPE
    SYNTAX          CdaiVlanConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A row instance contains the configuration to enable
        or disable Dynamic ARP Inspection at each existing VLAN."
    INDEX           { cdaiVlanIndex }
    ::= { cdaiVlanConfigTable 1 }

CdaiVlanConfigEntry ::= SEQUENCE {
    cdaiVlanIndex             VlanIndex,
    cdaiVlanDynArpInspEnable  TruthValue
}

cdaiVlanIndex OBJECT-TYPE
    SYNTAX          VlanIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the VLAN number on which Dynamic ARP
        Inspection feature is configured."
    ::= { cdaiVlanConfigEntry 1 }

-- Writable per VLAN enable switch. A SET to 'false' turns inspection off
-- for the VLAN; no DEFVAL is given, so the initial state is not defined by
-- this module.
cdaiVlanDynArpInspEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object indicates whether Dynamic ARP Inspection is
        enabled in this VLAN.

        If this object is set to 'true', Dynamic ARP Inspection
        is enabled.

        If this object is set to 'false', Dynamic ARP Inspection
        is disabled."
    ::= { cdaiVlanConfigEntry 2 }

--
-- cdaiVlanCfgTable
--

-- Richer per VLAN table added in the 2011 revision. Unlike
-- cdaiVlanConfigTable it also holds rows for VLANs that do not exist yet,
-- and rows are created and destroyed through cdaiVlanCfgRowStatus.
cdaiVlanCfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CdaiVlanCfgEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table provides the mechanism to control Dynamic ARP
        Inspection per VLAN. This table is populated for each
        existing VLAN in the device as well as non-existing VLANs
        which contains the Dynamic ARP Inspection configuration."
    ::= { cdaiVlan 2 }

cdaiVlanCfgEntry OBJECT-TYPE
    SYNTAX          CdaiVlanCfgEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A row instance contains the Dynamic ARP inspection
        configuration for a specific VLAN in the device."
    INDEX           { cdaiVlanId }
    ::= { cdaiVlanCfgTable 1 }

CdaiVlanCfgEntry ::= SEQUENCE {
    cdaiVlanId                  VlanIndex,
    cdaiVlanDynArpInspAdmin     INTEGER,
    cdaiVlanDynArpInspOper      INTEGER,
    cdaiVlanFilterArpAclName    SnmpAdminString,
    cdaiVlanFilterArpAclStatic  TruthValue,
    cdaiVlanAclLogging          INTEGER,
    cdaiVlanDhcpBindingLogging  INTEGER,
    cdaiVlanArpProbeLogging     TruthValue,
    cdaiVlanCfgStorageType      StorageType,
    cdaiVlanCfgRowStatus        RowStatus
}

cdaiVlanId OBJECT-TYPE
    SYNTAX          VlanIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the VLAN number."
    ::= { cdaiVlanCfgEntry 1 }

-- Configured (intended) state. DEFVAL is 'enable', so a newly created row
-- turns inspection on unless the creator says otherwise.
cdaiVlanDynArpInspAdmin OBJECT-TYPE
    SYNTAX          INTEGER { enable(1), disable(2) }
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the administrative status of Dynamic
        ARP Inspection feature in this VLAN.

        If this object value is 'enable', Dynamic ARP Inspection
        is enabled.

        If this object value is 'disable', Dynamic ARP Inspection
        is disabled."
    DEFVAL          { enable }
    ::= { cdaiVlanCfgEntry 2 }

-- Actual state. A row with Admin 'enable' but Oper 'inactive' means the
-- VLAN is configured for inspection yet is not being inspected; comparing
-- the two columns is a useful monitoring check. The module does not say
-- what causes the two to differ.
cdaiVlanDynArpInspOper OBJECT-TYPE
    SYNTAX          INTEGER { active(1), inactive(2) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the operational status of Dynamic ARP
        Inspection feature in this VLAN.

        If this object is 'active', Dynamic ARP Inspection
        is operationally active.

        If this object is 'inactive', Dynamic ARP Inspection
        is operationally inactive."
    ::= { cdaiVlanCfgEntry 3 }

-- Name of the ARP ACL consulted for this VLAN. The ACL contents are not
-- modelled in this module; only the reference by name is. The empty string
-- (the DEFVAL) means no ACL.
cdaiVlanFilterArpAclName OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies an ARP ACL name that Dynamic ARP
        Inspection feature uses to check the validity of the bindings
        information in ARP body.

        An emptry string indicates that no such ARP ACL is
        configured for this purpose."
    DEFVAL          { "" }
    ::= { cdaiVlanCfgEntry 4 }

-- When 'true' the ACL verdict is final and the DHCP bindings are never
-- consulted, so the named ACL becomes the only source of truth for the
-- VLAN. With 'false' (the DEFVAL) packets the ACL does not explicitly
-- classify still fall through to the DHCP binding comparison.
cdaiVlanFilterArpAclStatic OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies whether the ARP ACL denoted by
        cdaiVlanFilterArpAclName is statically applied by
        Dynamic ARP Inspection feature. This object does not
        take effect if value of cdaiVlanFilterArpAclName on
        the row is an empty string.

        'true' indicates that ARP ACL is applied statically.
        The action (denied or permitted) results from applying
        the ARP ACL is final and ARP packet is not compared against
        DHCP bindings information.

        'false' indicates ARP ACL is not applied statically. If
        ARP packet is not explicitly classified by ARP ACL, it
        will be compared against DHCP bindings information."
    DEFVAL          { false }
    ::= { cdaiVlanCfgEntry 5 }

-- Logging policy for ACL decisions. DEFVAL is 'deny'; setting 'none' stops
-- ACL denials from being logged for this VLAN.
cdaiVlanAclLogging OBJECT-TYPE
    SYNTAX          INTEGER {
                        none(1),
                        aclMatch(2),
                        deny(3)
                    }
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the logging configuration that
        Dynamic ARP Inspection feature applies to ARP packets
        when they are classified by the configured ACL.

        'none' indicates that no logging is performed when
        packets are classified by the configured ACL.

        'aclMatch' indicates that logging is performed when
        packets are classified by the configured ACL and the
        matched ACE specified a logging action.

        'deny' indicates that logging is performed when packets
        is denied by the configured ACL."
    DEFVAL          { deny }
    ::= { cdaiVlanCfgEntry 6 }

-- Logging policy for DHCP binding decisions. DEFVAL is 'deny'; both 'none'
-- and 'permit' leave binding denials unlogged.
cdaiVlanDhcpBindingLogging OBJECT-TYPE
    SYNTAX          INTEGER {
                        none(1),
                        permit(2),
                        deny(3),
                        all(4)
                    }
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies packet logging configuration
        performed by Dynamic ARP Inspection feature when
        ARP packets is compared against DHCP bindings information.

        'none' indicates that no packet logging is performed.

        'permit' indicates that packet logging is performed only
        for packets that are permitted as a result of comparing
        with DHCP bindings information.

        'deny' indicates that packet logging is performed only
        for packets that are denied as a result of comparing with
        DHCP bindings information.

        'all' indicates that packet logging is performed for all
        packets that are permitted or denied as a result of comparing
        with DHCP bindings information."
    DEFVAL          { deny }
    ::= { cdaiVlanCfgEntry 7 }

-- Whether permitted ARP-Probe packets are logged; off by default. This
-- column is grouped separately in cdaiVlanArpProbeGroup, not in
-- cdaiVlanCfgGroup.
cdaiVlanArpProbeLogging OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The objects specifies if ARP-Probe packets will be
        logged by Dynamic ARP Inspection feature.

        'true' indicates ARP-Probe packets will be logged.

        'false' indicates ARP-Probe packets will not be logged."
    DEFVAL          { false }
    ::= { cdaiVlanCfgEntry 8 }

-- DEFVAL is 'volatile'. Under the SNMPv2-TC StorageType definition a
-- volatile row is lost on reboot, so a row created over SNMP without
-- changing this column presumably does not persist (confirm on the
-- platform).
cdaiVlanCfgStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The objects specifies the storage type for this conceptual
        row."
    DEFVAL          { volatile }
    ::= { cdaiVlanCfgEntry 9 }

-- Row lifecycle control. Two constraints come from the description only:
-- a row can be deleted only when its VLAN does not exist on the device,
-- and the writable columns may be changed while the row is active.
cdaiVlanCfgRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The status of this conceptual row entry. This object
        is used to manage creation and deletion of rows in this
        table.

        Deletion of an entry in this table is only allowed
        if the VLAN indicated by its row index object does not
        exist in the device. Writable objects can be modified at
        any time even while the row is active."
    ::= { cdaiVlanCfgEntry 10 }

--
-- The Dynamic ARP Inspection Interface Config Table
--

-- Per interface trust state, indexed by ifIndex from IF-MIB.
cdaiIfConfigTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CdaiIfConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table provides the mechanism to configure the trust
        state for Dynamic ARP Inspection purpose at each physical
        interface capable of this feature. Some of the interfaces
        (but not limited to) for which this feature might be
        applicable are: ifType = ethernetCsmacd(6)."
    ::= { cdaiInterface 1 }

cdaiIfConfigEntry OBJECT-TYPE
    SYNTAX          CdaiIfConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A row instance contains the configuration to enable or
        disable trust state for Dynamic ARP Inspection at each
        physical interface capable of this feature."
    INDEX           { ifIndex }
    ::= { cdaiIfConfigTable 1 }

CdaiIfConfigEntry ::= SEQUENCE {
    cdaiIfTrustEnable  TruthValue
}

-- The most sensitive writable object in the module: 'true' exempts every
-- ARP packet arriving on the interface from inspection. No DEFVAL is given
-- here. Recommended practice is to baseline which interfaces are expected
-- to be trusted and to alert when any other interface reads 'true'.
cdaiIfTrustEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object indicates whether the interface is trusted for
        Dynamic ARP Inspection purpose.

        If this object is set to 'true', the interface is trusted.
        ARP packets coming to this interface will be forwarded
        without checking.

        If this object is set to 'false', the interface is not
        trusted. ARP packets coming to this interface will be
        subjected to ARP inspection."
    ::= { cdaiIfConfigEntry 1 }

--
-- The Dynamic ARP Inspection Rate Limit Interface Config Table
--

-- Per interface ARP rate limit, indexed by ifIndex from IF-MIB.
cdaiIfRateLimitTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CdaiIfRateLimitEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table provides the mechanism to configure the rate limit
        for Dynamic ARP Inspection purpose at each physical interface
        capable of this feature."
    ::= { cdaiInterface 2 }

cdaiIfRateLimitEntry OBJECT-TYPE
    SYNTAX          CdaiIfRateLimitEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A row instance contains the configuration of rate limit
        Dynamic ARP Inspection at each physical interface capable
        of this feature."
    INDEX           { ifIndex }
    ::= { cdaiIfRateLimitTable 1 }

CdaiIfRateLimitEntry ::= SEQUENCE {
    cdaiIfRateLimit  Unsigned32
}

-- Ceiling on incoming ARP packets per second; packets above it are
-- dropped. The SYNTAX has no range and the description does not say what a
-- value of zero means, nor which packets are dropped first.
cdaiIfRateLimit OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "packet per second"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object indicates rate limit value for Dynamic ARP
        Inspection purpose. If the incoming rate of ARP packets
        exceeds the value of this object, ARP packets will be
        dropped. "
    ::= { cdaiIfRateLimitEntry 1 }

--
-- cdaiVlanStatsTable
--

-- Read only per VLAN counters. All columns are Counter32, so consumers
-- should work with deltas between polls and allow for wrap. With no
-- notifications defined in this module, polling the drop, denied and
-- validation failure columns is the SNMP way to notice rejected ARP
-- traffic on a VLAN.
cdaiVlanStatsTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CdaiVlanStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table lists the Dynamic Arp Inspection statistics per VLAN."
    ::= { cdaiStatistics 1 }

cdaiVlanStatsEntry OBJECT-TYPE
    SYNTAX          CdaiVlanStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A row instance contains Dynamic ARP Inspection statistics
        information for each VLAN."
    INDEX           { cdaiVlanStatsIndex }
    ::= { cdaiVlanStatsTable 1 }

CdaiVlanStatsEntry ::= SEQUENCE {
    cdaiVlanStatsIndex                 VlanIndex,
    cdaiVlanForwarded                  Counter32,
    cdaiVlanDropped                    Counter32,
    cdaiVlanAclPermitted               Counter32,
    cdaiVlanDhcpBindingsPermitted      Counter32,
    cdaiVlanAclDenied                  Counter32,
    cdaiVlanDhcpBindingDenied          Counter32,
    cdaiVlanSrcMacValidationFailures   Counter32,
    cdaiVlanDestMacValidationFailures  Counter32,
    cdaiVlanIpValidationFailures       Counter32,
    cdaiVlanArpProbePermitted          Counter32,
    cdaiVlanInvalidProtocolData        Counter32
}

cdaiVlanStatsIndex OBJECT-TYPE
    SYNTAX          VlanIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the VLAN number."
    ::= { cdaiVlanStatsEntry 1 }

-- ARP packets the feature let through on this VLAN.
cdaiVlanForwarded OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP packets forwarded by
        Dynamic Arp Inspection feature."
    ::= { cdaiVlanStatsEntry 2 }

-- ARP packets the feature dropped on this VLAN. How this total relates to
-- the per cause counters below is not stated in the module.
cdaiVlanDropped OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP packets dropped by
        Dynamic ARP Inspection feature."
    ::= { cdaiVlanStatsEntry 3 }

-- Packets permitted by the ARP ACL named in cdaiVlanFilterArpAclName
-- (presumably; the description says only 'the configured ACL').
cdaiVlanAclPermitted OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP packets permitted by
        the configured ACL."
    ::= { cdaiVlanStatsEntry 4 }

-- Packets permitted after comparison with the DHCP bindings.
cdaiVlanDhcpBindingsPermitted OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of DHCP-binding permitted
        ARP packets."
    ::= { cdaiVlanStatsEntry 5 }

-- Packets denied by the configured ACL.
cdaiVlanAclDenied OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP packets denied by the
        configured ACL."
    ::= { cdaiVlanStatsEntry 6 }

-- Packets denied after comparison with the DHCP bindings.
cdaiVlanDhcpBindingDenied OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of DHCP-binding denied
        ARP packets."
    ::= { cdaiVlanStatsEntry 7 }

-- The next three counters correspond to the checks selected through
-- cdaiAddressValidate (source MAC, destination MAC, IP address).
cdaiVlanSrcMacValidationFailures OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP packets that fail
        source MAC address validation."
    ::= { cdaiVlanStatsEntry 8 }

cdaiVlanDestMacValidationFailures OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP packets that fail
        destination MAC address validation."
    ::= { cdaiVlanStatsEntry 9 }

cdaiVlanIpValidationFailures OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP packets that fail
        IP validation."
    ::= { cdaiVlanStatsEntry 10 }

-- The last two counters belong to cdaiVlanExtStatisticsGroup, which is a
-- conditional group, so an agent may not implement them.
cdaiVlanArpProbePermitted OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP Probe packets that
        are permitted."
    ::= { cdaiVlanStatsEntry 11 }

cdaiVlanInvalidProtocolData OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of ARP packets that contain
        invalid protocol data."
    ::= { cdaiVlanStatsEntry 12 }

-- Conformance

cdaiMIBCompliances
    OBJECT IDENTIFIER ::= { cdaiMIBConformance 1 }

cdaiMIBGroups
    OBJECT IDENTIFIER ::= { cdaiMIBConformance 2 }

-- Deprecated compliance statement from the initial revision. Mandatory
-- groups are the simple per VLAN enable and the interface trust state.
cdaiMIBCompliance MODULE-COMPLIANCE
    STATUS          deprecated
    DESCRIPTION
        "The compliance statement for CISCO-DYNAMIC-ARP-INSPECTION-MIB.
        This compliance is superceded by cdaiMIBCompliance1."
    MODULE
    MANDATORY-GROUPS {
                        cdaiVlanConfigGroup,
                        cdaiIfConfigGroup
                    }

    GROUP           cdaiGlobalLoggingGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        enabling Dynamic ARP Inspection logging at the device level."

    GROUP           cdaiIfRateLimitGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        Dynamic ARP Inspection rate limit per interface."

    ::= { cdaiMIBCompliances 1 }

-- Current compliance statement. Only cdaiVlanCfgGroup and cdaiIfConfigGroup
-- are mandatory; logging, log buffer, address validation, rate limit and
-- statistics are all conditional, so their absence on a given agent is
-- compliant. Every writable object is relaxed to MIN-ACCESS read-only, and
-- for cdaiVlanCfgRowStatus the required values are narrowed to 'active' on
-- read and 'createAndGo' or 'destroy' on write.
cdaiMIBCompliance1 MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for CISCO-DYNAMIC-ARP-INSPECTION-MIB"
    MODULE
    MANDATORY-GROUPS {
                        cdaiVlanCfgGroup,
                        cdaiIfConfigGroup
                    }

    GROUP           cdaiVlanConfigGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        enabling Dynamic ARP Inspection per VLAN."

    GROUP           cdaiGlobalLoggingGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        enabling Dynamic ARP Inspection logging at the device level."

    GROUP           cdaiIfRateLimitGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        Dynamic ARP Inspection rate limit per interface."

    GROUP           cdaiLoggingConfigGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        Dynamic ARP Inspection logging configuration."

    GROUP           cdaiAddressValidationGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        address validation configuration."

    GROUP           cdaiLogBufferGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        log buffer information for Dynamic ARP Inspection feature."

    GROUP           cdaiVlanStatisticsGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        Dynamic ARP Inspection statistics per VLAN."

    GROUP           cdaiVlanExtStatisticsGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        additional Dynamic ARP Inspection statistics per VLAN."

    GROUP           cdaiVlanArpProbeGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        VLAN configuration for ARP Probe packets."

    GROUP           cdaiLogBufferActionGroup
    DESCRIPTION
        "This group is mandatory only for the platform which supports
        log buffer action."

    OBJECT          cdaiVlanDynArpInspEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiVlanDynArpInspAdmin
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiVlanFilterArpAclName
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiVlanFilterArpAclStatic
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiVlanAclLogging
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiVlanDhcpBindingLogging
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiVlanCfgStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiVlanCfgRowStatus
    SYNTAX          INTEGER {
                        active(1)
                    }
    WRITE-SYNTAX    INTEGER {
                        createAndGo(4),
                        destroy(6)
                    }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Read-create access is not required."

    OBJECT          cdaiIfTrustEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiLoggingEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiIfRateLimit
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiLogBufferSize
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiLoggingRate
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiLoggingInterval
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiAddressValidate
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiVlanArpProbeLogging
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cdaiLogBufferAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    ::= { cdaiMIBCompliances 2 }

-- Units of Conformance

-- cdaiGlobalGroup

-- Device wide logging switch only.
cdaiGlobalLoggingGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiLoggingEnable
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which is used to configure Dynamic
        ARP Inspection logging."
    ::= { cdaiMIBGroups 1 }

-- Simple per VLAN enable from cdaiVlanConfigTable.
cdaiVlanConfigGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiVlanDynArpInspEnable
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which are used to configure as
        well as show information regarding the Dynamic ARP
        Inspection feature per VLAN."
    ::= { cdaiMIBGroups 2 }

-- Interface trust state; mandatory in both compliance statements.
cdaiIfConfigGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiIfTrustEnable
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which are used to configure as
        well as show information regarding the interface trust
        state for Dynamic ARP Inspection purpose."
    ::= { cdaiMIBGroups 3 }

-- Per interface ARP rate limit.
cdaiIfRateLimitGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiIfRateLimit
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which are used to configure as
        well as show information regarding the rate limit per
        interface for Dynamic ARP Inspection purpose."
    ::= { cdaiMIBGroups 4 }

-- Log buffer size and system message throttling.
cdaiLoggingConfigGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiLogBufferSize,
                        cdaiLoggingRate,
                        cdaiLoggingInterval
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which provides logging configuration
        for Dynamic ARP Inspection feature."
    ::= { cdaiMIBGroups 5 }

-- Address validation bit mask.
cdaiAddressValidationGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiAddressValidate
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which provides address validation
        configuration for Dynamic ARP Inspection feature."
    ::= { cdaiMIBGroups 6 }

-- Columns of cdaiVlanCfgTable except cdaiVlanArpProbeLogging, which has
-- its own group (cdaiVlanArpProbeGroup). Mandatory in cdaiMIBCompliance1.
cdaiVlanCfgGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiVlanDynArpInspAdmin,
                        cdaiVlanDynArpInspOper,
                        cdaiVlanFilterArpAclName,
                        cdaiVlanFilterArpAclStatic,
                        cdaiVlanAclLogging,
                        cdaiVlanDhcpBindingLogging,
                        cdaiVlanCfgStorageType,
                        cdaiVlanCfgRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which provides additional VLAN
        configuration for Dynamic ARP Inspection feature."
    ::= { cdaiMIBGroups 7 }

-- Base per VLAN counters.
cdaiVlanStatisticsGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiVlanForwarded,
                        cdaiVlanDropped,
                        cdaiVlanAclPermitted,
                        cdaiVlanDhcpBindingsPermitted,
                        cdaiVlanAclDenied,
                        cdaiVlanDhcpBindingDenied,
                        cdaiVlanSrcMacValidationFailures,
                        cdaiVlanDestMacValidationFailures,
                        cdaiVlanIpValidationFailures
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which provides Dynamic ARP Inspection
        statistics per VLAN."
    ::= { cdaiMIBGroups 8 }

-- Readable columns of the log buffer table.
cdaiLogBufferGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiLogBufferInterface,
                        cdaiLogBufferVlan,
                        cdaiLogBufferSenderMacAddress,
                        cdaiLogBufferSenderAddressType,
                        cdaiLogBufferSenderIpAddress,
                        cdaiLogBufferReason,
                        cdaiLogBufferLastUpdate,
                        cdaiLogBufferPacketsCount
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which provides logging information
        for Dynamic ARP Inspection feature."
    ::= { cdaiMIBGroups 9 }

-- Additional per VLAN counters (ARP Probe permits, invalid protocol data).
cdaiVlanExtStatisticsGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiVlanArpProbePermitted,
                        cdaiVlanInvalidProtocolData
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which provides additional Dynamic
        ARP Inspection statistics per VLAN."
    ::= { cdaiMIBGroups 10 }

-- ARP Probe logging column of cdaiVlanCfgTable.
cdaiVlanArpProbeGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiVlanArpProbeLogging
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which provides additional VLAN
        configuration for ARP Probe packets."
    ::= { cdaiMIBGroups 11 }

-- Log buffer clear action.
cdaiLogBufferActionGroup OBJECT-GROUP
    OBJECTS         {
                        cdaiLogBufferAction
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object which provides log buffer action."
    ::= { cdaiMIBGroups 12 }

END