1-- CISCO-PORT-SECURITY-MIB.my: 2-- MIB support for the Port Security feature 3-- 4-- May 2002, Nagarani Chandika 5-- 6-- Copyright (c) 2002, 2003, 2004, 2005 by Cisco Systems, Inc. 7-- All rights reserved. 8 9CISCO-PORT-SECURITY-MIB DEFINITIONS ::= BEGIN 10 11IMPORTS 12 MODULE-IDENTITY,OBJECT-TYPE, 13 NOTIFICATION-TYPE, Integer32, 14 Counter32, Unsigned32 15 FROM SNMPv2-SMI 16 MODULE-COMPLIANCE, OBJECT-GROUP, 17 NOTIFICATION-GROUP 18 FROM SNMPv2-CONF 19 ifIndex, ifName 20 FROM IF-MIB 21 TruthValue, MacAddress, RowStatus, TEXTUAL-CONVENTION 22 FROM SNMPv2-TC 23 ciscoMgmt 24 FROM CISCO-SMI 25 vtpVlanName 26 FROM CISCO-VTP-MIB 27 VlanIndex 28 FROM Q-BRIDGE-MIB; 29 30ciscoPortSecurityMIB MODULE-IDENTITY 31 LAST-UPDATED "200905080000Z" 32 ORGANIZATION "Cisco Systems, Inc." 33 CONTACT-INFO 34 " Cisco Systems 35 Customer Services 36 37 Postal: 170 W Tasman Drive 38 San Jose, CA 95134 39 USA 40 41 Tel: +1 800 553-NETS 42 E-mail: cs-lan-switch-snmp@cisco.com" 43 DESCRIPTION 44 "The MIB module for managing Cisco Port Security." 45 46-- Revision History 47 48 REVISION "200905080000Z" 49 DESCRIPTION 50 "Update description of cpsIfMaxSecureMacAddr object." 51 REVISION "200505040000Z" 52 DESCRIPTION 53 "Obsolete cpsIfVlanTable and replace it with 54 cpsIfMultiVlanTable. 55 56 Add cpsExtInterfaceGroup1 and 57 cpsIfVlanSecureNotificationGroup." 58 REVISION "200503120000Z" 59 DESCRIPTION 60 "Change description in cpsIfSecureLastMacAddress." 61 REVISION "200408070000Z" 62 DESCRIPTION 63 "Added cpsTrunkSecureMacAddrViolation. 64 Expanded on the description of 65 cpsSecureMacAddrViolation. 66 Created the NOTIFICATION-GROUP 67 cpsTrunkSecureNotificationGroup." 68 REVISION "200403080000Z" 69 DESCRIPTION 70 "Adding cpsGlobalClearSecureMacAddresses, 71 cpsIfClearSecureMacAddresses, 72 cpsIfInvalidSrcRateLimitEnable, 73 cpsIfInvalidSrcRateLimitValue 74 cpsIfStickyEnable, 75 cpsIfVlanTable, cpsInterfaceGroup2, 76 ciscoPortSecurityMIBCompliance2 and 77 cpsInterfaceGroup2. 
78 Deprecating cpsIfClearSecureAddresses, 79 ciscoPortSecurityMIBCompliance1 80 and cpsInterfaceGroup1." 81 REVISION "200402100000Z" 82 DESCRIPTION 83 "Deprecated cpsSecureMacAddressTable. 84 Adding cpsIfVlanSecureMacAddrTable." 85 REVISION "200307010000Z" 86 DESCRIPTION 87 "Deprecated the ciscoPortSecurityMIBCompliance. 88 Adding ciscoPortSecurityMIBCompliance1. 89 Adding cpsUnicastFloodingInterfaceGroup 90 and cpsShutdownTimeoutInterfaceGroup." 91 REVISION "200302240000Z" 92 DESCRIPTION 93 "Initial version of this MIB module." 94 ::= { ciscoMgmt 315 } 95 96ciscoPortSecurityMIBNotifs OBJECT IDENTIFIER ::= 97 { ciscoPortSecurityMIB 0 } 98ciscoPortSecurityMIBObjects OBJECT IDENTIFIER ::= 99 { ciscoPortSecurityMIB 1 } 100ciscoPortSecurityMIBConform OBJECT IDENTIFIER ::= 101 { ciscoPortSecurityMIB 2 } 102 103 104cpsGlobalObjects OBJECT IDENTIFIER ::= 105 { ciscoPortSecurityMIBObjects 1 } 106cpsInterfaceObjects OBJECT IDENTIFIER ::= 107 { ciscoPortSecurityMIBObjects 2 } 108 109-- 110-- textual conventions 111-- 112 113ClearSecureMacAddrType ::= TEXTUAL-CONVENTION 114 STATUS current 115 DESCRIPTION 116 "These are the different types of secure MAC addresses 117 which the user is allowed to delete globally or 118 per interface. 119 When the address deletion is in progress 120 GET request will not show any values which 121 were set using SET operation. 122 123 done(0) - This is the value which is always returned 124 in a GET request when the clear command has 125 completed or is in progress. 126 Setting this value to this object has 127 no effect. 128 dynamic(1) - All secure MAC addresses which are 129 learned on the switch. 130 static(2) - All secure MAC addresses which are 131 configured by user. 132 sticky(3) - All secure MAC addresses which 133 are learned and retained across 134 reboots. 135 all(4) - All the MAC addresses on the switch."
136 137 SYNTAX INTEGER { 138 done(0), 139 dynamic(1), 140 static(2), 141 sticky(3), 142 all(4) 143 } 144 145-- 146-- Port Security Global Configuration Objects 147-- 148cpsGlobalMaxSecureAddress OBJECT-TYPE 149 SYNTAX Integer32 (1..2147483647) 150 MAX-ACCESS read-only 151 STATUS current 152 DESCRIPTION "The maximum number of secure MAC addresses 153 allowed in the device." 154 ::= { cpsGlobalObjects 1 } 155 156cpsGlobalTotalSecureAddress OBJECT-TYPE 157 SYNTAX Integer32 (0..2147483647) 158 MAX-ACCESS read-only 159 STATUS current 160 DESCRIPTION "The total number of MAC addresses secured 161 in the device." 162 ::= { cpsGlobalObjects 2 } 163 164cpsGlobalPortSecurityEnable OBJECT-TYPE 165 SYNTAX TruthValue 166 MAX-ACCESS read-write 167 STATUS current 168 DESCRIPTION "The global control to enable or disable 169 port security feature on the device." 170 ::= { cpsGlobalObjects 3 } 171 172cpsGlobalSNMPNotifRate OBJECT-TYPE 173 SYNTAX Integer32 (0..1000) 174 UNITS "notifs per second" 175 MAX-ACCESS read-write 176 STATUS current 177 DESCRIPTION "The global control to set the SNMP Notification 178 rate for port security feature. This object 179 specifies the rate at which SNMP Notifications 180 are generated when cpsIfViolationAction 181 selected is of the type 'dropNotify'. 182 A value of 0 indicates that an SNMP Notification 183 is generated for every security violation." 184 ::= { cpsGlobalObjects 4 } 185 186cpsGlobalSNMPNotifControl OBJECT-TYPE 187 SYNTAX TruthValue 188 MAX-ACCESS read-write 189 STATUS current 190 DESCRIPTION "Set to 'true' to enable global SNMP Notification 191 for port security feature. Setting the object to 192 'false' will disable SNMP notifications even if 193 the cpsIfViolationAction is set to 'dropNotify' 194 on an interface. The default value is 'false'." 
195 ::= { cpsGlobalObjects 5 } 196 197cpsGlobalClearSecureMacAddresses OBJECT-TYPE 198 SYNTAX ClearSecureMacAddrType 199 MAX-ACCESS read-write 200 STATUS current 201 DESCRIPTION "This objects allows the user to delete 202 secure MAC addresses based on the specified 203 type." 204 205 ::= { cpsGlobalObjects 6 } 206 207-- 208-- Port Security Interface Configuration Table 209-- 210cpsIfConfigTable OBJECT-TYPE 211 SYNTAX SEQUENCE OF CpsIfConfigEntry 212 MAX-ACCESS not-accessible 213 STATUS current 214 DESCRIPTION 215 "A list of port security configuration entries. 216 The number of entries is determined by the number of 217 interfaces in the system that can support the 218 port security feature. Interfaces that are not 219 port security capable will not be displayed 220 in this Table. This table includes interfaces 221 on which port security parameters can be set even 222 if port security feature itself cannot be enabled 223 due to conflict with other features." 224 ::= { cpsInterfaceObjects 1 } 225 226cpsIfConfigEntry OBJECT-TYPE 227 SYNTAX CpsIfConfigEntry 228 MAX-ACCESS not-accessible 229 STATUS current 230 DESCRIPTION 231 "Entry containing port security information for a 232 particular interface." 
233 INDEX { ifIndex } 234 ::= { cpsIfConfigTable 1 } 235 236CpsIfConfigEntry ::= 237 SEQUENCE { 238 cpsIfPortSecurityEnable TruthValue, 239 cpsIfPortSecurityStatus INTEGER, 240 cpsIfMaxSecureMacAddr Integer32, 241 cpsIfCurrentSecureMacAddrCount Integer32, 242 cpsIfSecureMacAddrAgingTime Integer32, 243 cpsIfSecureMacAddrAgingType INTEGER, 244 cpsIfStaticMacAddrAgingEnable TruthValue, 245 cpsIfViolationAction INTEGER, 246 cpsIfViolationCount Counter32, 247 cpsIfSecureLastMacAddress MacAddress, 248 cpsIfClearSecureAddresses TruthValue, 249 cpsIfUnicastFloodingEnable TruthValue, 250 cpsIfShutdownTimeout Unsigned32, 251 cpsIfClearSecureMacAddresses ClearSecureMacAddrType, 252 cpsIfStickyEnable TruthValue, 253 cpsIfInvalidSrcRateLimitEnable TruthValue, 254 cpsIfInvalidSrcRateLimitValue Integer32, 255 cpsIfSecureLastMacAddrVlanId VlanIndex 256 } 257 258cpsIfPortSecurityEnable OBJECT-TYPE 259 SYNTAX TruthValue 260 MAX-ACCESS read-write 261 STATUS current 262 DESCRIPTION "Indicates whether the port security feature 263 is enabled on an interface. Upon setting this 264 object to 'true', the source MAC address that 265 does not match any cpsSecureMacAddress for the 266 given interface in cpsSecureMacAddressTable and 267 the value of cpsIfCurrentSecureMacAddrCount is 268 equal to cpsIfMaxSecureMacAddr, is considered 269 as port security violation and an action as 270 specified in cpsIfViolationAction is taken on 271 the interface. The value of this object has no 272 effect when the value of 273 cpsGlobalPortSecurityEnable is set to 'false'." 274 ::= { cpsIfConfigEntry 1 } 275 276cpsIfPortSecurityStatus OBJECT-TYPE 277 SYNTAX INTEGER { secureup(1), securedown(2), 278 shutdown(3) } 279 MAX-ACCESS read-only 280 STATUS current 281 DESCRIPTION "This object represents the operational status 282 of the port security feature on an interface. 283 284 secureup(1) - This indicates port security 285 is operational. 286 securedown(2) - This indicates port security is 287 not operational. 
This happens 288 when port security is configured 289 to be enabled but could not be 290 enabled due to certain reasons 291 such as conflict with other 292 features. 293 shutdown(3) - This indicates that the port is 294 shutdown due to port security 295 violation when the object 296 cpsIfViolationAction is of type 297 'shutdown'." 298 299 ::= { cpsIfConfigEntry 2 } 300 301cpsIfMaxSecureMacAddr OBJECT-TYPE 302 SYNTAX Integer32 (1..2147483647) 303 MAX-ACCESS read-write 304 STATUS current 305 DESCRIPTION "The maximum number (N) of MAC addresses to be 306 secured on the interface. The first N MAC 307 addresses learned or configured are made secured. 308 Changing this object value from N to M is not 309 allowed if M is smaller than N, and M is less 310 than the value of cpsIfCurrentSecureMacAddrCount 311 on the interface. One way to change the number in 312 this case is by deleting sufficient number of 313 secure mac addresses configured or learned on the 314 device. Also, some devices may choose to limit the 315 sum of this object value for all interfaces to 316 less than or equal to cpsGlobalMaxSecureAddress." 317 ::= { cpsIfConfigEntry 3 } 318 319cpsIfCurrentSecureMacAddrCount OBJECT-TYPE 320 SYNTAX Integer32 (0..2147483647) 321 MAX-ACCESS read-only 322 STATUS current 323 DESCRIPTION "The current number of MAC addresses secured 324 on this interface." 325 ::= { cpsIfConfigEntry 4 } 326 327cpsIfSecureMacAddrAgingTime OBJECT-TYPE 328 SYNTAX Integer32 (0..1440) 329 UNITS "minutes" 330 MAX-ACCESS read-write 331 STATUS current 332 DESCRIPTION "The interval in which the interface is 333 secured. After the expiration of the 334 time, the corresponding cpsSecureMacAddressEntry 335 from the cpsSecureMacAddressTable will be 336 removed. If the value of this object is 0, 337 the aging mechanism is disabled." 
338 ::= { cpsIfConfigEntry 5 } 339 340cpsIfSecureMacAddrAgingType OBJECT-TYPE 341 SYNTAX INTEGER { absolute(1), inactivity(2) } 342 MAX-ACCESS read-write 343 STATUS current 344 DESCRIPTION "The aging type determines the way the 345 secure MAC addresses are aged out. 346 absolute(1) - all the secure MAC addresses 347 will be aged out after 348 cpsIfSecureMacAddrAgingTime 349 minutes since the time the 350 secure MAC address is learned 351 or configured. 352 inactivity(2) - all the secure MAC addresses 353 will age out and will be removed 354 from the cpsSecureMacAddressTable 355 only if there is no data traffic 356 from the secure source MAC address 357 for the specified time period." 358 ::= { cpsIfConfigEntry 6 } 359 360cpsIfStaticMacAddrAgingEnable OBJECT-TYPE 361 SYNTAX TruthValue 362 MAX-ACCESS read-write 363 STATUS current 364 DESCRIPTION "Indicates whether the secure MAC address aging 365 mechanism is enabled on static MAC address entries 366 in cpsSecureMacAddressTable. 367 Setting this object value to 'false' will cause 368 the static MAC addresses to remain in the 369 cpsSecureMacAddressTable regardless of the aging 370 time and type configured on the interface. 371 Setting this object value to 'true' will cause 372 the static MAC addresses to be aged out from 373 cpsSecureMacAddressTable according to the aging 374 time and type specified on the interface." 375 ::= { cpsIfConfigEntry 7 } 376 377cpsIfViolationAction OBJECT-TYPE 378 SYNTAX INTEGER { shutdown(1), dropNotify(2), drop(3) } 379 MAX-ACCESS read-write 380 STATUS current 381 DESCRIPTION "Determines the action that the device will 382 take if the traffic matches the port security 383 violation. 384 385 shutdown(1) - the interface will be forced to 386 shut down. 387 388 dropNotify(2) - the matched traffic will be 389 dropped and 390 cpsSecureMacAddrViolation 391 notification will be generated. 392 393 drop(3) - the matched traffic will be 394 dropped." 
395 ::= { cpsIfConfigEntry 8 } 396 397cpsIfViolationCount OBJECT-TYPE 398 SYNTAX Counter32 399 MAX-ACCESS read-only 400 STATUS current 401 DESCRIPTION "This object indicates the number of violations 402 occurred on a secure interface. The counter will 403 be initialized to zero when the port security 404 feature is enabled on an interface. This MIB 405 object is only instantiated if the device can 406 provide this violation statistics on the 407 interface." 408 ::= { cpsIfConfigEntry 9 } 409 410cpsIfSecureLastMacAddress OBJECT-TYPE 411 SYNTAX MacAddress 412 MAX-ACCESS read-only 413 STATUS current 414 DESCRIPTION "This object indicates the last MAC 415 address that is seen on this interface. 416 417 This object is also used as a variable in 418 the cpsSecureMacAddrViolation notification 419 to contain the value of the MAC address 420 which caused the violation." 421 ::= { cpsIfConfigEntry 10 } 422 423cpsIfClearSecureAddresses OBJECT-TYPE 424 SYNTAX TruthValue 425 MAX-ACCESS read-write 426 STATUS deprecated -- superceded by 427 -- cpsIfClearSecureMacAddresses 428 DESCRIPTION "Set to 'true' to delete all secure addresses on 429 this interface. Setting this object to 'false' 430 has no effect. This object always returns 'false' 431 when read." 432 ::= { cpsIfConfigEntry 11 } 433 434cpsIfUnicastFloodingEnable OBJECT-TYPE 435 SYNTAX TruthValue 436 MAX-ACCESS read-write 437 STATUS current 438 DESCRIPTION "Setting this object to true(1) will configure 439 the interface not to block unicast flooded 440 traffic when the secure address count reaches the 441 threshold. 442 Setting this object to false(2) will configure 443 the interface to block unicast flooded traffic 444 when the secure address count reaches the 445 threshold." 
446 ::= { cpsIfConfigEntry 12 } 447 448cpsIfShutdownTimeout OBJECT-TYPE 449 SYNTAX Unsigned32 450 UNITS "minutes" 451 MAX-ACCESS read-write 452 STATUS current 453 DESCRIPTION "The interval in which the cpsIfPortSecurityStatus 454 may remain in shutdown(3). After the expiration of 455 the time, all the security configuration of this 456 port is re-installed and the port is enabled. If 457 the value of this object is 0, the port is shut 458 down permanently." 459 ::= { cpsIfConfigEntry 13 } 460 461cpsIfClearSecureMacAddresses OBJECT-TYPE 462 SYNTAX ClearSecureMacAddrType 463 MAX-ACCESS read-write 464 STATUS current 465 DESCRIPTION "This object allows the user to delete 466 secure MAC addresses based on the type specified." 467 468 ::= { cpsIfConfigEntry 14 } 469 470cpsIfStickyEnable OBJECT-TYPE 471 SYNTAX TruthValue 472 MAX-ACCESS read-write 473 STATUS current 474 DESCRIPTION "Set to 'true' to enable and 'false' to 475 disable Sticky port security feature on this 476 interface. Enabling this feature allows the 477 device to secure learned MAC addresses on this 478 interface permanently. In order to remove the 479 sticky addresses on this interface, user has to 480 manually delete the sticky MAC address(es) or 481 disable the sticky feature itself. Manual deletion 482 of all addresses can be accomplished by 483 cpsIfClearSecureMacAddresses object. Manual deletion 484 of a single address can be accomplished by 485 cpsIfVlanSecureMacAddrRowStatus object." 486 ::= { cpsIfConfigEntry 15 } 487 488cpsIfInvalidSrcRateLimitEnable OBJECT-TYPE 489 SYNTAX TruthValue 490 MAX-ACCESS read-write 491 STATUS current 492 DESCRIPTION "Set to 'true' to enable and 'false' to disable 493 rate limiting for invalid source MAC addresses 494 received on this interface. Enabling this feature 495 will help to rate limit packets which come with 496 invalid src MAC address on this interface."
497 ::= { cpsIfConfigEntry 16 } 498 499cpsIfInvalidSrcRateLimitValue OBJECT-TYPE 500 SYNTAX Integer32 (-1..1000) 501 UNITS "Packets per second" 502 MAX-ACCESS read-write 503 STATUS current 504 DESCRIPTION "If cpsIfInvalidSrcRateLimitEnable is set to 505 'true' then this value is used to limit the 506 rate at which packets with invalid source MAC 507 addresses are processed on this interface. Upon 508 exceeding the rate, the port is shut down. If 509 cpsIfInvalidSrcRateLimitEnable is set to 'false' 510 then this value will be -1." 511 ::= { cpsIfConfigEntry 17 } 512 513cpsIfSecureLastMacAddrVlanId OBJECT-TYPE 514 SYNTAX VlanIndex 515 MAX-ACCESS read-only 516 STATUS current 517 DESCRIPTION "This object indicates the VLAN where the last 518 MAC address was seen on this interface. 519 520 This object is also used as a variable in 521 the cpsIfVlanSecureMacAddrViolation notification 522 to contain the value of the VLAN that received the 523 MAC address which caused the violation." 524 ::= { cpsIfConfigEntry 18 } 525 526 527-- Port Security Mac Address Table. 528-- This table is used to both configure and display secure MAC addresses 529-- on an interface. 530 531cpsSecureMacAddressTable OBJECT-TYPE 532 SYNTAX SEQUENCE OF CpsSecureMacAddressEntry 533 MAX-ACCESS not-accessible 534 STATUS deprecated 535 DESCRIPTION "A list of port security entries containing 536 the secure MAC address information." 537 ::= { cpsInterfaceObjects 2 } 538 539cpsSecureMacAddressEntry OBJECT-TYPE 540 SYNTAX CpsSecureMacAddressEntry 541 MAX-ACCESS not-accessible 542 STATUS deprecated 543 DESCRIPTION "Entry containing secure MAC address 544 information for a particular interface. 545 A secure MAC address can be configured 546 by the user and can be added by the agent 547 when the device learns a new secured 548 MAC address. 549 Note that the secure MAC addresses can be 550 configured on an interface even if port 551 security feature is disabled."
552 INDEX { ifIndex, cpsSecureMacAddress } 553 ::= { cpsSecureMacAddressTable 1 } 554 555CpsSecureMacAddressEntry ::= 556 SEQUENCE { 557 cpsSecureMacAddress MacAddress, 558 cpsSecureMacAddrType INTEGER, 559 cpsSecureMacAddrRemainingAge Integer32, 560 cpsSecureMacAddrRowStatus RowStatus 561 } 562 563cpsSecureMacAddress OBJECT-TYPE 564 SYNTAX MacAddress 565 MAX-ACCESS not-accessible 566 STATUS deprecated 567 DESCRIPTION "This object indicates a secure MAC 568 address configured or learned on an 569 interface." 570 ::= { cpsSecureMacAddressEntry 1 } 571 572cpsSecureMacAddrType OBJECT-TYPE 573 SYNTAX INTEGER { static(1), dynamic(2) } 574 MAX-ACCESS read-only 575 STATUS deprecated 576 DESCRIPTION "This object indicates if the secure MAC address 577 is a configured (static) or learned (dynamic) 578 address on this interface." 579 ::= { cpsSecureMacAddressEntry 2 } 580 581cpsSecureMacAddrRemainingAge OBJECT-TYPE 582 SYNTAX Integer32 (0..1440) 583 UNITS "minutes" 584 MAX-ACCESS read-only 585 STATUS deprecated 586 DESCRIPTION "This object indicates the remaining age 587 of the secure MAC address if aging is 588 enabled on that port. A value of 0 indicates 589 that aging is disabled for this MAC address 590 entry." 591 ::= { cpsSecureMacAddressEntry 3 } 592 593cpsSecureMacAddrRowStatus OBJECT-TYPE 594 SYNTAX RowStatus 595 MAX-ACCESS read-create 596 STATUS deprecated 597 DESCRIPTION 598 "This object is a conceptual row entry that allows to add 599 or delete entries to or from the cpsSecureMacAddressTable. 600 601 1. When creating an entry in this table 'createAndGo' 602 method is used and the value of this object is set to 603 'active'. Deactivation of an 'active' entry is not 604 allowed. 605 606 2. When deleting an entry in this table 'destroy' method 607 is used." 
608 ::= { cpsSecureMacAddressEntry 4 } 609 610cpsIfVlanSecureMacAddrTable OBJECT-TYPE 611 SYNTAX SEQUENCE OF CpsIfVlanSecureMacAddrEntry 612 MAX-ACCESS not-accessible 613 STATUS current 614 DESCRIPTION "A list of port security entries containing 615 the secure MAC address information. 616 617 This table is similar to cpsSecureMacAddressTable 618 except that cpsIfVlanSecureVlanIndex is part of 619 the INDEX clause. 620 621 This table is used to configure a secure MAC 622 address on either an access interface or trunking 623 interface which supports the port security feature." 624 ::= { cpsInterfaceObjects 3 } 625 626cpsIfVlanSecureMacAddrEntry OBJECT-TYPE 627 SYNTAX CpsIfVlanSecureMacAddrEntry 628 MAX-ACCESS not-accessible 629 STATUS current 630 DESCRIPTION "Entry containing secure MAC address 631 information for a particular interface. 632 A secure MAC address can be configured 633 by the user and can be added by the agent 634 when the device learns a new secure MAC address. 635 Note that the secure MAC addresses can be 636 configured on an interface even if the port 637 security feature is disabled." 638 INDEX { ifIndex, 639 cpsIfVlanSecureMacAddress, 640 cpsIfVlanSecureVlanIndex } 641 ::= { cpsIfVlanSecureMacAddrTable 1 } 642 643CpsIfVlanSecureMacAddrEntry ::= 644 SEQUENCE { 645 cpsIfVlanSecureMacAddress MacAddress, 646 cpsIfVlanSecureVlanIndex VlanIndex, 647 cpsIfVlanSecureMacAddrType INTEGER, 648 cpsIfVlanSecureMacAddrRemainAge Unsigned32, 649 cpsIfVlanSecureMacAddrRowStatus RowStatus 650 } 651 652cpsIfVlanSecureMacAddress OBJECT-TYPE 653 SYNTAX MacAddress 654 MAX-ACCESS not-accessible 655 STATUS current 656 DESCRIPTION "This object indicates a secure MAC 657 address configured or learned on an 658 interface." 659 ::= { cpsIfVlanSecureMacAddrEntry 1 } 660 661cpsIfVlanSecureVlanIndex OBJECT-TYPE 662 SYNTAX VlanIndex 663 MAX-ACCESS not-accessible 664 STATUS current 665 DESCRIPTION "This object indicates the vlan 666 configured on an interface."
667 ::= { cpsIfVlanSecureMacAddrEntry 2 } 668 669cpsIfVlanSecureMacAddrType OBJECT-TYPE 670 SYNTAX INTEGER { static(1), dynamic(2), sticky(3) } 671 MAX-ACCESS read-only 672 STATUS current 673 DESCRIPTION "This object indicates if the secure MAC address 674 is a configured 'static' or learned 'dynamic' or 675 learned and retained across reboots 'sticky'." 676 ::= { cpsIfVlanSecureMacAddrEntry 3 } 677 678cpsIfVlanSecureMacAddrRemainAge OBJECT-TYPE 679 SYNTAX Unsigned32 680 UNITS "minutes" 681 MAX-ACCESS read-only 682 STATUS current 683 DESCRIPTION "This object indicates the remaining age 684 of the secure MAC address if aging is 685 enabled on that port. A value of 0 indicates 686 that aging is disabled for this MAC address 687 entry." 688 ::= { cpsIfVlanSecureMacAddrEntry 4 } 689 690cpsIfVlanSecureMacAddrRowStatus OBJECT-TYPE 691 SYNTAX RowStatus 692 MAX-ACCESS read-create 693 STATUS current 694 DESCRIPTION 695 "This object is a conceptual row entry that allows adding 696 or deleting entries to or from the 697 cpsIfVlanSecureMacAddrTable. 698 699 1. When creating an entry in this table the 'createAndGo' 700 method is used and the value of this object is set to 701 'active'. Deactivation of an 'active' entry is not 702 allowed. 703 704 2. When deleting an entry in this table the 'destroy' method 705 is used." 706 ::= { cpsIfVlanSecureMacAddrEntry 5 } 707 708-- Port Security Trunk Interface VLAN Table 709-- 710cpsIfVlanTable OBJECT-TYPE 711 SYNTAX SEQUENCE OF CpsIfVlanEntry 712 MAX-ACCESS not-accessible 713 STATUS obsolete 714 DESCRIPTION "Each entry in this table represents 715 port-security information for each vlan 716 that is allowed on trunk interface. 717 718 The number of entries is determined by 719 the number of allowed VLANs on trunk 720 interface in the system. 721 722 An entry in the table gets created when 723 a vlan becomes allowed and gets deleted 724 when a vlan becomes disallowed on a trunk 725 port.
726 727 User cannot create new entries in this 728 table, but can only read and modify 729 existing entries. 730 731 This table is obsolete and replaced with 732 cpsIfMultiVlanTable." 733 734 ::= { cpsInterfaceObjects 4 } 735 736cpsIfVlanEntry OBJECT-TYPE 737 SYNTAX CpsIfVlanEntry 738 MAX-ACCESS not-accessible 739 STATUS obsolete 740 DESCRIPTION "Entry containing port security information for 741 a particular VLAN within a trunk port." 742 INDEX { ifIndex, cpsIfVlanIndex } 743 744 ::= { cpsIfVlanTable 1 } 745 746CpsIfVlanEntry ::= 747 SEQUENCE { 748 cpsIfVlanIndex VlanIndex, 749 cpsIfVlanMaxSecureMacAddr Unsigned32, 750 cpsIfVlanCurSecureMacAddrCount Unsigned32 751 } 752 753cpsIfVlanIndex OBJECT-TYPE 754 SYNTAX VlanIndex 755 MAX-ACCESS not-accessible 756 STATUS obsolete 757 DESCRIPTION "The ID of a VLAN within this trunk port." 758 REFERENCE 759 "IEEE 802.1Q/D11 Section 9.3.2.3" 760 ::= { cpsIfVlanEntry 1 } 761 762cpsIfVlanMaxSecureMacAddr OBJECT-TYPE 763 SYNTAX Unsigned32 (1..2147483647) 764 MAX-ACCESS read-write 765 STATUS obsolete 766 DESCRIPTION "The maximum number of MAC addresses to 767 be secured in the VLAN indicated by 768 cpsIfVlanIndex on this interface. 769 770 If cpsIfVlanMaxSecureMacAddr is not set, 771 its value is 1. 772 773 If cpsIfVlanMaxSecureMacAddr is not set, then 774 the cpsIfMaxSecureMacAddr applies to this 775 VLAN. 776 777 If cpsIfVlanMaxSecureMacAddr is set 778 and is less than cpsIfMaxSecureMacAddr, then 779 the cpsIfVlanMaxSecureMacAddr applies to this 780 VLAN. 781 782 If cpsIfVlanMaxSecureMacAddr is set 783 and is greater than cpsIfMaxSecureMacAddr, then 784 the cpsIfMaxSecureMacAddr applies to this 785 VLAN." 786 ::= { cpsIfVlanEntry 2 } 787 788cpsIfVlanCurSecureMacAddrCount OBJECT-TYPE 789 SYNTAX Unsigned32 (0..2147483647) 790 MAX-ACCESS read-only 791 STATUS obsolete 792 DESCRIPTION "The current number of MAC addresses secured 793 in the VLAN indicated by cpsIfVlanIndex on this 794 interface." 
795 ::= { cpsIfVlanEntry 3 } 796 797 798-- Port Security Interface Multi Vlan Table 799-- 800cpsIfMultiVlanTable OBJECT-TYPE 801 SYNTAX SEQUENCE OF CpsIfMultiVlanEntry 802 MAX-ACCESS not-accessible 803 STATUS current 804 DESCRIPTION 805 "Each entry in this table represents port-security 806 information such as the maximum value of secured 807 mac address allowed, the current number of secure 808 mac address applied on a VLAN that is allowed on 809 multi-vlan interface as well as a mechanism to 810 clear the secure mac address on such VLANs." 811 ::= { cpsInterfaceObjects 5 } 812 813cpsIfMultiVlanEntry OBJECT-TYPE 814 SYNTAX CpsIfMultiVlanEntry 815 MAX-ACCESS not-accessible 816 STATUS current 817 DESCRIPTION 818 "Entry containing port security information for 819 a particular VLAN within a multi-vlan port. When 820 secured mac addresses are learned or configured on 821 such interface denoted by ifIndex and an allowed VLAN 822 in this interface denoted by cpsIfMultiVlanIndex, 823 an entry will be automatically created in this table. 824 825 If there is no corresponding entry in this table 826 for a specific interface and VLAN, the maximum number 827 of secured MAC addresses allowed in such interface 828 and VLAN will be limited in the manner which the device 829 limits the aggregate maximum number of secured MAC 830 address allowed in this specific interface." 831 INDEX { ifIndex, cpsIfMultiVlanIndex } 832 ::= { cpsIfMultiVlanTable 1 } 833 834CpsIfMultiVlanEntry ::= 835 SEQUENCE { 836 cpsIfMultiVlanIndex VlanIndex, 837 cpsIfMultiVlanMaxSecureMacAddr Unsigned32, 838 cpsIfMultiVlanSecureMacAddrCount Unsigned32, 839 cpsIfMultiVlanClearSecureMacAddr ClearSecureMacAddrType, 840 cpsIfMultiVlanRowStatus RowStatus 841 } 842 843cpsIfMultiVlanIndex OBJECT-TYPE 844 SYNTAX VlanIndex 845 MAX-ACCESS not-accessible 846 STATUS current 847 DESCRIPTION 848 "The VLAN ID of an allowed VLAN for this multi-vlan port." 
849 REFERENCE 850 "IEEE 802.1Q/D11 Section 9.3.2.3" 851 ::= { cpsIfMultiVlanEntry 1 } 852 853cpsIfMultiVlanMaxSecureMacAddr OBJECT-TYPE 854 SYNTAX Unsigned32 855 MAX-ACCESS read-create 856 STATUS current 857 DESCRIPTION 858 "The maximum number (N) of MAC addresses to be secured 859 in the VLAN indicated by cpsIfMultiVlanIndex object on 860 this interface. 861 862 Setting the value of this object to zero indicates that 863 there is no specific restriction on the maximum number 864 of MAC addresses to be secured for this particular VLAN 865 in this interface. In this case, the maximum number of 866 secured MAC addresses allowed in this VLAN will be limited 867 in the manner in which the device limits the aggregate maximum 868 number of secured MAC addresses allowed in this interface. 869 870 Changing this object value from N to M (M is greater 871 than 0) is not allowed if M is smaller than N, and M is 872 less than the value of cpsIfMultiVlanSecureMacAddrCount 873 on this VLAN. One way to change the number in this case 874 is by deleting sufficient number of secure mac addresses 875 configured or learned on the VLAN. 876 877 If cpsIfMultiVlanMaxSecureMacAddr is less than 878 cpsIfMaxSecureMacAddr, then the aggregate maximum number 879 of secure mac address allowed in this interface is limited 880 by the value of cpsIfMaxSecureMacAddr, and the maximum 881 number of secure mac address allowed in this VLAN for this 882 interface is the value of cpsIfMultiVlanMaxSecureMacAddr 883 object. 884 885 If cpsIfMultiVlanMaxSecureMacAddr is greater than 886 cpsIfMaxSecureMacAddr, then this object value does not 887 have any effect. The aggregate maximum number of secure mac 888 address allowed in all VLANs for this interface is limited 889 by the value of cpsIfMaxSecureMacAddr object."
890 DEFVAL { 1 } 891 ::= { cpsIfMultiVlanEntry 2 } 892 893cpsIfMultiVlanSecureMacAddrCount OBJECT-TYPE 894 SYNTAX Unsigned32 895 MAX-ACCESS read-only 896 STATUS current 897 DESCRIPTION 898 "The current number of MAC addresses secured in the VLAN 899 indicated by cpsIfMultiVlanIndex object on this interface." 900 ::= { cpsIfMultiVlanEntry 3 } 901 902cpsIfMultiVlanClearSecureMacAddr OBJECT-TYPE 903 SYNTAX ClearSecureMacAddrType 904 MAX-ACCESS read-create 905 STATUS current 906 DESCRIPTION 907 "This objects allows the user to delete secure MAC addresses 908 based on the type specified per interface per VLAN." 909 DEFVAL { done } 910 ::= { cpsIfMultiVlanEntry 4 } 911 912cpsIfMultiVlanRowStatus OBJECT-TYPE 913 SYNTAX RowStatus 914 MAX-ACCESS read-create 915 STATUS current 916 DESCRIPTION 917 "The object is used to manage the creation and deletion 918 of row in this table. It only supports 'active', 'destroy', 919 and 'createAndGo' value. 920 921 Entry in the table gets created by setting 922 cpsIfMultiVlanRowStatus object to 'createAndGo'. 923 Entry in this table gets deleted by setting 924 cpsIfMultiVlanRowStatus object to 'destroy' or 925 when a VLAN indicated by cpsIfMultiVlanIndex object 926 becomes disallowed on a multi-vlan port. 927 928 If the value of cpsIfMultiVlanSecureMacAddrCount object 929 in the same row is greater than zero, this entry cannot 930 be deleted. 931 932 Value of cpsIfMultiVlanMaxSecureMacAddr object can be 933 modified when the value of this RowStatus object is 934 'active'." 
935 ::= { cpsIfMultiVlanEntry 5 } 936 937 938-- 939-- Notifications 940-- 941 942cpsInterfaceNotifs 943 OBJECT IDENTIFIER ::= { ciscoPortSecurityMIBNotifs 0 } 944cpsSecureMacAddrViolation NOTIFICATION-TYPE 945 OBJECTS { ifIndex, ifName, cpsIfSecureLastMacAddress } 946 STATUS current 947 DESCRIPTION 948 "The address violation notification is generated 949 when port security address violation is detected 950 on a secure non-trunk, access interface (that carries 951 a single vlan) and the cpsIfViolationAction is set to 952 'dropNotify'." 953 ::= { cpsInterfaceNotifs 1 } 954 955cpsTrunkSecureMacAddrViolation NOTIFICATION-TYPE 956 OBJECTS { ifName, vtpVlanName, cpsIfSecureLastMacAddress } 957 STATUS deprecated 958 DESCRIPTION 959 "The address violation notification is generated when port 960 security address violation is detected on a secure trunk 961 or a multi-vlan interface and the cpsIfViolationAction is 962 set to 'dropNotify'." 963 ::= { cpsInterfaceNotifs 2 } 964 965cpsIfVlanSecureMacAddrViolation NOTIFICATION-TYPE 966 OBJECTS { ifName, 967 cpsIfSecureLastMacAddrVlanId, 968 cpsIfSecureLastMacAddress 969 } 970 STATUS current 971 DESCRIPTION 972 "The address violation notification is generated 973 when port security address violation is detected 974 on a multi-vlan interface and the cpsIfViolationAction 975 is set to 'dropNotify'." 976 ::= { cpsInterfaceNotifs 3 } 977 978-- 979-- Conformance 980-- 981ciscoPortSecurityMIBCompliances 982 OBJECT IDENTIFIER ::= { ciscoPortSecurityMIBConform 1 } 983ciscoPortSecurityMIBGroups 984 OBJECT IDENTIFIER ::= { ciscoPortSecurityMIBConform 2 } 985 986 987ciscoPortSecurityMIBCompliance MODULE-COMPLIANCE 988 STATUS deprecated -- superceded 989 -- by ciscoPortSecurityMIBCompliance1 990 DESCRIPTION 991 "The compliance statement for the Port Security MIB." 
992 MODULE -- this module 993 MANDATORY-GROUPS { 994 cpsGlobalGroup, 995 cpsInterfaceGroup 996 } 997 998 GROUP cpsExtInterfaceGroup 999 DESCRIPTION 1000 "This group is mandatory only for the device that 1001 is capable of keeping track of the last secure MAC 1002 address learned or configured on the interface." 1003 1004 GROUP cpsNotificationGroup 1005 DESCRIPTION 1006 "This is mandatory only for the device that supports 1007 'dropNotify' of cpsIfViolationAction." 1008 1009 GROUP cpsExtConfigInterfaceGroup 1010 DESCRIPTION 1011 "This group is optional." 1012 1013 OBJECT cpsGlobalPortSecurityEnable 1014 MIN-ACCESS read-only 1015 DESCRIPTION 1016 "read-write access is not required. This may be 1017 read-only." 1018 1019 OBJECT cpsGlobalSNMPNotifRate 1020 MIN-ACCESS read-only 1021 DESCRIPTION 1022 "read-write access is not required." 1023 1024 OBJECT cpsGlobalSNMPNotifControl 1025 MIN-ACCESS read-only 1026 DESCRIPTION 1027 "read-write access is not required." 1028 1029 OBJECT cpsIfSecureMacAddrAgingType 1030 MIN-ACCESS read-only 1031 DESCRIPTION 1032 "read-write access is not required if the device only supports 1033 one aging type." 1034 1035 OBJECT cpsIfViolationAction 1036 SYNTAX INTEGER { shutdown(1) } 1037 DESCRIPTION 1038 "The support of the values 'dropNotify' and/or 'drop' 1039 is not required if the device does not support the 1040 configuration of 'dropNotify' and/or 'drop'." 1041 1042 OBJECT cpsIfViolationCount 1043 DESCRIPTION 1044 "An implementation of violation count is 1045 required only if the device can provide the 1046 number of violations that occurred on the device." 1047 1048 OBJECT cpsIfStaticMacAddrAgingEnable 1049 MIN-ACCESS read-only 1050 DESCRIPTION 1051 "read-write access is not required." 1052 1053 OBJECT cpsIfSecureLastMacAddress 1054 DESCRIPTION 1055 "An implementation of this object is not mandatory." 
1056 1057 OBJECT cpsIfClearSecureAddresses 1058 MIN-ACCESS read-only 1059 DESCRIPTION 1060 "read-write access is not required if the device 1061 does not support the command to clear all secure 1062 address on the interface." 1063 1064 ::= { ciscoPortSecurityMIBCompliances 1 } 1065 1066ciscoPortSecurityMIBCompliance1 MODULE-COMPLIANCE 1067 STATUS deprecated -- superceded 1068 -- by ciscoPortSecurityMIBCompliance2 1069 DESCRIPTION 1070 "The compliance statement for the Port Security MIB." 1071 MODULE -- this module 1072 MANDATORY-GROUPS { 1073 cpsGlobalGroup, 1074 cpsInterfaceGroup1, 1075 cpsIfVlanSecureMacAddrGroup 1076 } 1077 1078 GROUP cpsExtInterfaceGroup 1079 DESCRIPTION 1080 "This group is mandatory only for the device that 1081 is capable of keeping track of the last secure MAC 1082 address learned or configured on the interface." 1083 1084 GROUP cpsNotificationGroup 1085 DESCRIPTION 1086 "This is mandatory only for the device that supports 1087 'dropNotify' of cpsIfViolationAction." 1088 1089 GROUP cpsUnicastFloodingInterfaceGroup 1090 DESCRIPTION 1091 "This group is mandatory only for the device that 1092 is capable of blocking unicast flooded traffic when 1093 the secure address count reaches the threshold on 1094 the interface." 1095 1096 GROUP cpsShutdownTimeoutInterfaceGroup 1097 DESCRIPTION 1098 "This group is mandatory only for the device that 1099 is capable to support shutdown timeout on the 1100 interface." 1101 1102 OBJECT cpsGlobalPortSecurityEnable 1103 MIN-ACCESS read-only 1104 DESCRIPTION 1105 "read-write access is not required. This may be 1106 read-only." 1107 1108 OBJECT cpsGlobalSNMPNotifRate 1109 MIN-ACCESS read-only 1110 DESCRIPTION 1111 "read-write access is not required." 1112 1113 OBJECT cpsGlobalSNMPNotifControl 1114 MIN-ACCESS read-only 1115 DESCRIPTION 1116 "read-write access is not required." 
1117 1118 OBJECT cpsIfSecureMacAddrAgingType 1119 MIN-ACCESS read-only 1120 DESCRIPTION 1121 "read-write is not required if the device only support 1122 one aging type." 1123 1124 OBJECT cpsIfViolationAction 1125 SYNTAX INTEGER { shutdown(1) } 1126 DESCRIPTION 1127 "The support of the values 'dropNotify' and/or 'drop' 1128 is not required if the device does not support the 1129 configuration of 'dropNotify' and/or 'drop'." 1130 1131 OBJECT cpsIfViolationCount 1132 DESCRIPTION 1133 "An implementation of violation count is 1134 required only if the device can provide the 1135 number of the violations occurred on the device." 1136 1137 OBJECT cpsIfStaticMacAddrAgingEnable 1138 MIN-ACCESS read-only 1139 DESCRIPTION 1140 "read-write access is not required." 1141 1142 OBJECT cpsIfSecureLastMacAddress 1143 DESCRIPTION 1144 "An implementation of this object is not mandatory." 1145 1146 OBJECT cpsIfClearSecureAddresses 1147 MIN-ACCESS read-only 1148 DESCRIPTION 1149 "read-write access is not required if the device 1150 does not support the command to clear all secure 1151 address on the interface." 1152 1153 ::= { ciscoPortSecurityMIBCompliances 2 } 1154 1155ciscoPortSecurityMIBCompliance2 MODULE-COMPLIANCE 1156 STATUS obsolete -- superceded 1157 -- by ciscoPortSecurityMIBCompliance3 1158 DESCRIPTION 1159 "The compliance statement for the Port Security MIB." 1160 MODULE -- this module 1161 MANDATORY-GROUPS { 1162 cpsGlobalGroup, 1163 cpsInterfaceGroup2, 1164 cpsIfVlanSecureMacAddrGroup 1165 } 1166 1167 GROUP cpsExtInterfaceGroup 1168 DESCRIPTION 1169 "This group is mandatory only for the device that 1170 is capable of keeping track of the last secure MAC 1171 address learned or configured on the interface." 1172 1173 GROUP cpsNotificationGroup 1174 DESCRIPTION 1175 "This is mandatory only for the device that supports 1176 'dropNotify' of cpsIfViolationAction." 
1177 1178 GROUP cpsUnicastFloodingInterfaceGroup 1179 DESCRIPTION 1180 "This group is mandatory only for the device that 1181 is capable of blocking unicast flooded traffic when 1182 the secure address count reaches the threshold on 1183 the interface." 1184 1185 GROUP cpsShutdownTimeoutInterfaceGroup 1186 DESCRIPTION 1187 "This group is mandatory only for the device that 1188 is capable to support shutdown timeout on the 1189 interface." 1190 1191 OBJECT cpsGlobalPortSecurityEnable 1192 MIN-ACCESS read-only 1193 DESCRIPTION 1194 "read-write access is not required. This may be 1195 read-only." 1196 1197 OBJECT cpsGlobalSNMPNotifRate 1198 MIN-ACCESS read-only 1199 DESCRIPTION 1200 "read-write access is not required." 1201 1202 OBJECT cpsGlobalSNMPNotifControl 1203 MIN-ACCESS read-only 1204 DESCRIPTION 1205 "read-write access is not required." 1206 1207 OBJECT cpsIfSecureMacAddrAgingType 1208 MIN-ACCESS read-only 1209 DESCRIPTION 1210 "read-write is not required if the device only support 1211 one aging type." 1212 1213 OBJECT cpsIfViolationAction 1214 SYNTAX INTEGER { shutdown(1) } 1215 DESCRIPTION 1216 "The support of the values 'dropNotify' and/or 'drop' 1217 is not required if the device does not support the 1218 configuration of 'dropNotify' and/or 'drop'." 1219 1220 OBJECT cpsIfViolationCount 1221 DESCRIPTION 1222 "An implementation of violation count is 1223 required only if the device can provide the 1224 number of the violations occurred on the device." 1225 1226 OBJECT cpsIfStaticMacAddrAgingEnable 1227 MIN-ACCESS read-only 1228 DESCRIPTION 1229 "read-write access is not required." 1230 1231 OBJECT cpsIfSecureLastMacAddress 1232 DESCRIPTION 1233 "An implementation of this object is not mandatory." 1234 GROUP cpsIfVlanGroup 1235 DESCRIPTION 1236 "This group is mandatory only for the device that 1237 is capable to support trunk port security on the 1238 interfaces." 
1239 1240 GROUP cpsGlobalClearAddressGroup 1241 DESCRIPTION 1242 "This group is mandatory only for the device that 1243 is capable of clearing secure addresses from 1244 the system." 1245 1246 OBJECT cpsGlobalClearSecureMacAddresses 1247 MIN-ACCESS read-only 1248 DESCRIPTION 1249 "read-write access is not required if the device 1250 does not support the command to clear all secure 1251 address on the interface." 1252 1253 OBJECT cpsIfClearSecureMacAddresses 1254 MIN-ACCESS read-only 1255 DESCRIPTION 1256 "read-write access is not required if the device 1257 does not support the command to clear all secure 1258 address on the interface." 1259 1260 ::= { ciscoPortSecurityMIBCompliances 3 } 1261 1262 1263ciscoPortSecurityMIBCompliance3 MODULE-COMPLIANCE 1264 STATUS obsolete -- superceded by 1265 -- ciscoPortSecurityMIBCompliance4 1266 DESCRIPTION 1267 "The compliance statement for the Port Security MIB." 1268 MODULE -- this module 1269 MANDATORY-GROUPS { 1270 cpsGlobalGroup, 1271 cpsInterfaceGroup2, 1272 cpsIfVlanSecureMacAddrGroup 1273 } 1274 1275 GROUP cpsExtInterfaceGroup 1276 DESCRIPTION 1277 "This group is mandatory only for the device that 1278 is capable of keeping track of the last secure MAC 1279 address learned or configured on the interface." 1280 1281 GROUP cpsNotificationGroup 1282 DESCRIPTION 1283 "This is mandatory only for the device that supports 1284 'dropNotify' of cpsIfViolationAction." 1285 1286 GROUP cpsUnicastFloodingInterfaceGroup 1287 DESCRIPTION 1288 "This group is mandatory only for the device that 1289 is capable of blocking unicast flooded traffic when 1290 the secure address count reaches the threshold on 1291 the interface." 1292 1293 GROUP cpsShutdownTimeoutInterfaceGroup 1294 DESCRIPTION 1295 "This group is mandatory only for the device that 1296 is capable to support shutdown timeout on the 1297 interface." 1298 1299 OBJECT cpsGlobalPortSecurityEnable 1300 MIN-ACCESS read-only 1301 DESCRIPTION 1302 "read-write access is not required. 
This may be 1303 read-only." 1304 1305 OBJECT cpsGlobalSNMPNotifRate 1306 MIN-ACCESS read-only 1307 DESCRIPTION 1308 "read-write access is not required." 1309 1310 OBJECT cpsGlobalSNMPNotifControl 1311 MIN-ACCESS read-only 1312 DESCRIPTION 1313 "read-write access is not required." 1314 1315 OBJECT cpsIfSecureMacAddrAgingType 1316 MIN-ACCESS read-only 1317 DESCRIPTION 1318 "read-write is not required if the device only support 1319 one aging type." 1320 1321 OBJECT cpsIfViolationAction 1322 SYNTAX INTEGER { shutdown(1) } 1323 DESCRIPTION 1324 "The support of the values 'dropNotify' and/or 'drop' 1325 is not required if the device does not support the 1326 configuration of 'dropNotify' and/or 'drop'." 1327 1328 OBJECT cpsIfViolationCount 1329 DESCRIPTION 1330 "An implementation of violation count is 1331 required only if the device can provide the 1332 number of the violations occurred on the device." 1333 1334 OBJECT cpsIfStaticMacAddrAgingEnable 1335 MIN-ACCESS read-only 1336 DESCRIPTION 1337 "read-write access is not required." 1338 1339 OBJECT cpsIfSecureLastMacAddress 1340 DESCRIPTION 1341 "An implementation of this object is not mandatory." 1342 GROUP cpsIfVlanGroup 1343 DESCRIPTION 1344 "This group is mandatory only for the device that 1345 is capable to support trunk port security on the 1346 interfaces." 1347 1348 GROUP cpsGlobalClearAddressGroup 1349 DESCRIPTION 1350 "This group is mandatory only for the device that 1351 is capable of clearing secure addresses from 1352 the system." 1353 1354 OBJECT cpsGlobalClearSecureMacAddresses 1355 MIN-ACCESS read-only 1356 DESCRIPTION 1357 "read-write access is not required if the device 1358 does not support the command to clear all secure 1359 address on the interface." 1360 1361 OBJECT cpsIfClearSecureMacAddresses 1362 MIN-ACCESS read-only 1363 DESCRIPTION 1364 "read-write access is not required if the device 1365 does not support the command to clear all secure 1366 address on the interface." 
1367 1368 GROUP cpsTrunkSecureNotificationGroup 1369 DESCRIPTION 1370 "This group is mandatory only if the device supports 1371 port-security feature on a trunk or multi-vlan port and 1372 also supports the 'dropNotify' option for the object 1373 cpsIfViolationAction." 1374 1375 ::= { ciscoPortSecurityMIBCompliances 4 } 1376 1377ciscoPortSecurityMIBCompliance4 MODULE-COMPLIANCE 1378 STATUS current 1379 DESCRIPTION 1380 "The compliance statement for the Port Security MIB." 1381 MODULE -- this module 1382 MANDATORY-GROUPS { 1383 cpsGlobalGroup, 1384 cpsInterfaceGroup2, 1385 cpsIfVlanSecureMacAddrGroup 1386 } 1387 1388 GROUP cpsExtInterfaceGroup 1389 DESCRIPTION 1390 "This group is mandatory only for the device that 1391 is capable of keeping track of the last secure MAC 1392 address learned or configured on the interface." 1393 1394 GROUP cpsNotificationGroup 1395 DESCRIPTION 1396 "This is mandatory only for the device that supports 1397 'dropNotify' of cpsIfViolationAction." 1398 1399 GROUP cpsUnicastFloodingInterfaceGroup 1400 DESCRIPTION 1401 "This group is mandatory only for the device that 1402 is capable of blocking unicast flooded traffic when 1403 the secure address count reaches the threshold on 1404 the interface." 1405 1406 GROUP cpsShutdownTimeoutInterfaceGroup 1407 DESCRIPTION 1408 "This group is mandatory only for the device that 1409 is capable to support shutdown timeout on the 1410 interface." 1411 1412 OBJECT cpsGlobalPortSecurityEnable 1413 MIN-ACCESS read-only 1414 DESCRIPTION 1415 "read-write access is not required. This may be 1416 read-only." 1417 1418 OBJECT cpsGlobalSNMPNotifRate 1419 MIN-ACCESS read-only 1420 DESCRIPTION 1421 "read-write access is not required." 1422 1423 OBJECT cpsGlobalSNMPNotifControl 1424 MIN-ACCESS read-only 1425 DESCRIPTION 1426 "read-write access is not required." 
1427 1428 OBJECT cpsIfSecureMacAddrAgingType 1429 MIN-ACCESS read-only 1430 DESCRIPTION 1431 "read-write access is not required if the device only supports 1432 one aging type." 1433 1434 OBJECT cpsIfViolationAction 1435 SYNTAX INTEGER { shutdown(1) } 1436 DESCRIPTION 1437 "The support of the values 'dropNotify' and/or 'drop' 1438 is not required if the device does not support the 1439 configuration of 'dropNotify' and/or 'drop'." 1440 1441 OBJECT cpsIfViolationCount 1442 DESCRIPTION 1443 "An implementation of violation count is 1444 required only if the device can provide the 1445 number of violations that occurred on the device." 1446 1447 OBJECT cpsIfStaticMacAddrAgingEnable 1448 MIN-ACCESS read-only 1449 DESCRIPTION 1450 "read-write access is not required." 1451 1452 OBJECT cpsIfSecureLastMacAddress 1453 DESCRIPTION 1454 "An implementation of this object is not mandatory." 1455 1456 GROUP cpsIfMultiVlanGroup 1457 DESCRIPTION 1458 "This group is mandatory only for the device that 1459 is capable of supporting port security on the multi-vlan 1460 interfaces as well as capable of supporting the maximum 1461 number of secure MAC addresses specified per interface 1462 per VLAN." 1463 1464 GROUP cpsGlobalClearAddressGroup 1465 DESCRIPTION 1466 "This group is mandatory only for the device that 1467 is capable of clearing secure addresses from 1468 the system." 1469 1470 OBJECT cpsGlobalClearSecureMacAddresses 1471 MIN-ACCESS read-only 1472 DESCRIPTION 1473 "read-write access is not required if the device 1474 does not support the command to clear all secure 1475 addresses on the interface." 1476 1477 OBJECT cpsIfClearSecureMacAddresses 1478 MIN-ACCESS read-only 1479 DESCRIPTION 1480 "read-write access is not required if the device 1481 does not support the command to clear all secure 1482 addresses on the interface." 
1483 1484 GROUP cpsIfVlanSecureNotificationGroup 1485 DESCRIPTION 1486 "This group is mandatory only if the device supports the 1487 port-security feature on a multi-vlan port and 1488 also supports the 'dropNotify' option for the object 1489 cpsIfViolationAction." 1490 1491 GROUP cpsExtInterfaceGroup1 1492 DESCRIPTION 1493 "This group is mandatory only for the device that 1494 is capable of keeping track of the VLAN-id for the last 1495 MAC address seen on the interface." 1496 1497 ::= { ciscoPortSecurityMIBCompliances 5 } 1498 1499-- 1500-- Units of Conformance 1501-- 1502cpsGlobalGroup OBJECT-GROUP 1503 OBJECTS { 1504 cpsGlobalMaxSecureAddress, 1505 cpsGlobalTotalSecureAddress, 1506 cpsGlobalPortSecurityEnable, 1507 cpsGlobalSNMPNotifRate, 1508 cpsGlobalSNMPNotifControl 1509 } 1510 STATUS current 1511 DESCRIPTION 1512 "A collection of objects for use with the Port 1513 Security feature." 1514 ::= { ciscoPortSecurityMIBGroups 1 } 1515 1516cpsInterfaceGroup OBJECT-GROUP 1517 OBJECTS { 1518 cpsIfPortSecurityEnable, 1519 cpsIfPortSecurityStatus, 1520 cpsIfMaxSecureMacAddr, 1521 cpsIfCurrentSecureMacAddrCount, 1522 cpsIfSecureMacAddrAgingType, 1523 cpsIfSecureMacAddrAgingTime, 1524 cpsIfStaticMacAddrAgingEnable, 1525 cpsIfViolationAction, 1526 cpsIfViolationCount, 1527 cpsIfClearSecureAddresses, 1528 cpsSecureMacAddrType, 1529 cpsSecureMacAddrRemainingAge, 1530 cpsSecureMacAddrRowStatus 1531 } 1532 STATUS deprecated 1533 DESCRIPTION 1534 "********* THIS GROUP IS DEPRECATED ********** 1535 A collection of objects for use with the Port 1536 Security feature." 1537 ::= { ciscoPortSecurityMIBGroups 2 } 1538 1539cpsExtInterfaceGroup OBJECT-GROUP 1540 OBJECTS { cpsIfSecureLastMacAddress } 1541 STATUS current 1542 DESCRIPTION 1543 "A collection of objects providing the additional 1544 information for the Port Security feature." 
1545 ::= { ciscoPortSecurityMIBGroups 3 } 1546 1547cpsNotificationGroup NOTIFICATION-GROUP 1548 NOTIFICATIONS { cpsSecureMacAddrViolation } 1549 STATUS current 1550 DESCRIPTION 1551 "A collection of notifications for use 1552 with the Port Security feature." 1553 ::= { ciscoPortSecurityMIBGroups 4 } 1554 1555cpsUnicastFloodingInterfaceGroup OBJECT-GROUP 1556 OBJECTS { cpsIfUnicastFloodingEnable } 1557 STATUS current 1558 DESCRIPTION 1559 "A collection of objects providing the 1560 unicast flooding information for the 1561 Port Security feature." 1562 ::= { ciscoPortSecurityMIBGroups 5 } 1563 1564cpsShutdownTimeoutInterfaceGroup OBJECT-GROUP 1565 OBJECTS { cpsIfShutdownTimeout } 1566 STATUS current 1567 DESCRIPTION 1568 "A collection of objects providing the 1569 shutdown timeout information for the 1570 Port Security feature." 1571 ::= { ciscoPortSecurityMIBGroups 6 } 1572 1573cpsIfVlanSecureMacAddrGroup OBJECT-GROUP 1574 OBJECTS { 1575 cpsIfVlanSecureMacAddrType, 1576 cpsIfVlanSecureMacAddrRemainAge, 1577 cpsIfVlanSecureMacAddrRowStatus 1578 } 1579 STATUS current 1580 DESCRIPTION 1581 "A collection of objects for use with the Port 1582 Security feature." 1583 ::= { ciscoPortSecurityMIBGroups 8 } 1584 1585cpsInterfaceGroup1 OBJECT-GROUP 1586 OBJECTS { 1587 cpsIfPortSecurityEnable, 1588 cpsIfPortSecurityStatus, 1589 cpsIfMaxSecureMacAddr, 1590 cpsIfCurrentSecureMacAddrCount, 1591 cpsIfSecureMacAddrAgingType, 1592 cpsIfSecureMacAddrAgingTime, 1593 cpsIfStaticMacAddrAgingEnable, 1594 cpsIfViolationAction, 1595 cpsIfViolationCount, 1596 cpsIfClearSecureAddresses 1597 } 1598 STATUS deprecated -- superceded 1599 -- by cpsInterfaceGroup2 1600 DESCRIPTION 1601 "********* THIS GROUP IS DEPRECATED ********** 1602 A collection of objects for use with the Port 1603 Security configuration." 
1604 ::= { ciscoPortSecurityMIBGroups 9 } 1605 1606cpsExtConfigInterfaceGroup OBJECT-GROUP 1607 OBJECTS { 1608 cpsIfShutdownTimeout, 1609 cpsIfUnicastFloodingEnable 1610 } 1611 STATUS deprecated 1612 DESCRIPTION 1613 "********* THIS GROUP IS DEPRECATED ********** 1614 A collection of objects providing the additional 1615 information for the Port Security feature." 1616 ::= { ciscoPortSecurityMIBGroups 10 } 1617 1618cpsIfVlanGroup OBJECT-GROUP 1619 OBJECTS { 1620 cpsIfVlanMaxSecureMacAddr, 1621 cpsIfVlanCurSecureMacAddrCount 1622 } 1623 STATUS obsolete 1624 DESCRIPTION 1625 "A collection of objects providing additional trunk 1626 VLAN information for the Port Security feature on a 1627 given interface." 1628 ::= { ciscoPortSecurityMIBGroups 11 } 1629 1630cpsGlobalClearAddressGroup OBJECT-GROUP 1631 OBJECTS { 1632 cpsGlobalClearSecureMacAddresses 1633 } 1634 STATUS current 1635 DESCRIPTION 1636 "A collection of objects for clearing addresses 1637 on the device." 1638 ::={ ciscoPortSecurityMIBGroups 12 } 1639 1640cpsInterfaceGroup2 OBJECT-GROUP 1641 OBJECTS { 1642 cpsIfPortSecurityEnable, 1643 cpsIfPortSecurityStatus, 1644 cpsIfMaxSecureMacAddr, 1645 cpsIfCurrentSecureMacAddrCount, 1646 cpsIfSecureMacAddrAgingType, 1647 cpsIfSecureMacAddrAgingTime, 1648 cpsIfStaticMacAddrAgingEnable, 1649 cpsIfViolationAction, 1650 cpsIfViolationCount, 1651 cpsIfClearSecureMacAddresses, 1652 cpsIfInvalidSrcRateLimitEnable, 1653 cpsIfInvalidSrcRateLimitValue, 1654 cpsIfStickyEnable 1655 1656 } 1657 STATUS current 1658 DESCRIPTION 1659 "A collection of objects for use with the Port 1660 Security configuration." 1661 ::= { ciscoPortSecurityMIBGroups 13 } 1662 1663cpsTrunkSecureNotificationGroup NOTIFICATION-GROUP 1664 NOTIFICATIONS { cpsTrunkSecureMacAddrViolation } 1665 STATUS deprecated 1666 DESCRIPTION 1667 "A collection of trunk or multi-vlan port related 1668 notifications for use with the port-security feature." 
1669 ::= { ciscoPortSecurityMIBGroups 14 } 1670 1671cpsIfMultiVlanGroup OBJECT-GROUP 1672 OBJECTS { 1673 cpsIfMultiVlanMaxSecureMacAddr, 1674 cpsIfMultiVlanSecureMacAddrCount, 1675 cpsIfMultiVlanClearSecureMacAddr, 1676 cpsIfMultiVlanRowStatus 1677 } 1678 STATUS current 1679 DESCRIPTION 1680 "A collection of objects providing additional per 1681 interface per VLAN port security feature information 1682 on a multi-vlan interface." 1683 ::= { ciscoPortSecurityMIBGroups 15 } 1684 1685cpsIfVlanSecureNotificationGroup NOTIFICATION-GROUP 1686 NOTIFICATIONS { cpsIfVlanSecureMacAddrViolation } 1687 STATUS current 1688 DESCRIPTION 1689 "A collection of trunk or multi-vlan port related 1690 notifications for use with the port-security feature." 1691 ::= { ciscoPortSecurityMIBGroups 16 } 1692 1693cpsExtInterfaceGroup1 OBJECT-GROUP 1694 OBJECTS { cpsIfSecureLastMacAddrVlanId } 1695 STATUS current 1696 DESCRIPTION 1697 "A collection of objects providing the information of 1698 the VLAN-id for the last MAC address seen on the 1699 interface." 1700 ::= { ciscoPortSecurityMIBGroups 17 } 1701 1702END 1703 1704 1705 1706