-- *****************************************************************
-- CISCO-ACL-MIB
--
-- Definitions of managed objects describing Cisco Access Control
-- Lists.
--
-- March 2013, Kapil Jain, Jorge Serpa
--
-- Copyright (c) 2013 by Cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************

CISCO-ACL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Counter64,
    Unsigned32,
    Integer32
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION,
    RowStatus
        FROM SNMPv2-TC
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddressType,
    InetPortNumber,
    InetAddress
        FROM INET-ADDRESS-MIB
    ifIndex
        FROM IF-MIB
    CiscoIpProtocol
        FROM CISCO-TC
    ciscoMgmt
        FROM CISCO-SMI;


ciscoACLMIB MODULE-IDENTITY
    LAST-UPDATED    "201303270000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        "Cisco Systems
        Customer Service

        Postal: 170 West Tasman Drive
        San Jose, CA 95134
        USA

        Tel: +1 800 553-NETS

        E-mail: cs-snmp@cisco.com"

    DESCRIPTION
        "This MIB module defines objects that describe Cisco Access
        Control Lists (ACL).

        This MIB describes different objects that enable the
        network administrator to remotely configure ACLs, apply them
        to interfaces and monitor their usage statistics.

        A typical application of this MIB module will facilitate
        monitoring of ACL match (sometimes referred to as hit) counts.
        However, by no means does the definition of this MIB module
        prevent other applications from using it.

        An ACL is an ordered list of statements that deny or permit
        packets based on matching fields contained within the packet
        header (layer 3 source and destination addresses, layer 4
        protocol, layer 4 source and destination port numbers, etc.). In
        addition there is an implicit *Deny All* at the end of the ACL.
        ACLs are used to perform packet filtering to control
        which packets are allowed through the network. Such control
        can help limit network traffic, and restrict the access of
        applications and devices on the network. Each one of these
        statements is referred to as an Access List Control Entry
        (ACE).
        Here is an example of an ACL configuration.
            ipv4 access-list V4Example
                10 permit tcp any any
            !
            ipv6 access-list V6Example
                10 permit tcp any any
            !

        ACL usage is monitored by configuring a counter label in
        the desired ACEs. A counter label is a name
        that is given to a counter and is defined in any ACE. ACEs
        that share the same counter label name will have their counters
        aggregated into the same label.
        Here is an example of how to use counter labels.
            ipv4 access-list V4CounterExample
                10 permit tcp any any counter CountPermits
                20 permit udp any any counter CountPermits

        The same applies to IPv6 ACLs.

        This MIB consists of the following tables:
        * caAclCfgTable
            Defines the ACLs configured in the device.
        * caAclIPV4ACECfgTable
            Defines the ACEs that make up an IPV4 ACL.
        * caAclIPV6ACECfgTable
            Defines the ACEs that make up an IPV6 ACL.
        * caAclAccessGroupCfgTable
            Defines the Access Control Groups (ACG) applied to
            interfaces on the device.
        * caAclLabelIntfStatsTable
            Defines the statistics for a specific ACE with counter
            labels attached to interfaces on the device.
        "
    REVISION        "201303270000Z"
    DESCRIPTION
        "The initial version of this MIB module."
    ::= { ciscoMgmt 808 }


-- ********************************************************************
-- *                        Top-Level Trees                           *
-- ********************************************************************

caAclMIBObjects         OBJECT IDENTIFIER ::= { ciscoACLMIB 1 }
caAclMIBConformance     OBJECT IDENTIFIER ::= { ciscoACLMIB 2 }

caAclConfiguration      OBJECT IDENTIFIER ::= { caAclMIBObjects 1 }
caAclStats              OBJECT IDENTIFIER ::= { caAclMIBObjects 2 }

caAclMIBACEConform      OBJECT IDENTIFIER ::= { caAclMIBConformance 1 }

caAclMIBACECompliances  OBJECT IDENTIFIER ::= { caAclMIBACEConform 1 }

caAclMIBCfgGroups       OBJECT IDENTIFIER ::= { caAclMIBACEConform 2 }


-- ********************************************************************
-- *                      Textual Conventions                         *
-- ********************************************************************

CaAclTrafficDirection ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the direction of the ACL
        ingress - in the ingress (input) direction,
        egress  - in the egress (output) direction."
    SYNTAX          INTEGER  {
                        ingress(1),
                        egress(2)
                    }

CaAclACLIndex ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "d"
    STATUS          current
    DESCRIPTION
        "A unique value, greater than zero, for each ACL name in the
        managed system. It is recommended that these values be assigned
        contiguously starting from 1. The value for each ACL name must
        remain constant at least from one re-initialization of the
        entity's network management system to the next
        re-initialization."
    SYNTAX          Unsigned32 (1..4294967295)

CaAclSequenceNumber ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "d"
    STATUS          current
    DESCRIPTION
        "An unsigned 32-bit integer value."
    SYNTAX          Unsigned32 (1..4294967295)

CaAclPortOperator ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual convention represents the operator that will be
        applied on the transport layer source/destination ports. The
        port in packets to be filtered and the port (or port range in
        case of range(5)).
        lt(1)    - match ports that are smaller than the configured value.
        gt(2)    - match ports that are greater than the configured value.
        eq(3)    - match ports that are equal to the configured value.
        neq(4)   - match ports that are not equal to the configured value.
        range(5) - match ports in the range of configured values,
                   inclusive."
    SYNTAX          INTEGER  {
                        lt(1),
                        gt(2),
                        eq(3),
                        neq(4),
                        range(5)
                    }

CaAclAction ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the action to be taken on packets
        that match the ACE.
        permit(1) the packet will be considered for further processing.
        deny(2)   the packet will be dropped without any further
                  processing."
    SYNTAX          INTEGER  {
                        permit(1),
                        deny(2)
                    }

CaAclLogOption ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Enumeration value indicating the log option that is to be
        applied to an ACE. Currently the options are log-input and
        log. The difference between log and logInput is that logInput
        logs all the information as in log, with the addition of
        ingress interface as well as the MAC address of the device
        that last handled the packet."
    SYNTAX          INTEGER  {
                        log(1),
                        logInput(2)
                    }

CaAclTcpFlagsMatch ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "An enumeration value indicating the type of matching that
        is to be done on the TCP flags field of the packet, providing
        that the packet being filtered is a TCP packet.
        matchAny(1)  - take caAclAction if any of TCP flags in the
                       packet match the configured value.
        matchAll(2)  - take caAclAction only if all the TCP flags in
                       packet match the configured value.
        matchNone(3) - take caAclAction only if none of the TCP flags
                       in the packet match the configured value.
        "
    SYNTAX          INTEGER  {
                        matchAny(1),
                        matchAll(2),
                        matchNone(3)
                    }

CaAclPrecedenceValue ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "An enumeration value indicating the value of the precedence
        field. It is specified as a number between 0 and 7, as defined
        in RFC-791."
    SYNTAX          INTEGER  {
                        routine(0),
                        priority(1),
                        immediate(2),
                        flash(3),
                        flashOverride(4),
                        critical(5),
                        internet(6),
                        network(7)
                    }

-- ********************************************************************
--     ACL entry table                                                *
-- ********************************************************************

caAclCfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclCfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of ACL definitions. Each entry in this table defines
        a unique IPV4 or IPV6 ACL."
    ::= { caAclConfiguration 1 }

caAclCfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclCfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclTable. Each entry of this table
        consists of acl index and the address type. This is so that
        the table may contain both IPV4 and IPV6 ACLs."
    INDEX           {
                        caAclIndex,
                        caAclAddressType
                    }
    ::= { caAclCfgTable 1 }

CaAclCfgTableEntry ::= SEQUENCE {
    caAclIndex          CaAclACLIndex,
    caAclAddressType    InetAddressType,
    caAclName           SnmpAdminString,
    caAclRowStatus      RowStatus
}

caAclIndex OBJECT-TYPE
    SYNTAX          CaAclACLIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An arbitrary (system assigned) index for each ACL name.
        The index is unique for each ACL name in the device, but is
        further qualified by the address family.

        For example, consider the following configuration:
            ipv4 access-list ACL1
                10 permit ipv4 any any
            !
            ipv6 access-list ACL1
                10 permit ipv6 any any

        In this case the caAclIndex value for both ACLs will be the
        same."
    ::= { caAclCfgTableEntry 1 }

caAclAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object defines the address family of the ACL."
    ::= { caAclCfgTableEntry 2 }

caAclName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "A string that identifies the ACL name."
    ::= { caAclCfgTableEntry 3 }

caAclRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry
        in the caAclTable.

        A row can be created using the 'CreateAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent. Once a row becomes active, values in
        any other column within the row cannot be modified.

        A row may be deleted by setting the RowStatus to 'destroy'."
    ::= { caAclCfgTableEntry 4 }


-- ********************************************************************
--     IPV4 ACE entry table                                           *
-- ********************************************************************

caAclIPV4ACECfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclIPV4ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of IPV4 ACE definitions. The ACE definition controls
        whether packets are accepted or rejected.
        The access control may be applied before sending the packet
        to the forwarding engine, or may be applied after the packet
        is processed by the forwarding engine.

        If two ACE entries with the same sequence number are configured
        the latter will overwrite the former."
    ::= { caAclConfiguration 2 }

caAclIPV4ACECfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclIPV4ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclIPV4ACLTable. Each entry of this
        table consists of a set of match criteria for a given ACL."
    INDEX           {
                        caAclIndex,
                        caAclAddressType,
                        caAclIPV4ACESequenceNumber
                    }
    ::= { caAclIPV4ACECfgTable 1 }

CaAclIPV4ACECfgTableEntry ::= SEQUENCE {
    caAclIPV4ACESequenceNumber          CaAclSequenceNumber,
    caAclIPV4ACEAction                  CaAclAction,
    caAclIPV4ACEProtocol                CiscoIpProtocol,
    caAclIPV4ACESourceAddress           InetAddress,
    caAclIPV4ACESourceWildCardMask      InetAddress,
    caAclIPV4ACESourceNetworkGroup      SnmpAdminString,
    caAclIPV4ACESourcePortOperator      CaAclPortOperator,
    caAclIPV4ACESourcePort              InetPortNumber,
    caAclIPV4ACESourcePortUpper         InetPortNumber,
    caAclIPV4ACESourcePortGroup         SnmpAdminString,
    caAclIPV4ACEDestinationAddress      InetAddress,
    caAclIPV4ACEDestinationWildCardMask InetAddress,
    caAclIPV4ACEDestinationNetworkGroup SnmpAdminString,
    caAclIPV4ACEDestinationPortOperator CaAclPortOperator,
    caAclIPV4ACEDestinationPort         InetPortNumber,
    caAclIPV4ACEDestinationPortUpper    InetPortNumber,
    caAclIPV4ACEDestinationPortGroup    SnmpAdminString,
    caAclIPV4ACEDscpValue               Unsigned32,
    caAclIPV4ACETcpFlagsValue           Unsigned32,
    caAclIPV4ACETcpFlagsMask            Unsigned32,
    caAclIPV4ACETcpFlagsMatchType       CaAclTcpFlagsMatch,
    caAclIPV4ACETosValue                Unsigned32,
    caAclIPV4ACEPrecedenceValue         CaAclPrecedenceValue,
    caAclIPV4ACELogOption               CaAclLogOption,
    caAclIPV4ACECounterLabel            SnmpAdminString,
    caAclIPV4ACERemark                  SnmpAdminString,
    caAclIPV4ACERowStatus               RowStatus
}

caAclIPV4ACESequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies an ACE within an ACL. Sequence
        numbers are assigned to each permit/deny statement, causing the
        system to insert the statement in that numbered position within
        the ACL. If two ACE entries with the same sequence number are
        configured, the latter one will overwrite the former."
    ::= { caAclIPV4ACECfgTableEntry 1 }

caAclIPV4ACEAction OBJECT-TYPE
    SYNTAX          CaAclAction
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the type of action to be taken if the
        packet matches the given criteria.

        If it is set to permit(1), all packets matching this ACE will
        be allowed for further processing.

        If it is set to deny(2), all packets matching this ACE will
        be discarded."
    ::= { caAclIPV4ACECfgTableEntry 2 }

caAclIPV4ACEProtocol OBJECT-TYPE
    SYNTAX          CiscoIpProtocol
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object identifies the layer 3 protocol type to be
        filtered by the ACE. Protocol numbers are defined in the
        Network Working Group Request For Comment documents."
    REFERENCE
        "RFC-790, Assigned Numbers, September 1981, Section
        Assigned Internet Protocol Numbers."
    ::= { caAclIPV4ACECfgTableEntry 3 }

caAclIPV4ACESourceAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host from
        which the packet is being sent. If this object value is 0.0.0.0
        and the value of caAclIPV4ACESourceWildCardMask object in the
        same entry is 255.255.255.255, this entry matches any source
        address.

        If this object value is not 0.0.0.0 and the value of
        caAclIPV4ACESourceWildCardMask is 0.0.0.0, this entry matches
        the specific host address defined in this object."
    ::= { caAclIPV4ACECfgTableEntry 4 }

caAclIPV4ACESourceWildCardMask OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the mask of wild card address bits
        for caAclIPV4ACESourceAddress. Wild card masking is to indicate
        to the system whether to check or ignore the corresponding
        IP address bits when comparing the address bits in an ACL
        to a packet being submitted to the ACL. The default wild card
        mask is 0.0.0.0. The wild card mask is the inverse of a
        regular subnet mask. If the mask value 0.0.0.255 is applied to
        1.2.3.0."
    ::= { caAclIPV4ACECfgTableEntry 5 }

caAclIPV4ACESourceNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Network Object Group from
        which the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 6 }

caAclIPV4ACESourcePortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed to the layer
        4 source port field. Source port fields are present only for
        IGMP, ICMP, SCTP, TCP, and UDP protocols.

        If caAclIPV4ACEProtocol is none of the ones listed above, this
        field should be set to noOperator(1), which means no comparison
        is to be performed.

        If this field is set to range(5) then two port numbers are
        necessary. I.e., both caAclIPV4ACESourcePort and
        caAclIPV4ACESourcePortUpper need to be provided."
    ::= { caAclIPV4ACECfgTableEntry 7 }

caAclIPV4ACESourcePort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the source port number of the layer 4
        protocol. This is the field to be matched with the specified
        source port based on the caAclIPV4ACESourcePortOperator. If
        caAclIPV4ACESourcePortOperator is range(5) then this object
        will have the inclusive lower bound of the source port range
        that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 8 }

caAclIPV4ACESourcePortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        source port range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 9 }

caAclIPV4ACESourcePortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group from which
        the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 10 }

caAclIPV4ACEDestinationAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host to
        which the packet is being sent. If this object value is 0.0.0.0
        and the value of caAclIPV4ACLDestinationWildCardMask object in
        the same entry is 255.255.255.255, this entry matches any
        source IP address.

        If this object value is not 0.0.0.0 and the value of
        caAclIPV4ACLDestinationWildCardMask is 0.0.0.0, this entry
        matches the specific host address defined in this object."
    ::= { caAclIPV4ACECfgTableEntry 11 }

caAclIPV4ACEDestinationWildCardMask OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the mask of wild card address bits
        for caAclIPV4ACLDestinationAddress. Wild card masking is to
        indicate to the system whether to check or ignore the
        corresponding IP address bits when comparing the address
        bits in an ACE to a packet being submitted to the ACE. The
        default wild card mask is 0.0.0.0. The wild card mask is the
        inverse of a regular subnet mask. If the mask value 0.0.0.255
        is applied to the address 1.2.3.4, it will match all traffic
        from subnet 1.2.3.0."
    ::= { caAclIPV4ACECfgTableEntry 12 }

caAclIPV4ACEDestinationNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Destination Network Object Group to
        which the packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 13 }


caAclIPV4ACEDestinationPortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed to the layer
        4 destination port field. Source port fields are present only
        for IGMP, ICMP, SCTP, TCP, and UDP protocols.

        If caAclIPV4ACLProtocol is none of the ones listed above, this
        field should be set to noOperator(1), which means no comparison
        is to be performed.

        If this field is set to range(5) then two port numbers are
        necessary. I.e., both caAclIPV4ACEDestinationPort and
        caAclIPV4ACEDestinationPortUpper need to be provided."
    ::= { caAclIPV4ACECfgTableEntry 14 }

caAclIPV4ACEDestinationPort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the destination port number of the layer
        4 protocol.
        This is the field to be matched with the specified
        destination port based on the caAclIPV4ACLSourceOperator. If
        caAclIPV4ACLDestinationOperator is range(5) then this object
        will have the inclusive lower bound of the destination port
        range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 15 }

caAclIPV4ACEDestinationPortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        destination port range that is to be matched."
    ::= { caAclIPV4ACECfgTableEntry 16 }

caAclIPV4ACEDestinationPortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group to which the
        packet is being sent."
    ::= { caAclIPV4ACECfgTableEntry 17 }

caAclIPV4ACEDscpValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..63)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the dscp value that will be considered
        in the match criteria against the value in the packet."
    ::= { caAclIPV4ACECfgTableEntry 18 }

caAclIPV4ACETcpFlagsValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the TCP flags which will
        be considered in the match criteria based on
        caAclIPV4ACLTcpFlagsMatchType.
        Users can select any desired combination of the TCP flags
        on which to filter TCP packets."
    ::= { caAclIPV4ACECfgTableEntry 19 }

caAclIPV4ACETcpFlagsMask OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the mask value of the TCP flags field."
    ::= { caAclIPV4ACECfgTableEntry 20 }

caAclIPV4ACETcpFlagsMatchType OBJECT-TYPE
    SYNTAX          CaAclTcpFlagsMatch
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the type of matching to be done on the
        TCP flags field."
    ::= { caAclIPV4ACECfgTableEntry 21 }

caAclIPV4ACETosValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..16)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the TOS field to be filtered.
        Packets can be filtered by the TOS level as specified by a
        number from 0 to 15. Use the value 16 to indicate that the
        TOS field should be ignored during matching."
    ::= { caAclIPV4ACECfgTableEntry 22 }

caAclIPV4ACEPrecedenceValue OBJECT-TYPE
    SYNTAX          CaAclPrecedenceValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the value of the precedence field to be
        filtered."
    REFERENCE
        "RFC-791, Internet Protocol Darpa Internet Program Protocol
        Specification, September 1981."
    ::= { caAclIPV4ACECfgTableEntry 23 }

caAclIPV4ACELogOption OBJECT-TYPE
    SYNTAX          CaAclLogOption
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the log option field to be
        applied to packets that match this ACE entry."
    ::= { caAclIPV4ACECfgTableEntry 24 }

caAclIPV4ACECounterLabel OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the counter label name for this ACE.
        ACEs that share the same counter label name will have their
        hit counts aggregated into the same counter label name."
    ::= { caAclIPV4ACECfgTableEntry 25 }

caAclIPV4ACERemark OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..100))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines a comment in the ACL.
        It helps the user to define some meaningful comment to
        identify the ACE quickly, or to know the purpose of a set
        of ACEs.
        This field is not used during packet matching."
    ::= { caAclIPV4ACECfgTableEntry 26 }

caAclIPV4ACERowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry
        in the caAclIPV4ACLTable.

        A row can be created using the 'CreateAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent.

        A row may be deleted by setting the RowStatus to 'destroy'.

        The minimum objects required to delete a row in this table
        is simply the sequence number (caAclIPV4ACESequenceNumber)."
    ::= { caAclIPV4ACECfgTableEntry 27 }


-- ********************************************************************
--     IPV6 ACE entry table                                           *
-- ********************************************************************

caAclIPV6ACECfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclIPV6ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of IPV6 ACE definitions. The ACE definition controls
        whether packets are accepted or rejected. The access control
        may be applied before sending the packet to the forwarding
        engine, or may be applied after the packet is processed by the
        forwarding engine."
    ::= { caAclConfiguration 3 }

caAclIPV6ACECfgTableEntry OBJECT-TYPE
    SYNTAX          CaAclIPV6ACECfgTableEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A conceptual row in the caAclIPV6ACLTable. Each entry of this
        table consists of a set of match criteria for a given ACL."
    INDEX           {
                        caAclIndex,
                        caAclAddressType,
                        caAclIPV6ACESequenceNumber
                    }
    ::= { caAclIPV6ACECfgTable 1 }

CaAclIPV6ACECfgTableEntry ::= SEQUENCE {
    caAclIPV6ACESequenceNumber          CaAclSequenceNumber,
    caAclIPV6ACEAction                  CaAclAction,
    caAclIPV6ACEProtocol                CiscoIpProtocol,
    caAclIPV6ACESourceAddress           InetAddress,
    caAclIPV6ACESourcePrefixLength      Integer32,
    caAclIPV6ACESourceNetworkGroup      SnmpAdminString,
    caAclIPV6ACESourcePortOperator      CaAclPortOperator,
    caAclIPV6ACESourcePort              InetPortNumber,
    caAclIPV6ACESourcePortUpper         InetPortNumber,
    caAclIPV6ACESourcePortGroup         SnmpAdminString,
    caAclIPV6ACEDestinationAddress      InetAddress,
    caAclIPV6ACEDestinationPrefixLength Integer32,
    caAclIPV6ACEDestinationNetworkGroup SnmpAdminString,
    caAclIPV6ACEDestinationPortOperator CaAclPortOperator,
    caAclIPV6ACEDestinationPort         InetPortNumber,
    caAclIPV6ACEDestinationPortUpper    InetPortNumber,
    caAclIPV6ACEDestinationPortGroup    SnmpAdminString,
    caAclIPV6ACETrafficClassValue       Unsigned32,
    caAclIPV6ACETcpFlagsValue           Unsigned32,
    caAclIPV6ACETcpFlagsMask            Unsigned32,
    caAclIPV6ACETcpFlagsMatchType       CaAclTcpFlagsMatch,
    caAclIPV6ACELogOption               CaAclLogOption,
    caAclIPV6ACECounterLabel            SnmpAdminString,
    caAclIPV6ACERemark                  SnmpAdminString,
    caAclIPV6ACERowStatus               RowStatus
}

caAclIPV6ACESequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies an ACE within an ACL. Sequence
        numbers are assigned to each permit/deny statement, causing the
        system to insert the statement in that numbered position within
        the ACL."
    ::= { caAclIPV6ACECfgTableEntry 1 }

caAclIPV6ACEAction OBJECT-TYPE
    SYNTAX          CaAclAction
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the type of action to be taken if the
        packet matches the given criteria.

        If it is set to permit(1), all packets matching this ACE will
        be allowed for further processing.

        If it is set to deny(2), all packets matching this ACE will
        be discarded."
    ::= { caAclIPV6ACECfgTableEntry 2 }

caAclIPV6ACEProtocol OBJECT-TYPE
    SYNTAX          CiscoIpProtocol
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object identifies the protocol type to be filtered by
        the ACE. Protocol numbers are defined in the Network Working
        Group Request For Comment (RFC) documents."
    REFERENCE
        "RFC-790, Assigned Numbers, September 1981, Section
        Assigned Internet Protocol Numbers."
    ::= { caAclIPV6ACECfgTableEntry 3 }

caAclIPV6ACESourceAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host from
        which the packet is being sent. If this object value is 0::0
        and the value of caAclIPV6ACLSourcePrefixLength is 0 then this
        matches any source address.

        If this object value is not 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is less than 128, this entry
        matches all the addresses that are in the sub-net.

        If this object value is 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is also 0, this entry matches
        all hosts."
    ::= { caAclIPV6ACECfgTableEntry 4 }

caAclIPV6ACESourcePrefixLength OBJECT-TYPE
    SYNTAX          Integer32 (0..128)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the number of bits in the field
        caAclIPV6ACLSourceAddress to be checked.

        If the value of this object is 0, then the source address
        in the packet must match caAclIPV6ACESourceAddress exactly
        for the ACE action to be taken."
    ::= { caAclIPV6ACECfgTableEntry 5 }

caAclIPV6ACESourceNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Network Object Group from
        which the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 6 }

caAclIPV6ACESourcePortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed to the layer
        4 source port field. Source port fields are present only for
        IGMP, ICMP, SCTP, TCP, and UDP protocols.

        If caAclIPV6ACLProtocol is none of the ones listed above, this
        field should be set to noOperator(1), which means no comparison
        is to be performed.

        If this field is set to range(5) then two port numbers are
        necessary. I.e., both caAclIPV6ACLSourcePort and
        caAclIPV6ACLSourcePortUpper need to be provided."
    ::= { caAclIPV6ACECfgTableEntry 7 }

caAclIPV6ACESourcePort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the source port number of the layer 4
        protocol. This is the field to be matched with the specified
        source port based on the caAclIPV6ACLSourceOperator. If
        caAclIPV6ACLSourceOperator is range(5) then this object will
        have the inclusive lower bound of the source port range that
        is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 8 }

caAclIPV6ACESourcePortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        source port range that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 9 }

caAclIPV6ACESourcePortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group from which
        the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 10 }

caAclIPV6ACEDestinationAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the address of the network or host to
        which the packet is being sent. If this object value is 0::0
        and the value of caAclIPV6ACLSourcePrefixLength is 0 then this
        matches any source address.

        If this object value is not 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is less than 128, this entry
        matches all the addresses that are in the sub-net.

        If this object value is 0::0 and the value of
        caAclIPV6ACLSourcePrefixLength is also 0, this entry matches
        all hosts."
    ::= { caAclIPV6ACECfgTableEntry 11 }

caAclIPV6ACEDestinationPrefixLength OBJECT-TYPE
    SYNTAX          Integer32 (0..128)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object determines the number of bits in the field
        caAclIPV6ACLDestinationAddress to be checked.

        If the value of this object is 0, then the source address
        in the packet must match caAclIPV6ACEDestinationAddress exactly
        for the ACE action to be taken."
    ::= { caAclIPV6ACECfgTableEntry 12 }

caAclIPV6ACEDestinationNetworkGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Network Object Group to which
        the packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 13 }


caAclIPV6ACEDestinationPortOperator OBJECT-TYPE
    SYNTAX          CaAclPortOperator
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the operation to be performed to the layer
        4 destination port field. Source port fields are present only for
        IGMP, ICMP, SCTP, TCP, and UDP protocols.

        If caAclIPV6ACLProtocol is none of the ones listed above, this
        field should be set to noOperator(1), which means no comparison
        is to be performed.

        If this field is set to range(5) then two port numbers are
        necessary. I.e., both caAclIPV6ACLDestinationPort and
        caAclIPV6ACLDestinationPortUpper need to be provided."
    ::= { caAclIPV6ACECfgTableEntry 14 }

caAclIPV6ACEDestinationPort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the destination port number of the layer
        4 protocol. This is the field to be matched with the specified
        destination port based on the caAclIPV6ACLSourceOperator. If
        caAclIPV6ACLDestinationOperator is range(5) then this object
        will have the inclusive lower bound of the destination port
        range that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 15 }

caAclIPV6ACEDestinationPortUpper OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the inclusive upper bound of the layer 4
        destination port range that is to be matched."
    ::= { caAclIPV6ACECfgTableEntry 16 }

caAclIPV6ACEDestinationPortGroup OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the Source Port Object Group to which the
        packet is being sent."
    ::= { caAclIPV6ACECfgTableEntry 17 }

caAclIPV6ACETrafficClassValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the traffic class value that will be
        considered in the match criteria against the value in the
        packet."
    ::= { caAclIPV6ACECfgTableEntry 18 }

caAclIPV6ACETcpFlagsValue OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the TCP flags which will
        be considered in the match criteria based on
        caAclIPV6ACLTcpFlagsMatchType.
        Users can select any desired combination of the TCP flags
        on which to filter TCP packets."
    REFERENCE
        "RFC-793, Transmission Control Protocol, Darpa Internet
        Program Protocol Specification, September 1981."
    ::= { caAclIPV6ACECfgTableEntry 19 }

caAclIPV6ACETcpFlagsMask OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255)
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the mask value of the TCP flags field."
    ::= { caAclIPV6ACECfgTableEntry 20 }

caAclIPV6ACETcpFlagsMatchType OBJECT-TYPE
    SYNTAX          CaAclTcpFlagsMatch
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the type of matching to be done on the
        TCP flags field."
    ::= { caAclIPV6ACECfgTableEntry 21 }

caAclIPV6ACELogOption OBJECT-TYPE
    SYNTAX          CaAclLogOption
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the value of the log option field to be
        applied to packets that match this ACE entry."
    ::= { caAclIPV6ACECfgTableEntry 22 }


caAclIPV6ACECounterLabel OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines the counter label name for this ACE.
        ACEs that share the same counter label name will have their
        hit counts aggregated into the same counter label name."
    ::= { caAclIPV6ACECfgTableEntry 23 }

caAclIPV6ACERemark OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..100))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object defines a comment in the ACL. It helps the user
        to define some meaningful comment to identify the ACE
        quickly, or to know the purpose of a set of ACEs.
        This field is not used during packet matching."
    ::= { caAclIPV6ACECfgTableEntry 24 }

caAclIPV6ACERowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry
        in the caAclIPV6ACLTable.

        A row can be created using the 'CreateAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent.

        A row may be deleted by setting the RowStatus to 'destroy'.

        The minimum objects required to delete a row in this table
        is simply the sequence number (caAclIPV6ACESequenceNumber)."
    ::= { caAclIPV6ACECfgTableEntry 25 }


-- ********************************************************************
-- IP access group entry configuration table                          *
-- ********************************************************************

caAclAccessGroupCfgTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclAccessGroupCfgEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the ACLs configured on the device and
        applied on an interface in the ingress or egress direction."
    ::= { caAclConfiguration 4 }

caAclAccessGroupCfgEntry OBJECT-TYPE
    SYNTAX          CaAclAccessGroupCfgEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry describes an ACL configured on the device and
        applied to an interface."
    INDEX           {
                        ifIndex,
                        caAclAccessGroupCfgAddressType,
                        caAclAccessGroupDirection,
                        caAclAccessGroupSequenceNumber
                    }
    ::= { caAclAccessGroupCfgTable 1 }

CaAclAccessGroupCfgEntry ::= SEQUENCE {
        caAclAccessGroupACL            CaAclACLIndex,
        caAclAccessGroupCfgAddressType InetAddressType,
        caAclAccessGroupDirection      CaAclTrafficDirection,
        caAclAccessGroupSequenceNumber CaAclSequenceNumber,
        caAclAccessGroupRowStatus      RowStatus
}

caAclAccessGroupACL OBJECT-TYPE
    SYNTAX          CaAclACLIndex
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The name of the ACL associated with this entry."
    ::= { caAclAccessGroupCfgEntry 1 }


caAclAccessGroupCfgAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry describes the address family of the access group
        being applied on the interface."
    ::= { caAclAccessGroupCfgEntry 2 }

caAclAccessGroupDirection OBJECT-TYPE
    SYNTAX          CaAclTrafficDirection
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object defines the direction in which the ACL is
        applied."
    ::= { caAclAccessGroupCfgEntry 3 }

caAclAccessGroupSequenceNumber OBJECT-TYPE
    SYNTAX          CaAclSequenceNumber
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies the order in which an Access
        Group is applied to an interface. It can be used by platforms
        that support applying more than one Access List per address
        family per direction.
        For example:
            interface GigabitEthernet 0/0
             ipv4 access-group ACL1 ACL2 ACL2 ingress
            !
        "
    ::= { caAclAccessGroupCfgEntry 4 }

caAclAccessGroupRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to create, modify, or delete an entry in
        the caAclAccessGroupCfgTable.
        A row can be created using the 'CreateAndGo' option. When the
        row is successfully created, the RowStatus will be set to
        active by the agent. Once a row becomes active, values in
        any other column within the row cannot be modified.

        A row may be deleted by setting the RowStatus to 'destroy'."
    ::= { caAclAccessGroupCfgEntry 5 }


-- ********************************************************************
-- Label interface statistics table                                   *
-- ********************************************************************

caAclLabelIntfStatsTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CaAclLabelIntfStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table describes the statistics for all ACEs with assigned
        counter labels, attached to interfaces on the device.

        An entry in this table is created when an ACL containing an ACE
        that references the specified counter label name is applied to
        an interface.

        An entry in this table is deleted when an ACL containing an ACE
        that references the specified counter label name is removed
        from an interface."
    ::= { caAclStats 1 }

caAclLabelIntfStatsEntry OBJECT-TYPE
    SYNTAX          CaAclLabelIntfStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry in this table provides the aggregated counters for
        all ACEs applied on the given interface/direction that have
        been assigned the same counter label."
    INDEX           {
                        ifIndex,
                        caAclAccessGroupCfgAddressType,
                        caAclAccessGroupDirection,
                        caAclIntfStatsCounterLabelName
                    }
    ::= { caAclLabelIntfStatsTable 1 }

CaAclLabelIntfStatsEntry ::= SEQUENCE {
        caAclIntfStatsCounterLabelName SnmpAdminString,
        caAclIntfStatsPackets          Counter64,
        caAclIntfStatsOctets           Counter64
}

caAclIntfStatsCounterLabelName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..64))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The counter label index associated with this set of
        statistics."
    ::= { caAclLabelIntfStatsEntry 1 }

caAclIntfStatsPackets OBJECT-TYPE
    SYNTAX          Counter64
    UNITS           "packets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The total number of packets that match this counter label."
    ::= { caAclLabelIntfStatsEntry 2 }

caAclIntfStatsOctets OBJECT-TYPE
    SYNTAX          Counter64
    UNITS           "bytes"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The total number of octets that match this counter label."
    ::= { caAclLabelIntfStatsEntry 3 }


-- ********************************************************************
-- Units of Conformance
-- ********************************************************************

caAclMIBCfgGroup OBJECT-GROUP
    OBJECTS         {
                        caAclName,
                        caAclRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group contains objects describing ACLs."
    ::= { caAclMIBCfgGroups 1 }

caAclIPV4ACLMIBACEGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIPV4ACEAction,
                        caAclIPV4ACEProtocol,
                        caAclIPV4ACESourceAddress,
                        caAclIPV4ACESourceWildCardMask,
                        caAclIPV4ACESourceNetworkGroup,
                        caAclIPV4ACESourcePortOperator,
                        caAclIPV4ACESourcePort,
                        caAclIPV4ACESourcePortUpper,
                        caAclIPV4ACESourcePortGroup,
                        caAclIPV4ACEDestinationAddress,
                        caAclIPV4ACEDestinationWildCardMask,
                        caAclIPV4ACEDestinationNetworkGroup,
                        caAclIPV4ACEDestinationPortOperator,
                        caAclIPV4ACEDestinationPort,
                        caAclIPV4ACEDestinationPortUpper,
                        caAclIPV4ACEDestinationPortGroup,
                        caAclIPV4ACEDscpValue,
                        caAclIPV4ACETcpFlagsValue,
                        caAclIPV4ACETcpFlagsMask,
                        caAclIPV4ACETcpFlagsMatchType,
                        caAclIPV4ACETosValue,
                        caAclIPV4ACEPrecedenceValue,
                        caAclIPV4ACELogOption,
                        caAclIPV4ACECounterLabel,
                        caAclIPV4ACERemark,
                        caAclIPV4ACERowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group is a collection of objects providing IPV4 ACE
        feature."
    ::= { caAclMIBCfgGroups 2 }

caAclIPV6ACLMIBACEGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIPV6ACEAction,
                        caAclIPV6ACEProtocol,
                        caAclIPV6ACESourceAddress,
                        caAclIPV6ACESourcePrefixLength,
                        caAclIPV6ACESourceNetworkGroup,
                        caAclIPV6ACESourcePortOperator,
                        caAclIPV6ACESourcePort,
                        caAclIPV6ACESourcePortUpper,
                        caAclIPV6ACESourcePortGroup,
                        caAclIPV6ACEDestinationAddress,
                        caAclIPV6ACEDestinationPrefixLength,
                        caAclIPV6ACEDestinationNetworkGroup,
                        caAclIPV6ACEDestinationPortOperator,
                        caAclIPV6ACEDestinationPort,
                        caAclIPV6ACEDestinationPortUpper,
                        caAclIPV6ACEDestinationPortGroup,
                        caAclIPV6ACETcpFlagsValue,
                        caAclIPV6ACETcpFlagsMask,
                        caAclIPV6ACETcpFlagsMatchType,
                        caAclIPV6ACETrafficClassValue,
                        caAclIPV6ACELogOption,
                        caAclIPV6ACECounterLabel,
                        caAclIPV6ACERemark,
                        caAclIPV6ACERowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group is a collection of objects providing IPV6 ACE
        feature."
    ::= { caAclMIBCfgGroups 3 }

caAclMIBAccessGroupCfgGroup OBJECT-GROUP
    OBJECTS         {
                        caAclAccessGroupACL,
                        caAclAccessGroupRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the objects describing the access group
        configuration."
    ::= { caAclMIBCfgGroups 4 }

caAclMIBCounterGroup OBJECT-GROUP
    OBJECTS         {
                        caAclIntfStatsPackets,
                        caAclIntfStatsOctets
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the objects describing the ACE
        counter label."
    ::= { caAclMIBCfgGroups 5 }

caAclMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "This compliance statement specifies the minimal requirements
        that an implementation must meet in order to claim full
        compliance with the definitions of the C-ACL-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        caAclMIBCfgGroup
                    }
    GROUP           caAclMIBAccessGroupCfgGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support filtering IPV4 and/or IPV6 packets."
    GROUP           caAclIPV4ACLMIBACEGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support IPV4 ACLs."
    GROUP           caAclIPV6ACLMIBACEGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support IPV6 ACLs."
    GROUP           caAclMIBCounterGroup
    DESCRIPTION
        "This group is mandatory except for systems that do not
        support ACL counter gathering statistics."
    OBJECT          caAclName
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclRowStatus
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEProtocol
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACESourceAddress
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACESourceWildCardMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACESourceNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACESourcePortOperator
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACESourcePort
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACESourcePortUpper
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACESourcePortGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEDestinationAddress
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEDestinationWildCardMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEDestinationNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEDestinationPortOperator
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEDestinationPort
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEDestinationPortUpper
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEDestinationPortGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEDscpValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACETcpFlagsValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACETcpFlagsMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACETcpFlagsMatchType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACETosValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACEPrecedenceValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACELogOption
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACECounterLabel
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACERemark
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV4ACERowStatus
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEProtocol
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACESourceAddress
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACESourcePrefixLength
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACESourceNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACESourcePortOperator
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACESourcePort
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACESourcePortUpper
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACESourcePortGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEDestinationAddress
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEDestinationPrefixLength
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEDestinationNetworkGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEDestinationPortOperator
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEDestinationPort
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEDestinationPortUpper
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACEDestinationPortGroup
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACETrafficClassValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACETcpFlagsValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACETcpFlagsMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACETcpFlagsMatchType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACELogOption
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACECounterLabel
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACERemark
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclIPV6ACERowStatus
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclAccessGroupACL
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."
    OBJECT          caAclAccessGroupRowStatus
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write-access is not required."

    ::= { caAclMIBACECompliances 1 }

END
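The following Python example is added here and is not part of the Cisco MIB module. It decodes the caAclLabelIntfStatsTable instance suffix (ifIndex, address type, direction, length-prefixed counter label) and compares two polls to report labels that appeared, disappeared, or gained hits. The sample lines and the direction value 1 are constructed, and object names are used symbolically because the numeric OIDs are not shown here.

```python
import re
from typing import Dict, NamedTuple

# InetAddressType values as defined in INET-ADDRESS-MIB (RFC 4001).
INET_ADDRESS_TYPE = {0: "unknown", 1: "ipv4", 2: "ipv6", 3: "ipv4z", 4: "ipv6z", 16: "dns"}
LINE_RE = re.compile(r"(caAclIntfStats(?:Packets|Octets))\.([\d.]+) = Counter64: (\d+)")

# Constructed sample polls, in the style of a walk printed with numeric index suffixes.
POLL_1 = """\
caAclIntfStatsPackets.3.1.1.12.67.111.117.110.116.80.101.114.109.105.116.115 = Counter64: 1500
caAclIntfStatsOctets.3.1.1.12.67.111.117.110.116.80.101.114.109.105.116.115 = Counter64: 96000
caAclIntfStatsPackets.3.2.1.7.68.101.110.121.76.111.103 = Counter64: 40
"""
POLL_2 = """\
caAclIntfStatsPackets.3.1.1.12.67.111.117.110.116.80.101.114.109.105.116.115 = Counter64: 1725
caAclIntfStatsOctets.3.1.1.12.67.111.117.110.116.80.101.114.109.105.116.115 = Counter64: 110400
caAclIntfStatsPackets.7.1.1.12.67.111.117.110.116.80.101.114.109.105.116.115 = Counter64: 3
"""


class LabelIndex(NamedTuple):
    if_index: int
    address_type: str
    direction: int  # CaAclTrafficDirection value, kept numeric (enum is defined earlier in the MIB)
    label: str


def decode_index(suffix: str) -> LabelIndex:
    """Decode ifIndex.addressType.direction.<len>.<label octets> into its parts."""
    subids = [int(part) for part in suffix.strip(".").split(".")]
    if len(subids) < 5:
        raise ValueError(f"index too short: {suffix!r}")
    if_index, addr_type, direction, length = subids[:4]
    octets = subids[4:]
    # The label is a variable-length string index, so it carries a length prefix
    # and must respect the SIZE (1..64) constraint of the object.
    if not 1 <= length <= 64 or length != len(octets) or max(octets) > 255:
        raise ValueError(f"bad label encoding: {suffix!r}")
    name = INET_ADDRESS_TYPE.get(addr_type, str(addr_type))
    return LabelIndex(if_index, name, direction, bytes(octets).decode("utf-8"))


Poll = Dict[LabelIndex, Dict[str, int]]


def parse_poll(text: str) -> Poll:
    """Collect the packet and octet counters of each row, keyed by decoded index."""
    rows: Poll = {}
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            column, suffix, value = match.groups()
            rows.setdefault(decode_index(suffix), {})[column] = int(value)
    return rows


def diff_polls(prev: Poll, curr: Poll):
    """Return (added rows, removed rows, packet deltas for rows in both polls)."""
    added = sorted(set(curr) - set(prev))      # label newly attached to an interface
    removed = sorted(set(prev) - set(curr))    # label no longer attached
    deltas = {}
    for idx in set(prev) & set(curr):
        before = prev[idx].get("caAclIntfStatsPackets", 0)
        after = curr[idx].get("caAclIntfStatsPackets", 0)
        # A lower value is treated as a recreated row, not a 64-bit wrap: None.
        deltas[idx] = after - before if after >= before else None
    return added, removed, deltas


if __name__ == "__main__":
    added, removed, deltas = diff_polls(parse_poll(POLL_1), parse_poll(POLL_2))
    print("added:", added)
    print("removed:", removed)
    print("deltas:", deltas)
```

Because rows exist only while an ACL carrying the label is applied to an interface, the added and removed lists track attach and detach events between polls as well as hit counts.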