-- ***************************************************************** -- CISCO-IP-PROTOCOL-FILTER-MIB.my: Cisco IP Protocol Filter MIB -- file -- -- June 2002, Francis Pang -- -- Copyright (c) 2002 , 2005 by Cisco Systems, Inc. -- All rights reserved. -- ***************************************************************** -- CISCO-IP-PROTOCOL-FILTER-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32 , Counter64 FROM SNMPv2-SMI MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF InetAddressType, InetAddress, InetPortNumber FROM INET-ADDRESS-MIB RowStatus, TruthValue, TEXTUAL-CONVENTION FROM SNMPv2-TC ifIndex FROM IF-MIB SnmpAdminString FROM SNMP-FRAMEWORK-MIB SyslogSeverity FROM CISCO-SYSLOG-MIB CfgFilterGroupName FROM CISCO-FILTER-GROUP-MIB ciscoMgmt FROM CISCO-SMI; ciscoIpProtocolMIB MODULE-IDENTITY LAST-UPDATED "200504200000Z" ORGANIZATION "Cisco System Inc." CONTACT-INFO " Cisco Systems Customer Service Postal: 170 West Tasman Drive, San Jose CA 95134-1706. USA Tel: +1 800 553-NETS E-mail: cs-dot11@cisco.com" DESCRIPTION "The MIB module is for management of information to support packet filtering on IP protocols. The cippfIpProfileTable allows users to create delete, and get information about filter profiles. Filter profiles are uniquely identified by the profile names. Filter profiles can either be of Simple or Extended usage types, and the usage type cannot be changed once it has been created. The cippfIfIpProfileTable applies the filtering profiles to device interfaces running IP. A filter profile can be applied to multiple interfaces. The cippfIpFilterTable contains ordered lists of IP filters for all the filtering profiles. Filters and profiles are related if they are of the same filter profile name. Filters can only be created if their associated filter profiles already exist in the cippfIpProfileTable. Filters of the same profile name belongs to a common profile. The cippfIfIpProfileTable can be configured with information independent from the other. However, if the name of a profile in the cippfIfIpProfileTable matches that of any profile in the cippfIpProfileTable and the profile name of any filter entry in the cippfIpFilterTable, the profile is 'active' and the filter entry is being applied to IP traffic passing through the attached device interfaces. Therefore, any change to the filters in the cippfIpFilterTable or the profile itself in the cippfIpProfileTable will affect all the attached interfaces." REVISION "200504200000Z" DESCRIPTION "- Added 'extendedIPv6' enumeration in cippfIpProfileType. - Added following enumerations in cippfIfIpProfileDirection. inboundIPv6 (3) outboundIPv6 (4). - Added following objects in cippfIpFilterTable: cippfIpFilterSrcIPGroupName cippfIpFilterDstIPGroupName cippfIpFilterProtocolGroupName cippfIpFilterSrcServiceGroupName cippfIpFilterDstServiceGroupName cippfIpFilterICMPGroupName. - Added following tables cippfIpFilterExtTable. cippfIpFilterStatsTable." REVISION "200306160000Z" DESCRIPTION "Added following objects to cippfIpFilterTable: cippfIpFilterICMPType,cippfIpFilterEstablished, cippfIpFilterFragments,cippfIpFilterICMPCode. Updated the conformance statement." REVISION "200207110000Z" DESCRIPTION "Initial version of this MIB module." ::= { ciscoMgmt 278 } ciscoIpProtocolFilterMIBNotifs OBJECT IDENTIFIER ::= { ciscoIpProtocolMIB 0 } ciscoIpProtocolFilterMIBObjects OBJECT IDENTIFIER ::= { ciscoIpProtocolMIB 1 } ciscoIpProtocolFilterMIBConform OBJECT IDENTIFIER ::= { ciscoIpProtocolMIB 2 } cippfIpFilterConfig OBJECT IDENTIFIER ::= { ciscoIpProtocolFilterMIBObjects 1 } cippfIpFilterStats OBJECT IDENTIFIER ::= { ciscoIpProtocolFilterMIBObjects 2 } -- Textual Conventions CippfIpFilterProfileName ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Objects defined with this textual convention are used to identify IP protocol filter profiles. The object value shall be an alphanumeric string." SYNTAX OCTET STRING (SIZE (1..64)) cippfIpProfileTable OBJECT-TYPE SYNTAX SEQUENCE OF CippfIpProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the existing IP protocol filter profiles. These filter profiles contain protocol filters used to filter IP traffic through the device interfaces. The IP protocol filters associated with these profiles are defined in the cippfIpFilterTable. For profiles to be associated with filters, the object value of the cippfIpProfileName of a profile must matches that of the cippfIpProfileName of a filter entry in the cippfIpFilterTable. Filters of the same profile name belong to a common filter profile and are of the same usage type of the profile. This table can only be used to create or delete filter profiles. Deleting any profile in this table will also delete all the associated filters in the cippfIpFilterTable and cause the state of the associated 'active' filter profile in the cippfIfIpProfileTable to be changed to 'notReady'. All of these deleted or changed entries are associated by virtue of the same profile name." ::= { cippfIpFilterConfig 1 } cippfIpProfileEntry OBJECT-TYPE SYNTAX CippfIpProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry defines the type, state, and the last object index assigned to a filter of the filter profile." INDEX { cippfIpProfileName } ::= { cippfIpProfileTable 1 } CippfIpProfileEntry ::= SEQUENCE { cippfIpProfileName CippfIpFilterProfileName, cippfIpProfileType INTEGER, cippfIpProfileLastFilterIndex Unsigned32, cippfIpProfileStatus RowStatus } cippfIpProfileName OBJECT-TYPE SYNTAX CippfIpFilterProfileName MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is the unique IP protocol filter profile identifier. If this value is the same as the cippfIpProfileName in the cippfIpFilterTable and the cippfIfIpProfileName in cippfIfIpFilterTable, they are all referring to the same filter profile." ::= { cippfIpProfileEntry 1 } cippfIpProfileType OBJECT-TYPE SYNTAX INTEGER { simple (1), extended (2), extendedIPv6 (3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object determines the usage type this filter profile. This usage type cannot be changed after the profile has been created. The usage type simple(1) implies that the valid objects of each filter entry in the profile in the cippfIpFilterTable only include: cippfIpFilterIndex, cippfIpFilterOrderPosition, cippfIpFilterAction, cippfIpFilterAddressType, cippfIpFilterSrcAddress, cippfIpFilterSrcMask, cippfIpFilterLogEnabled, cippfIpFilterStatus. This means that only the above objects will be used to create the protocol filter, and all other objects will be ignored during filter creation. The usage extended(2) implies that all objects defined in the cippfIpFilterTable are valid for any filter entry in the corresponding profile. The usage extendedIPv6(3) implies that this is a IPv6 profile and all objects defined in the cippfIpFilterTable are valid for any filter entry in the corresponding profile." DEFVAL { extended } ::= { cippfIpProfileEntry 2 } cippfIpProfileLastFilterIndex OBJECT-TYPE SYNTAX Unsigned32 (0..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "This value is the same as the last cippfIpFilterIndex value assigned to a filter of this profile." ::= { cippfIpProfileEntry 3 } cippfIpProfileStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object controls and reflects the status of rows in this table. To create a filter profile of a particular usage type, the NMS must do a multivarbind set containing both cippfIpProfileStatus and cippfIpProfileType. Creation of rows must be done via 'createAndGo' for all profiles. When the agent successfully creates the filter profile, this object is set to 'active' by the agent. To delete a row, set this object value to 'destroy'." ::= { cippfIpProfileEntry 4 } cippfIfIpProfileTable OBJECT-TYPE SYNTAX SEQUENCE OF CippfIfIpProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the IP protocol filter profiles being applied to IP traffic on the device interfaces. An IP protocol filter profile can be shared by multiple interfaces. The filter profiles are defined in the cippfIpProfileTable, and filters of these profiles are defined in the cippfIpFilterTable. Protocol filter profiles and their associated filters can be 'attached to' or 'removed from' in-bound or out-bound interfaces. Both existing and non-existing protocol filter profiles can be 'attached to' the interfaces. However, the cippfIfIpProfileStatus will only become 'active' if the filter profile exists in the cippfIpProfileTable, and the filters will then be applied to the IP traffic through the interface. Modification of any filters associated with a shared profile will affect all interfaces sharing that profile. Each interface can only be attached with one protocol filter profile on the in-bound direction and one on the out-bound direction." ::= { cippfIpFilterConfig 2 } cippfIfIpProfileEntry OBJECT-TYPE SYNTAX CippfIfIpProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry attaches an IP traffic filter profile to a particular device interface and a specific traffic direction. The interface can be of any ifType supporting and running IP." INDEX { ifIndex, cippfIfIpProfileDirection } ::= { cippfIfIpProfileTable 1 } CippfIfIpProfileEntry ::= SEQUENCE { cippfIfIpProfileDirection INTEGER, cippfIfIpProfileName CippfIpFilterProfileName, cippfIfIpProfileStatus RowStatus } cippfIfIpProfileDirection OBJECT-TYPE SYNTAX INTEGER { inbound (1), outbound (2), inboundIPv6 (3), outboundIPv6 (4) } MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object determines whether this filter profile is applied to inbound or outbound traffic of a particular interface. The possible value(s) are: inbound - inbound traffic. outbound - outbound traffic. inboundIPv6 - IPv6 inbound traffic. outboundIPv6 - IPv6 outbound traffic." ::= { cippfIfIpProfileEntry 1 } cippfIfIpProfileName OBJECT-TYPE SYNTAX CippfIpFilterProfileName MAX-ACCESS read-create STATUS current DESCRIPTION "This is the unique IP protocol filter profile identifier. This value must be the same as one of the existing cippfIpProfileName object values in the cippfIpProfileTable for this profile and the cippfIfIpProfileStatus of value 'createAndGo' to become 'active'. If this object value does not match any existing cippfIpProfileName, an entry of this table can only be created with cippfIfIpProfileStatus in 'createAndWait' state. The entry can only be made 'active' by the agent when the corresponding cippfIpProfileName is added to the cippfIpProfileTable." ::= { cippfIfIpProfileEntry 2 } cippfIfIpProfileStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object controls and reflects the status of rows in this table. To apply this filter profile or remove this filter profile, the NMS must do a multivarbind set containing both cippfIfIpProfileStatus and cippfIfIpProfileName. Creation of rows may be done via 'createAndGo' for profiles already exist in the cippfIpProfileTable, and the filter profile will only be effective when this object is set to 'active' by the agent. Creation of rows may also be done via 'createAndWait' for profiles do not exist in the cippfIpProfileTable. This object will be set by the agent to 'notReady', and the filter profile will not participate in IP filtering. This object will only be set to 'active' when there is a corresponding 'active' profile in the cippfIpProfileTable. To remove a row, set this object value to 'destroy'." ::= { cippfIfIpProfileEntry 3 } cippfIpFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF CippfIpFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains ordered lists of filters for all the IP protocol filter profiles. Device traffic filtering system applies filters of a filter profile according to the filter order position. IP packets matching any filter will be processed according to the matching action specified by the filter or they will be discarded if they do not match any filters. Any IP packet through an interface can theoretically match multiple filters or rows of this table of the same filter profile. When applying a filter to a packet, the cippfIfIpProfileTable is used to first identify the filter profile to use, then this table is scanned according to filter profile name and filter order position. If the packet matches all criteria for that row, the action defined in the cippfIpFilterAction object of the row will be taken. If the action for the matching filter is deny(1), the packet is discarded and the processing is completed. If the action for the matching filter is permit(2), the packet is accepted and permitted to be processed by the bridging or routing logic. If the packet matches no filter in this table, the packet is always deny(1) and will be dropped. To create a filter, the cippfIpProfileName must already exists in the cippfIpProfileTable. No filter can be created without an existing filter in the cippfIpProfileTable. If the filter profile is deleted from the cippfIpProfileTable, all the associated filters in this table will also be deleted." ::= { cippfIpFilterConfig 3 } cippfIpFilterEntry OBJECT-TYPE SYNTAX CippfIpFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry is an IP Protocol traffic filter within an IP filter profile. Entries with the same cippfIpProfileName belong to the same IP filter profile." INDEX { cippfIpProfileName, cippfIpFilterIndex } ::= { cippfIpFilterTable 1 } CippfIpFilterEntry ::= SEQUENCE { cippfIpFilterIndex Unsigned32, cippfIpFilterOrderPosition Unsigned32, cippfIpFilterAction INTEGER, cippfIpFilterAddressType InetAddressType, cippfIpFilterSrcAddress InetAddress, cippfIpFilterSrcMask InetAddress, cippfIpFilterDestAddress InetAddress, cippfIpFilterDestMask InetAddress, cippfIpFilterProtocol Integer32, cippfIpFilterSrcPortLow InetPortNumber, cippfIpFilterSrcPortHigh InetPortNumber, cippfIpFilterDestPortLow InetPortNumber, cippfIpFilterDestPortHigh InetPortNumber, cippfIpFilterPrecedence INTEGER, cippfIpFilterTos Integer32, cippfIpFilterLogEnabled TruthValue, cippfIpFilterStatus RowStatus, cippfIpFilterICMPType Integer32, cippfIpFilterTCPEstablished TruthValue, cippfIpFilterFragments TruthValue, cippfIpFilterICMPCode Integer32, cippfIpFilterSrcIPGroupName CfgFilterGroupName, cippfIpFilterDstIPGroupName CfgFilterGroupName, cippfIpFilterProtocolGroupName CfgFilterGroupName, cippfIpFilterSrcServiceGroupName CfgFilterGroupName, cippfIpFilterDstServiceGroupName CfgFilterGroupName, cippfIpFilterICMPGroupName CfgFilterGroupName } cippfIpFilterIndex OBJECT-TYPE SYNTAX Unsigned32 (0..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This index uniquely identifies the IP protocol filters within this table and among all filter profiles. When a new filter is added and if this value is '0', the filter will be appended as the last entry for the corresponding profile in this table. For any set operation, the cippfIpFilterIndex value must match the index of an existing 'active' filter for the set operation to be successful." ::= { cippfIpFilterEntry 1 } cippfIpFilterOrderPosition OBJECT-TYPE SYNTAX Unsigned32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "This object is used to order the IP protocol filters within a filter profile. The filter with the lowest order position number is applied first, that is cippfIpFilterOrderPosition '1'. The order position number among all filters of a profile is always consecutive. The agent will automatically arrange the order position to a consecutive manner for the filter entries within the profile after each addition (when the created entry moves to 'active' state) and modification or deletion (when the active entry moves out from 'active' state) of any filter. For example, a new filter is added to an empty profile with the cippfIpFilterOrderPosition '2' , the filter will be actually positioned to cippfIpFilterOrderPosition '1' by the agent. Moreover, if there are 3 filters in the profile and their order positions are 1, 2, and 3. Adding a new filter with any cippfIpFilterOrderPosition greater than '3' will produce the same effect. The new filter will actually be in position '4' because the agent maintains the filters in consecutive order. When a filter is removed from a profile, the filters following this filter will be moved forward and decrement their order position numbers. For example, if there are 6 filters in the profile and their order positions are 1, 2, 3, 4, 5, 6. Deleting the filter of cippfIpFilterOrderPosition '4' will cause the existing filters of cippfIpFilterOrderPosition '5' and '6' to change to '4' and '5' respectively. When a filter is added to the order position of an existing filter of the same profile, the existing filter entry and all subsequent entries following it will increment their cippfIpFilterOrderPosition. This essentially move the existing filters towards the end of the filter profile. For example, if there are 6 filters in the profile, and their cippfIpFilterOrderPosition values are 1, 2, 3, 4, 5, 6. If the user would like to add a new one and specifies '4' to be the cippfIpFilterOrderPosition of the new filter, the existing filters of cippfIpFilterOrderPosition values 4, 5, 6 will become 5, 6, 7. The cippfIpFilterOrderPosition value '0' is a special number meaning to append the filter to the last filter of the profile. Continue with our previous example, if another new filter is added and the user specifies the cippfIpFilterOrderPosition to be '0'. The new filter will actually be created with cippfIpFilterOrderPosition equal to 8. Finally, moving a filter within a profile will have the same effect of first deleting and then adding the filter to the new position. For example, if the filter of cippfIpFilterOrderPosition 2 is moved to 4, the filters originally at the cippfIpFilterOrderPosition 3 and 4 will be moved forward to 2 and 3 respectively and filters of all other cippfIpFilterOrderPosition values will remain unchanged." DEFVAL { 0 } ::= { cippfIpFilterEntry 2 } cippfIpFilterAction OBJECT-TYPE SYNTAX INTEGER { deny(1), permit(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "If it is set to deny(1), all packets matching this filter will be discarded and scanning of the remainder of the filter list will be aborted. If it is set to permit(2), all packets matching this filter will be allowed for further bridging or routing processing." DEFVAL { deny } ::= { cippfIpFilterEntry 3 } cippfIpFilterAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "This is the IP address type of for the cippfIpFilterSrcAddress, cippfIpFilterSrcMask, cippfIpFilterDestAddress, and cippfIpFilterDestMask." ::= { cippfIpFilterEntry 4 } cippfIpFilterSrcAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The source IP address to be matched for this filter. A value of zero causes all source address to match. The object value has to be consistent with the type specified in cippfIpFilterAddressType." DEFVAL { "0" } ::= { cippfIpFilterEntry 5 } cippfIpFilterSrcMask OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This is the wildcard mask for the cippfIpFilterSrcAddress bits that must match. 0 bits in the mask indicate the corresponding bits in the cippfIpFilterSrcAddress must match in order for the matching to be successful, and 1 bits are don't care bits in the matching. A value of zero causes only IP packets of source address the same as cippfIpFilterSrcAddress to match. This object value has to be consistent with the type specified in cippfIpFilterAddressType." DEFVAL { 'ffffffff'H } -- 255.255.255.255 ::= { cippfIpFilterEntry 6 } cippfIpFilterDestAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The destination IP address to be matched for this filter. A value of zero causes all source address to match. The object value has to be consistent with the type specified in cippfIpFilterAddressType." DEFVAL { "0" } ::= { cippfIpFilterEntry 7 } cippfIpFilterDestMask OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This is the wildcard mask for the cippfIpFilterDestAddress bits that must match. 0 bits in the mask indicate the corresponding bits in the cippfIpFilterDestAddress must match in order for the matching to be successful, and 1 bits are don't care bits in the matching. A value of zero causes only IP packets of source address the same as cippfIpFilterSrcAddress to match. This object value has to be consistent with the type specified in cippfIpFilterAddressType." DEFVAL { 'ffffffff'H } -- 255.255.255.255 ::= { cippfIpFilterEntry 8 } cippfIpFilterProtocol OBJECT-TYPE SYNTAX Integer32 (-1..255) MAX-ACCESS read-create STATUS current DESCRIPTION "This filter protocol object matches the Internet Protocol Number in the packets. These IP numbers are defined in the Network Working Group Request for Comments (RFC) documents. For example, Cisco commonly used protocol includes: 1 - Internet Control Message Protocol 2 - Internet Gateway Message Protocol 4 - IP in IP tunneling 6 - Transmission Control Protocol 9 - Cisco's IGRP routing protocol 17 - User Datagram Protocol 47 - Cisco's GRE tunneling 50 - Encapsulation Security Payload 51 - Authentication Header Protocol 88 - Cisco's EIGRP routing protocol 89 - OSPF routing protocol 94 - KA9Q NOS compatible IP over IP tunneling 103 - Protocol Independent Multicast 108 - Payload Compression Protocol Setting this object to '-1' will make the filtering match any IP number." REFERENCE "RFC-790, ASSIGNED NUMBERS, September 1981, Section ASSIGNED INTERNET PROTOCOL NUMBERS." DEFVAL { -1 } ::= { cippfIpFilterEntry 9 } cippfIpFilterSrcPortLow OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "If cippfIpFilterProtocol is udp or tcp, this is the inclusive lower bound of the transport-layer source port range that is to be matched, otherwise it is ignored during matching. This value must be equal to or less than the value specified for this entry in cippfIpFilterSrcPortHigh." DEFVAL { 0 } ::= { cippfIpFilterEntry 10 } cippfIpFilterSrcPortHigh OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "If cippfIpFilterProtocol is udp or tcp, this is the inclusive upper bound of the transport-layer source port range that is to be matched, otherwise it is ignored during matching. This value must be equal to or greater than the value specified for this entry in cippfIpFilterSrcPortLow. If this value is '0', the udp or tcp port number is ignored during matching." DEFVAL { 65535 } ::= { cippfIpFilterEntry 11 } cippfIpFilterDestPortLow OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "If cippfIpFilterProtocol is udp or tcp, this is the inclusive lower bound of the transport-layer destination port range that is to be matched, otherwise it is ignored during matching. This value must be equal to or less than the value specified for this entry in cippfIpFilterDestPortHigh." DEFVAL { 0 } ::= { cippfIpFilterEntry 12 } cippfIpFilterDestPortHigh OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "If cippfIpFilterProtocol is udp or tcp, this is the inclusive upper bound of the transport-layer destination port range that is to be matched, otherwise it is ignored during matching. This value must be equal to or greater than the value specified for this entry in cippfIpFilterDestPortLow. If this value is '0', the udp or tcp port number is ignored during matching." DEFVAL { 65535 } ::= { cippfIpFilterEntry 13 } cippfIpFilterPrecedence OBJECT-TYPE SYNTAX INTEGER { any(-1), routine(0), priority(1), immediate(2), flash(3), flashOverride(4), critical(5), internet(6), network(7) } MAX-ACCESS read-create STATUS current DESCRIPTION "The IP traffic precedence parameters in each packet are used to guide the selection of the actual service parameters when transmitting a datagram through a particular network. Most network treats high precedence traffic as more important than other traffic. The IP Precedence value ranges from '0' to '7', with '7' the highest precedence and '0' the lowest precedence. This object sets criteria for matching the IP packet precedence parameter. The object value '-1' means to match packets of any IP precedence. In other words, the IP precedence parameter will not to checked if this object is '-1'. The precedence level are: routine(0) - Routine traffic precedence priority(1) - Priority traffic precedence immediate(2) - Immediate traffic precedence flash(3) - Flash traffic precedence flashOverride(4) - Flash-override traffic precedence critical(5) - Critical precedence internet(6) - Internetwork control traffic precedence network(7) - Network control traffic precedence." REFERENCE "RFC-791, INTERNET PROTOCOL DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION, September 1981, Section 3.1, Internet Header Format." DEFVAL { any } ::= { cippfIpFilterEntry 14 } cippfIpFilterTos OBJECT-TYPE SYNTAX Integer32 (-1..15) MAX-ACCESS read-create STATUS current DESCRIPTION "This is the value to match to the Type of Service (TOS) of the packet. The TOS values ranges from '0' to '15'. The value '-1' matches any TOS value." DEFVAL { -1 } ::= { cippfIpFilterEntry 15 } cippfIpFilterLogEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies whether filtered packets will be logged by the filtering subsystem or not. If it is true(1), then all packets will be logged. If it is false(2), then no packet will be logged." DEFVAL { false } ::= { cippfIpFilterEntry 16 } cippfIpFilterStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object controls and reflects the status of rows in this table. Creation of rows must be done via 'createAndGo' and this object will become 'active' if the NMS performs a multivarbind set containing this object and the cippfIpFilterOrderPosition. The default matching action of a new filter is deny(1). Any object in a row can be modified any time when the row is in the 'active' state. Removal of a row can be done via setting this object to 'destroy'." ::= { cippfIpFilterEntry 17 } cippfIpFilterICMPType OBJECT-TYPE SYNTAX Integer32 (-1..255) MAX-ACCESS read-create STATUS current DESCRIPTION "This filter specifies the ICMP message type to be matched. Setting this object to '-1' will make the filtering match any ICMP message type." REFERENCE "RFC-792 INTERNET CONTROL MESSAGE PROTOCOL" DEFVAL { -1 } ::= { cippfIpFilterEntry 18 } cippfIpFilterTCPEstablished OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "This filter if 'true' specifies that for TCP protocol, in an established connection, a match occurs if the TCP datagram has the ACK,FIN,PSH,RST,SYN or URG control bits set. If 'false' a match will occur for any TCP datagram. " DEFVAL {false} ::= { cippfIpFilterEntry 19 } cippfIpFilterFragments OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "If 'true', this filter applies only to the second and further fragments of fragmented packets. If 'false', the filter will only match head fragments or unfragmented packets. Note: Second and subsequent fragments do not contain source or destination ports info, therefore cannot be filtered on that basis." DEFVAL {false} ::= { cippfIpFilterEntry 20 } cippfIpFilterICMPCode OBJECT-TYPE SYNTAX Integer32 (-1..255) MAX-ACCESS read-create STATUS current DESCRIPTION "This filter specifies the ICMP message code to be matched. Setting this object to '-1' will make the filtering match any ICMP code." REFERENCE "RFC-792 INTERNET CONTROL MESSAGE PROTOCOL" DEFVAL { -1 } ::= { cippfIpFilterEntry 21 } cippfIpFilterSrcIPGroupName OBJECT-TYPE SYNTAX CfgFilterGroupName MAX-ACCESS read-create STATUS current DESCRIPTION "This object identifies the filter group containing information about source IP addresses and masks that need to be matched for this filter. This value must match an entry in cfgFilterGroupTable whose cfgFilterGroupType value is set to 'network' and must match an entry in cfgFilterNetworkGroupTable. This object cannot be set if any of the following objects are set: cippfIpFilterSrcAddress cippfIpFilterSrcMask. This object is not instantiated if not applicable." REFERENCE "Refer following tables in CISCO-FILTER-GROUP-MIB: cfgFilterGroupTable cfgFilterNetworkGroupTable." DEFVAL { "" } ::= { cippfIpFilterEntry 22 } cippfIpFilterDstIPGroupName OBJECT-TYPE SYNTAX CfgFilterGroupName MAX-ACCESS read-create STATUS current DESCRIPTION "This object identifies the filter group containing information about destination IP addresses and masks that need to be matched for this filter. This value must match an entry in cfgFilterGroupTable whose cfgFilterGroupType value is set to 'network' and must match an entry in cfgFilterNetworkGroupTable. This object cannot be set if any of the following objects are set: cippfIpFilterDestAddress cippfIpFilterDestMask. This object is not instantiated if not applicable." REFERENCE "Refer following tables in CISCO-FILTER-GROUP-MIB: cfgFilterGroupTable cfgFilterNetworkGroupTable." DEFVAL { "" } ::= { cippfIpFilterEntry 23 } cippfIpFilterProtocolGroupName OBJECT-TYPE SYNTAX CfgFilterGroupName MAX-ACCESS read-create STATUS current DESCRIPTION "This object identifies the filter group containing information about internet protocol numbers. This value must match an entry in cfgFilterGroupTable whose cfgFilterGroupType value is set to 'service' and must match an entry in cfgFilterServiceGroupTable. This object cannot be set if any of the following objects are set: cippfIpFilterProtocol. This object is not instantiated if not applicable." REFERENCE "Refer following tables in CISCO-FILTER-GROUP-MIB: cfgFilterGroupTable cfgFilterProtocolGroupTable." DEFVAL { "" } ::= { cippfIpFilterEntry 24 } cippfIpFilterSrcServiceGroupName OBJECT-TYPE SYNTAX CfgFilterGroupName MAX-ACCESS read-create STATUS current DESCRIPTION "This object identifies the filter group containing information about port(TCP/UDP) numbers. This value must match an entry in cfgFilterGroupTable whose cfgFilterGroupType value is set to 'service' and must match an entry in cfgFilterServiceGroupTable. This object cannot be set if any of the following objects are set: cippfIpFilterSrcPortLow cippfIpFilterSrcPortHigh This object is not instantiated if not applicable." REFERENCE "Refer following tables in CISCO-FILTER-GROUP-MIB: cfgFilterGroupTable cfgFilterServiceGroupTable." DEFVAL { "" } ::= { cippfIpFilterEntry 25 } cippfIpFilterDstServiceGroupName OBJECT-TYPE SYNTAX CfgFilterGroupName MAX-ACCESS read-create STATUS current DESCRIPTION "This object identifies the filter group containing information about port(TCP/UDP) numbers. This value must match an entry in cfgFilterGroupTable whose cfgFilterGroupType value is set to 'service' and must match an entry in cfgFilterServiceGroupTable. This object cannot be set if any of the following objects are set: cippfIpFilterDestPortLow cippfIpFilterDestPortHigh This object is not instantiated if not applicable." REFERENCE "Refer following tables in CISCO-FILTER-GROUP-MIB: cfgFilterGroupTable cfgFilterServiceGroupTable." DEFVAL { "" } ::= { cippfIpFilterEntry 26 } cippfIpFilterICMPGroupName OBJECT-TYPE SYNTAX CfgFilterGroupName MAX-ACCESS read-create STATUS current DESCRIPTION "This object identifies the filter group containing information about ICMP message. This value must match an entry in cfgFilterGroupTable whose cfgFilterGroupType value is set to 'icmp' and must match an entry in cfgFilterICMPGroupTable. This object cannot be set if any of the following objects are set: cippfIpFilterICMPType cippfIpFilterICMPCode. This object is not instantiated if not applicable." REFERENCE "Refer following tables in CISCO-FILTER-GROUP-MIB: cfgFilterGroupTable cfgFilterICMPGroupTable." DEFVAL { "" } ::= { cippfIpFilterEntry 27 } cippfIpFilterExtTable OBJECT-TYPE SYNTAX SEQUENCE OF CippfIpFilterExtEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is an extension to cippfIpFilterTable. This table is used for configuring the objects that are used for reporting the information about filters and reporting the logs. These objects do not change the match criteria for the filter but assist in troubleshooting the matched criteria." ::= { cippfIpFilterConfig 4 } cippfIpFilterExtEntry OBJECT-TYPE SYNTAX CippfIpFilterExtEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in filter extension table. Each entry contains information on the description of the filter and logging related objects." AUGMENTS { cippfIpFilterEntry } ::= { cippfIpFilterExtTable 1 } CippfIpFilterExtEntry ::= SEQUENCE { cippfIpFilterExtDescription SnmpAdminString, cippfIpFilterExtLogLevel SyslogSeverity, cippfIpFilterExtLogInterval Unsigned32 } cippfIpFilterExtDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "This object is used for configuring description of the filter." DEFVAL { "" } ::= { cippfIpFilterExtEntry 1 } cippfIpFilterExtLogLevel OBJECT-TYPE SYNTAX SyslogSeverity MAX-ACCESS read-create STATUS current DESCRIPTION "This object is used for specifying the log level (severity) used in syslog for this filter." DEFVAL { info } ::= { cippfIpFilterExtEntry 2 } cippfIpFilterExtLogInterval OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-create STATUS current DESCRIPTION "This object is used for configuring the time interval at which the syslog message for this filter to be generated." DEFVAL { 300 } ::= { cippfIpFilterExtEntry 3 } cippfIpFilterStatsTable OBJECT-TYPE SYNTAX SEQUENCE OF CippfIpFilterStatsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a set of statistics related to packet filter. The statistics related to matched filters are available here." ::= { cippfIpFilterStats 1 } cippfIpFilterStatsEntry OBJECT-TYPE SYNTAX CippfIpFilterStatsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in IP Filter stats table. An entry exists in this table for every entry in cippfIpFilterTable." INDEX{ cippfIpProfileName, cippfIpFilterIndex } ::= { cippfIpFilterStatsTable 1 } CippfIpFilterStatsEntry ::= SEQUENCE { cippfIpFilterHits Counter64 } cippfIpFilterHits OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the number of packets that are matched the packet filter configuration in cippfIpFilterTable." ::= { cippfIpFilterStatsEntry 1 } -- ***************************************************************** -- Conformance information -- ***************************************************************** ciscoIpProtocolFilterMIBCompl OBJECT IDENTIFIER ::= { ciscoIpProtocolFilterMIBConform 1 } ciscoIpProtocolFilterMIBGroups OBJECT IDENTIFIER ::= { ciscoIpProtocolFilterMIBConform 2 } -- ***************************************************************** -- Compliance statements -- ***************************************************************** ciscoIpProtocolMIBCompliance MODULE-COMPLIANCE STATUS deprecated -- superceeded by -- ciscoIpProtocolMIBComplianceRev1 DESCRIPTION "The compliance statement for entities implementing the Cisco IP Protocol Filter MIB. OBJECT cippfIpFilterAddressType SYNTAX InetAddressType { ipv4(1) } DESCRIPTION An implementation is only required to support IPv4 addresses. OBJECT cippfIpFilterSrcAddress SYNTAX InetAddress (SIZE(4)) DESCRIPTION An implementation is only required to support IPv4 addresses. OBJECT cippfIpFilterDestAddress SYNTAX InetAddress (SIZE(4)) DESCRIPTION An implementation is only required to support IPv4 addresses." MODULE MANDATORY-GROUPS { ciscoIpProtocolFilteringGroup } ::= { ciscoIpProtocolFilterMIBCompl 1 } ciscoIpProtocolMIBComplianceRev1 MODULE-COMPLIANCE STATUS deprecated -- superceeded by -- ciscoIpProtocolMIBComplianceRev2 DESCRIPTION "The compliance statement for entities implementing the Cisco IP Protocol Filter MIB. OBJECT cippfIpFilterAddressType SYNTAX InetAddressType { ipv4(1) } DESCRIPTION An implementation is only required to support IPv4 addresses. OBJECT cippfIpFilterSrcAddress SYNTAX InetAddress (SIZE(4)) DESCRIPTION An implementation is only required to support IPv4 addresses. OBJECT cippfIpFilterDestAddress SYNTAX InetAddress (SIZE(4)) DESCRIPTION An implementation is only required to support IPv4 addresses. OBJECT cippfIpFilterOrderPosition MIN-ACCESS read-only DESCRIPTION Write access is not required. OBJECT cippfIpProfileType MIN-ACCESS read-only DESCRIPTION Write access is not required. " MODULE MANDATORY-GROUPS { ciscoIpProtocolFilteringGroup } GROUP ciscoIpProtocolFilterGroup2 DESCRIPTION "Implementation of this group is optional." ::= { ciscoIpProtocolFilterMIBCompl 2 } ciscoIpProtocolMIBComplianceRev2 MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for entities implementing the Cisco IP Protocol Filter MIB." MODULE MANDATORY-GROUPS { ciscoIpProtocolFilteringGroup, ciscoIpProtocolFilterStatsGroup } OBJECT cippfIpFilterAddressType -- SYNTAX InetAddressType { ipv4(1) } SYNTAX INTEGER { ipv4(1) } DESCRIPTION "An implementation is only required to support IPv4 addresses." OBJECT cippfIpFilterSrcAddress SYNTAX InetAddress (SIZE(4)) DESCRIPTION "An implementation is only required to support IPv4 addresses." OBJECT cippfIpFilterDestAddress SYNTAX InetAddress (SIZE(4)) DESCRIPTION "An implementation is only required to support IPv4 addresses." OBJECT cippfIpFilterOrderPosition MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT cippfIpProfileType MIN-ACCESS read-only DESCRIPTION "Write access is not required. " GROUP ciscoIpProtocolFilterGroup2 DESCRIPTION "Implementation of this group is optional." GROUP ciscoIpProtocolFilterExtGroup DESCRIPTION "Implementation of this group is mandatory for those systems where additional objects supported for each filter." GROUP ciscoIpProtocolFilterObjectGroup DESCRIPTION "Implementation of this group is mandatory for those systems where filter groups are supported in IP filters." OBJECT cippfIpFilterSrcIPGroupName MIN-ACCESS not-accessible DESCRIPTION "This object is not required to be implemented if filter group is not supported." OBJECT cippfIpFilterDstIPGroupName MIN-ACCESS not-accessible DESCRIPTION "This object is not required to be implemented if filter group is not supported." OBJECT cippfIpFilterSrcServiceGroupName MIN-ACCESS not-accessible DESCRIPTION "This object is not required to be implemented if filter group is not supported." OBJECT cippfIpFilterDstServiceGroupName MIN-ACCESS not-accessible DESCRIPTION "This object is not required to be implemented if filter group is not supported." OBJECT cippfIpFilterICMPGroupName MIN-ACCESS not-accessible DESCRIPTION "This object is not required to be implemented if filter group is not supported." ::= { ciscoIpProtocolFilterMIBCompl 3 } -- ***************************************************************** -- Units of conformance -- ***************************************************************** ciscoIpProtocolFilteringGroup OBJECT-GROUP OBJECTS { cippfIpProfileType, cippfIpProfileLastFilterIndex, cippfIpProfileStatus, cippfIfIpProfileName, cippfIfIpProfileStatus, cippfIpFilterOrderPosition, cippfIpFilterAction, cippfIpFilterAddressType, cippfIpFilterSrcAddress, cippfIpFilterSrcMask, cippfIpFilterDestAddress, cippfIpFilterDestMask, cippfIpFilterProtocol, cippfIpFilterSrcPortLow, cippfIpFilterSrcPortHigh, cippfIpFilterDestPortLow, cippfIpFilterDestPortHigh, cippfIpFilterPrecedence, cippfIpFilterTos, cippfIpFilterLogEnabled, cippfIpFilterStatus } STATUS current DESCRIPTION "Configuration parameters for IP Protocol filters." ::= { ciscoIpProtocolFilterMIBGroups 1 } ciscoIpProtocolFilterGroup2 OBJECT-GROUP OBJECTS { cippfIpFilterICMPType, cippfIpFilterTCPEstablished, cippfIpFilterFragments, cippfIpFilterICMPCode } STATUS current DESCRIPTION "Configuration parameters for IP Protocol filters. " ::= { ciscoIpProtocolFilterMIBGroups 2 } ciscoIpProtocolFilterExtGroup OBJECT-GROUP OBJECTS { cippfIpFilterExtDescription, cippfIpFilterExtLogLevel, cippfIpFilterExtLogInterval } STATUS current DESCRIPTION "Configuration parameters for logging packet filters." ::= { ciscoIpProtocolFilterMIBGroups 4 } ciscoIpProtocolFilterObjectGroup OBJECT-GROUP OBJECTS { cippfIpFilterSrcIPGroupName, cippfIpFilterDstIPGroupName, cippfIpFilterProtocolGroupName, cippfIpFilterSrcServiceGroupName, cippfIpFilterDstServiceGroupName, cippfIpFilterICMPGroupName } STATUS current DESCRIPTION "Configuration parameters for filter groups in a protocol filter." ::= { ciscoIpProtocolFilterMIBGroups 5 } ciscoIpProtocolFilterStatsGroup OBJECT-GROUP OBJECTS { cippfIpFilterHits } STATUS current DESCRIPTION "This is a group containing objects related to packet filter." ::= { ciscoIpProtocolFilterMIBGroups 6 } -- ***************************************************************** -- End of units of conformance -- ***************************************************************** END