-- *****************************************************************
-- CISCO-TRUSTSEC-POLICY-MIB.my
--
-- November 2009, Edward Pham
--
-- Copyright (c) 2009, 2011-2012 by cisco Systems Inc.
-- All rights reserved.
--
-- *****************************************************************

CISCO-TRUSTSEC-POLICY-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    NOTIFICATION-TYPE,
    Unsigned32,
    Counter64
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP,
    NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    TruthValue,
    DateAndTime,
    StorageType,
    RowStatus
        FROM SNMPv2-TC
    ifIndex
        FROM IF-MIB
    CtsSecurityGroupTag,
    CtsGenerationId,
    CtsAclName,
    CtsAclList,
    CtsAclListOrEmpty,
    CtsAclNameOrEmpty,
    CtsSgaclMonitorMode
        FROM CISCO-TRUSTSEC-TC-MIB
    InetAddressType,
    InetAddress,
    InetAddressPrefixLength
        FROM INET-ADDRESS-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    VlanIndex
        FROM Q-BRIDGE-MIB
    CiscoVrfName,
    Cisco2KVlanList
        FROM CISCO-TC
    ciscoMgmt
        FROM CISCO-SMI;

ciscoTrustSecPolicyMIB MODULE-IDENTITY
    LAST-UPDATED    "201212190000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        "Cisco Systems
        Customer Service

        Postal: 170 W Tasman Drive
        San Jose, CA 95134
        USA

        Tel: +1 800 553-NETS

        E-mail: cs-lan-switch-snmp@cisco.com"
    DESCRIPTION
        "This MIB module defines managed objects that facilitate the
        management of various policies within the Cisco Trusted
        Security (TrustSec) infrastructure.

        The information available through this MIB includes:

        o Device and interface level configuration for enabling
          SGACL (Security Group Access Control List) enforcement
          on Layer2/3 traffic.

        o Administrative and operational SGACL mapping to Security
          Group Tag (SGT).

        o Various statistics counters for traffic subject to SGACL
          enforcement.

        o TrustSec policies with respect to peer device.

        o Interface level configuration for enabling the propagation
          of SGT along with the Layer 3 traffic in portions of
          network which does not have the capability to support
          TrustSec feature.

        o TrustSec policies with respect to SGT propagation with
          Layer 3 traffic.

        The following terms are used throughout this MIB:

        VRF: Virtual Routing and Forwarding.

        SGACL: Security Group Access Control List.

        ACE: Access Control Entries.

        SXP: SGT Propagation Protocol.

        SVI: Switch Virtual Interface.

        IPM: Identity Port Mapping.

        SGT (Security Group Tag) is a unique 16 bits value assigned
        to every security group and used by network devices to
        enforce SGACL.

        Peer is another device connected to the local device on the
        other side of a TrustSec link.

        Default Policy: Policy applied to traffic when there is no
        explicit policy between the SGT associated with the
        originator of the traffic and the SGT associated with the
        destination of the traffic."
    REVISION        "201212190000Z"
    DESCRIPTION
        "Added following OBJECT-GROUP:
        - ctspNotifCtrlGroup
        - ctspNotifGroup
        - ctspNotifInfoGroup
        - ctspIfSgtMappingGroup
        - ctspVlanSgtMappingGroup
        - ctspSgtCachingGroup
        - ctspSgaclMonitorGroup
        - ctspSgaclMonitorStatisticGroup
        Added new compliance
        - ciscoTrustSecPolicyMIBCompliances
        Modified ctspIpSgtSource to add l3if(6), vlan(7),
        caching(8)."
    REVISION        "200911060000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 713 }


ciscoTrustSecPolicyMIBNotifs  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIB 0 }

ciscoTrustSecPolicyMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIB 1 }

ciscoTrustSecPolicyMIBConformance  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIB 2 }

ctspSgacl  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 1 }

ctspPeerPolicy  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 2 }

ctspLayer3Transport  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 3 }

ctspIpSgtMappings  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 4 }

ctspSgtPolicy  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 5 }

ctspIfSgtMappings  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 6 }

ctspVlanSgtMappings  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 7 }

ctspSgtCaching  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 8 }

ctspNotifsControl  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 9 }

ctspNotifsOnlyInfo  OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBObjects 10 }

ctspSgaclGlobals  OBJECT IDENTIFIER
    ::= { ctspSgacl 1 }

ctspSgaclMappings  OBJECT IDENTIFIER
    ::= { ctspSgacl 2 }

ctspSgaclStatistics  OBJECT IDENTIFIER
    ::= { ctspSgacl 3 }

--
-- ctspSgaclGlobals
--

ctspSgaclEnforcementEnable OBJECT-TYPE
    SYNTAX          INTEGER { none(1), l3Only(2) }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether SGACL enforcement for all
        Layer 3 interfaces (excluding SVIs) is enabled at the
        managed system.

        'none' indicates that SGACL enforcement for all Layer 3
        interfaces (excluding SVIs) is disabled.

        'l3Only' indicates that SGACL enforcement is enabled on
        every TrustSec capable Layer3 interface (excluding SVIs)
        in the device."
    ::= { ctspSgaclGlobals 1 }

ctspSgaclIpv4DropNetflowMonitor OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies an existing flexible netflow monitor
        name used to collect and export the IPv4 traffic dropped
        packets statistics due to SGACL enforcement.
        The zero-length string indicates that no such netflow
        monitor is configured in the device."
    ::= { ctspSgaclGlobals 2 }

ctspSgaclIpv6DropNetflowMonitor OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies an existing flexible netflow monitor
        name used to collect and export the IPv6 traffic dropped
        packets statistics due to SGACL enforcement. The
        zero-length string indicates that no such netflow monitor
        is configured in the device."
    ::= { ctspSgaclGlobals 3 }

ctspVlanConfigTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspVlanConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the SGACL enforcement for Layer 2 and
        Layer 3 switched packet in a VLAN as well as VRF
        information for VLANs in the device."
    ::= { ctspSgaclGlobals 4 }

ctspVlanConfigEntry OBJECT-TYPE
    SYNTAX          CtspVlanConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the SGACL enforcement information for
        Layer 2 and Layer 3 switched packets in a VLAN identified
        by its VlanIndex value. Entry in this table is populated
        for VLANs which contains SGACL enforcement or VRF
        configuration."
    INDEX           { ctspVlanConfigIndex }
    ::= { ctspVlanConfigTable 1 }

CtspVlanConfigEntry ::= SEQUENCE {
    ctspVlanConfigIndex             VlanIndex,
    ctspVlanConfigSgaclEnforcement  TruthValue,
    ctspVlanSviActive               TruthValue,
    ctspVlanConfigVrfName           CiscoVrfName,
    ctspVlanConfigStorageType       StorageType,
    ctspVlanConfigRowStatus         RowStatus
}

ctspVlanConfigIndex OBJECT-TYPE
    SYNTAX          VlanIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the VLAN-ID of this VLAN."
    ::= { ctspVlanConfigEntry 1 }

ctspVlanConfigSgaclEnforcement OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the configured SGACL enforcement
        status for this VLAN i.e., 'true' = enabled and
        'false' = disabled."
    ::= { ctspVlanConfigEntry 2 }

ctspVlanSviActive OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates if there is an active SVI associated
        with this VLAN.

        'true' indicates that there is an active SVI associated
        with this VLAN. and SGACL is enforced for both Layer 2 and
        Layer 3 switched packets within that VLAN.

        'false' indicates that there is no active SVI associated
        with this VLAN, and SGACL is only enforced for Layer 2
        switched packets within that VLAN."
    ::= { ctspVlanConfigEntry 3 }

ctspVlanConfigVrfName OBJECT-TYPE
    SYNTAX          CiscoVrfName
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies an existing VRF where this VLAN
        belongs to. The zero length value indicates this VLAN
        belongs to the default VRF."
    ::= { ctspVlanConfigEntry 4 }

ctspVlanConfigStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The objects specifies the storage type for this conceptual
        row."
    DEFVAL          { volatile }
    ::= { ctspVlanConfigEntry 5 }

ctspVlanConfigRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The status of this conceptual row entry. This object is
        used to manage creation and deletion of rows in this table.

        When this object value is 'active', other writable objects
        in the same row cannot be modified."
    ::= { ctspVlanConfigEntry 6 }

--
-- ctspSgaclMappings
--

ctspConfigSgaclMappingTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspConfigSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the SGACLs information which is applied
        to unicast IP traffic which carries a source SGT and
        travels to a destination SGT."
    ::= { ctspSgaclMappings 1 }

ctspConfigSgaclMappingEntry OBJECT-TYPE
    SYNTAX          CtspConfigSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the SGACL mapping to source and
        destination SGT for a certain traffic type as well as
        status of this instance.
        A row instance can be created or removed by setting the
        appropriate value of its RowStatus object."
    INDEX           {
                        ctspConfigSgaclMappingIpTrafficType,
                        ctspConfigSgaclMappingDestSgt,
                        ctspConfigSgaclMappingSourceSgt
                    }
    ::= { ctspConfigSgaclMappingTable 1 }

CtspConfigSgaclMappingEntry ::= SEQUENCE {
    ctspConfigSgaclMappingIpTrafficType  INTEGER,
    ctspConfigSgaclMappingDestSgt        CtsSecurityGroupTag,
    ctspConfigSgaclMappingSourceSgt      CtsSecurityGroupTag,
    ctspConfigSgaclMappingSgaclName      CtsAclList,
    ctspConfigSgaclMappingStorageType    StorageType,
    ctspConfigSgaclMappingRowStatus      RowStatus,
    ctspConfigSgaclMonitor               CtsSgaclMonitorMode
}

ctspConfigSgaclMappingIpTrafficType OBJECT-TYPE
    SYNTAX          INTEGER { ipv4(1), ipv6(2) }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the unicast IP traffic
        carrying the source SGT and travelling to destination SGT
        and subjected to SGACL enforcement."
    ::= { ctspConfigSgaclMappingEntry 1 }

ctspConfigSgaclMappingDestSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the destination SGT value. Value of
        zero indicates that the destination SGT is unknown."
    ::= { ctspConfigSgaclMappingEntry 2 }

ctspConfigSgaclMappingSourceSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the source SGT value. Value of zero
        indicates that the source SGT is unknown."
    ::= { ctspConfigSgaclMappingEntry 3 }

ctspConfigSgaclMappingSgaclName OBJECT-TYPE
    SYNTAX          CtsAclList
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the list of existing SGACLs which is
        administratively configured to apply to unicast IP traffic
        carrying the source SGT to the destination SGT."
    ::= { ctspConfigSgaclMappingEntry 4 }

ctspConfigSgaclMappingStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The storage type for this conceptual row."
    DEFVAL          { volatile }
    ::= { ctspConfigSgaclMappingEntry 5 }

ctspConfigSgaclMappingRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to manage the creation and deletion of
        rows in this table. ctspConfigSgaclName may be modified at
        any time."
    ::= { ctspConfigSgaclMappingEntry 6 }

ctspConfigSgaclMonitor OBJECT-TYPE
    SYNTAX          CtsSgaclMonitorMode
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies whether SGACL monitor mode is turned
        on for the configured SGACL enforced traffic."
    DEFVAL          { off }
    ::= { ctspConfigSgaclMappingEntry 7 }

ctspDefConfigIpv4Sgacls OBJECT-TYPE
    SYNTAX          CtsAclListOrEmpty
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the SGACLs of the unicast default
        policy for IPv4 traffic. If there is no SGACL configured
        for unicast default policy for IPv4 traffic, the value of
        this object is the zero-length string."
    ::= { ctspSgaclMappings 2 }

ctspDefConfigIpv6Sgacls OBJECT-TYPE
    SYNTAX          CtsAclListOrEmpty
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the SGACLs of the unicast default
        policy for IPv6 traffic. If there is no SGACL configured
        for unicast default policy for IPv6 traffic, the value of
        this object is the zero-length string."
    ::= { ctspSgaclMappings 3 }

--
-- The ctspDownloadedSgaclMappingTable
--

ctspDownloadedSgaclMappingTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspDownloadedSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the downloaded SGACLs information
        applied to unicast IP traffic which carries a source SGT
        and travels to a destination SGT."
    ::= { ctspSgaclMappings 4 }

ctspDownloadedSgaclMappingEntry OBJECT-TYPE
    SYNTAX          CtspDownloadedSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the downloaded SGACLs mapping. A row
        instance is added for each pair of which contains SGACL
        that is dynamically downloaded from ACS server."
    INDEX           {
                        ctspDownloadedSgaclDestSgt,
                        ctspDownloadedSgaclSourceSgt,
                        ctspDownloadedSgaclIndex
                    }
    ::= { ctspDownloadedSgaclMappingTable 1 }

CtspDownloadedSgaclMappingEntry ::= SEQUENCE {
    ctspDownloadedSgaclDestSgt    CtsSecurityGroupTag,
    ctspDownloadedSgaclSourceSgt  CtsSecurityGroupTag,
    ctspDownloadedSgaclIndex      Unsigned32,
    ctspDownloadedSgaclName       CtsAclName,
    ctspDownloadedSgaclGenId      CtsGenerationId,
    ctspDownloadedIpTrafficType   BITS,
    ctspDownloadedSgaclMonitor    CtsSgaclMonitorMode
}

ctspDownloadedSgaclDestSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the destination SGT value. Value of
        zero indicates that the destination SGT is unknown."
    ::= { ctspDownloadedSgaclMappingEntry 1 }

ctspDownloadedSgaclSourceSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the source SGT value. Value of zero
        indicates that the source SGT is unknown."
    ::= { ctspDownloadedSgaclMappingEntry 2 }

ctspDownloadedSgaclIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object identifies the downloaded SGACL which is
        applied to unicast IP traffic carrying the source SGT to
        the destination SGT."
    ::= { ctspDownloadedSgaclMappingEntry 3 }

ctspDownloadedSgaclName OBJECT-TYPE
    SYNTAX          CtsAclName
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the name of downloaded SGACL which
        is applied to unicast IP traffic carrying the source SGT
        to the destination SGT."
    ::= { ctspDownloadedSgaclMappingEntry 4 }

ctspDownloadedSgaclGenId OBJECT-TYPE
    SYNTAX          CtsGenerationId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the generation identification of
        downloaded SGACL which is applied to unicast IP traffic
        carrying the source SGT to the destination SGT."
    ::= { ctspDownloadedSgaclMappingEntry 5 }

ctspDownloadedIpTrafficType OBJECT-TYPE
    SYNTAX          BITS { ipv4(0), ipv6(1) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the unicast IP traffic
        carrying the source SGT and travelling to destination SGT
        and subjected to SGACL enforcement by this downloaded
        default policy."
    ::= { ctspDownloadedSgaclMappingEntry 6 }

ctspDownloadedSgaclMonitor OBJECT-TYPE
    SYNTAX          CtsSgaclMonitorMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether SGACL monitor mode is turned
        on for the downloaded SGACL enforced traffic."
    ::= { ctspDownloadedSgaclMappingEntry 7 }

--
-- The ctspDefDownloadedSgaclMappingTable
--

ctspDefDownloadedSgaclMappingTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspDefDownloadedSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the downloaded SGACLs information of
        the default policy applied to unicast IP traffic."
    ::= { ctspSgaclMappings 5 }

ctspDefDownloadedSgaclMappingEntry OBJECT-TYPE
    SYNTAX          CtspDefDownloadedSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the downloaded SGACLs mapping. A row
        instance contains the SGACL information of the default
        policy dynamically downloaded from ACS server for unicast
        IP traffic."
    INDEX           { ctspDefDownloadedSgaclIndex }
    ::= { ctspDefDownloadedSgaclMappingTable 1 }

CtspDefDownloadedSgaclMappingEntry ::= SEQUENCE {
    ctspDefDownloadedSgaclIndex     Unsigned32,
    ctspDefDownloadedSgaclName      CtsAclName,
    ctspDefDownloadedSgaclGenId     CtsGenerationId,
    ctspDefDownloadedIpTrafficType  BITS,
    ctspDefDownloadedSgaclMonitor   CtsSgaclMonitorMode
}

ctspDefDownloadedSgaclIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object identifies the SGACL of downloaded default
        policy applied to unicast IP traffic."
    ::= { ctspDefDownloadedSgaclMappingEntry 1 }

ctspDefDownloadedSgaclName OBJECT-TYPE
    SYNTAX          CtsAclName
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the name of the SGACL of downloaded
        default policy applied to unicast IP traffic."
    ::= { ctspDefDownloadedSgaclMappingEntry 2 }

ctspDefDownloadedSgaclGenId OBJECT-TYPE
    SYNTAX          CtsGenerationId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the generation identification of the
        SGACL of downloaded default policy applied to unicast IP
        traffic."
    ::= { ctspDefDownloadedSgaclMappingEntry 3 }

ctspDefDownloadedIpTrafficType OBJECT-TYPE
    SYNTAX          BITS { ipv4(0), ipv6(1) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the IP traffic subjected
        to SGACL enforcement by this downloaded default policy."
    ::= { ctspDefDownloadedSgaclMappingEntry 4 }

ctspDefDownloadedSgaclMonitor OBJECT-TYPE
    SYNTAX          CtsSgaclMonitorMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether SGACL monitor mode is turned
        on for the default downloaded SGACL enforced traffic."
    ::= { ctspDefDownloadedSgaclMappingEntry 5 }

--
-- The ctspOperSgaclMappingTable
--

ctspOperSgaclMappingTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspOperSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the operational SGACLs information
        applied to unicast IP traffic which carries a source SGT
        and travels to a destination SGT."
    ::= { ctspSgaclMappings 6 }

ctspOperSgaclMappingEntry OBJECT-TYPE
    SYNTAX          CtspOperSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the operational SGACLs mapping. A row
        instance is added for each pair of which contains the
        SGACL that either statically configured at the device or
        dynamically downloaded from ACS server."
    INDEX           {
                        ctspOperIpTrafficType,
                        ctspOperSgaclDestSgt,
                        ctspOperSgaclSourceSgt,
                        ctspOperSgaclIndex
                    }
    ::= { ctspOperSgaclMappingTable 1 }

CtspOperSgaclMappingEntry ::= SEQUENCE {
    ctspOperIpTrafficType       INTEGER,
    ctspOperSgaclDestSgt        CtsSecurityGroupTag,
    ctspOperSgaclSourceSgt      CtsSecurityGroupTag,
    ctspOperSgaclIndex          Unsigned32,
    ctspOperationalSgaclName    CtsAclName,
    ctspOperationalSgaclGenId   CtsGenerationId,
    ctspOperSgaclMappingSource  INTEGER,
    ctspOperSgaclConfigSource   INTEGER,
    ctspOperSgaclMonitor        CtsSgaclMonitorMode
}

ctspOperIpTrafficType OBJECT-TYPE
    SYNTAX          INTEGER { ipv4(1), ipv6(2) }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the unicast IP traffic
        carrying the source SGT and travelling to destination SGT
        and subjected to SGACL enforcement."
    ::= { ctspOperSgaclMappingEntry 1 }

ctspOperSgaclDestSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the destination SGT value. Value of
        zero indicates that the destination SGT is unknown."
    ::= { ctspOperSgaclMappingEntry 2 }

ctspOperSgaclSourceSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the source SGT value. Value of zero
        indicates that the source SGT is unknown."
    ::= { ctspOperSgaclMappingEntry 3 }

ctspOperSgaclIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object identifies the SGACL operationally applied to
        unicast IP traffic carrying the source SGT to the
        destination SGT."
    ::= { ctspOperSgaclMappingEntry 4 }

ctspOperationalSgaclName OBJECT-TYPE
    SYNTAX          CtsAclName
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the name of the SGACL operationally
        applied to unicast IP traffic carrying the source SGT to
        the destination SGT."
    ::= { ctspOperSgaclMappingEntry 5 }

ctspOperationalSgaclGenId OBJECT-TYPE
    SYNTAX          CtsGenerationId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the generation identification of the
        SGACL operationally applied to unicast IP traffic carrying
        the source SGT to the destination SGT."
    ::= { ctspOperSgaclMappingEntry 6 }

ctspOperSgaclMappingSource OBJECT-TYPE
    SYNTAX          INTEGER { configured(1), downloaded(2) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the source of SGACL mapping for the
        SGACL operationally applied to unicast IP traffic carrying
        the source SGT to the destination SGT.

        'downloaded' indicates that the mapping is downloaded from
        ACS server.

        'configured' indicates that the mapping is locally
        configured in the device."
    ::= { ctspOperSgaclMappingEntry 7 }

ctspOperSgaclConfigSource OBJECT-TYPE
    SYNTAX          INTEGER { configured(1), downloaded(2) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the source of SGACL creation for
        this SGACL.

        'configured' indicates that the SGACL is locally configured
        in the local device.

        'downloaded' indicates that the SGACL is created at ACS
        server and downloaded to the local device."
    ::= { ctspOperSgaclMappingEntry 8 }

ctspOperSgaclMonitor OBJECT-TYPE
    SYNTAX          CtsSgaclMonitorMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether SGACL monitor mode is turned
        on for the SGACL enforced traffic."
    ::= { ctspOperSgaclMappingEntry 9 }

--
-- The ctspDefOperSgaclMappingTable
--

ctspDefOperSgaclMappingTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspDefOperSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the operational SGACLs information of
        the default policy applied to unicast IP traffic."
    ::= { ctspSgaclMappings 7 }

ctspDefOperSgaclMappingEntry OBJECT-TYPE
    SYNTAX          CtspDefOperSgaclMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A row instance contains the SGACL information of the
        default policy which is either statically configured at
        the device or dynamically downloaded from ACS server for
        unicast IP traffic."
    INDEX           {
                        ctspDefOperIpTrafficType,
                        ctspDefOperSgaclIndex
                    }
    ::= { ctspDefOperSgaclMappingTable 1 }

CtspDefOperSgaclMappingEntry ::= SEQUENCE {
    ctspDefOperIpTrafficType       INTEGER,
    ctspDefOperSgaclIndex          Unsigned32,
    ctspDefOperationalSgaclName    CtsAclName,
    ctspDefOperationalSgaclGenId   CtsGenerationId,
    ctspDefOperSgaclMappingSource  INTEGER,
    ctspDefOperSgaclConfigSource   INTEGER,
    ctspDefOperSgaclMonitor        CtsSgaclMonitorMode
}

ctspDefOperIpTrafficType OBJECT-TYPE
    SYNTAX          INTEGER { ipv4(1), ipv6(2) }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the unicast IP traffic
        subjected to default policy enforcement."
    ::= { ctspDefOperSgaclMappingEntry 1 }

ctspDefOperSgaclIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object identifies the SGACL of default policy
        operationally applied to unicast IP traffic."
    ::= { ctspDefOperSgaclMappingEntry 2 }

ctspDefOperationalSgaclName OBJECT-TYPE
    SYNTAX          CtsAclName
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the name of the SGACL of default
        policy operationally applied to unicast IP traffic."
    ::= { ctspDefOperSgaclMappingEntry 3 }

ctspDefOperationalSgaclGenId OBJECT-TYPE
    SYNTAX          CtsGenerationId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the generation identification of the
        SGACL of default policy operationally applied to unicast
        IP traffic."
    ::= { ctspDefOperSgaclMappingEntry 4 }

ctspDefOperSgaclMappingSource OBJECT-TYPE
    SYNTAX          INTEGER { configured(1), downloaded(2) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the source of SGACL mapping for the
        SGACL of default policy operationally applied to unicast
        IP traffic.

        'downloaded' indicates that the mapping is downloaded from
        ACS server.

        'configured' indicates that the mapping is locally
        configured in the device."
    ::= { ctspDefOperSgaclMappingEntry 5 }

ctspDefOperSgaclConfigSource OBJECT-TYPE
    SYNTAX          INTEGER { configured(1), downloaded(2) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the source of SGACL creation for the
        SGACL of default policy operationally applied to unicast
        IP traffic.

        'downloaded' indicates that the SGACL is created at ACS
        server and downloaded to the local device.

        'configured' indicates that the SGACL is locally configured
        in the local device."
    ::= { ctspDefOperSgaclMappingEntry 6 }

ctspDefOperSgaclMonitor OBJECT-TYPE
    SYNTAX          CtsSgaclMonitorMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether SGACL monitor mode is turned
        on for the SGACL of default policy enforced traffic."
    ::= { ctspDefOperSgaclMappingEntry 7 }

--
-- ctspSgaclStatistics
--

ctspDefConfigIpv4SgaclsMonitor OBJECT-TYPE
    SYNTAX          CtsSgaclMonitorMode
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether SGACL monitor mode is turned
        on for the default configured SGACL enforced Ipv4 traffic."
    ::= { ctspSgaclMappings 8 }

ctspDefConfigIpv6SgaclsMonitor OBJECT-TYPE
    SYNTAX          CtsSgaclMonitorMode
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether SGACL monitor mode is turned
        on for the default configured SGACL enforced Ipv6 traffic."
    ::= { ctspSgaclMappings 9 }

ctspSgaclMonitorEnable OBJECT-TYPE
    SYNTAX          CtsSgaclMonitorMode
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether SGACL monitor mode is turned
        on for the entire system. It has precedence than the per
        SGACL ctspConfigSgaclMonitor control. It could act as
        safety mechanism to turn off monitor in case the monitor
        feature impact system performance."
    ::= { ctspSgaclMappings 10 }

--
-- ctspSgaclStatistics
--

ctspSgtStatsTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspSgtStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table describes SGACL statistics counters per a pair
        of that is capable of providing this information."
    ::= { ctspSgaclStatistics 1 }

ctspSgtStatsEntry OBJECT-TYPE
    SYNTAX          CtspSgtStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the SGACL statistics related to IPv4 or
        IPv6 packets carrying the source SGT travelling to the
        destination SGT and subjected to SGACL enforcement."
    INDEX           {
                        ctspStatsIpTrafficType,
                        ctspStatsDestSgt,
                        ctspStatsSourceSgt
                    }
    ::= { ctspSgtStatsTable 1 }

CtspSgtStatsEntry ::= SEQUENCE {
    ctspStatsIpTrafficType    INTEGER,
    ctspStatsDestSgt          CtsSecurityGroupTag,
    ctspStatsSourceSgt        CtsSecurityGroupTag,
    ctspStatsIpSwDropPkts     Counter64,
    ctspStatsIpHwDropPkts     Counter64,
    ctspStatsIpSwPermitPkts   Counter64,
    ctspStatsIpHwPermitPkts   Counter64,
    ctspStatsIpSwMonitorPkts  Counter64,
    ctspStatsIpHwMonitorPkts  Counter64
}

ctspStatsIpTrafficType OBJECT-TYPE
    SYNTAX          INTEGER { ipv4(1), ipv6(2) }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the unicast IP traffic
        carrying the source SGT and travelling to destination SGT
        and subjected to SGACL enforcement."
    ::= { ctspSgtStatsEntry 1 }

ctspStatsDestSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the destination SGT value. Value of
        zero indicates that the destination SGT is unknown."
    ::= { ctspSgtStatsEntry 2 }

ctspStatsSourceSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the source SGT value. Value of zero
        indicates that the source SGT is unknown."
    ::= { ctspSgtStatsEntry 3 }

ctspStatsIpSwDropPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of software-forwarded IP
        packets which are dropped by SGACL."
    ::= { ctspSgtStatsEntry 4 }

ctspStatsIpHwDropPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of hardware-forwarded IP
        packets which are dropped by SGACL."
    ::= { ctspSgtStatsEntry 5 }

ctspStatsIpSwPermitPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of software-forwarded IP
        packets which are permitted by SGACL."
    ::= { ctspSgtStatsEntry 6 }

ctspStatsIpHwPermitPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of hardware-forwarded IP
        packets which are permitted by SGACL."
    ::= { ctspSgtStatsEntry 7 }

ctspStatsIpSwMonitorPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of software-forwarded IP
        packets which are SGACL enforced & monitored."
    ::= { ctspSgtStatsEntry 8 }

ctspStatsIpHwMonitorPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of hardware-forwarded IP
        packets which are SGACL enforced & monitored."
    ::= { ctspSgtStatsEntry 9 }

ctspDefStatsTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspDefStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table describes statistics counters for unicast IP
        traffic subjected to default unicast policy."
    ::= { ctspSgaclStatistics 2 }

ctspDefStatsEntry OBJECT-TYPE
    SYNTAX          CtspDefStatsEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the statistics counter for each IP
        traffic type."
    INDEX           { ctspDefIpTrafficType }
    ::= { ctspDefStatsTable 1 }

CtspDefStatsEntry ::= SEQUENCE {
    ctspDefIpTrafficType    INTEGER,
    ctspDefIpSwDropPkts     Counter64,
    ctspDefIpHwDropPkts     Counter64,
    ctspDefIpSwPermitPkts   Counter64,
    ctspDefIpHwPermitPkts   Counter64,
    ctspDefIpSwMonitorPkts  Counter64,
    ctspDefIpHwMonitorPkts  Counter64
}

ctspDefIpTrafficType OBJECT-TYPE
    SYNTAX          INTEGER { ipv4(1), ipv6(2) }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the IP traffic subjected
        to default unicast policy enforcement."
    ::= { ctspDefStatsEntry 1 }

ctspDefIpSwDropPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of software-forwarded IP
        packets which are dropped by default unicast policy."
    ::= { ctspDefStatsEntry 2 }

ctspDefIpHwDropPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of hardware-forwarded IP
        packets which are dropped by default unicast policy."
    ::= { ctspDefStatsEntry 3 }

ctspDefIpSwPermitPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of software-forwarded IP
        packets which are permitted by default unicast policy."
    ::= { ctspDefStatsEntry 4 }

ctspDefIpHwPermitPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of hardware-forwarded IP
        packets which are permitted by default unicast policy."
    ::= { ctspDefStatsEntry 5 }

ctspDefIpSwMonitorPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of software-forwarded IP
        packets which are monitored by default unicast policy."
    ::= { ctspDefStatsEntry 6 }

ctspDefIpHwMonitorPkts OBJECT-TYPE
    SYNTAX          Counter64
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the number of hardware-forwarded IP
        packets which are monitored by default unicast policy."
    ::= { ctspDefStatsEntry 7 }

--
-- ctsPeerPolicy group
--

ctspAllPeerPolicyAction OBJECT-TYPE
    SYNTAX          INTEGER { none(1), refresh(2) }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object allows user to specify the action to be taken
        with respect to all peer policies in the device. When
        read, this object always returns the value 'none'.

        'none' - No operation.

        'refresh' - Refresh all peer policies in the device."
    ::= { ctspPeerPolicy 1 }

ctspPeerPolicyTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspPeerPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the peer policy information for each peer
        device."
    ::= { ctspPeerPolicy 2 }

ctspPeerPolicyEntry OBJECT-TYPE
    SYNTAX          CtspPeerPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the managed objects for peer policies
        for each peer device based on its name."
    INDEX           { IMPLIED ctspPeerName }
    ::= { ctspPeerPolicyTable 1 }

CtspPeerPolicyEntry ::= SEQUENCE {
    ctspPeerName              SnmpAdminString,
    ctspPeerSgt               CtsSecurityGroupTag,
    ctspPeerSgtGenId          CtsGenerationId,
    ctspPeerTrustState        INTEGER,
    ctspPeerPolicyLifeTime    Unsigned32,
    ctspPeerPolicyLastUpdate  DateAndTime,
    ctspPeerPolicyAction      INTEGER
}

ctspPeerName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE(1..128))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies a peer device."
    ::= { ctspPeerPolicyEntry 1 }

ctspPeerSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the SGT value of this peer device."
    ::= { ctspPeerPolicyEntry 2 }

ctspPeerSgtGenId OBJECT-TYPE
    SYNTAX          CtsGenerationId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the generation identification of the
        SGT value assigned to this peer device."
    ::= { ctspPeerPolicyEntry 3 }

ctspPeerTrustState OBJECT-TYPE
    SYNTAX          INTEGER { trusted(1), noTrust(2) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the TrustSec trust state of this peer
        device.

        'trusted' indicates that this is a trusted peer device.

        'noTrust' indicates that this peer device is not trusted."
    ::= { ctspPeerPolicyEntry 4 }

ctspPeerPolicyLifeTime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the policy life time which provides
        the time interval during which the peer policy is valid."
    ::= { ctspPeerPolicyEntry 5 }

ctspPeerPolicyLastUpdate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the time when this peer policy is last
        updated."
    ::= { ctspPeerPolicyEntry 6 }

ctspPeerPolicyAction OBJECT-TYPE
    SYNTAX          INTEGER { none(1), refresh(2) }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object allows user to specify the action to be taken
        with this peer policy. When read, this object always returns
        the value 'none'.

        'none' - No operation.

        'refresh' - Refresh this peer policy."
    ::= { ctspPeerPolicyEntry 7 }

--
-- ctspLayer3Transport
--

ctspLayer3PolicyTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspLayer3PolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table describes Layer 3 transport policy for IP traffic
        regarding SGT propagation."
    ::= { ctspLayer3Transport 1 }

ctspLayer3PolicyEntry OBJECT-TYPE
    SYNTAX          CtspLayer3PolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the Layer 3 transport policies per IP
        traffic type per policy type."
    INDEX           {
                        ctspLayer3PolicyIpTrafficType,
                        ctspLayer3PolicyType
                    }
    ::= { ctspLayer3PolicyTable 1 }

CtspLayer3PolicyEntry ::= SEQUENCE {
        ctspLayer3PolicyIpTrafficType INTEGER,
        ctspLayer3PolicyType          INTEGER,
        ctspLayer3PolicyLocalConfig   CtsAclNameOrEmpty,
        ctspLayer3PolicyDownloaded    CtsAclNameOrEmpty,
        ctspLayer3PolicyOperational   CtsAclNameOrEmpty
}

ctspLayer3PolicyIpTrafficType OBJECT-TYPE
    SYNTAX          INTEGER { ipv4(1), ipv6(2) }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the IP traffic affected by
        Layer-3 transport policy.

        'ipv4' indicates that the affected traffic is IPv4 traffic.

        'ipv6' indicates that the affected traffic is IPv6 traffic."
    ::= { ctspLayer3PolicyEntry 1 }

ctspLayer3PolicyType OBJECT-TYPE
    SYNTAX          INTEGER { permit(1), exception(2) }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the type of the Layer-3 transport
        policy affecting IP traffic regarding SGT propagation.

        'permit' indicates that the transport policy is used to
        classify Layer-3 traffic which is subject to SGT propagation.

        'exception' indicates that the transport policy is used to
        classify Layer-3 traffic which is NOT subject to SGT
        propagation."
    ::= { ctspLayer3PolicyEntry 2 }

ctspLayer3PolicyLocalConfig OBJECT-TYPE
    SYNTAX          CtsAclNameOrEmpty
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the name of an ACL that is
        administratively configured to classify Layer3 traffic.
        Zero-length string indicates there is no such configured
        policy."
    ::= { ctspLayer3PolicyEntry 3 }

ctspLayer3PolicyDownloaded OBJECT-TYPE
    SYNTAX          CtsAclNameOrEmpty
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object specifies the name of an ACL that is downloaded
        from policy server to classify Layer3 traffic. Zero-length
        string indicates there is no such downloaded policy."
    ::= { ctspLayer3PolicyEntry 4 }

ctspLayer3PolicyOperational OBJECT-TYPE
    SYNTAX          CtsAclNameOrEmpty
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object specifies the name of an operational ACL
        currently used to classify Layer3 traffic. Zero-length string
        indicates there is no such policy in effect."
    ::= { ctspLayer3PolicyEntry 5 }

ctspIfL3PolicyConfigTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspIfL3PolicyConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the interfaces which support Layer3
        Transport policy."
    ::= { ctspLayer3Transport 2 }

ctspIfL3PolicyConfigEntry OBJECT-TYPE
    SYNTAX          CtspIfL3PolicyConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains managed objects for Layer3 Transport on
        interface capable of providing this information."
    INDEX           { ifIndex }
    ::= { ctspIfL3PolicyConfigTable 1 }

CtspIfL3PolicyConfigEntry ::= SEQUENCE {
        ctspIfL3Ipv4PolicyEnabled TruthValue,
        ctspIfL3Ipv6PolicyEnabled TruthValue
}

ctspIfL3Ipv4PolicyEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether the Layer3 Transport policies
        will be applied on this interface for egress IPv4 traffic.

        'true' indicates that Layer3 permit and exception policy will
        be applied at this interface for egress IPv4 traffic.

        'false' indicates that Layer3 permit and exception policy
        will not be applied at this interface for egress IPv4
        traffic."
    ::= { ctspIfL3PolicyConfigEntry 1 }

ctspIfL3Ipv6PolicyEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether the Layer3 Transport policies
        will be applied on this interface for egress IPv6 traffic.

        'true' indicates that Layer3 permit and exception policy will
        be applied at this interface for egress IPv6 traffic.

        'false' indicates that Layer3 permit and exception policy
        will not be applied at this interface for egress IPv6
        traffic."
    ::= { ctspIfL3PolicyConfigEntry 2 }

--
-- ctspIpSgtMappingTable
--

ctspIpSgtMappingTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspIpSgtMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the IP-to-SGT mapping information in the
        device."
    ::= { ctspIpSgtMappings 1 }

ctspIpSgtMappingEntry OBJECT-TYPE
    SYNTAX          CtspIpSgtMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the IP-to-SGT mapping and status of this
        instance. Entry in this table is either populated
        automatically by the device or manually configured by a user.
        A manually configured row instance can be created or removed
        by setting the appropriate value of its RowStatus object."
    INDEX           {
                        ctspIpSgtVrfName,
                        ctspIpSgtAddressType,
                        ctspIpSgtIpAddress,
                        ctspIpSgtAddressLength
                    }
    ::= { ctspIpSgtMappingTable 1 }

CtspIpSgtMappingEntry ::= SEQUENCE {
        ctspIpSgtVrfName       CiscoVrfName,
        ctspIpSgtAddressType   InetAddressType,
        ctspIpSgtIpAddress     InetAddress,
        ctspIpSgtAddressLength InetAddressPrefixLength,
        ctspIpSgtValue         CtsSecurityGroupTag,
        ctspIpSgtSource        INTEGER,
        ctspIpSgtStorageType   StorageType,
        ctspIpSgtRowStatus     RowStatus
}

ctspIpSgtVrfName OBJECT-TYPE
    SYNTAX          CiscoVrfName
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the VRF where IP-SGT mapping belongs
        to. The zero length value indicates the default VRF."
    ::= { ctspIpSgtMappingEntry 1 }

ctspIpSgtAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the type of Internet address."
    ::= { ctspIpSgtMappingEntry 2 }

ctspIpSgtIpAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates an Internet address. The type of this
        address is determined by the value of ctspIpSgtAddressType
        object."
    ::= { ctspIpSgtMappingEntry 3 }

ctspIpSgtAddressLength OBJECT-TYPE
    SYNTAX          InetAddressPrefixLength
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the length of an Internet address
        prefix."
    ::= { ctspIpSgtMappingEntry 4 }

ctspIpSgtValue OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the SGT value assigned to an Internet
        address."
    ::= { ctspIpSgtMappingEntry 5 }

ctspIpSgtSource OBJECT-TYPE
    SYNTAX          INTEGER {
                        configured(1),
                        arp(2),
                        localAuthenticated(3),
                        sxp(4),
                        internal(5),
                        l3if(6),
                        vlan(7),
                        caching(8)
                    }
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates the source of the mapping.

        'configured' indicates that the mapping is manually
        configured by user.

        'arp' indicates that the mapping is dynamically learnt from
        tagged ARP replies.

        'localAuthenticated' indicates that the mapping is
        dynamically learnt from the device authentication of a host.

        'sxp' indicates that the mapping is dynamically learnt from
        SXP (SGT Propagation Protocol).

        'internal' indicates that the mapping is automatically
        created by the device between the device IP addresses and the
        device own SGT.

        'l3if' indicates that Interface-SGT mapping is configured by
        user.

        'vlan' indicates that Vlan-SGT mapping is configured by user.

        'caching' indicates that sgt mapping is cached.

        Only 'configured' value is accepted when setting this
        object."
    ::= { ctspIpSgtMappingEntry 6 }

ctspIpSgtStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The storage type for this conceptual row."
    DEFVAL          { volatile }
    ::= { ctspIpSgtMappingEntry 7 }

ctspIpSgtRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to manage the creation and deletion of
        rows in this table.

        If this object value is 'active', user cannot modify any
        writable object in this row.
        If value of ctspIpSgtSource object in an entry is not
        'configured', user cannot change the value of this object."
    ::= { ctspIpSgtMappingEntry 8 }

--
-- ctsSgtPolicy group
--

ctspAllSgtPolicyAction OBJECT-TYPE
    SYNTAX          INTEGER { none(1), refresh(2) }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object allows user to specify the action to be taken
        with respect to all SGT policies in the device. When read,
        this object always returns the value 'none'.

        'none' - No operation.

        'refresh' - Refresh all SGT policies in the device."
    ::= { ctspSgtPolicy 1 }

ctspDownloadedSgtPolicyTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspDownloadedSgtPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the SGT policy information downloaded by
        the device."
    ::= { ctspSgtPolicy 2 }

ctspDownloadedSgtPolicyEntry OBJECT-TYPE
    SYNTAX          CtspDownloadedSgtPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the managed objects for SGT policies
        downloaded by the device."
    INDEX           { ctspDownloadedSgtPolicySgt }
    ::= { ctspDownloadedSgtPolicyTable 1 }

CtspDownloadedSgtPolicyEntry ::= SEQUENCE {
        ctspDownloadedSgtPolicySgt        CtsSecurityGroupTag,
        ctspDownloadedSgtPolicySgtGenId   CtsGenerationId,
        ctspDownloadedSgtPolicyLifeTime   Unsigned32,
        ctspDownloadedSgtPolicyLastUpdate DateAndTime,
        ctspDownloadedSgtPolicyAction     INTEGER
}

ctspDownloadedSgtPolicySgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the SGT value for which the downloaded
        policy is applied to. Value of zero indicates that the SGT is
        unknown."
    ::= { ctspDownloadedSgtPolicyEntry 1 }

ctspDownloadedSgtPolicySgtGenId OBJECT-TYPE
    SYNTAX          CtsGenerationId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the generation identification of the
        SGT value denoted by ctspDownloadedSgtPolicySgt object."
    ::= { ctspDownloadedSgtPolicyEntry 2 }

ctspDownloadedSgtPolicyLifeTime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the policy life time which provides
        the time interval during which this downloaded policy is
        valid."
    ::= { ctspDownloadedSgtPolicyEntry 3 }

ctspDownloadedSgtPolicyLastUpdate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the time when this downloaded SGT
        policy is last updated."
    ::= { ctspDownloadedSgtPolicyEntry 4 }

ctspDownloadedSgtPolicyAction OBJECT-TYPE
    SYNTAX          INTEGER { none(1), refresh(2) }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object allows user to specify the action to be taken
        with this downloaded SGT policy. When read, this object
        always returns the value 'none'.

        'none' - No operation.

        'refresh' - Refresh this SGT policy."
    ::= { ctspDownloadedSgtPolicyEntry 5 }

--
-- ctspDownloadedDefSgtPolicyTable
--

ctspDownloadedDefSgtPolicyTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspDownloadedDefSgtPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the default SGT policy information
        downloaded by the device."
    ::= { ctspSgtPolicy 3 }

ctspDownloadedDefSgtPolicyEntry OBJECT-TYPE
    SYNTAX          CtspDownloadedDefSgtPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the managed objects for default SGT
        policies downloaded by the device."
    INDEX           { ctspDownloadedDefSgtPolicyType }
    ::= { ctspDownloadedDefSgtPolicyTable 1 }

CtspDownloadedDefSgtPolicyEntry ::= SEQUENCE {
        ctspDownloadedDefSgtPolicyType       INTEGER,
        ctspDownloadedDefSgtPolicySgtGenId   CtsGenerationId,
        ctspDownloadedDefSgtPolicyLifeTime   Unsigned32,
        ctspDownloadedDefSgtPolicyLastUpdate DateAndTime,
        ctspDownloadedDefSgtPolicyAction     INTEGER
}

ctspDownloadedDefSgtPolicyType OBJECT-TYPE
    SYNTAX          INTEGER { unicastDefault(1) }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object indicates the downloaded default SGT policy
        type.

        'unicastDefault' indicates the SGT policy applied to traffic
        which carries the default unicast SGT."
    ::= { ctspDownloadedDefSgtPolicyEntry 1 }

ctspDownloadedDefSgtPolicySgtGenId OBJECT-TYPE
    SYNTAX          CtsGenerationId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the generation identification of the
        downloaded default SGT policy."
    ::= { ctspDownloadedDefSgtPolicyEntry 2 }

ctspDownloadedDefSgtPolicyLifeTime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the policy life time which provides
        the time interval during which this download default policy
        is valid."
    ::= { ctspDownloadedDefSgtPolicyEntry 3 }

ctspDownloadedDefSgtPolicyLastUpdate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the time when this downloaded SGT
        policy is last updated."
    ::= { ctspDownloadedDefSgtPolicyEntry 4 }

ctspDownloadedDefSgtPolicyAction OBJECT-TYPE
    SYNTAX          INTEGER { none(1), refresh(2) }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object allows user to specify the action to be taken
        with this default downloaded SGT policy. When read, this
        object always returns the value 'none'.

        'none' - No operation.

        'refresh' - Refresh this default SGT policy."
    ::= { ctspDownloadedDefSgtPolicyEntry 5 }

--
-- ctspIfSgtMappingTable
--

ctspIfSgtMappingTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspIfSgtMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the Interface-to-SGT mapping
        configuration information in the device."
    ::= { ctspIfSgtMappings 1 }

ctspIfSgtMappingEntry OBJECT-TYPE
    SYNTAX          CtspIfSgtMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the SGT mapping configuration of a
        particular interface. A row instance can be created or
        removed by setting ctspIfSgtRowStatus."
    INDEX           { ifIndex }
    ::= { ctspIfSgtMappingTable 1 }

CtspIfSgtMappingEntry ::= SEQUENCE {
        ctspIfSgtValue       CtsSecurityGroupTag,
        ctspIfSgName         SnmpAdminString,
        ctspIfSgtStorageType StorageType,
        ctspIfSgtRowStatus   RowStatus
}

ctspIfSgtValue OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the SGT value assigned to the
        interface."
    ::= { ctspIfSgtMappingEntry 1 }

ctspIfSgName OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the Security Group Name assigned to
        the interface."
    ::= { ctspIfSgtMappingEntry 2 }

ctspIfSgtStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The storage type for this conceptual row."
    DEFVAL          { volatile }
    ::= { ctspIfSgtMappingEntry 3 }

ctspIfSgtRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to manage the creation and deletion of
        rows in this table."
    ::= { ctspIfSgtMappingEntry 4 }

--
-- ctspIfSgtMappingInfoTable
--

ctspIfSgtMappingInfoTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspIfSgtMappingInfoEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the Interface-to-SGT mapping status
        information in the device."
    ::= { ctspIfSgtMappings 2 }

ctspIfSgtMappingInfoEntry OBJECT-TYPE
    SYNTAX          CtspIfSgtMappingInfoEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Containing the Interface-to-SGT mapping status of the
        specified interface."
    INDEX           { ifIndex }
    ::= { ctspIfSgtMappingInfoTable 1 }

CtspIfSgtMappingInfoEntry ::= SEQUENCE {
        ctspL3IPMStatus INTEGER
}

ctspL3IPMStatus OBJECT-TYPE
    SYNTAX          INTEGER { disabled(1), active(2), inactive(3) }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the Layer 3 Identity Port Mapping(IPM)
        operational mode.

        disabled - The L3 IPM is not configured.

        active - The L3 IPM is configured for this interface, and
        SGT is available.

        inactive - The L3 IPM is configured for this interface, and
        SGT is unavailable."
    ::= { ctspIfSgtMappingInfoEntry 1 }

--
-- ctspVlanSgtMappingTable
--

ctspVlanSgtMappingTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CtspVlanSgtMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains the Vlan-SGT mapping information in the
        device."
    ::= { ctspVlanSgtMappings 1 }

ctspVlanSgtMappingEntry OBJECT-TYPE
    SYNTAX          CtspVlanSgtMappingEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each row contains the SGT mapping configuration of a
        particular VLAN. A row instance can be created or removed by
        setting ctspVlanSgtRowStatus."
    INDEX           { ctspVlanSgtMappingIndex }
    ::= { ctspVlanSgtMappingTable 1 }

CtspVlanSgtMappingEntry ::= SEQUENCE {
        ctspVlanSgtMappingIndex VlanIndex,
        ctspVlanSgtMapValue     CtsSecurityGroupTag,
        ctspVlanSgtStorageType  StorageType,
        ctspVlanSgtRowStatus    RowStatus
}

ctspVlanSgtMappingIndex OBJECT-TYPE
    SYNTAX          VlanIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object specifies the VLAN-ID which is used as index."
    ::= { ctspVlanSgtMappingEntry 1 }

ctspVlanSgtMapValue OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the SGT value assigned to the vlan."
    ::= { ctspVlanSgtMappingEntry 2 }

ctspVlanSgtStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The storage type for this conceptual row."
    DEFVAL          { volatile }
    ::= { ctspVlanSgtMappingEntry 3 }

ctspVlanSgtRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object is used to manage the creation and deletion of
        rows in this table."
    ::= { ctspVlanSgtMappingEntry 4 }

--
-- ctsSgtCaching group
--

ctspSgtCachingMode OBJECT-TYPE
    SYNTAX          INTEGER {
                        none(1),
                        standAlone(2),
                        withEnforcement(3),
                        vlan(4)
                    }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies which SGT-caching mode is configured
        for SGT caching capable interfaces at the managed system.

        'none' indicates that sgt-caching for all Layer 3 interfaces
        (excluding SVIs) is disabled.

        'standAlone' indicates that SGT-caching is enabled on every
        TrustSec capable Layer3 interface (excluding SVIs) in the
        device.

        'withEnforcement' indicates that SGT-caching is enabled on
        interfaces that have RBAC enforcement enabled.

        'vlan' indicates that SGT-caching is enabled on the VLANs
        specified by ctspSgtCachingVlansFirst2K &
        ctspSgtCachingVlansSecond2K"
    ::= { ctspSgtCaching 1 }

ctspSgtCachingVlansFirst2K OBJECT-TYPE
    SYNTAX          Cisco2KVlanList
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "A string of octets containing one bit per VLAN for VLANs 0
        to 2047. If the bit corresponding to a VLAN is set to 1, it
        indicates SGT-caching is enabled on the VLAN. If the bit
        corresponding to a VLAN is set to 0, it indicates SGT-caching
        is disabled on the VLAN."
    ::= { ctspSgtCaching 2 }

ctspSgtCachingVlansSecond2K OBJECT-TYPE
    SYNTAX          Cisco2KVlanList
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "A string of octets containing one bit per VLAN for VLANs
        2048 to 4095. If the bit corresponding to a VLAN is set to 1,
        it indicates SGT-caching is enabled on the VLAN.
        If the bit corresponding to a VLAN is set to 0, it indicates
        SGT-caching is disabled on the VLAN."
    ::= { ctspSgtCaching 3 }

-- Notifications Control

ctspPeerPolicyUpdatedNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether the system generates
        ctspPeerPolicyUpdatedNotif. A value of 'false' will prevent
        ctspPeerPolicyUpdatedNotif notifications from being generated
        by this system."
    ::= { ctspNotifsControl 1 }

ctspAuthorizationSgaclFailNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether this system generates the
        ctspAuthorizationSgaclFailNotif. A value of 'false' will
        prevent ctspAuthorizationSgaclFailNotif notifications from
        being generated by this system."
    ::= { ctspNotifsControl 2 }

-- Notifications Only Info

ctspOldPeerSgt OBJECT-TYPE
    SYNTAX          CtsSecurityGroupTag
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object provides the old sgt value for
        ctspPeerPolicyUpdatedNotif, i.e., the sgt value before the
        policy is updated."
    ::= { ctspNotifsOnlyInfo 1 }

ctspAuthorizationSgaclFailReason OBJECT-TYPE
    SYNTAX          INTEGER {
                        downloadACE(1),
                        downloadSrc(2),
                        downloadDst(3),
                        installPolicy(4),
                        installPolicyStandby(5),
                        installForIP(6),
                        uninstall(7)
                    }
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the reason of failure during SGACL
        acquisitions, installations and uninstallations, which is
        associated with ctspAuthorizationSgaclFailNotif;

        'downloadACE' - Failure during downloading ACE in SGACL
        acquisition.

        'downloadSrc' - Failure during downloading source list in
        SGACL acquisition.

        'downloadDst' - Failure during downloading destination list
        in SGACL acquisition.

        'installPolicy' - Failure during SGACL policy installation

        'installPolicyStandby' - Failure during SGACL policy
        installation on standby

        'installForIP' - Failure during SGACL installation for
        specific IP type.
        'uninstall' - Failure during SGACL uninstallation."
    ::= { ctspNotifsOnlyInfo 2 }

ctspAuthorizationSgaclFailInfo OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object provides additional information about
        authorization SGACL failure, which is associated with
        ctspAuthorizationSgaclFailNotif."
    ::= { ctspNotifsOnlyInfo 3 }

-- Notifications

ctspPeerPolicyUpdatedNotif NOTIFICATION-TYPE
    OBJECTS         {
                        ctspOldPeerSgt,
                        ctspPeerSgt
                    }
    STATUS          current
    DESCRIPTION
        "A ctspPeerPolicyUpdatedNotif is generated when the SGT value
        of a peer device has been updated."
    ::= { ciscoTrustSecPolicyMIBNotifs 1 }

ctspAuthorizationSgaclFailNotif NOTIFICATION-TYPE
    OBJECTS         {
                        ctspAuthorizationSgaclFailReason,
                        ctspAuthorizationSgaclFailInfo
                    }
    STATUS          current
    DESCRIPTION
        "A ctspAuthorizationSgaclFailNotif is generated when the
        authorization of SGACL fails."
    ::= { ciscoTrustSecPolicyMIBNotifs 2 }

--
-- Conformance
--

ciscoTrustSecPolicyMIBCompliances OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBConformance 1 }

ciscoTrustSecPolicyMIBGroups OBJECT IDENTIFIER
    ::= { ciscoTrustSecPolicyMIBConformance 2 }

ciscoTrustSecPolicyMIBCompliance MODULE-COMPLIANCE
    STATUS          deprecated
    DESCRIPTION
        "The compliance statement for the CISCO-TRUSTSEC-POLICY-MIB"

    MODULE
    MANDATORY-GROUPS {
                        ctspGlobalSgaclEnforcementGroup,
                        ctspOperSgaclMappingGroup,
                        ctspDownloadedSgaclMappingGroup,
                        ctspIpSwStatisticsGroup,
                        ctspDefSwStatisticsGroup
                    }

    GROUP           ctspVlanConfigGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        SGACL enforcement for VLAN."

    GROUP           ctspConfigSgaclMappingGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        statically configured SGACLs in the device."

    GROUP           ctspIpHwStatisticsGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        hardware statistics counters for unicast IP traffic subjected
        to SGACL enforcement."

    GROUP           ctspDefHwStatisticsGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        hardware statistics counters for unicast IP traffic subjected
        to default unicast policy enforcement."

    GROUP           ctspSgaclIpv4DropNetflowMonitorGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        netflow monitor for IPv4 traffic drop packet due to SGACL
        enforcement information in the device."

    GROUP           ctspSgaclIpv6DropNetflowMonitorGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        netflow monitor for IPv6 traffic drop packet due to SGACL
        enforcement information in the device."

    GROUP           ctspPeerPolicyGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        peer policies information in the device."

    GROUP           ctspPeerPolicyActionGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        refresh of all peer policies information in the device."

    GROUP           ctspLayer3TransportGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support SGT
        propagation along Layer 3 traffic to network that is not
        capable of TrustSec feature."

    GROUP           ctspIpSgtMappingGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        IP-to-SGT mapping information."

    GROUP           ctspIfL3PolicyConfigGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        Layer3 Transport policy enforcement on capable interface."

    GROUP           ctspSgtPolicyGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support SGT
        policies information in the device."

    OBJECT          ctspVlanConfigSgaclEnforcement
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspVlanConfigVrfName
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspVlanConfigStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspVlanConfigRowStatus
    SYNTAX          INTEGER { active(1) }
    WRITE-SYNTAX    INTEGER { createAndGo(4), destroy(6) }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for 'createAndWait' is not required."

    OBJECT          ctspConfigSgaclMappingStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspConfigSgaclMappingRowStatus
    SYNTAX          INTEGER { active(1) }
    WRITE-SYNTAX    INTEGER { createAndGo(4), destroy(6) }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for 'createAndWait' is not required."

    OBJECT          ctspSgaclEnforcementEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspSgaclIpv4DropNetflowMonitor
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspSgaclIpv6DropNetflowMonitor
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspConfigSgaclMappingSgaclName
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDefConfigIpv4Sgacls
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDefConfigIpv6Sgacls
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspLayer3PolicyLocalConfig
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIpSgtStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspIpSgtRowStatus
    SYNTAX          INTEGER { active(1) }
    WRITE-SYNTAX    INTEGER { createAndGo(4), destroy(6) }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for 'createAndWait' is not required."

    OBJECT          ctspIpSgtValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIpSgtSource
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIfL3Ipv4PolicyEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIfL3Ipv6PolicyEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspAllPeerPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspPeerPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspAllSgtPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDownloadedSgtPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDownloadedDefSgtPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."
    ::= { ciscoTrustSecPolicyMIBCompliances 1 }

ciscoTrustSecPolicyMIBComplianceRev2 MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for the CISCO-TRUSTSEC-POLICY-MIB"

    MODULE
    MANDATORY-GROUPS {
                        ctspGlobalSgaclEnforcementGroup,
                        ctspOperSgaclMappingGroup,
                        ctspDownloadedSgaclMappingGroup,
                        ctspIpSwStatisticsGroup,
                        ctspDefSwStatisticsGroup
                    }

    GROUP           ctspVlanConfigGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        SGACL enforcement for VLAN."

    GROUP           ctspConfigSgaclMappingGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        statically configured SGACLs in the device."

    GROUP           ctspIpHwStatisticsGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        hardware statistics counters for unicast IP traffic subjected
        to SGACL enforcement."

    GROUP           ctspDefHwStatisticsGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        hardware statistics counters for unicast IP traffic subjected
        to default unicast policy enforcement."

    GROUP           ctspSgaclIpv4DropNetflowMonitorGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        netflow monitor for IPv4 traffic drop packet due to SGACL
        enforcement information in the device."

    GROUP           ctspSgaclIpv6DropNetflowMonitorGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        netflow monitor for IPv6 traffic drop packet due to SGACL
        enforcement information in the device."

    GROUP           ctspPeerPolicyGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        peer policies information in the device."

    GROUP           ctspPeerPolicyActionGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        refresh of all peer policies information in the device."

    GROUP           ctspLayer3TransportGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support SGT
        propagation along Layer 3 traffic to network that is not
        capable of TrustSec feature."

    GROUP           ctspIpSgtMappingGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        IP-to-SGT mapping information."

    GROUP           ctspIfL3PolicyConfigGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        Layer3 Transport policy enforcement on capable interface."

    GROUP           ctspSgtPolicyGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support SGT
        policies information in the device."

    GROUP           ctspIfSgtMappingGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        Interface-to-SGT mapping information."

    GROUP           ctspVlanSgtMappingGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        Vlan-to-SGT mapping information."

    GROUP           ctspSgtCachingGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        SGT-Caching feature."

    GROUP           ctspSgaclMonitorGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        SGACL monitor feature."

    GROUP           ctspSgaclMonitorStatisticGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        SGACL monitor statistic."

    GROUP           ctspNotifCtrlGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        cisco TrustSec policy notifications."

    GROUP           ctspNotifGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        cisco TrustSec policy notifications."

    GROUP           ctspNotifInfoGroup
    DESCRIPTION
        "This group is mandatory only for platforms which support
        cisco TrustSec policy notifications."

    OBJECT          ctspVlanConfigSgaclEnforcement
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."
    OBJECT          ctspVlanConfigVrfName
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspVlanConfigStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspVlanConfigRowStatus
    SYNTAX          INTEGER { active(1) }
    WRITE-SYNTAX    INTEGER { createAndGo(4), destroy(6) }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for 'createAndWait' is not required."

    OBJECT          ctspConfigSgaclMappingStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspConfigSgaclMappingRowStatus
    SYNTAX          INTEGER { active(1) }
    WRITE-SYNTAX    INTEGER { createAndGo(4), destroy(6) }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for 'createAndWait' is not required."

    OBJECT          ctspSgaclEnforcementEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspSgaclIpv4DropNetflowMonitor
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspSgaclIpv6DropNetflowMonitor
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspConfigSgaclMappingSgaclName
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDefConfigIpv4Sgacls
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDefConfigIpv6Sgacls
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspLayer3PolicyLocalConfig
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIpSgtStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for read-create access is not required."

    OBJECT          ctspIpSgtRowStatus
    SYNTAX          INTEGER { active(1) }
    WRITE-SYNTAX    INTEGER { createAndGo(4), destroy(6) }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Support for 'createAndWait' is not required."

    OBJECT          ctspIpSgtValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIpSgtSource
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIfL3Ipv4PolicyEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIfL3Ipv6PolicyEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspAllPeerPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspPeerPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspAllSgtPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDownloadedSgtPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDownloadedDefSgtPolicyAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDefConfigIpv4SgaclsMonitor
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspDefConfigIpv6SgaclsMonitor
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspSgaclMonitorEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIfSgtValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIfSgName
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspIfSgtStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Read-create access is not required."

    OBJECT          ctspIfSgtRowStatus
    SYNTAX          INTEGER { active(1) }
    WRITE-SYNTAX    INTEGER { createAndGo(4), destroy(6) }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Read-create access is not required."

    OBJECT          ctspVlanSgtMapValue
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspVlanSgtStorageType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Read-create access is not required."

    OBJECT          ctspVlanSgtRowStatus
    SYNTAX          INTEGER { active(1) }
    WRITE-SYNTAX    INTEGER { createAndGo(4), destroy(6) }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Read-create access is not required."

    OBJECT          ctspConfigSgaclMonitor
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspSgtCachingMode
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspSgtCachingVlansFirst2K
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspSgtCachingVlansSecond2K
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspPeerPolicyUpdatedNotifEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          ctspAuthorizationSgaclFailNotifEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."
    ::= { ciscoTrustSecPolicyMIBCompliances 2 }

--
-- Units of Conformance
--
ctspGlobalSgaclEnforcementGroup OBJECT-GROUP
    OBJECTS         { ctspSgaclEnforcementEnable }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides the SGACL
        enforcement information for all TrustSec capable Layer 3
        interfaces (excluding SVIs) at the device level."
    ::= { ciscoTrustSecPolicyMIBGroups 1 }

ctspSgaclIpv4DropNetflowMonitorGroup OBJECT-GROUP
    OBJECTS         { ctspSgaclIpv4DropNetflowMonitor }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides netflow monitor
        information for IPv4 traffic drop packet due to SGACL
        enforcement in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 2 }

ctspSgaclIpv6DropNetflowMonitorGroup OBJECT-GROUP
    OBJECTS         { ctspSgaclIpv6DropNetflowMonitor }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides netflow monitor
        information for IPv6 traffic drop packet due to SGACL
        enforcement in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 3 }

ctspVlanConfigGroup OBJECT-GROUP
    OBJECTS         {
                        ctspVlanConfigSgaclEnforcement,
                        ctspVlanSviActive,
                        ctspVlanConfigVrfName,
                        ctspVlanConfigStorageType,
                        ctspVlanConfigRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides the SGACL
        enforcement and VRF information for each VLAN."
    ::= { ciscoTrustSecPolicyMIBGroups 4 }

ctspConfigSgaclMappingGroup OBJECT-GROUP
    OBJECTS         {
                        ctspConfigSgaclMappingSgaclName,
                        ctspConfigSgaclMappingStorageType,
                        ctspConfigSgaclMappingRowStatus,
                        ctspDefConfigIpv4Sgacls,
                        ctspDefConfigIpv6Sgacls
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides the
        administratively configured SGACL mapping information
        in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 5 }

ctspDownloadedSgaclMappingGroup OBJECT-GROUP
    OBJECTS         {
                        ctspDownloadedSgaclName,
                        ctspDownloadedSgaclGenId,
                        ctspDownloadedIpTrafficType,
                        ctspDefDownloadedSgaclName,
                        ctspDefDownloadedSgaclGenId,
                        ctspDefDownloadedIpTrafficType
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides the downloaded
        SGACL mapping information in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 6 }

ctspOperSgaclMappingGroup OBJECT-GROUP
    OBJECTS         {
                        ctspOperationalSgaclName,
                        ctspOperationalSgaclGenId,
                        ctspOperSgaclMappingSource,
                        ctspOperSgaclConfigSource,
                        ctspDefOperationalSgaclName,
                        ctspDefOperationalSgaclGenId,
                        ctspDefOperSgaclMappingSource,
                        ctspDefOperSgaclConfigSource
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides the operational
        SGACL mapping information in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 7 }

ctspIpSwStatisticsGroup OBJECT-GROUP
    OBJECTS         {
                        ctspStatsIpSwDropPkts,
                        ctspStatsIpSwPermitPkts
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides software
        statistics counters for unicast IP traffic subjected
        to SGACL enforcement."
    ::= { ciscoTrustSecPolicyMIBGroups 8 }

ctspIpHwStatisticsGroup OBJECT-GROUP
    OBJECTS         {
                        ctspStatsIpHwDropPkts,
                        ctspStatsIpHwPermitPkts
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides hardware
        statistics counters for unicast IP traffic subjected
        to SGACL enforcement."
    ::= { ciscoTrustSecPolicyMIBGroups 9 }

ctspDefSwStatisticsGroup OBJECT-GROUP
    OBJECTS         {
                        ctspDefIpSwDropPkts,
                        ctspDefIpSwPermitPkts
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides software
        statistics counters for unicast IP traffic subjected
        to unicast default policy enforcement."
    ::= { ciscoTrustSecPolicyMIBGroups 10 }

ctspDefHwStatisticsGroup OBJECT-GROUP
    OBJECTS         {
                        ctspDefIpHwDropPkts,
                        ctspDefIpHwPermitPkts
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides hardware
        statistics counters for unicast IP traffic subjected
        to unicast default policy enforcement."
    ::= { ciscoTrustSecPolicyMIBGroups 11 }

ctspPeerPolicyActionGroup OBJECT-GROUP
    OBJECTS         { ctspAllPeerPolicyAction }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides refreshing of
        all peer policies in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 12 }

ctspPeerPolicyGroup OBJECT-GROUP
    OBJECTS         {
                        ctspPeerSgt,
                        ctspPeerSgtGenId,
                        ctspPeerTrustState,
                        ctspPeerPolicyLifeTime,
                        ctspPeerPolicyLastUpdate,
                        ctspPeerPolicyAction
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides peer policy
        information in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 13 }

ctspLayer3TransportGroup OBJECT-GROUP
    OBJECTS         {
                        ctspLayer3PolicyLocalConfig,
                        ctspLayer3PolicyDownloaded,
                        ctspLayer3PolicyOperational
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides managed
        information regarding the SGT propagation along with
        Layer 3 traffic in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 14 }

ctspIfL3PolicyConfigGroup OBJECT-GROUP
    OBJECTS         {
                        ctspIfL3Ipv4PolicyEnabled,
                        ctspIfL3Ipv6PolicyEnabled
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides managed
        information for Layer3 Transport policy enforcement on
        capable interface in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 15 }

ctspIpSgtMappingGroup OBJECT-GROUP
    OBJECTS         {
                        ctspIpSgtValue,
                        ctspIpSgtSource,
                        ctspIpSgtStorageType,
                        ctspIpSgtRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides managed
        information regarding IP-to-Sgt mapping in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 16 }

ctspSgtPolicyGroup OBJECT-GROUP
    OBJECTS         {
                        ctspAllSgtPolicyAction,
                        ctspDownloadedSgtPolicySgtGenId,
                        ctspDownloadedSgtPolicyLifeTime,
                        ctspDownloadedSgtPolicyLastUpdate,
                        ctspDownloadedSgtPolicyAction,
                        ctspDownloadedDefSgtPolicySgtGenId,
                        ctspDownloadedDefSgtPolicyLifeTime,
                        ctspDownloadedDefSgtPolicyLastUpdate,
                        ctspDownloadedDefSgtPolicyAction
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides SGT policy
        information in the device."
    ::= { ciscoTrustSecPolicyMIBGroups 17 }

ctspIfSgtMappingGroup OBJECT-GROUP
    OBJECTS         {
                        ctspIfSgtValue,
                        ctspIfSgName,
                        ctspL3IPMStatus,
                        ctspIfSgtStorageType,
                        ctspIfSgtRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides managed
        information regarding Interface-to-Sgt mapping in the
        device."
    ::= { ciscoTrustSecPolicyMIBGroups 18 }

ctspVlanSgtMappingGroup OBJECT-GROUP
    OBJECTS         {
                        ctspVlanSgtMapValue,
                        ctspVlanSgtStorageType,
                        ctspVlanSgtRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides sgt mapping
        information for the IP traffic in the specified Vlan."
    ::= { ciscoTrustSecPolicyMIBGroups 19 }

ctspSgtCachingGroup OBJECT-GROUP
    OBJECTS         {
                        ctspSgtCachingMode,
                        ctspSgtCachingVlansFirst2K,
                        ctspSgtCachingVlansSecond2K
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides sgt Caching
        information."
    ::= { ciscoTrustSecPolicyMIBGroups 20 }

ctspSgaclMonitorGroup OBJECT-GROUP
    OBJECTS         {
                        ctspSgaclMonitorEnable,
                        ctspConfigSgaclMonitor,
                        ctspDefConfigIpv4SgaclsMonitor,
                        ctspDefConfigIpv6SgaclsMonitor,
                        ctspDownloadedSgaclMonitor,
                        ctspDefDownloadedSgaclMonitor,
                        ctspOperSgaclMonitor,
                        ctspDefOperSgaclMonitor
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides SGACL monitor
        information."
    ::= { ciscoTrustSecPolicyMIBGroups 21 }

ctspSgaclMonitorStatisticGroup OBJECT-GROUP
    OBJECTS         {
                        ctspStatsIpSwMonitorPkts,
                        ctspStatsIpHwMonitorPkts,
                        ctspDefIpSwMonitorPkts,
                        ctspDefIpHwMonitorPkts
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides monitor
        statistics counters for unicast IP traffic subjected
        to SGACL enforcement."
    ::= { ciscoTrustSecPolicyMIBGroups 22 }

ctspNotifCtrlGroup OBJECT-GROUP
    OBJECTS         {
                        ctspPeerPolicyUpdatedNotifEnable,
                        ctspAuthorizationSgaclFailNotifEnable
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects providing notification control
        for TrustSec policy notifications."
    ::= { ciscoTrustSecPolicyMIBGroups 23 }

ctspNotifGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        ctspPeerPolicyUpdatedNotif,
                        ctspAuthorizationSgaclFailNotif
                    }
    STATUS          current
    DESCRIPTION
        "A collection of notifications for TrustSec policy."
    ::= { ciscoTrustSecPolicyMIBGroups 24 }

ctspNotifInfoGroup OBJECT-GROUP
    OBJECTS         {
                        ctspOldPeerSgt,
                        ctspAuthorizationSgaclFailReason,
                        ctspAuthorizationSgaclFailInfo
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects providing the variable binding
        for TrustSec policy notifications."
    ::= { ciscoTrustSecPolicyMIBGroups 25 }

END