-- Avaya BayStack MIB module for IPv6 First Hop Security (FHS). It defines the
-- global admin switches, the IPv6 and MAC access lists, the per-port policy
-- mapping, the DHCPv6 guard and RA guard policies, the Security Binding Table
-- (SBT) and two notifications.
--
-- Operational note: the admin switches, access lists, policies, port mappings
-- and SBT rows in this module are writable. A SET on them changes what the
-- device filters, so SNMP write access to this subtree should be limited to
-- authenticated and encrypted management sessions with a restricted view.
BAYSTACK-IPV6-FIRST-HOP-SEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    Integer32, MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Counter32
        FROM SNMPv2-SMI
    MacAddress, TruthValue, TEXTUAL-CONVENTION, RowStatus, DisplayString
        FROM SNMPv2-TC
    bayStackMibs
        FROM SYNOPTICS-ROOT-MIB
    InterfaceIndex
        FROM IF-MIB
    Ipv6Address
        FROM IPV6-TC;

-- NOTE(review): LAST-UPDATED (201401170000Z) is older than the newest REVISION
-- clause below (201403200000Z). SMIv2 checkers expect LAST-UPDATED to equal the
-- most recent revision date.
-- NOTE(review): "treats" in the module DESCRIPTION presumably means "threats".
bayStackIpv6FirstHopSecMib MODULE-IDENTITY
    LAST-UPDATED "201401170000Z"
    ORGANIZATION "Avaya"
    CONTACT-INFO "avaya.com"
    DESCRIPTION
        "This MIB module is used for IPv6 First Hop Security configuration.
         The purpose of First Hop Security feature is to take care of the
         treats caused by the immediate node to another immediate node
         attached to the same First Hop Security device."

    REVISION "201403200000Z" -- March 20, 2014
    DESCRIPTION
        "Ver 6: Changed the MAX-ACCESS of some indices from read-only to
         not-accessible."

    REVISION "201401170000Z" -- January 17, 2014
    DESCRIPTION
        "Ver 5: Added notification object bsIpv6FHSNDVlanID, changed trap
         names from bsIpv6SBTTableFull to bsIpv6NDSBTTableFull and from
         bsIpv6NDTrapNotificationUnTrustedPort to
         bsIpv6NDNotificationsUntrustedPort, extended range of
         bsIpv6FHSSbtVlan from 1..1094 to 1..4094 and made minor changes in
         the descriptions of both bsIpv6NDSBTTableFull and
         bsIpv6NDNotificationsUntrustedPort traps. Also, both traps now have
         the same notification objects:
         bsIpv6NDInspectionNotificationClientMACAddr,
         bsIpv6NDInspectionNotificationMsgType, bsIpv6FHSNDInterfaceIndex,
         bsIpv6FHSNDIpv6Address and bsIpv6FHSNDVlanID."

    REVISION "201311180000Z" -- November 18, 2013
    DESCRIPTION
        "Ver 4: Added mibs for ND Inspection."

    REVISION "201310110000Z" -- October 11, 2013
    DESCRIPTION
        "Ver 3: Changed FhsDhcpv6GuardDeviceRole values. Added types to
         IMPORTS."

    REVISION "201308200000Z" -- August 20, 2013
    DESCRIPTION
        "Ver 2: Extend range of bsIpv6FHSRagHopLimitMin,
         bsIpv6FHSRagHopLimitMax, bsIpv6FHSDhcpv6gPrefLimitMin and
         bsIpv6FHSDhcpv6gPrefLimitMax from 1..255 to 0..255. Enumerations
         are starting from 1 instead on 0."

    REVISION "201305270000Z" -- May 27, 2013
    DESCRIPTION
        "Ver 1: Initial version."
    ::= { bayStackMibs 45 }

-- Sub-tree 0 holds the notifications, sub-tree 1 holds every object.
bsIpv6FirstHopSecNotifications OBJECT IDENTIFIER ::= { bayStackIpv6FirstHopSecMib 0 }
bsIpv6FirstHopSecObjects       OBJECT IDENTIFIER ::= { bayStackIpv6FirstHopSecMib 1 }

-- Start Local Definition
-- Textual conventions used by the tables below. All enumerations start at 1
-- (see the Ver 2 revision note).

FhsRaGuardDeviceRole ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A value indicating a role of ra-guard device."
    SYNTAX      INTEGER { router(1), host(2) }

FhsRaManagedConfigFlag ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A value indicating ra-guard managed config flag."
    SYNTAX      INTEGER { none(1), on(2), off(3) }

FhsRaRouterPrefMax ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A value indicating ra-guard router max preference."
    SYNTAX      INTEGER { none(1), high(2), medium(3), low(4) }

FhsDhcpv6GuardDeviceRole ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A value indicating dhcp-guard device role."
    SYNTAX      INTEGER { server(1), client(2) }

-- Name type shared by access lists and policies; 1 to 64 characters.
FhsListName ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "First Hop Security list name."
    SYNTAX      DisplayString (SIZE(1..64))

FhsAccessType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A value indicating an access-type."
    SYNTAX      INTEGER { allow(1), deny(2) }

FhsSbtState ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A value indicating state of SBT entry"
    SYNTAX      INTEGER { incomplete(1), reachable(2), stale(3), down(4) }

FhsSbtType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A value indicating SBT entry learn type"
    SYNTAX      INTEGER { static(1), nd(2), dhcp(3) }

-- End Local Definition

-- Start Definition for First Hop Security scalar variable
bsIpv6FHSScalVar OBJECT IDENTIFIER ::= { bsIpv6FirstHopSecObjects 1 }

-- The four admin switches below are read-write and default to false, so the
-- features are off until explicitly enabled. Presumably a SET to false turns
-- the corresponding protection off again; changes to these objects are worth
-- auditing on the management side.
bsIpv6FHSAdmin OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "First Hop Security Global Admin status"
    DEFVAL      { false }
    ::= { bsIpv6FHSScalVar 1 }

bsIpv6FHSRagAdmin OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "RA guard Global Admin status"
    DEFVAL      { false }
    ::= { bsIpv6FHSScalVar 2 }

bsIpv6FHSDhcpv6gAdmin OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "DHCPv6 guard Global Admin status"
    DEFVAL      { false }
    ::= { bsIpv6FHSScalVar 3 }

bsIpv6FHSNdInspectAdmin OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "ND Inspection Global Admin status"
    DEFVAL      { false }
    ::= { bsIpv6FHSScalVar 4 }

-- Upper bound on dynamically learnt SBT entries. The bsIpv6NDSBTTableFull
-- notification in this module states that once the table is full, further
-- entries are not added and the packets are dropped, so this limit also
-- bounds how many hosts can be bound dynamically.
bsIpv6FHSMaxDynSbtEntries OBJECT-TYPE
    SYNTAX      INTEGER (0..1024)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Maximum Dynamic SBT entries allowed"
    DEFVAL      { 1024 }
    ::= { bsIpv6FHSScalVar 5 }

-- NOTE(review): the SYNTAX upper bound 864000 is ten times the 86400 named in
-- the DESCRIPTION and used by the two sibling timers; looks like a typo,
-- confirm against the agent before relying on either value.
-- The DESCRIPTION gives 30 as the lowest real timer value and 0 as "never
-- expire"; the SYNTAX range itself does not exclude 1..29.
bsIpv6FHSSbtReachLifeTime OBJECT-TYPE
    SYNTAX      INTEGER (0..864000)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "SBT Reachable state life time in seconds starts from 30 till 86400.
         Configure timer as 0 will not expire this timer"
    DEFVAL      { 300 }
    ::= { bsIpv6FHSScalVar 6 }

bsIpv6FHSSbtStaleLifeTime OBJECT-TYPE
    SYNTAX      INTEGER (0..86400)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "SBT Stale state life time in seconds starts from 30 till 86400.
         Configure timer as 0 will not expire this timer"
    DEFVAL      { 86400 }
    ::= { bsIpv6FHSScalVar 7 }

bsIpv6FHSSbtDownLifeTime OBJECT-TYPE
    SYNTAX      INTEGER (0..86400)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "SBT Down state life time in seconds starts from 30 till 86400.
         Configure timer as 0 will not expire this timer"
    DEFVAL      { 86400 }
    ::= { bsIpv6FHSScalVar 8 }

-- Read-only counter of SBT overflows. A rising value means entries are being
-- refused because of the bsIpv6FHSMaxDynSbtEntries limit, which makes it a
-- useful object to poll alongside the bsIpv6NDSBTTableFull notification.
bsIpv6FHSSbtTblOverFlow OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "SBT Table Overflow due to the maximum SBT entry restriction"
    ::= { bsIpv6FHSScalVar 9 }

-- End Definition for First Hop Security scalar variable

-- Start Definition for First Hop Security IPv6 access list
-- This table contains list of IP Access List. With the
-- ability to assign the range of the IP address using
-- bsIpv6FHSIpAccessListMaskLenFrom and
-- bsIpv6FHSIpAccessListMaskLenTo variable
-- IP access list table contains the following
-- elements
-- IPv6 Access List Name
-- IPv6 Prefix
-- IPv6 Prefix Mask Len
-- IPv6 Prefix Mask Len From
-- IPv6 Prefix Mask Len To
-- Access Type (Allow or Deny)
--
-- NOTE(review): the comment above names bsIpv6FHSIpAccessListMaskLenFrom/To,
-- while the objects are actually called bsIpv6FHSIpv6AccessListMaskLenFrom/To.
-- NOTE(review): here and in every other table of this module the RowStatus
-- column and the data columns are read-write; SMIv2 uses read-create for
-- columns of tables whose rows can be created through RowStatus.

bsIpv6FHSIpv6AccessListTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF BsIpv6FHSIpv6AccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table contains the list of IPv6 Access List used for Frist Hop
         Security Feature."
    ::= { bsIpv6FirstHopSecObjects 2 }

-- One row per (list name, prefix, prefix mask length).
bsIpv6FHSIpv6AccessListEntry OBJECT-TYPE
    SYNTAX      BsIpv6FHSIpv6AccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Entry contains the list of IPv6 Access List used for Frist Hop
         Security Feature."
    INDEX       { bsIpv6FHSIpv6AccessListName,
                  bsIpv6FHSIpv6AccessListPrefix,
                  bsIpv6FHSIpv6AccessListPrefixMaskLen}
    ::= { bsIpv6FHSIpv6AccessListTable 1 }

BsIpv6FHSIpv6AccessEntry ::= SEQUENCE {
    bsIpv6FHSIpv6AccessListName             FhsListName,
    bsIpv6FHSIpv6AccessListPrefix           Ipv6Address,
    bsIpv6FHSIpv6AccessListPrefixMaskLen    INTEGER,
    bsIpv6FHSIpv6AccessListMaskLenFrom      INTEGER,
    bsIpv6FHSIpv6AccessListMaskLenTo        INTEGER,
    bsIpv6FHSIpv6AccessListAccessType       FhsAccessType,
    bsIpv6FHSIpv6AccessListRowStatus        RowStatus
}

bsIpv6FHSIpv6AccessListName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "IPv6 Access List Name"
    ::= { bsIpv6FHSIpv6AccessListEntry 1 }

bsIpv6FHSIpv6AccessListPrefix OBJECT-TYPE
    SYNTAX      Ipv6Address
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "IPv6 Prefix attached to this IPv6 access list Id"
    ::= { bsIpv6FHSIpv6AccessListEntry 2 }

bsIpv6FHSIpv6AccessListPrefixMaskLen OBJECT-TYPE
    SYNTAX      INTEGER (0..128)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "IPv6 Prefix mask length attached to this IPv6 access list Id"
    ::= { bsIpv6FHSIpv6AccessListEntry 3 }

-- Lower and upper end of the accepted mask-length range. Both default to 0;
-- the MIB does not say how a 0/0 range is interpreted (TODO confirm).
bsIpv6FHSIpv6AccessListMaskLenFrom OBJECT-TYPE
    SYNTAX      INTEGER (0..128)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "IPv6 Prefix mask length range from"
    DEFVAL      { 0 }
    ::= { bsIpv6FHSIpv6AccessListEntry 4 }

bsIpv6FHSIpv6AccessListMaskLenTo OBJECT-TYPE
    SYNTAX      INTEGER (0..128)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "IPv6 Prefix mask length range to"
    DEFVAL      { 0 }
    ::= { bsIpv6FHSIpv6AccessListEntry 5 }

-- Defaults to allow: a row created without an explicit access type is a
-- permit entry. Deny entries have to be set deliberately.
bsIpv6FHSIpv6AccessListAccessType OBJECT-TYPE
    SYNTAX      FhsAccessType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "IPv6 IP Access Type Allow or Deny"
    DEFVAL      { allow }
    ::= { bsIpv6FHSIpv6AccessListEntry 6 }

bsIpv6FHSIpv6AccessListRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "IPv6 IP Access List row status"
    ::= { bsIpv6FHSIpv6AccessListEntry 7 }

-- End Definition for First Hop Security IPv6 access list

-- Start Definition for First Hop Security MAC access list
-- This table contains list of
-- MAC list name
-- MAC Addresses
-- MAC Access Type (Allow or Deny)

bsIpv6FHSMacAccessListTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF BsIpv6FHSMacAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table contains the list of MAC Access List used for Frist Hop
         Security Feature."
    ::= { bsIpv6FirstHopSecObjects 3 }

-- One row per (list name, MAC address).
-- NOTE(review): this row is registered as sub-identifier 3 of its table. Every
-- other table in this module uses 1, which is the SMIv2 convention for the
-- conceptual row. Column OIDs on deployed agents depend on this value, so
-- check what the agent actually answers before treating it as a typo.
bsIpv6FHSMacAccessListEntry OBJECT-TYPE
    SYNTAX      BsIpv6FHSMacAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Entry contains the list of MAC Access List used for Frist Hop
         Security Feature."
    INDEX       { bsIpv6FHSMacAccessListName, bsIpv6FHSMacAccessListMac }
    ::= { bsIpv6FHSMacAccessListTable 3 }

BsIpv6FHSMacAccessEntry ::= SEQUENCE {
    bsIpv6FHSMacAccessListName          FhsListName,
    bsIpv6FHSMacAccessListMac           MacAddress,
    bsIpv6FHSMacAccessListAccessType    FhsAccessType,
    bsIpv6FHSMacAccessListRowStatus     RowStatus
}

bsIpv6FHSMacAccessListName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "MAC Access List Name"
    ::= { bsIpv6FHSMacAccessListEntry 1 }

bsIpv6FHSMacAccessListMac OBJECT-TYPE
    SYNTAX      MacAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "MAC address attached to this MAC access list Id"
    ::= { bsIpv6FHSMacAccessListEntry 2 }

-- Defaults to allow, same as the IPv6 access list.
bsIpv6FHSMacAccessListAccessType OBJECT-TYPE
    SYNTAX      FhsAccessType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "MAC Access Type Allow or Deny"
    DEFVAL      { allow }
    ::= { bsIpv6FHSMacAccessListEntry 3 }

bsIpv6FHSMacAccessListRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "MAC Access List row status"
    ::= { bsIpv6FHSMacAccessListEntry 4 }

-- End Definition for First Hop Security MAC access list

-- Start Definition for First Hop Security - port Vs policy mapping
-- This table consist of the mapping between physical port and
-- different First Hop Security policy name
--
-- At present there would be RA-guard and DHCP-guard per interface
-- This Table consists of
-- interface index
-- DHCPv6-guard policy name - BsIpv6FHSDhcpv6gPolicyEntry
-- RA-guard policy name - BsIpv6FHSRagPolicyEntry
-- ND-inspection Enable/Disable
-- SBT dynamic learning Enable/Disable
-- DHCPv6 Packet Received
-- DHCPv6 dropped due to the FHS security
-- RA Packet Received
-- RA Packet dropped due to the FHS security
-- ND Packet Received
-- ND Packet dropped due to the FHS security
-- Clear Stats for DHCPv6 counters
-- Clear Stats for RA counters
-- Clear Stats for ND counters

bsIpv6FHSPolicyPortMapTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF BsIpv6FHSPolicyPortMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table contains the list of First Hop security Policies attached to
         the interface."
    ::= { bsIpv6FirstHopSecObjects 4 }

-- One row per interface index.
bsIpv6FHSPolicyPortMapEntry OBJECT-TYPE
    SYNTAX      BsIpv6FHSPolicyPortMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Entry contains the list of First Hop security Policies attached to
         the interface."
    INDEX       { bsIpv6FHSPolicyPortMapIfIndex}
    ::= { bsIpv6FHSPolicyPortMapTable 1 }

BsIpv6FHSPolicyPortMapEntry ::= SEQUENCE {
    bsIpv6FHSPolicyPortMapIfIndex               InterfaceIndex,
    bsIpv6FHSPolicyPortMapDhcpv6gPolicyName     FhsListName,
    bsIpv6FHSPolicyPortMapRagPolicyName         FhsListName,
    bsIpv6FHSPolicyPortMapNDAdmin               TruthValue,
    bsIpv6FHSPolicyPortMapSbtDynLearnAdmin      TruthValue,
    bsIpv6FHSPolicyPortMapTotDhcpv6PktRcv       Counter32,
    bsIpv6FHSPolicyPortMapTotDhcpv6PktDropped   Counter32,
    bsIpv6FHSPolicyPortMapTotRaPktRcv           Counter32,
    bsIpv6FHSPolicyPortMapTotRaPktDropped       Counter32,
    bsIpv6FHSPolicyPortMapTotNdPktRcv           Counter32,
    bsIpv6FHSPolicyPortMapTotNdPktDropped       Counter32,
    bsIpv6FHSPolicyPortMapClearDhcpGuardStats   TruthValue,
    bsIpv6FHSPolicyPortMapClearRaGuardStats     TruthValue,
    bsIpv6FHSPolicyPortMapClearNDInspectStats   TruthValue,
    bsIpv6FHSPolicyPortMapRowStatus             RowStatus
}

bsIpv6FHSPolicyPortMapIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Interface index number"
    ::= { bsIpv6FHSPolicyPortMapEntry 1 }
-- Remaining columns of bsIpv6FHSPolicyPortMapEntry (one row per interface),
-- followed by the DHCPv6 guard and RA guard policy tables.
--
-- The two policy-name columns attach a policy to the port. Each presumably
-- names a row of bsIpv6FHSDhcpv6gPolicyListTable / bsIpv6FHSRagPolicyListTable;
-- the MIB does not say what happens when the name matches no row (TODO
-- confirm with the agent).
bsIpv6FHSPolicyPortMapDhcpv6gPolicyName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "DHCPv6 guard policy name"
    ::= { bsIpv6FHSPolicyPortMapEntry 2 }

bsIpv6FHSPolicyPortMapRagPolicyName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "RA guard policy name"
    ::= { bsIpv6FHSPolicyPortMapEntry 3 }

-- Per-port ND inspection switch; off by default.
bsIpv6FHSPolicyPortMapNDAdmin OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enable/Disable ND-inspection"
    DEFVAL      { false }
    ::= { bsIpv6FHSPolicyPortMapEntry 4 }

-- Per-port dynamic SBT learning; on by default, unlike the other switches in
-- this row.
bsIpv6FHSPolicyPortMapSbtDynLearnAdmin OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enable/Disable learning dynamic SBT entry"
    DEFVAL      { true }
    ::= { bsIpv6FHSPolicyPortMapEntry 5 }

-- Read-only per-port counters. The received/dropped pairs let a poller derive
-- a drop ratio per protocol; a sudden rise in a dropped counter on an access
-- port is the signal these features exist to produce.
bsIpv6FHSPolicyPortMapTotDhcpv6PktRcv OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total Number of Dhcpv6 packets Received"
    ::= { bsIpv6FHSPolicyPortMapEntry 6 }

bsIpv6FHSPolicyPortMapTotDhcpv6PktDropped OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total Number of Dhcpv6 packets dropped"
    ::= { bsIpv6FHSPolicyPortMapEntry 7 }

bsIpv6FHSPolicyPortMapTotRaPktRcv OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total Number of RA packets Received"
    ::= { bsIpv6FHSPolicyPortMapEntry 8 }

bsIpv6FHSPolicyPortMapTotRaPktDropped OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total Number of RA packets dropped"
    ::= { bsIpv6FHSPolicyPortMapEntry 9 }

bsIpv6FHSPolicyPortMapTotNdPktRcv OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total Number of ND Packets Received"
    ::= { bsIpv6FHSPolicyPortMapEntry 10 }

bsIpv6FHSPolicyPortMapTotNdPktDropped OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total Number of ND Packets Dropped"
    ::= { bsIpv6FHSPolicyPortMapEntry 11 }

-- The three Clear*Stats objects are writable. Setting one to true presumably
-- zeroes the counters named in its DESCRIPTION (TODO confirm whether the
-- object reads back false afterwards). A clear resets the drop history for
-- the port, so pollers that alert on counter deltas see a discontinuity and
-- the SET itself is worth logging.
bsIpv6FHSPolicyPortMapClearDhcpGuardStats OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "First Hop security clear stats:
         bsIpv6FHSPolicyPortMapTotDhcpv6PktRcv and
         bsIpv6FHSPolicyPortMapTotDhcpv6PktDropped"
    DEFVAL      { false }
    ::= { bsIpv6FHSPolicyPortMapEntry 12 }

bsIpv6FHSPolicyPortMapClearRaGuardStats OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "First Hop security clear stats:
         bsIpv6FHSPolicyPortMapTotRaPktRcv and
         bsIpv6FHSPolicyPortMapTotRaPktDropped"
    DEFVAL      { false }
    ::= { bsIpv6FHSPolicyPortMapEntry 13 }

-- NOTE(review): the DESCRIPTION names bsIpv6FHSPolicyPortMapTotSbtEntDropped,
-- which is not defined anywhere in this module.
bsIpv6FHSPolicyPortMapClearNDInspectStats OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "First Hop security clear stats:
         bsIpv6FHSPolicyPortMapTotNdPktRcv,
         bsIpv6FHSPolicyPortMapTotNdPktDropped and
         bsIpv6FHSPolicyPortMapTotSbtEntDropped "
    DEFVAL      { false }
    ::= { bsIpv6FHSPolicyPortMapEntry 14 }

bsIpv6FHSPolicyPortMapRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "First Hop security row status"
    ::= { bsIpv6FHSPolicyPortMapEntry 15 }

-- End Definition for First Hop Security port Vs policy mapping

-- Start Definition for First Hop Security DHCPv6-guard-policy
-- This table contains DHCPv6-guard Policy List
-- Informations are
-- policy-name
-- device-role
-- server-acces-list - BsIpv6FHSIpAccessEntry
-- Relay-access-list - BsIpv6FHSIpAccessEntry
-- Router-Pref-lim-min
-- Router-pref-lim-max
--
-- NOTE(review): the list above mentions a relay access list, but the row
-- defines a reply prefix list instead (bsIpv6FHSDhcpv6gReplyPrefixListName).
-- None of the writable columns in this row carries a DEFVAL, so the state of
-- a freshly created policy is agent-defined (TODO confirm).

bsIpv6FHSDhcpv6gPolicyListTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF BsIpv6FHSDhcpv6gPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table contains the list of DHCPv6 guard Policies used for Hop
         Security Feature."
    ::= { bsIpv6FirstHopSecObjects 5 }

-- One row per policy name.
bsIpv6FHSDhcpv6gPolicyListEntry OBJECT-TYPE
    SYNTAX      BsIpv6FHSDhcpv6gPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Entry contains the list of DHCPv6 guard Policies used for Hop
         Security Feature."
    INDEX       { bsIpv6FHSDhcpv6gPolicyName}
    ::= { bsIpv6FHSDhcpv6gPolicyListTable 1 }

BsIpv6FHSDhcpv6gPolicyEntry ::= SEQUENCE {
    bsIpv6FHSDhcpv6gPolicyName              FhsListName,
    bsIpv6FHSDhcpv6gDeviceRole              FhsDhcpv6GuardDeviceRole,
    bsIpv6FHSDhcpv6gServerAccessListName    FhsListName,
    bsIpv6FHSDhcpv6gReplyPrefixListName     FhsListName,
    bsIpv6FHSDhcpv6gPrefLimitMin            INTEGER,
    bsIpv6FHSDhcpv6gPrefLimitMax            INTEGER,
    bsIpv6FHSDhcpv6gPolicyListRowStatus     RowStatus
}

bsIpv6FHSDhcpv6gPolicyName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is the DHCPv6 guard Policy Name"
    ::= { bsIpv6FHSDhcpv6gPolicyListEntry 1 }

-- Per the DESCRIPTION, a port whose role is client has DHCPv6 replies
-- received on it dropped. Setting the role to server on a port therefore
-- removes that protection for the port.
bsIpv6FHSDhcpv6gDeviceRole OBJECT-TYPE
    SYNTAX      FhsDhcpv6GuardDeviceRole
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the device role of the received port. If the device role is
         client and if it receives DHCPv6 reply then those packets should be
         dropped"
    ::= { bsIpv6FHSDhcpv6gPolicyListEntry 2 }

-- Name of the IPv6 access list that the source address of server replies is
-- checked against.
bsIpv6FHSDhcpv6gServerAccessListName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the IPv6 access list which will be validating source IPv6
         address of the DHCPv6 Reply packet from the server"
    ::= { bsIpv6FHSDhcpv6gPolicyListEntry 3 }

bsIpv6FHSDhcpv6gReplyPrefixListName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Validate the prefix information in the DHCPv6 reply against the
         configured reply prefix list. "
    ::= { bsIpv6FHSDhcpv6gPolicyListEntry 4 }

-- Lower and upper bound on the preference value carried in the packet;
-- packets outside the window are dropped, per the DESCRIPTIONs.
bsIpv6FHSDhcpv6gPrefLimitMin OBJECT-TYPE
    SYNTAX      INTEGER (0..255)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is check against the DHCPv6 server / relay router preference.
         If the received router preference is less than the configured
         router preference than drop the packet"
    ::= { bsIpv6FHSDhcpv6gPolicyListEntry 5 }

bsIpv6FHSDhcpv6gPrefLimitMax OBJECT-TYPE
    SYNTAX      INTEGER (0..255)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is check against the DHCPv6 server / relay router preference.
         If the received router preference is greater than the configured
         router preference than drop the packet"
    ::= { bsIpv6FHSDhcpv6gPolicyListEntry 6 }

bsIpv6FHSDhcpv6gPolicyListRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "DHCPv6 guard policy row status"
    ::= { bsIpv6FHSDhcpv6gPolicyListEntry 7 }

-- End Definition for First Hop Security DHCPv6-guard-policy

-- Start Definition for First Hop Security RA-guard-policy
-- This table contains RA guard Policy List
-- Information is
-- policy-name
-- device-role
-- ipacces-list - BsIpv6FHSIpAccessEntry
-- ip-prefix-name - BsIpv6FHSIpAccessEntry
-- mac-list-name - BsIpv6FHSMacAccessEntry
-- manage-config-flag
-- ra-router-pref-max
-- ra-router-pref-max
-- router pref Max
--
-- NOTE(review): the list above repeats the router preference entry and does
-- not mention the two hop-limit columns the row actually defines.

bsIpv6FHSRagPolicyListTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF BsIpv6FHSRagPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table contains the list of RA guard Policies used for Hop Security
         Feature."
    ::= { bsIpv6FirstHopSecObjects 6 }

-- One row per policy name.
bsIpv6FHSRagPolicyListEntry OBJECT-TYPE
    SYNTAX      BsIpv6FHSRagPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Entry contains the list of RA guard Policies used for Hop Security
         Feature."
    INDEX       { bsIpv6FHSRagPolicyName}
    ::= { bsIpv6FHSRagPolicyListTable 1 }

BsIpv6FHSRagPolicyEntry ::= SEQUENCE {
    bsIpv6FHSRagPolicyName              FhsListName,
    bsIpv6FHSRagDeviceRole              FhsRaGuardDeviceRole,
    bsIpv6FHSRagIpv6AccessListName      FhsListName,
    bsIpv6FHSRagIpv6PrefixListName      FhsListName,
    bsIpv6FHSRagMacListName             FhsListName,
    bsIpv6FHSRagManagedConfigFlag       FhsRaManagedConfigFlag,
    bsIpv6FHSRagRouterPrefMax           FhsRaRouterPrefMax,
    bsIpv6FHSRagHopLimitMin             INTEGER,
    bsIpv6FHSRagHopLimitMax             INTEGER,
    bsIpv6FHSRagPolicyListRowStatus     RowStatus
}

bsIpv6FHSRagPolicyName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "RA guard policy Name"
    ::= { bsIpv6FHSRagPolicyListEntry 1 }

-- NOTE(review): the default role is router. The MIB does not spell out what
-- each role permits; if a router-role port is allowed to send RAs, a policy
-- created with defaults is permissive until the role is set to host. Confirm
-- against the product documentation.
bsIpv6FHSRagDeviceRole OBJECT-TYPE
    SYNTAX      FhsRaGuardDeviceRole
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the device role to be checked against"
    DEFVAL      { router }
    ::= { bsIpv6FHSRagPolicyListEntry 2 }

-- The next three columns name the lists an RA is validated against: source
-- IPv6 address, advertised prefix, and source MAC address.
bsIpv6FHSRagIpv6AccessListName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the IPv6 access list which will be validating the source
         IPv6 address of the RA packet"
    ::= { bsIpv6FHSRagPolicyListEntry 3 }

bsIpv6FHSRagIpv6PrefixListName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the IPv6 access list which will be validating the Prefix
         present in the RA packet"
    ::= { bsIpv6FHSRagPolicyListEntry 4 }

bsIpv6FHSRagMacListName OBJECT-TYPE
    SYNTAX      FhsListName
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the MAC access list which will be validating the source MAC
         of the received RA packet"
    ::= { bsIpv6FHSRagPolicyListEntry 5 }

-- NOTE(review): the DESCRIPTION says the check is ignored by default, but the
-- object has no DEFVAL clause; presumably the default is none(1). It also
-- describes only the "M flag not set is dropped" case and does not say how
-- on(2) and off(3) differ (TODO confirm).
bsIpv6FHSRagManagedConfigFlag OBJECT-TYPE
    SYNTAX      FhsRaManagedConfigFlag
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "In the RA packets, there is an M flag (Managed Address
         configuration Flag) which is set indicating that the address
         assignments are available via DHCPv6. This means that DHCPv6 would
         take care of the interface address assignment in that LAN segment.
         If filtering policy is enabled then all the RA packets with M flag
         not set will be dropped. By default this check will be ignored"
    ::= { bsIpv6FHSRagPolicyListEntry 6 }

-- Ceiling on the default-router preference an RA may advertise. Defaults to
-- none, which presumably means no ceiling is enforced.
bsIpv6FHSRagRouterPrefMax OBJECT-TYPE
    SYNTAX      FhsRaRouterPrefMax
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "In the RA packet there is router preference information is
         available in the Flags. This could be HIGH or LOW or MEDIUM. This
         filtering policy option would verify that the advertised default
         router preference parameter value is lower than or equal to a
         specified limit"
    DEFVAL      { none }
    ::= { bsIpv6FHSRagPolicyListEntry 7 }

-- With the default of 0 no hop limit is below the minimum, so this check
-- drops nothing until it is raised.
bsIpv6FHSRagHopLimitMin OBJECT-TYPE
    SYNTAX      INTEGER (0..255)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the minimum value check for the hop limit value present in
         the RA packet. If the value is less than configured minimum value
         then drop the RA packet"
    DEFVAL      { 0 }
    ::= { bsIpv6FHSRagPolicyListEntry 8 }

-- NOTE(review): read literally, the default maximum of 0 would drop every RA
-- whose hop limit is above 0. Presumably 0 means the check is disabled;
-- confirm with the agent before relying on it.
bsIpv6FHSRagHopLimitMax OBJECT-TYPE
    SYNTAX      INTEGER (0..255)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the maximum value check for the hop limit value present in
         the RA packet. If the value is greater than configured maximum
         value then drop the RA packet"
    DEFVAL      { 0 }
    ::= { bsIpv6FHSRagPolicyListEntry 9 }

bsIpv6FHSRagPolicyListRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "RA guard policy row status"
    ::= { bsIpv6FHSRagPolicyListEntry 10 }

-- End Definition for First Hop Security RA-guard-policy

-- Start Definition for First Hop Security Security Binding Table (FHSSBT)
-- This table contains list of SBT entries.
-- SBT Table contains the following elements
-- Interface Index (unit/port)
-- Vlan ID
-- Source IPv6 Address
-- Link Layer Address
-- SBT Entry Type
-- SBT Entry Priority
-- SBT Entry State
-- SBT Entry Age in seconds
--
-- The Security Binding Table ties a source IPv6 address on a given interface
-- and VLAN to a link-layer address. Of the data columns only the link-layer
-- address is writable; type, priority, state and age are read-only. Together
-- with the RowStatus column this allows bindings to be created or changed over
-- SNMP, so write access to this table deserves the same care as the access
-- lists.

bsIpv6FHSSbtTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF BsIpv6FHSSbtEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table contains the list of SBT entries learnt Dynamically and
         statically configure."
    ::= { bsIpv6FirstHopSecObjects 7 }

-- One row per (interface index, VLAN, source IPv6 address).
bsIpv6FHSSbtListEntry OBJECT-TYPE
    SYNTAX      BsIpv6FHSSbtEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Entry contains the list of SBT entries."
    INDEX       { bsIpv6FHSSbtInterfaceIndex,
                  bsIpv6FHSSbtVlan,
                  bsIpv6FHSSbtSrcIp}
    ::= { bsIpv6FHSSbtTable 1 }

-- The SEQUENCE lists LearnPriority and LearnAge as INTEGER while the object
-- definitions below use Integer32; the two are equivalent in SMIv2.
BsIpv6FHSSbtEntry ::= SEQUENCE {
    bsIpv6FHSSbtInterfaceIndex      InterfaceIndex,
    bsIpv6FHSSbtVlan                INTEGER,
    bsIpv6FHSSbtSrcIp               Ipv6Address,
    bsIpv6FHSSbtLinkLayerAddress    MacAddress,
    bsIpv6FHSSbtLearnType           FhsSbtType,
    bsIpv6FHSSbtLearnPriority       INTEGER,
    bsIpv6FHSSbtLearnState          FhsSbtState,
    bsIpv6FHSSbtLearnAge            INTEGER,
    bsIpv6FHSSbtRowStatus           RowStatus
}

bsIpv6FHSSbtInterfaceIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Derive unit and port number from this ifindex"
    ::= { bsIpv6FHSSbtListEntry 1 }

bsIpv6FHSSbtVlan OBJECT-TYPE
    SYNTAX      INTEGER (1..4094)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "VLAN"
    ::= { bsIpv6FHSSbtListEntry 2 }

bsIpv6FHSSbtSrcIp OBJECT-TYPE
    SYNTAX      Ipv6Address
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Source IPv6 Address"
    ::= { bsIpv6FHSSbtListEntry 3 }

-- The only writable data column of the binding.
bsIpv6FHSSbtLinkLayerAddress OBJECT-TYPE
    SYNTAX      MacAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Link Layer MAC address"
    ::= { bsIpv6FHSSbtListEntry 4 }

-- How the entry was learnt: static, nd or dhcp (see FhsSbtType).
bsIpv6FHSSbtLearnType OBJECT-TYPE
    SYNTAX      FhsSbtType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "SBT Entry Type"
    ::= { bsIpv6FHSSbtListEntry 5 }

-- NOTE(review): neither range nor ordering of the priority is documented.
bsIpv6FHSSbtLearnPriority OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "SBT Entry priority"
    ::= { bsIpv6FHSSbtListEntry 6 }

bsIpv6FHSSbtLearnState OBJECT-TYPE
    SYNTAX      FhsSbtState
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "SBT Entry state"
    ::= { bsIpv6FHSSbtListEntry 7 }

-- Time spent in the current state; presumably in seconds, as the table
-- comment above says, though the DESCRIPTION gives no unit.
bsIpv6FHSSbtLearnAge OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Time Elapsed after being in this state"
    ::= { bsIpv6FHSSbtListEntry 8 }

bsIpv6FHSSbtRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "SBT entry row status"
    ::= { bsIpv6FHSSbtListEntry 9 }

-- End Definition for First Hop Security SBT table

-- ============================================================================
-- Notification Objects
-- ============================================================================
-- The five objects below exist only as notification payload
-- (accessible-for-notify); they cannot be read with GET. Both notifications
-- carry all five, which identifies the dropped packet by source MAC, ND
-- message type, port, source IPv6 address and VLAN.

bsIpv6NDTrapNotificationObjects OBJECT IDENTIFIER ::= { bsIpv6FirstHopSecObjects 8 }

bsIpv6NDInspectionNotificationClientMACAddr OBJECT-TYPE
    SYNTAX      MacAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This value indicates the source MAC Address of a dropped ND
         inspection packet."
    ::= { bsIpv6NDTrapNotificationObjects 1 }

-- Enumerates the ND message kinds by name: NS, NA, RS, RA and Redirect.
bsIpv6NDInspectionNotificationMsgType OBJECT-TYPE
    SYNTAX      INTEGER {
                    ipv6NDNS(1),
                    ipv6NDNA(2),
                    ipv6NDRS(3),
                    ipv6NDRA(4),
                    ipv6NDRedir(5)
                }
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This value indicates the message type of a dropped ND packet."
    ::= { bsIpv6NDTrapNotificationObjects 2 }

bsIpv6FHSNDInterfaceIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This value indicates the unit and port number of a dropped ND
         inspection packet."
    ::= { bsIpv6NDTrapNotificationObjects 3 }

bsIpv6FHSNDIpv6Address OBJECT-TYPE
    SYNTAX      Ipv6Address
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This value indicates the Ipv6 source address of a dropped ND
         inspection packet."
    ::= { bsIpv6NDTrapNotificationObjects 4 }

bsIpv6FHSNDVlanID OBJECT-TYPE
    SYNTAX      INTEGER (1..4094)
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This value indicates the Vlan ID of a dropped ND inspection packet."
    ::= { bsIpv6NDTrapNotificationObjects 5 }

--
-- Notifications
--

-- Sent when a new binding cannot be added because the SBT is full. Per the
-- DESCRIPTION, packets for hosts that could not be bound are then dropped, so
-- this notification marks the point where legitimate new hosts on the segment
-- start losing ND traffic. It is worth correlating with the
-- bsIpv6FHSSbtTblOverFlow counter and the configured
-- bsIpv6FHSMaxDynSbtEntries limit.
bsIpv6NDSBTTableFull NOTIFICATION-TYPE
    OBJECTS     { bsIpv6NDInspectionNotificationClientMACAddr,
                  bsIpv6NDInspectionNotificationMsgType,
                  bsIpv6FHSNDInterfaceIndex,
                  bsIpv6FHSNDIpv6Address,
                  bsIpv6FHSNDVlanID }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an attempt is made to add a new
         SBT entry when the Secure Binding Table is full. The value of
         bsIpv6NDInspectionNotificationClientMACAddr represents the MAC
         address that could not be added to the SBT table. This notification
         also indicates that additional packets will not be added to the SBT
         and will be dropped."
    ::= { bsIpv6FirstHopSecNotifications 1 }

-- Sent when ND inspection suspects an ND message came from an untrusted
-- host. The MIB defines no rate limit for either notification (TODO confirm
-- whether the agent throttles them), so receivers should expect bursts.
bsIpv6NDNotificationsUntrustedPort NOTIFICATION-TYPE
    OBJECTS     { bsIpv6NDInspectionNotificationClientMACAddr,
                  bsIpv6NDInspectionNotificationMsgType,
                  bsIpv6FHSNDInterfaceIndex,
                  bsIpv6FHSNDIpv6Address,
                  bsIpv6FHSNDVlanID }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an ND message is suspected to be
         generated by the untrusted system/host."
    ::= { bsIpv6FirstHopSecNotifications 2 }

-- NOTE(review): the module ends without any OBJECT-GROUP, NOTIFICATION-GROUP
-- or MODULE-COMPLIANCE statements, so strict SMIv2 checkers will report the
-- objects and notifications above as ungrouped.
END