The MIB module maps the IPSec entities created dynamically to the policy entities that caused them. This is an appendix to the I...
Version: 2000-08-17
module CISCO-IPSEC-POLICY-MAP-MIB {
  yang-version 1;
  namespace "urn:ietf:params:xml:ns:yang:smiv2:CISCO-IPSEC-POLICY-MAP-MIB";
  prefix CISCO-IPSEC-POLICY-MAP-MIB;

  import SNMPv2-TC { prefix snmpv2-tc; }
  import ietf-yang-smiv2 { prefix smiv2; }

  organization "Tivoli Systems and Cisco Systems";
  contact
    "Tivoli Systems
     Research Triangle Park, NC

     Cisco Systems
     Enterprise Business Management Unit
     Postal: 170 W Tasman Drive
             San Jose, CA 95134
             USA
     Tel: +1 800 553-NETS
     E-mail: cs-ipsecurity@cisco.com";
  description
    "The MIB module maps the IPSec entities created dynamically to the
     policy entities that caused them. This is an appendix to the
     IPSEC-MONITOR-MIB that has been proposed to IETF for monitoring
     IPSec based Virtual Private Networks.

     Overview of Cisco IPsec Policy Map MIB

     MIB description

     There are two components to this MIB:
     #1 a table that maps an IPSec Phase-1 tunnel to the Internet
        Security Association and Key Exchange (ISAKMP) Policy and
     #2 a table that maps an IPSec Phase-2 tunnel to the corresponding
        IPSec Policy element - called 'cryptomaps' - in IOS
        (Internet Operating System)

     The first mapping (also called Internet Key Exchange or IKE
     mapping) yields, given the index of the IKE tunnel in the
     ikeTunnelTable (IPSEC-MONITOR-MIB), the ISAKMP policy definition
     defined using the CLI on the managed entity.

     The IPSec mapping yields, given the index of the IPSec tunnel in
     the ipSecTunnelTable (IPSEC-MONITOR-MIB), the IPSec transform and
     the cryptomap definition that gave rise to this tunnel.

     In implementation and usage, this MIB cannot exist independent of
     the IPSEC-MONITOR-MIB.";

  revision "2000-08-17" {
    description "[Revision added by libsmi due to a LAST-UPDATED clause.]";
  }

  smiv2:alias "ciscoIpSecPolMapMIB" { smiv2:oid "1.3.6.1.4.1.9.9.172"; }
  smiv2:alias "ciscoIpSecPolMapMIBObjects" { smiv2:oid "1.3.6.1.4.1.9.9.172.1"; }
  smiv2:alias "ipSecPhaseOnePolMap" { smiv2:oid "1.3.6.1.4.1.9.9.172.1.1"; }
  smiv2:alias "ipSecPhaseTwoPolMap" { smiv2:oid "1.3.6.1.4.1.9.9.172.1.2"; }
  smiv2:alias "ciscoIpSecPolMapMIBNotifPrefix" { smiv2:oid "1.3.6.1.4.1.9.9.172.2"; }
  smiv2:alias "ciscoIpSecPolMapMIBConformance" { smiv2:oid "1.3.6.1.4.1.9.9.172.3"; }
  smiv2:alias "ipSecPolMapMIBGroups" { smiv2:oid "1.3.6.1.4.1.9.9.172.3.1"; }
  smiv2:alias "ipSecPolMapMIBCompliances" { smiv2:oid "1.3.6.1.4.1.9.9.172.3.2"; }

  container CISCO-IPSEC-POLICY-MAP-MIB {
    config false;

    container ikePolMapTable {
      smiv2:oid "1.3.6.1.4.1.9.9.172.1.1.1";
      description
        "The IPSec Phase-1 Internet Key Exchange Tunnel to Policy
         Mapping Table. There is one entry in this table for each
         active IPSec Phase-1 Tunnel.";

      list ikePolMapEntry {
        smiv2:oid "1.3.6.1.4.1.9.9.172.1.1.1.1";
        key "ikePolMapTunIndex";
        description
          "Each entry contains the attributes associated with mapping an
           active IPSec Phase-1 IKE Tunnel to its configured Policy
           definition.";

        leaf ikePolMapTunIndex {
          smiv2:max-access "not-accessible";
          smiv2:oid "1.3.6.1.4.1.9.9.172.1.1.1.1.1";
          type int32 { range "1..2147483647"; }
          description
            "The index of the IPSec Phase-1 Tunnel to Policy Map Table.
             The value of the index is the number used to represent this
             IPSec Phase-1 Tunnel in the IPSec MIB (ikeTunIndex in the
             ikeTunnelTable).";
        }

        leaf ikePolMapPolicyNum {
          smiv2:max-access "read-only";
          smiv2:oid "1.3.6.1.4.1.9.9.172.1.1.1.1.2";
          type int32 { range "1..2147483647"; }
          description
            "The number of the locally defined ISAKMP policy used to
             establish the IPSec IKE Phase-1 Tunnel. This is the number
             which was used on the crypto command.

             For example, if the configuration command was:
             ==> crypto isakmp policy 15
             then the value of this object would be 15.

             If ISAKMP was not used to establish this tunnel, then the
             value of this object will be zero.";
        }
      } // list ikePolMapEntry
    } // container ikePolMapTable

    container ipSecPolMapTable {
      smiv2:oid "1.3.6.1.4.1.9.9.172.1.2.1";
      description
        "The IPSec Phase-2 Tunnel to Policy Mapping Table. There is one
         entry in this table for each active IPSec Phase-2 Tunnel.";

      list ipSecPolMapEntry {
        smiv2:oid "1.3.6.1.4.1.9.9.172.1.2.1.1";
        key "ipSecPolMapTunIndex";
        description
          "Each entry contains the attributes associated with mapping an
           active IPSec Phase-2 Tunnel to its configured Policy
           definition.";

        leaf ipSecPolMapTunIndex {
          smiv2:max-access "not-accessible";
          smiv2:oid "1.3.6.1.4.1.9.9.172.1.2.1.1.1";
          type int32 { range "1..2147483647"; }
          description
            "The index of the IPSec Phase-2 Tunnel to Policy Map Table.
             The value of the index is the number used to represent this
             IPSec Phase-2 Tunnel in the IPSec MIB (ipSecTunIndex in the
             ipSecTunnelTable).";
        }

        leaf ipSecPolMapCryptoMapName {
          smiv2:max-access "read-only";
          smiv2:oid "1.3.6.1.4.1.9.9.172.1.2.1.1.2";
          type snmpv2-tc:DisplayString;
          description
            "The value of this object should be the name of the IPSec
             Policy (cryptomap) as assigned by the operator while
             configuring the policy of the IPSec traffic.

             For instance, on an IOS router, if the command entered to
             configure the IPSec policy was
             ==> crypto map ftpPolicy 10 ipsec-isakmp
             then the value of this object would be 'ftpPolicy'.";
        }

        leaf ipSecPolMapCryptoMapNum {
          smiv2:max-access "read-only";
          smiv2:oid "1.3.6.1.4.1.9.9.172.1.2.1.1.3";
          type int32 { range "1..2147483647"; }
          description
            "The value of this object should be the priority of the
             IPSec Policy (cryptomap) assigned by the operator while
             configuring the policy of this IPSec tunnel.

             For instance, on an IOS router, if the command entered to
             configure the IPSec policy was
             ==> crypto map ftpPolicy 10 ipsec-isakmp
             then the value of this object would be 10.";
        }

        leaf ipSecPolMapAclString {
          smiv2:max-access "read-only";
          smiv2:oid "1.3.6.1.4.1.9.9.172.1.2.1.1.4";
          type snmpv2-tc:DisplayString;
          description
            "The value of this object is the number or the name of the
             access control string (ACL) that caused this IPSec tunnel
             to be established.

             The ACL that causes an IPSec tunnel to be established is
             referenced by the cryptomap of the tunnel. The ACL
             identifies the traffic that requires protection as defined
             by the policy.

             For instance, the ACL that requires FTP traffic between
             local subnet 172.16.14.0 and a remote subnet 172.16.16.0
             to be protected is defined as
             ==> access-list 101 permit tcp 172.16.14.0 0.0.0.255 172.16.16.0 0.0.0.255 eq ftp

             When this command causes an IPSec tunnel to be established,
             the object 'ipSecPolMapAclString' assumes the string value
             '101'.

             If the ACL is a named list such as
             ==> ip access-list standard myAcl
                 permit 172.16.16.8 0.0.0.0
             then the value of this MIB element corresponding to the
             IPSec tunnel that was created by this ACL would be 'myAcl'.";
        }

        leaf ipSecPolMapAceString {
          smiv2:max-access "read-only";
          smiv2:oid "1.3.6.1.4.1.9.9.172.1.2.1.1.5";
          type snmpv2-tc:DisplayString;
          description
            "The value of this object is the access control entry (ACE)
             within the ACL that caused this IPSec tunnel to be
             established.

             For instance, if an ACL defines access for two traffic
             streams (FTP and SNMP) as follows:
             access-list 101 permit tcp 172.16.14.0 0.0.0.255 172.16.16.0 0.0.0.255 eq ftp
             access-list 101 permit udp 172.16.14.0 0.0.0.255 host 172.16.16.1 eq 161

             When associated with an IPSec policy, the second element of
             the ACL gives rise to an IPSec tunnel in the wake of SNMP
             traffic. The value of the object 'ipSecPolMapAceString' for
             that IPSec tunnel would then be the string
             'access-list 101 permit udp 172.16.14.0 0.0.0.255 host 172.16.16.1 eq 161'.";
        }
      } // list ipSecPolMapEntry
    } // container ipSecPolMapTable
  } // container CISCO-IPSEC-POLICY-MAP-MIB
} // module CISCO-IPSEC-POLICY-MAP-MIB
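The module above only defines the two mapping tables; what an operator actually does with them is walk both tables on a gateway and join each live tunnel index back to the ISAKMP policy number, cryptomap name/priority and ACL/ACE that produced it, then compare that against the policy the device is supposed to be running. The following Python script is an added example written for this page, not code from Cisco, Tivoli or YumaWorks. It parses constructed `snmpwalk -On` style output that uses the column OIDs defined in the module (`...172.1.1.1.1.2` for `ikePolMapPolicyNum`, `...172.1.2.1.1.2` through `...172.1.2.1.1.5` for the Phase-2 columns), builds one record per tunnel index, and flags tunnels whose policy is not on an operator-supplied allow list. The sample walk lines, the allow lists and the function names are all assumptions made for the example; the value `0` for `ikePolMapPolicyNum` is the module's own convention for "ISAKMP was not used".

```python
import re
from collections import defaultdict

# Column-object OIDs exactly as defined in CISCO-IPSEC-POLICY-MAP-MIB.
IKE_POLMAP_ENTRY = "1.3.6.1.4.1.9.9.172.1.1.1.1"    # ikePolMapEntry
IPSEC_POLMAP_ENTRY = "1.3.6.1.4.1.9.9.172.1.2.1.1"  # ipSecPolMapEntry

# Column number -> leaf name (column 1 is the not-accessible index in both tables).
IKE_COLUMNS = {2: "ikePolMapPolicyNum"}
IPSEC_COLUMNS = {
    2: "ipSecPolMapCryptoMapName",
    3: "ipSecPolMapCryptoMapNum",
    4: "ipSecPolMapAclString",
    5: "ipSecPolMapAceString",
}

# Constructed sample walk output (snmpwalk -On style); not from a real device.
# IKE tunnel 3 came from "crypto isakmp policy 15"; tunnel 4 did not use ISAKMP.
# IPsec tunnel 7 came from "crypto map ftpPolicy 10 ipsec-isakmp" via ACL 101.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.172.1.1.1.1.2.3 = INTEGER: 15
.1.3.6.1.4.1.9.9.172.1.1.1.1.2.4 = INTEGER: 0
.1.3.6.1.4.1.9.9.172.1.2.1.1.2.7 = STRING: "ftpPolicy"
.1.3.6.1.4.1.9.9.172.1.2.1.1.3.7 = INTEGER: 10
.1.3.6.1.4.1.9.9.172.1.2.1.1.4.7 = STRING: "101"
.1.3.6.1.4.1.9.9.172.1.2.1.1.5.7 = STRING: "access-list 101 permit udp 172.16.14.0 0.0.0.255 host 172.16.16.1 eq 161"
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>\w+):\s*(?P<val>.*)$")


def parse_value(typ, raw):
    """Convert the textual snmpwalk value into a Python value."""
    if typ == "INTEGER":
        return int(raw)
    if typ == "STRING":
        return raw.strip().strip('"')
    return raw


def parse_walk(text):
    """Return (ike_map, ipsec_map): dicts keyed by tunnel index holding the
    named columns of ikePolMapTable and ipSecPolMapTable respectively."""
    ike = defaultdict(dict)
    ipsec = defaultdict(dict)
    tables = ((IKE_POLMAP_ENTRY, IKE_COLUMNS, ike), (IPSEC_POLMAP_ENTRY, IPSEC_COLUMNS, ipsec))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid")
        for entry_oid, columns, out in tables:
            if not oid.startswith(entry_oid + "."):
                continue
            # Remaining sub-identifiers are <column>.<tunnel index>.
            rest = oid[len(entry_oid) + 1:].split(".")
            if len(rest) != 2:
                continue
            column, tun_index = int(rest[0]), int(rest[1])
            if column in columns:
                out[tun_index][columns[column]] = parse_value(m.group("type"), m.group("val"))
    return dict(ike), dict(ipsec)


def find_unexpected(ike, ipsec, allowed_isakmp_policies, allowed_cryptomaps):
    """Report live tunnels that do not trace back to an allowed policy.

    allowed_isakmp_policies: set of ISAKMP policy numbers the device should use.
    allowed_cryptomaps: set of (cryptomap name, priority) tuples.
    A Phase-1 tunnel whose ikePolMapPolicyNum is 0 was not established by
    ISAKMP at all, which the module defines as the meaning of zero.
    """
    findings = []
    for idx, row in sorted(ike.items()):
        pol = row.get("ikePolMapPolicyNum")
        if pol == 0:
            findings.append(f"IKE tunnel {idx}: no ISAKMP policy (value 0)")
        elif pol not in allowed_isakmp_policies:
            findings.append(f"IKE tunnel {idx}: ISAKMP policy {pol} not in allow list")
    for idx, row in sorted(ipsec.items()):
        cm = (row.get("ipSecPolMapCryptoMapName"), row.get("ipSecPolMapCryptoMapNum"))
        if cm not in allowed_cryptomaps:
            findings.append(f"IPsec tunnel {idx}: cryptomap {cm[0]} {cm[1]} not in allow list "
                            f"(ACL {row.get('ipSecPolMapAclString')!r})")
    return findings


if __name__ == "__main__":
    ike_map, ipsec_map = parse_walk(SAMPLE_WALK)
    for idx, row in sorted(ipsec_map.items()):
        print(f"IPsec tunnel {idx}: {row}")
    for f in find_unexpected(ike_map, ipsec_map, {15}, {("ftpPolicy", 10)}):
        print("FINDING:", f)
```

The join key on both sides is the tunnel index, which the module says is the same `ikeTunIndex` / `ipSecTunIndex` used in the IPSEC-MONITOR-MIB tables, so the same dictionaries can be extended with peer addresses and byte counters from that MIB for a fuller per-tunnel view.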
© 2023 YumaWorks, Inc. All rights reserved.