This module contains a collection of YANG definitions for monitoring of Cisco Trustsec operational information on Role based per...
Version: 2021-03-01
module Cisco-IOS-XE-trustsec-oper { yang-version 1; namespace "http://cisco.com/ns/yang/Cisco-IOS-XE-trustsec-oper"; prefix trustsec-ios-xe-oper; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; } import cisco-semver { prefix cisco-semver; } organization "Cisco Systems, Inc."; contact "Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com"; description "This module contains a collection of YANG definitions for monitoring of Cisco Trustsec operational information on Role based permissions, IP-SGT bindings and SXP connections. Copyright (c) 2016-2017, 2019-2021 by Cisco Systems, Inc. All rights reserved."; revision "2021-03-01" { description "- Fixed calculation and model description of speaker duration & listener duration leaves in ctx-sxp-connection list - Deprecated from-cfp SXP binding source value. Added a new SXP binding source value from-sxp"; reference "1.6.0"; } revision "2020-11-01" { description "- Added CTS PAC operational data - Added CTS Environment operational data"; reference "1.5.0"; } revision "2020-07-01" { description "Modified trustsec oper model to support CTS manual."; reference "1.4.0"; } revision "2019-11-01" { description "Added model for IPv6 CTS role based policy."; reference "1.3.0"; } revision "2019-05-01" { description "Added semantic version"; reference "1.2.0"; } revision "2018-10-29" { description "Cleaned up spelling errors in descriptions."; reference "1.1.0"; } revision "2017-02-07" { description "Initial revision"; reference "1.0.0"; } cisco-semver:module-version "1.6.0"; cisco-semver:module-version "1.5.0"; cisco-semver:module-version "1.4.0"; cisco-semver:module-version "1.3.0"; cisco-semver:module-version "1.2.0"; cisco-semver:module-version "1.1.0"; cisco-semver:module-version "1.0.0"; typedef cts-odm-binding-source { type enumeration { enum "default" { value 0; description "Default Security Group Tag binding value in this device for the given IP-Address"; } enum "from-vlan" { value 1; description "Security Group Tag binding value in this device for the given IP-Address is learned from a VLAN"; } enum "from-cli" { value 2; description "Security Group Tag binding value in this device for the given IP-Address is configure from CLI (Command Line Interface)"; } enum "from-l3if" { value 3; description "Security Group Tag binding value in this device for the given IP-Address is learned from a L3 (Layer 3) interface"; } enum "from-cfp" { value 4; description "This value has been deprecated. Security Group Tag binding value in this device for the given IP-Address is learned via SXP binding exchange protocol"; } enum "from-ip-arp" { value 5; description "Security Group Tag binding value in this device for the given IP-Address is learned via IP-ARP protocol"; } enum "from-local" { value 6; description "Security Group Tag binding value in this device for the given IP-Address is learned locally"; } enum "from-sgt-caching" { value 7; description "Security Group Tag binding value in this device for the given IP-Address is learned via Security Group Tag caching from data path."; } enum "from-cli-hi" { value 8; description "Security Group Tag binding value in this device for the given IP-Address is configured from CLI-high priority."; } enum "from-sxp" { value 9; description "Security Group Tag binding value in this device for the given IP-Address is learned via SXP binding exchange protocol"; } } description "Binding Source enumeration"; } typedef sxp-con-state { type enumeration { enum "state-off" { value 0; description "SXP Connection state is OFF"; } enum "state-pending-on" { value 1; description "SXP Connection state is Pending-On"; } enum "state-on" { value 2; description "SXP Connection state is ON"; } enum "state-delete-hold-down" { value 3; description "SXP Connection state is Delete-Hold-Down"; } enum "state-not-applicable" { value 4; description "SXP Connection state is Not-Applicable"; } } description "SXP Connection state"; } typedef sxp-con-mode { type enumeration { enum "con-mode-invalid" { value 0; description "SXP Connection mode is Invalid"; } enum "con-mode-speaker" { value 1; description "SXP Connection mode is Speaker"; } enum "con-mode-listener" { value 2; description "SXP Connection mode is Listener"; } enum "con-mode-both" { value 3; description "SXP Connection mode is Both (Speaker and Listener)"; } } description "SXP Connection mode"; } typedef cts-ndac-mode { type enumeration { enum "cts-ndac-mode-invalid" { value 0; description "CTS Interface Connection mode is Invalid"; } enum "cts-ndac-mode-manual" { value 1; description "CTS Interface Connection mode is MANUAL"; } } description "CTS Interface Connection mode"; } typedef cts-manual-ifc-state { type enumeration { enum "cts-manual-mode-init" { value 0; description "CTS IFC state is Init"; } enum "cts-manual-mode-authenticating" { value 1; description "CTS IFC state is in authentication. This is bypassed in MANUAL mode."; } enum "cts-manual-mode-authorizing" { value 2; description "CTS IFC state is in authorization. This is bypassed in MANUAL mode."; } enum "cts-manual-mode-sap-ne" { value 3; description "CTS IFC state is in SAP negotiation"; } enum "cts-manual-mode-open" { value 4; description "CTS IFC state is in OPEN state"; } enum "cts-manual-mode-held" { value 5; description "CTS IFC state is in HELD state"; } enum "cts-manual-mode-disconnecting" { value 6; description "CTS IFC state is in disconnecting state"; } enum "cts-manual-mode-invalid" { value 7; description "CTS IFC state is invalid indicating some error condition"; } enum "cts-manual-mode-license-err" { value 8; description "CTS IFC state is in license error state indicating that current license level does not permit usage of CTS MANUAL"; } enum "cts-manual-mode-ignore" { value 9; description "Ignore CTS IFC state value as the interface is not configured with CTS MANUAL"; } } description "CTS Manual IFC State Machine status"; } typedef cts-manual-trust-status { type enumeration { enum "cts-manual-trusted" { value 0; description "CTS MANUAL connection on the interface is trusted"; } enum "cts-manual-untrusted" { value 1; description "CTS Interface connection on the interface is untrusted"; } enum "cts-manual-trust-status-ignore" { value 2; description "Ignore the trust status as CTS MANUAL is not configured on the interface"; } } description "CTS Interface trust status"; } typedef cts-manual-sgt-propagate-status { type enumeration { enum "cts-sgt-propagate-enabled" { value 0; description "Inline SGT propagation is enabled on the interface"; } enum "cts-sgt-propagate-disabled" { value 1; description "Inline SGT propagation is not enabled on the interface"; } enum "cts-sgt-propagate-ignore" { value 2; description "Ignore the SGT propagation status as CTS MANUAL is not configured on the interface"; } } description "CTS Interface SGT propagation status"; } typedef cts-sap-status { type enumeration { enum "cts-sap-unknown" { value 0; description "SAP negotiation is unknown indicating some error condition"; } enum "cts-sap-in-progress" { value 1; description "SAP negotiation is in progress"; } enum "cts-sap-success" { value 2; description "SAP negotiation is successful"; } enum "cts-sap-failed" { value 3; description "SAP negotiation failed on the interface"; } enum "cts-sap-license-err" { value 4; description "Current license level does not support SAP"; } enum "cts-sap-not-applicable" { value 5; description "SAP status is not applicable on this interface"; } enum "cts-sap-status-ignore" { value 6; description "SAP status is not applicable on this interface"; } } description "CTS SAP negotiation status"; } typedef cts-env-data-status-s { type enumeration { enum "env-download-in-progress" { value 0; description "Environment data downloads is in progress"; } enum "env-download-success" { value 1; description "Environment data downloads complete"; } enum "env-download-failed" { value 2; description "Environment data downloads failed"; } enum "env-download-incomplete" { value 3; description "Partial environment data received from Identity Services Engine"; } enum "env-download-response-timeout" { value 4; description "Time elapsed to receive response from Identity Services Engine"; } enum "env-data-cleared" { value 5; description "Environment data cleared from the device"; } enum "env-download-started" { value 6; description "Environment data downloads started"; } } description "Cisco TrustSec environment data downloads status"; } typedef cts-transport-type { type enumeration { enum "cts-radius-server" { value 0; description "Environment data uses Radius as transport protocol"; } enum "cts-policy-server" { value 1; description "Environment data uses HTTPS as transport protocol"; } } description "Cisco TrustSec Environment data server transport protocol"; } typedef cts-eap-pac-type { type enumeration { enum "pac-type-tunnel" { value 0; description "PAC type Tunnel"; } enum "pac-type-machine-authen" { value 1; description "PAC type machine authentication"; } enum "pac-type-user-author" { value 2; description "PAC type User Authorization"; } enum "pac-type-posture" { value 3; description "PAC type Posture"; } enum "pac-type-cisco-trustsec" { value 4; description "PAC type Cisco Trustsec"; } enum "pac-type-unknown" { value 5; description "PAC type UnKnown"; } } description "Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling defines, various PAC types"; } grouping cts-ip-sgt-map-key { description "IP-Address information to find corresponding CTS Security Group Tag binding"; leaf ip { type inet:ip-prefix; description "IP-Prefix information to find its corresponding Secure Group Tag. Only IPv4 prefix information is supported currently to get the Security Group Tag binding in this device"; } leaf vrf-name { type string; description "VRF-Name to find the Security Group Tag for the corresponding IP-Address in this VRF instance. Only default VRF is supported currently which is indicated by (empty string)"; } } // grouping cts-ip-sgt-map-key grouping cts-ip-sgt-map { description "Trustsec Security Group Tag binding information"; leaf sgt { type int32; description "Security Group Tag value corresponding to the given IP-Address"; } leaf source { type cts-odm-binding-source; description "Source information via which the Security Group Tag binding was learned in this device"; } } // grouping cts-ip-sgt-map grouping cts-role-based-policy-key { description "Source Security Group Tag and Destination Security Group Tag information to find the list of Security Group Access Control List that are currently applied between two security groups in the device"; leaf src-sgt { type int32; description "Source Security Group Tag number. This value must be in the inclusive range of -1 to 65519"; } leaf dst-sgt { type int32; description "Destination Security Tag number. This value must be in the inclusive range of -1 to 65519"; } } // grouping cts-role-based-policy-key grouping cts-role-based-policy { description "Trustsec Role based permissions between a Source Security Group and the Destination Security Group"; leaf sgacl-name { type string; description "List of Security Group Access Control List names separated by semi-colon(;)"; } leaf num-of-sgacl { type uint32; description "Number of Security Group Access Control Lists that are currently applied between the Source Security Group and the Destination Security Group. This should match the number of Security Group Access Control List names in sgacl-name"; } leaf monitor-mode { type boolean; description "Indicates the monitor mode status between the Source Security Group and Destination Security Group is currently enabled or disabled. This will be TRUE if monitor mode is enabled and FALSE if it is disabled"; } leaf policy-life-time { type uint64; description "Duration of the Role based permissions that are applied between a Source Security Group and a Destination Security Group. The duration is represented in seconds"; } leaf last-updated-time { type yang:date-and-time; description "Indicates the time when the Role based permissions between a Source Security Group and a Destination Security Group was modified or updated last. The value will be represented as date and time corresponding to the local time zone of the Identify Services Engine when the Role based permissions was modified or updated last"; } leaf total-deny-count { type uint64; description "Total number of packets that have been denied by the Role based permissions between a Source Security Group and a Destination Security Group. This corresponds to total packets denied in both hardware and software forwarding paths of the device"; } leaf total-permit-count { type uint64; description "Total number of packets that have been permitted by the Role based permissions between a Source Security Group and a Destination Security Group. This corresponds to total packets allowed in both hardware and software forwarding paths of the device"; } leaf software-deny-count { type uint64; description "Number of packets that have been denied in the software forwarding path of the device by the Role based permissions between a Source Security Group and a Destination Security Group"; } leaf software-permit-count { type uint64; description "Number of packets that have been permitted in the software forwarding path of the device by the Role based permissions between a Source Security Group and a Destination Security Group"; } leaf hardware-deny-count { type uint64; description "Number of packets that have been denied in the hardware forwarding path of the device by the Role based permissions between a Source Security Group and a Destination Security Group"; } leaf hardware-permit-count { type uint64; description "Number of packets that have been permitted in the hardware forwarding path of the device by the Role based permissions between a Source Security Group and a Destination Security Group."; } leaf software-monitor-count { type uint64; description "Number of packets that have been monitored in the software forwarding path of the device by the Role based permissions between a Source Security Group and a Destination Security Group"; } leaf hardware-monitor-count { type uint64; description "Number of packets that have been monitored in the hardware forwarding path of the device by the Role based permissions between a Source Security Group and a Destination Security Group"; } } // grouping cts-role-based-policy grouping cts-sxp-con-key { description "The peer IP-Address of a CTS SXP connection and vrf-name of the VRF instance in this device to which this IP-Address is configured. This information is used to get additional details of the SXP connection"; leaf peer-ip { type inet:ip-address; description "IP-Address information of the peer of an SXP connection in this device. Only IPv4 address is currently supported."; } leaf vrf-name { type string; description "vrf-name string of the VRF instance in this device, to which the peer of an SXP connection belongs to. Only default VRF is supported currently which is indicated by empty string"; } } // grouping cts-sxp-con-key grouping cts-sxp-con { description "SXP connection information"; leaf source-ip { type inet:ip-address; description "Source IP-Address of the SXP connection in this device for the given peer IP-Address."; } leaf speaker-state { type sxp-con-state; description "SXP speaker state information of the SXP connection in this device. This information is valid only if the local mode of the SXP connection in this device is Speaker"; } leaf speaker-duration { type uint64; units "seconds"; description "Duration since last state change of the SXP connection. This information is valid only if the local mode of the SXP connection is Speaker"; } leaf listener-state { type sxp-con-state; description "SXP listener state information of the SXP connection in this device. This information is valid only if the local mode of the SXP connection in the device is Listener"; } leaf listener-duration { type uint64; units "seconds"; description "Duration since last state change of the SXP connection. This information is valid only if the local mode of the SXP connection is Listener"; } leaf local-mode { type sxp-con-mode; description "SXP connection mode of this device for the SXP connection with the given peer"; } } // grouping cts-sxp-con grouping cts-manual-record { description "CTS Manual connection information"; leaf if-name { type string; description "Interface name"; } leaf mode { type cts-ndac-mode; description "Indicates the configured mode of CTS on the interface."; } leaf ifc-state { type cts-manual-ifc-state; description "State of the IFC state machine that controls the interface when CTS manual is configured."; } leaf trusted { type cts-manual-trust-status; description "Indicates whether incoming inline SGT on this interface can be trusted and used for further classification."; } leaf sgt-propagate { type cts-manual-sgt-propagate-status; description "Status of SGT propagation on the interface. SGT is inserted inline for further propagation only if this is enabled."; } leaf sap-status { type cts-sap-status; description "The status of SAP negotiation on the given interface"; } leaf peer-sgt { type uint16; description "Statically configured peer SGT value that is used to classify the incoming traffic on the interface"; } } // grouping cts-manual-record grouping cts-pac-data { description "Cisco TrustSec PAC detailed information"; leaf pac-type { type cts-eap-pac-type; description "Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling defines, various PAC types"; } leaf authority-id { type string; description "TrustSec device authenticate with policy server where policy server ID is considered as authority ID "; } leaf initiator-id { type string; description "Device ID is referred as an initiator identity, requests a PAC key from the policy server"; } leaf authority-id-info { type string; description "Authority ID info contains name of the policy server"; } leaf pac-life-time { type yang:date-and-time; description "PAC keys are associated with life time"; } leaf pac-refresh-time { type yang:date-and-time; description "The time at which device initiates PAC provisioning and update the database with new set of keys"; } leaf pac-opaque { type string; description "PAC-Opaque field is unique for each device, these opaque keys are generated by policy server"; } } // grouping cts-pac-data grouping cts-pac-record { description "The PAC is a unique shared credential used to mutually authenticate client and server. These are encrypted keys"; list pac { description "Protected Access Credentials, is associated with a specific initiator ID and a server authority ID"; uses trustsec-ios-xe-oper:cts-pac-data; } // list pac } // grouping cts-pac-record grouping cts-radius-server { description "Radius server detailed information"; leaf ip-addr { type inet:ip-address; description "IPv4 address of Radius server"; } leaf port-num { type uint16; description "Port number of Radius server"; } leaf is-alive { type boolean; description "Boolean indicating whether the radius server is alive"; } leaf auto-test { type boolean; description "Indicates whether radius server automated test functionality is enabled"; } leaf keywrap { type boolean; description "Indicates whether radius server key wrap functionality is enabled"; } leaf idle-time { type uint32; units "minutes"; description "Identity Services Engine Connection remain up though its idle till idle time expires"; } leaf dead-time { type uint32; units "seconds"; description "Ignore an unresponsive server till dead time expires"; } } // grouping cts-radius-server grouping cts-radius-servers { description "List of Radius servers"; list radius-server { description "Radius server detailed information"; uses trustsec-ios-xe-oper:cts-radius-server; } // list radius-server } // grouping cts-radius-servers grouping cts-policy-server { description "Policy server detailed information"; leaf server-name { type string; description "Policy server name received from Identity Services Engine"; } leaf domain-name { type string; description "Policy server FQDN domain name received from Identity Services Engine"; } leaf port-num { type uint16; description "Port number of policy server"; } leaf-list ipv4-address { type inet:ipv4-address; ordered-by user; description "List of IPv4 addresses received from Identity Services Engine for this server"; } leaf-list ipv6-address { type inet:ipv6-address; ordered-by user; description "List of IPv6 addresses received from Identity Services Engine for this server"; } } // grouping cts-policy-server grouping cts-http-servers { description "List of policy servers"; list policy-server { description "Policy server detailed information"; uses trustsec-ios-xe-oper:cts-policy-server; } // list policy-server } // grouping cts-http-servers grouping cts-env-data { description "Cisco TrustSec environment data received from Identity Services Engine(ISE)"; leaf status { type cts-env-data-status-s; description "Environment data download status"; } leaf device-sgt { type uint16; description "Source Group Tag assigned to the device"; } leaf total-num-servers { type uint8; description "Number of policy servers information received from Identity Services Engine (ISE)"; } leaf life-time { type uint32; units "seconds"; description "Duration of time the environment data is valid. Measured in seconds since the last environment data update"; } leaf last-updated-time { type yang:date-and-time; description "Time of the last successful receipt of environment data from Identity Services Engine"; } leaf next-refresh-time { type yang:date-and-time; description "Time of the next environment data refresh"; } choice transport-type-choice { description "Transport protocol used for Identity Services Engine communication either Radius or HTTPS"; container radius-servers { description "List of Radius servers received from Identity Services Engine"; uses trustsec-ios-xe-oper:cts-radius-servers; } // container radius-servers container policy-servers { description "List of policy servers received from Identity Services Engine"; uses trustsec-ios-xe-oper:cts-http-servers; } // container policy-servers } // choice transport-type-choice } // grouping cts-env-data container trustsec-state { config false; description "This is top level container for Cisco Trusted Security solution operational data. It can have Security Group Tag binding information for the given IP-Address, Role based permissions between a Source Security Group Tag and a Destination Security Group, SXP Connection information for a given peer IP-Address in this device"; container cts-rolebased-sgtmaps { description "Security Group Tag value corresponding to an IP-Address in the given VRF instance in this device"; list cts-rolebased-sgtmap { key "ip vrf-name"; description "Security Group Tag is assigned for an IP-Address based on the user permissions and authorization level as configured by the network administrator in Identity Service Engine server or in the device locally"; uses trustsec-ios-xe-oper:cts-ip-sgt-map-key; uses trustsec-ios-xe-oper:cts-ip-sgt-map; } // list cts-rolebased-sgtmap } // container cts-rolebased-sgtmaps container cts-rolebased-policies { description "Role based permissions between a Source Security Group and a Destination Security Group are configured by the administrator in the Identity Services Engine or in the Device"; list cts-rolebased-policy { key "src-sgt dst-sgt"; description "Role based permissions between a Source Security Group and a Destination Security Group can be retrieved from the device using a Security Group Tag and Destination Group Tag value"; uses trustsec-ios-xe-oper:cts-role-based-policy-key; uses trustsec-ios-xe-oper:cts-role-based-policy; } // list cts-rolebased-policy } // container cts-rolebased-policies list cts-rolebased-ipv6-policy { key "src-sgt dst-sgt"; description "Role based permissions ifor ipv6 between a Source Security Group and a Destination Security Group can be retrieved from the device using a Security Group Tag and Destination Group Tag value"; uses trustsec-ios-xe-oper:cts-role-based-policy-key; uses trustsec-ios-xe-oper:cts-role-based-policy; } // list cts-rolebased-ipv6-policy container cts-sxp-connections { description "Trustsec SXP connection is used between Cisco devices to propagate Security Group Tags from one device to another device. One of the device will be in Speaker mode or Listener mode or both the devices can be in both the connection modes"; list cts-sxp-connection { key "peer-ip vrf-name"; description "Trustsec SXP connection information from a device can be retrieved with the SXP connection peer IP address. Only IPv4 address as Peer IP and default VRF instance in device is supported currently"; uses trustsec-ios-xe-oper:cts-sxp-con-key; uses trustsec-ios-xe-oper:cts-sxp-con; } // list cts-sxp-connection } // container cts-sxp-connections list cts-manual-con { key "if-name"; description "A TrustSec link between two devices can be configured manually to propagate the Scalable Group Tag (SGT) inline. MACSec can also be enabled on the link using SAP and a static SGT assignment is also possible to classify the incoming traffic. The link can be either configured as trusted or untrusted. There is no authentication in this mode. The status of CTS manual connection between two devices can be retrieved with the interface name."; uses trustsec-ios-xe-oper:cts-manual-record; } // list cts-manual-con container cts-pac { presence "cts-pac"; description "Cisco Trustsec PAC is a unique shared credential used to mutually authenticate the client and server. It is associated with a specific IID and AID"; uses trustsec-ios-xe-oper:cts-pac-record; } // container cts-pac container cts-env-data { presence "cts-env-data"; description "A TrustSec environment data is used for Trustsec functionality. A security group information table that maps SGTs to security group names, server list and device sgt is downloaded from the Identity Services Engine with the environment data."; uses trustsec-ios-xe-oper:cts-env-data; } // container cts-env-data } // container trustsec-state } // module Cisco-IOS-XE-trustsec-oper
© 2023 YumaWorks, Inc. All rights reserved.