You are here:

MonitorTools.com > Technical documentation > SNMP > MIB > Cisco > CISCO-IPSEC-POLICY-MAP-MIB
ActiveXperts Network Monitor 2019##AdminFavorites

CISCO-IPSEC-POLICY-MAP-MIB by vendor Cisco

CISCO-IPSEC-POLICY-MAP-MIB file content

The SNMP protocol is used to for conveying information and commands between agents and managing entities. SNMP uses the User Datagram Protocol (UDP) as the transport protocol for passing data between managers and agents. The reasons for using UDP for SNMP are, firstly it has low overheads in comparison to TCP, which uses a 3-way hand shake for connection. Secondly, in congested networks, SNMP over TCP is a bad idea because TCP in order to maintain reliability will flood the network with retransmissions.

Management information (MIB) is represented as a collection of managed objects. These objects together form a virtual information base called MIB. An agent may implement many MIBs, but all agents must implement a particular MIB called MIB-II [16]. This standard defines variables for things such as interface statistics (interface speeds, MTU, octets sent, octets received, etc.) as well as various other things pertaining to the system itself (system location, system contact, etc.). The main goal of MIB-II is to provide general TCP/IP management information.

Use ActiveXperts Network Monitor 2019 to import vendor-specific MIB files, inclusing CISCO-IPSEC-POLICY-MAP-MIB.


Vendor: Cisco
Mib: CISCO-IPSEC-POLICY-MAP-MIB  [download]  [view objects]
Tool: ActiveXperts Network Monitor 2019 [download]    (ships with advanced SNMP/MIB tools)
--
-- * $Source$
-- *------------------------------------------------------------------
-- *
-- CISCO-IPSEC-POLICY-MAP-MIB.my:  IPSec Tunnel-to-Policy
-- Mapping MIB.
--
-- * April 2000, S Ramakrishnan
-- *
-- * Copyright (c) 2000 by cisco Systems, Inc.
-- * All rights reserved.
-- *
-- *------------------------------------------------------------------

 CISCO-IPSEC-POLICY-MAP-MIB DEFINITIONS ::= BEGIN

   -- PREFACE:
   -- CISCO-IPSEC-POLICY-MAP-MIB Module is an enterprise
   -- specific appendage to the IPSEC-MONITOR-MIB
   -- that has been proposed to IETF. The only function
   -- of this MIB is to map the dynamically instantiated
   -- protocol structures (tunnels, SAs) to the policy
   -- entities that gave rise to them (policy definitions,
   -- cryptomaps, transforms etc).

   -- RELATIONSHIP TO COMMAND LINE INTERFACE (CLI):
   -- Information contained in all the MIB elements
   -- defined in this module are affected by CLI
   -- operations, EXCEPT where it is explicitly noted
   -- to the contrary.

    IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Integer32
         FROM SNMPv2-SMI
       DisplayString
         FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP
         FROM SNMPv2-CONF
       ciscoMgmt
                 FROM CISCO-SMI;

    ciscoIpSecPolMapMIB MODULE-IDENTITY
         LAST-UPDATED    "200008171257Z"
         ORGANIZATION "Tivoli Systems and Cisco Systems"
         CONTACT-INFO
                "Tivoli Systems
                 Research Triangle Park, NC

                 Cisco Systems
                 Enterprise Business Management Unit

                 Postal: 170 W Tasman Drive
                         San Jose, CA  95134
                         USA

                    Tel: +1 800 553-NETS

                 E-mail: cs-ipsecurity@cisco.com"

         DESCRIPTION
                 "The MIB module maps the IPSec
         entities created dynamically to the policy entities
         that caused them. This is an appendix to the
         IPSEC-MONITOR-MIB that has been proposed to
         IETF for monitoring IPSec based Virtual Private 
         Networks.

         Overview of Cisco IPsec Policy Map MIB

         MIB description

         There are two components to this MIB:  
	  #1 a table that maps an IPSec Phase-1 
	     tunnel to the Internet Security Association 
	     and Key Exchange (ISAKMP) Policy 
	     
	  and 

	  #2 a table that maps an IPSec Phase-2 
	     tunnel to the corresponding IPSec Policy
	     element - called 'cryptomaps' - in IOS 
	     (Internet Operating System)

         The first mappin (also called Internet Key Exchange
	 or IKE mapping) yields, given the index of
         the IKE tunnel in the ikeTunnelTable
         (IPSEC-MONITOR-MIB), the ISAKMP policy definition
         defined using the CLI on the managed entity.

         The IPSec mapping yields, given the index
         of the IPSec tunnel in the ipSecTunnelTable
         (IPSEC-MONITOR-MIB), the IPSec transform and
         the cryptomap definition that gave rise to
         this tunnel.

         In implementation and usage, this MIB cannot
         exist independent of the IPSEC-MONITOR-MIB. "
         ::= { ciscoMgmt 172 }

 -- Root under ciscoMgmt currently is tentative

 -- IPSec Policy Map MIB Object Groups
 --
 -- This MIB module contains the following groups:
 -- 1) IPSec Policy Map Group
 --    (a) IPSec Phase-1 Policy Map Group
 --    (b) IPSec Phase-1 Policy Map Group
 -- 2) IPSec Policy Map Notifications Group (empty)
 -- 3) IPSec Policy Map Conformance Group

    ciscoIpSecPolMapMIBObjects OBJECT IDENTIFIER
              ::= {ciscoIpSecPolMapMIB 1}

    ciscoIpSecPolMapMIBNotifPrefix OBJECT IDENTIFIER
              ::= {ciscoIpSecPolMapMIB 2}

    ciscoIpSecPolMapMIBConformance OBJECT IDENTIFIER
              ::= {ciscoIpSecPolMapMIB 3}

    ipSecPhaseOnePolMap OBJECT IDENTIFIER
              ::= {ciscoIpSecPolMapMIBObjects 1}

    ipSecPhaseTwoPolMap OBJECT IDENTIFIER
              ::= {ciscoIpSecPolMapMIBObjects 2}

 --
 -- The IPSec Phase-1 Policy Map Table
 --
    ikePolMapTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IkePolMapEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
          "The IPSec Phase-1 Internet Key Exchange Tunnel
           to Policy Mapping Table. There is one entry in
           this table for each active IPSec Phase-1
           Tunnel."
      ::= { ipSecPhaseOnePolMap 1 }

    ikePolMapEntry OBJECT-TYPE
       SYNTAX IkePolMapEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
             "Each entry contains the attributes associated
              with mapping an active IPSec Phase-1 IKE Tunnel
              to it's configured Policy definition."
       INDEX { ikePolMapTunIndex }
       ::= { ikePolMapTable 1}

    IkePolMapEntry ::= SEQUENCE {
       ikePolMapTunIndex        Integer32,
       ikePolMapPolicyNum       Integer32
    }

    ikePolMapTunIndex OBJECT-TYPE
       SYNTAX Integer32(1..2147483647)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
          "The index of the IPSec Phase-1 Tunnel to Policy
           Map Table.  The value of the index is the number
           used to represent this IPSec Phase-1 Tunnel in
           the IPSec MIB (ikeTunIndex in the
           ikeTunnelTable)."
       ::= { ikePolMapEntry 1 }

    ikePolMapPolicyNum OBJECT-TYPE
       SYNTAX Integer32(1..2147483647)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
          "The number of the locally defined ISAKMP policy
          used to establish the IPSec IKE Phase-1 Tunnel.
          This is the number which was used on the crypto
          command. For example, if the configuration command
          was:

           ==>  crypto isakmp policy 15

          then the value of this object would be 15.
          If ISAKMP was not used to establish this tunnel,
          then the value of this object will be zero."
       ::= { ikePolMapEntry 2 }

 --
 -- The IPSec Phase-2 Policy Map Table
 --
    ipSecPolMapTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpSecPolMapEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
          "The IPSec Phase-2 Tunnel to Policy Mapping Table.
           There is one entry in this table for each active
           IPSec Phase-2 Tunnel."
      ::= { ipSecPhaseTwoPolMap 1 }

    ipSecPolMapEntry OBJECT-TYPE
       SYNTAX IpSecPolMapEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
             "Each entry contains the attributes associated
              with mapping an active IPSec Phase-2 Tunnel
              to its configured Policy definition."
       INDEX { ipSecPolMapTunIndex }
       ::= { ipSecPolMapTable 1}

    IpSecPolMapEntry ::= SEQUENCE {
       ipSecPolMapTunIndex        Integer32,
       ipSecPolMapCryptoMapName   DisplayString,
       ipSecPolMapCryptoMapNum    Integer32,
       ipSecPolMapAclString       DisplayString,
       ipSecPolMapAceString       DisplayString
    }

    ipSecPolMapTunIndex OBJECT-TYPE
       SYNTAX Integer32(1..2147483647)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
          "The index of the IPSec Phase-2 Tunnel to Policy
          Map Table. The value of the index is the number
          used to represent this IPSec Phase-2 Tunnel in
          the IPSec MIB (ipSecTunIndex in the
          ipSecTunnelTable)."
       ::= { ipSecPolMapEntry 1 }

    ipSecPolMapCryptoMapName OBJECT-TYPE
       SYNTAX DisplayString
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of this object should be the name of 
	   the IPSec Policy (cryptomap) as assigned by the 
	   operator while configuring the policy of 
	   the IPSec traffic.

           For instance, on an IOS router, the if the command
	   entered to configure the IPSec policy was 

           ==>  crypto map ftpPolicy 10 ipsec-isakmp

           then the value of this object would be 'ftpPolicy'."
       ::= { ipSecPolMapEntry 2 }

    ipSecPolMapCryptoMapNum  OBJECT-TYPE
       SYNTAX Integer32(1..2147483647)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of this object should be the priority
	   of the IPSec Policy (cryptomap) assigned by the 
	   operator while configuring the policy of 
	   this IPSec tunnel.

           For instance, on an IOS router, the if the command
	   entered to configure the IPSec policy was 

           ==>  crypto map ftpPolicy 10 ipsec-isakmp

           then the value of this object would be 10."
       ::= { ipSecPolMapEntry 3 }

    ipSecPolMapAclString  OBJECT-TYPE
       SYNTAX DisplayString
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
          "The value of this object is the number or
          the name of the access control string (ACL) 
          that caused this IPSec tunnel to be established. 
	  The ACL that causes an IPSec tunnel
	  to be established is referenced by the 
	  cryptomap of the tunnel.

	  The ACL identifies the traffic that requires
	  protection as defined by the policy.

	  For instance, the ACL that requires FTP
	  traffic between local subnet 172.16.14.0 and a
	  remote subnet 172.16.16.0 to be protected
	  is defined as

           ==>access-list 101 permit tcp 172.16.14.0 0.0.0.255
                            172.16.16.0 0.0.0.255 eq ftp

           When this command causes an IPSec tunnel to be
	   established, the object 'ipSecPolMapAclString'
	   assumes the string value '101'.

           If the ACL is a named list such as
	   ==> ip access-list standard myAcl
	        permit 172.16.16.8 0.0.0.0

           then the value of this MIB element corresponding to 
	   IPSec tunnel that was created by this ACL would
	   be 'myAcl'."
                            
       ::= { ipSecPolMapEntry 4 }

    ipSecPolMapAceString  OBJECT-TYPE
       SYNTAX DisplayString
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
          "The value of this object is the access control 
	  entry (ACE) within the ACL that caused this IPSec 
	  tunnel to be established. 

	  For instance, if an ACL defines access for two
	  traffic streams (FTP and SNMP) as follows:
	  
           access-list 101 permit tcp 172.16.14.0 0.0.0.255
                            172.16.16.0 0.0.0.255 eq ftp
           access-list 101 permit udp 172.16.14.0 0.0.0.255
                            host 172.16.16.1 eq 161


          When associated with an IPSec policy, the second
	  element of the ACL gives rise to an IPSec tunnel
	  in the wake of SNMP traffic. The value of the
	  object 'ipSecPolMapAceString' for the IPSec tunnel
	  would be then the string
           'access-list 101 permit udp 172.16.14.0 0.0.0.255
                            host 172.16.16.1 eq 161'"
       ::= { ipSecPolMapEntry 5 }

 --
 -- Conformance Information
 --
    ipSecPolMapMIBGroups OBJECT IDENTIFIER
                   ::= {ciscoIpSecPolMapMIBConformance 1}

    ipSecPolMapMIBCompliances OBJECT IDENTIFIER
                   ::= {ciscoIpSecPolMapMIBConformance 2}
 --
 -- Compliance Statements
 --
    ipSecPolMapMIBCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
         "The compliance statement for SNMP entities
          for IP Security Protocol Tunnels to Policy
          definition mappings."
       MODULE -- this module
         MANDATORY-GROUPS  { ipSecPhaseOnePolMapGroup,
                             ipSecPhaseTwoPolMapGroup
                           }
         ::= { ipSecPolMapMIBCompliances 1 }

 --
 -- Units of Conformance
 --
    ipSecPhaseOnePolMapGroup OBJECT-GROUP
       OBJECTS {
                 ikePolMapPolicyNum
               }
       STATUS current
       DESCRIPTION
          "This group consists of a:
           1) IPSec Phase-1 Policy Map Table"
       ::= { ipSecPolMapMIBGroups 1 }

    ipSecPhaseTwoPolMapGroup OBJECT-GROUP
       OBJECTS {
                 ipSecPolMapCryptoMapName,
                 ipSecPolMapCryptoMapNum,
                 ipSecPolMapAclString,
                 ipSecPolMapAceString
               }
       STATUS current
       DESCRIPTION
          "This group consists of a:
           1) IPSec Phase-2 Policy Map Table"
       ::= { ipSecPolMapMIBGroups 2 }

 END