This MIB module defines managed objects that facilitate the
management of various policies within the Cisco Trusted Security
(TrustSec) infrastructure.
The information available through this MIB includes:
o Device and interface level configuration for enabling
SGACL (Security Group Access Control List) enforcement
on Layer2/3 traffic.
o Administrative and operational SGACL mapping to Security
Group Tag (SGT).
o Various statistics counters for traffic subject to SGACL
enforcement.
o TrustSec policies with respect to peer device.
o Interface level configuration for enabling the propagation
of SGT along with the Layer 3 traffic in portions of the
network which do not have the capability to support the
TrustSec feature.
o TrustSec policies with respect to SGT propagation with
Layer 3 traffic.
The following terms are used throughout this MIB:
VRF: Virtual Routing and Forwarding.
SGACL: Security Group Access Control List.
ACE: Access Control Entries.
SXP: SGT Propagation Protocol.
SVI: Switch Virtual Interface.
IPM: Identity Port Mapping.
SGT (Security Group Tag) is a unique 16-bit value assigned
to every security group and used by network devices to
enforce SGACL.
Peer is another device connected to the local device on the
other side of a TrustSec link.
Default Policy: Policy applied to traffic when there is
no explicit policy between the SGT associated with the
originator of the traffic and the SGT associated with
the destination of the traffic.
This object specifies whether SGACL enforcement for all
Layer 3 interfaces (excluding SVIs) is enabled at the
managed system.
'none' indicates that SGACL enforcement for all Layer 3
interfaces (excluding SVIs) is disabled.
'l3Only' indicates that SGACL enforcement is enabled on
every TrustSec capable Layer3 interface (excluding SVIs)
in the device.
This object specifies an existing flexible netflow monitor
name used to collect and export the IPv4 traffic dropped
packets statistics due to SGACL enforcement. The zero-length
string indicates that no such netflow monitor is configured
in the device.
This object specifies an existing flexible netflow monitor
name used to collect and export the IPv6 traffic dropped
packets statistics due to SGACL enforcement. The zero-length
string indicates that no such netflow monitor is configured
in the device.
Each row contains the SGACL enforcement information
for Layer 2 and Layer 3 switched packets in a VLAN
identified by its VlanIndex value. Entries in this
table are populated for VLANs which contain SGACL
enforcement or VRF configuration.
This object indicates if there is an active SVI
associated with this VLAN.
'true' indicates that there is an active SVI associated
with this VLAN, and SGACL is enforced for both Layer 2 and
Layer 3 switched packets within that VLAN.
'false' indicates that there is no active SVI associated
with this VLAN, and SGACL is only enforced for Layer 2
switched packets within that VLAN.
The status of this conceptual row entry. This object
is used to manage creation and deletion of rows in this
table. When this object value is 'active', other
writable objects in the same row cannot be modified.
Each row contains the SGACL mapping to source and destination
SGT for a certain traffic type as well as status of this
instance. A row instance can be created or removed by setting
the appropriate value of its RowStatus object.
This object specifies the list of existing SGACLs which are
administratively configured to apply to unicast IP traffic
carrying the source SGT to the destination SGT.
This object specifies the SGACLs of the unicast default
policy for IPv4 traffic. If there is no SGACL configured
for unicast default policy for IPv4 traffic, the value of
this object is the zero-length string.
This object specifies the SGACLs of the unicast default
policy for IPv6 traffic. If there is no SGACL configured
for unicast default policy for IPv6 traffic, the value of
this object is the zero-length string.
This object indicates the generation identification of
downloaded SGACL which is applied to unicast IP traffic
carrying the source SGT to the destination SGT.
This object indicates the type of the unicast IP traffic
carrying the source SGT and travelling to destination
SGT and subjected to SGACL enforcement by this downloaded
default policy.
Each row contains the downloaded SGACLs mapping.
A row instance contains the SGACL information of the default
policy dynamically downloaded from ACS server for unicast
IP traffic.
This object indicates the generation identification
of the SGACL operationally applied to unicast IP traffic
carrying the source SGT to the destination SGT.
This object indicates the source of SGACL mapping
for the SGACL operationally applied to unicast IP traffic
carrying the source SGT to the destination SGT.
'downloaded' indicates that the mapping is downloaded
from ACS server.
'configured' indicates that the mapping is locally
configured in the device.
This object indicates the source of SGACL creation
for this SGACL.
'configured' indicates that the SGACL is locally
configured in the local device.
'downloaded' indicates that the SGACL is created at
ACS server and downloaded to the local device.
A row instance contains the SGACL information of the default
policy which is either statically configured at the device
or dynamically downloaded from ACS server for unicast
IP traffic.
This object indicates the source of SGACL mapping
for the SGACL of default policy operationally
applied to unicast IP traffic.
'downloaded' indicates that the mapping is downloaded
from ACS server.
'configured' indicates that the mapping is locally
configured in the device.
This object indicates the source of SGACL creation
for the SGACL of default policy operationally
applied to unicast IP traffic.
'downloaded' indicates that the SGACL is created at
ACS server and downloaded to the local device.
'configured' indicates that the SGACL is locally
configured in the local device.
This object specifies whether SGACL monitor mode is turned on
for the entire system. It takes precedence over the per-SGACL
ctspConfigSgaclMonitor control. It can act as a safety
mechanism to turn off monitoring in case the monitor feature
impacts system performance.
Each row contains the SGACL statistics related to
IPv4 or IPv6 packets carrying the source SGT travelling
to the destination SGT and subjected to SGACL enforcement.
This object allows the user to specify the action to be taken
with respect to all peer policies in the device.
When read, this object always returns the value 'none'.
'none' - No operation.
'refresh' - Refresh all peer policies in the device.
This object indicates the TrustSec trust state of this
peer device.
'trusted' indicates that this is a trusted peer device.
'noTrust' indicates that this peer device is not trusted.
This object allows the user to specify the action to be taken
with this peer policy.
When read, this object always returns the value 'none'.
'none' - No operation.
'refresh' - Refresh this peer policy.
This object indicates the type of the IP traffic
affected by Layer-3 transport policy.
'ipv4' indicates that the affected traffic is IPv4
traffic.
'ipv6' indicates that the affected traffic is IPv6
traffic.
This object indicates the type of the Layer-3
transport policy affecting IP traffic regarding
SGT propagation.
'permit' indicates that the transport policy is used
to classify Layer-3 traffic which is subject to
SGT propagation.
'exception' indicates that the transport policy is used
to classify Layer-3 traffic which is NOT subject to
SGT propagation.
This object specifies the name of an ACL that is
administratively configured to classify Layer3
traffic. A zero-length string indicates there is no
such configured policy.
This object specifies the name of an ACL that is
downloaded from the policy server to classify Layer3
traffic. A zero-length string indicates there is no
such downloaded policy.
This object specifies the name of the operational ACL
currently used to classify Layer3 traffic. A zero-length
string indicates there is no such policy in effect.
This object specifies whether the Layer3 Transport
policies will be applied on this interface for egress
IPv4 traffic.
'true' indicates that Layer3 permit and exception policy
will be applied at this interface for egress IPv4 traffic.
'false' indicates that Layer3 permit and exception policy
will not be applied at this interface for egress IPv4
traffic.
This object specifies whether the Layer3 Transport
policies will be applied on this interface for egress
IPv6 traffic.
'true' indicates that Layer3 permit and exception policy
will be applied at this interface for egress IPv6 traffic.
'false' indicates that Layer3 permit and exception policy
will not be applied at this interface for egress IPv6
traffic.
Each row contains the IP-to-SGT mapping and status of
this instance. An entry in this table is either populated
automatically by the device or manually configured by
a user. A manually configured row instance can be created
or removed by setting the appropriate value of its
RowStatus object.
This object indicates the source of the mapping.
'configured' indicates that the mapping is manually
configured by user.
'arp' indicates that the mapping is dynamically learnt
from tagged ARP replies.
'localAuthenticated' indicates that the mapping is
dynamically learnt from the device authentication of
a host.
'sxp' indicates that the mapping is dynamically learnt
from SXP (SGT Propagation Protocol).
'internal' indicates that the mapping is automatically
created by the device between the device IP addresses
and the device's own SGT.
'l3if' indicates that the Interface-SGT mapping is configured
by the user.
'vlan' indicates that the Vlan-SGT mapping is configured by the user.
'cached' indicates that the SGT mapping is cached.
Only 'configured' value is accepted when setting this
object.
This object is used to manage the creation and deletion
of rows in this table. If this object value is 'active',
the user cannot modify any writable object in this row.
If the value of the ctspIpSgtSource object in an entry is not
'configured', the user cannot change the value of this object.
This object allows the user to specify the action to be taken
with respect to all SGT policies in the device.
When read, this object always returns the value 'none'.
'none' - No operation.
'refresh' - Refresh all SGT policies in the device.
This object allows the user to specify the action to be taken
with this downloaded SGT policy.
When read, this object always returns the value 'none'.
'none' - No operation.
'refresh' - Refresh this SGT policy.
This object indicates the downloaded default SGT
policy type.
'unicastDefault' indicates the SGT policy applied to
traffic which carries the default unicast SGT.
This object allows the user to specify the action to be taken
with this default downloaded SGT policy.
When read, this object always returns the value 'none'.
'none' - No operation.
'refresh' - Refresh this default SGT policy.
This object indicates the Layer 3 Identity Port Mapping (IPM)
operational mode.
disabled - The L3 IPM is not configured.
active - The L3 IPM is configured for this interface, and
SGT is available.
inactive - The L3 IPM is configured for this interface, and
SGT is unavailable.
This object specifies which SGT-caching mode is configured
for SGT caching capable interfaces at the managed system.
'none' indicates that sgt-caching for all Layer 3
interfaces (excluding SVIs) is disabled.
'standAlone' indicates that SGT-caching is enabled on
every TrustSec capable Layer3 interface (excluding SVIs)
in the device.
'withEnforcement' indicates that SGT-caching is enabled on
interfaces that have RBAC enforcement enabled.
'vlan' indicates that SGT-caching is enabled on
the VLANs specified by ctspSgtCachingVlansFirst2K and
ctspSgtCachingVlansSecond2K.
A string of octets containing one bit per VLAN for VLANs 0 to
2047.
If the bit corresponding to a VLAN is set to 1, it indicates
SGT-caching is enabled on the VLAN.
If the bit corresponding to a VLAN is set to 0, it indicates
SGT-caching is disabled on the VLAN.
A string of octets containing one bit per VLAN for VLANs 2048
to 4095.
If the bit corresponding to a VLAN is set to 1, it indicates
SGT-caching is enabled on the VLAN.
If the bit corresponding to a VLAN is set to 0, it indicates
SGT-caching is disabled on the VLAN.
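The two VLAN bitmap objects above are easiest to understand in code. The following is an added example, not part of the MIB or of any Cisco tooling; it decodes and builds the First2K/Second2K octet strings and assumes the usual SNMP convention for VLAN lists (the most significant bit of the first octet is the lowest-numbered VLAN of the range), which the description text does not state explicitly.

```python
# Added example: decode/encode the SGT-caching VLAN bitmaps described above.
# Assumption (not stated in the MIB text): bit 7 (MSB) of octet 0 is the
# lowest-numbered VLAN of the range, as in the SNMP PortList convention.
from typing import Iterable, Set

VLANS_PER_HALF = 2048            # each object covers 2048 VLANs
OCTETS_PER_HALF = VLANS_PER_HALF // 8
FIRST2K_BASE = 0                 # ctspSgtCachingVlansFirst2K: VLANs 0..2047
SECOND2K_BASE = 2048             # ctspSgtCachingVlansSecond2K: VLANs 2048..4095


def decode_vlan_bitmap(octets: bytes, base: int) -> Set[int]:
    """Return the VLAN IDs whose bit is 1 in an octet string for one range.

    An agent may return fewer than 256 octets (trailing zeros omitted);
    missing octets are treated as all-zero, i.e. caching disabled.
    """
    if len(octets) > OCTETS_PER_HALF:
        raise ValueError("bitmap longer than 2048 bits")
    vlans: Set[int] = set()
    for i, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):        # MSB-first within each octet (assumed)
                vlans.add(base + i * 8 + bit)
    return vlans


def encode_vlan_bitmap(vlans: Iterable[int], base: int) -> bytes:
    """Build a full 256-octet bitmap with the given VLANs enabled."""
    buf = bytearray(OCTETS_PER_HALF)
    for v in vlans:
        off = v - base
        if not 0 <= off < VLANS_PER_HALF:
            raise ValueError(f"VLAN {v} outside {base}..{base + VLANS_PER_HALF - 1}")
        buf[off // 8] |= 0x80 >> (off % 8)
    return bytes(buf)


def sgt_caching_vlans(first2k: bytes, second2k: bytes) -> Set[int]:
    """Combine both objects into the full set of VLANs with SGT-caching on."""
    return decode_vlan_bitmap(first2k, FIRST2K_BASE) | decode_vlan_bitmap(second2k, SECOND2K_BASE)


# Constructed sample values (not captured from a real device):
# First2K with VLANs 1 and 10 set, Second2K with VLANs 2048 and 4095 set.
SAMPLE_FIRST2K = bytes([0x40, 0x20])
SAMPLE_SECOND2K = encode_vlan_bitmap({2048, 4095}, SECOND2K_BASE)
```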
This object specifies whether the system generates
ctspPeerPolicyUpdatedNotif.
A value of 'false' will prevent
ctspPeerPolicyUpdatedNotif notifications
from being generated by this system.
This object specifies whether this system generates the
ctspAuthorizationSgaclFailNotif.
A value of 'false' will prevent
ctspAuthorizationSgaclFailNotif notifications
from being generated by this system.
This object indicates the reason for failure during SGACL
acquisition, installation and uninstallation, which is
associated with ctspAuthorizationSgaclFailNotif:
'downloadACE' - Failure during downloading ACE in SGACL acquisition.
'downloadSrc' - Failure during downloading source list in SGACL acquisition.
'downloadDst' - Failure during downloading destination list in SGACL acquisition.
'installPolicy' - Failure during SGACL policy installation.
'installPolicyStandby' - Failure during SGACL policy installation on standby.
'installForIP' - Failure during SGACL installation for a specific IP type.
'uninstall' - Failure during SGACL uninstallation.
A collection of objects which provide the SGACL enforcement
information for all TrustSec capable Layer 3 interfaces
(excluding SVIs) at the device level.