--- SECURITY MIB -SECURITY-MIB DEFINITIONS ::= BEGIN IMPORTS OBJECT-TYPE FROM RFC-1212 TRAP-TYPE FROM RFC-1215 mrmPortAdminStatus,

securePort FROM LBHUB-MSH-MIB; a3Com generic securePort OBJECT IDENTIFIER ::= { enterprises 43 } OBJECT IDENTIFIER ::= { a3Com 10 } OBJECT IDENTIFIER ::= { generic 22 }

securePortTable OBJECT-TYPE SYNTAX SEQUENCE OF SecurePortEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table defines the security status of each secure p ort. Each port can have a number of authorised MAC addresses, and these are s tored in the secureAddressTable." ::= {securePort 1} securePortEntry OBJECT-TYPE SYNTAX SecurePortEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "There is a row in this table for each secure port, and allows repeater ports to be configured for security on a per port basis. It is indexed using the objects secureSlotIndex and securePortIndex." INDEX {secureSlotIndex,securePortIndex} ::= {securePortTable 1} SecurePortEntry ::= SEQUENCE { secureSlotIndex securePortIndex securePortMode secureNeedToKnowMode secureIntrusionAction secureNumberAddresses secureNumberAddressesStored secureMaximumAddresses INTEGER } INTEGER, INTEGER, INTEGER, INTEGER, INTEGER, INTEGER, INTEGER,

secureSlotIndex OBJECT-TYPE SYNTAX INTEGER (1..1024) ACCESS read-only STATUS mandatory DESCRIPTION "The slot or unit number of the secure port. This is the first index into the securePortTable." ::= {securePortEntry 1}

securePortIndex OBJECT-TYPE SYNTAX INTEGER (1..1024) ACCESS read-only STATUS mandatory DESCRIPTION "The port number of the secure port. This is the second index into the securePortTable." ::= {securePortEntry 2} securePortMode OBJECT-TYPE SYNTAX INTEGER { noRestrictions (1), continuousLearning (2), autoLearn (3), secure (4) } ACCESS read-write STATUS mandatory DESCRIPTION "Determines the learning and security modes of the port. See secureNeedToKnowMode and secureIntrusionAction to configure Need To Know and Intrusion Action on each port. (When in a learning mode, secureNumberAddresses determines the maximum n umber of addresses that can be learned on the port. This is set by the user.) noRestrictions(1) continuousLearning(2) sses are of the older entries will be aged out. Need To Know and Intrusion Action d epends on secureNeedToKnowMode and secureIntrusionActio n respectively. autoLearn(3) n addresses are de is then set to secure. Need To Know and Intrusion Action dep ends on secureNeedToKnowMode and secureIntrusionActio n respectively. secure(4) Action depends n respectively. The secureAddressLearned trap is sent whenever a station has been learne d. The secureViolation trap is sent whenever a packet is received from an u nauthorised station. " ::= {securePortEntry 3} Learning is disabled. Need To Know and Intrusion on secureNeedToKnowMode and secureIntrusionActio All addresses for this port are deleted, and the learned up to the number permitted. securePortMo All learning and security are disabled. Addresses are learned continually. If more addre learned than are permitted on the port, then one

secureNeedToKnowMode OBJECT-TYPE SYNTAX INTEGER { notAvailable (1), disabled (2), needToKnowOnly (3), needToKnowWithBroadcastsAllowed (4), needToKnowWithMulticastsAllowed (5), permanentNeedToKnowOnly (6), permanentNeedToKnowWithBroadcastsAllowed (7), permanentNeedToKnowWithMulticastsAllowed (8) } ACCESS read-write STATUS mandatory DESCRIPTION "Attribute to determine which frames are to be forwarded to this port intact. 1 2 3 4 s. 5 - Frames addressed to the authorised devices, plus all broadcast and m ulticast frames. 6 - As 3 and cannot be changed. 7 - As 4 and cannot be changed. 8 - As 5 and cannot be changed. If this object returns 1,6,7 or 8, it means that the Need To Know config uration cannot be changed, and any attempt to write to this object will cause an error. " ::= {securePortEntry 4} secureIntrusionAction OBJECT-TYPE SYNTAX INTEGER { notAvailable (1), noAction (2), disablePort (3) } ACCESS read-write STATUS mandatory DESCRIPTION "Attribute to determine the action if an unauthorised de vice tranmsits on this port." ::= {securePortEntry 5} --- The following 3 objects are used to allow multiple MAC addresses to be assign ed to the port. secureNumberAddresses OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum number of addresses that the port can learn or store. Reducing this number may cause some addresses to be deleted. This value is set by the user and cannot be automatically changed by the agent. The following relationship must allows be preserved. Need To Know is not available. All frames. Frames addressed to the authorised devices only. Frames addressed to the authorised devices, plus all broadcast frame

secureNumberAddressesStored <= secureNumberAddresses <= secureMa ximumAddresses " ::= {securePortEntry 6} secureNumberAddressesStored OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of addresses that are currently in the Addre ssTable for this port. If this object has the same value as secureNumberAddresses, then no more address es can be authorised on this port. The following relationship must allows be preserved. secureNumberAddressesStored <= secureNumberAddresses <= secureMa ximumAddresses " ::= {securePortEntry 7} secureMaximumAddresses OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "This indicates the maximum value that secureNumberAddre sses can be set to. It is dependent on the resources available so may change, eg. if resources are shared between ports, then this value can both increase and decrease. Th is object must be read before setting secureNumberAddresses. The following relationship must allows be preserved. secureNumberAddressesStored <= secureNumberAddresses <= secureMa ximumAddresses " ::= {securePortEntry 8} --- SECURE ADDRESS TABLE -secureAddressTable OBJECT-TYPE SYNTAX SEQUENCE OF SecureAddressEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table which stores the MAC addresses assigned to e ach port. Addresses will normally defined as authorised, and describe the de vices which are permitted to transmit and receive on the corresponding port. This table can be written to by the agent as well as the management station." ::= {securePort 2} secureAddressEntry OBJECT-TYPE SYNTAX SecureAddressEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table allows multiple addresses to be assigned to

each secure port. It is indexed using the objects secureAddrSlotIndex, secureAddrPortIndex and secureAddrMACAddress." INDEX {secureAddrSlotIndex,secureAddrPortIndex,secureAddrMAC} ::= {secureAddressTable 1} SecureAddressEntry ::= SEQUENCE { secureAddrSlotIndex INTEGER, secureAddrPortIndex INTEGER, secureAddrMAC OCTET STRING, secureAddrRowStatus INTEGER } secureAddrSlotIndex OBJECT-TYPE SYNTAX INTEGER (1..1024) ACCESS read-only STATUS mandatory DESCRIPTION "The slot or unit number of the secure port. This is th e first index into the secureAddressTable." ::= {secureAddressEntry 1} secureAddrPortIndex OBJECT-TYPE SYNTAX INTEGER (1..1024) ACCESS read-only STATUS mandatory DESCRIPTION "The port number of the secure port. This is the second index into the secureAddressTable." ::= {secureAddressEntry 2} secureAddrMAC OBJECT-TYPE SYNTAX OCTET STRING (SIZE(6)) ACCESS read-only STATUS mandatory DESCRIPTION "The MAC address of a station assigned to this port. Th is is the third index into the secureAddressTable." ::= {secureAddressEntry 3} secureAddrRowStatus OBJECT-TYPE SYNTAX INTEGER { active (1), notInService (2), notReady (3), createAndGo (4), createAndWait (5), destroy (6) } ACCESS read-write STATUS mandatory DESCRIPTION "This manages the creation and deletion or rows, and sho ws the current status of the indexed MAC address. This object has the foll owing values. 1 - The indexed MAC address is authorised on this port. 2 - The indexed MAC address is not authorised on this port. 3 - Not applicable. (This value indicates an incomplete row.)

4 5 ive(1) is 6

- Assign a new MAC address to the port and authorise immediately. - Assign a new MAC address to the port, but do not authorise until act written to this object. - Delete this entry.

When creating a new entry, index a new row and use createAndGo(4) or cre ateAndWait(5). Some hardware will not allow the address to be unauthorised, and will automatically switch the row to active(1). When reading this object, only active(1) and notInService(2) will be returned. Only the values active(1) and destroy(6) will be allowed for an existing row, or createAndGo(4) and createAndWait(5) for a new row." ::= {secureAddressEntry 4} secureAddressLearned TRAP-TYPE ENTERPRISE a3Com VARIABLES {secureAddrRowStatus } DESCRIPTION "This trap is sent when a new station has been learned. The slot and port on which the address was received are in the first and second index of secureAddrRowStatus, and t he MAC address of the learned station is in the third index." ::= 71 secureViolation TRAP-TYPE ENTERPRISE a3Com VARIABLES { secureAddrRowStatus, mrmPortAdminStatus } DESCRIPTION "This trap is sent whenever a security violation has occ ured. The slot and port on which the violation occured are in the first and second index of secureAddrRowStat us, and the MAC address of the offending station is in the third index. mrmPortAdminStatus indicates if the port has been disabled because of the violation. The implementation may not send violation traps from the same port at in tervals of less than 5 seconds" ::= 72 --- The following MIB objects will need to be changed to support the new MIB --- mrmPortDUDAction -- A new enumeration, notAvailable(4), will need to be added, as this object is incompatible with the new security MIB. --- mrmPortSecurityAvailable -- The enumeration will need changing to distinguish between the security MIBs -- securityI(1), -- notAvailable(2), -- securityII(3) END