-- File Name : ZTE-DSL-DEV-SECURITY-ACL-MIB.mib
-- Date      : 2006-07-25
-- Author    : Wan Guanghua


ZTE-DSL-DEV-SECURITY-ACL-MIB DEFINITIONS ::= BEGIN
  IMPORTS 
       zxDsl
          FROM ZTE-DSL-MIB    
       MODULE-IDENTITY, OBJECT-TYPE, IpAddress, NOTIFICATION-TYPE, Integer32
          FROM SNMPv2-SMI
       InetAddress,InetAddressPrefixLength,InetAddressType     
          FROM INET-ADDRESS-MIB
       RowStatus, MacAddress
          FROM SNMPv2-TC;

    zxDslDevSecurityAclMib   MODULE-IDENTITY
        LAST-UPDATED    "200607250000Z"
        ORGANIZATION    "ZTE Corporation"
        CONTACT-INFO    "Wan Guanghua  
        Tel:   021-68896253     
        email: wan.guanghua@zte.com.cn"
        
        DESCRIPTION
            "This MIB defines the managed objects of ZTE DSLAM 
                        security access control policy.
        And it is used to configure what kind of packets can 
        access the DSLAM."
        ::=  {  zxDsl  24  }

    zxDslDevSecurityAclObjects   OBJECT IDENTIFIER
        ::=  {  zxDslDevSecurityAclMib  1  }
  
    zxDslDevSecurityAclEnable  OBJECT-TYPE
        SYNTAX      INTEGER { enable (1), disable (2) }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Enable or disable the ACL rules for the DSLAM.
                     the default value is disable,
                     which means all packets are permit to access the DSLAM."
        DEFVAL      { disable }
        ::=  { zxDslDevSecurityAclObjects  1 }

    zxDslDevSecurityAclTable    OBJECT-TYPE
        SYNTAX      SEQUENCE  OF  ZxDslDevSecurityAclEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "This table is used to define what kind of packets should be 
        permitted or denied.
             It can help us to prevent our devices from some vicious attackes, 
        such as virus. By default, when the packet isn't coincident with any 
        rules, it's permitted.
             We can define all other packets to be permitted or denied by 
        setting source IP and source mask to 0.0.0.0."
        ::=  { zxDslDevSecurityAclObjects  2 }

    zxDslDevSecurityAclEntry    OBJECT-TYPE
        SYNTAX      ZxDslDevSecurityAclEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry in zxDslDevSecurityAclTable."
        INDEX       {  zxDslDevSecAclIndex  }
        ::=  { zxDslDevSecurityAclTable 1 }

    ZxDslDevSecurityAclEntry  ::=  SEQUENCE {
        zxDslDevSecAclIndex               INTEGER,
        zxDslDevSecAclSrcIp               IpAddress,
        zxDslDevSecAclSrcMask             IpAddress,  
        zxDslDevSecAclProtocolType        INTEGER,
        zxDslDevSecAclSrcPortStart        INTEGER,
        zxDslDevSecAclSrcPortEnd          INTEGER,
        zxDslDevSecAclDestPortStart       INTEGER,
        zxDslDevSecAclDestPortEnd         INTEGER,
        zxDslDevSecAclAccessLevel         INTEGER,
        zxDslDevSecAclRuleMatchTimes      Integer32,
        zxDslDevSecAclRowStatus           RowStatus,
        ZxDslDevSecAclSrcMac              MacAddress,
        ZxDslDevSecAclDestMac             MacAddress,
        zxDslDevSecAclSrcIpType           InetAddressType,
        zxDslDevSecAclSrcIpv6Ip           InetAddress,
        zxDslDevSecAclSrcIpv6IpPfxLen     InetAddressPrefixLength,
        zxDslDevSecAclDestIpType          InetAddressType,
        zxDslDevSecAclDestIp              InetAddress,
        zxDslDevSecAclDestIpMask          IpAddress,
        zxDslDevSecAclDestIpv6PfxLen      InetAddressPrefixLength,
        zxDslDevSecAclEtherType           INTEGER,
        zxDslDevSecAclVlan                INTEGER,
        zxDslDevSecAclPktRateLimit        INTEGER
        }

    zxDslDevSecAclIndex    OBJECT-TYPE 
        SYNTAX          INTEGER ( 1 .. 16 ) 
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION
            "The index in the ACL rule table, which is the ACL rule number."
        ::=  {  zxDslDevSecurityAclEntry  1  }

     zxDslDevSecAclSrcIp   OBJECT-TYPE
          SYNTAX         IpAddress
          MAX-ACCESS     read-create
          STATUS         current
          DESCRIPTION
             "The source Ipv4 IP of the ACL rule.
              0.0.0.0 means not configured."
        ::=  {  zxDslDevSecurityAclEntry  2  }

     zxDslDevSecAclSrcMask OBJECT-TYPE
          SYNTAX         IpAddress
          MAX-ACCESS     read-create
          STATUS         current
          DESCRIPTION
             "The source IPv4 mask of the ACL rule.
              0.0.0.0 means not configured."
        ::=  {  zxDslDevSecurityAclEntry  3  }

    zxDslDevSecAclProtocolType OBJECT-TYPE 
        SYNTAX          INTEGER  
            { 
                all(0),
                icmp(1),
                tcp(2),
                udp(3)
            } 
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "Protocol type of the packets.
             The default value is ALL (0), which means all protocol types.
            "
        DEFVAL          { all }
        ::=  {  zxDslDevSecurityAclEntry  4  }

    zxDslDevSecAclSrcPortStart OBJECT-TYPE 
        SYNTAX          INTEGER ( 0 .. 65535 ) 
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "Beginning source port of the packets.
             The default value is 0, which means all source ports.
            "
        DEFVAL          { 0 }
        ::=  {  zxDslDevSecurityAclEntry  5  }

    zxDslDevSecAclSrcPortEnd   OBJECT-TYPE 
        SYNTAX          INTEGER ( 0 .. 65535 ) 
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "Ending source port of the packets.
             The default value is 0, which means all source ports.
            "
        DEFVAL          { 0 }
        ::=  {  zxDslDevSecurityAclEntry  6  }

    zxDslDevSecAclDestPortStart    OBJECT-TYPE 
        SYNTAX          INTEGER ( 0 .. 65535 ) 
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "Beginning destination port of the packets.
             The default value is 0, which means all destination ports.
            "
        DEFVAL          { 0 }
        ::=  {  zxDslDevSecurityAclEntry  7  }

    zxDslDevSecAclDestPortEnd  OBJECT-TYPE 
        SYNTAX          INTEGER ( 0 .. 65535 ) 
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "Ending destination port of the packets.
             The default value is 0, which means all destination ports.
            "
        DEFVAL          { 0 }
        ::=  {  zxDslDevSecurityAclEntry  8  }

    zxDslDevSecAclAccessLevel  OBJECT-TYPE 
        SYNTAX          INTEGER  { permit (1), deny (2) } 
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "The level of access to DSLAM,
             which means permit or deny this kind of packets.
            "
        ::=  {  zxDslDevSecurityAclEntry  9  }

    zxDslDevSecAclRuleMatchTimes  OBJECT-TYPE 
        SYNTAX          Integer32
        MAX-ACCESS      read-only
        STATUS          current
        DESCRIPTION
            "The number of times that packets match this rule."
        ::=  {  zxDslDevSecurityAclEntry  10  }

    zxDslDevSecAclRowStatus    OBJECT-TYPE 
        SYNTAX          RowStatus
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "This object is used to create a new row
             or delete an existing row in this table.
             Set it 4 to add, and 6 to delete the ACL rule.
            "
        ::=  {  zxDslDevSecurityAclEntry  11  }          
          
    zxDslDevSecAclSrcMac  OBJECT-TYPE 
        SYNTAX          MacAddress
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "Source MAC of the packets."
        ::=  {  zxDslDevSecurityAclEntry  12  }

    zxDslDevSecAclDestMac  OBJECT-TYPE 
        SYNTAX          MacAddress
        MAX-ACCESS      read-create
        STATUS          current
        DESCRIPTION
            "Destination MAC of the packets."
        ::=  {  zxDslDevSecurityAclEntry  13  }       
    
    zxDslDevSecAclSrcIpType OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The type of Source IP address.
             The value is unknown(0) means that source IP address is not 
             configured (include IPv4 and IPv6)."
        DEFVAL{ ipv4 } 
        ::= {   zxDslDevSecurityAclEntry  14   } 
        
    zxDslDevSecAclSrcIpv6Ip OBJECT-TYPE
        SYNTAX      InetAddress
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The source IPv6 IpAddress of the ACL rule.
             Zero-length string means not configured."
        ::= {   zxDslDevSecurityAclEntry  15   }
        
    zxDslDevSecAclSrcIpv6IpPfxLen OBJECT-TYPE
        SYNTAX      InetAddressPrefixLength
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The prefix length of the IPv6 IP address.
             0 means not configured."                          
        ::= {   zxDslDevSecurityAclEntry  16   }
        
    zxDslDevSecAclDestIpType OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The type of destination IP address.
             The value is unknown(0) means that destination IP address is not 
             configured (include IPv4 and IPv6)."
        DEFVAL{ ipv4 } 
        ::= {   zxDslDevSecurityAclEntry  17   }         
        
    zxDslDevSecAclDestIp OBJECT-TYPE
        SYNTAX      InetAddress
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The destination IP address of the ACL rule.
             Zero-length string means not configured.
            "
        ::= {   zxDslDevSecurityAclEntry  18   }
    
    zxDslDevSecAclDestIpMask OBJECT-TYPE
        SYNTAX      IpAddress
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The destination IPv4 mask of the ACL rult.
             0.0.0.0 means not configured.
            "
        ::= {   zxDslDevSecurityAclEntry  19   }
        
    zxDslDevSecAclDestIpv6PfxLen OBJECT-TYPE
        SYNTAX      InetAddressPrefixLength
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The prefix length of the destination IPv6 IP address.
             0 means not configured.
            "
        ::= {   zxDslDevSecurityAclEntry  20   }
        
    zxDslDevSecAclEtherType OBJECT-TYPE
        SYNTAX      INTEGER
            {
                any(1),
                arp(2),
                ipv4(3),
                ipv6(4)
            }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Ethernet type of the ACL rule.
             any(1) means that the acl rule filters all packets that ethernet 
                    type is ARP, IPv4 or IPv6.
             arp(2) means that the acl rule filters all packets that ethernet
                    type is ARP.
             ipv4(3) means that the acl rule filters all packets that ethernet
                     type is IPv4.
             ipv6(4) means that the acl rule filters all packets that ethernet
                     type is IPv6.
            "
        DEFVAL { any } 
        ::= {   zxDslDevSecurityAclEntry  21   }
        
    zxDslDevSecAclVlan OBJECT-TYPE
        SYNTAX      INTEGER  (0..4094)
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "VLAN ID of the ACL rule.
             0 means not configured.
            "
        DEFVAL { 0 }
        ::= {   zxDslDevSecurityAclEntry  22   }
        
    zxDslDevSecAclPktRateLimit  OBJECT-TYPE
        SYNTAX      INTEGER(0..2048)
        UNITS       "pps"
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "This object indicates the rate limit of the packet filtered by 
             the ACL rule.
             0 means the packet rate is unlimited.
            "
        DEFVAL      {  0  }
        ::= {   zxDslDevSecurityAclEntry  23  }
                          
    zxDslDevSecurityAclGlobalObjects OBJECT IDENTIFIER
        ::=  {  zxDslDevSecurityAclObjects  3  } 
        
    zxDslDevSecurityAclActionScope OBJECT-TYPE 
        SYNTAX     INTEGER  { 
                             allMgmtPacket(1), 
                             onlyPacketToMgmtIp(2)
        } 
        MAX-ACCESS read-write
        STATUS     current        
        DEFVAL     { allMgmtPacket }
        DESCRIPTION
           "The effect scope of device security acl.
            Possible values are:
            allMgmtPacket(1)     - all packet received will be filter by 
                                   ACL list.               
            onlyPacketToMgmtIp(2)- only packet to managment IP will be 
                                   filter by ACL list. 
           "
        ::=  {  zxDslDevSecurityAclGlobalObjects  1  }
        
    zxDslAclPktRateLimitTrapEnable OBJECT-TYPE 
        SYNTAX     INTEGER  
            {
                enable(1), 
                disable(2)
            } 
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Enables or disables the zxDslDevAclPktOverRateLimitTrap and 
             zxDslDevAclPktUnderRateLimitTrap.
            "
        DEFVAL    { disable }
        ::=  {  zxDslDevSecurityAclGlobalObjects  2  }

    zxDslDevSecurityAclTrapObjects OBJECT IDENTIFIER
        ::=  {  zxDslDevSecurityAclMib  2  }
  
    zxDslDevAclPktOverRateLimitTrap      NOTIFICATION-TYPE
        OBJECTS { zxDslDevSecAclPktRateLimit  }
        STATUS  current
        DESCRIPTION
            "ACL packet rate is over zxDslDevSecAclPktRateLimit and the
             zxDslDevAclPktOverRateLimitTrap will be sent.
            "
        ::= { zxDslDevSecurityAclTrapObjects 1 }  
        
    zxDslDevAclPktUnderRateLimitTrap      NOTIFICATION-TYPE
        OBJECTS { zxDslDevSecAclPktRateLimit  }
        STATUS  current
        DESCRIPTION
            "ACL packet rate is lower than zxDslDevSecAclPktRateLimit and the
             zxDslDevAclPktOverRateLimitTrap will be restored.
            "
        ::= { zxDslDevSecurityAclTrapObjects 2 }
  
END
