-- ################################################################################

EXTREME-IP-SECURITY-MIB DEFINITIONS ::= BEGIN

      IMPORTS
                MODULE-IDENTITY                                                     FROM SNMPv2-SMI
		OBJECT-TYPE                                                         FROM SNMPv2-SMI
		IpAddress                                                           FROM SNMPv2-SMI
		Counter64                                                           FROM SNMPv2-SMI
                Integer32                                                           FROM SNMPv2-SMI     	
                TEXTUAL-CONVENTION, DisplayString, MacAddress, RowStatus            FROM SNMPv2-TC
                InetAddressType, InetAddress , InetPortNumber                       FROM INET-ADDRESS-MIB 
                extremeAgent                                                        FROM EXTREME-BASE-MIB;


     -- Module identity; every node in this MIB is rooted at extremeAgent 34.
     -- Two notification groups follow: extremeIpSecurityTraps (DHCP/ARP checks) and
     -- extremeIpSecurityAnomalyTraps (protocol anomaly checks).
     -- NOTE(review): Counter64 and RowStatus are imported but not referenced anywhere in this module.
     extremeIpSecurity MODULE-IDENTITY
	        LAST-UPDATED "200502140000Z"
            ORGANIZATION "Extreme Networks, Inc."
            CONTACT-INFO "www.extremenetworks.com"
            DESCRIPTION "Extreme IP Security MIB"
         ::= { extremeAgent 34 }

     -- Root of the first trap group: the notification sits under sub-id 0 and its
     -- accessible-for-notify varbinds under sub-ids 1..6.
     extremeIpSecurityTraps     OBJECT IDENTIFIER
         ::= { extremeIpSecurity 1 }

     -- Sub-id 0 node used as the NOTIFICATION-TYPE prefix, per SMIv2 convention.
     extremeIpSecurityTrapsPrefix     OBJECT IDENTIFIER
         ::= { extremeIpSecurityTraps 0 }

     -- Sent when a packet fails one of the rogue-DHCP-server or ARP validation checks
     -- listed in extremeIpSecurityViolationType. The source IP and MAC varbinds are
     -- copied from the offending packet, so a trap receiver should treat them as
     -- untrusted input when logging or rendering them. The IP varbind is IpAddress,
     -- i.e. IPv4 only (the anomaly group below uses InetAddress instead).
     extremeIpSecurityViolation NOTIFICATION-TYPE
        OBJECTS { extremeIpSecurityVlanIfIndex,
                  extremeIpSecurityVlanDescr,
                  extremeIpSecurityPortIfIndex,
                  extremeIpSecurityIpAddr,
                  extremeIpSecurityMacAddress,
                  extremeIpSecurityViolationType }
        STATUS      current
        DESCRIPTION
            "For vlans/ports on which one or more of the IP Security
            features have been enabled, this trap will be generated when a packet
            received on that vlan/port is in violation of the configured IP
            Security protections."
        ::= { extremeIpSecurityTrapsPrefix 1 }
 
     -- ifIndex of the VLAN that received the violating packet; notify-only, not readable via GET.
     extremeIpSecurityVlanIfIndex OBJECT-TYPE
         SYNTAX Integer32
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "The ifIndex of the VLAN on which the violating packet was received."
         ::= { extremeIpSecurityTraps 1 }

     -- Human-readable VLAN name (at most 32 characters) for the VLAN in extremeIpSecurityVlanIfIndex.
     extremeIpSecurityVlanDescr OBJECT-TYPE
         SYNTAX DisplayString (SIZE(0..32))
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "The description (name) of the VLAN on which the violating packet was received."
         ::= { extremeIpSecurityTraps 2 }

    -- ifIndex of the physical port that received the violating packet; notify-only.
    extremeIpSecurityPortIfIndex  OBJECT-TYPE
        SYNTAX Integer32
        MAX-ACCESS accessible-for-notify
        STATUS current
        DESCRIPTION
        "The ifIndex of the port on which the violating packet was received."
        ::= { extremeIpSecurityTraps 3 }

    -- Source IP of the violating packet, as seen on the wire (attacker-controlled data).
    -- NOTE(review): IpAddress is IPv4-only, so an IPv6 source cannot be reported by this trap;
    -- the anomaly trap group uses InetAddressType/InetAddress for the same purpose.
    extremeIpSecurityIpAddr  OBJECT-TYPE
        SYNTAX  IpAddress
        MAX-ACCESS accessible-for-notify
        STATUS       current
        DESCRIPTION
        "Source IP address of the violating packet."
        ::= { extremeIpSecurityTraps 4 }

    -- Source MAC taken from the Ethernet header of the violating packet (not from the ARP payload).
    extremeIpSecurityMacAddress  OBJECT-TYPE
        SYNTAX MacAddress
        MAX-ACCESS accessible-for-notify
        STATUS current
        DESCRIPTION
        "Source MAC address from the ethernet header of the violating packet."
        ::= { extremeIpSecurityTraps 5 }

        -- Reason code carried in extremeIpSecurityViolation. Value 1 is the DHCP server check;
        -- values 2..6 are ARP payload consistency checks. There is no unknown(0) value here,
        -- unlike the anomaly-reason textual conventions further down.
        extremeIpSecurityViolationType OBJECT-TYPE
        SYNTAX  INTEGER {
            rogueDhcpServerPacket(1),
            badIpMacBindingInArpPacket(2),
            badIpInArpPacket(3),
            badMacInArpPacket(4),
            bcastSenderIpInArpPacket(5),
            bcastTargetIpInArpPacket(6)
        }
        MAX-ACCESS accessible-for-notify
        STATUS current
        DESCRIPTION
        "The type of IP Security violation that occurred:
            - rogueDhcpServerPacket(1)
                    A rogue DHCP server packet was received.
            - badIpMacBindingInArpPacket(2)
                    The IP-MAC binding received in the ARP packet does not exist in
                    the DHCP Bindings table or is incorrect.
            - badIpInArpPacket(3)
                    The Source IP address in the ARP payload is invalid.
            - badMacInArpPacket(4)
                    One of the MAC addresses in the ARP payload does not match
                    its counterpart in the ethernet header.
            - bcastSenderIpInArpPacket(5)
                    The Sender IP address in the ARP payload is Broadcast.
            - bcastTargetIpInArpPacket(6)
                    The Target IP address in the ARP payload is Broadcast."
        ::= { extremeIpSecurityTraps 6 }


--
-- protocol anomaly traps
--

-- internal conventions 

     -- Encoding for esAnomalyTcpFlag.
     -- NOTE(review): the DESCRIPTION says "a single octet" but SYNTAX is OCTET STRING (SIZE (2)),
     -- i.e. exactly two octets, and DISPLAY-HINT "2x" renders them as one 4-hex-digit group.
     -- Confirm with the agent which width is actually emitted before a receiver decodes the flags.
     HexOctet ::= TEXTUAL-CONVENTION
         DISPLAY-HINT    "2x"
         STATUS          current
         DESCRIPTION
            "A single hexadecimal octet used to specify TCP flags"
         SYNTAX          OCTET STRING (SIZE (2))

     -- 12-bit VLAN tag value (0..4095) carried in esAnomalyVlanTag.
     VlanTag ::= TEXTUAL-CONVENTION
         STATUS          current
         DESCRIPTION
            "The tag used when encapsulating transmitted packets"
         SYNTAX         INTEGER (0..4095) 

    -- IP protocol number of the violating packet, used by esAnomalyIpProto.
    -- NOTE(review): only icmp(1), tcp(6) and udp(17) are enumerated; a packet carrying any other
    -- protocol number presumably has to be reported as unknown(0). Verify against the agent.
    IpProtocol ::= TEXTUAL-CONVENTION
        DISPLAY-HINT    "d"
        STATUS          current
        DESCRIPTION
             "The value of the IP Protocol field of an IP Datagram
              Header. This identifies the protocol layer above IP. For
              example, the value 6 is used for TCP and the value 17 is used
              for UDP.  The values of this field are defined in the Assigned
              Numbers RFC."
        SYNTAX          INTEGER {
                        unknown(0),
                        icmp(1),
                        tcp(6),
                        udp(17)
                    }

    -- Reason code for extremeIpSecurityAnomalyTcpFlagViolation, carried in esAnomalyTcpFlagReason.
    -- The numbered rules below correspond to enum values 1..4 and mirror that trap's DESCRIPTION.
    TcpFlagAnomalyReason ::= TEXTUAL-CONVENTION
        STATUS          current
        DESCRIPTION
           " 1) (TCP flag SYN is set) and (its TCP source port < 1024). OR
             2) (TCP flag == 0) and (TCP seq # == 0). OR
             3) (TCP flag FIN/URG/PSH bits are set) and (TCP seq # == 0). OR
             4) Both TCP flags SYN and FIN are set"
        SYNTAX          INTEGER {
                        unknown(0),
                        flagSynAndSrcPort(1),
                        flagAndSeq(2),
                        flagFinAndUrgAandPshandSeq(3),
                        flagSynAndFin(4)
                    }

    -- Reason code for extremeIpSecurityAnomalyIcmpViolation, carried in esAnomalyIcmpReason.
    -- The "allowed size" threshold is configured on the device; its value is not exposed in this MIB.
    IcmpAnomalyReason ::= TEXTUAL-CONVENTION
        STATUS          current
        DESCRIPTION
           " 1) the size of the ICMP packet is larger than the pre-configured allowed size
             2) Fragmented ICMP packet"
        SYNTAX          INTEGER {
                        unknown(0),
                        icmpOverSize(1),
                        icmpFragmented(2)
                    }

    -- Reason code for extremeIpSecurityAnomalyTcpFragmentViolation, carried in esAnomalyTcpFragmentReason.
    -- NOTE(review): rule 2 here says "IP fragment offset = 1" while the matching trap's DESCRIPTION
    -- says "IP offset != 0"; confirm which condition the agent implements and align the two texts.
    TcpFragmentAnomalyReason ::= TEXTUAL-CONVENTION
        STATUS          current
        DESCRIPTION
           " 1) TCP packet with an incomplete TCP header (IP payload less than MIN_TCP_HDR_SIZE)
             2) Fragmented TCP packet (IP fragment offset = 1) "
        SYNTAX          INTEGER {
                        unknown(0),
                        tcpHdrLessSize(1),
                        tcpFragmented(2)
                    }

-- anomaly traps

     -- Root of the protocol-anomaly trap group: notifications under sub-id 0, varbinds under 1..19.
     extremeIpSecurityAnomalyTraps     OBJECT IDENTIFIER
         ::= { extremeIpSecurity 2 }

     -- Sub-id 0 node used as the NOTIFICATION-TYPE prefix for the anomaly traps.
     extremeIpSecurityAnomalyTrapsPrefix     OBJECT IDENTIFIER
         ::= { extremeIpSecurityAnomalyTraps 0 }


-- anomaly ip address traps

     -- Fires when a received packet has source IP equal to destination IP.
     -- Varbinds identify the port/VLAN and carry the packet's MAC, IP and protocol fields;
     -- no L4 ports are included (compare the L4port trap below). All packet-derived values
     -- are attacker-controlled and should be treated as untrusted by the receiver.
     extremeIpSecurityAnomalyIpViolation NOTIFICATION-TYPE
        OBJECTS { esAnomalyPortIfIndex, 
                  esAnomalyVlanIfIndex,
                  esAnomalyVlanDescr,
                  esAnomalySrcMacAddress,
                  esAnomalyDestMacAddress,
                  esAnomalyVlanTag,
                  esAnomalySrcIpAddrType,
                  esAnomalySrcIpAddr,
                  esAnomalyDestIpAddrType,
                  esAnomalyDestIpAddr,
                  esAnomalyIpProto} 
        STATUS      current
        DESCRIPTION
            "For ports on which the protocol anomaly protection IP
            feature has been enabled, this trap will be generated when a packet
            received on that port has source IP == destination IP"
        ::= { extremeIpSecurityAnomalyTrapsPrefix  1 }


-- anomaly L4port traps

     -- Fires for a TCP or UDP packet whose source L4 port equals its destination L4 port.
     -- Same varbinds as the IP trap plus esAnomalySrcL4Port and esAnomalyDestL4Port.
     extremeIpSecurityAnomalyL4PortViolation NOTIFICATION-TYPE
        OBJECTS { esAnomalyPortIfIndex, 
                  esAnomalyVlanIfIndex,
                  esAnomalyVlanDescr,
                  esAnomalySrcMacAddress,
                  esAnomalyDestMacAddress,
                  esAnomalyVlanTag,
                  esAnomalySrcIpAddrType,
                  esAnomalySrcIpAddr,
                  esAnomalyDestIpAddrType,
                  esAnomalyDestIpAddr,
                  esAnomalyIpProto,
                  esAnomalySrcL4Port,
                  esAnomalyDestL4Port} 
        STATUS    current
        DESCRIPTION
            "For ports on which the protocol anomaly protection L4port
            feature has been enabled, this trap will be generated when a packet
            received on that port satisfies
            1) the packet is a TCP or UDP packet.  AND
            2) its source L4 port == destination L4 port"
        ::= { extremeIpSecurityAnomalyTrapsPrefix 2 }


-- anomaly TCP flags trap 

     -- Fires for a TCP packet matching one of the four flag/sequence rules below; the rule that
     -- matched is reported in esAnomalyTcpFlagReason, with the raw flags and sequence number
     -- in esAnomalyTcpFlag and esAnomalyTcpSeq. esAnomalyIpProto is intentionally absent from
     -- the OBJECTS list (the trap is TCP-specific), unlike the IP and L4port traps.
     extremeIpSecurityAnomalyTcpFlagViolation NOTIFICATION-TYPE
        OBJECTS { esAnomalyPortIfIndex, 
                  esAnomalyVlanIfIndex,
                  esAnomalyVlanDescr,
                  esAnomalySrcMacAddress,
                  esAnomalyDestMacAddress,
                  esAnomalyVlanTag,
                  esAnomalySrcIpAddrType,
                  esAnomalySrcIpAddr,
                  esAnomalyDestIpAddrType,
                  esAnomalyDestIpAddr,
                  esAnomalySrcL4Port,
                  esAnomalyDestL4Port,
                  esAnomalyTcpFlagReason,
                  esAnomalyTcpFlag,
                  esAnomalyTcpSeq} 
        STATUS    current
        DESCRIPTION
            "For ports on which the protocol anomaly protection TCP flags
            feature has been enabled, this trap will be generated when a TCP
            packet received on that port satisfies
            1) (TCP flag SYN is set) and (its TCP source port < 1024). OR
            2) (TCP flag == 0) and (TCP seq # == 0). OR
            3) (TCP flag FIN/URG/PSH bits are set) and (TCP seq # == 0). OR
            4) Both TCP flags SYN and FIN are set"
        ::= { extremeIpSecurityAnomalyTrapsPrefix  3 }


-- anomaly fragmented TCP trap 

     -- Fires for a TCP packet with a truncated TCP header or a non-zero IP fragment offset;
     -- the matched rule is in esAnomalyTcpFragmentReason and the observed header length in
     -- esAnomalyTcpHdrSize. No L4 ports are included, since a fragment or short header may not
     -- carry them. NOTE(review): the TcpFragmentAnomalyReason TC words rule 2 as "offset = 1";
     -- confirm which of the two conditions the agent implements.
     extremeIpSecurityAnomalyTcpFragmentViolation NOTIFICATION-TYPE
        OBJECTS { esAnomalyPortIfIndex, 
                  esAnomalyVlanIfIndex,
                  esAnomalyVlanDescr,
                  esAnomalySrcMacAddress,
                  esAnomalyDestMacAddress,
                  esAnomalyVlanTag,
                  esAnomalySrcIpAddrType,
                  esAnomalySrcIpAddr,
                  esAnomalyDestIpAddrType,
                  esAnomalyDestIpAddr,
                  esAnomalyTcpFragmentReason,
                  esAnomalyTcpHdrSize}
        STATUS    current
        DESCRIPTION
            "For ports on which the protocol anomaly protection TCP fragment
            feature has been enabled, this trap will be generated when a packet
            received on that port satisfies
            1) the packet is TCP, and the size of its TCP header is less than the pre-configured value; or
            2) the packet is TCP and it is an IP-fragmented packet (IP offset != 0)"
        ::= { extremeIpSecurityAnomalyTrapsPrefix  4 }


-- anomaly ICMP trap 

     -- Fires for an ICMP packet that exceeds the configured size limit or arrives fragmented;
     -- the matched rule is reported in esAnomalyIcmpReason. The size threshold itself is not
     -- exposed in this MIB.
     extremeIpSecurityAnomalyIcmpViolation NOTIFICATION-TYPE
        OBJECTS { esAnomalyPortIfIndex, 
                  esAnomalyVlanIfIndex,
                  esAnomalyVlanDescr,
                  esAnomalySrcMacAddress,
                  esAnomalyDestMacAddress,
                  esAnomalyVlanTag,
                  esAnomalySrcIpAddrType,
                  esAnomalySrcIpAddr,
                  esAnomalyDestIpAddrType,
                  esAnomalyDestIpAddr,
                  esAnomalyIcmpReason}
        STATUS    current
        DESCRIPTION
            "For ports on which the protocol anomaly protection ICMP
            feature has been enabled, this trap will be generated when an ICMP
            packet received on that port satisfies
            1) the size of the ICMP (IP payload) is larger than the pre-configured value; or
            2) it is a fragmented IP/ICMP packet (IP offset != 0)"
        ::= { extremeIpSecurityAnomalyTrapsPrefix  5 }


-- internal objects

     -- ifIndex of the physical port that received the anomalous packet; notify-only.
     esAnomalyPortIfIndex  OBJECT-TYPE
        SYNTAX Integer32
        MAX-ACCESS accessible-for-notify
        STATUS current
        DESCRIPTION
        "The ifIndex of the port on which the violating packet was received."
        ::= { extremeIpSecurityAnomalyTraps  1 }

     -- ifIndex of the VLAN that received the anomalous packet; notify-only.
     esAnomalyVlanIfIndex OBJECT-TYPE 
         SYNTAX Integer32
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "The ifIndex of the VLAN on which the violating packet was received."
         ::= { extremeIpSecurityAnomalyTraps  2 }

     -- Human-readable VLAN name (at most 32 characters) for the VLAN in esAnomalyVlanIfIndex.
     esAnomalyVlanDescr OBJECT-TYPE
         SYNTAX DisplayString (SIZE(0..32))
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "The description (name) of the VLAN on which the violating packet was received."
         ::= { extremeIpSecurityAnomalyTraps  3 }

     -- Source MAC of the anomalous packet as received on the wire (untrusted, packet-derived).
     esAnomalySrcMacAddress OBJECT-TYPE
         SYNTAX MacAddress
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "Source MAC address in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  4 }

     -- Destination MAC of the anomalous packet as received on the wire.
     esAnomalyDestMacAddress OBJECT-TYPE
         SYNTAX MacAddress
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "Destination MAC address in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  5 }

     -- Address family of esAnomalySrcIpAddr; the octets of that InetAddress are interpreted
     -- according to this value (the DESCRIPTION limits it to ipv4 or ipv6).
     esAnomalySrcIpAddrType OBJECT-TYPE
         SYNTAX InetAddressType 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "Source IP address type: ipv4 or ipv6"
         ::= { extremeIpSecurityAnomalyTraps  6 }

     -- Source IP of the anomalous packet; family given by esAnomalySrcIpAddrType. Packet-derived, untrusted.
     esAnomalySrcIpAddr OBJECT-TYPE
         SYNTAX InetAddress 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "Source IP address in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  7 }

     -- Address family of esAnomalyDestIpAddr (ipv4 or ipv6 per the DESCRIPTION).
     esAnomalyDestIpAddrType OBJECT-TYPE
         SYNTAX InetAddressType 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "Destination IP address type: ipv4 or ipv6"
         ::= { extremeIpSecurityAnomalyTraps  8 }

     -- Destination IP of the anomalous packet; family given by esAnomalyDestIpAddrType.
     esAnomalyDestIpAddr OBJECT-TYPE
         SYNTAX InetAddress 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "Destination IP address in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  9 }

     -- IP protocol number of the anomalous packet, restricted to the IpProtocol enumeration
     -- (unknown/icmp/tcp/udp). Included only in the IP and L4port traps.
     esAnomalyIpProto OBJECT-TYPE
         SYNTAX IpProtocol 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "IP protocol in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  10 }

     -- TCP/UDP source port of the anomalous packet (InetPortNumber, 0..65535).
     esAnomalySrcL4Port OBJECT-TYPE
         SYNTAX InetPortNumber 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "TCP/UDP source port number in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  11 }

     -- TCP/UDP destination port of the anomalous packet (InetPortNumber, 0..65535).
     esAnomalyDestL4Port OBJECT-TYPE
         SYNTAX InetPortNumber 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "TCP/UDP destination port number in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  12 }


     -- Raw TCP flag bits of the anomalous packet, encoded per the HexOctet TC (two octets, shown as hex).
     esAnomalyTcpFlag OBJECT-TYPE
         SYNTAX       HexOctet 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "TCP flags in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  13 }

     -- TCP sequence number of the anomalous packet.
     -- NOTE(review): Integer32 is signed, but a TCP sequence number is a 32-bit unsigned value, so
     -- sequence numbers at or above 2^31 will be delivered as negative values. Unsigned32 would be
     -- the natural SMIv2 type, but changing SYNTAX changes the wire encoding and is not compatible
     -- with existing agents and managers; receivers should reinterpret the value as unsigned.
     esAnomalyTcpSeq OBJECT-TYPE
         SYNTAX       Integer32 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "TCP sequence number in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  14 }

     -- Observed TCP header size of the anomalous packet, reported with the TCP fragment trap.
     -- The unit (bytes vs. 32-bit words) is not stated here; confirm against the agent.
     esAnomalyTcpHdrSize OBJECT-TYPE
         SYNTAX       Integer32 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "TCP header size in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  15 }

     -- Which TcpFlagAnomalyReason rule the packet matched; sent with the TCP flags trap.
     esAnomalyTcpFlagReason OBJECT-TYPE
         SYNTAX       TcpFlagAnomalyReason 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "TCP flag anomaly reason code"
         ::= { extremeIpSecurityAnomalyTraps  16 }

     -- Which IcmpAnomalyReason rule the packet matched; sent with the ICMP trap.
     esAnomalyIcmpReason OBJECT-TYPE
         SYNTAX       IcmpAnomalyReason 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "ICMP anomaly reason code"
         ::= { extremeIpSecurityAnomalyTraps  17 }

     -- VLAN tag value (0..4095, per the VlanTag TC) carried by the anomalous packet.
     esAnomalyVlanTag OBJECT-TYPE
         SYNTAX       VlanTag 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "The VLAN tag in the violating packet"
         ::= { extremeIpSecurityAnomalyTraps  18 }


     -- Which TcpFragmentAnomalyReason rule the packet matched; sent with the TCP fragment trap.
     esAnomalyTcpFragmentReason OBJECT-TYPE
         SYNTAX       TcpFragmentAnomalyReason 
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
         "TCP fragment anomaly reason code"
         ::= { extremeIpSecurityAnomalyTraps  19 }

END
