ENTERASYS-POLICY-PROFILE-MIB

The following tables, groups, and variables are supported in this MIB.

Table/Group Supported Variables Comments
etsysPolicyProfile group etsysPolicyProfileMaxEntries The maximum number of entries allowed in the etsysPolicyProfileTable.
etsysPolicyProfileNumEntries The current number of entries in the etsysPolicyProfileTable.
etsysPolicyProfileLastChange The sysUpTime at which the etsysPolicyProfileTable was last modified.
etsysPolicyProfileTableNextAvailableIndex

This object indicates the numerically lowest available index within this entity, which may be used for the value of etsysPolicyProfileIndex in the creation of a new entry in the etsysPolicyProfileTable.

An index is considered available if the index value falls within the range of 1 to 65535 and is not being used to index an existing entry in the etsysPolicyProfileTable contained within this entity.

This value should only be considered a guideline for management creation of etsysPolicyProfileEntries; there is no requirement on management to create entries based upon this index value.

etsysPolicyProfileTable A table containing policy profiles. A policy is a group of classification rules which may be applied on a per user basis, to ports or to stations.
etsysPolicyProfileEntry Conceptually defines a particular entry within the etsysPolicyProfileTable. Entries within this table MUST be considered non-volatile and MUST be maintained across entity resets.
etsysPolicyProfileIndex A unique arbitrary identifier for this Policy. Since a policy will be applied to a user regardless of his or her location in the network fabric, policy names SHOULD be unique within the entire network fabric. Policy IDs and policy names MUST be unique within the scope of a single managed entity.
etsysPolicyProfileName

Administratively assigned textual description of this Policy.

This object MUST NOT be modifiable while this entry's RowStatus is active(1).

etsysPolicyProfileRowStatus

This object allows for the dynamic creation and deletion of entries within the etsysPolicyProfileTable as well as the activation and deactivation of these entries.

When this object's value is active(1) the corresponding row's etsysPolicyProfilePortVid, etsysPolicyProfilePriority, and all entries within the etsysPolicyClassificationTable indexed by this row's etsysPolicyProfileIndex are available to be applied to network access ports or stations on the managed entity.

All ports corresponding to rows within the etsysPortPolicyProfileTable whose etsysPortPolicyProfileOperID is equal to the etsysPolicyProfileIndex, shall have the corresponding policy applied. Likewise, all stations corresponding to rows within the etsysStationPolicyProfileTable whose etsysStationPolicyProfileOperID is equal to the etsysPolicyProfileIndex, shall have the corresponding policy applied.

The value of etsysPortPolicyProfileOperID for each such row in the etsysPortPolicyProfileTable will be equal to the etsysPortPolicyProfileAdminID, unless the authorization information from a source such as a RADIUS server indicates to the contrary.

Refer to the specific objects within this MIB as well as RFC2674, the CTRON-PRIORITY-CLASSIFY-MIB, the CTRON-VLAN-CLASSIFY-MIB, and the CTRON-RATE-POLICING-MIB for a complete explanation of the application and behavior of these objects.

When this object's value is set to notInService(2) this policy will not be applied to any rows within the etsysPortPolicyProfileTable.

To allow policy profiles to be applied for security implementations, setting this object's value from active(1) to notInService(2) or destroy(6) SHALL fail if one or more instances of etsysPortPolicyProfileOperID or etsysStationPolicyProfileOperID currently reference this entry's associated policy due to a set by an underlying security protocol such as RADIUS.

For network functionality and clarity, setting this object to destroy(6) SHALL fail if one or more instances of etsysPortPolicyProfileOperID or etsysStationPolicyProfileOperID currently references this entry's etsysPolicyProfileIndex.

Refer to the RowStatus convention for further details on the behavior of this object.

etsysPolicyProfilePortVidStatus

This object defines whether a PVID override should be applied to ports which have this profile active.

enabled(1) means that any port with this policy active will have this row's etsysPolicyProfilePortVid applied to untagged frames or priority-tagged frames received on this port.

disabled(2) means that etsysPolicyProfilePortVid will not be applied. When this object is set to disabled(2) the value of etsysPolicyProfilePortVid has no meaning.

etsysPolicyProfilePortVid

This object defines the PVID of this profile. If a port has an active policy and the policy's etsysPolicyProfilePortVidStatus is set to enabled(1), the etsysPolicyProfilePortVid will be applied to all untagged frames arriving on the port that do not match any of the policy classification rules.

Note that the 802.1Q PVID will still exist from a management view but will NEVER be applied to traffic arriving on a port that has an active policy and enabled etsysPolicyProfilePortVid defined, since policy is applied to traffic arriving on the port prior to the assignment of a VLAN using the 802.1Q PVID.

The behavior of an enabled etsysPolicyProfilePortVid on any associated port SHALL be identical to the behavior of the dot1qPvid upon that port.

Note that two special, otherwise illegal, values of the etsysPolicyProfilePortVid are used in defining the default forwarding actions, to be used in conjunction with policy classification rules, and do not result in packet tagging:

0 Indicates that the default forwarding action is to drop all packets that do not match an explicit rule.

4095 Indicates that the default forwarding action is to forward any packets not matching any explicit rules.
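The PortVid rules above decide what happens to an untagged frame that matches no classification rule. The following added example (not part of the MIB or of any vendor tool) resolves that default for each profile and lists the profiles that are not default-drop. The `Profile` class, the function names and the sample rows are constructed for illustration, and the fallback to the 802.1Q PVID when the status is disabled(2) is an assumption drawn from the note above.

```python
from dataclasses import dataclass

# Enumerations and special values quoted from the object descriptions above.
ENABLED, DISABLED = 1, 2
DROP_UNMATCHED, FORWARD_UNMATCHED = 0, 4095


@dataclass
class Profile:
    index: int        # etsysPolicyProfileIndex
    name: str         # etsysPolicyProfileName
    pvid_status: int  # etsysPolicyProfilePortVidStatus
    pvid: int         # etsysPolicyProfilePortVid


def default_action(profile, dot1q_pvid):
    """Return (action, vlan, source) for an untagged frame matching no rule."""
    if profile.pvid_status != ENABLED:
        # PortVid "has no meaning" when disabled. Assumption: the port's
        # ordinary 802.1Q PVID then classifies the frame.
        return ("assign-vlan", dot1q_pvid, "dot1qPvid")
    if profile.pvid == DROP_UNMATCHED:
        return ("drop", None, "profile")
    if profile.pvid == FORWARD_UNMATCHED:
        return ("forward", None, "profile")
    if 1 <= profile.pvid <= 4094:
        return ("assign-vlan", profile.pvid, "profile")
    raise ValueError("etsysPolicyProfilePortVid out of range: %r" % profile.pvid)


def review(profiles, dot1q_pvid):
    """List every profile whose default for unmatched traffic is not drop."""
    findings = []
    for p in profiles:
        action, vlan, source = default_action(p, dot1q_pvid)
        if action != "drop":
            findings.append((p.index, p.name, action, vlan, source))
    return findings


# Constructed sample rows, as they might be read from etsysPolicyProfileTable.
SAMPLE_PROFILES = [
    Profile(1, "guest", ENABLED, 0),
    Profile(2, "staff", ENABLED, 4095),
    Profile(3, "voice", ENABLED, 200),
    # PortVid is 0 but the status is disabled(2), so this is NOT default-drop.
    Profile(4, "legacy", DISABLED, 0),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_PROFILES, dot1q_pvid=1):
        print(finding)
```
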

etsysPolicyProfilePriorityStatus

This object defines whether a Class of Service should be applied to ports which have this profile active.

enabled(1) means that any port with this policy active will have etsysPolicyProfilePriority applied to this port.

disabled(2) means that etsysPolicyProfilePriority will not be applied. When this object is set to disabled(2) the value of etsysPolicyProfilePriority has no meaning.

etsysPolicyProfilePriority

This object defines the default ingress Class of Service of this profile.

If a port has an active policy and the policy's etsysPolicyProfilePriorityStatus is set to enabled(1), the etsysPolicyProfilePriority will be applied to all packets arriving on the port that do not match any of the policy classification rules.

Note that dot1dPortDefaultUserPriority will still exist from a management view but will NEVER be applied to traffic arriving on a port that has an active policy and enabled etsysPolicyProfilePriority defined, since policy is applied to traffic arriving on the port prior to the assignment of a priority using dot1dPortDefaultUserPriority.

The behavior of an enabled etsysPolicyProfilePriority on any associated port SHALL be identical to the behavior of the dot1dPortDefaultUserPriority upon that port.

etsysPolicyProfileEgressVlans The set of VLANs which are assigned by this policy to egress on ports for which this policy is active. Changes to a bit in this object affect the per-port per-VLAN Registrar control for Registration Fixed for the relevant GVRP state machine on each port for which this policy is active. A VLAN may not be added in this set if it is already a member of the set of VLANs in etsysPolicyProfileForbiddenVlans. This object is superseded on a per-port per-VLAN basis by any 'set' bits in dot1qVlanStaticEgressPorts and dot1qVlanForbiddenEgressPorts. The default value of this object is a string of zeros.
etsysPolicyProfileForbiddenVlans The set of VLANs which are prohibited by this policy to egress on ports for which this policy is active. Changes to this object that cause a port to be included or excluded affect the per-port per-VLAN Registrar control for Registration Forbidden for the relevant GVRP state machine on each port for which this policy is active. A VLAN may not be added in this set if it is already a member of the set of VLANs in etsysPolicyProfileEgressVlans. This object is superseded on a per-port per-VLAN basis by any 'set' bits in the dot1qVlanStaticEgressPorts and dot1qVlanForbiddenEgressPorts. The default value of this object is a string of zeros.
etsysPolicyProfileUntaggedVlans The set of VLANs which should transmit egress packets as untagged on ports for which this policy is active. This object is superseded on a per-port per-VLAN basis by any 'set' bits in dot1qVlanStaticUntaggedPorts.
etsysPolicyProfileOverwriteTCI If set, the information contained within the TCI field of inbound, tagged packets will not be used by the device after the ingress classification stage of packet relay. The net effect will be that the TCI information may be used to classify the packet, but will be overwritten (and ignored) by subsequent stages of packet relay.
etsysPolicyProfileRulePrecedence Each octet will contain a single value representing the rule type to be matched against, defined by the PolicyClassificationRuleType textual convention. When read, will return the currently operating rule matching precedence, ordered from first consulted (in the first octet) to last consulted (in the last octet). A set of a single octet of 0x00 will result in a reversion to the default precedence ordering. A set of any other values will result in the specified rule types being matched in the order specified, followed by the remaining rules, in default precedence order.
etsysPolicyProfileVlanRFC3580Mappings The set of VLANs which are currently being mapped onto this policy profile by the etsysPolicyRFC3580MapTable. This only refers to the mapping of vlan-tunnel-attributes returned from RADIUS in an RFC3580 context.
etsysPolicyProfileMirrorIndex

A reference to a packet mirror destination (defined elsewhere).

A value of (-1) indicates no mirror is specified, but a mirror is not explicitly prohibited.

A value of (0) indicates that mirroring is explicitly prohibited, unless a higher precedence source (a rule) has specified a mirror.

etsysPolicyProfileAuditSyslogEnable Enables the sending of a syslog message if no rule bound to this profile has prohibited it.
etsysPolicyProfileAuditTrapEnable Enables the sending of an SNMP NOTIFICATION if no rule bound to this profile has prohibited it.
etsysPolicyProfileDisablePort Will set the ifOperStatus of the port, on which the frame which used this profile was received, to disable, if no rule bound to this profile has prohibited it.
etsysPolicyProfileUsageList When read, a set bit indicates that this profile was used to send a syslog or trap message for corresponding port. When set, the native PortList will be bit-wise AND'ed with the set PortList, allowing the agent to clear the usage indication.
etsysPolicyProfileFstIndex

A reference to a Flow Setup Throttling (FST) class as defined by the etsysFlowLimitingClassType object.

A value of (0) indicates no FST class is specified.

etsysPolicyProfileHttpRedirectIndex

A reference to an HTTP Redirect server group as specified by the etsysPolicyHttpRedirectGroupIndex object.

A value of (0) indicates no HTTP Redirect group is specified for this profile.

etsysPolicyProfilePortAuthOverride If a port has an active policy and that policy's etsysPolicyProfilePortAuthOverride is set to enabled(1), all frames arriving on the port will have that policy applied. In addition, any pre-existing entries with matching port values in the etsysMultiAuthSessionStationTable tables will change their authorization status to authTerminated(5). No further authentication will occur on this port. If disabled(2), the actions described above will not occur.
etsysPolicyClassification group etsysPolicyClassificationMaxEntries The maximum number of entries allowed in the etsysPolicyClassificationTable.
etsysPolicyClassificationNumEntries The current number of entries in the etsysPolicyClassificationTable.
etsysPolicyClassificationLastChange The sysUpTime at which the etsysPolicyClassificationTable was last modified.
etsysPolicyClassificationTable

A table containing reference OIDs to entries within the classification tables. These classification tables include but may not be limited to:

ctPriClassifyTable

ctVlanClassifyTable

ctRatePolicyingConfigTable

This table is used to map a list of classification rules to an instance of the etsysPolicyProfileTable.

etsysPolicyClassificationEntry Describes a particular entry within the etsysPolicyClassificationTable. Entries within this table MUST be considered non-volatile and MUST be maintained across entity resets.
etsysPolicyClassificationIndex Administratively assigned unique value, greater than zero. Each etsysPolicyClassificationIndex instance MUST be unique within the scope of its associated etsysPolicyProfileIndex.
etsysPolicyClassificationOID

This object follows the RowPointer textual convention and is an OID reference to a classification rule.

This object MUST NOT be modifiable while this entry's etsysPolicyClassificationStatus object has a value of active(1).

etsysPolicyClassificationRowStatus

The status of this row.

When set to active(1) this entry's classification rule, as referenced by etsysPolicyClassificationOID, becomes one of its associated policy's set of rules.

When this entry's associated policy, as defined by etsysPolicyProfileIndex, is active and assigned to a port through the etsysPortPolicyProfileTable or to a station through the etsysStationPolicyProfileTable, this classification rule will be applied to the port or station. The exact behavior of this application depends upon the classification rule.

When this object is set to notInService(2) or notReady(3) this entry is not considered one of its associated policy's set of rules and this classification rule will not be applied.

An entry MAY NOT be set to active(1) unless this row's etsysPolicyClassificationOID is set to a valid classification rule.

etsysPolicyClassificationIngressList The ports on which an active policy profile has defined this classification rule applies.
etsysPortPolicyProfile group etsysPortPolicyProfileLastChange sysUpTime at which the etsysPortPolicyProfileTable was last modified.
  etsysPortPolicyProfileEntry Describes a particular entry within the etsysPortPolicyProfileTable. Entries within this table MUST be considered non-volatile and MUST be maintained across entity resets.
  etsysPortPolicyProfileIndexType This object defines the specific type of port this entry represents.
  etsysPortPolicyProfileIndex An index value which represents a unique port of the type defined by this entry's etsysPortPolicyProfileIndexType.
  etsysPortPolicyProfileAdminID

This object represents the desired Policy Profile for this dot1dBasePort or this ifIndex.

Setting this object to any value besides zero (0) should, if possible, immediately place this entry's dot1dBasePort or ifIndex into the given Policy Profile.

This object and etsysPortPolicyProfileOperID may not be the same if this object is set to a Policy (i.e. an instance of the etsysPolicyProfileTable) which is not in an active state or if the etsysPortPolicyProfileOperID has been set by an underlying security protocol such as RADIUS.

  etsysPortPolicyProfileOperID

This object is the current policy which is being applied to this entry's dot1dBasePort. A value of zero(0) indicates there is no policy being applied to this dot1dBasePort or this ifIndex.

If the value of this object has been set by an underlying security protocol such as RADIUS, sets to this entry's etsysPortPolicyProfileAdminID MUST NOT change the value of this object until such time as the security protocol releases this object by setting it to a value of zero (0).
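The interaction between etsysPortPolicyProfileAdminID, etsysPortPolicyProfileOperID and etsysPolicyProfileRowStatus can be checked against a small model. The following added example (not part of the MIB and not an SNMP client) implements only the port-side rules stated above. The class and method names are constructed, and treating an AdminID that names a non-active profile as OperID 0 is an assumption.

```python
ACTIVE, NOT_IN_SERVICE, DESTROY = 1, 2, 6  # RowStatus values quoted on the page


class PolicyAgentModel:
    """Toy model of one managed entity's port/profile bindings."""

    def __init__(self):
        self.row_status = {}  # etsysPolicyProfileIndex -> RowStatus
        self.admin_id = {}    # port -> etsysPortPolicyProfileAdminID
        self.held_by = {}     # port -> profile set by the security protocol

    def oper_id(self, port):
        """Value of etsysPortPolicyProfileOperID for a port."""
        held = self.held_by.get(port, 0)
        if held:
            return held  # a RADIUS-style assignment wins until released
        admin = self.admin_id.get(port, 0)
        # Assumption: an AdminID naming a non-active profile yields OperID 0.
        return admin if self.row_status.get(admin) == ACTIVE else 0

    def set_admin_id(self, port, profile):
        """Management set of AdminID; returns the resulting OperID."""
        self.admin_id[port] = profile
        return self.oper_id(port)

    def security_set(self, port, profile):
        """Assignment by the security protocol; profile 0 releases the port."""
        if profile:
            self.held_by[port] = profile
        else:
            self.held_by.pop(port, None)
        return self.oper_id(port)

    def set_row_status(self, profile, new_status):
        """Return True if the set succeeds, False where the page says it SHALL fail."""
        current = self.row_status.get(profile)
        if current == ACTIVE and new_status in (NOT_IN_SERVICE, DESTROY):
            # Referenced through a set by the security protocol: refuse.
            if profile in self.held_by.values():
                return False
        if new_status == DESTROY:
            ports = set(self.admin_id) | set(self.held_by)
            # Any OperID still pointing at this profile blocks destroy(6).
            if any(self.oper_id(p) == profile for p in ports):
                return False
            self.row_status.pop(profile, None)
            return True
        self.row_status[profile] = new_status
        return True


if __name__ == "__main__":
    m = PolicyAgentModel()
    m.row_status = {1: ACTIVE, 2: ACTIVE}      # constructed profiles
    print(m.set_admin_id(5, 1))                # admin assignment applies
    print(m.security_set(5, 2))                # security protocol overrides it
    print(m.set_admin_id(5, 1))                # OperID does not move
    print(m.set_row_status(2, NOT_IN_SERVICE)) # refused while held
    print(m.security_set(5, 0))                # release: AdminID applies again
```
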

  etsysPortPolicyProfileSummaryTable This table provides aggregate port information on a per policy, per port type basis.
  etsysPortPolicyProfileSummaryEntry Conceptually defines a particular entry within the etsysPortPolicyProfileSummaryTable.
  EtsysPortPolicyProfileSummaryEntry This object defines the specific type of port this entry represents.
  etsysPortPolicyProfileSummaryAdminID An aggregate list of all Ports currently supporting rules which assign this profileIndex through administrative means. Rules of this type have a valid etsysPolicyRuleResult2 action and a profileIndex of 0.
  etsysPortPolicyProfileSummaryOperID An aggregate list of all Ports currently supporting rules which assign this profileIndex through either an administrative or dynamic means. The profileId which will be assigned operationally, as frames are handled, is to be reported here.
  etsysPortPolicyProfileSummaryDynamicID An aggregate list of all Ports currently supporting rules which assign this profileIndex through a dynamic means. For example the profileIndex returned via a successful 802.1X supplicant authentication.
etsysStationPolicyProfile group etsysStationPolicyProfileMaxEntries The maximum number of entries allowed in the etsysStationPolicyProfileTable. If this number is exceeded, based on stations connecting to the edge device, the oldest entries will be deleted.
etsysStationPolicyProfileNumEntries The current number of entries in the etsysStationPolicyProfileTable.
etsysStationPolicyProfileLastChange sysUpTime at which the etsysStationPolicyProfileTable was last modified.
etsysStationPolicyProfileTable This table allows for a one to one mapping between a station's identifying address and a Policy Profile.
etsysStationPolicyProfileEntry Describes a particular entry within the etsysStationPolicyProfileTable. Entries within this table MUST be considered non-volatile and MUST be maintained across entity resets.
etsysStationPolicyProfileIndex An index value which represents a unique station entry.
etsysStationIdentifierType Indicates the type of station identifying address contained in etsysStationIdentifier.
etsysStationIdentifier A value which represents a unique MAC Address, IP Address, or other identifying address for a station, or other logical and authenticatable sub-entity within a station, connected to a port.
etsysStationPolicyProfileOperID

This object is the current policy which is being applied to this entry's MAC Address. A value of zero(0) indicates there is no policy being applied to this MAC Address.

The value of this object reflects either the setting from an underlying AAA service such as RADIUS, or the default setting based on the etsysPortPolicyProfileAdminID for the port on which the station is connected.

This object and the corresponding etsysPortPolicyProfileAdminID will not be the same if this object has been set by an underlying security protocol such as RADIUS.

etsysStationPolicyProfilePortType A textual convention that defines the specific type of port designator the corresponding entry represents.
etsysStationPolicyProfilePortID A value which represents the physical port, of the type defined by this entry's etsysStationPolicyProfilePortType, on which the associated station entity is connected. This object is for convenience in cross referencing stations to ports.
etsysInvalidPolicyPolicy group etsysInvalidPolicyAction

Specifies the action that the edge device should take if asked to apply an invalid or unknown policy.

applyDefaultPolicy(1) - Ignore the result and search for the next policy assignment rule.

dropPackets(2) - Block traffic.

forwardPackets(3) - Forward traffic, as if no policy had been assigned (via 802.1D/Q rules).

Although dropPackets(2) is the most secure option, it may not always be desirable.

etsysInvalidPolicyCount Increments to indicate the number of times the device has detected an invalid/unknown policy.
etsysDevicePolicyProfile group etsysDevicePolicyProfileDefault If this value is non-zero, the value indicates the etsysPolicyProfileEntry (and its associated etsysPolicyClassificationTable entries) which should be used by the device if the device is incapable of using the profile (or specific parts of the profile) explicitly applied to an inbound frame. A value of zero indicates that no default profile is currently active.
etsysPolicyCapability group etsysPolicyCapabilities A list of capabilities related to policies. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicyDynaPIDRuleCapabilities A list of rule types which are supported by this device for the purpose of dynamically assigning a profile to the network traffic described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicyAdminPIDRuleCapabilities A list of rule types which are supported by this device for the purpose of administratively assigning a profile to the network traffic described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicyVlanRuleCapabilities A list of rule types which are supported by this device for the purpose of assigning a VlanId to the network traffic described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicyCosRuleCapabilities A list of rule types which are supported by this device for the purpose of assigning a CoS to the network traffic described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicyDropRuleCapabilities

A list of rule types which are supported by this device for the purpose of discarding the network traffic described by the bit.

A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.

etsysPolicyForwardRuleCapabilities A list of rule types which are supported by this device for the purpose of forwarding the network traffic described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicySyslogRuleCapabilities

A list of rule types which are supported by this device for the purpose of issuing syslog messages when the rule is used to identify the network traffic described by the bit.

A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.

etsysPolicyTrapRuleCapabilities A list of rule types which are supported by this device for the purpose of issuing SNMP notify (trap) messages when the rule is used to identify the network traffic described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicyDisablePortRuleCapabilities A list of rule types which are supported by this device for the purpose of disabling the ingress port identified when the rule matches the network traffic described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicySupportedPortList The list of ports which support policy profile assignment (i.e. the ports which _do_ policy). This object may be useful to management entities which desire to scope action to only those ports which support policy. A port which appears in this list must support, at minimum, the assignment of a policy profile to all traffic ingressing the port.
etsysPolicyEnabledTable This table allows for the configuration of policy profile assignment methods, per port, including the ability to disable policy profile assignment, per port. In addition, a port's capabilities with respect to policy profile assignment are reported.
etsysPolicyEnabledTableEntry Describes a particular entry within the etsysPolicyEnabledTable.
etsysPolicyEnabledSupportedRuleTypes The list of rule types which the device supports for the purpose of assigning policy profiles to network traffic ingressing this dot1dBasePort.
etsysPolicyEnabledEnabledRuleTypes The list of rule types from which the device will assign policy profiles to network traffic ingressing this dot1dBasePort. Rules which have a type not enumerated here must not be used to assign policy profiles, but must still be used to interrogate the rule-set bound to the determined policy profile. A set of all cleared bits will effectively disable policy in the port.
etsysPolicyEnabledEgressEnabled Controls the enabling and disabling of the application of policy as packets egress the switching process on the dot1dBasePort specified in the indexing.
etsysPolicyRuleAttributeTable This table details each supported rule type attribute for rule data length in bytes, rule data length in bits, and the maximum number of rules that may use that type.
etsysPolicyRuleAttributeTableEntry Describes a particular entry within the etsysPolicyRuleAttributeTable.
etsysPolicyRuleAttributeByteLength This rule type's maximum length, in bytes of the etsysPolicyRuleData. Devices supporting this object MUST allow sets for this rule data of any valid length up to and including the length value represented by this object. Management entities must also expect to read back the maximum data length for each type regardless of the length the data was set with.
etsysPolicyRuleAttributeBitLength This rule type's maximum bit length for traffic data. This value also represents the maximum mask that may be used for rule data. The mask MUST NOT exceed the rule data size. Masks that exceed the data size shall be considered invalid and result in an SNMP set failure.
etsysPolicyRuleAttributeMaxCreatable If this value is non-zero, the value indicates the maximum number of rules of this type the agent can support.
etsysPolicyRuleTciOverwriteCapabilities A list of rule types which are supported by this device for the purpose of overwriting the TCI in received packets described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicyRuleMirrorCapabilities A list of rule types which are supported by this device for the purpose of mirroring the network traffic described by the bit. A set bit, with the value 1, indicates support for the described functionality. A clear bit, with the value 0, indicates the described functionality is not supported.
etsysPolicyRuleQuarantineCapabilities A list of rule types which are supported by this device for the purpose of quarantining the user to a specified profile id when the rule is used to identify the network traffic described by the bit. A set bit, with the value of 1, indicates support for the described functionality. A clear bit, with the value of 0, indicates the described functionality is not supported.
etsysPolicyMap group etsysPolicyMapMaxEntries This has been obsoleted.
etsysPolicyMapNumEntries This has been obsoleted.
etsysPolicyMapLastChange This has been obsoleted.
etsysPolicyMapPvidOverRide This has been obsoleted.
etsysPolicyMapUnknownPvidPolicy This has been obsoleted.
etsysPolicyMapTable This has been obsoleted.
etsysPolicyMapEntry This has been obsoleted.
etsysPolicyMapIndex This has been obsoleted.
etsysPolicyMapRowStatus This has been obsoleted.
etsysPolicyMapStartVid This has been obsoleted.
etsysPolicyMapEndVid This has been obsoleted.
etsysPolicyMapPolicyIndex This has been obsoleted.
etsysPolicyRules group etsysPolicyRulesMaxEntries The maximum number of entries allowed in the etsysPolicyRulesTable.
etsysPolicyRulesNumEntries The current number of entries in the etsysPolicyRulesTable.
etsysPolicyRulesLastChange The sysUpTime at which the etsysPolicyRulesTable was last modified.
etsysPolicyRulesAccountingEnable Controls the collection of rule usage statistics. If disabled, no usage statistics are gathered and no auditing messages will be sent. When enabled, rules will gather usage statistics, and auditing messages will be sent, if enabled for a given rule.
etsysPolicyRulesPortDisabledList

A portlist containing bits representing the dot1dBridgePorts which have been disabled via the mechanism described in the etsysPolicyRuleDisablePort leaf. A set bit indicates a disabled port.

Ports may be enabled by performing a set with the corresponding bit cleared. Bits which are set will be ignored during the set operation.

etsysPolicyRuleTable

A table containing rules bound to individual policies. A Rule is comprised of three components, a unique description of the network traffic, an associated list of actions, and an associated list of accounting and auditing controls and information.

The unique description of the network traffic, defined by a PolicyClassificationRuleType together with a length, matching data and a relevant bits field, port type, and port number (port number zero is reserved to mean any port), and scoped by an etsysPolicyProfileIndex, is used as the table index.

etsysPolicyRuleEntry Describes a particular entry within the etsysPolicyRuleTable. Entries within this table MUST be considered non-volatile and MUST be maintained across entity resets.
etsysPolicyRuleProfileIndex

The etsysPolicyProfileIndex for which the rule is defined.

A value of zero(0) has special meaning in that it scopes rules which are used to determine the Policy Profile to which the frame belongs. See the etsysPolicyRuleResult1 and etsysPolicyRuleResult2 descriptions for specifics of how the results of a rule hit differ when the etsysPolicyRuleProfileIndex is zero.

etsysPolicyRuleType The type of network traffic referenced by the etsysPolicyRuleData.
etsysPolicyRuleData The data pattern to match against, as defined by the etsysPolicyRuleType, encoded in network-byte order.
etsysPolicyRulePrefixBits The relevant number of bits defined by the etsysPolicyRuleData, to be used when matching against a frame, relevant bits are specified in longest-prefix-first style (left to right). A value of zero carries the special meaning of all bits are relevant.
etsysPolicyRulePortType The port number on which the rule will be applied. Zero(0) is a special case, indicating that the rule should be applied to all ports.
etsysPolicyRulePort The port number on which the rule will be applied. Zero(0) is a special case, indicating that the rule should be applied to all ports.
etsysPolicyRuleRowStatus

The status of this row.

When set to active(1) this entry's classification rule, as referenced by etsysPolicyRulesOID, becomes one of its associated policy's set of rules.

When this entry's associated policy, as defined by etsysPolicyRuleProfileIndex, is active and assigned to a port through the etsysPortPolicyProfileTable or to a station through the etsysStationPolicyProfileTable, this classification rule will be applied to the port or station. The exact behavior of this application depends upon the classification rule.

When this object is set to notInService(2) or notReady(3) this entry is not considered one of its associated policy's set of rules and this classification rule will not be applied.

etsysPolicyRuleStorageType

The storage type of this row.

When set to volatile(1) this entry's classification rule, as referenced by etsysPolicyRulesOID, will be removed (if present) from non-volatile storage. Rows created dynamically by the device will typically report this as their default storage type.

When set to nonVolatile(1) this entry's classification rule, as referenced by etsysPolicyRulesOID, will be added to non-volatile storage. This is the default value for rows created as the result of external management.

Values of other(0), permanent(4), and readOnly(5) may not be set, although they may be returned for rows created by the device.

etsysPolicyRuleUsageList When read, a set bit indicates that this rule was used to classify traffic on the corresponding port. When set, the native PortList will be bit-wise AND'ed with the set PortList, allowing the agent to clear the usage indication.
etsysPolicyRuleResult1

If the etsysPolicyRuleProfileIndex is 0 then this field is read-only and defines the profile ID which will be assigned to frames matching this rule. This is the dynamically assigned value and may differ from the administratively configured value.

If the etsysPolicyRuleProfileIndex is not 0 then this field is read-create and defines the VLAN ID with which to mark a frame matching this PolicyRule.

Note that three special, otherwise illegal, values of the etsysPolicyRuleVlan are used in defining the forwarding action.

-1 Indicates that no VLAN or forwarding behavior modification is desired. A rule will not be matched against for the purpose of determining a marking VID if this value is set.

0 Indicates that the default forwarding action is to drop the packets matching this rule.

4095 Indicates that the default forwarding action is to forward any packets matching this rule.

etsysPolicyRuleResult2

If the etsysPolicyRuleProfileIndex is 0 then this field is read-create and defines the profile ID which the managing entity desires assigned to frames matching this rule. This is the administrative value and may differ from the dynamically assigned active value.

If the etsysPolicyRuleProfileIndex is not 0 then this field is the CoS with which to mark a frame matching this PolicyRule.

Note that one special, otherwise illegal, value of the etsysPolicyRuleCoS is used in defining the forwarding action.

-1 Indicates that no CoS or forwarding behavior modification is desired. A rule will not be matched against for the purpose of determining a CoS if this value is set.

etsysPolicyRuleAuditSyslogEnable Controls the sending of a syslog message when a bit in the etsysPolicyRuleUsageList transitions from 0 to 1.
etsysPolicyRuleAuditTrapEnable Controls the sending of an SNMP NOTIFICATION when a bit in the etsysPolicyRuleUsageList transitions from 0 to 1.
etsysPolicyRuleDisablePort Controls the disabling of a port (ifOperStatus of the corresponding ifIndex will be down) when a bit in the etsysPolicyRuleUsageList transitions from 0 to 1. When set to enabled, the corresponding ifIndex will be disabled upon the transition.
etsysPolicyRuleOperPid

If the etsysPolicyRuleProfileIndex is 0 then this field contains the currently applied profile ID for frames matching this rule. This may be either the administratively applied value or the dynamically applied value.

If the etsysPolicyRuleProfileIndex is not 0, then this object will return -1.

Note that one special value exists:

-1 Indicates that no profile ID is being applied by this rule.

etsysPolicyRuleOverwriteTCI If set, the information contained within the TCI field of inbound, tagged packets will not be used by the device after the ingress classification stage of packet relay. The net effect will be that the TCI information may be used to classify the packet, but will be overwritten (and ignored) by subsequent stages of packet relay.
etsysPolicyRuleMirrorIndex

A reference to a packet mirror destination (defined elsewhere).

A value of (-1) indicates no mirror is specified, but a mirror is not explicitly prohibited.

A value of (0) indicates that mirroring is explicitly prohibited, unless a higher precedence rule has specified a mirror.

etsysPolicyRuleQuarantineProfileIndex

If the etsysPolicyRuleProfileIndex is not 0 this field defines the profile ID which will be used as the quarantine provisioning agents mux response for the MAC address and port whose frames matched this rule.

A value of (-1) indicates no quarantine profile is specified, but quarantine is not explicitly prohibited.

A value of (0) indicates that quarantine is explicitly prohibited.

If the etsysPolicyRuleProfileIndex is 0 this field is read only and will always return -1 when read.

etsysPolicyRuleHttpRedirectIndex

A reference to a HTTP Redirect server group as specified by the etsysPolicyHttpRedirectGroupIndex object.

A value of (-1) indicates no HTTP Redirect is specified, but HTTP redirection is not explicitly prohibited.

A value of (0) indicates that HTTP Redirect is explicitly prohibited, unless a higher precedence rule has specified a HTTP Redirect.

Packets are only subject to HTTP redirection if they are IP frames with TCP port numbers matching an entry in etsysPolicyHttpRedirectSocketTable.
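As an added example (not part of the MIB or of any vendor code), the following Python interprets values polled from the etsysPolicyRuleTable using the special values described above, and builds the PortList to write back when clearing usage bits. The dictionary keys, rule names and sample rows are constructed, and the PortList bit order (most significant bit of the first octet is port 1) is assumed to follow the standard Q-BRIDGE-MIB PortList convention.

```python
from __future__ import annotations

VLAN_SPECIAL = {-1: "no VLAN change", 0: "drop", 4095: "forward"}

def decode_portlist(octets: bytes) -> list[int]:
    """PortList octet string -> port numbers (assumed: bit 0x80 of octet 0 is port 1)."""
    return [i * 8 + b + 1
            for i, octet in enumerate(octets)
            for b in range(8)
            if octet & (0x80 >> b)]

def clear_mask(length: int, ports_to_clear: list[int]) -> bytes:
    """Value to SET on etsysPolicyRuleUsageList. The native list is ANDed with
    it, so a 0 bit clears that port's usage bit and a 1 bit leaves it alone."""
    mask = bytearray(b"\xff" * length)
    for port in ports_to_clear:
        idx, bit = divmod(port - 1, 8)
        if not 0 <= idx < length:
            raise ValueError(f"port {port} outside a {length}-octet PortList")
        mask[idx] &= ~(0x80 >> bit) & 0xFF
    return bytes(mask)

def tri_state(value: int) -> str:
    """Mirror / quarantine / HTTP redirect index: -1 unspecified, 0 prohibited."""
    if value == -1:
        return "unspecified"
    if value == 0:
        return "prohibited"
    return f"index {value}"

def interpret_rule(row: dict) -> dict:
    """Apply the etsysPolicyRuleProfileIndex == 0 split to Result1/Result2."""
    if row["profile_index"] == 0:
        # Profile-assignment rule: Result1 is dynamic, Result2 administrative.
        pid = row["oper_pid"]
        return {"kind": "profile-assignment",
                "dynamic_pid": row["result1"],
                "admin_pid": row["result2"],
                "applied_pid": None if pid == -1 else pid}
    # Classification rule: Result1 is the VLAN action, Result2 the CoS.
    r1, r2 = row["result1"], row["result2"]
    return {"kind": "classification",
            "vlan": VLAN_SPECIAL.get(r1, f"mark VLAN {r1}"),
            "cos": "no CoS change" if r2 == -1 else f"mark CoS {r2}",
            "mirror": tri_state(row["mirror"]),
            "quarantine": tri_state(row["quarantine"]),
            "http_redirect": tri_state(row["http_redirect"])}

def drop_hits(rows: list[dict]) -> dict[int, list[str]]:
    """Ports on which a drop rule (non-zero profile, Result1 == 0) was used."""
    hits: dict[int, list[str]] = {}
    for row in rows:
        if row["profile_index"] != 0 and row["result1"] == 0:
            for port in decode_portlist(row["usage_list"]):
                hits.setdefault(port, []).append(row["name"])
    return hits

# Constructed sample rows (not real device output).
SAMPLE_ROWS = [
    {"name": "deny-telnet", "profile_index": 3, "result1": 0, "result2": -1,
     "oper_pid": -1, "mirror": -1, "quarantine": 0, "http_redirect": -1,
     "usage_list": b"\xa0\x01"},
    {"name": "assign-guest", "profile_index": 0, "result1": 4, "result2": 2,
     "oper_pid": 4, "mirror": -1, "quarantine": -1, "http_redirect": -1,
     "usage_list": b"\x00\x00"},
]

if __name__ == "__main__":
    for sample in SAMPLE_ROWS:
        print(sample["name"], interpret_rule(sample))
    print("drop-rule hits by port:", drop_hits(SAMPLE_ROWS))
    print("mask clearing port 3:", clear_mask(2, [3]).hex())
```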

etsysPolicyRulePortTable etsysPolicyRulePortTable The purpose of this table is to provide an agent the ability to easily determine which rules have been used on a given bridge port. A row will only be present when the rule which the instancing describes has been used. The agent may remove a row (and clear the used status) by setting the etsysPolicyRulePortHit leaf to False. PolicyClassificationRuleType together with a length, matching data and a relevant bits field, port type, and port number (port number zero is reserved to mean any port), scoped by an etsysPolicyRuleProfileIndex, and preceded by a dot1dBasePort is used as the table index.
etsysPolicyRulePortEntry  
etsysPolicyRulePortHit Every row will report a value of True, indicating that the Rule described by the instancing was used on the given port. An agent may set this leaf to False to remove the row and clear the Rule Use bit for the specified Rule on the given bridgePort.
etsysPolicyRuleDynamicProfileAssignmentOverride If true, administratively assigned profile assignment rules override dynamically assigned profile assignments for a given rule. If false, the dynamically assigned value (typically created by a successful authentication attempt) overrides the administratively configured value. The agent may optionally implement this leaf as read-only.
etsysPolicyRuleDefaultDynamicSyslogStatus If enabled(1), rules dynamically created will set etsysPolicyRuleAuditSyslogEnable to enabled. If disabled(2) a dynamically created rule will have etsysPolicyRuleAuditSyslogEnable set to disabled. The agent may optionally implement this leaf as read-only.
etsysPolicyRuleDefaultDynamicTrapStatus If enabled(1), rules dynamically created will set etsysPolicyRuleAuditTrapEnable to enabled. If disabled(2) a dynamically created rule will have etsysPolicyRuleAuditTrapEnable set to disabled. The agent may optionally implement this leaf as read-only.
etsysPolicyRuleStatsAutoClearOnLink If set to enabled(1), when operstatus up is detected on any port the agent will clear the rule usage information associated with that port. This ability is further scoped to the list of ports defined by etsysPolicyRuleStatsAutoClearPorts. This leaf is optional and will have no effect on an agent which has rule use accounting disabled or does not support rule use accounting. By default, the rule use accounting information will not be modified by operstatus transitions.
etsysPolicyRuleStatsAutoClearInterval The interval at which the device will automatically clear rule usage statistics, in minutes. This ability is disabled (usage statistics will not be automatically cleared) if set to zero(0). This ability is further scoped to the list of ports defined by etsysPolicyRuleStatsAutoClearPorts. This leaf is optional and will have no effect on an agent which has rule use accounting disabled or does not support rule use accounting.
etsysPolicyRuleStatsAutoClearPorts The list of ports on which rule usage statistics will be cleared by one of the AutoClear actions (etsysPolicyRuleStatsAutoClearInterval, etsysPolicyRuleStatsAutoClearOnProfile, or etsysPolicyRuleStatsAutoClearOnLink). By default, no ports will be set in this list. This leaf is optional, unless the agent claims support for one of the other 'autoclear' objects, and will have no effect on an agent which has rule use accounting disabled or does not support rule use accounting.
etsysPolicyRuleStatsAutoClearOnProfile If set to enabled(1), when a rule assigning a PolicyProfile (whose etsysPolicyRuleProfileIndex is zero(0)) is activated, all the rule usage bits associated with the rules bound to the PolicyProfile specified by the etsysPolicyRuleOperPid and the port specified by the etsysPolicyRulePort are cleared (if there is no port specified or no valid etsysPolicyRuleProfileIndex specified, then no action follows). This ability is further scoped to the list of ports defined by etsysPolicyRuleStatsAutoClearPorts. This leaf is optional and will have no effect on an agent which has rule use accounting disabled or does not support rule use accounting. By default, the rule use accounting information will not be modified by the creation or activation of PolicyProfile assignment rules. DEFVAL { disabled }
etsysPolicyRuleStatsDroppedNotifications A count of the number of times the agent has dropped notification (syslog or trap) of an etsysPolicyRuleUsageList bit transition. A management entity might use this leaf as an indication to read the etsysPolicyRuleUsageList objects for important rules. This count should be kept to the best of the device's ability, and explicitly does not cover notifications discarded by the network.
etsysPolicyRuleSylogMachineReadableFormat If enabled, the device should format rule usage messages so that they might be processed by a machine (scripting backend, etc). If disabled, the messages should be formatted for human consumption.
etsysPolicyRuleSylogExtendedFormat If enabled, the device should provide additional information in rule-hit syslog messages. This information MAY include what actions may have been initiated by the rule (if any) or data mined from the packet which matched the rule.
etsysPolicyRuleSylogEveryTime If enabled, the device will syslog on every rule hit (or profile hit) which specifies SYSLOG as the action, instead of only when the associated bit in the etsysPolicyProfileUsageList or the etsysPolicyRuleUsageList is clear. It should be noted that this may cause MANY messages to be generated.
etsysPolicyNonVolatileRuleTable etsysPolicyNonVolatileRulesLastChange The sysUpTime at which the etsysPolicyNonVolatileRuleTable was last modified.
etsysPolicyNonVolatileRuleTable

A table containing rules bound to individual policies. The rules here contained are representations of the non-volatile rules contained in the etsysPolicyRuleTable defined in this MIB.

A Rule comprises three components, a unique description of the network traffic, an associated list of actions, and an associated list of accounting and auditing controls and information.

The unique description of the network traffic, defined by a PolicyClassificationRuleType together with a length, matching data and a relevant bits field, port type, and port number (port number zero is reserved to mean any port), and scoped by an etsysPolicyProfileIndex, is used as the table index.

etsysPolicyNonVolatileRuleEntry Describes a particular entry within the etsysPolicyNonVolatileRuleTable. Entries within this table are representations of the non-volatile entries found in the etsysPolicyRuleTable.
etsysPolicyNonVolatileRuleRowStatus

The status of this row.

When active(1) this entry's classification rule is one of its associated policy's set of rules.

When this entry's associated policy, as defined by etsysPolicyRuleProfileIndex, is active and assigned to a port through the etsysPortPolicyProfileTable or to a station through the etsysStationPolicyProfileTable, this classification rule will be applied to the port or station. The exact behavior of this application depends upon the classification rule.

When this object is notInService(2) or notReady(3) this entry is not considered one of its associated policy's set of rules and this classification rule will not be applied.

etsysPolicyNonVolatileRuleStorageType

The storage type of this row.

For all entries in the table this is set to nonVolatile(1), and as such, this entry's classification rule will be added to non-volatile storage.

etsysPolicyNonVolatileRuleUsageList When read, a set bit indicates that this rule was used to classify traffic on the corresponding port.
etsysPolicyNonVolatileRuleResult1

If the etsysPolicyRuleProfileIndex is 0 this field defines the profile ID which will be assigned to frames matching this rule. This is the dynamically assigned value and may differ from the administratively configured value.

If the etsysPolicyRuleProfileIndex is not 0 then this field defines the VLAN ID with which to mark a frame matching this PolicyNonVolatileRule.

Note that three special, otherwise illegal, values of the etsysPolicyNonVolatileRuleVlan are used in defining the forwarding action.

-1 Indicates that no VLAN or forwarding behavior modification is desired. A rule will not be matched against for the purpose of determining a marking VID if this value is set.

0 Indicates that the default forwarding action is to drop the packets matching this rule.

4095 Indicates that the default forwarding action is to forward any packets matching this rule.

etsysPolicyNonVolatileRuleResult2

If the etsysPolicyRuleProfileIndex is 0 this field defines the profile ID which the managing entity desires assigned to frames matching this rule. This is the administrative value and may differ from the dynamically assigned active value.

If the etsysPolicyRuleProfileIndex is not 0 then this field is the CoS with which to mark a frame matching this PolicyNonVolatileRule.

Note that one special, otherwise illegal, value of the etsysPolicyNonVolatileRuleCoS is used in defining the forwarding action.

-1 Indicates that no CoS or forwarding behavior modification is desired. A rule will not be matched against for the purpose of determining a CoS if this value is set.

etsysPolicyNonVolatileRuleAuditSyslogEnable If enabled, a syslog message is sent when a bit in the etsysPolicyNonVolatileRuleUsageList transitions from 0 to 1.
etsysPolicyNonVolatileRuleAuditTrapEnable If enabled, an SNMP NOTIFICATION is sent when a bit in the etsysPolicyNonVolatileRuleUsageList transitions from 0 to 1.
etsysPolicyNonVolatileRuleDisablePort If enabled, a port is disabled (ifOperStatus of the corresponding ifIndex will be down) when a bit in the etsysPolicyNonVolatileRuleUsageList transitions from 0 to 1.
etsysPolicyNonVolatileRuleOperPid

If the etsysPolicyRuleProfileIndex is 0 then this field contains the currently applied profile ID for frames matching this rule. This may be either the administratively applied value or the dynamically applied value.

If the etsysPolicyRuleProfileIndex is not 0, then this object will return -1.

Note that one special value exists:

-1 Indicates that no profile ID is being applied by this rule.

etsysPolicyNonVolatileRuleOverwriteTCI If set, the information contained within the TCI field of inbound, tagged packets will not be used by the device after the ingress classification stage of packet relay. The net effect will be that the TCI information may be used to classify the packet, but will be overwritten (and ignored) by subsequent stages of packet relay.
etsysPolicyNonVolatileRuleMirrorIndex

A reference to a packet mirror destination (defined elsewhere).

A value of (-1) indicates no mirror is specified, but a mirror is not explicitly prohibited.

A value of (0) indicates that mirroring is explicitly prohibited, unless a higher precedence rule has specified a mirror.

etsysPolicyNonVolatileRuleQuarantineProfileIndex

If the etsysPolicyRuleProfileIndex is not 0 this field defines the profile ID which will be used as the quarantine provisioning agents mux response for the MAC address and port whose frames matched this rule.

A value of (-1) indicates no quarantine profile is specified, but quarantine is not explicitly prohibited.

A value of (0) indicates that quarantine is explicitly prohibited. If the etsysPolicyRuleProfileIndex is 0 this field will always return -1 when read.

etsysPolicyRFC3580Map group etsysPolicyRFC3580MapResolveReponseConflict

Indicates which field to use in the application of the RADIUS response in the event that both the proprietary filter-id indicating a policy profile and the standard (RFC3580) vlan-tunnel-attribute are present. If policyProfile(1) is selected, then the filter-id will be used; if vlanTunnelAttribute(2) is selected, then the vlan-tunnel-attribute will be used (and the policy-map will be applied, if present). A value of vlanTunnelAttributeWithPolicyProfile(3) indicates that both attributes should be applied, in the following manner: the policyProfile should be enforced, with the exception of the etsysPolicyProfilePortVid (if present); the returned vlan-tunnel-attribute will be used in its place. In this case, the policy-map will be ignored (as the policyProfile was explicitly assigned). VLAN classification rules will still be applied, as defined by the assigned policyProfile.

Modifications of this value will not affect the current status of any users currently authenticated. The new state will be applied to new, successful authentications. The current status of current authentication may be modified through the individual agents or through the ENTERASYS-MULTI-AUTH-MIB, if supported.

etsysPolicyRFC3580MapLastChange The value of sysUpTime when the etsysPolicyRFC3580MapTable was last modified.
etsysPolicyRFC3580MapTableDefault If read as True, then the etsysPolicyRFC3580MapTable is in the default state (no mappings have been created); if False, then non-default mappings exist. If set to True, then the etsysPolicyRFC3580MapTable will be put into the default state (no mappings will exist). A set to False is not valid and MUST fail.
etsysPolicyRFC3580MapTable A table containing VLAN ID to policy mappings. A policy is a group of classification rules which may be applied on a per user basis, to ports or to stations.
etsysPolicyRFC3580MapEntry Conceptually defines a particular entry within the etsysPolicyRFC3580MapTable. Entries within this table MUST be considered non-volatile and MUST be maintained across entity resets.
etsysPolicyRFC3580MapVlanId The VlanIndex which will map to the policy profile specified by the etsysPolicyRFC3580MapPolicyIndex of this row. This will be used to map the VLAN returned by value from the Tunnel-Private-Group-ID RADIUS attribute.
etsysPolicyRFC3580MapPolicyIndex

The index of a Policy Profile as defined in the etsysPolicyProfileTable. A value of 0 indicates that the row is functionally non-operational (no mapping exists). Devices which support the ENTERASYS-VLAN-AUTHORIZATION-MIB, and for which the value of etsysVlanAuthorizationEnable is Enabled and the value of etsysVlanAuthorizationStatus is Enabled on the port referenced by the authorization request, should then use the VlanIndex provisioned (e.g. from the Tunnel-Private-Group-ID RADIUS attribute) as defined by RFC3580; otherwise, the device should treat the result as if no matching Policy Profile had been found (e.g. as a simple success). In the case where a Policy Profile is already being applied to the referenced station, but no mapping exists, the device MUST treat the Tunnel-Private-Group-ID as an override to the etsysPolicyProfilePortVid defined by that profile (any matched classification rules which explicitly provision a VLAN MUST still override both the etsysPolicyProfilePortVid and the Tunnel-Private-Group-ID).

A non-zero value of this object indicates that the VlanIndex provisioned (e.g. from the Tunnel-Private-Group-ID RADIUS attribute) should be mapped to a Policy Profile as defined in the etsysPolicyProfileTable, and that policy applied as if the Policy name had been provisioned instead (e.g., in the Filter-ID RADIUS attribute). If the mapping references a non-existent row of the etsysPolicyProfileTable, or the referenced row has an etsysPolicyProfileRowStatus value other than Active, the device MUST behave as if the mapping did not exist (apply the vlan-tunnel-attribute). The etsysPolicyRFC3580MapInvalidMapping MUST then be incremented.

etsysPolicyRFC3580MapInvalidMapping Increments to indicate the number of times the device has detected an invalid/unknown EtsysPolicyRFC3580MapEntry (i.e. one that references an inactive or non-existent etsysPolicyProfile).
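As an added example (not the device's implementation and not part of the MIB), the following Python models the RADIUS response resolution described for the etsysPolicyRFC3580Map group, so that an administrator can check which profile and VLAN a given response would produce. It assumes the Filter-ID has already been resolved to a profile index, collapses the two ENTERASYS-VLAN-AUTHORIZATION-MIB conditions into one boolean, and treats a response carrying only one attribute as that attribute applied on its own; all names and sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Values of etsysPolicyRFC3580MapResolveReponseConflict as listed above.
POLICY_PROFILE = 1
VLAN_TUNNEL_ATTRIBUTE = 2
VLAN_TUNNEL_ATTRIBUTE_WITH_POLICY_PROFILE = 3

@dataclass
class Outcome:
    profile: Optional[int]         # policy profile index applied, if any
    vlan: Optional[int]            # VLAN taken from the tunnel attribute, if any
    invalid_mapping: bool = False  # etsysPolicyRFC3580MapInvalidMapping incremented

def map_vlan(vlan, vlan_map, active_profiles, vlan_authz_enabled):
    """Apply the VLAN-to-policy map to a Tunnel-Private-Group-ID VLAN."""
    index = vlan_map.get(vlan, 0)  # 0 means no mapping exists
    if index != 0 and index in active_profiles:
        # Applied as if the policy name had been provisioned instead.
        return Outcome(profile=index, vlan=None)
    # No mapping, or a mapping to a missing/inactive profile: behave as if the
    # mapping did not exist and count the invalid one.
    return Outcome(profile=None,
                   vlan=vlan if vlan_authz_enabled else None,
                   invalid_mapping=index != 0)

def resolve(mode, filter_profile, tunnel_vlan, vlan_map, active_profiles,
            vlan_authz_enabled=True):
    """Return the Outcome for one RADIUS response.

    filter_profile: profile index named by the Filter-ID, or None if absent.
    tunnel_vlan:    VLAN from Tunnel-Private-Group-ID, or None if absent.
    """
    if filter_profile is None and tunnel_vlan is None:
        return Outcome(None, None)
    if tunnel_vlan is None:           # only the filter-id is present
        return Outcome(filter_profile, None)
    if filter_profile is None:        # only the vlan-tunnel-attribute is present
        return map_vlan(tunnel_vlan, vlan_map, active_profiles, vlan_authz_enabled)
    # Both attributes present: the conflict setting decides.
    if mode == POLICY_PROFILE:
        return Outcome(filter_profile, None)
    if mode == VLAN_TUNNEL_ATTRIBUTE:
        return map_vlan(tunnel_vlan, vlan_map, active_profiles, vlan_authz_enabled)
    if mode == VLAN_TUNNEL_ATTRIBUTE_WITH_POLICY_PROFILE:
        # Profile enforced, tunnel VLAN replaces its PortVid, policy-map ignored.
        return Outcome(filter_profile, tunnel_vlan)
    raise ValueError(f"unknown conflict-resolution value {mode}")

if __name__ == "__main__":
    # Constructed sample: VLAN 20 maps to profile 7; VLAN 30 to inactive profile 9.
    vlan_map = {20: 7, 30: 9}
    active = {5, 7}
    for mode in (1, 2, 3):
        print(mode, resolve(mode, 5, 20, vlan_map, active))
    print("invalid mapping:", resolve(2, 5, 30, vlan_map, active))
```

Running the three modes against the same response shows how a single setting changes both the enforced profile and the VLAN, which is worth checking before changing it on a device with existing RADIUS policy.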
etsysPolicyHttpRedirect group etsysPolicyHttpRedirectMaxNumSockets The maximum number of TCP port numbers the device may listen on simultaneously for HTTP redirection.
etsysPolicyHttpRedirectMaxNumServer The number of servers that may be configured per server group in the etsysPolicyHttpRedirectServerTable.
etsysPolicyHttpRedirectSocketTable A table containing TCP sockets the device will listen on for HTTP traffic to redirect. Entries within this table MUST be considered non-volatile and MUST be maintained across entity resets.
etsysPolicyHttpRedirectSocketEntry Conceptually specifies a TCP socket the device will listen on for HTTP traffic to redirect.
etsysPolicyHttpRedirectSocketIndex An arbitrary index from 1 to etsysPolicyHttpRedirectMaxNumSockets.
etsysPolicyHttpRedirectListenSocket TCP port number (1-65535) that the device will listen on for HTTP traffic suitable for redirection. A value of 0 indicates that this entry does not specify a TCP socket to listen on.
etsysPolicyHttpRedirectServerTable A table containing HTTP redirect server group entries.
etsysPolicyHttpRedirectServerEntry Conceptually defines a HTTP redirect server group. Within each group, one or more redirect servers may be defined. HTTP redirects will be sent to different servers within a group using a round-robin algorithm. Entries within this table MUST be considered non-volatile and MUST be maintained across entity resets.
etsysPolicyHttpRedirectGroupIndex The index referenced by etsysPolicyProfileHttpRedirectIndex to identify a particular HTTP redirect server group. The maximum value of this index is specified by the etsysPolicyHttpRedirectNumServerGroups object.
etsysPolicyHttpRedirectServerIndex The index for a particular server within the redirect group. The maximum value of this index is specified by the etsysPolicyHttpRedirectMaxNumServer object.
etsysPolicyHttpRedirectServerUri The absolute URI on the redirect server to redirect the user to. This object MUST specify the scheme, authority and path. The URI may optionally include a query and/or fragment portions as well.
etsysPolicyHttpRedirectServerStatus A value of enabled(1) causes the entry to be made ready for use in redirecting HTTP traffic. A set of enabled(1) will only succeed if the other entries with STATUS of read-write in the table have been set to appropriate non-default values.
etsysPolicySystem group etsysPolicyEnabledState

Controls the enabling and disabling of the entire Policy application.

A value of enabled(1) indicates that all objects in this MIB module are actively being applied on the device. A value of disabled(2) indicates that none of the objects in this MIB are actively being applied.

The agent may optionally implement this leaf as read-only. All other objects in this MIB module MUST remain available and configurable regardless of the current value of this object. This object MUST be considered non-volatile and its value MUST be maintained across entity resets.