
S12700 V200R013C00 MIB Reference

This document provides the function overview, relationships between tables, description of single objects, description of MIB tables, and description of alarm objects.

SNMP-VIEW-BASED-ACM-MIB

Functions Overview

This MIB applies to SNMPv3 management, including access control view, group, View-based Access Control Model (VACM) security mode, and security level.

The OID of root objects is:

iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpVacmMIB(16)

Relationship Between Tables

Figure 181-1 shows the relationship between vacmSecurityToGroupTable and vacmAccessTable.

Figure 181-1  Relationship between vacmSecurityToGroupTable and vacmAccessTable

vacmSecurityToGroupTable describes the attributes of the SNMPv3 security group. vacmAccessTable, which describes the configuration of SNMPv3 security access attributes, is associated with vacmSecurityToGroupTable through vacmGroupName.

Description of Single Objects

vacmViewSpinLock

OID | Object Name | Syntax | Max Access | Description | Implemented Specifications

1.3.6.1.6.3.16.1.5.1

vacmViewSpinLock

TestAndIncr

Read-write

This object indicates an advisory lock used to allow cooperating SNMP Command Generator applications to coordinate their use of the SET operation in creating or modifying views.

When creating a new view or altering an existing view, it is important to understand the potential interactions with other uses of the view.

First, vacmViewSpinLock should be retrieved. Next, the SNMP Command Generator application should determine that the name of the view to be created is unique by consulting the vacmViewTreeFamilyTable. Finally, the named view may be created (Set), including the advisory lock.

If another SNMP Command Generator application has altered the views in the meantime, the spin lock's value will have changed, and so this creation fails because it specifies the wrong value for the spin lock. This is an advisory lock, so the use of this lock is not enforced.

This object is implemented as defined in the corresponding MIB files.

Description of MIB Tables

vacmContextTable

The table lists the locally available contexts.

This table provides information to SNMP Command Generator applications so that they can properly configure vacmAccessTable to control access to all contexts at the SNMP entity.

This table may change dynamically if the SNMP entity allows contexts to be added or deleted dynamically. For example, this table can change dynamically when its configuration changes. Such changes happen only if the management instrumentation at that SNMP entity recognizes more (or fewer) contexts.

The presence of entries in this table and in vacmAccessTable is independent. That is, a context identified by an entry in this table is not necessarily referenced by any entries in vacmAccessTable, and the context(s) referenced by an entry in vacmAccessTable do not necessarily currently exist and thus need not be identified by an entry in this table.

This table must be made accessible via the default context so that Command Responder applications have a standard way of retrieving the information. This table is read-only. It cannot be configured through SNMP.

The index of the table is vacmContextName.

OID | Object Name | Syntax | Max Access | Description | Implemented Specifications

1.3.6.1.6.3.16.1.1.1.1

vacmContextName

SnmpAdminString (SIZE(0..32))

Read-only

A human readable name identifying a particular context at a particular SNMP entity.

The empty contextName (zero length) represents the default context.

NOTE:
HUAWEI data communications products do not support configuration of the context name.

This object is implemented as defined in the corresponding MIB files.

Creation Restriction

The entries in this table cannot be created.

Modification Restriction

The entries in this table cannot be modified.

Deletion Restriction

The entries in this table cannot be deleted.

Access Restriction

The entries in this table on an SNMPv3 device can be accessed by a V3 user in the SNMPv3 group that is configured with mib-view in the device.

vacmSecurityToGroupTable

This table maps a combination of securityModel and securityName into a groupName that is used to define an access control policy for a group of principals.

The indexes of the table are vacmSecurityModel and vacmSecurityName.

OID | Object Name | Syntax | Max Access | Description | Implemented Specifications

1.3.6.1.6.3.16.1.2.1.1

vacmSecurityModel

SnmpSecurityModel(1..2147483647)

Not-accessible

The Security Model, by which the vacmSecurityName referenced by this entry is provided. Note, this object may not take the 'any' (0) value.

Currently, the value 3 is supported.

1.3.6.1.6.3.16.1.2.1.2

vacmSecurityName

SnmpAdminString (SIZE(1..32))

Not-accessible

The securityName for the principal, represented in a Security Model independent format, which is mapped by this entry to a groupName.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.2.1.3

vacmGroupName

SnmpAdminString (SIZE(1..32))

Read-create

The name of the group to which this entry (for example, the combination of securityModel and securityName) belongs.

This groupName is used as an index into vacmAccessTable to select an access control policy. However, a value in this table does not imply that an instance with the value exists in vacmAccessTable.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.2.1.4

vacmSecurityToGroupStorageType

StorageType

Read-create

This object indicates the storage type for this conceptual row. Conceptual rows having the value "permanent" need not allow write-access to any columnar objects in the row.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.2.1.5

vacmSecurityToGroupStatus

RowStatus

Read-create

The status of this conceptual row.

Until instances of all corresponding columns are appropriately configured, the value of the corresponding instance of the vacmSecurityToGroupStatus column is "notReady".

In particular, a newly created row cannot be made active until a value has been set for vacmGroupName.

The RowStatus TC [RFC2579] requires that this DESCRIPTION clause states under which circumstances other objects in this row can be modified:

The value of this object has no effect on whether other objects in this conceptual row can be modified.

This object is implemented as defined in the corresponding MIB files.

Creation Restriction

No SNMPv1 or SNMPv2 community name can be created in this table.

Modification Restriction

The SNMPv1 or SNMPv2 community name in this table cannot be modified.

Deletion Restriction

The SNMPv1 or SNMPv2 community name in this table cannot be deleted.

Access Restriction

The SNMPv1 or SNMPv2 community name in this table cannot be read. The SNMPv3 security group must be configured.

vacmAccessTable

The table of access rights for groups.

Each entry is indexed by groupName, contextPrefix, securityModel, and securityLevel. To determine whether access is allowed, one entry from this table needs to be selected and the proper viewName from that entry must be used for access control checking.

To select the proper entry, follow these steps:

  1. The set of possible matches is formed by the intersection of the following sets of entries:

    • Set of entries with identical vacmGroupName

    • Union of these two sets:

      - Set of entries with identical vacmAccessContextPrefix

      - Set of entries with vacmAccessContextMatch value of "prefix" and matching vacmAccessContextPrefix

    • Union of these two sets:

      - Set of entries with identical vacmSecurityModel

      - Set of entries with vacmSecurityModel value of "any"

    • Set of entries with vacmAccessSecurityLevel value less than or equal to the requested securityLevel

  2. If the set contains more than one member, identify the priorities of ContextPrefixes, SecurityModels, and SecurityLevels based on the following rules:

    • If the subset of entries with securityModel matching the securityModel in the message is not empty, discard the rest.

    • If the subset of entries with vacmAccessContextPrefix matching the contextName in the message is not empty, discard the rest.

    • Discard all entries with ContextPrefixes shorter than the longest one remaining in the set.

    • Select the entry with the highest securityLevel. Please note that for securityLevel noAuthNoPriv, all groups are really equivalent since the assumption that the securityName has been authenticated does not hold.
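The selection steps above, written out as an added example (it is not code from Huawei or from the MIB). It returns only the read view, and the group, context and view names in the sample rows are constructed for illustration.

```python
from dataclasses import dataclass

# SnmpSecurityLevel ordering: noAuthNoPriv < authNoPriv < authPriv
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3
ANY_MODEL, USM = 0, 3          # SnmpSecurityModel: 0 = any, 3 = USM (SNMPv3)
EXACT, PREFIX = 1, 2           # vacmAccessContextMatch


@dataclass(frozen=True)
class AccessEntry:
    group: str            # vacmGroupName
    context_prefix: str   # vacmAccessContextPrefix
    model: int            # vacmAccessSecurityModel
    level: int            # vacmAccessSecurityLevel
    context_match: int    # vacmAccessContextMatch
    read_view: str        # vacmAccessReadViewName


def select_access_entry(table, group, context, model, level):
    """Return the single vacmAccessTable entry that governs a request, or None."""
    # Step 1: intersect the candidate sets.
    cands = [
        e for e in table
        if e.group == group
        and (e.context_prefix == context
             or (e.context_match == PREFIX and context.startswith(e.context_prefix)))
        and e.model in (model, ANY_MODEL)
        and e.level <= level
    ]
    if not cands:
        return None
    # Step 2: apply the priority rules in order.
    same_model = [e for e in cands if e.model == model]
    if same_model:
        cands = same_model
    same_context = [e for e in cands if e.context_prefix == context]
    if same_context:
        cands = same_context
    longest = max(len(e.context_prefix) for e in cands)
    cands = [e for e in cands if len(e.context_prefix) == longest]
    return max(cands, key=lambda e: e.level)


def read_view_for(table, group, context, model, level):
    """Name of the read view for the request; None means no access."""
    entry = select_access_entry(table, group, context, model, level)
    return entry.read_view if entry and entry.read_view else None


# Constructed sample rows (group, context and view names are hypothetical).
TABLE = [
    AccessEntry("netops", "", USM, AUTH_NO_PRIV, EXACT, "ro-system"),
    AccessEntry("netops", "", USM, AUTH_PRIV, EXACT, "ro-full"),
    AccessEntry("netops", "vpn", ANY_MODEL, NO_AUTH_NO_PRIV, PREFIX, "ro-vpn"),
    AccessEntry("netops", "vpn-a", USM, AUTH_NO_PRIV, EXACT, "ro-vpn-a"),
]

if __name__ == "__main__":
    for ctx, lvl in [("", AUTH_PRIV), ("", AUTH_NO_PRIV), ("", NO_AUTH_NO_PRIV),
                     ("vpn-a", AUTH_PRIV), ("vpn-b", NO_AUTH_NO_PRIV)]:
        print(repr(ctx), lvl, "->", read_view_for(TABLE, "netops", ctx, USM, lvl))
```

When auditing a configuration, rows like the constructed "vpn" one deserve attention: a prefix match combined with the "any" model and noAuthNoPriv grants a view to unauthenticated requests for every context that starts with that prefix.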

Indexes of the table are as follows:

  • vacmGroupName

  • vacmAccessContextPrefix

  • vacmAccessSecurityModel

  • vacmAccessSecurityLevel

OID | Object Name | Syntax | Max Access | Description | Implemented Specifications

1.3.6.1.6.3.16.1.4.1.1

vacmAccessContextPrefix

SnmpAdminString (SIZE(0..32))

Not-accessible

In order to gain the access rights allowed by this conceptual row, a contextName must match exactly (if the value of vacmAccessContextMatch is "exact") or partially (if the value of vacmAccessContextMatch is "prefix") to the value of the instance of this object.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.4.1.2

vacmAccessSecurityModel

SnmpSecurityModel

Not-accessible

In order to gain the access rights allowed by this conceptual row, this securityModel must be in use.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.4.1.3

vacmAccessSecurityLevel

SnmpSecurityLevel

Not-accessible

The minimum level of security required in order to gain the access rights allowed by this conceptual row. A securityLevel of noAuthNoPriv is less than authNoPriv which in turn is less than authPriv.

If multiple entries are equally indexed except for this vacmAccessSecurityLevel index, then the entry which has the highest value for vacmAccessSecurityLevel is selected.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.4.1.4

vacmAccessContextMatch

INTEGER { exact(1), prefix(2) }

Read-create

If the value of this object is exact(1), then all rows where the contextName exactly matches vacmAccessContextPrefix are selected.

If the value of this object is prefix(2), then all rows where the starting octets of the contextName exactly match vacmAccessContextPrefix are selected. This allows for a simple form of wildcarding.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.4.1.5

vacmAccessReadViewName

SnmpAdminString (SIZE(0..32))

Read-create

The value of an instance of this object identifies the MIB view of the SNMP context to which this conceptual row authorizes read access.

The identified MIB view is that one for which the vacmViewTreeFamilyViewName has the same value as the instance of this object; if the value is the empty string or if there is no active MIB view having this value of vacmViewTreeFamilyViewName, then no access is granted.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.4.1.6

vacmAccessWriteViewName

SnmpAdminString (SIZE(0..32))

Read-create

The value of an instance of this object identifies the MIB view of the SNMP context to which this conceptual row authorizes write access.

The identified MIB view is that one for which the vacmViewTreeFamilyViewName has the same value as the instance of this object; if the value is the empty string or if there is no active MIB view having this value of vacmViewTreeFamilyViewName, then no access is granted.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.4.1.7

vacmAccessNotifyViewName

SnmpAdminString (SIZE(0..32))

Read-create

The value of an instance of this object identifies the MIB view of the SNMP context to which this conceptual row authorizes access for notifications.

The identified MIB view is that one for which the vacmViewTreeFamilyViewName has the same value as the instance of this object; if the value is the empty string or if there is no active MIB view having this value of vacmViewTreeFamilyViewName, then no access is granted.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.4.1.8

vacmAccessStorageType

StorageType

Read-create

This object indicates the storage type for this conceptual row. Conceptual rows having the value "permanent" need not allow write-access to any columnar objects in the row.

The default value is { nonVolatile }.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.4.1.9

vacmAccessStatus

RowStatus

Read-create

This object indicates the status of this conceptual row.

The RowStatus TC [RFC2579] requires that this DESCRIPTION clause states under which circumstances other objects in this row can be modified. The value of this object has no effect on whether other objects in this conceptual row can be modified.

This object is implemented as defined in the corresponding MIB files.

Creation Restriction

No SNMPv1 or SNMPv2 community name can be created in this table.

Modification Restriction

The SNMPv1 or SNMPv2 community name in this table cannot be modified.

Deletion Restriction

The SNMPv1 or SNMPv2 community name in this table cannot be deleted.

Access Restriction

The SNMPv1 or SNMPv2 community name in this table cannot be read. The SNMPv3 security group must be configured.

vacmViewTreeFamilyTable

The table lists the locally held information about families of subtrees within MIB views.

Each MIB view is defined by two sets of view subtrees:

  • Included view subtrees

  • Excluded view subtrees

Every such view subtree, both the included and the excluded ones, is defined in this table.

To determine if a particular object instance is in a particular MIB view, compare the object instance's OBJECT IDENTIFIER with each of the MIB view's active entries in this table.

If none match, the object instance is not in the MIB view. If one or more match, the object instance is included in, or excluded from, the MIB view according to the value of vacmViewTreeFamilyType in the entry whose value of vacmViewTreeFamilySubtree has the most sub-identifiers.

If multiple entries match and have the same number of sub-identifiers (when wildcarding is specified with the value of vacmViewTreeFamilyMask), the lexicographically greatest instance of vacmViewTreeFamilyType determines the inclusion or exclusion.

An object instance's OBJECT IDENTIFIER X matches an active entry in this table when the number of sub-identifiers in X is at least as many as in the value of vacmViewTreeFamilySubtree for the entry, and each sub-identifier in the value of vacmViewTreeFamilySubtree matches its corresponding sub-identifier in X. Two sub-identifiers match either if the corresponding bit of the value of vacmViewTreeFamilyMask for the entry is zero (the "wild card" value), or if they are equal.

A "family" of subtrees is the set of subtrees defined by a particular combination of values of vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask. In the case where no "wild card" is defined in the vacmViewTreeFamilyMask, the family of subtrees reduces to a single subtree.

When creating or changing MIB views, an SNMP Command Generator application should utilize the vacmViewSpinLock to try to avoid collisions. See DESCRIPTION clause of vacmViewSpinLock.

When creating MIB views, it is strongly advised that first the "excluded" vacmViewTreeFamilyEntries are created and then the "included" entries.

When deleting MIB views, it is strongly advised that first the "included" vacmViewTreeFamilyEntries are deleted and then the "excluded" entries.

If a request for creating an entry for instance-level access control is received and the implementation does not support instance-level granularity, an inconsistentName error must be returned.

The indexes of the table are vacmViewTreeFamilyViewName and vacmViewTreeFamilySubtree.

OID | Object Name | Syntax | Max Access | Description | Implemented Specifications

1.3.6.1.6.3.16.1.5.2.1.1

vacmViewTreeFamilyViewName

SnmpAdminString (SIZE(1..32))

Not-accessible

This object indicates the human readable name for a family of view subtrees.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.5.2.1.2

vacmViewTreeFamilySubtree

OBJECT IDENTIFIER

Not-accessible

This object indicates the MIB subtree, combined with the corresponding instance of vacmViewTreeFamilyMask to define a family of view subtrees.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.5.2.1.3

vacmViewTreeFamilyMask

OCTET STRING (SIZE(0..16))

Read-create

The bit mask which, in combination with the corresponding instance of vacmViewTreeFamilySubtree, defines a family of view subtrees.

Each bit of this bit mask corresponds to a sub-identifier of vacmViewTreeFamilySubtree, with the most significant bit of the i-th octet of this octet string value (extended if necessary, see below) corresponding to the (8*i - 7)-th sub-identifier, and the least significant bit of the i-th octet of this octet string corresponding to the (8*i)-th sub-identifier, where i is in the range 1 through 16.

Each bit of this bit mask specifies whether or not the corresponding sub-identifiers must match when determining if an OBJECT IDENTIFIER is in this family of view subtrees; a "1" indicates that an exact match must occur; a "0" indicates "wild card", that is, any sub-identifier value matches.

Therefore, the OBJECT IDENTIFIER X of an object instance is contained in a family of view subtrees if, for each sub-identifier of the value of vacmViewTreeFamilySubtree, either: the i-th bit of vacmViewTreeFamilyMask is 0, or the i-th sub-identifier of X is equal to the i-th sub-identifier of the value of vacmViewTreeFamilySubtree.

If the value of this bit mask is M bits long and there are more than M sub-identifiers in the corresponding instance of vacmViewTreeFamilySubtree, then the bit mask is extended with 1's to be the required length. Note that when the value of this object is the zero-length string, this extension rule results in a mask of all-1's being used (that is, no "wild card"), and the family of view subtrees is the one view subtree uniquely identified by the corresponding instance of vacmViewTreeFamilySubtree. Note that masks of length greater than zero length do not need to be supported. In this case this object is made read-only.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.5.2.1.4

vacmViewTreeFamilyType

INTEGER { included(1), excluded(2) }

Read-create

The value of this object indicates whether the corresponding instances of vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask define a family of view subtrees which is included in or excluded from the MIB view.

The default value is { included }.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.5.2.1.5

vacmViewTreeFamilyStorageType

StorageType

Read-create

The storage type for this conceptual row. Conceptual rows having the value "permanent" need not allow write-access to any columnar objects in the row.

The default value is { nonVolatile }.

This object is implemented as defined in the corresponding MIB files.

1.3.6.1.6.3.16.1.5.2.1.6

vacmViewTreeFamilyStatus

RowStatus

Read-create

The status of this conceptual row. The RowStatus TC [RFC2579] requires that this DESCRIPTION clause states under which circumstances other objects in this row can be modified: The value of this object has no effect on whether other objects in this conceptual row can be modified.

This object is implemented as defined in the corresponding MIB files.

Creation Restriction

The entries in this table can be created.

Modification Restriction

The entries in this table can be modified.

Deletion Restriction

The entries in this table can be deleted.

Access Restriction

The entries in this table can be accessed.
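The view-membership rules and the vacmViewTreeFamilyMask bit layout described for this table, as an added example (not code from Huawei or from the MIB). The two sample views are constructed, and the ifTable OID used for the wild-card case is an assumption brought in from IF-MIB.

```python
INCLUDED, EXCLUDED = 1, 2   # vacmViewTreeFamilyType


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bit(mask, index):
    """Mask bit for the sub-identifier at 0-based `index`.

    The most significant bit of the first octet covers the first
    sub-identifier; a mask that is too short is extended with 1s.
    """
    octet, bit = divmod(index, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1


def family_matches(oid, subtree, mask=b""):
    """True if `oid` falls in the family defined by subtree + mask."""
    if len(oid) < len(subtree):
        return False
    return all(mask_bit(mask, i) == 0 or oid[i] == sub
               for i, sub in enumerate(subtree))


def in_view(entries, oid):
    """Decide membership from the active entries of one view name.

    `entries` is a list of (subtree, mask, type). The matching entry with
    the most sub-identifiers wins; ties go to the lexicographically
    greatest subtree (the table index). No match means not in the view.
    """
    matching = [(len(sub), sub, typ) for sub, mask, typ in entries
                if family_matches(oid, sub, mask)]
    if not matching:
        return False
    return max(matching)[2] == INCLUDED


# Constructed views. 1.3.6.1.6.3.16 is snmpVacmMIB (the root OID of this MIB).
OPERATOR_VIEW = [
    (parse_oid("1.3.6.1"), b"", INCLUDED),
    (parse_oid("1.3.6.1.6.3.16"), b"", EXCLUDED),
]
# Mask 0xFFA0 = 11111111 101...: sub-identifier 10 (the column) is a wild
# card, so the family is "every ifTable column, but only for ifIndex 2".
# 1.3.6.1.2.1.2.2.1 (ifEntry, IF-MIB) is an assumption, not from this page.
IF2_VIEW = [(parse_oid("1.3.6.1.2.1.2.2.1.0.2"), bytes.fromhex("ffa0"), INCLUDED)]

if __name__ == "__main__":
    for name in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.16.1.4.1.5"):
        print(name, in_view(OPERATOR_VIEW, parse_oid(name)))
    for name in ("1.3.6.1.2.1.2.2.1.10.2", "1.3.6.1.2.1.2.2.1.10.3"):
        print(name, in_view(IF2_VIEW, parse_oid(name)))
```

OPERATOR_VIEW shows the include-broad, exclude-specific pattern: the longer excluded subtree wins, so a principal holding this view cannot read the VACM tables themselves.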

Description of Alarm Objects

None.

Updated: 2019-04-09

Document ID: EDOC1100065666
