You are here:

MonitorTools.com > Technical documentation > SNMP > MIB > Cisco > CISCO-IP-ENCRYPTION-MIB
ActiveXperts Network Monitor 2019##AdminFavorites

CISCO-IP-ENCRYPTION-MIB by vendor Cisco

CISCO-IP-ENCRYPTION-MIB file content

The SNMP protocol is used to for conveying information and commands between agents and managing entities. SNMP uses the User Datagram Protocol (UDP) as the transport protocol for passing data between managers and agents. The reasons for using UDP for SNMP are, firstly it has low overheads in comparison to TCP, which uses a 3-way hand shake for connection. Secondly, in congested networks, SNMP over TCP is a bad idea because TCP in order to maintain reliability will flood the network with retransmissions.

Management information (MIB) is represented as a collection of managed objects. These objects together form a virtual information base called MIB. An agent may implement many MIBs, but all agents must implement a particular MIB called MIB-II [16]. This standard defines variables for things such as interface statistics (interface speeds, MTU, octets sent, octets received, etc.) as well as various other things pertaining to the system itself (system location, system contact, etc.). The main goal of MIB-II is to provide general TCP/IP management information.

Use ActiveXperts Network Monitor 2019 to import vendor-specific MIB files, inclusing CISCO-IP-ENCRYPTION-MIB.


Vendor: Cisco
Mib: CISCO-IP-ENCRYPTION-MIB  [download]  [view objects]
Tool: ActiveXperts Network Monitor 2019 [download]    (ships with advanced SNMP/MIB tools)
-- *****************************************************************
-- CISCO-IP-ENCRYPTION-MIB.my:  Cisco IP encryption MIB file. 
--
-- April 1996, Subodh Nijsure
--
-- Copyright (c) 1996 by cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************
--

CISCO-IP-ENCRYPTION-MIB DEFINITIONS ::= BEGIN

-- MIB definitions for Cisco Crypto management.
--
--
IMPORTS
	MODULE-IDENTITY, OBJECT-TYPE, Counter32, Integer32, IpAddress,
	Gauge32, NOTIFICATION-TYPE
		FROM SNMPv2-SMI
	DisplayString, TruthValue,TimeStamp, RowStatus
		FROM SNMPv2-TC
	MODULE-COMPLIANCE, OBJECT-GROUP
		FROM SNMPv2-CONF
	OwnerString
		FROM IF-MIB
	ciscoMgmt
		FROM CISCO-SMI;

-- ***************************************************************
-- Define IP encryption MIB object
-- ***************************************************************

ciscoIpEncryptionMIB MODULE-IDENTITY
	LAST-UPDATED	"9508150000Z"
	ORGANIZATION	"Cisco Systems, Inc."
	CONTACT-INFO  
		"	Cisco Systems
		Customer Service

		Postal: 170 West Tasman Drive
		San Jose, CA  95134
		USA
	
		Tel: +1 800 553-NETS

		E-mail: cs-snmp@cisco.com"
	DESCRIPTION
		"Used to manage the encryption feature."
	::= { ciscoMgmt 52 }

ciscoIpEncryptionMIBObjects OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 1 }

-- 
-- Define cisco encryption mib objects
--

cieConfig		OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 1 }
cieEngineStatus		OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 2 }
cieConnections		OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 3 }
cieTestConnection	OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 4 }


cieConfiguredAlgorithms OBJECT-TYPE
        SYNTAX  OCTET STRING  (SIZE  (16))      

	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"Type of encryption configured on a particular router, 
		encoded as a bit-string.
		A router can support multiple encryption algorithms 
		i.e. 56 bit des with 8 bit cipher feedback AND 40 bit des 
		with 64 bit cipher feedback.
		"
	::= { cieConfig 1 }

cieEncryptionKeyTimeout OBJECT-TYPE
	SYNTAX  Integer32 
	UNITS   "minutes"
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"Interval at which keys expire for a session and they are is 
		re-negotiated." 
	::= { cieConfig 2 }

cieNumberOfCryptoEngines OBJECT-TYPE
	SYNTAX	Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Total number of encryption engines."
	::= { cieConfig 3 }

cieEngineStatusTable OBJECT-TYPE
	SYNTAX     SEQUENCE OF CieEngineStatusEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"A table describing status of all encryption engines present
		within the router."
	::= { cieEngineStatus 1 }

cieEngineStatusEntry OBJECT-TYPE
	SYNTAX CieEngineStatusEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"Each entry in this table describes public key associated with
		each engine, with its unique ID. In case of hardware assisted
		encryption each entry also describes status of encryption port
		adaptor."
	INDEX { cieEngineID }
	::= { cieEngineStatusTable 1 }

CieEngineStatusEntry ::=
	SEQUENCE {
		cieEngineID
			Integer32, 
		cieEngineCardIndex
			Integer32,
		cieEnginePublicKey
			OCTET STRING,
		cieEsaTampered
			TruthValue,
		cieEsaAuthenticated
			TruthValue,
		cieEsaMode 
			INTEGER
	}

cieEngineID OBJECT-TYPE
	SYNTAX  Integer32 (1..2147483647)
	MAX-ACCESS read-only
	STATUS	current
	DESCRIPTION
		"Unique value identifying the crypto engine, in case 
		of RP and other software only platforms, this is the 
		processor ID. In case of ESA, this will be a unique ID 
		retrieved from ESA."
	::= {  cieEngineStatusEntry 1 }

cieEngineCardIndex  OBJECT-TYPE
	SYNTAX	Integer32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Corresponds to cardIndex in the chassis mib, if value is 0 
		then this is a software encryption engine."
	::= { cieEngineStatusEntry 2 }


cieEnginePublicKey OBJECT-TYPE
	SYNTAX	OCTET STRING (SIZE (0..1024))
	MAX-ACCESS read-only
	STATUS	current
	DESCRIPTION
		"Public key for a particular crypto engine."
	::= { cieEngineStatusEntry 3 }

cieEsaTampered OBJECT-TYPE
	SYNTAX  TruthValue	
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Indicates whether encryption port adaptor has been tampered 
		with. 
		NOTE: This object is not present for software encryption 
		engines."
	::= { cieEngineStatusEntry 4 }

cieEsaAuthenticated OBJECT-TYPE
	SYNTAX TruthValue	
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Indicates whether encryption port adaptor has been properly
		authenticated for this router.
		NOTE: This object is not present for software encryption 
		engines."
	::= { cieEngineStatusEntry 5 }

cieEsaMode OBJECT-TYPE
	SYNTAX	INTEGER {
		enableActive(1),
		boot(2),
		error(3)
	}
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Indicates current operating mode of the ESA card. 
		This variable directly corresponds to LED status shown on ESA.
		NOTE: This object is not present for software encryption 
		engines."

	::= { cieEngineStatusEntry 6 }

cieNumberOfConnections OBJECT-TYPE
	SYNTAX	Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Total number of active, pending and dead crypto connections."
	::= { cieConnections 1 }

cieConnTable OBJECT-TYPE
	SYNTAX     SEQUENCE OF CieConnEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"A table that describes all encrypted IP traffic 
		created by the router, between the protected entity
		(cieProtectedAddr) and the unprotected entity 
		(cieUnprotectedAddr). Each entry in this table
		describes a virtual encrypted IP tunnel."
	::= { cieConnections 2 }

cieConnEntry OBJECT-TYPE
	SYNTAX  CieConnEntry
	MAX-ACCESS  not-accessible
	STATUS  current
	DESCRIPTION
		"This entry describes a connection viz. the protected and 
		unprotected node, status of the connection and number of 
		packets encrypted, decrypted per connection and algorithm 
		used for encrypting data.
		Each entry also contains a pointer to crypto engine that is 
		performing the encryption." 
	INDEX   { cieEngineID, cieConnIndex }
	::= { cieConnTable 1 }

CieConnEntry ::=
	SEQUENCE {
		cieConnIndex 
			Integer32,
		cieProtectedAddr 
			IpAddress,
		cieUnprotectedAddr
			IpAddress,
		cieConnStatus 
			INTEGER,
		ciePktsEncrypted 
			Counter32,	
		ciePktsDecrypted 
			Counter32,	
		ciePktsDropped 
			Counter32,	
		cieLocalTimeEstablished 
			TimeStamp,
		cieAlgorithmType INTEGER
	}

cieConnIndex OBJECT-TYPE
	SYNTAX  Integer32 (1..2147483647)
	MAX-ACCESS not-accessible 
	STATUS current
	DESCRIPTION 
		"A monotonically increasing integer for the sole purpose of
		indexing the cieConnTable. When it reaches the
		maximum value, the agent wraps the value back to 1 and 
		may flush existing entries."
	::= { cieConnEntry 1 }

cieProtectedAddr OBJECT-TYPE
	SYNTAX  IpAddress
	MAX-ACCESS  read-only
	STATUS  current 
	DESCRIPTION
		"The IP address for protected (secure) node." 
	::= { cieConnEntry 2 }

cieUnprotectedAddr OBJECT-TYPE
	SYNTAX  IpAddress
	MAX-ACCESS  read-only
	STATUS  current 
	DESCRIPTION
		"The IP address of  the unprotected (insecure) node in 
		the network." 
	::= { cieConnEntry 3 }

cieConnStatus OBJECT-TYPE
	SYNTAX  INTEGER {
		pendingConnection(1),
		openConnection(2),
		exchangeKeys(3),
		badConnection(4)
	}
	MAX-ACCESS  read-only
	STATUS  current 
	DESCRIPTION
		"Integer describing status/type of connection. The pending
		and bad connections may be removed after 4 minutes of 
		non-activity. Open (active) connections may be removed if 
		they have not transmitted/received traffic in the last 
		cieEncryptionKeyTimeout minutes."
	::= { cieConnEntry 4 }

ciePktsEncrypted OBJECT-TYPE 
	SYNTAX  Counter32
	MAX-ACCESS  read-only
	STATUS  current 
	DESCRIPTION
		"Total number of packets encrypted for this connection."
	::= { cieConnEntry 5 }

ciePktsDecrypted OBJECT-TYPE 
	SYNTAX  Counter32
	MAX-ACCESS  read-only
	STATUS  current 
	DESCRIPTION
		"Total number of packets decrypted for this connection."
	::= { cieConnEntry 6 }

ciePktsDropped OBJECT-TYPE 
	SYNTAX  Counter32
	MAX-ACCESS  read-only
	STATUS  current 
	DESCRIPTION
                "Total number of packets dropped for this connection.  The 
		packets are dropped only in cases where encryption keys are
		not established between the protected entity and the 
		unprotected entity. An increase in this value indicates the
		possibility of mis-configured keys."
	::= { cieConnEntry 7 }

cieLocalTimeEstablished OBJECT-TYPE
	SYNTAX  TimeStamp
	MAX-ACCESS  read-only
	STATUS  current 
	DESCRIPTION
		"Value of sysUpTime at which the connection was established or 
		re-established."
	::= { cieConnEntry 8 }

cieAlgorithmType OBJECT-TYPE
	SYNTAX  INTEGER {
		des56bitCfb64(1),
		des56bitCfb8(2),
		des40bitCfb64(3),
		des40bitdesCfb8(4)
	}            
	MAX-ACCESS read-only	
	STATUS  current 
	DESCRIPTION
		"Type of encryption algorithm used for this connection."
	::= { cieConnEntry 9 }

cieTestConnTable OBJECT-TYPE
	SYNTAX     SEQUENCE OF CieTestConnEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"A table of test crypto session entries."
	::= { cieTestConnection 1 }

cieTestConnEntry OBJECT-TYPE
	SYNTAX CieTestConnEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"A encryption test entry. 
		A management station wishing to create an entry should
		first generate a pseudo-random serial number to be used
		as the index to this sparse table.  The station should
		then create the associated instance of the row status
		and row owner objects.  It must also, either in the same
		or in successive PDUs, create the associated instance of
		the address objects.  

		Once the appropriate instance of all the configuration
		objects have been created, either by an explicit SNMP
		set request, the row status should be set
		to active to initiate the request.  Note that this entire
		procedure may be initiated via a single set request which
		specifies a row status of createAndGo. 

		Once the connection sequence has been activated, it cannot be
		stopped -- it will run until a crypto connection has been
		established between source and destination. 
		
		Once the sequence completes, the management station should
		retrieve the values of the status objects of interest, and
		should then delete the entry.  In order to prevent old
		entries from clogging the table, entries will be aged out 
		30 minutes after they are created." 
	INDEX { cieTestConnSerialNumber }
	::= { cieTestConnTable 1 }

CieTestConnEntry ::= 
	SEQUENCE {
-- 		index
		cieTestConnSerialNumber
			Integer32,
-- configuration items
		cieTestConnProtectedAddr
			IpAddress,
		cieTestConnUnprotectedAddr
			IpAddress,
		cieTestConnTrapOnCompletion
			TruthValue,
                cieTestConnCryptoMapName
			DisplayString,
                cieTestConnCryptoMapTagNumber
			Integer32,
-- status items
		cieTestConnSessionStatus
			INTEGER,
		cieTestConnEntryOwner
			OwnerString,
		cieTestConnEntryStatus
			RowStatus
}

cieTestConnSerialNumber OBJECT-TYPE
	SYNTAX     Integer32 (1..2147483647)
	MAX-ACCESS not-accessible 
	STATUS     current
	DESCRIPTION
		"Object which specifies a unique entry in the
		cieTestConnTable.  A management station wishing
		to initiate a crypto session test operation should use a
		pseudo-random value for this object when creating
		an instance of a cieTestConnEntry.
		The RowStatus semantics of the cieTestConnEntryStatus
		object will prevent access conflicts."
	::= { cieTestConnEntry 1 }

cieTestConnProtectedAddr OBJECT-TYPE
	SYNTAX     IpAddress 
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"The IP address of the protected (secure) node, for
		the test connection."
	::= { cieTestConnEntry 2 }

cieTestConnUnprotectedAddr OBJECT-TYPE
	SYNTAX     IpAddress 
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"The IP address of the unprotected (insecure) node for
		the test connection."

	::= { cieTestConnEntry 3 }

cieTestConnTrapOnCompletion OBJECT-TYPE
	SYNTAX     TruthValue 
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"Specifies whether or not a cieTestCompletion 
		trap should be issued on completion of test crypto session. 
		If such a trap is desired, it is the responsibility of the 
		management entity to ensure that the SNMP administrative 
		model is configured in such a way as to allow the trap to 
		be delivered."
	DEFVAL { false }
	::= { cieTestConnEntry 4 }

cieTestConnCryptoMapName OBJECT-TYPE
	SYNTAX     DisplayString 
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"Specifies name of the crypto map already configured on the
		router. A crypto map along with its tag number fully 
		specifies the enryption policy, such as type of algorithm to 
		be used, the name of the peer router and access list."
	::= { cieTestConnEntry 5 }

cieTestConnCryptoMapTagNumber OBJECT-TYPE
	SYNTAX     Integer32 (1..2147483647)
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"Specifies tag number of the crypto map already configured on 
		the router. A crypto map along with its tag number fully 
		specifies the enryption policy, such as type of algorithm to 
		be used, the name of the peer router and access list."
	::= { cieTestConnEntry 6 }

cieTestConnSessionStatus OBJECT-TYPE
	SYNTAX  INTEGER {
		inProgress(1),
		fail(2),
		success(3),
		badCryptoMapName(4)
	}
	MAX-ACCESS read-only
	STATUS     current
	DESCRIPTION
		"Set to a value that indicates whether a crypto session was 
		successfully established, failed or the connection 
		establishment process is in progress.  If the specified crypto 
		map is not configured, value is set to badCryptoMapName."
	::= { cieTestConnEntry 7 }

cieTestConnEntryOwner OBJECT-TYPE
	SYNTAX     OwnerString
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"The entity that configured this entry."
	::= { cieTestConnEntry 8 }

cieTestConnEntryStatus OBJECT-TYPE
	SYNTAX     RowStatus
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"The status of this table entry.  Once the entry status is
		set to active, the associate entry cannot be modified until
		the sequence completes (cieTestConnSessionStatus has 
		value other than inprogress )."
	DEFVAL { createAndGo }
	::= { cieTestConnEntry 9 }


cieMIBTrapPrefix OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 2 }
cieMIBTraps OBJECT IDENTIFIER ::= { cieMIBTrapPrefix 0 }

cieTestCompletion NOTIFICATION-TYPE
	OBJECTS    {    
		cieTestConnSessionStatus,
		cieTestConnProtectedAddr,
		cieTestConnUnprotectedAddr
	}
	STATUS     current
	DESCRIPTION
		"A cieTestCompletion trap is sent at the completion
		of a crypto session establishment if such a trap was requested
		when the sequence was initiated.  "
	::= { cieMIBTraps 1 }

-- conformance information

cieMIBConformance OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 3 }

cieMIBCompliances OBJECT IDENTIFIER ::= { cieMIBConformance 1 }

cieMIBGroups      OBJECT IDENTIFIER ::= { cieMIBConformance 2 }


-- compliance statements

cieMIBCompliance MODULE-COMPLIANCE
	STATUS  current
	DESCRIPTION
		"The compliance statement for entities which implement
		the Cisco Encryption MIB"
	MODULE  -- this module
	MANDATORY-GROUPS { cieMIBGroup }
	::= { cieMIBCompliances 1 }

-- units of conformance

cieMIBGroup OBJECT-GROUP
	OBJECTS {
		cieConfiguredAlgorithms, 
		cieEncryptionKeyTimeout,
		cieNumberOfCryptoEngines,
                cieEngineID, 
		cieEngineCardIndex,
		cieEnginePublicKey,
		cieEsaTampered,
		cieEsaAuthenticated,
		cieEsaMode,
		cieNumberOfConnections,
		cieProtectedAddr,
		cieUnprotectedAddr,
		cieConnStatus,
		ciePktsEncrypted,
		ciePktsDecrypted,
		ciePktsDropped,
		cieLocalTimeEstablished,
		cieAlgorithmType,
		cieTestConnProtectedAddr,
		cieTestConnUnprotectedAddr,
		cieTestConnTrapOnCompletion,
                cieTestConnCryptoMapName,
                cieTestConnCryptoMapTagNumber,
		cieTestConnSessionStatus,
		cieTestConnEntryOwner,
		cieTestConnEntryStatus
	}
	STATUS  current
	DESCRIPTION
		"A collection of objects providing information about 
		IP crypto subsystem." 
	::= { cieMIBGroups 1 }

END