Additional Support for Simple Network Management Protocol Management Information Base
Simple Network Management Protocol (SNMP) is used to get specific information from a device or to send it information for the purposes of configuration changes. Because the FWSM is a security device, you cannot send it information, but you can gather information for keeping track of interface statistics, packet counts, and so on. There have been two additions to the Management Information Base (MIB):
- ACL entries and hit counters located under CISCO-IP-PROTOCOL-FILTER-MIB
- Address Resolution Protocol (ARP) table entries located under IP-MIB
Table 25-1 shows the MIB additions with definitions.
Table 25-1. FWSM 4.01 MIB Additions
CISCO-IP-PROTOCOL-FILTER-MIB

cippfIpFilterTable (CLI: show run access-list)

| OID | Object | Description |
|---|---|---|
| 1.3.6.1.4.1.9.9.278.1.1.1.1.1 | cippfIpProfileName | ACL name |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.1 | cippfIpFilterIndex | Access Control Entry (ACE) line number |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.3 | cippfIpFilterAction | Permit/Deny |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.4 | cippfIpFilterAddressType | Either ipv4 or ipv6 |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.5 | cippfIpFilterSrcAddress | Source IP addr |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.6 | cippfIpFilterSrcMask | Source IP mask |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.7 | cippfIpFilterDestAddress | Destination IP addr |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.8 | cippfIpFilterDestMask | Destination IP mask |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.9 | cippfIpFilterProtocol | Protocol (IP/TCP/UDP/ICMP) |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.10 | cippfIpFilterSrcPortLow | Src port low |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.11 | cippfIpFilterSrcPortHigh | Src port high |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.12 | cippfIpFilterDestPortLow | Dest port low |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.13 | cippfIpFilterDestPortHigh | Dest port high |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.16 | cippfIpFilterLogEnabled | Log enabled/disabled |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.17 | cippfIpFilterStatus | ACL Active/Inactive |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.22 | cippfIpFilterSrcIPGroupName | Src n/w object group name |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.23 | cippfIpFilterDstIPGroupName | Dest n/w object group name |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.24 | cippfIpFilterProtocolGroupName | Protocol object group name |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.25 | cippfIpFilterSrcServiceGroupName | Src service object group name |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.26 | cippfIpFilterDstServiceGroupName | Dest service object group name |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.27 | cippfIpFilterICMPGroupName | ICMP object group |

cippfIpFilterStatsTable (CLI: show access-list acl-name)

| OID | Object | Description |
|---|---|---|
| 1.3.6.1.4.1.9.9.278.1.1.1.1.1 | cippfIpProfileName | ACL name |
| 1.3.6.1.4.1.9.9.278.1.1.3.1.1 | cippfIpFilterIndex | ACE line number within the ACL |
| 1.3.6.1.4.1.9.9.278.1.2.1.1.1 | cippfIpFilterHits | ACE hit-count |

IP-MIB (RFC2011)

ipNetToPhysicalTable (CLI: show arp)

| OID | Object | Description |
|---|---|---|
| 1.3.6.1.2.1.4.35.1.1 | ipNetToPhysicalIfIndex | Interface number for the ARP entry |
| 1.3.6.1.2.1.4.35.1.2 | ipNetToPhysicalNetAddressType | IP address type for the ARP entry |
| 1.3.6.1.2.1.4.35.1.3 | ipNetToPhysicalNetAddress | IP address for the ARP entry |
| 1.3.6.1.2.1.4.35.1.4 | ipNetToPhysicalPhysAddress | Media Access Control (MAC) address for the IP address |
When using SNMP, avoid using an SNMP walk. This process starts at the top of the MIB tree and gets the statistics for each MIB until it reaches the end of the tree. Because SNMP is not performed in hardware, this puts an undue burden on the FWSM.
SNMP is a very valuable tool to gather statistics from the FWSM, and with the addition of ACL entries, ACL counters, and ARP table entries, it becomes an even better tool. Just remember not to overwhelm the FWSM with too many queries.
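A scoped alternative to the full walk warned against above is to poll only the cippfIpFilterHits column from Table 25-1 and compare two polls offline to see which ACEs are matching traffic. This is an added example, not code from the original text; the sample lines are constructed, and the instance-index layout (length-prefixed ASCII ACL name followed by the ACE line number) and the numeric `OID = TYPE: value` output shape are assumptions.

```python
"""Added example: per-ACE hit-count deltas from two scoped polls (constructed data)."""

# cippfIpFilterHits column OID, taken from Table 25-1.
HITS_OID = "1.3.6.1.4.1.9.9.278.1.2.1.1.1"

def decode_index(suffix):
    """Split an instance suffix into (ACL name, ACE line number).

    Assumption: the suffix is a length-prefixed ASCII cippfIpProfileName
    followed by cippfIpFilterIndex.
    """
    parts = [int(p) for p in suffix.split(".")]
    name_len = parts[0]
    if len(parts) != name_len + 2:
        raise ValueError(f"unexpected index layout: {suffix}")
    return "".join(chr(c) for c in parts[1:1 + name_len]), parts[-1]

def parse_poll(lines):
    """Keep only cippfIpFilterHits rows from numeric 'OID = TYPE: value' lines."""
    hits = {}
    for line in lines:
        oid, sep, value = line.partition(" = ")
        oid = oid.strip().lstrip(".")
        if not sep or not oid.startswith(HITS_OID + "."):
            continue  # some other object or a malformed line: ignore it
        hits[decode_index(oid[len(HITS_OID) + 1:])] = int(value.rsplit(":", 1)[-1])
    return hits

def hit_deltas(prev, curr):
    """Hits gained per ACE between polls; a counter that went backwards was cleared."""
    deltas = {}
    for ace, now in curr.items():
        before = prev.get(ace, 0)
        deltas[ace] = now - before if now >= before else now
    return deltas

# Constructed sample output of two polls limited to the cippfIpFilterHits column.
BASE = "." + HITS_OID
POLL_1 = [
    f"{BASE}.3.79.85.84.1 = Counter64: 1500",   # ACL "OUT", ACE line 1
    f"{BASE}.3.79.85.84.2 = Counter64: 0",      # ACL "OUT", ACE line 2
    f"{BASE}.3.68.77.90.1 = Counter64: 42",     # ACL "DMZ", ACE line 1
]
POLL_2 = [
    f"{BASE}.3.79.85.84.1 = Counter64: 1725",
    f"{BASE}.3.79.85.84.2 = Counter64: 0",
    f"{BASE}.3.68.77.90.1 = Counter64: 7",      # lower than before: counters cleared
    ".1.3.6.1.4.1.9.9.278.1.1.3.1.3.3.79.85.84.1 = INTEGER: 1",  # not a hit counter
]

if __name__ == "__main__":
    for (acl, line), delta in sorted(hit_deltas(parse_poll(POLL_1), parse_poll(POLL_2)).items()):
        print(f"{acl} line {line}: +{delta} hits{'  (idle)' if delta == 0 else ''}")
```

An ACE whose delta stays at zero across many polling intervals is a candidate for rule review, and spacing the polls out keeps the query load on the FWSM low.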