System information
Cisco Cat3K ST 6 June 2012
1.7.3 Traffic Filtering and Switching (VLAN Processing and ACLs)
VLANs control whether Ethernet frames are passed through the switch interfaces
based on the VLAN tag information in the frame header. IP ACLs or ICMP ACLs
control whether routed IP packets are forwarded or blocked at Layer 3 TOE interfaces
(interfaces that have been configured with IP addresses). VACLs (using access
mapping) control whether non-routed frames (by inspection of MAC addresses in the
frame header) and packets (by inspection of IP addresses in the packet header) are
forwarded or blocked at Layer 2 ports assigned to VLANs. The TOE examines each
frame and packet to determine whether to forward or drop it, on the basis of criteria
specified within the VLAN access lists and access maps applied to the interfaces
through which the traffic would enter and leave the TOE. For those interfaces
configured with Layer-3 addressing the ACLs can be configured to filter IP traffic
using: the source address of the traffic; the destination address of the traffic; and the
upper-layer protocol identifier. Layer-2 interfaces can be made part of Private VLANs
(PVLANs), to allow traffic to pass in a pre-defined manner among the primary and
secondary (‘isolated’ or ‘community’) VLANs within the same PVLAN.
VACL access mapping is used to match IP ACLs or MAC ACLs to the action to be
taken by the TOE as the traffic crosses the interface, causing the packet to be
forwarded or dropped. The traffic is matched only against access lists of the same
protocol type; IP packets can be matched against IP access lists, and any Ethernet
frame can be matched against MAC access lists. Both IP and MAC addresses can be
specified within the VLAN access map.
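The following VLAN access map is added here as an illustration and is not taken from the Security Target or from Cisco guidance. It shows how access-map entries pair an IP ACL and a MAC ACL with forward and drop actions, and why each entry can only match traffic of its own protocol type; all ACL names, the VLAN number and the addresses are assumed values.

```cisco
! Added example, not part of the Security Target: a VACL on VLAN 10 that
! drops frames from one constructed MAC address, forwards IP packets from a
! constructed management subnet, and forwards everything else.
!
! IP ACL: referenced only by 'match ip address', so only IP packets are
! tested against it (matching is by IP header fields).
ip access-list extended VLAN10-IP-ALLOW
 permit ip 192.0.2.0 0.0.0.255 any
!
! MAC ACL: referenced only by 'match mac address', so it is tested against
! the source/destination MAC addresses in the Ethernet frame header.
mac access-list extended VLAN10-MAC-BLOCK
 permit host 0000.5e00.5301 any
!
! Access map: entries are evaluated in sequence-number order and the action
! of the first matching entry (forward or drop) is taken.
vlan access-map VLAN10-MAP 10
 match mac address VLAN10-MAC-BLOCK
 action drop
vlan access-map VLAN10-MAP 20
 match ip address VLAN10-IP-ALLOW
 action forward
! An entry with no match clause catches all remaining traffic.  Without it,
! traffic that matches no entry is dropped (implicit deny at the end of the map).
vlan access-map VLAN10-MAP 30
 action forward
!
! Apply the map to VLAN 10.
vlan filter VLAN10-MAP vlan-list 10
```

The order of the entries matters: because entry 10 is evaluated first, a frame from the blocked MAC address is dropped even if its IP payload would have matched the permit in entry 20. Removing entry 30 changes the map from a block list into an allow list, since the implicit deny then drops everything not explicitly forwarded.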
Use of Access Control Lists (ACLs) also allows restriction of remote administration
connectivity to specific interfaces of the TOE so that sessions will only be accepted
from approved management station addresses identified as specified by the
administrator.
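As an added example (not configuration from the Security Target), the following shows a standard ACL applied inbound to the virtual terminal lines so that remote administration sessions are accepted only from the listed management stations. The ACL name and the two station addresses are constructed values.

```cisco
! Added example, not part of the Security Target: limit remote administration
! to two constructed management-station addresses.
ip access-list standard MGMT-STATIONS
 permit host 192.0.2.10
 permit host 192.0.2.11
 deny   any log
!
! Without 'access-class' any host that can reach the switch may attempt a
! login; with it, connections from other sources are refused before the
! authentication prompt and the final deny entry records the attempt.
! Apply to every VTY line, not only the first five, or the remaining lines
! stay unrestricted.
line vty 0 15
 access-class MGMT-STATIONS in
 transport input ssh
```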
The TOE supports routing protocols including BGPv4, EIGRP, PIM-SMv2, and
OSPFv2 to maintain routing tables, or routing tables can be configured and maintained
manually. Since routing tables are used to determine which egress ACL is applied,
the authority to modify the routing tables is restricted to authenticated administrators,
and authenticated neighbor routers. The only aspect of routing protocols that is
security relevant in this TOE is the TOE’s ability to authenticate neighbor routers
using shared passwords. Other security features and configuration options of routing
protocols are beyond the scope of this Security Target and are described in
administrative guidance.
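The following configuration, added here as an illustration and not drawn from the Security Target or from administrative guidance, shows neighbor authentication with shared keys for three of the protocols named above (OSPFv2, EIGRP and BGPv4). The interface names, area, AS numbers, neighbor address, key-chain name and key placeholder are assumed values.

```cisco
! Added example, not part of the Security Target: authenticate routing
! neighbors with shared keys so that only peers holding the key can
! influence the routing table.  Replace the placeholder with a real key.
!
! OSPFv2: MD5 message-digest key on the neighbor-facing interface, with
! authentication enabled for the whole area so unauthenticated Hellos
! are ignored.
interface Vlan20
 ip ospf message-digest-key 1 md5 <REPLACE-WITH-SHARED-KEY>
!
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
! EIGRP: keys live in a key chain that the interface references.
key chain EIGRP-KEYS
 key 1
  key-string <REPLACE-WITH-SHARED-KEY>
!
interface Vlan30
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 network 198.51.100.0 0.0.0.255
!
! BGPv4: TCP MD5 signature on the session with a single neighbor; segments
! without a valid signature are discarded before BGP processes them.
router bgp 64496
 neighbor 203.0.113.2 remote-as 64497
 neighbor 203.0.113.2 password <REPLACE-WITH-SHARED-KEY>
!
! Obscure the keys in 'show running-config' (type 7 reversible encoding,
! not strong encryption; the configuration file still needs protecting).
service password-encryption
```

Each protocol must be configured on both neighbors with the same key before adjacency or session establishment will succeed; a mismatch is typically visible as a neighbor that never leaves the initial state, which is the expected failure mode when an unauthenticated device attempts to peer.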
The TOE supports VACLs (VLAN ACLs), which can filter traffic traversing VLANs
on the TOE based on IP addressing and MAC addressing.
The TOE also ensures that packets transmitted from the TOE do not contain residual
information from previous packets. Packets that are not the required length use zeros
for padding so that residual data from previous traffic is never transmitted from the
TOE.