System information
Cisco Cat3K ST 6 June 2012
FDP_IFF.1.2(1) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
• if the source and destination Layer 2 ports are configured to be in the same VLAN or
• the frames have been permitted into the VLAN through traffic flow controls enforced at Layer 3 as defined in FDP_IFF.1(2)].
FDP_IFF.1.3(1) The TSF shall enforce the [none].
FDP_IFF.1.4(1) The TSF shall explicitly authorize an information flow based on the following rules: [
When the ingress port is part of a PVLAN:
• Traffic entering a promiscuous port can be forwarded through all ports within the same PVLAN, including the isolated and community ports.
• Traffic entering an isolated port can be forwarded only through promiscuous ports.
• Traffic entering a community port can be forwarded only through other ports in the same community and through promiscuous ports].
FDP_IFF.1.5(1) The TSF shall explicitly deny an information flow based on the following rules: [
When the ingress port is not part of a PVLAN:
• Frame packets whose VLAN tag does not match the VLAN of the ingress port associated with a VLAN will not be forwarded to VLAN interfaces (subjects) not configured to be in that VLAN
When the ingress port is part of a PVLAN:
• Traffic entering an isolated port has complete Layer 2 separation from the other isolated and community ports within the same PVLAN, and from ports outside the PVLAN
• Traffic entering a community port has complete Layer 2 separation from all other interfaces in other communities and from isolated ports within the same PVLAN, and from ports outside the PVLAN].
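
The Layer 2 rules of FDP_IFF.1.2(1), FDP_IFF.1.4(1) and FDP_IFF.1.5(1) can be written as a reference decision function against which observed switch behaviour is compared. The following is an added example, not part of the Security Target or of any Cisco code; the Port fields, the function names and the sample ports are hypothetical, and it assumes that any flow not explicitly authorized above is denied and that Layer 3 permitted flows (FDP_IFF.1(2)) are out of scope.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    vlan: int                        # VLAN the port is configured in
    pvlan: Optional[int] = None      # PVLAN id, None when the port is not in a PVLAN
    role: Optional[str] = None       # "promiscuous", "isolated" or "community"
    community: Optional[int] = None  # community id when role == "community"

def l2_flow_permitted(src: Port, dst: Port, frame_vlan: Optional[int] = None) -> bool:
    """Return True if a frame entering src may be forwarded out of dst at Layer 2."""
    if src.pvlan is None:
        # FDP_IFF.1.5(1): the frame's VLAN tag must match the ingress port's VLAN.
        if frame_vlan is not None and frame_vlan != src.vlan:
            return False
        # FDP_IFF.1.2(1): source and destination ports are in the same VLAN.
        # Assumption: a non-PVLAN port does not reach PVLAN member ports.
        return dst.pvlan is None and dst.vlan == src.vlan
    if dst.pvlan != src.pvlan:
        return False  # ports outside the PVLAN (assumed denied for every role)
    if src.role == "promiscuous":
        return True   # all ports within the same PVLAN
    if src.role == "isolated":
        return dst.role == "promiscuous"
    if src.role == "community":
        same_community = dst.role == "community" and dst.community == src.community
        return dst.role == "promiscuous" or same_community
    return False      # unknown role: fail closed

def flow_matrix(ports):
    """Expected permit/deny for every ordered pair of distinct ports."""
    return {(s.name, d.name): l2_flow_permitted(s, d)
            for s in ports for d in ports if s is not d}

# Constructed sample topology (not taken from the Security Target).
SAMPLE_PORTS = [
    Port("P1", 100, pvlan=100, role="promiscuous"),
    Port("I1", 101, pvlan=100, role="isolated"),
    Port("I2", 101, pvlan=100, role="isolated"),
    Port("C1", 102, pvlan=100, role="community", community=1),
    Port("C2", 102, pvlan=100, role="community", community=1),
    Port("C3", 103, pvlan=100, role="community", community=2),
    Port("A1", 10), Port("A2", 10), Port("B1", 20),
]

if __name__ == "__main__":
    for pair, ok in sorted(flow_matrix(SAMPLE_PORTS).items()):
        print(pair, "permit" if ok else "deny")
```

The resulting matrix can serve as the expected-result column of a PVLAN separation test plan: each observed forwarding result that differs from it is a finding.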