System information
Cisco Cat3K ST 6 June 2012
a) security attributes of controlled subjects:
• VLAN ID
• VLAN access-map containing one or more map sequences each with a match clause and an action clause
b) security attributes of controlled information:
• Ethernet frame header attributes (when MAC ACLs are specified in a match clause)
  o source MAC address identified within the packet;
  o destination MAC address identified in the packet;
  o EtherType (e.g. 0x0800 for IPv4)
• IP packet header attributes (when ACLs are specified in a match clause):
  o source IP address identified within the packet;
  o destination IP address identified within the packet;
  o transport layer protocol number (e.g. UDP, TCP)].
FDP_IFF.1.2(3) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
• all the information security attribute values are unambiguously permitted by the information flow security policy rules (VACLs), where such rules may be composed from all possible combinations of the values of the information flow security attributes, created by the authorized administrator].
FDP_IFF.1.3(3) The TSF shall enforce the [if an empty or undefined ACL is specified in the match clause of the access-map, any packet/frame will match the match clause, and the action defined in the associated action clause will be taken for all packets/frames].
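The match-all rule in FDP_IFF.1.3(3) means a misspelled or never-created ACL name in a match clause turns that map sequence into a catch-all. The Python model below is an added example, not part of the Security Target or of Cisco's implementation; the ACL names, addresses, simplified ACL entry format, action names and the drop-when-nothing-matches default are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ACLs: each entry is a dict of header attributes that must all
# equal the frame's values; an attribute left out of an entry is a wildcard.
ACLS = {
    "MGMT-HOSTS": [{"src_ip": "10.0.0.5", "proto": 6}],  # TCP from one host
    "ARP-ONLY": [{"ethertype": 0x0806}],
    "EMPTY": [],                                         # defined, no entries
}

@dataclass
class Sequence:
    number: int
    acl_name: Optional[str]  # ACL named in the match clause
    action: str              # "forward" or "drop" (assumed action names)

def acl_matches(acl_name, frame, acls):
    entries = acls.get(acl_name)  # None when the ACL is undefined
    if not entries:               # FDP_IFF.1.3(3): empty or undefined ACL
        return True               # ... matches every packet/frame
    return any(all(frame.get(k) == v for k, v in e.items()) for e in entries)

def evaluate(access_map, frame, acls=ACLS):
    """Return (action, sequence number) for a frame in the VLAN."""
    for seq in sorted(access_map, key=lambda s: s.number):
        if acl_matches(seq.acl_name, frame, acls):
            return seq.action, seq.number
    # Assumption: a frame no sequence matched is not unambiguously permitted.
    return "drop", None

def audit(access_map, acls=ACLS):
    """List sequences whose match clause names an empty or undefined ACL."""
    return [(s.number, s.acl_name, s.action)
            for s in access_map if not acls.get(s.acl_name)]

# Constructed sample frame: UDP from a host that is not the management host.
SAMPLE_FRAME = {"src_mac": "00:00:5e:00:53:01", "dst_mac": "00:00:5e:00:53:02",
                "ethertype": 0x0800, "src_ip": "192.0.2.77",
                "dst_ip": "10.0.0.9", "proto": 17}

GOOD_MAP = [Sequence(10, "MGMT-HOSTS", "forward"), Sequence(20, "ARP-ONLY", "forward")]
# Same map with the ACL name misspelled, so sequence 10 names an undefined ACL.
TYPO_MAP = [Sequence(10, "MGMT-HOST", "forward"), Sequence(20, "ARP-ONLY", "forward")]

if __name__ == "__main__":
    print(evaluate(GOOD_MAP, SAMPLE_FRAME), evaluate(TYPO_MAP, SAMPLE_FRAME))
    print(audit(TYPO_MAP))
```

Running `audit` over every access-map before it is applied to a VLAN catches the catch-all sequence that `evaluate` shows forwarding the sample frame.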
FDP_IFF.1.4(3) The TSF shall explicitly authorize an information flow based on the following rules: [IGMP packets are not checked against