System information
Cisco Cat3K ST    6 June 2012 
TOE SFRs  How the SFR is Met 
The administrator can set the severity level of the audit records to be displayed on the 
console or sent to the syslog server. For instance, all emergency, alert, critical, 
error, and warning messages (severities 0 to 4) can be sent to the console, alerting the 
administrator that some action needs to be taken, as these message types mean that the 
functionality of the switch is affected. All notification and informational messages 
(severities 5 and 6) can be sent to the syslog server, since such messages are for 
information only; switch functionality is not affected. Note that audit records are 
transmitted in the clear to the syslog server, though it is stated that the syslog server 
is attached to the internal (trusted) network. 
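The severity split described above can be checked against a captured “show logging” buffer. The following is an added example written for this page, not code from the Security Target or from Cisco: it parses the %FACILITY-SEVERITY-MNEMONIC tag IOS puts on each message and reports which destination a message would reach under the console and trap levels the ST describes. Note that IOS “logging console” and “logging trap” levels are thresholds (a message is sent when its severity number is at or below the configured level), so the 0–4 console messages also reach the syslog server when the trap level is informational. The LINK-3 and SYS-5 lines in the sample buffer are constructed in standard IOS message format; the NTP and IPACCESSLOGS lines are taken from the output later on this page.

```python
import re
from typing import Dict, List, Optional

# Cisco IOS severity levels; the ST groups 0-4 as console-worthy (switch
# functionality affected) and 5-6 as informational traffic for the syslog server.
SEVERITY_NAMES: Dict[int, str] = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS messages carry %FACILITY-SEVERITY-MNEMONIC after an optional timestamp,
# e.g. "00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1".
IOS_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)\s*:\s*(?P<text>.*)$"
)


def parse_ios_message(line: str) -> Optional[Dict[str, object]]:
    """Return facility/severity/mnemonic/text for an IOS syslog line, or None
    when the line has no %FAC-SEV-MNEMONIC tag (e.g. raw debug output)."""
    m = IOS_MSG_RE.search(line)
    if m is None:
        return None
    sev = int(m["severity"])
    return {
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnemonic"],
        "text": m["text"].strip(),
    }


def destinations(severity: int, console_level: int = 4, trap_level: int = 6) -> List[str]:
    """Destinations a message of this severity reaches. 'logging console <level>'
    and 'logging trap <level>' are thresholds: a message is sent when its severity
    number is <= the configured level. Defaults model the ST's split: console gets
    0-4 (warnings and more severe), the syslog server gets 0-6 (informational)."""
    out: List[str] = []
    if severity <= console_level:
        out.append("console")
    if severity <= trap_level:
        out.append("syslog")
    return out


def classify_buffer(lines, console_level: int = 4, trap_level: int = 6) -> Dict[str, List[str]]:
    """Bucket a 'show logging' buffer by destination. Lines without a severity
    tag are reported separately so they are not silently lost in review."""
    buckets: Dict[str, List[str]] = {"console": [], "syslog": [], "unparsed": []}
    for line in lines:
        msg = parse_ios_message(line)
        if msg is None:
            buckets["unparsed"].append(line)
            continue
        tag = f"{msg['facility']}-{msg['severity']}-{msg['mnemonic']}"
        for dest in destinations(msg["severity"], console_level, trap_level):
            buckets[dest].append(tag)
    return buckets


# Constructed sample buffer: first and last lines are from the show logging
# output on this page; the two middle lines are constructed in IOS format.
SAMPLE_BUFFER = [
    "00:00:48: NTP: authentication delay calculation problems",
    "00:03:12: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "00:05:40: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1",
]

if __name__ == "__main__":
    for dest, tags in classify_buffer(SAMPLE_BUFFER).items():
        print(dest, tags)
```

Running the block shows that the LINK-3 message lands in both buckets, the SYS-5 and SEC-6 messages only in the syslog bucket, and the NTP debug line in neither, which is the kind of untagged line a log-review process has to account for separately.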
For audit records of IP packets denied by VACLs (FDP_IFF.1(3)), the first 
packet of a denied traffic flow is logged. Subsequent messages for the same 
denied traffic flow are summary messages containing a count of denied packets 
of that same traffic flow. Though summary messages contain a timestamp for 
when the summary message was generated, they do not include a timestamp for 
when each counted packet was denied. Summary messages are generated at 
5-minute intervals, or sooner if a packet-count “threshold” is reached (defined 
using the “vlan access-log threshold <packet-count>” command). A separate “log 
table” is used to count packets for active traffic flows. This log table will 
count up to 2048 packets. The log table size can be set with the “vlan 
access-log maxflow <number>” command, and setting the size to 0 will clear the 
table. Packets are removed from the log table when their summary message is 
written to syslog. If the log table is full, packets for new flows will not be 
counted, and so do not appear in any audit record. For VACL logging, a flow is 
defined as packets with the same IP addresses and Layer 4 (UDP or TCP) port 
numbers. 
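The log-table behaviour described above determines what an auditor can and cannot recover from VACL records. The following is an added example written for this page, not Cisco’s implementation or code from the Security Target: a small Python model of the table that logs the first packet of a flow, counts later packets per flow, writes summaries at the 5-minute interval or when the threshold is hit, and drops new flows while the table is full. The message text, the flow key’s protocol field, and the scenario values (maxflow 1, threshold 3) are constructed for the example; only the behaviour the ST describes is modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SUMMARY_INTERVAL_SEC = 5 * 60  # summary messages are generated at 5-minute intervals

# The ST defines a VACL logging flow by IP addresses and Layer 4 port numbers.
# The L4 protocol is included here as an assumption so TCP and UDP flows to the
# same port number are not merged.
FlowKey = Tuple[str, str, str, int, int]  # (src_ip, dst_ip, l4proto, sport, dport)


@dataclass
class FlowEntry:
    first_seen: float
    count: int = 0  # denied packets since the first (individually logged) packet


@dataclass
class VaclLogTable:
    """Model of the per-flow log table behind VACL logging (hypothetical
    message formats; only the behaviour described in the ST is modelled)."""
    maxflow: int = 2048   # "vlan access-log maxflow <number>"
    threshold: int = 0    # "vlan access-log threshold <packet-count>"; 0 = interval only
    flows: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    messages: List[str] = field(default_factory=list)
    uncounted_packets: int = 0  # denied while the table was full: never audited
    last_summary: float = 0.0

    @staticmethod
    def _fmt(key: FlowKey) -> str:
        src, dst, proto, sport, dport = key
        return f"{proto} {src}:{sport} -> {dst}:{dport}"

    def set_maxflow(self, size: int) -> None:
        # Per the ST text, setting the table size to 0 clears the table.
        self.maxflow = size
        if size == 0:
            self.flows.clear()

    def deny(self, key: FlowKey, ts: float) -> None:
        """Record one packet denied by a VACL at time ts (seconds)."""
        entry = self.flows.get(key)
        if entry is None:
            if len(self.flows) >= self.maxflow:
                # Table full: new flows are not counted, so this packet leaves
                # no trace in the audit trail at all.
                self.uncounted_packets += 1
                return
            self.flows[key] = FlowEntry(first_seen=ts)
            # Only the first packet of a flow gets its own timestamped record.
            self.messages.append(f"{ts:.0f}: VACL denied {self._fmt(key)} (first packet)")
            return
        entry.count += 1
        if self.threshold and entry.count >= self.threshold:
            self._summarize(key, ts)  # threshold reached: summarise early

    def tick(self, now: float) -> None:
        """Call with the current time; flushes summaries when the interval elapses."""
        if now - self.last_summary >= SUMMARY_INTERVAL_SEC:
            for key in list(self.flows):
                self._summarize(key, now)
            self.last_summary = now

    def _summarize(self, key: FlowKey, now: float) -> None:
        # The summary carries the generation time only; the individual packet
        # times are lost, and the flow is removed from the table once written.
        entry = self.flows.pop(key)
        if entry.count:
            self.messages.append(
                f"{now:.0f}: VACL summary {self._fmt(key)}: {entry.count} packet(s) denied "
                f"since {entry.first_seen:.0f} (no per-packet timestamps)"
            )


def run_scenario() -> VaclLogTable:
    """Constructed scenario: a one-entry table and a threshold of 3, to show both
    the early summary and the packets lost while the table is full."""
    table = VaclLogTable(maxflow=1, threshold=3)
    telnet = ("10.1.1.5", "10.2.2.9", "tcp", 40000, 23)
    snmp = ("10.1.1.6", "10.2.2.9", "udp", 53000, 161)
    table.deny(telnet, 0)       # first packet: logged individually
    table.deny(snmp, 1)         # table full: never counted or logged
    for ts in (2, 3, 4):
        table.deny(telnet, ts)  # third repeat hits the threshold at t=4
    table.deny(snmp, 5)         # table has room again: logged as a first packet
    table.deny(snmp, 6)
    table.tick(299)             # interval not yet elapsed: nothing written
    table.tick(300)             # interval elapsed: snmp summary written, table emptied
    return table


if __name__ == "__main__":
    t = run_scenario()
    print("\n".join(t.messages))
    print("packets never audited:", t.uncounted_packets)
```

The scenario produces four log lines for eight denied packets, and one packet that never appears anywhere because the table was full when it arrived. When sizing “vlan access-log maxflow” for an evaluated configuration, that uncounted figure, not the message count, is the quantity to keep at zero.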
Following is a sample of an ACL configured with logging and the resulting log output. 
In this example, the standard named access list stan1 denies traffic from 10.1.1.0 
0.0.0.255, permits traffic from all other sources, and includes the log keyword on both 
entries. Note that this example applies a standard IP ACL with the log keyword to an 
interface rather than configuring a VACL. 
Switch(config)# ip access-list standard stan1 
Switch(config-std-nacl)# deny 10.1.1.0 0.0.0.255 log 
Switch(config-std-nacl)# permit any log 
Switch(config-std-nacl)# exit 
Switch(config)# interface gigabitethernet0/1 
Switch(config-if)# ip access-group stan1 in 
Switch(config-if)# end 
Switch# show logging 
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) 
 Console logging: level debugging, 37 messages logged 
 Monitor logging: level debugging, 0 messages logged 
 Buffer logging: level debugging, 37 messages logged 
 File logging: disabled 
 Trap logging: level debugging, 39 message lines logged 
Log Buffer (4096 bytes): 
00:00:48: NTP: authentication delay calculation problems 
<output truncated> 
00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 