System information
Cisco Cat3K ST 6 June 2012
48
TOE SFRs How the SFR is Met
packet
00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet
00:10:11:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
00:15:33:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 2009 packets
This example is a named extended access list ext1 that permits ICMP packets
from any source to 10.1.1.0 0.0.0.255 and denies all UDP packets.
Switch(config)# ip access-list extended ext1
Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log
Switch(config-ext-nacl)# deny udp any any log
Switch(config-ext-nacl)# exit
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# ip access-group ext1 in
This is an example of a log for an extended IP ACL:
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets
Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG
with minor variations in format depending on the kind of ACL and the access
entry that has been matched.
This is an example of an output message when the log-input keyword is entered:
00:04:21:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 (Vlan1 0001.42ef.a400) -> 10.1.1.61 (0/0), 1 packet
A log message for the same sort of packet using the log keyword does not
include the input interface information:
00:05:47:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 -> 10.1.1.61 (0/0), 1 packet
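As an added illustration (not part of the Security Target), the following parser shows how an audit collector can take the %SEC-6-IPACCESSLOG variants above apart: the S/P/DP suffix, the ACL name and action, the addresses and ports, the optional "(interface mac)" pair that only log-input produces, and the per-interval packet count. The sample lines are constructed to match the formats shown on this page.

```python
import re
from collections import Counter

# Constructed sample lines shaped like the %SEC-6-IPACCESSLOG messages above (standard,
# extended ICMP, extended UDP with ports, and one entry logged with log-input).
SAMPLE_LOG = """\
00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet
00:15:33:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 2009 packets
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets
00:04:21:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 (Vlan1 0001.42ef.a400) -> 10.1.1.61 (0/0), 1 packet
"""
# Shared shape; the mnemonic suffix says which ACL kind logged it:
# S = standard (source only), P = extended with ports, DP = other extended (e.g. ICMP).
_HEAD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):%SEC-6-IPACCESSLOG(?P<variant>S|DP|P):"
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<rest>.*?),? (?P<count>\d+) packets?$"
)
# Extended body "<proto> <src>[(port)][ (<intf> <mac>)] -> <dst>[(port)][ (type/code)]"; "(intf mac)" only with log-input.
_EXT = re.compile(
    r"^(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<extra>[^)]*)\))?$"
)

def parse_line(line):
    """Return the fields of one IPACCESSLOG line as a dict, or None if it is not one."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "variant", "acl", "action")}
    rec["count"] = int(m.group("count"))
    if rec["variant"] == "S":  # standard ACL: only the source address is logged
        rec.update(proto=None, src=m.group("rest"), sport=None, dst=None, dport=None, intf=None, mac=None)
        return rec
    e = _EXT.match(m.group("rest"))
    if not e:
        return None
    rec.update({k: e.group(k) for k in ("proto", "src", "sport", "dst", "dport", "intf", "mac")})
    return rec

def denied_packets_by_source(log_text):
    """Sum denied packet counts per (acl, source); the count field is a per-interval
    total, so summing it counts packets matched rather than log lines seen."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return dict(totals)
```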
For the FIPS crypto tests, the messages are displayed on the console. Once the box is up and operational and the crypto self-test command is entered, the messages are displayed on the console and are also logged.
Auditable Event | Rationale
All decisions on requests for information flow through ACLs, and requests denied by VACLs. | The decisions as a result of attempting to send traffic (data) are logged, along with the origin or source of the attempt.
All use of the user identification mechanism. | Events will be generated for attempted identification/