System information

Cisco Cat3K ST, 6 June 2012, page 60

TOE SFRs: How the SFR is Met
tables are used to determine which egress ACL is applied, the authority to modify the routing tables is restricted to authenticated administrators, and authenticated neighbor routers.
FDP_IFC.1(3) / FDP_IFF.1(3)

Unlike regular Cisco IOS ACLs (discussed in FDP_IFF.1(2)), which are configured on Layer 3 interfaces only and are applied to routed packets only, VACLs apply to all packets and can be applied to any VLAN. As with ACLs for Layer 3 interfaces discussed in FDP_IFF.1(2), the TOE controls the flow of IP traffic by matching information contained in the headers of connection-oriented or connection-less IP packets against a set of rules specified by the authorized administrator in the IP flow control policies.

VACLs provide access control for packets that traverse the VLANs to which VACLs are applied, whether bridged within a VLAN or routed into or out of a VLAN.

o When a VACL is applied to a VLAN, all packets traversing a port in that VLAN are checked against this VACL.
o When a VACL is applied to a VLAN, and an ACL is applied to a routed interface in that VLAN, a packet entering the TOE through a port in the VLAN is first checked against the VACL and, if permitted, is then checked against the inbound/ingress ACL applied to the routed interface per FDP_IFF.1(2).
o When the packet is routed within the TOE to another VLAN, it is first checked against the outbound/egress ACL applied to the routed interface per FDP_IFF.1(2) and, if permitted, is then checked against the VACL configured for the destination VLAN.

To illustrate the above description, the following example shows how to define a VLAN access map vmap4 and apply it to VLANs 5 and 6, so that the VLAN forwards an IP packet if the packet matches the conditions defined in access list al2:

    Switch(config)# vlan access-map vmap4
    Switch(config-access-map)# match ip address al2
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Switch(config)# vlan filter vmap4 vlan-list 5-6
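As an added illustration (not part of the ST and not Cisco code), the following Python model applies the four checks above in the order the ST describes to a packet routed from one VLAN to another, reporting which stage dropped it. The names vmap4 and al2 come from the page; the prefixes, the SVI ACL "svi5-in" and the implicit drop of a packet that matches no access-map entry are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str           # source IPv4 address
    dst: str           # destination IPv4 address
    ingress_vlan: int  # VLAN of the port the packet arrives on
    egress_vlan: int   # VLAN the packet is routed into

# ACL entry: (action, src prefix, dst prefix); access-map entry: (ACL name, "forward" or "drop").
def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry wins; an applied ACL with no match denies (implicit deny)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for action, src_net, dst_net in acl:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return action == "permit"
    return False

def vacl_forwards(access_map: list, acls: dict, pkt: Packet) -> bool:
    """A packet hit by a permit entry of the matched ACL takes that map entry's action.
    Model assumption: an applied access map that matches nothing drops the packet."""
    for acl_name, action in access_map:
        if acl_permits(acls[acl_name], pkt):
            return action == "forward"
    return False

def evaluate(pkt: Packet, acls: dict, vlan_filters: dict, acl_in: dict, acl_out: dict):
    """Return (forwarded, stage): stage is the first check that dropped the packet, in the
    order the ST gives for a routed packet, or "forwarded". Unfiltered VLANs/interfaces pass."""
    vacl_ok = lambda vlan: vlan not in vlan_filters or vacl_forwards(vlan_filters[vlan], acls, pkt)
    acl_ok = lambda table, vlan: vlan not in table or acl_permits(table[vlan], pkt)
    stages = [
        ("vacl-ingress-vlan", lambda: vacl_ok(pkt.ingress_vlan)),      # VACL of the ingress VLAN
        ("acl-inbound", lambda: acl_ok(acl_in, pkt.ingress_vlan)),     # ingress ACL on routed interface
        ("acl-outbound", lambda: acl_ok(acl_out, pkt.egress_vlan)),    # egress ACL on routed interface
        ("vacl-destination-vlan", lambda: vacl_ok(pkt.egress_vlan)),   # VACL of the destination VLAN
    ]
    for name, check in stages:
        if not check():
            return (False, name)
    return (True, "forwarded")

# Constructed sample configuration mirroring the page's CLI: access map vmap4 matches ACL al2
# with action forward and is filtered on VLANs 5 and 6. Prefixes and the SVI ACL are made up.
ACLS = {"al2": [("permit", "10.5.0.0/16", "10.6.0.0/16")],
        "svi5-in": [("deny", "10.5.0.0/16", "10.6.0.99/32"), ("permit", "0.0.0.0/0", "0.0.0.0/0")]}
VLAN_FILTERS = {5: [("al2", "forward")], 6: [("al2", "forward")]}
ACL_IN, ACL_OUT = {5: ACLS["svi5-in"]}, {}
```

Calling evaluate() with a packet from VLAN 7 (no filter) into VLAN 6 shows the destination-VLAN VACL still applying, which the third bullet above describes.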
FDP_RIP.2

The TOE ensures that packets transmitted from the TOE do not contain residual information from previous packets. Packets that are shorter than the required length are padded with zeros. Residual data is never transmitted from the TOE. Once packet handling is completed, the packet's content is overwritten before the memory buffer which previously contained it is reused. This applies to both data plane traffic and administrative session traffic.
FIA_ATD.1

The TOE maintains and manages the following user security attributes: user identity, privilege level, and password. The user name and password are used by the TOE to identify and authenticate an administrator wishing to gain access to the TOE management functionality. The privilege level is used by the TOE to allow an authenticated user to assume a predefined TOE privilege level and perform specific management functions.

For neighbor routers, which do not have access to the interactive admin interface, the attributes maintained are IP address and password, which are used to authenticate the remote router for exchange of routing table information.
FIA_UAU.2

The TOE requires all users to be successfully identified and authenticated before