Nokia Service Router OS 25.x Layer 2 Switch Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Date: 2026-06-15Version: 1
Description
V-283678highThe Nokia layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.Controlling local area network (LAN) access via 802.1x authentication can help prevent a malicious user from connecting an unauthorized personal computer to a switch port to inject or receive data from the network without detection. Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016
V-283679mediumThe Nokia layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance. This denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures must be taken to mitigate the effects of a successful volumetric attack to ensure sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).
V-283681mediumThe Nokia layer 2 switch must have Spanning Tree Protocol (STP) loop guard enabled on all nondesignated STP switch ports.The STP loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. In its operation, STP relies on continuous reception and transmission of Bridge Protocol Data Units (BPDUs) based on the port role. The designated port transmits BPDUs, and the nondesignated port receives BPDUs. When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes a designated port and moves to a forwarding state. This situation creates a loop. The loop guard feature makes additional checks. If BPDUs are not received on a nondesignated port and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state. Satisfies: SRG-NET-000362-L2S-000023, SRG-NET-000362-L2S-000022
V-283682mediumThe Nokia layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) enabled.Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the virtual local area network (VLAN) number and the destination Media Access Control (MAC) address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer switch and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame will be sent to all forwarding ports within the respective VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or complete connectivity outage to the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. To mitigate the risk of a connectivity outage, the Unknown Unicast Flood Blocking (UUFB) feature must be implemented on all access layer switches. The UUFB feature will block unknown unicast traffic flooding and only permit egress traffic with MAC addresses that are known to exit on the port.
V-283683mediumThe Nokia layer 2 switch must have Dynamic Host Configuration Protocol (DHCP) snooping for all user virtual local area networks (VLANs) to validate DHCP messages from untrusted sources.In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on the network on an untrusted port is called a spurious DHCP server. This includes any device (personal computer, wireless access point) that is loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports. The DHCP snooping feature validates DHCP messages received from untrusted sources, filters out invalid messages, and rate-limits DHCP traffic from trusted and untrusted sources. The DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and uses the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Therefore, it is imperative that the DHCP snooping feature is enabled on all VLANs.
V-283684mediumThe Nokia layer 2 switch must provide source Internet Protocol (IP) address filtering on untrusted layer 2 interfaces.Source IP address filtering on a layer 2 port prevents a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses Dynamic Host Configuration Protocol (DHCP) snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access ports. Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
V-283685mediumThe Nokia layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user virtual local area networks (VLANs).DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the Dynamic Host Configuration Protocol (DHCP) snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
V-283688mediumThe Nokia layer 2 switch must implement Rapid Spanning Tree Protocol (RSTP) where virtual local area networks (VLANs) span multiple switches with redundant links.STP is implemented on bridges and switches to prevent layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant links are provisioned to provide high availability in case of link failures. Convergence time can be reduced significantly using RSTP (802.1w) instead of STP (802.1d), resulting in improved availability. RSTP should be deployed by implementing either Rapid Per-VLAN Spanning Tree (Rapid-PVST) or Multiple Spanning Tree Protocol (MSTP). The latter scales much better when there are many VLANs.
V-283689mediumThe Nokia layer 2 switch must enable Ethernet Connectivity Fault Management (ETH-CFM) to protect against one-way connections.In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such a physical misconfiguration occurs, protocols such as Spanning Tree Protocol (STP) can cause network instability. Enabling ETH-CFM is the standard and most effective way to protect a layer 2 service against one-way (unidirectional) connections on a Nokia 7750 SR. The constant, bidirectional exchange of Continuity Check Messages (CCMs) provides an "always-on" monitoring system. It ensures that connectivity is healthy in both directions, detecting silent failures that would be missed by on-demand tests such as a loopback (ping).
V-283690mediumThe Nokia layer 2 switch must assign all virtual private local area network service (VPLS) ports not in use to an inactive VLAN.A disabled port assigned to a user or management VLAN could be enabled accidentally or by an attacker. As a result, the attacker could gain access to that VLAN as a member. Satisfies: SRG-NET-000512-L2S-000007, SRG-NET-000512-L2S-000009, SRG-NET-000512-L2S-000010, SRG-NET-000512-L2S-000011, SRG-NET-000512-L2S-000012, SRG-NET-000512-L2S-000013
V-283691mediumThe Nokia layer 2 switch must not have the default virtual local area network (VLAN) assigned to any host-facing switch ports.In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP), which is all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
V-283692mediumThe Nokia layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.
V-283680lowThe Nokia layer 2 switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to "0" in an effort to secure the root bridge position. The root guard feature provides a way to enforce the root bridge placement in the network. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state, and no traffic can be forwarded across this port while it is in this state. To enforce the position of the root bridge, it is imperative that root guard is enabled on all ports where the root bridge should never appear.
V-283686lowThe Nokia layer 2 switch must have Storm Control configured on all host-facing switch ports.A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.
V-283687lowThe Nokia layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all virtual local area networks (VLANs).IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts interested in receiving the traffic. This significantly reduces the volume of multicast traffic that would otherwise flood the VLAN.