The Nokia layer 2 switch must have Dynamic Host Configuration Protocol (DHCP) snooping for all user virtual local area networks (VLANs) to validate DHCP messages from untrusted sources.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-283683 | SRG-NET-000362-L2S-000025 | NOKI-L2-000110 | SV-283683r1204077_rule | 2026-06-15 | 1 |
Description
In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources.
An unknown DHCP server on the network on an untrusted port is called a spurious DHCP server. This includes any device (personal computer, wireless access point) that is loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports.
The DHCP snooping feature validates DHCP messages received from untrusted sources, filters out invalid messages, and rate-limits DHCP traffic from trusted and untrusted sources. The DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and uses the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Therefore, it is imperative that the DHCP snooping feature is enabled on all VLANs.
ℹ️ Check
Use the command below for each virtual private local area network service (VPLS) and verify the status of DHCP for all user VLANs:
- show service id 10 dhcp summary
DHCP Summary, service 10
Sap/Sdp Snoop Used/ Arp Reply Info Admin
Provided Agent Option State
sap:1/1/c3/10 Yes 0/1 Yes Keep Up
Number of Entries : 1
If the switch does not have DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources, this is a finding.
✔️ Fix
Configure the switch to have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
Configure DHCP snooping for all user service access points:
- configure service vpls <vpls service id> sap <sap id> dhcp
- snoop
- no shutdown