The Nokia layer 2 switch must provide source Internet Protocol (IP) address filtering on untrusted layer 2 interfaces.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-283684SRG-NET-000362-L2S-000026NOKI-L2-000120SV-283684r1204128_rule2026-06-151

Description

Source IP address filtering on a layer 2 port prevents a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses Dynamic Host Configuration Protocol (DHCP) snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access ports. Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.

ℹ️ Check

Review the router virtual private local area network service (VPLS) configuration and verify an equivalent command for the Dynamic Address Resolution Protocol Inspection feature is enabled on all user virtual local area networks (VLANs). Verify both "DHCP snooping" and "lease populate" options under DHCP result for each service access point (SAP) configured within a VPLS service: - show service id 10 sap 1/1/c3/10 detail | match "Anti Spoofing" Anti Spoofing : Ip-Mac Dynamic Hosts : Enabled Using the same command, verify "Anti Spoofing" is enabled with type IP-MAC. If this is not enabled on all user VLANs, this is a finding.

✔️ Fix

Configure the Nokia router VPLS service to enable DHCP snooping at all points where DHCP messages requiring snooping enter the VPLS service: - configure service vpls <service id> sap <sap id> dhcp snoop Populate the DHCP lease state information extracted from snooped DHCP ACK messages. If the optional number "lease state table entries allowed" is omitted, only a single entry is allowed. Once the maximum number of entries has been reached, subsequent lease state entries are not allowed, and DHCP ACK messages are discarded. - configure service vpls <service id> sap <sap id> dhcp lease-populate <number of DHCP leases allowed> Enable anti-spoof filtering for untrusted VPLS service access points. Anti-spoof type can be ip, ip-mac, or mac. When type "ip" is used, only the source IP address is used in its lookup. The "ip-mac" type uses both the IP address and source MAC address in its lookup, while the "mac" type uses only the source MAC address in its lookup. If an entry does not match the ingress packet, the packet is silently discarded while incrementing the SAP discard counter. - configure service vpls <service id> sap <sap id> anti-spoof <anti-spoof type>