STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Layer 2 Switch Security Technical Implementation Guide

V-283685

CAT II (Medium)

The Nokia layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user virtual local area networks (VLANs).

Rule ID

SV-283685r1204130_rule

STIG

Nokia Service Router OS 25.x Layer 2 Switch Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the Dynamic Host Configuration Protocol (DHCP) snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Check Content

Review the virtual private local area network service (VPLS) configuration and verify an equivalent command for the DAI feature is enabled on all user VLANs.

Verify both "DHCP snooping" and "lease populate" options under DHCP result for each service access point (SAP) within a VPLS service:

-show service id 10 sap 1/1/c3/10 detail | match "Anti Spoofing"
Anti Spoofing      : Ip-Mac                   Dynamic Hosts     : Enabled

- show service id 10 sap 1/1/c3/10 detail | match "ARP Reply Agent"
ARP Reply Agent    : Enabled                  Host Conn Verify  : Disabled

Using the same command, verify "Anti Spoofing" is enabled with type IP-MAC, and "ARP Reply Agent" is also enabled.

If these are not enabled on all user VLANs, this is a finding.

Fix Text

The system evaluates ARP replies and requests received on a SAP with arp-reply-agent enabled against the anti-spoof filter entries associated with the ingress SAP. ARPs from unknown hosts on the SAP are discarded when anti-spoof filtering is enabled.

Configure the Nokia router VPLS service to enable DHCP snooping at all points where DHCP messages requiring snooping enter the VPLS service:

- configure service vpls <service id> sap <sap id> dhcp snoop

Populate the DHCP lease state information extracted from snooped DHCP ACK messages. If the optional number "lease state table entries allowed" is omitted, only a single entry is allowed. Once the maximum number of entries has been reached, subsequent lease state entries are not allowed, and DHCP ACK messages are discarded.

- configure service vpls <service id> sap <sap id> dhcp lease-populate <number of DHCP leases allowed>

Enable anti-spoof filtering for untrusted VPLS service access points. Anti-spoof type can be ip, ip-mac, or mac. 

When type "ip" is used, only the source IP address is used in its lookup. The "ip-mac" type uses both IP address and the source MAC address in its lookup, while the "mac" type uses only the source MAC address in its lookup.

If an entry does not match the ingress packet, the packet is silently discarded while incrementing the SAP discard counter. 

- configure service vpls <service id> sap <sap id> anti-spoof <anti-spoof type>

Enable arp-reply-agent:

- configure service vpls sap <sap id> arp-reply-agent