| V-283678 | | The Nokia layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection. | Controlling local area network (LAN) access via 802.1x authentication can help prevent a malicious user from connecting an unauthorized personal compu... |
| V-283679 | | The Nokia layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to... |
| V-283681 | | The Nokia layer 2 switch must have Spanning Tree Protocol (STP) loop guard enabled on all nondesignated STP switch ports. | The STP loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology ... |
| V-283682 | | The Nokia layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) enabled. | Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the virtual local area network (VLAN... |
| V-283683 | | The Nokia layer 2 switch must have Dynamic Host Configuration Protocol (DHCP) snooping for all user virtual local area networks (VLANs) to validate DHCP messages from untrusted sources. | In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the ne... |
| V-283684 | | The Nokia layer 2 switch must provide source Internet Protocol (IP) address filtering on untrusted layer 2 interfaces. | Source IP address filtering on a layer 2 port prevents a malicious host from impersonating a legitimate host by assuming the legitimate host's IP addr... |
| V-283685 | | The Nokia layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user virtual local area networks (VLANs). | DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and forw... |
| V-283688 | | The Nokia layer 2 switch must implement Rapid Spanning Tree Protocol (RSTP) where virtual local area networks (VLANs) span multiple switches with redundant links. | STP is implemented on bridges and switches to prevent layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant lin... |
| V-283689 | | The Nokia layer 2 switch must enable Ethernet Connectivity Fault Management (ETH-CFM) to protect against one-way connections. | In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mism... |
| V-283690 | | The Nokia layer 2 switch must assign all virtual private local area network service (VPLS) ports not in use to an inactive VLAN. | A disabled port assigned to a user or management VLAN could be enabled accidentally or by an attacker. As a result, the attacker could gain access to ... |
| V-283691 | | The Nokia layer 2 switch must not have the default virtual local area network (VLAN) assigned to any host-facing switch ports. | In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Sp... |
| V-283692 | | The Nokia layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessa... |
| V-283680 | | The Nokia layer 2 switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts. | Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any sw... |
| V-283686 | | The Nokia layer 2 switch must have Storm Control configured on all host-facing switch ports. | A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network ... |
| V-283687 | | The Nokia layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all virtual local area networks (VLANs). | IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within ... |