<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="Nokia_SR_OS_25-x_L2S_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2026-06-15">accepted</status><title>Nokia Service Router OS 25.x Layer 2 Switch Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 1 Benchmark Date: 28 Apr 2026</plain-text><plain-text id="generator">3.5.2</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283678" selected="true" /><select idref="V-283679" selected="true" /><select idref="V-283680" selected="true" /><select idref="V-283681" selected="true" /><select idref="V-283682" selected="true" /><select idref="V-283683" selected="true" /><select idref="V-283684" selected="true" /><select idref="V-283685" selected="true" /><select idref="V-283686" selected="true" /><select idref="V-283687" selected="true" /><select idref="V-283688" selected="true" /><select idref="V-283689" selected="true" /><select idref="V-283690" selected="true" /><select idref="V-283691" selected="true" /><select idref="V-283692" selected="true" /></Profile><Group id="V-283678"><title>SRG-NET-000148-L2S-000015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283678r1204062_rule" weight="10.0" severity="high"><version>NOKI-L2-000020</version><title>The Nokia layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.</title><description>&lt;VulnDiscussion&gt;Controlling local area network (LAN) access via 802.1x authentication can help prevent a malicious user from connecting an unauthorized personal computer to a switch port to inject or receive data from the network without detection.

Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-88148r1204061_fix">Configure 802.1 x authentications on all host-facing access switch ports. To authenticate devices that do not support 802.1x, Media Access Control (MAC) Authentication Bypass must be configured.

Configure dot1x radius policy:

- exit all
- configure system security dot1x radius-plcy &lt;policy name&gt; create
- server &lt;server index&gt; address &lt;server ip address&gt; secret &lt;secret key&gt;
- source-address &lt;source address of the radius packet&gt;
- no shutdown

Configure port dot1x authentication parameters:

- configure port &lt;port id&gt; ethernet dot1x 
- radius-plcy &lt;policy name&gt;
- port-control auto
- per-host-authentication 
- allowed-source-macs &lt;mac address&gt;
- no shutdown</fixtext><fix id="F-88148r1204061_fix" /><check system="C-88243r1204060_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Verify Nokia router configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. The 802.1x authentication is not required for switch ports connected to devices that do not support an 802.1x supplicant.

For 7750 nodes, use the command below to verify dot1x "Authentication" status and list of "Allowed hosts" and "Disallowed hosts" is correct:

- show system security dot1x

Verify dot1x is enabled and configured for each port:

- show port 1/1/c3/10 dot1x

802.1x Port Status

Port control            : auto
Port status             : authorized
Authenticator PAE state : authenticated
Backend state           : idle
Reauth enabled          : no           Reauth period         : N/A
Max auth requests       : 2            Transmit period       : 30
Supplicant timeout      : 30           Server timeout        : 30
Quiet period            : 60
Radius policy           : test
Radius server plcy auth : N/A
Radius server plcy acct : N/A
Untagged tunneling      : false
Dot1q tunneling         : true
Qinq tunneling          : true
Per-host authentication : enabled
MAC-based authentication: disabled
Authenticator Initiation: true
Allowed hosts           : 1 (max 100)
Disallowed hosts        : 1
Admin-state             : enabled

If 802.1x authentication is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.</check-content></check></Rule></Group><Group id="V-283679"><title>SRG-NET-000193-L2S-000020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283679r1204137_rule" weight="10.0" severity="medium"><version>NOKI-L2-000040</version><title>The Nokia layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.</title><description>&lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance. This denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets.

Measures must be taken to mitigate the effects of a successful volumetric attack to ensure sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001095</ident><fixtext fixref="F-88149r1204125_fix">Implement a QoS policy for traffic prioritization and bandwidth reservation. This policy must enforce the traffic priorities specified by the CC/S/As.

Following is one of multiple ways to create a QoS policy. 

Configure sap-ingress and/or sap-egress QoS policies:

- configure qos sap-ingress &lt;id&gt; create
- configure qos sap-egress &lt;id&gt; create

For each sap-ingress and sap-egress QoS policy, create as many policers as needed:

- policer &lt;policer  id&gt; create
- percent-rate &lt;value&gt; cir &lt;value&gt;
- mbs &lt;value in kbytes&gt;
- cbs &lt;value in kbytes&gt;
- back

Create as many forwarding classes as needed. Forwarding classes can be created using ip-criteria, Differentiated Services Code Point (DSCP) bits in IP header, Precedence bits (IP header), and dot1p bits (Ethernet header). Because this is a layer 2 switch requirement, the example below is using dot1p bits:

- fc &lt;forwarding class&gt; create
- policer &lt;policer id&gt;
- back
- dot1p &lt;dot1p value&gt; fc &lt;forwarding class&gt; priority {low or high} 
- exit

For network policy, copy the default network policy 1 into a new network policy and modify parameters as needed:

- configure qos copy network 1 &lt;network policy id&gt;

To list the entries in the network policy created:

- configure qos network &lt;network policy id&gt;
- info detail

Modify the parameters as needed, or use the "no" form of the command to remove them from the configuration.

Configure network QoS queues:

- configure qos network-queue &lt;network queue id&gt; create 
- queue &lt;queue id&gt; &lt;queue type&gt; create 
- rate &lt;pir percent&gt; cir &lt;cir percent&gt; fir &lt;fir percent&gt;
- mbs &lt;percentage&gt;
- cbs &lt;percentage&gt;

Configure as many queues as needed.

Create as many forwarding classes as needed and assign a queue to them:

- fc &lt;name of forwarding class&gt; create
- multicast-queue &lt;queue id&gt;
- queue &lt;queue id&gt; 

QoS policies are applied at the ingress or egress of the access and network ports.

For access interfaces:

- configure service &lt;service id&gt; sap &lt;sap id&gt; ingress qos &lt;sap ingress qos policy id&gt;
- configure service &lt;service id&gt; sap &lt;sap id&gt; egress qos &lt;sap egress  qos policy id&gt;

For network interfaces:

- configure router interface &lt;interface name&gt;  qos &lt;network qos policy id&gt;</fixtext><fix id="F-88149r1204125_fix" /><check system="C-88244r1204124_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the Nokia router configuration to verify QoS has been enabled to ensure sufficient capacity is available for mission-critical traffic such as voice and enforce the traffic priorities specified by the Combatant Commands/Services/Agencies (CC/S/As).

Nokia routers have default QoS policy "1" applied to all ports and service access points (SAPs). Based on the network requirements, another QoS policy should be defined and applied to all ports. 

Use the commands below to verify the QoS policies defined and where the policies are applied:

For sap-ingress policies:

- show qos sap-ingress association

Associations

Service-Name   : 10
Service-Id     : 10 (VPLS)                    Customer-Id  : 1
 - SAP : 1/1/c3/10

For sap-egress policies:

- show qos sap-egress association

Associations

Service-Name   : 900
Service-Id     : 900 (VPLS)             Customer-Id        : 1
 - SAP : lag-4:900

For network policies:

- queue &lt;queue id&gt;
- show qos network &lt;policy id&gt; detail

Interface Association

Interface      : to-sr-1-24d-a
IP Addr.         : 192.168.1.2/30         Port Id          : 1/1/c9/1
IPv6 Addr.     : 2001:400:0:3::2/64
Interface      : to-sr-1-24d-b
IP Addr.         : 192.168.2.1/30         Port Id          : 1/1/c10/1

- show qos network-queue association

Port-id : 1/1/c3/1
Port-id : 1/1/c3/2
Port-id : 1/1/c3/3
Port-id : 1/1/c3/4

If the switch is not configured to implement a QoS policy, this is a finding.</check-content></check></Rule></Group><Group id="V-283680"><title>SRG-NET-000362-L2S-000021</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283680r1204068_rule" weight="10.0" severity="low"><version>NOKI-L2-000070</version><title>The Nokia layer 2 switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.</title><description>&lt;VulnDiscussion&gt;Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to "0" in an effort to secure the root bridge position.

The root guard feature provides a way to enforce the root bridge placement in the network. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state, and no traffic can be forwarded across this port while it is in this state. To enforce the position of the root bridge, it is imperative that root guard is enabled on all ports where the root bridge should never appear.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-88150r1204067_fix">Configure the virtual private local area network service (VPLS) to have Root Guard enabled on all switch ports connecting to access layer switches and hosts.

Enable root guard for configured VPLS access ports where required using the command below:

- configure service vpls &lt;vpls service id&gt; 
- sap &lt;port id:vlan tag&gt;
- stp root-guard</fixtext><fix id="F-88150r1204067_fix" /><check system="C-88245r1204066_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the switch topology and the configuration to verify Root Guard is enabled on all switch ports connecting to access layer switches and hosts.

Use the command below for each port connecting to access layer switches and verify "Root Guard" is enabled:

- show service id 10 sap 1/1/c3/10 stp | match "Root Guard"
Root Guard         : Enabled                  Active Protocol   : N/A

If the switch has not enabled Root Guard on all switch ports connecting to access layer switches and hosts, this is a finding.</check-content></check></Rule></Group><Group id="V-283681"><title>SRG-NET-000362-L2S-000023</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283681r1204071_rule" weight="10.0" severity="medium"><version>NOKI-L2-000090</version><title>The Nokia layer 2 switch must have Spanning Tree Protocol (STP) loop guard enabled on all nondesignated STP switch ports.</title><description>&lt;VulnDiscussion&gt;The STP loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. In its operation, STP relies on continuous reception and transmission of Bridge Protocol Data Units (BPDUs) based on the port role. 

The designated port transmits BPDUs, and the nondesignated port receives BPDUs. When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. 

Eventually, the blocking port from the alternate or backup port becomes a designated port and moves to a forwarding state. This situation creates a loop. The loop guard feature makes additional checks. If BPDUs are not received on a nondesignated port and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state.

Satisfies: SRG-NET-000362-L2S-000023, SRG-NET-000362-L2S-000022&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-88151r1204070_fix">Configure the Nokia router VPLS service to disable STP for untrusted ports:

- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; stp shutdown</fixtext><fix id="F-88151r1204070_fix" /><check system="C-88246r1204069_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the router configuration to verify BPDU Guard is enabled on the virtual private local area network service (VPLS) for all user-facing or untrusted access switch ports. 

BPDUs received will be discarded on service access ports when STP on the VPLS is administratively enabled and the administrative state of STP is disabled.

To verify STP is disabled on the service access ports, use the command below and verify "Stp Admin State" is set to "Down":

- show service id 10 stp

Stp port info

Sap/Sdp/PIP Id     Oper-     Port-      Port-       Port-  Oper-  Link-  Active
                   State     Role       State       Num    Edge   Type   Prot.

1/1/c3/10          Down      N/A        Discard     N/A    N/A    Pt-pt  N/A

If the switch has not disabled STP for untrusted user-facing ports, this is a finding.</check-content></check></Rule></Group><Group id="V-283682"><title>SRG-NET-000362-L2S-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283682r1204074_rule" weight="10.0" severity="medium"><version>NOKI-L2-000100</version><title>The Nokia layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) enabled.</title><description>&lt;VulnDiscussion&gt;Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the virtual local area network (VLAN) number and the destination Media Access Control (MAC) address of the frame. 

When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer switch and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame will be sent to all forwarding ports within the respective VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or complete connectivity outage to the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. 

To mitigate the risk of a connectivity outage, the Unknown Unicast Flood Blocking (UUFB) feature must be implemented on all access layer switches. The UUFB feature will block unknown unicast traffic flooding and only permit egress traffic with MAC addresses that are known to exit on the port.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-88152r1204073_fix">Configure the Nokia router VPLS service to have Unknown discard enabled:

- configure service vpls &lt;service id&gt; discard-unknown</fixtext><fix id="F-88152r1204073_fix" /><check system="C-88247r1204072_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the router virtual private local area network service (VPLS) configuration and verify discard-unknown is enabled for VPLS service. 

The discard-unknown feature discards packets with unknown destination MAC addresses. 

Use the command below and verify "Discard Unknown" is enabled:

- show service id 10 all | match "Discard Unknown"
Mac Learning      : Enabled             Discard Unknown   : Enabled

If "Discard Unknown" is disabled, this is a finding.</check-content></check></Rule></Group><Group id="V-283683"><title>SRG-NET-000362-L2S-000025</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283683r1204077_rule" weight="10.0" severity="medium"><version>NOKI-L2-000110</version><title>The Nokia layer 2 switch must have Dynamic Host Configuration Protocol (DHCP) snooping for all user virtual local area networks (VLANs) to validate DHCP messages from untrusted sources.</title><description>&lt;VulnDiscussion&gt;In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources. 

An unknown DHCP server on the network on an untrusted port is called a spurious DHCP server. This includes any device (personal computer, wireless access point) that is loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports.

The DHCP snooping feature validates DHCP messages received from untrusted sources, filters out invalid messages, and rate-limits DHCP traffic from trusted and untrusted sources. The DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and uses the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Therefore, it is imperative that the DHCP snooping feature is enabled on all VLANs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-88153r1204076_fix">Configure the switch to have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.

Configure DHCP snooping for all user service access points:

- configure service vpls &lt;vpls service id&gt; sap &lt;sap id&gt; dhcp
- snoop
- no shutdown</fixtext><fix id="F-88153r1204076_fix" /><check system="C-88248r1204075_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Use the command below for each virtual private local area network service (VPLS) and verify the status of DHCP for all user VLANs:

- show service id 10 dhcp summary

DHCP Summary, service 10

Sap/Sdp                Snoop  Used/       Arp Reply   Info     Admin
                              Provided    Agent       Option   State

sap:1/1/c3/10          Yes    0/1         Yes         Keep     Up

Number of Entries : 1

If the switch does not have DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources, this is a finding.</check-content></check></Rule></Group><Group id="V-283684"><title>SRG-NET-000362-L2S-000026</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283684r1204128_rule" weight="10.0" severity="medium"><version>NOKI-L2-000120</version><title>The Nokia layer 2 switch must provide source Internet Protocol (IP) address filtering on untrusted layer 2 interfaces.</title><description>&lt;VulnDiscussion&gt;Source IP address filtering on a layer 2 port prevents a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses Dynamic Host Configuration Protocol (DHCP) snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access ports. 

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-88154r1204127_fix">Configure the Nokia router VPLS service to enable DHCP snooping at all points where DHCP messages requiring snooping enter the VPLS service:

- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; dhcp snoop

Populate the DHCP lease state information extracted from snooped DHCP ACK messages. If the optional number "lease state table entries allowed" is omitted, only a single entry is allowed. Once the maximum number of entries has been reached, subsequent lease state entries are not allowed, and DHCP ACK messages are discarded.

- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; dhcp lease-populate &lt;number of DHCP leases allowed&gt;

Enable anti-spoof filtering for untrusted VPLS service access points. Anti-spoof type can be ip, ip-mac, or mac.

When type "ip" is used, only the source IP address is used in its lookup. The "ip-mac" type uses both the IP address and source MAC address in its lookup, while the "mac" type uses only the source MAC address in its lookup.

If an entry does not match the ingress packet, the packet is silently discarded while incrementing the SAP discard counter. 

- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; anti-spoof &lt;anti-spoof type&gt;</fixtext><fix id="F-88154r1204127_fix" /><check system="C-88249r1204078_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the router virtual private local area network service (VPLS) configuration and verify an equivalent command for the Dynamic Address Resolution Protocol Inspection feature is enabled on all user virtual local area networks (VLANs).

Verify both "DHCP snooping" and "lease populate" options under DHCP result for each service access point (SAP) configured within a VPLS service:

- show service id 10 sap 1/1/c3/10 detail | match "Anti Spoofing"
Anti Spoofing      : Ip-Mac                   Dynamic Hosts     : Enabled

Using the same command, verify "Anti Spoofing" is enabled with type IP-MAC.

If this is not enabled on all user VLANs, this is a finding.</check-content></check></Rule></Group><Group id="V-283685"><title>SRG-NET-000362-L2S-000027</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283685r1204130_rule" weight="10.0" severity="medium"><version>NOKI-L2-000130</version><title>The Nokia layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user virtual local area networks (VLANs).</title><description>&lt;VulnDiscussion&gt;DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and forwarding the packet to the appropriate destination. 

Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the Dynamic Host Configuration Protocol (DHCP) snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-88155r1204129_fix">The system evaluates ARP replies and requests received on a SAP with arp-reply-agent enabled against the anti-spoof filter entries associated with the ingress SAP. ARPs from unknown hosts on the SAP are discarded when anti-spoof filtering is enabled.

Configure the Nokia router VPLS service to enable DHCP snooping at all points where DHCP messages requiring snooping enter the VPLS service:

- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; dhcp snoop

Populate the DHCP lease state information extracted from snooped DHCP ACK messages. If the optional number "lease state table entries allowed" is omitted, only a single entry is allowed. Once the maximum number of entries has been reached, subsequent lease state entries are not allowed, and DHCP ACK messages are discarded.

- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; dhcp lease-populate &lt;number of DHCP leases allowed&gt;

Enable anti-spoof filtering for untrusted VPLS service access points. Anti-spoof type can be ip, ip-mac, or mac. 

When type "ip" is used, only the source IP address is used in its lookup. The "ip-mac" type uses both IP address and the source MAC address in its lookup, while the "mac" type uses only the source MAC address in its lookup.

If an entry does not match the ingress packet, the packet is silently discarded while incrementing the SAP discard counter. 

- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; anti-spoof &lt;anti-spoof type&gt;

Enable arp-reply-agent:

- configure service vpls sap &lt;sap id&gt; arp-reply-agent</fixtext><fix id="F-88155r1204129_fix" /><check system="C-88250r1204081_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the virtual private local area network service (VPLS) configuration and verify an equivalent command for the DAI feature is enabled on all user VLANs.

Verify both "DHCP snooping" and "lease populate" options under DHCP result for each service access point (SAP) within a VPLS service:

-show service id 10 sap 1/1/c3/10 detail | match "Anti Spoofing"
Anti Spoofing      : Ip-Mac                   Dynamic Hosts     : Enabled

- show service id 10 sap 1/1/c3/10 detail | match "ARP Reply Agent"
ARP Reply Agent    : Enabled                  Host Conn Verify  : Disabled

Using the same command, verify "Anti Spoofing" is enabled with type IP-MAC, and "ARP Reply Agent" is also enabled.

If these are not enabled on all user VLANs, this is a finding.</check-content></check></Rule></Group><Group id="V-283686"><title>SRG-NET-000512-L2S-000001</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283686r1204132_rule" weight="10.0" severity="low"><version>NOKI-L2-000140</version><title>The Nokia layer 2 switch must have Storm Control configured on all host-facing switch ports.</title><description>&lt;VulnDiscussion&gt;A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-88156r1204085_fix">Configure storm control on each host-facing switch port.

- configure port &lt;port id&gt; ethernet ingress-rate &lt;value in mbps&gt;</fixtext><fix id="F-88156r1204085_fix" /><check system="C-88251r1204131_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the router configuration to verify traffic is rate limited on host-facing interfaces.

Use the command below for each host-facing port and verify "Ingress Rate" is set to the required value: 

- show port 1/1/c3/1 | match "Ingress Rate"
Egress Rate        : Default                    Ingress Rate     : 500 
 
If storm control is not enabled on all host-facing switch ports, this is a finding.</check-content></check></Rule></Group><Group id="V-283687"><title>SRG-NET-000512-L2S-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283687r1204134_rule" weight="10.0" severity="low"><version>NOKI-L2-000150</version><title>The Nokia layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all virtual local area networks (VLANs).</title><description>&lt;VulnDiscussion&gt;IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts interested in receiving the traffic. This significantly reduces the volume of multicast traffic that would otherwise flood the VLAN.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-88157r1204088_fix">Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VLAN.

The igmp-snooping and mld-snooping can be configured at the VPLS service level or for each access point (VLAN).

For VPLS service-level configuration:

- configure service vpls &lt;service id&gt; igmp-snooping no shutdown
- configure service vpls &lt;service id&gt; mld-snooping no shutdown

For VPLS service access point-level configuration:

- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; igmp-snooping
- configure service vpls &lt;service id&gt; sap &lt;sap id&gt; mld-snooping</fixtext><fix id="F-88157r1204088_fix" /><check system="C-88252r1204133_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the switch configuration to verify IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively.

Use the command below for each virtual private local area network service (VPLS) and verify the state of IGMP snooping and MLD snooping:

- show service id 10 igmp-snooping base

IGMP Snooping Base info for service 10

Admin State : Up
Querier     : No querier found
SBD service : N/A
Evpn-proxy  : Disabled
Port                       Oper MRtr Pim  Send Max  Max  Max   MVR       Num
Id                         Stat Port Port Qrys Grps Srcs Grp   From-VPLS Grps
                                                         Srcs

sap:1/1/c3/10              Up No   No   No   None None None  Local     0

- show service id 10 mld-snooping base

MLD Snooping Base info for service 10

Admin State : Up
Querier     : No querier found
SBD service : N/A
Evpn-proxy  : Disabled

Port                                       Oper MRtr Send Max  MVR       Num
Id                                         Stat Port Qrys Grps From-VPLS Grps

sap:1/1/c3/10                              Up No   No   None Local     0

If the switch is not configured to implement IGMP or MLD snooping for each VLAN, this is a finding.</check-content></check></Rule></Group><Group id="V-283688"><title>SRG-NET-000512-L2S-000003</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283688r1204092_rule" weight="10.0" severity="medium"><version>NOKI-L2-000160</version><title>The Nokia layer 2 switch must implement Rapid Spanning Tree Protocol (RSTP) where virtual local area networks (VLANs) span multiple switches with redundant links.</title><description>&lt;VulnDiscussion&gt;STP is implemented on bridges and switches to prevent layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant links are provisioned to provide high availability in case of link failures. 

Convergence time can be reduced significantly using RSTP (802.1w) instead of STP (802.1d), resulting in improved availability. RSTP should be deployed by implementing either Rapid Per-VLAN Spanning Tree (Rapid-PVST) or Multiple Spanning Tree Protocol (MSTP). The latter scales much better when there are many VLANs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-88158r1204091_fix">Configure RSTP to be implemented at the access and distribution layers where VLANs span multiple switches.

For VPLS services where RSTP should be implemented, use the command below to enable RSTP for an already-created VPLS service:

- configure service vpls &lt;vpls id&gt; 
- stp mode rstp
- no shutdown</fixtext><fix id="F-88158r1204091_fix" /><check system="C-88253r1204090_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>In cases where VLANs do not span multiple switches, it is a best practice to not implement STP. Avoiding the use of STP will provide the most deterministic and highly available network topology. If STP is required, review the router virtual private local area network service (VPLS) configuration to verify RSTP has been implemented. 

Use the command below and verify STP mode is set to RSTP for VPLS, where RSTP should be implemented.

- show service id 10 stp | match Mode
Mode               : Rstp                     Last Top. Change  : 0d 00:00:00

If RSTP has not been implemented where STP is required, this is a finding.</check-content></check></Rule></Group><Group id="V-283689"><title>SRG-NET-000512-L2S-000004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283689r1204095_rule" weight="10.0" severity="medium"><version>NOKI-L2-000170</version><title>The Nokia layer 2 switch must enable Ethernet Connectivity Fault Management (ETH-CFM) to protect against one-way connections.</title><description>&lt;VulnDiscussion&gt;In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such a physical misconfiguration occurs, protocols such as Spanning Tree Protocol (STP) can cause network instability. 

Enabling ETH-CFM is the standard and most effective way to protect a layer 2 service against one-way (unidirectional) connections on a Nokia 7750 SR. The constant, bidirectional exchange of Continuity Check Messages (CCMs) provides an "always-on" monitoring system. It ensures that connectivity is healthy in both directions, detecting silent failures that would be missed by on-demand tests such as a loopback (ping).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-88159r1204094_fix">Configure the ETH-CFM maintenance domain and bind the Maintenance Endpoint (MEP) to the SAP to be monitored. Use the CCMs to detect possible unidirectional issues.
 
Configure ETH-CFM domain information:
 
- configure eth-cfm domain &lt;domain id&gt; format none  level &lt;level&gt; 
- association 1 format icc-based name &lt;name&gt;
- bridge-identifier bridge-name &lt;vpls service name&gt;
- back
- remote-mepid &lt;mep id&gt;
 
Apply to the SAP within VPLS:
 
- configure service vpls &lt;id&gt;
- sap &lt;sap id&gt; eth-cfm mep &lt;mep id&gt; domain &lt;domain id&gt; association &lt;index&gt; 
- ccm-enable
- no shutdown</fixtext><fix id="F-88159r1204094_fix" /><check system="C-88254r1204093_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Verify the ETH-CFM configuration for the service access point (SAP) in the virtual private local area network service (VPLS) appears as shown in the example below.

- show service id 10 sap 1/1/c3/10 detail

Eth-Cfm MEP Configuration Information

Md-index           : 3                        Direction         : Down
Ma-index           : 1                        Admin             : Enabled
MepId              : 10                       CCM-Enable        : Enabled

If ETH-CFM is not configured to protect against one-way connections, this is a finding.</check-content></check></Rule></Group><Group id="V-283690"><title>SRG-NET-000512-L2S-000007</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283690r1204098_rule" weight="10.0" severity="medium"><version>NOKI-L2-000190</version><title>The Nokia layer 2 switch must assign all virtual private local area network service (VPLS) ports not in use to an inactive VLAN.</title><description>&lt;VulnDiscussion&gt;A disabled port assigned to a user or management VLAN could be enabled accidentally or by an attacker. As a result, the attacker could gain access to that VLAN as a member.

Satisfies: SRG-NET-000512-L2S-000007, SRG-NET-000512-L2S-000009, SRG-NET-000512-L2S-000010, SRG-NET-000512-L2S-000011, SRG-NET-000512-L2S-000012, SRG-NET-000512-L2S-000013&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-88160r1204097_fix">Note: Switch ports configured for 802.1x are exempt from this requirement.

Assign all VPLS service ports not in use to an inactive VLAN.

Configure VPLS service access ports with either dot1q or qinq encapsulation:

- configure port &lt;port id&gt; ethernet encap-type &lt;dot1q or qinq&gt;

Configure unused SAPs with inactive VLAN tag in VPLS SAP configurations:

- configure service vpls &lt;service id&gt;
- sap &lt;port id:vlan tag&gt; create</fixtext><fix id="F-88160r1204097_fix" /><check system="C-88255r1204096_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Note: Switch ports configured for 802.1x are exempt from this requirement.

Review Nokia router configurations and examine all access switch ports. Each access switch port not in use should have membership to an inactive VLAN that is not used for any purpose.

For any port to be part of a VPLS service, the port must be configured for that service. Just enabling a port does not give the port access to a bridge domain. VLAN configuration is also part of configuring a port for a VPLS service. 

Use the command below to verify all VLAN tags used for all VPLS services.

Pay attention to wildcard "*" usage in the VLAN tag portion of the service access point (SAP) ID configuration. When the wild card "*" is configured in the VLAN tag portion of the SAP, it allows all VLAN tags. 

- show service sap-using
Service Access Points
PortId                          SvcId      Ing.  Ing.    Egr.  Egr.   Adm  Opr
                                           QoS   Fltr    QoS   Fltr

1/1/c1/1:200                    200        1     none    1     none   Up   Up
1/1/c1/1:300                    300        1     none    1     none   Up   Up

If a port is configured with null encapsulation, it will allow all VLAN tags. Verify access ports are configured with "Port Encp" set to "dotq" or "qinq":

- show port
Ports on Slot 1

Port          Admin Link Port    Cfg  Oper LAG/ Port Port Port   C/QS/S/XFP/
Id            State      State   MTU  MTU  Bndl Mode Encp Type   MDIMDX

1/1/c1/1      Up    Yes  Up      1518 1518    - accs dotq cgige
1/1/c2        Up         Link Up                          conn   100G CWDM4 M*

If any access switch ports are not in use and not in an inactive VLAN, this is a finding.</check-content></check></Rule></Group><Group id="V-283691"><title>SRG-NET-000512-L2S-000008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283691r1204101_rule" weight="10.0" severity="medium"><version>NOKI-L2-000200</version><title>The Nokia layer 2 switch must not have the default virtual local area network (VLAN) assigned to any host-facing switch ports.</title><description>&lt;VulnDiscussion&gt;In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP), which is all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-88161r1204100_fix">Remove the assignment of the default VLAN from all access switch ports.

Remove the access VPLS service ports using the default VLAN or wildcard VLAN tag "*" in VPLS SAP configurations:

- configure service vpls &lt;service id&gt;
- sap &lt;port id:vlan tag&gt; shutdown
- no sap &lt;port id:vlan tag&gt;</fixtext><fix id="F-88161r1204100_fix" /><check system="C-88256r1204099_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Review the switch configurations and verify no access switch ports have been assigned membership to the default VLAN (i.e., VLAN 1).

The service access points (SAPs) are configured to allow specific VLANs. Use the command below and verify the VLAN tag used for all SAPs. 

When wild card "*" is configured in the VLAN tag portion of the SAP, it allows all VLAN tags, including VLAN 1. 

For any port to be part of a virtual private local area network service (VPLS), the port must be configured for that service. Just enabling a port does not give the port access to a bridge domain. VLAN configuration is also part of configuring a port for a VPLS service. 

- show service sap-using
Service Access Points
PortId                          SvcId      Ing.  Ing.    Egr.  Egr.   Adm  Opr
                                           QoS   Fltr    QoS   Fltr

1/1/c1/1:200                    200        1     none    1     none   Up   Up
1/1/c1/1:300                    300        1     none    1     none   Up   Up

If a port is configured with null encapsulation, it will allow all VLAN tags. Verify access ports are configured with "Port Encp" set to "dotq" or "qinq":

- show port
Ports on Slot 1

Port          Admin Link Port    Cfg  Oper LAG/ Port Port Port   C/QS/S/XFP/
Id            State      State   MTU  MTU  Bndl Mode Encp Type   MDIMDX

1/1/c1/1      Up    Yes  Up      1518 1518    - accs dotq cgige
1/1/c2        Up         Link Up                          conn   100G CWDM4 M*

If access ports are assigned to the default VLAN, this is a finding.</check-content></check></Rule></Group><Group id="V-283692"><title>SRG-NET-000715-L2S-000120</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283692r1204104_rule" weight="10.0" severity="medium"><version>NOKI-L2-000270</version><title>The Nokia layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.</title><description>&lt;VulnDiscussion&gt;Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure.

For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Nokia SR OS 25.x L2S</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Nokia SR OS 25.x L2S</dc:subject><dc:identifier>5743</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004891</ident><fixtext fixref="F-88162r1204103_fix">Configure the layer 2 switch to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.

A layer 2 switch VPLS service is a logically separate subnetwork. Configure a VPLS service using the following commands:

- configure service vpls &lt;vpls service id&gt; customer &lt;customer id&gt; create
- sap &lt;port id:vlan tag if needed&gt; create
- back

Add as many service access point (SAP) access ports as needed. If connection to a remote site is needed, add a service distribution point (SDP) tunnel to the remote endpoint:

- spoke-sdp: &lt;sdp id&gt;:&lt;vc id&gt; create
- back
- no shutdown</fixtext><fix id="F-88162r1204103_fix" /><check system="C-88257r1204102_chk"><check-content-ref href="Nokia_SR_OS_25.x_L2S_STIG.xml" name="M" /><check-content>Verify the layer 2 switch is configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.

Logical layer 2 switch separation is configured using separate virtual private local area network services (VPLS). Verify VPLS services created and access ports configured for each VPLS service using the commands below.

To view all the VPLS services created, use the following command:

- show service service-using vpls
Services [vpls]
===============================================================================
ServiceId    Type      Adm  Opr  CustomerId Service Name
-------------------------------------------------------------------------------
200          VPLS      Up   Up   1          200
300          VPLS      Up   Up   1          300

Use the command below to view all the access points that are part of each VPLS service:

- show service id 200 base | match sap
sap:1/1/c1/1:200                         q-tag        1518    1518    Up   Up

If the layer 2 switch is not configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions, this is a finding.</check-content></check></Rule></Group></Benchmark>