Review the switch configuration and verify the switch does not have unnecessary or non-secure services enabled. The following directives must either be absent from the configuration (deleted) or, if present, be disabled (inactive). Verify the following are not present:

[edit system services]
finger;
ftp;
rlogin;
telnet;
xnm-clear-text;
tftp;
rest {
    http;
}
web-management {
    http;
    https;
}

Note: If the services listed above are marked "inactive", they are not enabled. For example, although the FTP stanza is present in the following snippet, it is disabled (inactive):

[edit system services]
inactive: ftp;

Because J-Web was not included in the FIPS certification, verify the web-management process is disabled:

[edit system processes]
web-management disable;

If any unnecessary services are enabled, this is a finding.
Disable the following services. If present, delete the following directives:

delete system services finger
delete system services ftp
delete system services rlogin
delete system services telnet
delete system services xnm-clear-text
delete system services tftp
delete system services rest http
delete system services web-management

Disable the web-management process:

set system processes web-management disable
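The check above has one subtlety that a grep for "telnet" misses: a stanza that is present but deactivated is not a finding. The following script, an added example that is not part of the STIG text, applies the check to "show configuration | display set" output, where a deactivated stanza appears as a "deactivate ..." line. SAMPLE_CONFIG is a constructed sample, not output from a real switch.

```python
"""Flag unnecessary Junos services from 'show configuration | display set' output.

Added example, not part of the STIG text. SAMPLE_CONFIG is constructed; real
input comes from 'show configuration | display set' on the switch.
"""

# Services the check requires to be absent or inactive.
FORBIDDEN_SERVICES = (
    "finger", "ftp", "rlogin", "telnet", "xnm-clear-text", "tftp",
    "rest http", "web-management http", "web-management https",
)

# Constructed sample: ftp is present but deactivated (not a finding),
# telnet and J-Web HTTPS are live, and the web-management process is
# not disabled.
SAMPLE_CONFIG = """\
set system services ssh protocol-version v2
set system services ftp
deactivate system services ftp
set system services telnet
set system services web-management https port 443
set system services netconf ssh
"""


def parse_set_config(text):
    """Return (set_paths, deactivated_paths) as lists of token tuples."""
    set_paths, deactivated = [], []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "set":
            set_paths.append(tuple(tokens[1:]))
        elif tokens[0] == "deactivate":
            deactivated.append(tuple(tokens[1:]))
    return set_paths, deactivated


def is_inactive(path, deactivated):
    """True if the path itself or any parent stanza has been deactivated."""
    return any(path[:len(d)] == d for d in deactivated)


def find_service_findings(text):
    """Return a sorted list of findings: forbidden services that are enabled,
    plus a note if the web-management process is not disabled."""
    set_paths, deactivated = parse_set_config(text)
    findings = set()
    for path in set_paths:
        if path[:2] != ("system", "services"):
            continue
        rest = " ".join(path[2:])
        for svc in FORBIDDEN_SERVICES:
            # Match the service exactly or as the prefix of a longer knob
            # (e.g. "web-management https port 443").
            if (rest == svc or rest.startswith(svc + " ")) and not is_inactive(path, deactivated):
                findings.add(svc)
    if ("system", "processes", "web-management", "disable") not in set_paths:
        findings.add("web-management process not disabled")
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_service_findings(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the real "display set" output and treat every line it prints as a finding; the deactivated FTP stanza in the sample is correctly ignored because the parent path matches a "deactivate" line.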
Verify the switch configuration has 802.1x authentication implemented for all access interfaces connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Static MAC Bypass or MAC RADIUS must be configured on access interfaces connected to devices that do not support an 802.1x supplicant.

Junos supports three supplicant types: single-secure (authenticate and permit only a single device), multiple (separately authenticate and permit multiple devices), and single (authenticate the first supplicant and permit all others).

Verify that the RADIUS server(s) are configured. RADIUS servers can be configured globally at [edit access radius-server] or defined for each access profile:

[edit access]
radius-server {
    <RADIUS IPv4 or IPv6 address> secret "PSK"; ## SECRET-DATA
}
profile dot1x_radius {
    authentication-order radius;
    radius {
        authentication-server <RADIUS IPv4 or IPv6 address>;
    }
    --or--
    radius-server {
        <RADIUS IPv4 or IPv6 address> secret "PSK"; ## SECRET-DATA
    }
}

Verify 802.1x or MAC RADIUS is configured on all host-facing access interfaces when RADIUS is available, as shown in the following example:

[edit protocols dot1x]
authenticator {
    authentication-profile-name dot1x_radius;
    interface {
        ge-0/0/0.0 {                <<< Connected device with 802.1x supplicant
            supplicant single-secure;
        }
        ge-0/0/1.0 {                <<< Connected device with 802.1x supplicant and interface support for MAC RADIUS
            supplicant multiple;
            mac-radius;
        }
        ge-0/0/2.0 {                <<< Connected device without 802.1x supplicant
            mac-radius {
                restrict;
            }
        }
    }
}

Note: Junos simultaneously supports both 802.1x and MAC RADIUS on the same access interface. To prevent 802.1x and have the interface use only MAC RADIUS, configure the "restrict" qualifier.

If RADIUS is unavailable or not configured, verify Static MAC Bypass:

[edit protocols]
dot1x {
    authenticator {
        static {
            <MAC address>/48 {
                vlan-assignment <vlan name>;
                interface <interface name>.<logical unit>;
            }
        }
    }
}

If the switch does not uniquely identify all network-connected endpoint devices before establishing any connection for access interfaces connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
Configure 802.1x authentication on all host-facing access interfaces. To authenticate those devices that do not support an 802.1x supplicant, Static MAC Bypass or MAC RADIUS must be configured.

Configure RADIUS if available:

set access radius-server <RADIUS IPv4 or IPv6 address> secret "<PSK>"
set access profile dot1x_radius radius authentication-server <RADIUS IPv4 or IPv6 address>
-or-
set access profile dot1x_radius radius-server <RADIUS IPv4 or IPv6 address> secret "<PSK>"
set access profile dot1x_radius authentication-order radius

To configure 802.1x on an access interface:

set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface <name>.<logical unit> supplicant single-secure
--or--
set protocols dot1x authenticator interface <name>.<logical unit> supplicant multiple
--or-- (802.1x with MAC RADIUS fallback on the same interface)
set protocols dot1x authenticator interface <name>.<logical unit> supplicant multiple
set protocols dot1x authenticator interface <name>.<logical unit> mac-radius
--or-- (MAC RADIUS only, for a connected device without a supplicant)
set protocols dot1x authenticator interface <name>.<logical unit> mac-radius restrict

Note: Configure the "restrict" keyword if the connected device does not support a supplicant. Although a non-802.1x-aware client will use MAC RADIUS if configured, without the "restrict" keyword 802.1x authentication is attempted before MAC RADIUS, which increases the time the device must wait before gaining network access.

To configure Static MAC Bypass:

set protocols dot1x authenticator static <MAC address>/48 vlan-assignment <vlan name>
set protocols dot1x authenticator static <MAC address>/48 interface <interface name>.<logical unit>
Review the switch configuration to verify whether dynamic VLAN registration protocols are enabled. If dynamic VLAN registration protocols are enabled, verify that authentication has been configured.

Juniper switches do not support VTP. Although Juniper switches support MVRP, it is disabled by default (there is no [edit protocols mvrp] stanza). Verify MVRP is not enabled, i.e., the following stanza is absent:

[edit protocols]
mvrp {
    interface <name>;
}

If dynamic VLAN registration protocols have been configured on the switch and are not authenticating messages with a hash function using the most secured cryptographic algorithm available, this is a finding.
Configure the switch to disable all dynamic VLAN registration protocols.

delete protocols mvrp
Review the switch configuration to verify that QoS has been enabled to ensure that sufficient capacity is available for mission-critical traffic such as voice and to enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

By default, Junos implements a standard Class-of-Service (CoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NC). Verify at least a third queue (Voice) is active with an appropriate bandwidth allocation.

Verify Voice over Internet Protocol (VoIP) phones are connected to VoIP interfaces and there is a separate VoIP Virtual Local Area Network (VLAN). For example, assume 20 percent VoIP traffic on "voip" VLAN 119 and normal production traffic on "data" VLAN 150. VoIP traffic will use the Expedited-Forwarding (EF) forwarding class with Differentiated Services Codepoint (DSCP) values 46 (101110) and 36 (100100).

Verify the VoIP VLAN is available:

[edit vlans]
data {
    vlan-id 150;
}
voip {
    vlan-id 119;
}

Verify the interfaces with connected VoIP phones are configured:

[edit interfaces]
<VoIP phone int-1> {
    unit <logical unit> {
        family ethernet-switching {
            vlan {
                members data;
            }
        }
    }
}

[edit switch-options]
voip {
    interface <VoIP phone int-1>.<logical unit> {
        vlan voip;
        forwarding-class (expedited-forwarding|assured-forwarding);
    }
}

Note: The example forwarding class (FC) names (EF and AF spelled out above) are generally available on all switches. To use a custom FC name (e.g., "voip"), the default CoS must be modified. The only requirement is that the assigned FC must be available under [edit class-of-service].

Verify the CoS strategy includes support for the assigned VoIP VLAN. From the configured interface example above, assume "expedited-forwarding" using DSCP values 46 (101110) and 36 (100100) is used for VoIP traffic. Traffic must be classified (placed into forwarding classes / queues) on ingress and scheduled (shaped) on egress:

[edit class-of-service]
classifiers {
    dscp voip-classifier {
        import default;
        forwarding-class expedited-forwarding {
            loss-priority low code-points [ 101110 100100 ];
        }
    }
}
interfaces {
    <VoIP phone int-1> {
        scheduler-map voip-map;
        unit <logical unit> {
            classifiers {
                dscp voip-classifier;
            }
        }
    }
    <uplink interface> {
        scheduler-map voip-map;
        unit <logical unit> {
            classifiers {
                dscp voip-classifier;
            }
        }
    }
}
scheduler-maps {
    voip-map {
        forwarding-class best-effort scheduler be-scheduler;
        forwarding-class expedited-forwarding scheduler ef-scheduler;
        forwarding-class network-control scheduler nc-scheduler;
    }
}
schedulers {
    be-scheduler {
        transmit-rate {
            remainder;
        }
        priority low;
    }
    ef-scheduler {
        shaping-rate percent 20;
        priority strict-high;
    }
    nc-scheduler {
        shaping-rate percent 5;
        priority strict-high;
    }
}

Note: The example CoS names, scheduler rates, and DSCP values must not be considered requirements. The names, rates, and values must be appropriately configured for the target environment.

If the switch is not configured to implement a QoS policy, this is a finding.
Implement a QoS policy for traffic prioritization and bandwidth reservation. This policy must enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

Configure the VLANs:

set vlans <data VLAN> vlan-id <data VLAN ID>
set vlans <VoIP VLAN> vlan-id <VoIP VLAN ID>

Configure the VoIP interface(s):

set interfaces <interface name> unit 0 family ethernet-switching interface-mode access
set interfaces <interface name> unit 0 family ethernet-switching vlan members <data VLAN>
set switch-options voip interface <interface name>.0 vlan <VoIP VLAN>
set switch-options voip interface <interface name>.0 forwarding-class <VoIP forwarding class>

Configure CoS:

set class-of-service classifiers dscp <VoIP classifier name> import default
set class-of-service classifiers dscp <VoIP classifier name> forwarding-class <VoIP forwarding class> loss-priority low code-points <DSCP code point>
set class-of-service classifiers dscp <VoIP classifier name> forwarding-class <VoIP forwarding class> loss-priority low code-points <DSCP code point>   (optional - only if multiple DSCP values are used)
set class-of-service interfaces <VoIP interface> scheduler-map <VoIP scheduler map>
set class-of-service interfaces <VoIP interface> unit 0 classifiers dscp <VoIP classifier name>
set class-of-service interfaces <uplink interface> scheduler-map <VoIP scheduler map>
set class-of-service interfaces <uplink interface> unit 0 classifiers dscp <VoIP classifier name>
set class-of-service scheduler-maps <VoIP scheduler map> forwarding-class best-effort scheduler <scheduler name>   (e.g., be-scheduler)
set class-of-service scheduler-maps <VoIP scheduler map> forwarding-class <VoIP forwarding class> scheduler <scheduler name>   (e.g., ef-scheduler)
set class-of-service scheduler-maps <VoIP scheduler map> forwarding-class network-control scheduler <scheduler name>   (e.g., nc-scheduler)
set class-of-service schedulers <be-scheduler name> transmit-rate (exact <value> | percent (0..100) | remainder)
set class-of-service schedulers <be-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
set class-of-service schedulers <ef-scheduler name> shaping-rate percent (0..100)
set class-of-service schedulers <ef-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
set class-of-service schedulers <nc-scheduler name> shaping-rate percent (0..100)
set class-of-service schedulers <nc-scheduler name> priority (high | low | medium-high | medium-low | strict-high)

Note: The classifier method (ToS bit, DSCP marking, etc.) and values, interfaces, priorities, and rates must be appropriate for the target environment.
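The QoS check and fix above wire three things together per VoIP interface: the forwarding class named under switch-options voip, a DSCP classifier on the logical unit that maps the expected code points into that class, and a scheduler map on the physical interface that schedules it. The following script, an added example that is not part of the STIG text, verifies those three bindings from "display set" output and renders DSCP values as the 6-bit code points Junos expects (EF is 46, written 101110). SAMPLE_CONFIG and the DSCP_NAMES table are constructed for the example; which forwarding class and DSCP values are "correct" is a site decision passed in as expected_dscp.

```python
"""Verify the VoIP CoS wiring in a Junos configuration ('display set' form).

Added example, not part of the STIG text. SAMPLE_CONFIG is constructed.
Assumption: the forwarding class named under 'switch-options voip' is the
one that must be classified on ingress and scheduled on egress.
"""

# Standard DSCP values (decimal). EF is 46 (101110); 36 is AF42 (100100).
DSCP_NAMES = {"ef": 46, "af41": 34, "af42": 36, "af43": 38, "cs5": 40, "be": 0}


def dscp_bits(value):
    """Render a decimal DSCP value as the 6-bit code-point string Junos uses."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return format(value, "06b")


def set_paths(text):
    """Each 'set ...' line as a tuple of tokens, without the leading 'set'."""
    return [tuple(l.split()[1:]) for l in text.splitlines() if l.startswith("set ")]


# Constructed sample: ge-0/0/10 is fully wired; ge-0/0/11 shares the
# classifier but has no scheduler-map bound to the physical interface.
SAMPLE_CONFIG = """\
set switch-options voip interface ge-0/0/10.0 vlan voip
set switch-options voip interface ge-0/0/10.0 forwarding-class expedited-forwarding
set switch-options voip interface ge-0/0/11.0 vlan voip
set switch-options voip interface ge-0/0/11.0 forwarding-class expedited-forwarding
set class-of-service classifiers dscp voip-classifier import default
set class-of-service classifiers dscp voip-classifier forwarding-class expedited-forwarding loss-priority low code-points 101110
set class-of-service classifiers dscp voip-classifier forwarding-class expedited-forwarding loss-priority low code-points 100100
set class-of-service interfaces ge-0/0/10 scheduler-map voip-map
set class-of-service interfaces ge-0/0/10 unit 0 classifiers dscp voip-classifier
set class-of-service interfaces ge-0/0/11 unit 0 classifiers dscp voip-classifier
set class-of-service scheduler-maps voip-map forwarding-class best-effort scheduler be-scheduler
set class-of-service scheduler-maps voip-map forwarding-class expedited-forwarding scheduler ef-scheduler
set class-of-service scheduler-maps voip-map forwarding-class network-control scheduler nc-scheduler
"""


def voip_cos_findings(text, expected_dscp=(46,)):
    """For each 'switch-options voip' interface, check that a DSCP classifier
    on its unit maps every expected_dscp value into its forwarding class and
    that a scheduler map on the physical interface schedules that class.
    Returns a list of finding strings (empty means compliant)."""
    paths = set_paths(text)
    cos = [p[1:] for p in paths if p and p[0] == "class-of-service"]
    want = {dscp_bits(v) for v in expected_dscp}
    findings = []
    for p in paths:
        if p[:3] != ("switch-options", "voip", "interface") or len(p) < 6 or p[4] != "forwarding-class":
            continue
        ifl, fc = p[3], p[5]
        ifd, unit = ifl.split(".")
        # Ingress: classifiers bound to this unit, and the code points they map into fc.
        clfs = [c[6] for c in cos
                if c[:6] == ("interfaces", ifd, "unit", unit, "classifiers", "dscp") and len(c) > 6]
        got = {c[8] for c in cos for name in clfs
               if c[:5] == ("classifiers", "dscp", name, "forwarding-class", fc)
               and len(c) > 8 and c[7] == "code-points"}
        if not want <= got:
            findings.append(f"{ifl}: classifier does not map {sorted(want - got)} to {fc}")
        # Egress: the scheduler map on the physical interface must schedule fc.
        maps = [c[3] for c in cos if c[:3] == ("interfaces", ifd, "scheduler-map") and len(c) > 3]
        if not maps:
            findings.append(f"{ifd}: no scheduler-map bound")
        elif not any(c[:4] == ("scheduler-maps", m, "forwarding-class", fc) for c in cos for m in maps):
            findings.append(f"{ifd}: scheduler-map {maps[0]} does not schedule {fc}")
    return findings


if __name__ == "__main__":
    for f in voip_cos_findings(SAMPLE_CONFIG, expected_dscp=(DSCP_NAMES["ef"], DSCP_NAMES["af42"])):
        print("FINDING:", f)
```

Passing the site's chosen DSCP values as decimals and letting dscp_bits() render them avoids the off-by-two mistake of writing EF as 44: 44 is 101100, while the 101110 code point used throughout the check is DSCP 46.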
Verify that the switch configuration has an analyzer to capture ingress and egress packets from any designated access interface for the purpose of monitoring a specific user session. Packet capture using the [edit forwarding-options analyzer <analyzer name>] configuration will only be present and enabled when actively monitoring sessions.

If actively capturing packets, verify an analyzer is present:

[edit forwarding-options]
analyzer {
    <analyzer name> {
        input {
            ingress {
                interface <input interface>.<logical unit>;
                -or-
                interface irb.<logical unit>;
            }
            egress {
                interface <input interface>.<logical unit>;
                -or-
                interface irb.<logical unit>;
            }
        }
        output {
            interface <output interface>.<logical unit>;
        }
    }
}

Note: Simultaneously mirroring both ingress and egress traffic may exceed the output interface capacity. Packet mirroring consumes resources and should only be enabled when actively monitoring sessions. If active monitoring is not currently required, the lack of an analyzer, or the presence of an inactive (disabled) analyzer, is not a finding.

If the switch is not configured to capture ingress and egress packets from a designated access interface, this is a finding.
Enable the feature or configure the switch so that it is capable of capturing ingress and egress packets from any designated switch port for the purpose of monitoring a specific user session. To capture packets from the L2 interface ge-0/0/0 and forward them out the L2 interface ge-0/0/1, configure the switch similarly to the example (substituting the interface names for the placeholders):

set forwarding-options analyzer <analyzer name> input ingress interface <input interface>.<logical unit>
-or-
set forwarding-options analyzer <analyzer name> input ingress interface irb.<logical unit>
set forwarding-options analyzer <analyzer name> input egress interface <input interface>.<logical unit>
-or-
set forwarding-options analyzer <analyzer name> input egress interface irb.<logical unit>
set forwarding-options analyzer <analyzer name> output interface <output interface>.<logical unit>
Verify that the switch configuration has an analyzer to capture ingress and egress packets from any designated switch port for the purpose of remotely monitoring a specific user session. Packet capture using the [edit forwarding-options analyzer <analyzer name>] configuration will only be present and enabled when actively monitoring sessions.

The Juniper switch supports either output interface or output vlan. To output to a VLAN that is trunked to a remote location, configure the switch with the destination VLAN, configure the uplink interface as trunked, and include the remote analyzer VLAN in the uplink trunk.

If actively capturing packets, verify an analyzer is present:

[edit vlans]
<destination VLAN name> {
    vlan-id <VLAN ID>;
}

[edit interfaces]
<interface name> {
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members <destination VLAN name>;
            }
        }
    }
}

[edit forwarding-options]
analyzer {
    <analyzer name> {
        input {
            ingress {
                interface <input interface>.<logical unit>;
                -or-
                interface irb.<logical unit>;
            }
            egress {
                interface <input interface>.<logical unit>;
                -or-
                interface irb.<logical unit>;
            }
        }
        output {
            vlan {
                <destination VLAN name>;
            }
        }
    }
}

Note: Simultaneously mirroring both ingress and egress traffic may exceed the output interface capacity. Packet mirroring consumes resources and should only be enabled when actively monitoring sessions. If active monitoring is not currently required, the lack of an analyzer, or the presence of an inactive (disabled) analyzer, is not a finding.

If the switch is not configured to capture ingress and egress packets from a designated access interface for the purpose of remotely monitoring a specific user session, this is a finding.
Enable the feature or configure the switch so that it is capable of capturing ingress and egress packets from any designated switch port for the purpose of remotely monitoring a specific user session.

set vlans <destination VLAN name> vlan-id <VLAN ID>
set interfaces <interface name> unit 0 family ethernet-switching interface-mode trunk
set interfaces <interface name> unit 0 family ethernet-switching vlan members <destination VLAN name>
set forwarding-options analyzer <analyzer name> input ingress interface <input interface>.<logical unit>
-or-
set forwarding-options analyzer <analyzer name> input ingress interface irb.<logical unit>
set forwarding-options analyzer <analyzer name> input egress interface <input interface>.<logical unit>
-or-
set forwarding-options analyzer <analyzer name> input egress interface irb.<logical unit>
set forwarding-options analyzer <analyzer name> output vlan <destination VLAN name>
Verify the switch configuration has 802.1x authentication implemented for all access interfaces connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Static MAC Bypass or MAC RADIUS must be configured on access interfaces connected to devices that do not support an 802.1x supplicant.

Junos supports three supplicant types: single-secure (authenticate and permit only a single device), multiple (separately authenticate and permit multiple devices), and single (authenticate the first supplicant and permit all others).

Verify that the RADIUS server(s) are configured. RADIUS servers can be configured globally at [edit access radius-server] or defined for each access profile:

[edit access]
radius-server {
    <RADIUS IPv4 or IPv6 address> secret "PSK"; ## SECRET-DATA
}
profile dot1x_radius {
    authentication-order radius;
    radius {
        authentication-server <RADIUS IPv4 or IPv6 address>;   <<< Must be defined if using the global RADIUS server. Optional if RADIUS is defined specifically for the profile.
    }
    radius-server {
        <RADIUS IPv4 or IPv6 address> secret "PSK"; ## SECRET-DATA   <<< Must be defined if not using the global RADIUS server. Takes precedence if both profile and global RADIUS are configured.
    }
}

Verify 802.1x or MAC RADIUS is configured on all host-facing access interfaces when RADIUS is available, as shown in the following example:

[edit protocols dot1x]
authenticator {
    authentication-profile-name dot1x_radius;
    interface {
        ge-0/0/0.0 {                <<< Connected device with 802.1x supplicant
            supplicant single-secure;
        }
        ge-0/0/1.0 {                <<< Connected device with 802.1x supplicant and interface support for MAC RADIUS
            supplicant multiple;
            mac-radius;
        }
        ge-0/0/2.0 {                <<< Connected device without 802.1x supplicant
            mac-radius {
                restrict;
            }
        }
    }
}

Note: Junos simultaneously supports both 802.1x and MAC RADIUS on the same access interface. To prevent 802.1x and have the interface use only MAC RADIUS, configure the "restrict" qualifier.

If RADIUS is unavailable or not configured, verify Static MAC Bypass:

[edit protocols]
dot1x {
    authenticator {
        static {
            <MAC address>/48 {
                vlan-assignment <vlan name>;
                interface <interface name>.<logical unit>;
            }
        }
    }
}

If 802.1x authentication, Static MAC Bypass, or MAC RADIUS is not configured on all access interfaces connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
Configure 802.1x authentication on all host-facing access interfaces. To authenticate those devices that do not support an 802.1x supplicant, Static MAC Bypass or MAC RADIUS must be configured.

Configure RADIUS if available:

set access radius-server <RADIUS IPv4 or IPv6 address (global)> secret "<PSK>"
set access profile dot1x_radius radius authentication-server <RADIUS IPv4 or IPv6 address (global)>
-or-
set access profile dot1x_radius radius-server <RADIUS IPv4 or IPv6 address> secret "<PSK>"
set access profile dot1x_radius authentication-order radius

To configure 802.1x on an access interface:

set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/2.0 mac-radius restrict

To configure Static MAC Bypass:

set protocols dot1x authenticator static <MAC address>/48 vlan-assignment <vlan name>
set protocols dot1x authenticator static <MAC address>/48 interface <interface name>.<logical unit>
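Both 802.1x checks on this page (the endpoint-identification check earlier and the access-interface check just above) reduce to the same question per access interface: is it covered by a supplicant setting, by MAC RADIUS, or by a Static MAC Bypass entry that names it? The following script, an added example that is not part of the STIG text, answers that from "display set" output for both checks. SAMPLE_CONFIG is constructed, and the script assumes, for the example only, that every ethernet-switching interface that is not a trunk is host-facing; on a real switch the list of LAN-outlet interfaces comes from site documentation, not from the configuration alone.

```python
"""Find host-facing access interfaces with no 802.1x, MAC RADIUS, or
Static MAC Bypass, from 'show configuration | display set' output.

Added example, not part of the STIG text. SAMPLE_CONFIG is constructed.
Assumption for the example: every ethernet-switching interface that is
not a trunk is host-facing.
"""

# Constructed sample: ge-0/0/3 is an access port with no authentication at
# all, ge-0/0/4 is covered only by a Static MAC Bypass entry, ge-0/0/47 is
# the uplink trunk and is out of scope.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members printers
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/2.0 mac-radius restrict
set protocols dot1x authenticator static 00:11:22:33:44:55/48 vlan-assignment printers
set protocols dot1x authenticator static 00:11:22:33:44:55/48 interface ge-0/0/4.0
"""


def set_paths(text):
    """Yield each 'set ...' line as a tuple of tokens, without the leading 'set'."""
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "set":
            yield tuple(tokens[1:])


def classify_interfaces(paths):
    """Map every non-trunk layer 2 logical interface to how it authenticates
    hosts: 'dot1x', 'mac-radius', 'static', or None (nothing configured)."""
    l2, trunks, auth = set(), set(), {}
    for p in paths:
        if len(p) >= 6 and p[0] == "interfaces" and p[2] == "unit" and p[4:6] == ("family", "ethernet-switching"):
            ifl = f"{p[1]}.{p[3]}"
            l2.add(ifl)
            if p[6:8] == ("interface-mode", "trunk"):
                trunks.add(ifl)
        elif p[:3] == ("protocols", "dot1x", "authenticator") and len(p) > 5:
            if p[3] == "interface" and p[5] == "supplicant":
                auth[p[4]] = "dot1x"                   # 802.1x wins over a MAC RADIUS fallback
            elif p[3] == "interface" and p[5] == "mac-radius":
                auth.setdefault(p[4], "mac-radius")    # 'mac-radius' or 'mac-radius restrict'
            elif p[3] == "static" and p[5] == "interface" and len(p) > 6:
                auth.setdefault(p[6], "static")        # Static MAC Bypass naming this interface
    return {ifl: auth.get(ifl) for ifl in sorted(l2 - trunks)}


def unauthenticated_interfaces(text):
    """Access interfaces with no 802.1x, MAC RADIUS, or Static MAC Bypass: each one is a finding."""
    return [ifl for ifl, how in classify_interfaces(set_paths(text)).items() if how is None]


if __name__ == "__main__":
    for ifl, how in classify_interfaces(set_paths(SAMPLE_CONFIG)).items():
        print(f"{ifl:12} {how or 'FINDING: no authentication'}")
```

An interface that has both "supplicant" and "mac-radius" is reported as dot1x, since MAC RADIUS is then only the fallback; an interface with "mac-radius restrict" alone is reported as mac-radius, matching the ge-0/0/2.0 case in the check.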
Review the switch topology as well as the switch configuration to verify that Root Protection is enabled on all interfaces connecting to access layer switches and hosts.

[edit protocols]
mstp {
    interface <interface name> {
        no-root-port;
    }
}

Note: Root Protection and Loop Protection are mutually exclusive and cannot be simultaneously configured on the same interface.

If the switch has not enabled Root Protection on all interfaces connecting to access layer switches and hosts, this is a finding.
Configure the switch to have Root Protection enabled on all switch ports connecting to access layer switches and hosts using trunked interfaces.

set protocols mstp interface <interface name> no-root-port

Note: Root Protection and Loop Protection are mutually exclusive and cannot be simultaneously configured on the same interface.
Review the switch configuration to verify that BPDU Protection is enabled on all user-facing or untrusted access switch interfaces. BPDU Protection discards all BPDUs received on a configured interface and stops forwarding on that interface. In contrast, Root Protection discards only superior root BPDUs but accepts the remaining BPDU types.

Verify BPDU Protection (bpdu-block-on-edge) and the edge interfaces where no BPDUs are expected:

[edit protocols]
mstp {
    bpdu-block-on-edge;
    interface <interface name> {
        edge;
    }
}

Note: Configuring BPDU Protection and Root Protection on the same interface is supported, but redundant because BPDU Protection includes Root Protection.

If the switch has not enabled BPDU Protection, this is a finding.
Configure the switch to have BPDU Protection enabled on all user-facing or untrusted access switch interfaces.

set protocols mstp bpdu-block-on-edge
set protocols mstp interface <interface name> edge

Note: Configuring BPDU Protection and Root Protection on the same interface is supported, but redundant because BPDU Protection includes Root Protection.
Review the switch configuration to verify that STP Loop Protection is enabled on all non-designated STP switch ports.

Verify STP Loop Protection for RSTP and VSTP:

[edit protocols]
rstp {
    interface <interface name> {
        bpdu-timeout-action {
            block;
        }
    }
}
vstp {
    interface <interface name> {
        bpdu-timeout-action {
            block;
        }
    }
}

Verify Loop Protection for all instances on an MSTP interface:

[edit protocols]
mstp {
    interface <interface name> {
        bpdu-timeout-action {
            block;
        }
    }
}

Note: Loop Protection and Root Protection are mutually exclusive and cannot be simultaneously configured on the same interface.

If STP Loop Protection is not configured on non-designated STP ports, this is a finding.
Configure the switch to have STP Loop Protection enabled on all non-designated STP interfaces.

RSTP or VSTP non-designated interface loop protection:

set protocols rstp interface <interface name> bpdu-timeout-action block
set protocols vstp interface <interface name> bpdu-timeout-action block

All instances on an MSTP interface:

set protocols mstp interface <interface name> bpdu-timeout-action block

Note: Loop Protection and Root Protection are mutually exclusive and cannot be simultaneously configured on the same interface.
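The three STP checks above (Root Protection, BPDU Protection, Loop Protection) interact per interface: an "edge" interface is only protected if "bpdu-block-on-edge" is set for that protocol, "no-root-port" and "bpdu-timeout-action block" cannot share an interface, and Root Protection on a BPDU-protected edge port is redundant. The following script, an added example that is not part of the STIG text, audits a candidate configuration in "display set" form for exactly those rules before it is committed. SAMPLE_CONFIG is constructed; which interfaces are non-designated ports is a topology fact the script cannot derive, so it does not attempt to flag interfaces that merely lack Loop Protection.

```python
"""Audit STP interface protections in a Junos configuration ('display set' form).

Added example, not part of the STIG text. SAMPLE_CONFIG is a constructed
candidate configuration of the kind reviewed before commit.
"""

STP_PROTOCOLS = ("rstp", "mstp", "vstp")

# Constructed sample: ge-0/0/0 is an edge port that also carries (redundant)
# Root Protection; ge-0/0/47 has both Root and Loop Protection, which Junos
# rejects; the VSTP edge port ge-0/0/5 has no bpdu-block-on-edge behind it.
SAMPLE_CONFIG = """\
set protocols mstp bpdu-block-on-edge
set protocols mstp interface ge-0/0/0 edge
set protocols mstp interface ge-0/0/0 no-root-port
set protocols mstp interface ge-0/0/46 no-root-port
set protocols mstp interface ge-0/0/47 no-root-port
set protocols mstp interface ge-0/0/47 bpdu-timeout-action block
set protocols vstp interface ge-0/0/5 edge
set protocols vstp interface ge-0/0/45 bpdu-timeout-action block
"""


def stp_settings(text):
    """Return ({proto: set(global knobs)}, {proto: {interface: set(knobs)}})."""
    globals_, per_if = {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["set", "protocols"] or t[2] not in STP_PROTOCOLS:
            continue
        proto = t[2]
        if t[3] == "interface" and len(t) >= 6:
            per_if.setdefault(proto, {}).setdefault(t[4], set()).add(" ".join(t[5:]))
        else:
            globals_.setdefault(proto, set()).add(" ".join(t[3:]))
    return globals_, per_if


def stp_findings(text):
    """Return a list of per-interface problems, in protocol then interface order."""
    findings = []
    globals_, per_if = stp_settings(text)
    for proto in sorted(per_if):
        blocked = "bpdu-block-on-edge" in globals_.get(proto, set())
        for ifname, knobs in sorted(per_if[proto].items()):
            root = "no-root-port" in knobs
            loop = "bpdu-timeout-action block" in knobs
            edge = "edge" in knobs
            if edge and not blocked:
                findings.append(f"{proto} {ifname}: edge interface without bpdu-block-on-edge (no BPDU Protection)")
            if root and loop:
                findings.append(f"{proto} {ifname}: no-root-port and bpdu-timeout-action block are mutually exclusive")
            if root and edge and blocked:
                findings.append(f"{proto} {ifname}: Root Protection is redundant on a BPDU-protected edge interface")
    return findings


if __name__ == "__main__":
    for f in stp_findings(SAMPLE_CONFIG):
        print(f)
```

The mutual-exclusion case matters most when reviewing a proposed change: on the switch itself the commit fails, but in a change ticket or a template it is easy to stack both knobs on the same uplink.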
Review the switch configuration to verify that unknown unicast frames are forwarded to a single interface.

[edit switch-options]
unknown-unicast-forwarding {
    vlan <VLAN name> {
        interface <interface name>.<logical unit>;
    }
}

Note: Validate that the MAC and/or ARP timers are consistent across the network. Blindly forwarding unknown unicast traffic can cause the DoS condition this check intends to prevent. Validate the network architecture and that the receiving interface is appropriate.

If any access VLANs are not configured to forward unknown unicast to a single interface, this is a finding.
Configure the switch to have VLANs forward unknown unicast frames to a single interface.

set switch-options unknown-unicast-forwarding vlan <VLAN name> interface <interface name>.<logical unit>
Review the switch configuration and verify that DHCP snooping is enabled on all user-facing or untrusted VLANs. DHCP snooping is enabled if dhcp-security is configured for any VLAN, and is automatically enabled whenever any other VLAN port security feature is configured (e.g., IP Source Guard or Dynamic ARP Inspection).

Devices like printers, servers, and VoIP phones are under administrative control and connected to controlled access interfaces (802.1x, Static MAC Bypass, or MAC RADIUS), making them trusted sources in non-user-facing VLANs.

Verify DHCP snooping on user-facing or untrusted VLANs:

[edit vlans]
<untrusted VLAN name> {
    vlan-id <VLAN ID>;
    forwarding-options {
        dhcp-security;
    }
}

If the switch does not have DHCP snooping enabled for all user-facing or untrusted VLANs to validate DHCP messages from untrusted sources, this is a finding.
Configure the switch to have DHCP snooping for all user-facing or untrusted VLANs to validate DHCP messages from untrusted sources.

set vlans <untrusted VLAN name> vlan-id <untrusted VLAN ID>
set vlans <untrusted VLAN name> forwarding-options dhcp-security
Review the switch configuration to verify that IP Source Guard is enabled on all user-facing or untrusted VLANs. Configuring IP Source Guard automatically enables DHCP snooping.

Devices like printers, servers, and VoIP phones are under enterprise control and connected to controlled access interfaces (802.1x, Static MAC Bypass, or MAC RADIUS), making them trusted sources in non-user-facing VLANs.

Verify IP Source Guard on user-facing or untrusted VLANs:

[edit vlans]
<untrusted VLAN name> {
    vlan-id <VLAN ID>;
    forwarding-options {
        dhcp-security {
            ip-source-guard;
        }
    }
}

Note: IP Source Guard depends upon DHCP snooping or static MAC address bindings.

If the switch does not have IP Source Guard enabled on all user-facing or untrusted VLANs, this is a finding.
Configure the switch to have IP Source Guard enabled on all user-facing or untrusted VLANs.

set vlans <untrusted VLAN name> vlan-id <VLAN ID>
set vlans <untrusted VLAN name> forwarding-options dhcp-security ip-source-guard
Review the switch configuration to verify that the Dynamic Address Resolution Protocol (ARP) Inspection (DAI) feature is enabled on all user VLANs. Configuring DAI automatically enables DHCP snooping.

Devices like printers, servers, and VoIP phones are under enterprise control and connected to controlled access interfaces (802.1x, Static MAC Bypass, or MAC RADIUS), making them trusted sources in non-user-facing VLANs.

Verify DAI on user-facing or untrusted VLANs:

[edit vlans]
<untrusted VLAN name> {
    vlan-id <VLAN ID>;
    forwarding-options {
        dhcp-security {
            arp-inspection;
        }
    }
}

Note: DAI depends upon DHCP snooping or static MAC address bindings.

If DAI is not enabled on all user VLANs, this is a finding.
Configure the switch to have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.

set vlans <untrusted VLAN name> vlan-id <VLAN ID>
set vlans <untrusted VLAN name> forwarding-options dhcp-security arp-inspection
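The three VLAN port-security checks above (DHCP snooping, IP Source Guard, DAI) share one hierarchy, and the first is implied by either of the other two: "forwarding-options dhcp-security ip-source-guard" enables DHCP snooping even when a bare "dhcp-security" line is absent. The following script, an added example that is not part of the STIG text, reports which of the three are missing on each untrusted VLAN from "display set" output. SAMPLE_CONFIG is constructed, and TRUSTED_VLANS is the reviewer's list of non-user-facing VLANs, an input the configuration alone cannot supply.

```python
"""Check DHCP snooping, IP Source Guard, and DAI on untrusted VLANs.

Added example, not part of the STIG text. SAMPLE_CONFIG is constructed;
TRUSTED_VLANS is the reviewer's list of VLANs that are not user-facing.
"""

# Constructed sample: "users" has all three features, "guests" has only
# DHCP snooping, "byod" has nothing, and "servers" is trusted.
SAMPLE_CONFIG = """\
set vlans users vlan-id 100
set vlans users forwarding-options dhcp-security ip-source-guard
set vlans users forwarding-options dhcp-security arp-inspection
set vlans guests vlan-id 200
set vlans guests forwarding-options dhcp-security
set vlans byod vlan-id 300
set vlans servers vlan-id 900
"""

TRUSTED_VLANS = {"servers"}
REQUIRED = ("dhcp-security", "ip-source-guard", "arp-inspection")


def vlan_security(text):
    """Map VLAN name -> set of enabled port-security features. Any knob under
    dhcp-security (ip-source-guard, arp-inspection) implies DHCP snooping."""
    feats = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[:2] != ["set", "vlans"]:
            continue
        f = feats.setdefault(t[2], set())
        if t[3:5] == ["forwarding-options", "dhcp-security"]:
            f.add("dhcp-security")
            if len(t) > 5 and t[5] in ("ip-source-guard", "arp-inspection"):
                f.add(t[5])
    return feats


def vlan_findings(text, trusted=TRUSTED_VLANS):
    """One finding per untrusted VLAN that lacks any of the REQUIRED features."""
    findings = []
    for vlan, f in sorted(vlan_security(text).items()):
        if vlan in trusted:
            continue
        missing = [r for r in REQUIRED if r not in f]
        if missing:
            findings.append(f"{vlan}: missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in vlan_findings(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Passing an empty trusted set makes the script audit every VLAN, which is the safer default when the reviewer has not yet confirmed which VLANs contain only administratively controlled devices.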
Review the switch configuration to verify that storm control is enabled on host-facing access interfaces. Verify storm control profiles at [edit forwarding-options storm-control-profiles] with an appropriate bandwidth value (an absolute bandwidth level or a percentage). By default, ELS versions of Junos enable storm control at 80 percent of bandwidth, but permit setting different values as either an absolute level or a percentage of available bandwidth.

Note: Although percentage of bandwidth remains supported, it is deprecated and subject to removal. Therefore, an absolute level should be used. Threshold values must be configured appropriately for the target network.

Verify the default storm control profile or a custom profile with an appropriate bandwidth percentage or level:

[edit forwarding-options]
storm-control-profiles profile-percent {
    all {
        bandwidth-percentage (1..100);
    }
    action-shutdown;
}
storm-control-profiles profile-level {
    all {
        bandwidth-level (100..100000000 kbps);
    }
    action-shutdown;
}

Note: Storm control profiles are created with the hierarchy "all" but support removing specific traffic types using the "no-<traffic type>" keyword. The currently supported exclusions:
no-broadcast                 Disable broadcast storm control
no-multicast                 Disable multicast storm control
no-registered-multicast      Disable registered multicast storm control
no-unknown-unicast           Disable unknown unicast storm control
no-unregistered-multicast    Disable unregistered multicast storm control

If excluding traffic, verify at least broadcast storm control is enabled.

Verify that storm control profiles are applied to layer 2 host-facing access interfaces:

[edit interfaces]
<interface name> {
    unit 0 {
        family ethernet-switching {
            storm-control <profile name>;
            recovery-timeout (10..3600 seconds);
        }
    }
}

Note: If a recovery-timeout is not specified, and the storm control profile enforces action-shutdown, affected interfaces are disabled until manually enabled by an authorized administrator.

If storm control is not enabled on all host-facing access interfaces, this is a finding.
Configure storm control on each host-facing access interface.

set forwarding-options storm-control-profiles profile-percent all bandwidth-percentage (1..100)
set forwarding-options storm-control-profiles profile-level all bandwidth-level (100..100000000 kbps)
set interfaces <interface name> unit 0 family ethernet-switching storm-control <profile name>
set interfaces <interface name> unit 0 family ethernet-switching recovery-timeout (10..3600 seconds)
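The storm control check above carries three caveats that are easy to lose in a manual review: bandwidth-percentage is deprecated, a profile that excludes broadcast traffic ("no-broadcast") fails the check, and action-shutdown without a recovery-timeout leaves a port down until an administrator intervenes. The following script, an added example that is not part of the STIG text, separates hard findings from those operational warnings when reading "display set" output. SAMPLE_CONFIG is constructed, and the script assumes for the example that every non-trunk ethernet-switching interface is host-facing.

```python
"""Audit storm control profiles and their binding to access interfaces.

Added example, not part of the STIG text. SAMPLE_CONFIG is constructed.
Assumption for the example: every ethernet-switching interface that is
not a trunk is host-facing.
"""

# Constructed sample: profile "pct" uses the deprecated percentage form,
# profile "lvl" excludes broadcast traffic, ge-0/0/0 has action-shutdown
# with no recovery-timeout, ge-0/0/2 has no storm control at all.
SAMPLE_CONFIG = """\
set forwarding-options storm-control-profiles pct all bandwidth-percentage 80
set forwarding-options storm-control-profiles pct action-shutdown
set forwarding-options storm-control-profiles lvl all bandwidth-level 10000
set forwarding-options storm-control-profiles lvl all no-broadcast
set forwarding-options storm-control-profiles lvl action-shutdown
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control pct
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching storm-control lvl
set interfaces ge-0/0/1 unit 0 family ethernet-switching recovery-timeout 300
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
"""


def storm_control_report(text):
    """Return (findings, warnings). Findings fail the check; warnings are the
    caveats from the check text (deprecated percentage, shutdown with no
    recovery-timeout)."""
    profiles, ifaces = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["set", "forwarding-options", "storm-control-profiles"] and len(t) > 4:
            profiles.setdefault(t[3], set()).add(" ".join(t[4:]))
        elif t[:2] == ["set", "interfaces"] and t[5:7] == ["family", "ethernet-switching"] and len(t) > 7:
            # knob -> value (or True for a bare flag) per physical interface
            ifaces.setdefault(t[2], {})[t[7]] = t[8] if len(t) > 8 else True
    findings, warnings = [], []
    for name, knobs in sorted(profiles.items()):
        if any(k.startswith("all bandwidth-percentage") for k in knobs):
            warnings.append(f"profile {name}: bandwidth-percentage is deprecated; use bandwidth-level")
        if "all no-broadcast" in knobs:
            findings.append(f"profile {name}: broadcast storm control disabled")
    for ifd, k in sorted(ifaces.items()):
        if k.get("interface-mode") == "trunk":
            continue
        prof = k.get("storm-control")
        if prof is None:
            findings.append(f"{ifd}: no storm-control profile")
        elif "action-shutdown" in profiles.get(prof, set()) and "recovery-timeout" not in k:
            warnings.append(f"{ifd}: action-shutdown without recovery-timeout; port stays down until manually enabled")
    return findings, warnings


if __name__ == "__main__":
    findings, warnings = storm_control_report(SAMPLE_CONFIG)
    for f in findings:
        print("FINDING:", f)
    for w in warnings:
        print("WARNING:", w)
```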
Review the switch configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively.

Verify IGMP and MLD snooping is globally configured for all VLANs:

[edit protocols]
igmp-snooping {
    vlan all {
        immediate-leave;
        interface <multicast router interface name>.<logical unit> {
            multicast-router-interface;
        }
    }
}
mld-snooping {
    vlan all {
        immediate-leave;
        interface <multicast router interface name>.<logical unit> {
            multicast-router-interface;
        }
    }
}

For VLAN-specific values, verify IGMP and MLD snooping is configured for each VLAN:

[edit protocols]
igmp-snooping {
    vlan <vlan-name> {
        immediate-leave;
        interface <multicast router interface name>.<logical unit> {
            multicast-router-interface;
        }
        interface <host interface name>.<logical unit> {
            host-only-interface;
        }
    }
}
mld-snooping {
    vlan <vlan-name> {
        immediate-leave;
        interface <multicast router interface name>.<logical unit> {
            multicast-router-interface;
        }
        interface <host interface name>.<logical unit> {
            host-only-interface;
        }
    }
}

If the switch is not configured to implement IGMP or MLD snooping for each VLAN, this is a finding.
Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VLAN.

Global:

set protocols igmp-snooping vlan all immediate-leave
set protocols igmp-snooping vlan all interface <multicast router interface name>.<logical unit> multicast-router-interface
set protocols mld-snooping vlan all immediate-leave
set protocols mld-snooping vlan all interface <multicast router interface name>.<logical unit> multicast-router-interface

Per VLAN:

set protocols igmp-snooping vlan <vlan-name> immediate-leave
set protocols igmp-snooping vlan <vlan-name> interface <multicast router interface name>.<logical unit> multicast-router-interface
set protocols igmp-snooping vlan <vlan-name> interface <host interface name>.<logical unit> host-only-interface
set protocols mld-snooping vlan <vlan-name> immediate-leave
set protocols mld-snooping vlan <vlan-name> interface <multicast router interface name>.<logical unit> multicast-router-interface
set protocols mld-snooping vlan <vlan-name> interface <host interface name>.<logical unit> host-only-interface
If STP is required, then review the switch configuration to verify that Rapid STP or Multiple STP has been implemented. RSTP and MSTP are similar, except MSTP is more granular, flexible, and scalable. RSTP and MSTP can be enabled simultaneously, but in general only one STP is configured.

RSTP:

[edit protocols]
rstp {
    bridge-priority (0..61440 in 4k increments);   << e.g., 0, 4k, 8k...60k
    interface <interface name> {
        edge;
    }
    interface <interface name-1> {
        mode point-to-point;
    }
    bpdu-block-on-edge;
}

-OR-

MSTP:

[edit protocols mstp]
configuration-name <name>;
revision-level (0..65535);
max-age (6..40 seconds);
hello-time (1..10 seconds);
forward-delay (4..30 seconds);
bridge-priority (0..61440 in 4k increments);   << e.g., 0, 4k, 8k...60k
bpdu-block-on-edge;
interface <interface name> {
    edge;
}
interface <interface name-1> {
    mode point-to-point;
}
msti 3 {
    bridge-priority (0..61440 in 4k increments);   << e.g., 0, 4k, 8k...60k
    vlan [ vlan-id-1 vlan-id-2 ];
}

If Rapid STP or Multiple STP has not been implemented where an STP is required, this is a finding.
Configure Rapid STP to be implemented at the access and distribution layers where VLANs span multiple switches.

RSTP:
set protocols rstp bridge-priority (0..61440 in 4k increments)   << e.g. 0, 4k, 8k...60k
set protocols rstp interface <interface name> edge
set protocols rstp interface <interface name-1> mode point-to-point
set protocols rstp bpdu-block-on-edge

MSTP:
set protocols mstp configuration-name <name>
set protocols mstp revision-level (0..65535)
set protocols mstp max-age (6..40 seconds)
set protocols mstp hello-time (1..10 seconds)
set protocols mstp forward-delay (4..30 seconds)
set protocols mstp bridge-priority (0..61440 in 4k increments)   << e.g. 0, 4k, 8k...60k
set protocols mstp bpdu-block-on-edge
set protocols mstp interface <interface name> edge
set protocols mstp interface <interface name-1> mode point-to-point
set protocols mstp msti 3 bridge-priority (0..61440 in 4k increments)   << e.g. 0, 4k, 8k...60k
set protocols mstp msti 3 vlan <VLAN ID 1>
set protocols mstp msti 3 vlan <VLAN ID 2>
If any of the interfaces have fiber optic interconnections with neighbors, review the switch configuration to verify that OAM or LAG is enabled on those interfaces. Because OAM and LAG interfaces exchange packets, the neighbor device must also be configured with OAM or LAG.

Verify OAM connectivity fault management:
[edit protocols oam ethernet link-fault-management]
interface <interface name>;

Note: To enable LFM using default values, specifying the interface is sufficient.

Verify OAM connectivity with custom actions (must match the target environment).
action-profile <profile name> {
    event {
        link-adjacency-loss;
        protocol-down;
        link-event-rate {
            frame-error (1..1000 error(s) per 100 milli-second);
            frame-period (1..100 error(s) per 100 frames);
            frame-period-summary (1..1000 error(s) per second);
            symbol-period (1..100 error(s) per 100 symbol);
        }
    }
    action {
        syslog;
        link-down;
    }
}
interface <interface name-1> {
    apply-action-profile <profile name>;
    pdu-interval (100..1000 milliseconds);
    pdu-threshold (5..10);
    detect-loc;
    link-discovery active;
}
interface <interface name>;

Verify LAG on appropriate interfaces:
[edit interfaces]
<interface name> {
    ether-options {
        802.3ad ae<bundle number>;
    }
}
ae<bundle number> {
    aggregated-ether-options {
        lacp {
            active;
            periodic slow;
        }
    }
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name ... vlan_name ];
            }
        }
    }
}

Note: The bundle number is an integer value that matches the logical LAG interface. For example, physical interface "ge-0/0/0 ether-options 802.3ad ae0" is only associated with the logical LAG bundle "ae0".

If the switch has fiber optic interconnections with neighbors and OAM or LAG is not enabled, this is a finding.
Configure the switch to enable OAM or LAG to protect against one-way connections.

LFM with default values:
set protocols oam ethernet link-fault-management interface <interface name>

LAG:
set interfaces <interface name> ether-options 802.3ad ae<bundle number>
set interfaces ae<bundle number> aggregated-ether-options lacp
set interfaces ae<bundle number> unit 0 family ethernet-switching interface-mode trunk
set interfaces ae<bundle number> unit 0 family ethernet-switching vlan members <vlan_name>
:
set interfaces ae<bundle number> unit 0 family ethernet-switching vlan members <vlan_name>
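The snooping, STP and OAM/LAG checks above are easiest to apply consistently by auditing a "show configuration | display set" dump rather than reading stanzas by eye. The following Python script is an added example, not part of the STIG or of Junos; the sample configuration, the VLAN and interface names in it, and the FIBER_UPLINKS list (which interfaces carry fiber interconnections is site knowledge the configuration does not record) are constructed assumptions. It reports VLANs without IGMP or MLD snooping (immediate-leave plus a multicast-router-interface, with "vlan all" accepted as covering every VLAN), whether RSTP or MSTP is configured (and whether the bpdu-block-on-edge statement from the example stanza is present), and which fiber interfaces have neither link-fault-management nor 802.3ad LAG membership.

```python
"""Audit a Junos 'show configuration | display set' dump for the snooping, STP
and OAM/LAG requirements. Added example, not STIG or Junos code; the sample
config, its names and the FIBER_UPLINKS list are constructed."""

# Constructed sample; deliberately incomplete so each check reports something.
SAMPLE_CONFIG = """
set vlans data vlan-id 10
set vlans voice vlan-id 20
set protocols igmp-snooping vlan data immediate-leave
set protocols igmp-snooping vlan data interface ge-0/0/47.0 multicast-router-interface
set protocols mld-snooping vlan data immediate-leave
set protocols mld-snooping vlan data interface ge-0/0/47.0 multicast-router-interface
set protocols rstp bridge-priority 8k
set protocols rstp interface ge-0/0/1 edge
set protocols rstp interface xe-0/1/0 mode point-to-point
set protocols oam ethernet link-fault-management interface xe-0/1/0
set interfaces xe-0/1/1 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
"""

# Interfaces assumed (for this example only) to have fiber interconnections.
FIBER_UPLINKS = ["xe-0/1/0", "xe-0/1/1", "xe-0/1/2"]


def set_lines(config):
    """Tokenise every 'set ...' statement; other lines are ignored."""
    return [ln.split() for ln in config.splitlines() if ln.strip().startswith("set ")]


def vlan_names(lines):
    return {t[2] for t in lines if t[:2] == ["set", "vlans"] and len(t) > 2}


def snooping_gaps(lines):
    """(protocol, vlan) pairs where igmp-/mld-snooping lacks immediate-leave or a
    multicast-router-interface; 'vlan all' statements satisfy every VLAN."""
    gaps = []
    for proto in ("igmp-snooping", "mld-snooping"):
        for vlan in sorted(vlan_names(lines)):
            stmts = [t[5:] for t in lines
                     if t[1:4] == ["protocols", proto, "vlan"]
                     and len(t) > 5 and t[4] in ("all", vlan)]
            has_leave = ["immediate-leave"] in stmts
            has_mrouter = any(s[-1] == "multicast-router-interface" for s in stmts)
            if not (has_leave and has_mrouter):
                gaps.append((proto, vlan))
    return gaps


def stp_findings(lines):
    """RSTP or MSTP must be present; also report a missing bpdu-block-on-edge,
    which the STIG example stanza configures under both protocols."""
    enabled = {t[2] for t in lines
               if len(t) > 2 and t[1] == "protocols" and t[2] in ("rstp", "mstp")}
    if not enabled:
        return ["no RSTP/MSTP configured"]
    return [f"{p}: bpdu-block-on-edge not set" for p in sorted(enabled)
            if ["set", "protocols", p, "bpdu-block-on-edge"] not in lines]


def unprotected_fiber(lines, fiber_ifaces=FIBER_UPLINKS):
    """Fiber interfaces with neither link-fault-management nor 802.3ad membership."""
    lfm = {t[6] for t in lines if len(t) > 6
           and t[1:6] == ["protocols", "oam", "ethernet", "link-fault-management", "interface"]}
    lag = {t[2] for t in lines if len(t) > 4
           and t[1] == "interfaces" and t[3:5] == ["ether-options", "802.3ad"]}
    return [i for i in fiber_ifaces if i not in lfm and i not in lag]


def audit(config, fiber_ifaces=FIBER_UPLINKS):
    """Run all three checks; empty lists mean compliant."""
    lines = set_lines(config)
    return {"snooping": snooping_gaps(lines),
            "stp": stp_findings(lines),
            "fiber": unprotected_fiber(lines, fiber_ifaces)}


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result or 'compliant'}")
```

Run against the constructed sample it reports the "voice" VLAN for both snooping protocols, the missing bpdu-block-on-edge under rstp, and xe-0/1/2 as a fiber interface with no LFM or LAG. The script only reads the "set" form of the configuration, so either capture that form from the switch or convert a stanza-form configuration first.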
Review the switch configurations and examine all access interfaces. Each access interface not in use should have membership in an inactive VLAN that is not used for any purpose and is not allowed on any trunk links.

Verify a VLAN is configured for unused interfaces.
[edit vlans]
vlan_disabled {
    vlan-id <VLAN ID>;
}

Verify disabled interfaces are assigned to an unused VLAN either individually or via the "interface-range" command. Verify interfaces configured via "interface-range" are not also configured individually.

Multiple interfaces simultaneously configured via interface-range:
[edit interfaces]
interface-range <name> {
    member <interface name>;
    member-range <starting interface name> to <ending interface name>;   <<< Member ranges are contiguous from <start interface> to <end interface> inclusive
    disable;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan_disabled;
            }
        }
    }
}

Individually configured:
[edit interfaces]
<interface name> {
    disable;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan_disabled;
            }
        }
    }
}

In this example, "vlan_disabled" is designated for all unused interfaces and must not be configured on any trunked interface. Verify the unused VLAN is NOT a member of any trunked interface as in the example below.
[edit interfaces]
<interface name> {
    unit <logical unit> {
        family {
            ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ vlan_name vlan_disabled ];
                }
            }
        }
    }
}

If there are any access interfaces not in use and not in an inactive VLAN, this is a finding.

Note: Access interfaces configured for 802.1x are exempt from this requirement.
Disable all access interfaces not in use and assign to an inactive VLAN. In this example, "vlan_disabled" is the name given to the VLAN for unused interfaces. This VLAN name can be any legal name.

set vlans vlan_disabled vlan-id <VLAN ID>
set interfaces interface-range <name> member <interface name>
set interfaces interface-range <name> member-range <starting interface name> to <ending interface name>
set interfaces interface-range <name> disable
set interfaces interface-range <name> unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces <interface name> disable
set interfaces <interface name> unit 0 family ethernet-switching vlan members vlan_disabled

Delete the unused VLAN from all trunked interfaces.
delete interfaces <trunked interface> unit 0 family ethernet-switching vlan members vlan_disabled

Note: Switch ports configured for 802.1x are exempt from this requirement.
Review the switch configurations and verify all access interfaces are assigned to a configured VLAN not used for L2 control traffic.

If assigning via interface-range, the configuration will be similar to the example.
[edit interfaces]
interface-range <name> {
    member <interface name>;
    member-range <starting interface name> to <ending interface name>;   <<< Member ranges are contiguous from <start interface> to <end interface> inclusive
    unit 0 {
        family ethernet-switching {
            vlan {
                members <vlan name>;
            }
        }
    }
}

If assigning individually, the configuration will be similar to the example.
[edit interfaces]
<interface name> {
    unit 0 {
        family ethernet-switching {
            vlan {
                members <vlan name>;
            }
        }
    }
}

Verify the assigned VLANs are configured.
[edit vlans]
<vlan name> {
    vlan-id <VLAN ID>;
}

Note: Assigning interfaces to a VLAN automatically removes them from the default VLAN.

If there are access interfaces assigned to the VLANs used for L2 control traffic, this is a finding.
Assign all access interfaces to a VLAN not used for L2 control traffic.

Interface range configuration:
set interfaces interface-range name member <interface name>
set interfaces interface-range name member-range <starting interface name> to <ending interface name>
set interfaces interface-range name unit 0 family ethernet-switching vlan members <vlan name>

Individual interface configuration:
set interfaces <interface name> unit 0 family ethernet-switching vlan members <vlan name>

Configure the VLAN:
set vlans <vlan name> vlan-id <VLAN ID>
Review the switch configuration and verify that the default VLAN is pruned from trunk links that do not require it.
[edit interfaces]
<interface name> {
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name ... vlan_name ];
            }
        }
    }
}

If the default VLAN is not pruned from trunk links that should not be transporting frames for that VLAN, this is a finding.
Remove unnecessary VLANs from trunked interfaces.
delete interfaces <trunked interface name> unit 0 family ethernet-switching vlan members <default | other unnecessary VLAN name>
Review the switch configuration and verify that the default VLAN is not used to access the switch for management. Verify access interfaces used for management are assigned to an appropriate VLAN as in the example below.
[edit interfaces]
<interface name> {
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members <vlan name>;
            }
        }
    }
}

If the default VLAN is being used to access the switch, this is a finding.
Configure the switch for management access to use a VLAN other than the default VLAN.
set interfaces <interface name> unit 0 family ethernet-switching interface-mode access
set interfaces <interface name> unit 0 family ethernet-switching vlan members <vlan name>
Review the switch configuration and examine all user-facing or untrusted interfaces and verify the interface mode command is not present or, if present, is not configured with the keyword "trunk".

Default interface-mode access for interface configured with family ethernet-switching:
[edit interfaces]
<interface name> {
    unit 0 {
        family ethernet-switching {
        }
    }
}

Note: Because the default interface-mode is "access", an interface configured for family ethernet-switching and without an "interface-mode" declaration is automatically an access interface.

Interfaces explicitly configured mode access:
[edit interfaces]
<interface name> {
    unit 0 {
        family ethernet-switching {
            interface-mode access;
        }
    }
}

If any of the user-facing access interfaces are configured as a trunk, this is a finding.
Disable trunking on all user-facing or untrusted access interfaces.

Deleting interface-mode from the configuration automatically assigns mode access:
delete interfaces <interface name> unit 0 family ethernet-switching interface-mode

Explicitly configure mode access for a user-facing or untrusted interface:
set interfaces <interface name> unit 0 family ethernet-switching interface-mode access
Review the switch configuration and examine all trunked interfaces to verify no native VLAN ID is assigned. If a native VLAN has been assigned, verify the VLAN is unique. By default, there are no native VLANs assigned to any trunked interface.

Verify trunked interfaces do not have a native VLAN ID configured.
[edit interfaces]
<interface name> {
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name ... vlan_name ];
            }
        }
    }
}

If trunked interfaces require a native VLAN, verify it is unique.
[edit interfaces]
<interface name> {
    native-vlan-id <unique VLAN ID>;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name ... vlan_name ];
            }
        }
    }
}

Note: By default, Juniper switches do not automatically assign a native VLAN. Configuring an interface with "interface-mode trunk" does not automatically assign the default VLAN.

Verify any VLAN assigned as native for any trunked interface has been configured.
[edit vlans]
native_vlan_name {
    vlan-id <VLAN ID>;
}

If trunked interfaces do not have a native VLAN ID configured, this is not a finding.

If a native VLAN is configured and does not have a unique VLAN ID, this is a finding.
To ensure the integrity of the trunk link, either remove the native VLAN ID or configure the native VLAN ID with a unique value. If used, the native VLAN ID must be the same on both ends of the trunk link.

Example deleting a native VLAN ID:
delete interfaces <interface name> native-vlan-id

Example configuring a native VLAN ID:
set interfaces <interface name> native-vlan-id <VLAN ID not 1>

Example configuring a VLAN used as native for any trunked interface:
set vlans vlan_name vlan-id 30
Review the switch configurations and examine all access interfaces. Verify that they do not belong to any VLAN configured as native for any trunked interface.

Example trunked interface with native VLAN ID 30 and an access interface configured for vlan_name:
[edit interfaces]
<trunk interface name> {
    native-vlan-id 30;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ <vlan name> ... <vlan name> ];
            }
        }
    }
}
<access interface name> {
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members vlan_name;
            }
        }
    }
}

Example VLANs (vlan-id 30 is configured on a trunked interface as native and must not be assigned to access interfaces):
[edit vlans]
vlan_30 {
    vlan-id 30;
}
vlan_name {
    vlan-id <VLAN ID not 30>;
}

If trunked interfaces are not configured with a native VLAN ID, this is not a finding.

If any trunked interface is configured with a native VLAN ID, and any access interfaces have been assigned to the same VLAN, this is a finding.
Configure all access interfaces with a VLAN separate from any VLAN configured as native on any trunked interface.
set interfaces <interface name> unit 0 family ethernet-switching interface-mode access
set interfaces <interface name> unit 0 family ethernet-switching vlan members vlan_name
set vlans <vlan_name> vlan-id <VLAN ID not assigned as native to any trunked interface>
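The VLAN requirements above (unused interfaces parked in an inactive VLAN that no trunk carries, no access interface in an L2 control VLAN, the default VLAN pruned from trunks, no user-facing trunks, and no access interface sharing a trunk's native VLAN) all hinge on the same per-interface facts: mode, VLAN membership, native-vlan-id and disable state. The following Python script is an added example, not part of the STIG or of Junos, that builds that model from a "display set" dump, expanding interface-range stanzas onto their member ports and defaulting the mode to access as the switch does, and then reports each violation. The sample configuration, its VLAN and port names, the inactive VLAN name "vlan_disabled" and the USER_FACING list (which ports face wall plates is site knowledge) are constructed assumptions; the native VLAN uniqueness check only flags VLAN ID 1, following the "<VLAN ID not 1>" placeholder above.

```python
"""Audit access/trunk VLAN hygiene in a Junos 'display set' dump. Added
example, not STIG or Junos code; the sample config, its names and the
USER_FACING list are constructed."""
import re
from collections import defaultdict

# Constructed sample: deliberately contains one violation of each kind.
SAMPLE_CONFIG = """
set vlans default vlan-id 1
set vlans vlan_disabled vlan-id 999
set vlans users vlan-id 10
set vlans mgmt vlan-id 20
set vlans vlan_30 vlan-id 30
set interfaces interface-range unused member-range ge-0/0/10 to ge-0/0/12
set interfaces interface-range unused disable
set interfaces interface-range unused unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan_30
set interfaces ge-0/0/3 disable
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members default
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members [ users mgmt ]
set interfaces xe-0/1/0 native-vlan-id 30
set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members [ users mgmt vlan_disabled ]
"""
USER_FACING = ["ge-0/0/1", "ge-0/0/2", "ge-0/0/3", "ge-0/0/4"]  # assumed wall-plate ports
PORT = re.compile(r"^(.*/)(\d+)$")


def expand_range(start, end):
    """'ge-0/0/10 to ge-0/0/12' -> the contiguous ports (same FPC/PIC assumed)."""
    prefix, first = PORT.match(start).groups()
    last = int(PORT.match(end).group(2))
    return [f"{prefix}{n}" for n in range(int(first), last + 1)]


def apply_stmt(entry, rest):
    """Fold one statement tail (tokens after the interface name) into an entry."""
    if rest == ["disable"]:
        entry["disabled"] = True
    elif rest[:1] == ["native-vlan-id"]:
        entry["native"] = rest[1]
    elif "interface-mode" in rest:
        entry["mode"] = rest[rest.index("interface-mode") + 1]
    elif "members" in rest:
        entry["members"] |= {m for m in rest[rest.index("members") + 1:] if m not in ("[", "]")}


def parse_interfaces(config):
    """{port: {mode, members, native, disabled}}; interface-range statements are
    applied to every member port. Mode defaults to access, as on the switch."""
    stmts, range_members = [], defaultdict(list)
    for ln in config.splitlines():
        t = ln.split()
        if t[:2] != ["set", "interfaces"] or len(t) < 4:
            continue
        if t[2] == "interface-range":
            name, rest = t[3], t[4:]
            if rest[:1] == ["member"]:
                range_members[name].append(rest[1])
            elif rest[:1] == ["member-range"]:
                range_members[name] += expand_range(rest[1], rest[3])
            else:
                stmts.append((name, rest, True))
        else:
            stmts.append((t[2], t[3:], False))
    ifaces = defaultdict(lambda: {"mode": "access", "members": set(), "native": None, "disabled": False})
    for name, rest, is_range in stmts:
        for port in (range_members[name] if is_range else [name]):
            apply_stmt(ifaces[port], rest)
    return dict(ifaces)


def audit_vlans(config, inactive_vlan="vlan_disabled", control_vlans=("default",), user_facing=()):
    """Return one finding string per violation; an empty list means compliant."""
    ifaces = parse_interfaces(config)
    vlan_id = {t[2]: t[4] for t in (ln.split() for ln in config.splitlines())
               if t[:2] == ["set", "vlans"] and len(t) > 4 and t[3] == "vlan-id"}
    trunks = {n: e for n, e in ifaces.items() if e["mode"] == "trunk"}
    access = {n: e for n, e in ifaces.items() if e["mode"] == "access"}
    # VLAN names whose ID is configured as native on some trunk.
    native_names = {v for v, vid in vlan_id.items() if any(e["native"] == vid for e in trunks.values())}
    findings = []
    for n, e in sorted(access.items()):
        if e["disabled"] and inactive_vlan not in e["members"]:
            findings.append(f"{n}: unused interface not in {inactive_vlan}")
        for v in sorted(e["members"]):
            if v in control_vlans:
                findings.append(f"{n}: access interface in L2 control VLAN {v}")
            if v in native_names:
                findings.append(f"{n}: access interface in native VLAN {v} of a trunk")
            if v not in vlan_id:
                findings.append(f"{n}: VLAN {v} is not configured")
    for n, e in sorted(trunks.items()):
        if n in user_facing:
            findings.append(f"{n}: user-facing interface configured as trunk")
        if "default" in e["members"]:
            findings.append(f"{n}: default VLAN not pruned from trunk")
        if inactive_vlan in e["members"]:
            findings.append(f"{n}: inactive VLAN {inactive_vlan} allowed on trunk")
        if e["native"] == "1":
            findings.append(f"{n}: native VLAN ID 1 is not unique")
    return findings


if __name__ == "__main__":
    for f in audit_vlans(SAMPLE_CONFIG, user_facing=USER_FACING):
        print("FINDING", f)
```

On the constructed sample the script reports ge-0/0/2 (access port in the VLAN that xe-0/1/0 uses as native), ge-0/0/3 (disabled but left in the default VLAN rather than vlan_disabled), ge-0/0/4 (user-facing trunk) and xe-0/1/0 (trunk carrying vlan_disabled). Ports in the "unused" range are expanded and pass because the range's disable and membership statements apply to each of them; the 802.1x exemption noted in the requirement is not modelled, so ports under [edit protocols dot1x] would need to be excluded from the user_facing list before the results are read as findings.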