Information
The route processor handles traffic destined to the router itself; it is the key component used to build forwarding paths and is also instrumental in all network management functions. Hence, any disruption or denial-of-service (DoS) attack against the route processor can result in mission-critical network outages.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure all Arista routers with receive path filters to restrict traffic destined to the router.
Step 1: Configure the control-plane policy (CoPP) to limit the LLDP traffic sent to the CPU.
router(config)#policy-map type copp copp-system-policy
router(config-pmap-copp-system-policy)#class copp-system-lldp
router(config-pmap-c-copp-system-policy-copp-system-lldp)#bandwidth kbps 500
Step 2: Configure an inbound ACL that permits only the required traffic; everything else is denied by the implicit deny at the end of the list.
ip access-list INBOUND
10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet
20 permit tcp 10.10.10.0/24 any eq www https
30 permit udp 10.20.20.0/24 any eq bootps snmp
Step 3: Apply the ACL inbound on all external interfaces.
router(config)#interface ethernet 13
router(config-if-Et13)#ip access-group INBOUND in
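As an added example (not part of this benchmark text or of any Arista or Nessus tooling), the following Python check reads a saved EOS running-config and verifies the three steps above: the CoPP LLDP bandwidth limit, the presence of the receive-path ACL, and the ACL being applied inbound on every Ethernet interface. The config sample is constructed, and the check assumes every Ethernet interface is an external interface.

```python
# Constructed sample of an Arista EOS running-config (not from a real device).
SAMPLE_CONFIG = """\
policy-map type copp copp-system-policy
   class copp-system-lldp
      bandwidth kbps 500
!
ip access-list INBOUND
   10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet
   20 permit tcp 10.10.10.0/24 any eq www https
   30 permit udp 10.20.20.0/24 any eq bootps snmp
interface Ethernet13
   ip access-group INBOUND in
interface Ethernet14
"""

def _blocks(config):
    """Split an EOS config into (header, [indented body lines]) pairs."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks

def audit_receive_path(config, acl_name="INBOUND", max_lldp_kbps=500):
    """Return findings for the CoPP LLDP limit, the ACL definition and per-interface ACL."""
    findings = {"lldp_limited": False, "acl_defined": False, "missing_acl": []}
    for header, body in _blocks(config):
        if header.startswith("policy-map type copp"):
            cur = None  # class currently being walked inside the policy-map
            for line in body:
                if line.startswith("class "):
                    cur = line.split()[1]
                if cur == "copp-system-lldp" and line.startswith("bandwidth kbps"):
                    findings["lldp_limited"] = int(line.split()[2]) <= max_lldp_kbps
        elif header == f"ip access-list {acl_name}":
            findings["acl_defined"] = True
        elif header.startswith("interface Ethernet"):
            # Assumption: every Ethernet interface is external and must carry the ACL.
            if f"ip access-group {acl_name} in" not in body:
                findings["missing_acl"].append(header.split()[1])
    return findings
```

On the sample, Ethernet14 is reported because the ACL is defined but never applied to it, the case an interface-by-interface review is most likely to miss.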