ARST-RT-000340 - The Arista router must be configured to restrict traffic destined to itself.

Information

The route processor handles traffic destined to the router, the key component used to build forwarding paths that is also instrumental with all network management functions. Hence, any disruption or denial-of-service (DoS) attack to the route processor can result in mission-critical network outages.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure all Arista routers with receive path filters to restrict traffic destined to the router.

Step 1: Configure the Control plane policy to restrict the LLDP traffic to CPU.

router(config)#policy-map type copp copp-system-policy
router(config-pmap-copp-system-policy)#class copp-system-lldp
router(config-pmap-c-copp-system-policy-copp-system-lldp)#bandwidth kbps 500

Step 2: Configure an ACL inbound to allow traffic per the requirement and deny all by default.

ip access-list INBOUND
10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet
20 permit tcp 10.10.10.0/24 any eq www https
30 permit udp 10.20.20.0/24 any eq bootps snmp

Step 3: Apply the ACL inbound on all external interfaces.

router(config)#interface ethernet 13
router(config-if-Et13)#ip access-group INBOUND in

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|I, CCI|CCI-001097, Rule-ID|SV-256016r882390_rule, STIG-ID|ARST-RT-000340, Vuln-ID|V-256016

Plugin: Arista

Control ID: 90d2dc90eb91bf842bf95cb747604be67a8d9696855e7001f82faa89b5ada556