ARST-RT-000090 - The Arista MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.

Information

To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.

Solution

Configure the Arista MSDP router to limit the number of source-active messages it accepts from each peer.

!
router(config)#router msdp
router(config-router-msdp)#peer 10.1.1.5
router(config-router-msdp-peer 10.1.1.5)#sa-limit 500
router(config-router-msdp)#peer 10.1.55.78
router(config-router-msdp-peer 10.1.55.78)#sa-limit 900
router(config-router-msdp-peer 10.1.55.78)#exit
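
To verify the setting across saved configurations, the following added example (not part of the STIG or of any vendor tooling) parses configuration text and reports MSDP peers that have no sa-limit. It assumes the saved configuration lists each peer's commands indented under "router msdp" and "peer <address>", mirroring the commands above; the sample configuration, including peer 10.2.2.2, is constructed.

```python
import re

# Constructed sample in running-config style (assumed layout: submode
# commands are indented under "router msdp" and "peer <address>").
SAMPLE_CONFIG = """\
router bgp 65001
   neighbor 10.1.1.5 remote-as 65002
!
router msdp
   peer 10.1.1.5
      sa-limit 500
   peer 10.1.55.78
      sa-limit 900
   peer 10.2.2.2
!
"""

PEER_RE = re.compile(r"^peer\s+(\S+)$")
LIMIT_RE = re.compile(r"^sa-limit\s+(\d+)$")


def msdp_sa_limits(config_text):
    """Map each MSDP peer to its sa-limit (None when no limit is set)."""
    limits, in_msdp, peer = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith((" ", "\t")):
            # An unindented line opens or closes the "router msdp" section.
            in_msdp = line == "router msdp"
            peer = None
            continue
        if not in_msdp:
            continue  # ignore look-alike lines in other sections
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            limits.setdefault(peer, None)
            continue
        m = LIMIT_RE.match(line)
        if m and peer is not None:
            limits[peer] = int(m.group(1))
    return limits


def peers_missing_sa_limit(config_text):
    """Peers that would be flagged as a finding: no sa-limit configured."""
    return sorted(p for p, v in msdp_sa_limits(config_text).items() if v is None)
```

An empty list from peers_missing_sa_limit() means every configured MSDP peer carries a limit; whether the configured values are appropriate for each peer remains a site decision.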

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001368, Rule-ID|SV-255995r882327_rule, STIG-ID|ARST-RT-000090, Vuln-ID|V-255995

Plugin: Arista

Control ID: e566e84749ec37690f969ef188891413285ac362d4cbc66111e3904f3ef96263