Check: AMLS-L3-000160
Arista MLS DCS-7000 Series RTR STIG:
AMLS-L3-000160
(in versions v1 r3 through v1 r2)
Title
If Border Gateway Protocol (BGP) is enabled on The Arista Multilayer Switch, The Arista Multilayer Switch must not be a BGP peer with a router from an Autonomous System belonging to any Alternate Gateway. (Cat II impact)
Discussion
The perimeter router will not use a routing protocol to advertise NIPRNet addresses to Alternate Gateways. Most ISPs use Border Gateway Protocol (BGP) to share route information with other autonomous systems, that is, any network under a different administrative control and policy than a local site. If BGP is configured on the perimeter router, no BGP neighbors will be defined to peer routers from an AS belonging to any Alternate Gateway. The only allowable method is a static route to reach the Alternate Gateway.
Check Content
This requirement applies only to DoDIN enclaves. Review the configuration of the router connecting to the Alternate Gateway via the "show router bgp [processID]" command. Verify there are no BGP neighbors configured to the remote AS that belongs to the Alternate Gateway service provider. If there are BGP neighbors connecting the remote AS of the Alternate Gateway service provider, this is a finding.
Fix Text
Configure a static route on the perimeter router to reach the AS of a router connecting to an Alternate Gateway Ip route [destination/mask] [forwarding interface]
Additional Identifiers
Rule ID: SV-75357r1_rule
Vulnerability ID: V-60899
Group Title: SRG-NET-000019-RTR-000010
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |