Check: ARST-L2-000110
Arista MLS EOS 4.2x L2S STIG:
ARST-L2-000110
(in version v1 r1)
Title
The Arista MLS layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. (Cat II impact)
Discussion
DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Check Content
Review the Arista MLS switch configuration to verify that Dynamic Address Resolution Protocol (ARP) Inspection (DAI) feature is enabled on all user VLANs. Verify ARP inspection for user VLANs by the following command: sh ip arp inspection vlan VLAN 2200 ------------ Configuration: Enabled Operation State: Active If static ARP inspection is not enabled on all user VLANs, this is a finding.
Fix Text
Configure the Arista MLS switch to have static Address Resolution Protocol (ARP) Inspection to be enabled on all user VLANs. By default, Arista MLS switch static ARP Inspection is disabled on all VLANs. Static ARP inspection can be enabled on all specific user VLANs by using the following command: switch(config)#ip arp inspection vlan <vlan-list>
Additional Identifiers
Rule ID: SV-255975r882267_rule
Vulnerability ID: V-255975
Group Title: SRG-NET-000362-L2S-000027
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |