Check: ARST-RT-000090
Arista MLS EOS 4.2x Router STIG:
ARST-RT-000090
(in version v1 r1)
Title
The Arista MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis. (Cat III impact)
Discussion
To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.
Check Content
To verify the MSDP peer and the sa-limit filter is configured, execute the command "show run | sec router msdp". router msdp peer 10.1.12.2 sa-limit 500 peer 10.1.55.78 sa-limit 900 If the Arista router is not configured with a peer limit, this is a finding.
Fix Text
Configure the Arista MSDP router to limit the amount of source-active messages it accepts from each peer. ! router (config) #router msdp router (config-router-msdp) #peer 10.1.1.5 router (config-router-msdp-peer 10.1.1.5) # sa-limit 500 router (config-router-msdp) #peer 10.1.55.78 router (config-router-msdp-peer 10.1.55.78) # sa-limit 900 router (config-router-msdp-peer 10.1.55.78) # exit
Additional Identifiers
Rule ID: SV-255995r882327_rule
Vulnerability ID: V-255995
Group Title: SRG-NET-000018-RTR-000009
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001368 |
The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |