The Arista Multilayer Switch must restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems (AS).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-60925 | AMLS-L3-000280 | SV-75383r1_rule | Medium |
| Description |
|---|
| Advertisement of routes by an Autonomous System for networks that do not belong to any of its trusted peers pulls traffic away from the authorized network. This causes a DoS on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the network could redistribute Interior Gateway Protocol routes into Border Gateway Protocol, thereby leaking internal routes. |
| STIG | Date |
|---|---|
| Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide | 2015-07-06 |
Details
| Check Text ( C-61871r1_chk ) |
|---|
| Review the router configuration to verify that Border Gateway Protocol connections are only from known neighbors in a trusted AS. Check the BGP configuration statements viewable via the "show running-config" command to validate that no dynamic BGP listen ranges are configured for EBGP peerings to external networks. This requirement to eliminate dynamic listen ranges does not apply to internal networks. If the router is configured with dynamic listen ranges for EBGP peers to external networks, this is a finding. |
| Fix Text (F-66637r1_fix) |
|---|
| Remove any configuration statements for dynamic listen ranges to external EBGP peers. If connections must exist, use explicit neighbor statements for the peering router. |