The Arista MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-255995 | ARST-RT-000090 | SV-255995r882327_rule | Low |
| Description |
|---|
| To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer. |
| STIG | Date |
|---|---|
| Arista MLS EOS 4.2x Router Security Technical Implementation Guide | 2023-01-17 |
Details
| Check Text ( C-59671r882325_chk ) |
|---|
| To verify the MSDP peer and the sa-limit filter is configured, execute the command "show run | sec router msdp". router msdp peer 10.1.12.2 sa-limit 500 peer 10.1.55.78 sa-limit 900 If the Arista router is not configured with a peer limit, this is a finding. |
| Fix Text (F-59614r882326_fix) |
|---|
| Configure the Arista MSDP router to limit the amount of source-active messages it accepts from each peer. ! router (config) #router msdp router (config-router-msdp) #peer 10.1.1.5 router (config-router-msdp-peer 10.1.1.5) # sa-limit 500 router (config-router-msdp) #peer 10.1.55.78 router (config-router-msdp-peer 10.1.55.78) # sa-limit 900 router (config-router-msdp-peer 10.1.55.78) # exit |