The Arista router must be configured to restrict traffic destined to itself.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256016	ARST-RT-000340	SV-256016r882390_rule		High

Description
The route processor handles traffic destined to the router, the key component used to build forwarding paths that is also instrumental with all network management functions. Hence, any disruption or denial-of-service (DoS) attack to the route processor can result in mission-critical network outages.

STIG	Date
Arista MLS EOS 4.2x Router Security Technical Implementation Guide	2023-01-17

Details

Check Text ( C-59692r882388_chk )
Review the access control list (ACL) or filter for the Arista router receive path and verify that it will only process specific management plane and control plane traffic from specific sources. Note: If the platform does not support the receive path filter, verify all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing. Step 1: Review the Arista router configuration for Control Plane ACL, which can be modified to permit or deny additional protocols that can be matched via an extended access-list for management traffic. Sample Default CP ACL: ! ip access-list ENCLAVE_GATEWAY_FILTER 10 permit ip any 172.16.0.0/16 ! ip access-list STIG 10 deny ip 172.16.50.0/30 10.10.100.0/24 ! ip access-list control-plane-modified !! Line 180 added for AMLS-L3-000260 which requires eBGP GTSM or equivalent statistics per-entry 10 permit icmp any any 20 permit ip any any tracked 30 permit udp any any eq bfd ttl eq 255 40 permit udp any any eq bfd-echo ttl eq 254 50 permit ospf any any 60 permit tcp any any eq ssh telnet www snmp bgp https msdp 70 permit udp any any eq bootps bootpc snmp rip ntp 80 permit tcp any any eq mlag ttl eq 255 90 permit udp any any eq mlag ttl eq 255 100 permit vrrp any any 110 permit ahp any any 120 permit pim any any 130 permit igmp any any 140 permit tcp any any range 5900 5910 150 permit tcp any any range 50000 50100 160 permit udp any any range 51000 51100 170 permit tcp any any eq mlag-arp-sync ttl eq 255 180 permit tcp 192.168.1.0/30 192.168.1.0/30 eq bgp ttl eq 255 log Step 2: Verify the control plane policy is configured to restricting the LLDP traffic to CPU. router#show running-config \| section policy-map policy-map type copp copp-system-policy class copp-system-lldp bandwidth kbps 500 Step 3: To verify the ACL is configured to allow the traffic per the requirement and deny all by default, execute the command "sh ip access-list". router#show ip access-list ip access-list INBOUND 10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet 20 permit tcp 10.10.10.0/24 any eq www https 30 permit udp 10.20.20.0/24 any eq bootps snmp Step 4: To verify the ACL is applied inbound on all external interfaces, execute the command "sh run int Eth YY". router#show running-config interface Ethernet 13 interface ethernet 13 ip access-group INBOUND in If the Arista router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.

Check Text ( C-59692r882388_chk )

Review the access control list (ACL) or filter for the Arista router receive path and verify that it will only process specific management plane and control plane traffic from specific sources.

Note: If the platform does not support the receive path filter, verify all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.

Step 1: Review the Arista router configuration for Control Plane ACL, which can be modified to permit or deny additional protocols that can be matched via an extended access-list for management traffic. Sample Default CP ACL:

!
ip access-list ENCLAVE_GATEWAY_FILTER
10 permit ip any 172.16.0.0/16
!
ip access-list STIG
10 deny ip 172.16.50.0/30 10.10.100.0/24
!
ip access-list control-plane-modified
!! Line 180 added for AMLS-L3-000260 which requires eBGP GTSM or equivalent
statistics per-entry
10 permit icmp any any
20 permit ip any any tracked
30 permit udp any any eq bfd ttl eq 255
40 permit udp any any eq bfd-echo ttl eq 254
50 permit ospf any any
60 permit tcp any any eq ssh telnet www snmp bgp https msdp
70 permit udp any any eq bootps bootpc snmp rip ntp
80 permit tcp any any eq mlag ttl eq 255
90 permit udp any any eq mlag ttl eq 255
100 permit vrrp any any
110 permit ahp any any
120 permit pim any any
130 permit igmp any any
140 permit tcp any any range 5900 5910
150 permit tcp any any range 50000 50100
160 permit udp any any range 51000 51100
170 permit tcp any any eq mlag-arp-sync ttl eq 255
180 permit tcp 192.168.1.0/30 192.168.1.0/30 eq bgp ttl eq 255 log

Step 2: Verify the control plane policy is configured to restricting the LLDP traffic to CPU.

router#show running-config | section policy-map
policy-map type copp copp-system-policy
class copp-system-lldp
bandwidth kbps 500

Step 3: To verify the ACL is configured to allow the traffic per the requirement and deny all by default, execute the command "sh ip access-list".

router#show ip access-list
ip access-list INBOUND
10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet
20 permit tcp 10.10.10.0/24 any eq www https
30 permit udp 10.20.20.0/24 any eq bootps snmp

Step 4: To verify the ACL is applied inbound on all external interfaces, execute the command "sh run int Eth YY".

router#show running-config interface Ethernet 13
interface ethernet 13
ip access-group INBOUND in

If the Arista router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.

Fix Text (F-59635r882389_fix)
Configure all Arista routers with receive path filters to restrict traffic destined to the router. Step 1: Configure the Control plane policy to restrict the LLDP traffic to CPU. router(config)#policy-map type copp copp-system-policy router(config-pmap-copp-system-policy)#class copp-system-lldp router(config-pmap-c-copp-system-policy-copp-system-lldp)#bandwidth kbps 500 Step 2: Configure an ACL inbound to allow traffic per the requirement and deny all by default. ip access-list INBOUND 10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet 20 permit tcp 10.10.10.0/24 any eq www https 30 permit udp 10.20.20.0/24 any eq bootps snmp Step 3: Apply the ACL inbound on all external interfaces. router(config)#interface ethernet 13 router(config-if-Et13)#ip access-group INBOUND in

Fix Text (F-59635r882389_fix)

Configure all Arista routers with receive path filters to restrict traffic destined to the router.

Step 1: Configure the Control plane policy to restrict the LLDP traffic to CPU.

router(config)#policy-map type copp copp-system-policy
router(config-pmap-copp-system-policy)#class copp-system-lldp
router(config-pmap-c-copp-system-policy-copp-system-lldp)#bandwidth kbps 500

Step 2: Configure an ACL inbound to allow traffic per the requirement and deny all by default.

ip access-list INBOUND
10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet
20 permit tcp 10.10.10.0/24 any eq www https
30 permit udp 10.20.20.0/24 any eq bootps snmp

Step 3: Apply the ACL inbound on all external interfaces.

router(config)#interface ethernet 13
router(config-if-Et13)#ip access-group INBOUND in