Arista MLS EOS 4.2x Router Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
<VulnDiscussion>The primary security model for an MPLS L3VPN infrastructure is traffic separation. The service provider must guarantee the cu...Rule High Severity -
SRG-NET-000512-RTR-000006
<GroupDescription></GroupDescription>Group -
The PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
<VulnDiscussion>The primary security model for an MPLS L3VPN as well as a VRF-lite infrastructure is traffic separation. Each interface can o...Rule High Severity -
The PE router must be configured to have each VRF with the appropriate Route Distinguisher (RD).
<VulnDiscussion>An RD provides uniqueness to the customer address spaces within the MPLS L3VPN infrastructure. The concept of the VPN-IPv4 an...Rule Medium Severity -
SRG-NET-000512-RTR-000008
<GroupDescription></GroupDescription>Group -
The PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.
<VulnDiscussion>VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two cust...Rule High Severity -
SRG-NET-000512-RTR-000011
<GroupDescription></GroupDescription>Group -
The Arista Multicast Source Discovery Protocol (MSDP) router must be configured to use its loopback address as the source address when originating MSDP traffic.
<VulnDiscussion>Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability o...Rule Low Severity -
SRG-NET-000512-RTR-000012
<GroupDescription></GroupDescription>Group -
The Arista router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
<VulnDiscussion>The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being ...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.