The Arista router must be configured to restrict traffic destined to itself.

An XCCDF Rule

Description

<VulnDiscussion>The route processor handles traffic destined to the router, the key component used to build forwarding paths that is also instrumental with all network management functions. Hence, any disruption or denial-of-service (DoS) attack to the route processor can result in mission-critical network outages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256016r882390_rule
Severity: High
References: CCI-001097
Updated: 17 days ago

Configure all Arista routers with receive path filters to restrict traffic destined to the router.

Step 1: Configure the Control plane policy to restrict the LLDP traffic to CPU.

router(config)#policy-map type copp copp-system-policy
router(config-pmap-copp-system-policy)#class copp-system-lldprouter(config-pmap-c-copp-system-policy-copp-system-lldp)#bandwidth kbps 500

Step 2: Configure an ACL inbound to allow traffic per the requirement and deny all by default.

ip access-list INBOUND
   10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet
   20 permit tcp 10.10.10.0/24 any eq www https
   30 permit udp 10.20.20.0/24 any eq bootps snmp

Step 3: Apply the ACL inbound on all external interfaces.

router(config)#interface ethernet 13
router(config-if-Et13)#ip access-group INBOUND in

The Arista router must be configured to restrict traffic destined to itself.

Description

Remediation - Manual Procedure