STIGQter: STIG Summary: Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jul 2020

The Arista Multilayer Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.

DISA Rule

SV-75347r1_rule

Vulnerability Number

V-60889

Group Title

SRG-NET-000019-RTR-000003

Rule Version

AMLS-L3-000110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document all enabled interfaces for PIM in the network's multicast topology diagram. Disable support for PIM on interfaces that are not required to support it.

Interfaces have PIM disabled by default. To disable PIM on an interface that is active in a multicast network, enter "no pim sparse-mode" in interface configuration mode.

Check Contents

If IPv4 or IPv6 multicast routing is enabled, verify all interfaces enabled for PIM are documented in the network's multicast topology diagram. Review the router configuration via the "show running-config" command to determine if multicast routing is enabled and which interfaces are enabled for PIM, identified via the "ip pim sparse-mode" statement in the interface configuration. Alternatively, from the interface configuration mode, enter "show active all" and verify that the statement "no ip pim sparse-mode" is present, if PIM is not required for the active interface.

If an interface is not required to support multicast routing and it is enabled, this is a finding.
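The check above can be scripted against saved "show running-config" output. The following is an added example, not part of the STIG or of Arista's tooling; the sample configuration is constructed, the `DOCUMENTED` set is a hypothetical stand-in for the multicast topology diagram, and the `ip multicast-routing` statement is an assumption about how the device's EOS release enables multicast routing.

```python
import re
# Assumption: global statement that enables IPv4 multicast routing; adjust per EOS release.
MULTICAST_STMT = "ip multicast-routing"
# Constructed sample of "show running-config" output, not from a real device.
SAMPLE_CONFIG = """\
ip multicast-routing
!
interface Ethernet1
   ip pim sparse-mode
!
interface Ethernet2
   ip pim sparse-mode
!
interface Ethernet3
   no ip pim sparse-mode
!
interface Vlan100
   ip address 10.0.100.1/24
"""

# Hypothetical stand-in for the interfaces listed in the multicast topology diagram.
DOCUMENTED = {"Ethernet1"}

def pim_interfaces(config):
    """Return the interfaces whose block enables 'ip pim sparse-mode'."""
    enabled, current = set(), None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = header.group(1)
        elif not line.startswith((" ", "\t")):
            current = None  # "!" or a global command ends the interface block
        elif current and line.strip() == "ip pim sparse-mode":
            enabled.add(current)  # exact match, so the "no ..." form is not counted
        elif current and line.strip() == "no ip pim sparse-mode":
            enabled.discard(current)
    return enabled

def audit(config, documented):
    """Flag PIM-enabled interfaces that are absent from the documented set."""
    enabled = pim_interfaces(config)
    return {
        "multicast_routing": any(l.strip() == MULTICAST_STMT for l in config.splitlines()),
        "pim_enabled": sorted(enabled),
        "findings": sorted(enabled - set(documented)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, DOCUMENTED))
```

A plain substring search for "ip pim sparse-mode" would also match the "no ip pim sparse-mode" lines, which is why the parser compares whole statements within each interface block.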

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2823
