SV-75349r1_rule
V-60891
SRG-NET-000019-RTR-000004
AMLS-L3-000120
CAT II
10
Configure neighbor filters to only accept PIM control plane traffic from documented PIM neighbors. Bind neighbor filters to all PIM-enabled interfaces.
To create a new neighbor filter, create an access list by entering:
ip access-list [name]
[ip access list permit/deny statement]
exit
Then apply the neighbor filter based on the access list to the PIM-enabled interface:
int ethernet 1
ip pim neighbor-filter [name-of-ACL]
Review the multicast topology diagram and determine if router interfaces are enabled for IPv4 or IPv6 multicast routing.
If the router is enabled for multicast routing, verify all interfaces enabled for PIM have a neighbor filter bound to the interface. The neighbor filter must only accept PIM control plane traffic from the documented PIM neighbors. To verify a neighbor filter is active, execute the "show running-config" command and find the "ip pim neighbor-filter [name]" statement in the interface configuration mode.
If PIM neighbor filters are not bound to all interfaces that have PIM enabled, this is a finding.
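The check above can be scripted against saved "show running-config" output. This is an added example, not part of the STIG text: it assumes PIM is enabled on an interface by the line "ip pim sparse-mode", that ACLs use the "ip access-list [name]" form shown above, and that neighbors are IPv4 addresses. The sample config and documented-neighbor list are constructed.

```python
import re
# Constructed sample config and neighbor list (not from a real device).
SAMPLE = """\
ip access-list PIM-NBRS
   10 permit ip host 10.0.12.2 any
ip access-list PIM-LOOSE
   10 permit ip host 10.0.13.3 any
   20 permit ip any any
interface Ethernet1
   ip pim sparse-mode
   ip pim neighbor-filter PIM-NBRS
interface Ethernet2
   ip pim sparse-mode
   ip pim neighbor-filter PIM-LOOSE
interface Ethernet3
   ip pim sparse-mode
"""
DOCUMENTED = {"Ethernet1": {"10.0.12.2"}, "Ethernet2": {"10.0.13.3"}}

def stanzas(config):
    """Map each top-level config line to its indented child lines."""
    out, current = {}, None
    for line in filter(lambda s: s.strip() not in ("", "!"), config.splitlines()):
        if not line[0].isspace():
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def audit(config, documented):
    """Return {interface: finding} for PIM interfaces that fail the check."""
    blocks, findings = stanzas(config), {}
    for head, body in blocks.items():
        # Assumption: PIM is enabled per interface with "ip pim sparse-mode".
        if not head.startswith("interface ") or "ip pim sparse-mode" not in body:
            continue
        name = head.split(None, 1)[1]
        acl = next((l.split()[-1] for l in body if l.startswith("ip pim neighbor-filter ")), None)
        if acl is None or f"ip access-list {acl}" not in blocks:
            findings[name] = "no neighbor filter bound" if acl is None else f"ACL {acl} is not defined"
            continue
        permitted = set()
        for l in blocks[f"ip access-list {acl}"]:
            if re.search(r"\bpermit\b", l):  # a permit with no address is "any"
                permitted.update(re.findall(r"\d+(?:\.\d+){3}", l) or ["any"])
        extra = permitted - documented.get(name, set())
        if extra:
            findings[name] = f"{acl} permits undocumented sources: {sorted(extra)}"
    return findings
```

Calling audit(SAMPLE, DOCUMENTED) reports Ethernet2 (filter permits "any") and Ethernet3 (no filter bound); an empty result means no finding under these assumptions.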