Information
A disabled port that is assigned to a user or management VLAN can become enabled, by accident or by an attacker, and as a result gain access to that VLAN as a member.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure all Arista MLS switch ports not in use to be shut down and assigned to an unused VLAN.
Step 1: Configure all unused ports to be shut down and assigned to an unused VLAN.
switch(config)# interface ethernet 9
switch(config-eth9)# shutdown
switch(config-eth9)# description this port is intentionally shutdown
switch(config-eth9)# switchport access vlan 999
Step 2: Configure any trunk links to exclude the unused VLAN.
switch(config)# interface ethernet 10
switch(config-eth10)# switchport trunk native vlan 1000
switch(config-eth10)# switchport trunk allowed vlan 2-998, 1001-4094
switch(config-eth10)# switchport mode trunk
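To review a saved configuration against both steps, the following added example (not part of the benchmark or of Nessus) flags shut-down ports that sit outside the unused VLAN and trunks that still carry it. The function names, the constructed sample configuration, and the defaults of access VLAN 1 and all VLANs allowed on a trunk are assumptions; allowed-VLAN keywords such as none, add and remove are not parsed.

```python
import re

# Constructed running-config excerpt (not output from a real switch).
SAMPLE = """\
interface Ethernet9
   shutdown
   switchport access vlan 999
!
interface Ethernet10
   switchport trunk native vlan 1000
   switchport trunk allowed vlan 2-998,1001-4094
   switchport mode trunk
!
interface Ethernet11
   shutdown
   switchport access vlan 20
!
interface Ethernet12
   switchport trunk allowed vlan 2-1000
   switchport mode trunk
!
"""

def expand(vlan_list):
    """Expand a list such as '2-998,1001-4094' into a set of VLAN IDs."""
    ids = set()
    for part in vlan_list.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(config, unused_vlan=999):
    """Return (interface, problem) pairs for ports that miss Step 1 or Step 2."""
    findings = []
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n)*)", config, re.M):
        lines = [line.strip() for line in body.splitlines()]
        access = re.search(r"switchport access vlan (\d+)", body)
        allowed = re.search(r"switchport trunk allowed vlan ([\d,\- ]+)", body)
        if "switchport mode trunk" in lines:
            # Assumption: a trunk without an explicit list carries VLANs 1-4094.
            vlans = expand(allowed.group(1)) if allowed else set(range(1, 4095))
            if unused_vlan in vlans:
                findings.append((name, "trunk allows unused VLAN"))
        elif "shutdown" in lines:
            # Assumption: a port without an explicit access VLAN is in VLAN 1.
            if (int(access.group(1)) if access else 1) != unused_vlan:
                findings.append((name, "shutdown port not in unused VLAN"))
    return findings

print(audit(SAMPLE))
```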