Information
If the local autonomous system (AS) accepts route advertisements for bogon prefixes, it will in turn advertise those prefixes to neighboring autonomous systems and can become a transit for malicious traffic.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Step 1: Configure the BGP Bogon Prefix List.
LEAF-1A(config)#ip prefix-list BOGON_v4
LEAF-1A(config-ip-pfx)#seq 1 deny 0.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 2 deny 10.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 3 deny 100.64.0.0/10 le 32
LEAF-1A(config-ip-pfx)#seq 4 deny 127.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 5 deny 169.254.0.0/16 le 32
LEAF-1A(config-ip-pfx)#seq 6 deny 172.16.0.0/12 le 32
LEAF-1A(config-ip-pfx)#seq 100 permit 0.0.0.0/0 ge 8
Step 2: Configure the prefix list inbound to the appropriate BGP neighbor.
LEAF-1A(config)#router bgp 65001
LEAF-1A(config-router-bgp)#neighbor 100.2.1.1 prefix-list BOGON_v4 in
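To check what the Step 1 list accepts before applying it to a neighbor, the following added example (not part of the benchmark or of Arista's tooling) evaluates BOGON_v4 against a few constructed route advertisements. It assumes standard prefix-list semantics: entries are tried in sequence order, the first match wins, and a route that matches no entry is denied. The function names and sample routes are hypothetical.

```python
import ipaddress

# Prefix list from Step 1, transcribed as (seq, action, prefix, ge, le).
BOGON_V4 = [
    (1, "deny", "0.0.0.0/8", None, 32),
    (2, "deny", "10.0.0.0/8", None, 32),
    (3, "deny", "100.64.0.0/10", None, 32),
    (4, "deny", "127.0.0.0/8", None, 32),
    (5, "deny", "169.254.0.0/16", None, 32),
    (6, "deny", "172.16.0.0/12", None, 32),
    (100, "permit", "0.0.0.0/0", 8, None),
]


def entry_matches(route, prefix, ge, le):
    """True if the advertised route falls under this prefix-list entry."""
    net = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        lo = hi = net.prefixlen            # no ge/le: exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32  # ge without le runs to /32
    return lo <= route.prefixlen <= hi and route.subnet_of(net)


def evaluate(route_text, prefix_list=BOGON_V4):
    """Return (action, seq) of the first matching entry, lowest seq first."""
    route = ipaddress.ip_network(route_text)
    for seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return action, seq
    return "deny", None                    # assumption: implicit deny at end


# Constructed sample advertisements, not taken from a real BGP session.
SAMPLE_ROUTES = ["10.20.0.0/16", "100.64.1.0/24", "172.20.5.0/24",
                 "172.32.0.0/16", "11.0.0.0/8", "0.0.0.0/0"]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        action, seq = evaluate(r)
        print(f"{r:18} {action:6} seq={seq}")
```

Because seq 100 permits only prefix lengths of /8 and longer, a default route (0.0.0.0/0) matches no entry and is dropped by the implicit deny, which matters if the neighbor is expected to send one.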