The Arista MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-255995 | SRG-NET-000018-RTR-000009 | ARST-RT-000090 | SV-255995r882327_rule | 2025-02-20 | 2 |
| Description |
|---|
| To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer. |
| ℹ️ Check |
|---|
| To verify the MSDP peer and the sa-limit filter is configured, execute the command "show run | sec router msdp". router msdp peer 10.1.12.2 sa-limit 500 peer 10.1.55.78 sa-limit 900 If the Arista router is not configured with a peer limit, this is a finding. |
| ✔️ Fix |
|---|
| Configure the Arista MSDP router to limit the amount of source-active messages it accepts from each peer. ! router (config) #router msdp router (config-router-msdp) #peer 10.1.1.5 router (config-router-msdp-peer 10.1.1.5) # sa-limit 500 router (config-router-msdp) #peer 10.1.55.78 router (config-router-msdp-peer 10.1.55.78) # sa-limit 900 router (config-router-msdp-peer 10.1.55.78) # exit |