The Arista MLS layer 2 switch must have IGMP or MLD Snooping configured on all VLANs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-255976	ARST-L2-000130	SV-255976r882270_rule		Low

Description
IGMP and MLD snooping provides a way to constrain multicast traffic at Layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up Layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts interested in receiving the traffic, thereby significantly reducing the volume of multicast traffic that would otherwise flood the VLAN.

Description

IGMP and MLD snooping provides a way to constrain multicast traffic at Layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up Layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts interested in receiving the traffic, thereby significantly reducing the volume of multicast traffic that would otherwise flood the VLAN.

STIG	Date
Arista MLS EOS 4.2x L2S Security Technical Implementation Guide	2023-01-11

Details

Check Text ( C-59652r882268_chk )
Review the Arista MLS switch configuration to verify that IGMP or MLD snooping has been configured. Determine which snooping feature is used. For IGMP: Verify the PIM that also enables IGMP on an Arista MLS switch VLAN interface by using the "sh run interface vlan8" command: switch(config)#sh run int vlan8 interface VLAN8 ip igmp pim ipv4 sparse-mode switch(config)#exit For MLD: Verify the Arista MLS switch is configured for MLD snooping on an interface for version 1 and 2. Version 2 is the default MLD version. switch#sh run \| section mld mld snooping vlan 200 If the Arista switch is not configured to implement IGMP or MLD snooping for each VLAN, this is a finding.

Check Text ( C-59652r882268_chk )

Review the Arista MLS switch configuration to verify that IGMP or MLD snooping has been configured.

Determine which snooping feature is used.

For IGMP:
Verify the PIM that also enables IGMP on an Arista MLS switch VLAN interface by using the "sh run interface vlan8" command:

switch(config)#sh run int vlan8
interface VLAN8
ip igmp
pim ipv4 sparse-mode
switch(config)#exit

For MLD:
Verify the Arista MLS switch is configured for MLD snooping on an interface for version 1 and 2. Version 2 is the default MLD version.

switch#sh run | section mld
mld snooping
vlan 200

If the Arista switch is not configured to implement IGMP or MLD snooping for each VLAN, this is a finding.

Fix Text (F-59595r882269_fix)
Configure the Arista MLS switch for IGMP snooping for IPv4 and IPv6 multicast traffic for each VLAN. Configure the Arista MLS switch for IP PIM, which also enables IGMP on an Arista MLS switch VLAN or interface, by using the following command: switch(config)#int vlan8 ip igmp pim ipv4 sparse-mode pim ipv6 sparse-mode switch(config)#exit ! Arista MLS switch alternative configuration for MLD snooping on an interface for version 1 and 2. Version 2 is the default MLD version. switch(config)# mld snooping switch(config-mld-snooping)# vlan 200 !

Fix Text (F-59595r882269_fix)

Configure the Arista MLS switch for IGMP snooping for IPv4 and IPv6 multicast traffic for each VLAN.

Configure the Arista MLS switch for IP PIM, which also enables IGMP on an Arista MLS switch VLAN or interface, by using the following command:

switch(config)#int vlan8
ip igmp
pim ipv4 sparse-mode
pim ipv6 sparse-mode
switch(config)#exit
!

Arista MLS switch alternative configuration for MLD snooping on an interface for version 1 and 2. Version 2 is the default MLD version.

switch(config)# mld snooping
switch(config-mld-snooping)# vlan 200
!