
The Arista MLS layer 2 switch must not use the default VLAN for management traffic.


Overview

Finding ID: V-255983
Version: ARST-L2-000200
Rule ID: SV-255983r882291_rule
IA Controls: (none listed)
Severity: Medium
Description
Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
STIG: Arista MLS EOS 4.2x L2S Security Technical Implementation Guide
Date: 2023-01-11

Details

Check Text (C-59659r882289_chk)
Verify the Arista MLS configuration for a Management_Network VRF instance globally on the switch with the following example:

switch(config)#sh run | sec vrf
ip name-server vrf default 192.168.10.20
!
vrf instance Management_Network
!
interface Ethernet12
description MANAGEMENT NETWORK PORT
no switchport
vrf Management_Network
ip address 10.10.40.254/30
!
ip routing vrf Management_Network

If the VRF is not configured to prevent the default VLAN from being used to access the switch, this is a finding.
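To automate the check above, here is an added Python example (not part of the STIG or of any Arista tooling) that parses `show running-config` text and reports why a switch would be a finding. The VRF name Management_Network follows the check text; both sample configurations are constructed, and the final test, which treats an IP address on the Vlan1 SVI as management access over the default VLAN, is an assumption drawn from the description.

```python
import re

# Constructed `show running-config` sample modelled on the check text above.
COMPLIANT_CONFIG = """\
vrf instance Management_Network
!
interface Ethernet12
   no switchport
   vrf Management_Network
   ip address 10.10.40.254/30
!
ip routing vrf Management_Network
"""

# Constructed non-compliant sample: management address on the default VLAN SVI.
NONCOMPLIANT_CONFIG = """\
interface Vlan1
   ip address 10.10.40.254/30
"""

def parse_interfaces(config):
    # Map each 'interface X' stanza to its indented configuration lines.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def check_management_vrf(config, vrf_name="Management_Network"):
    # Return (compliant, findings) for the management-VRF check.
    findings = []
    interfaces = parse_interfaces(config)
    if not re.search(rf"^vrf instance {re.escape(vrf_name)}$", config, re.M):
        findings.append(f"no 'vrf instance {vrf_name}' defined")
    bound = [n for n, lines in interfaces.items() if f"vrf {vrf_name}" in lines]
    if not bound:
        findings.append(f"no interface bound to vrf {vrf_name}")
    for name in bound:
        if not any(ln.startswith("ip address ") for ln in interfaces[name]):
            findings.append(f"{name} is in {vrf_name} but has no IP address")
    if not re.search(rf"^ip routing vrf {re.escape(vrf_name)}$", config, re.M):
        findings.append(f"'ip routing vrf {vrf_name}' is missing")
    if any(ln.startswith("ip address ") for ln in interfaces.get("Vlan1", [])):
        findings.append("default VLAN (Vlan1) carries a management IP address")
    return (not findings, findings)
```

Feed it the output of `show running-config` saved from the switch; an empty findings list means the VRF check passes.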
Fix Text (F-59602r882290_fix)
Step 1: Create a VRF instance on the Arista MLS switch for management network access using the following commands:

switch(config)#vrf instance Management_Network
switch(config-vrf-Management_Network)#exit

Step 2: Configure the Ethernet port for VRF Management_Network and IP address for the management network traffic:

switch(config)#interface Ethernet12
switch(config-if-Et12)#vrf Management_Network
switch(config-if-Et12)#ip address 10.10.40.254/30
switch(config-if-Et12)#exit