The Arista MLS layer 2 switch must not use the default VLAN for management traffic.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-255983 | ARST-L2-000200 | SV-255983r991777_rule | CCI-004931 | medium |

Description
Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.

| STIG | Date |
|---|---|
| Arista MLS EOS 4.X L2S Security Technical Implementation Guide | 2025-05-19 |
Details
Check Text (C-255983r991777_chk)
Verify that the Arista MLS configuration defines a Management_Network VRF instance globally on the switch and assigns the management interface to it, as in the following example:
switch(config)#sh run | sec vrf
ip name-server vrf default 192.168.10.20
!
vrf instance Management_Network
!
interface Ethernet12
   description MANAGEMENT NETWORK PORT
   no switchport
   vrf Management_Network
   ip address 10.10.40.254/30
!
ip routing vrf Management_Network
If the VRF is not configured to prevent the default VLAN from being used to access the switch, this is a finding.
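As an added example that is not part of the STIG, the following Python script performs this check offline against a saved `show running-config`: it parses EOS configuration blocks, confirms that the Management_Network VRF instance exists and has an interface assigned to it, and flags an IP address under `interface Vlan1`, which is assumed here to indicate in-band management over the default VLAN. Both sample configurations are constructed.

```python
"""Offline audit of an Arista EOS running-config for ARST-L2-000200
(management traffic must not use the default VLAN). Added example,
not part of the STIG; sample configurations are constructed."""

# Constructed sample that mirrors the compliant output in the Check Text.
COMPLIANT = """\
ip name-server vrf default 192.168.10.20
!
vrf instance Management_Network
!
interface Ethernet12
   description MANAGEMENT NETWORK PORT
   no switchport
   vrf Management_Network
   ip address 10.10.40.254/30
!
ip routing vrf Management_Network
"""

# Constructed sample: in-band management on VLAN 1 and no management VRF.
NONCOMPLIANT = """\
interface Vlan1
   ip address 10.10.40.254/30
!
management ssh
"""


def parse_blocks(config):
    """Group an EOS running-config into {block header: [child lines]}.
    EOS indents a block's children (three spaces); '!' ends a block."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            header = None
            continue
        if raw[0].isspace() and header is not None:
            blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks.setdefault(header, [])
    return blocks


def audit_management_vrf(config, vrf="Management_Network"):
    """Return (is_finding, details) for the ARST-L2-000200 check."""
    blocks = parse_blocks(config)
    vrf_defined = f"vrf instance {vrf}" in blocks
    mgmt_ifaces = [h.split(None, 1)[1] for h, body in blocks.items()
                   if h.startswith("interface ") and f"vrf {vrf}" in body]
    # An IP address under interface Vlan1 means the switch is reachable
    # in-band over the default VLAN, which this rule forbids.
    vlan1_ip = any(l.startswith("ip address")
                   for l in blocks.get("interface Vlan1", []))
    finding = (not vrf_defined) or (not mgmt_ifaces) or vlan1_ip
    return finding, {"vrf_defined": vrf_defined,
                     "management_interfaces": mgmt_ifaces,
                     "vlan1_has_ip": vlan1_ip}
```

Run it against a configuration exported with `show running-config`; a returned `is_finding` of True corresponds to the finding condition stated above.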
Fix Text (F-59602r882290_fix)
Step 1: Configure a VRF instance on the Arista MLS switch for management network access by using the following commands:
switch(config)#vrf instance Management_Network
switch(config-vrf-Management_Network)#exit
Step 2: Configure the Ethernet port as a routed port in VRF Management_Network and assign the IP address for the management network traffic (the interface shown matches the Check Text example):
switch(config)#interface Ethernet12
switch(config-if-Et12)#no switchport
switch(config-if-Et12)#vrf Management_Network
switch(config-if-Et12)#ip address 10.10.40.254/30
switch(config-if-Et12)#exit