Rule ID
SV-255983r882291_rule
Version
V1R1
CCIs
Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
Verify the Arista MLS configuration for a Management_Network VRF instance globally on the switch with the following example: switch(config)#sh run | sec vrf ip name-server vrf default 192.168.10.20 ! vrf instance Management_Network ! interface Ethernet12 description MANAGEMENT NETWORK PORT no switchport vrf Management_Network ip address 10.10.40.254/30 ! ip routing vrf Management_Network If the VRF is not configured to prevent the default VLAN from being used to access the switch, this is a finding.
Step 1: Configure the Arista MLS switch for a VRF instance for Management Network access by using the following commands: switch(config)#vrf instance Management_Network switch(config-vrf-Management_Network)#exit Step 2: Configure the Ethernet port for VRF Management_Network and IP address for the management network traffic: switch(config-if-Et12)#vrf Management_Network switch(config-if-Et12)#ip address 10.10.40.254/30 switch(config-if-Et12)#exit