ARST-RT-000080 - The Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

Information

To avoid global visibility of local information, a number of source-group (S, G) states in a PIM-SM domain must not be leaked to another domain, such as multicast sources with private addresses, administratively scoped multicast groups, and the Auto-RP groups (224.0.1.39 and 224.0.1.40).

Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Step 1: Configure the Arista router so that an export policy is implemented on all MSDP routers, to avoid global visibility of local multicast (S, G) states.

router msdp
   peer 10.1.12.2
      sa-filter in PIM_NEIGHBOR_SA_FILTER

Step 2: Configure the source active access-list.

ip access-list PIM_NEIGHBOR_SA_FILTER
   10 deny ip any 224.1.1.0/24
   20 deny ip any 224.1.2.0/24
   30 deny ip any 224.1.3.0/24
   40 deny ip any 224.1.4.0/24
   100 permit ip any any
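The following is an added example of how an auditor could check a saved EOS running-config for the state described in Steps 1 and 2; it is not Tenable's audit logic and not Arista code. It assumes the EOS syntax shown above (router msdp / peer / sa-filter in|out <acl>, and ip access-list entries of the form <seq> deny|permit ip <src> <dst>) and uses a constructed config excerpt that adds a second, unfiltered peer to the page's sample. Note that the page's configuration applies the filter inbound (sa-filter in), while the check title speaks of advertisements sent to external peers, which on EOS would be sa-filter out; the audit therefore takes the direction to review as a parameter. It also evaluates a candidate (S, G) against the ACL so you can confirm which source-active entries the filter would actually drop.

```python
"""Audit an Arista EOS running-config excerpt for MSDP source-active filtering.

Added example, not the STIG's or Arista's own tooling. The config below is
constructed for this example (the page's sample plus one unfiltered peer).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
router msdp
   peer 10.1.12.2
      sa-filter in PIM_NEIGHBOR_SA_FILTER
   peer 10.1.13.2
!
ip access-list PIM_NEIGHBOR_SA_FILTER
   10 deny ip any 224.1.1.0/24
   20 deny ip any 224.1.2.0/24
   30 deny ip any 224.1.3.0/24
   40 deny ip any 224.1.4.0/24
   100 permit ip any any
!
"""

AclEntry = Tuple[int, str, str, str]  # (sequence, action, source spec, group spec)


def parse_msdp_peers(config: str) -> Dict[str, Dict[str, str]]:
    """Return {peer_ip: {"in"|"out": acl_name}} from the 'router msdp' block."""
    peers: Dict[str, Dict[str, str]] = {}
    in_msdp = False
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command (or '!') ends any block
            in_msdp = line == "router msdp"
            current = None
            continue
        if not in_msdp:
            continue
        m = re.match(r"peer (\S+)$", line)
        if m:
            current = m.group(1)
            peers.setdefault(current, {})
            continue
        m = re.match(r"sa-filter (in|out) (\S+)$", line)
        if m and current:
            peers[current][m.group(1)] = m.group(2)
    return peers


def parse_access_lists(config: str) -> Dict[str, List[AclEntry]]:
    """Return {acl_name: [entries sorted by sequence]} for every 'ip access-list'."""
    acls: Dict[str, List[AclEntry]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            m = re.match(r"ip access-list (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                acls.setdefault(current, [])
            continue
        m = re.match(r"(\d+) (deny|permit) ip (\S+) (\S+)$", line)
        if m and current:
            acls[current].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    for entries in acls.values():
        entries.sort(key=lambda e: e[0])
    return acls


def _matches(spec: str, addr: str) -> bool:
    """ACL address spec is 'any', a host address, or a CIDR prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def sa_permitted(acl: List[AclEntry], source: str, group: str) -> bool:
    """Evaluate an (S, G) source-active entry: first match wins, implicit deny at the end."""
    for _seq, action, src, dst in acl:
        if _matches(src, source) and _matches(dst, group):
            return action == "permit"
    return False


def audit(config: str, direction: str = "in") -> List[str]:
    """Return findings; an empty list means every MSDP peer filters SAs in `direction`."""
    peers = parse_msdp_peers(config)
    acls = parse_access_lists(config)
    if not peers:
        return ["no MSDP peers configured"]
    findings: List[str] = []
    for peer, filters in sorted(peers.items()):
        acl_name = filters.get(direction)
        if acl_name is None:
            findings.append(f"peer {peer}: no sa-filter {direction} configured")
            continue
        acl = acls.get(acl_name)
        if acl is None:
            findings.append(f"peer {peer}: sa-filter {direction} references undefined ACL {acl_name}")
        elif not any(action == "deny" for _, action, _, _ in acl):
            findings.append(f"peer {peer}: ACL {acl_name} contains no deny entries")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "in") or ["compliant"]:
        print(finding)
```

Running the block as a script reports the unfiltered second peer; calling audit(SAMPLE_CONFIG, "out") instead reports both peers, which is the result to expect if the reviewer treats the control as an outbound export policy. The sa_permitted helper shows that an SA for group 224.1.2.7 is dropped by sequence 20 while a group outside the denied ranges falls through to the permit any any entry.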

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001368, Rule-ID|SV-255994r882324_rule, STIG-ID|ARST-RT-000080, Vuln-ID|V-255994

Plugin: Arista

Control ID: cbc97fa79fc1a87de98831abd4cd2bc45ef387d5139fbdd395cb17cf96889cf1