ARST-RT-000140 - The Arista multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

Information

If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.

Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic.

Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Step 1: Configure the Arista router ACL to deny packets with multicast administratively scoped destination addresses.

router(config)#ip access-list standard mbac1
router(config-std-acl-mbac1)#10 deny 239.120.10.0/24
router(config-std-acl-mbac1)#20 permit 224.0.0.0/4
router(config-std-acl-mbac1)#exit

Step 2: Apply the multicast boundary at the appropriate interfaces.

router(config)#interface vlan 200
router(config-if-Vl200)#multicast ipv4 boundary mbac1 out
router(config-if-Vl200)#exit

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001414, Rule-ID|SV-256000r882342_rule, STIG-ID|ARST-RT-000140, Vuln-ID|V-256000

Plugin: Arista

Control ID: 1e92e6583427cc064e85be31cc0ac125ed9f7566b19439d80a9483b0d54e85d7