Detections
Analytics
CISC-RT-000920 - The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
Information
The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees.MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources.
When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains.
Configuring an import policy to block multicast advertisements for reserved, Martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.
Solution
Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below.RP/0/0/CPU0:R2(config)#ipv4 access-list INBOUND_MSDP_SA_FILTER
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any host 224.0.1.3
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.22
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.2
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.35
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.60
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.39
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.40
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any 232.0.0.0 0.255.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any 239.0.0.0 0.255.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 10.0.0.0 0.255.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 127.0.0.0 0.255.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 172.16.0.0 0.15.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 192.168.0.0 0.0.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#permit ipv4 any any
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
RP/0/0/CPU0:R2(config)#router msdp
RP/0/0/CPU0:R2(config-msdp)#sa-filter in list INBOUND_MSDP_SA_FILTER
RP/0/0/CPU0:R2(config-msdp)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y24M07_STIG.zip
Item Details
Audit Name: DISA STIG Cisco IOS-XR Router RTR v3r1
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|III, CCI|CCI-001368, Rule-ID|SV-216820r531087_rule, STIG-ID|CISC-RT-000920, STIG-Legacy|SV-105985, STIG-Legacy|V-96847, Vuln-ID|V-216820
Plugin: Cisco
Control ID: 1f352aec599400fe62b8cedf84960720643a7996f2fdfe83849c1c60fe0fd303