CISC-RT-000920 - The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.

Information

The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees.

MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources.

When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains.

Configuring an import policy to block multicast advertisements for reserved, Martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.

Solution

Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below.

RP/0/0/CPU0:R2(config)#ipv4 access-list INBOUND_MSDP_SA_FILTER
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any host 224.0.1.3
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.22
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.2
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.35
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.60
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.39
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.40
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any 232.0.0.0 0.255.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any 239.0.0.0 0.255.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 10.0.0.0 0.255.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 127.0.0.0 0.255.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 172.16.0.0 0.15.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 192.168.0.0 0.0.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#permit ipv4 any any
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
RP/0/0/CPU0:R2(config)#router msdp
RP/0/0/CPU0:R2(config-msdp)#sa-filter in list INBOUND_MSDP_SA_FILTER
RP/0/0/CPU0:R2(config-msdp)#end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001368, Rule-ID|SV-216820r531087_rule, STIG-ID|CISC-RT-000920, STIG-Legacy|SV-105985, STIG-Legacy|V-96847, Vuln-ID|V-216820

Plugin: Cisco

Control ID: 1f352aec599400fe62b8cedf84960720643a7996f2fdfe83849c1c60fe0fd303