CISC-RT-000810 - The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic.

Information

If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.

Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic.

Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.

Solution

Step 1: Configure an ingress and egress ACL to block administratively scoped multicast traffic.

SW1(config)# ip access-list FILTER_TRAFFIC_IN
SW1(config-acl)# deny 239.0.0.0/8
SW1(config-acl)# permit tcp any any established
SW1(config-acl)# ...
SW1(config-acl)# deny ip any any log
SW1(config-acl)# exit
SW1(config)# ip access-list FILTER_TRAFFIC_OUT
SW1(config-acl)# deny 239.0.0.0/8
SW1(config-acl)# ...
SW1(config-acl)# permit ip any any
SW1(config-acl)# exit

Step 2: Apply the ingress and egress ACL to the applicable interfaces.

SW1(config)# int e2/1
SW1(config-if)# ip access-group FILTER_TRAFFIC_IN in
SW1(config-if)# ip access-group FILTER_TRAFFIC_OUT out
SW1(config-if)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001414, Rule-ID|SV-221134r999743_rule, STIG-ID|CISC-RT-000810, STIG-Legacy|SV-111087, STIG-Legacy|V-101983, Vuln-ID|V-221134

Plugin: Cisco

Control ID: 6a58d5fd09f251983fad2a87bc207648c25da029daf6f59c6866e5699664cf2d