Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-101833 | CISC-RT-000840 | SV-110937r1_rule | Low |
Description |
---|
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups. |
STIG | Date |
---|---|
Cisco IOS-XE Switch RTR Security Technical Implementation Guide | 2020-05-20 |
Check Text ( C-100721r1_chk ) |
---|
Verify that the RP is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed. ip pim rp-address 10.2.2.2 ip pim accept-rp 10.2.2.2 FILTER_PIM_JOINS … … … ip access-list standard FILTER_PIM_JOINS deny 239.8.0.0 0.0.255.255 permit any ! If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding. |
Fix Text (F-107517r1_fix) |
---|
Configure the RP to filter PIM join messages for any undesirable multicast groups as shown in the example below: SW2(config)#ip access-list standard PIM_JOIN_FILTER SW2(config-std-nacl)#deny 239.8.0.0 0.0.255.255 SW2(config-std-nacl)#permit any SW2(config-std-nacl)#exit SW2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER SW2(config)#end |