Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-253963 | JUEX-L2-000160 | SV-253963r843922_rule | | Low |
Description |
---|
IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts interested in receiving the traffic, thereby significantly reducing the volume of multicast traffic that would otherwise flood the VLAN. |
STIG | Date |
---|---|
Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide | 2022-08-31 |
Check Text (C-57415r843920_chk) |
---|

Review the switch configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively.

Verify IGMP and MLD snooping is globally configured for all VLANs:

```
[edit protocols]
igmp-snooping {
    vlan all {
        immediate-leave;
        interface <interface-name> {
            multicast-router-interface;
        }
    }
}
mld-snooping {
    vlan all {
        immediate-leave;
        interface <interface-name> {
            multicast-router-interface;
        }
    }
}
```

For VLAN-specific values, verify IGMP and MLD snooping is configured for each VLAN:

```
[edit protocols]
igmp-snooping {
    vlan <vlan-name> {
        immediate-leave;
        interface <interface-name> {
            multicast-router-interface;
        }
        interface <interface-name> {
            host-only-interface;
        }
    }
}
mld-snooping {
    vlan <vlan-name> {
        immediate-leave;
        interface <interface-name> {
            multicast-router-interface;
        }
        interface <interface-name> {
            host-only-interface;
        }
    }
}
```

If the switch is not configured to implement IGMP or MLD snooping for each VLAN, this is a finding.
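As an added example that is not part of the STIG text, the following Python script applies this check to a Junos configuration exported with `show configuration | display set`: it lists every VLAN defined under `set vlans`, reports whether IGMP and MLD snooping cover it through a `vlan all` stanza or a VLAN-specific stanza, and returns the VLANs that would be a finding. The sample configuration, VLAN names and interface name are constructed for illustration; the `immediate-leave` advisory assumes that a VLAN-specific stanza, where present, is the effective one rather than `vlan all`.

```python
"""Audit a Junos 'display set' configuration for IGMP/MLD snooping coverage per VLAN.

Added example for the check above; not part of the STIG. The configuration
below is constructed, not taken from a real switch.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `show configuration | display set` output.
SAMPLE_CONFIG = """\
set vlans users vlan-id 10
set vlans voice vlan-id 20
set vlans mgmt vlan-id 99
set protocols igmp-snooping vlan all immediate-leave
set protocols igmp-snooping vlan all interface ge-0/0/47.0 multicast-router-interface
set protocols mld-snooping vlan users immediate-leave
set protocols mld-snooping vlan users interface ge-0/0/47.0 multicast-router-interface
set protocols mld-snooping vlan voice interface ge-0/0/47.0 multicast-router-interface
"""

PROTOCOLS = ("igmp-snooping", "mld-snooping")
VLAN_DEF = re.compile(r"^set vlans (\S+)")
SNOOP_STMT = re.compile(r"^set protocols (igmp-snooping|mld-snooping) vlan (\S+)(?:\s+(\S+).*)?$")


def parse_config(text: str) -> Tuple[Set[str], Dict[str, Dict[str, Set[str]]]]:
    """Collect defined VLAN names and, per protocol and VLAN stanza, the statement keywords used."""
    vlans: Set[str] = set()
    stanzas: Dict[str, Dict[str, Set[str]]] = {p: {} for p in PROTOCOLS}
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_DEF.match(line)
        if m:
            vlans.add(m.group(1))
            continue
        m = SNOOP_STMT.match(line)
        if m:
            proto, vlan, keyword = m.group(1), m.group(2), m.group(3) or ""
            stanzas[proto].setdefault(vlan, set()).add(keyword)
    return vlans, stanzas


def audit(text: str) -> Dict[str, Dict[str, str]]:
    """Return {vlan: {protocol: 'explicit' | 'global' | 'MISSING'}} for every defined VLAN."""
    vlans, stanzas = parse_config(text)
    report: Dict[str, Dict[str, str]] = {}
    for vlan in sorted(vlans):
        report[vlan] = {}
        for proto in PROTOCOLS:
            if vlan in stanzas[proto]:
                report[vlan][proto] = "explicit"   # VLAN-specific stanza present
            elif "all" in stanzas[proto]:
                report[vlan][proto] = "global"     # covered by 'vlan all'
            else:
                report[vlan][proto] = "MISSING"    # neither: this is the finding
    return report


def findings(text: str) -> List[str]:
    """VLANs with no IGMP or MLD snooping at all: the STIG finding condition."""
    return [f"{vlan}: {proto} not configured"
            for vlan, protos in audit(text).items()
            for proto, status in protos.items() if status == "MISSING"]


def missing_immediate_leave(text: str) -> List[Tuple[str, str]]:
    """Advisory: stanzas that cover a VLAN but omit immediate-leave.

    Assumption (not stated in the STIG): a VLAN-specific stanza is the effective
    one when it exists, otherwise the 'vlan all' stanza applies.
    """
    vlans, stanzas = parse_config(text)
    out: List[Tuple[str, str]] = []
    for vlan in sorted(vlans):
        for proto in PROTOCOLS:
            effective = stanzas[proto].get(vlan, stanzas[proto].get("all"))
            if effective is not None and "immediate-leave" not in effective:
                out.append((vlan, proto))
    return out


if __name__ == "__main__":
    for vlan, protos in audit(SAMPLE_CONFIG).items():
        print(f"{vlan:8s} " + "  ".join(f"{p}={s}" for p, s in protos.items()))
    for f in findings(SAMPLE_CONFIG):
        print("FINDING:", f)
    for vlan, proto in missing_immediate_leave(SAMPLE_CONFIG):
        print(f"ADVISORY: {vlan} {proto} stanza lacks immediate-leave")
```

Run against the constructed sample, `findings()` reports only the `mgmt` VLAN, which has IGMP snooping through `vlan all` but no MLD snooping stanza at all; `voice` is covered for MLD but its VLAN-specific stanza lacks `immediate-leave`, which the script surfaces as an advisory rather than a finding because the STIG's finding condition is the absence of snooping itself.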
Fix Text (F-57366r843921_fix) |
---|

Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VLAN.

Global:

```
set protocols igmp-snooping vlan all immediate-leave
set protocols igmp-snooping vlan all interface <interface-name> multicast-router-interface
set protocols mld-snooping vlan all immediate-leave
set protocols mld-snooping vlan all interface <interface-name> multicast-router-interface
```

Per VLAN:

```
set protocols igmp-snooping vlan <vlan-name> immediate-leave
set protocols igmp-snooping vlan <vlan-name> interface <interface-name> multicast-router-interface
set protocols igmp-snooping vlan <vlan-name> interface <interface-name> host-only-interface
set protocols mld-snooping vlan <vlan-name> immediate-leave
set protocols mld-snooping vlan <vlan-name> interface <interface-name> multicast-router-interface
set protocols mld-snooping vlan <vlan-name> interface <interface-name> host-only-interface
```