The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to limit the amount of source-active (SA) messages it accepts on per-peer basis.

Overview

Finding ID: V-272067
Version: CACI-RT-000007
Rule ID: SV-272067r1113973_rule
IA Controls: CCI-001368
Severity: low
Description
To reduce the risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active (SA) messages it accepts from each peer. To limit the number of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command on the switch, specifying the maximum number of SA messages allowed per peer. This acts as a per-peer cap and prevents a single peer from overwhelming the device with multicast source information.
STIG: Cisco ACI Router Security Technical Implementation Guide
Date: 2025-06-18

Details

Check Text (C-272067r1113973_chk)

If the ACI implementation does not use MSDP, this is not applicable.

Review the switch configuration to determine if it is configured to limit the number of source-active messages it accepts on a per-peer basis:

show ip msdp

If the ACI is not configured to limit the source-active messages it accepts, this is a finding.

Fix Text (F-76024r1063597_fix)

To limit the number of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command, specifying the maximum number of SA messages allowed per peer. The following is an example:

api1(config)# ip msdp sa-limit 10.1.1.1 MSDP_SA_FILTER
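The check and fix above can be automated against a saved running configuration: for every MSDP peer the switch defines, confirm that a matching "ip msdp sa-limit" line with a numeric count exists. The script below is an added example, not part of the STIG text or any Cisco tooling. It assumes NX-OS-style configuration lines ("ip msdp peer <address> ..." and "ip msdp sa-limit <address> <count>"), which is an assumption about the syntax, and the sample configuration it parses is constructed for illustration.

```python
"""Compliance check for CACI-RT-000007: every MSDP peer needs an SA limit.

Added example, not part of the STIG or of Cisco's own tooling. The parsing
assumes NX-OS-style lines:
    ip msdp peer <address> connect-source <interface>
    ip msdp sa-limit <address> <count>
The sample configuration below is constructed, not taken from a real device.
"""
import re
from typing import Dict, List, Optional

# Assumed config-line syntax (see module docstring).
PEER_RE = re.compile(r"^\s*ip msdp peer (\S+)")
LIMIT_RE = re.compile(r"^\s*ip msdp sa-limit (\S+)\s+(\d+)\s*$")

# Constructed sample: peer 10.1.1.2 has no SA limit, the other two do.
SAMPLE_CONFIG = """\
! constructed sample running-config excerpt
feature msdp
ip msdp originator-id loopback0
ip msdp peer 10.1.1.1 connect-source loopback0
ip msdp sa-limit 10.1.1.1 500
ip msdp peer 10.1.1.2 connect-source loopback0
ip msdp peer 10.1.1.3 connect-source loopback0
ip msdp sa-limit 10.1.1.3 500
"""


def parse_msdp(config: str) -> Dict[str, Optional[int]]:
    """Map each configured MSDP peer to its SA limit (None if not limited).

    A sa-limit line whose peer is never defined is ignored: it protects
    nothing, so it must not count as coverage for another peer.
    """
    peers: Dict[str, Optional[int]] = {}
    limits: Dict[str, int] = {}
    for line in config.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.setdefault(m.group(1), None)
            continue
        m = LIMIT_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    for addr in peers:
        peers[addr] = limits.get(addr)
    return peers


def evaluate(config: str) -> dict:
    """Return the STIG verdict for the supplied configuration text.

    status is "not_applicable" when no MSDP peer is defined (the check text
    says the rule does not apply without MSDP), "finding" when at least one
    peer lacks an SA limit, and "compliant" otherwise.
    """
    peers = parse_msdp(config)
    if not peers:
        return {"status": "not_applicable", "unlimited_peers": [], "limits": {}}
    unlimited = sorted(addr for addr, limit in peers.items() if limit is None)
    status = "finding" if unlimited else "compliant"
    return {"status": status, "unlimited_peers": unlimited, "limits": peers}


def remediation_lines(config: str, count: int) -> List[str]:
    """Produce the 'ip msdp sa-limit' lines that would close the finding.

    'count' is the per-peer maximum chosen by the operator; the STIG does
    not prescribe a value, so none is hard-coded here.
    """
    result = evaluate(config)
    return [f"ip msdp sa-limit {addr} {count}" for addr in result["unlimited_peers"]]


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_CONFIG)
    print("status:", verdict["status"])
    for addr, limit in verdict["limits"].items():
        print(f"  peer {addr}: sa-limit {'none' if limit is None else limit}")
    for line in remediation_lines(SAMPLE_CONFIG, 500):
        print("fix:", line)
```

Feed it the output of "show running-config" saved to a file; a peer reported with no limit is the finding described in the check text, and the remediation lines are the fix text's command with the operator's chosen count filled in.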