The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-272092 | CACI-RT-000032 | SV-272092r1168163_rule | CCI-002385 | medium |
Description

Limiting mroute states helps prevent excessive multicast traffic flooding on the network by controlling the number of multicast groups a segment can join. By limiting multicast routes, the APIC can better manage its internal resources and prevent potential performance issues due to excessive multicast traffic. Depending on the ACI configuration, a global IGMP state limit can be set that applies across all interfaces, or it may be necessary to configure limits on individual interfaces.
| STIG | Date |
|---|---|
| Cisco ACI Router Security Technical Implementation Guide | 2025-12-11 |
Details
Check Text (C-272092r1168163_chk)
Review the relevant BD configuration. Verify it is configured to limit the number of multicast routes (mroute states) generated by IGMP or MLD reports.
Tenants >> {{your_Tenant}} >> Networking >> Bridge Domain >> {{your_Bridge_Domain}} >> Policy >> General >> IGMP Policy >> set the Maximum Multicast Entries
If the ACI is not limiting multicast requests via IGMP or MLD on a global or per-interface basis, this is a finding.
Fix Text (F-76049r1168162_fix)
Configure a limit, on a global or per-interface basis, on the number of mroute states resulting from IGMP or MLD membership reports.
Tenants >> {{your_Tenant}} >> Networking >> Bridge Domain >> {{your_Bridge_Domain}} >> Policy >> General >> IGMP Policy >> set the Maximum Multicast Entries
Note: This setting limits the mroute states created by IGMP reports for the BD or interface. The default is disabled (no limit enforced). Valid range is 1-4294967295.
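One way to automate this check against an APIC JSON export, as an added example that is not part of the STIG or of Cisco's tooling: it walks the exported objects and reports every IGMP interface policy whose Maximum Multicast Entries is not enforcing a limit. The class name igmpIfPol, the attribute name maxMcastEntries, and the representation of the "disabled" default as the upper bound of the range are assumptions about the ACI object model; the sample export is constructed.

```python
import json

# Constructed sample in the shape of an APIC JSON export ("imdata" list).
# Class name igmpIfPol and attribute maxMcastEntries are assumed from the
# ACI object model; every dn and value below is made up for illustration.
SAMPLE_EXPORT = json.dumps({"imdata": [
    {"igmpIfPol": {"attributes": {"dn": "uni/tn-prod/igmpIfPol-limited",
                                  "name": "limited", "maxMcastEntries": "500"}}},
    {"igmpIfPol": {"attributes": {"dn": "uni/tn-prod/igmpIfPol-default",
                                  "name": "default", "maxMcastEntries": "4294967295"}}},
    {"igmpIfPol": {"attributes": {"dn": "uni/tn-lab/igmpIfPol-unset",
                                  "name": "unset"}}},
    {"fvBD": {"attributes": {"dn": "uni/tn-prod/BD-app", "name": "app"}}},
]})

MIN_LIMIT, MAX_LIMIT = 1, 4294967295  # valid range stated in the STIG note

def limit_enforced(attrs):
    """Return (enforced, reason) for one igmpIfPol attribute dict.

    Assumption: the 'disabled' default is represented either by a missing
    attribute or by the upper bound of the range, which enforces no limit.
    """
    raw = attrs.get("maxMcastEntries")
    if raw is None:
        return False, "maxMcastEntries not set"
    try:
        value = int(raw)
    except ValueError:
        return False, f"non-numeric value {raw!r}"
    if not MIN_LIMIT <= value <= MAX_LIMIT:
        return False, f"value {value} outside {MIN_LIMIT}-{MAX_LIMIT}"
    if value == MAX_LIMIT:
        return False, "set to upper bound, effectively unlimited"
    return True, f"limit {value}"

def audit_igmp_policies(export_json):
    """Return a list of (dn, reason) findings for policies with no limit."""
    findings = []
    for obj in json.loads(export_json).get("imdata", []):
        body = obj.get("igmpIfPol")
        if body is None:
            continue  # other classes (fvBD etc.) are not what this check reviews
        attrs = body["attributes"]
        ok, reason = limit_enforced(attrs)
        if not ok:
            findings.append((attrs["dn"], reason))
    return findings

if __name__ == "__main__":
    for dn, reason in audit_igmp_policies(SAMPLE_EXPORT):
        print(f"FINDING {dn}: {reason}")
```

Policies that pass are not listed; a policy is only compliant for a BD if the BD actually references it, which this export-level check does not verify.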