Review the switch configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers. Step 1: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example below: interface Ethernet2/3 no switchport ip access-group EXTERNAL_ACL_INBOUND in ip address x.1.28.8/24 ip pim sparse-mode Step 2: Verify that the ACL restricts MSDP peering to only known sources. ip access-list EXTERNAL_ACL_INBOUND 10 permit tcp any any established 20 permit tcp x.1.28.2/32 x.1.28.8/32 eq 639 30 deny tcp any x.1.28.8/32 eq 639 log 40 permit tcp x.1.28.2/32 10.x.28.8/32 eq bgp 50 permit tcp x.1.28.2/32 eq bgp x.1.28.8/32 60 permit pim x.1.28.2/32 x.1.28.8/32 … … … 120 deny ip any any log Note: MSDP connections are via TCP port 639. If the switch is not configured to only accept MSDP packets from known MSDP peers, this is a finding.