The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-251390 | NET2008 | SV-251390r806125_rule | CCI-001414 | low |
| Description | ||||
| A multicast boundary must be established to ensure that administratively-scoped multicast traffic does not flow into or out of the IP core. The multicast boundary can be created by ensuring that COI-facing interfaces on all PIM routers are configured to block inbound and outbound administratively-scoped multicast traffic. | ||||
| STIG | Date | |||
| Network Infrastructure Policy Security Technical Implementation Guide | 2024-08-02 | |||
Details
Check Text (C-251390r806125_chk)
The administratively-scoped IPv4 multicast address space is 239.0.0.0 through 239.255.255.255. Packets addressed to administratively-scoped multicast addresses must not cross administrative boundaries. This can be accomplished by applying a multicast boundary statement to all COI-facing interfaces as shown in the following example:
ip multicast-routing
!
interface FastEthernet0/0
ip address 199.36.92.1 255.255.255.252
ip pim sparse-mode
ip multicast boundary 1
!
access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit any
If inbound and outbound administratively-scoped multicast traffic is not blocked, this is a finding.
Fix Text (F-54778r806124_fix)
Configure a multicast boundary statement at all COI-facing interfaces that has PIM enabled to block inbound and outbound administratively-scoped multicast traffic.