The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-251390 | NET2008 | SV-251390r806125_rule | CCI-001414 | low |
Description
A multicast boundary must be established to ensure that administratively-scoped multicast traffic does not flow into or out of the IP core. The multicast boundary can be created by ensuring that COI-facing interfaces on all PIM routers are configured to block inbound and outbound administratively-scoped multicast traffic.
| STIG | Date |
| Network Infrastructure Policy Security Technical Implementation Guide | 2024-08-02 |
Related Frameworks
NIST 800-53 (1 mapping)
AC-4
1.00
- DISA · V10R7 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
3.1.3
1.00
- DISA · V10R7 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-001414
1.00
- DISA · V10R7 · disa_xccdf · related
Details
Check Text (C-251390r806125_chk)
The administratively-scoped IPv4 multicast address space is 239.0.0.0 through 239.255.255.255. Packets addressed to administratively-scoped multicast addresses must not cross administrative boundaries. This can be accomplished by applying a multicast boundary statement to all COI-facing interfaces as shown in the following example:
ip multicast-routing
!
interface FastEthernet0/0
 ip address 199.36.92.1 255.255.255.252
 ip pim sparse-mode
 ip multicast boundary 1
!
access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit any
If inbound and outbound administratively-scoped multicast traffic is not blocked, this is a finding.
Fix Text (F-54778r806124_fix)
Configure a multicast boundary statement on all COI-facing interfaces that have PIM enabled to block inbound and outbound administratively-scoped multicast traffic.
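The check text above can be scripted against a saved running-config. This is an added example, not part of the STIG. It assumes IOS-style indentation and numbered standard ACLs with contiguous wildcards, as in the example above; named ACLs are not parsed. The function names and the sample config are constructed. It reports every PIM-enabled interface, so the reviewer still has to select the COI-facing ones.

```python
import ipaddress
import re

# Constructed running-config excerpt; only FastEthernet0/0 follows the page's example.
SAMPLE = """\
interface FastEthernet0/0
 ip pim sparse-mode
 ip multicast boundary 1
interface FastEthernet0/1
 ip pim sparse-mode
interface FastEthernet0/2
 ip pim sparse-mode
 ip multicast boundary 2
access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit any
access-list 2 permit 239.1.0.0 0.0.255.255
access-list 2 deny 239.0.0.0 0.255.255.255
"""

def parse_acls(config):  # numbered standard ACLs -> ordered (action, network) entries
    acls = {}
    pat = r"^access-list (\d+) (permit|deny) (?:host )?(any|[\d.]+)(?: ([\d.]+))?"
    for num, action, addr, wild in re.findall(pat, config, re.M):
        ones = bin(int(ipaddress.IPv4Address(wild or "0.0.0.0"))).count("1")
        net = "0.0.0.0/0" if addr == "any" else f"{addr}/{32 - ones}"
        acls.setdefault(num, []).append((action, ipaddress.ip_network(net, strict=False)))
    return acls

def blocks_admin_scoped(entries):
    """First-match walk: True only if no permit can match any part of 239.0.0.0/8."""
    remaining = [ipaddress.ip_network("239.0.0.0/8")]
    for action, net in entries:
        hit = [r for r in remaining if net.overlaps(r)]
        if hit and action == "permit":
            return False
        remaining = [r for r in remaining if r not in hit] + [
            p for r in hit if not r.subnet_of(net) for p in r.address_exclude(net)]
    return bool(entries)  # leftovers meet the implicit deny; an undefined ACL fails

def audit(config):  # -> [(interface, reason)] for PIM interfaces that fail the check
    acls, findings = parse_acls(config), []
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n)*)", config, re.M):
        if not re.search(r"^\s+ip pim ", body, re.M):
            continue
        bound = re.search(r"^\s+ip multicast boundary (\S+)", body, re.M)
        if not bound:
            findings.append((name, "no multicast boundary"))
        elif not blocks_admin_scoped(acls.get(bound.group(1), [])):
            findings.append((name, f"ACL {bound.group(1)} does not block 239.0.0.0/8"))
    return findings
```

ACL 2 in the sample fails because its permit for 239.1.0.0/16 is evaluated before the deny for 239.0.0.0/8.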