Title

The Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization. (Cat III impact)

Discussion

Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.

Check Content

This requirement is only applicable to Source Specific Multicast (SSM) implementation. This requirement is not applicable to Any Source Multicast (ASM) since the filtering is being performed by the rendezvous point switch. Review the configuration of the designated router (DR) to verify that it is filtering IGMP or MLD Membership Report messages, allowing hosts to join only those groups that have been approved. If the Cisco ACI is not filtering IGMP or MLD Membership Report messages, this is a finding.

Fix Text

Configure "IGMP Snooping" and create access groups that define which multicast groups are permitted on specific ports. For filtering IPv6 multicast traffic (MLD), use similar commands with the "mld" keyword instead of "igmp". Step 1: Navigate to the relevant bridge domain, interface or VLAN and enable IGMP snooping using the command. apic(config)# interface <interface_name> apic (config-if)# ip igmp snooping or apic(config)# bd BD-1 apic(config-bd-1)# ip igmp snooping Step 2: Define a new access group with a name and specify the permitted multicast groups. apic(config)# ip igmp snooping vlan <vlan_id> access-group <access_group_name> apic(config)# access-group <access_group_name> apic(config)# permit ip multicast <multicast_group_address> Step 3: Navigate to the specific port configuration where the filter is to be applied. apic(config)# ip igmp snooping access-group <group-name> to associate the created access group with the port. apic(config)# interface Ethernet1/1 apic(config-if)# ip igmp snooping access-group allowed-groups

Additional Identifiers

Rule ID: SV-272095r1064603_rule

Vulnerability ID: V-272095

Group Title: SRG-NET-000364-RTR-000114

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.