Check: CACI-RT-000037
Cisco ACI Router STIG: CACI-RT-000037 (in version v1 r0.1)
Title
Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to only accept MSDP packets from known MSDP peers. (Cat II impact)
Discussion
MSDP peering with customer network routers presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled router. To guard against an attack from malicious MSDP traffic, the receive path or interface filter for all MSDP-enabled RP routers must be configured to only accept MSDP packets from known MSDP peers.
Check Content
Review the switch configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers.

Step 1: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example below:

interface GigabitEthernet1/1
 ip address x.1.28.8 255.255.255.0
 ip access-group EXTERNAL_ACL_INBOUND in

Step 2: Verify that the ACL restricts MSDP peering to only known sources.

ip access-list extended EXTERNAL_ACL_INBOUND
 permit tcp host x.1.28.2
 permit tcp host x.1.28.2

If the switch is not configured to only accept MSDP packets from known MSDP peers, this is a finding.
Fix Text
Configure the receive path or interface ACLs to only accept MSDP packets from known MSDP peers. Ensure the IP addresses of all intended MSDP peers have been properly identified and configured before creating the ACL. Regularly review and update ACLs to reflect changes in the network topology and security requirements.

Step 1: Create an ACL allowing only permitted IP addresses.

apic(config)# ip access-list extended <ACL_filter_name>
apic(config)# permit ip <allowed IP address or range> any
apic(config)# permit ip <allowed IP address or range> any

Step 2: Apply the ACL as the receive path filter on the interface.

interface <interface name>
 ip msdp incoming filter <ACL filter name>
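The two check steps above, automated as an added example that is not part of the STIG: a small Python script parses a Cisco-style configuration, finds the inbound filter on each interface (either the `ip access-group ... in` form from the check content or the `ip msdp incoming filter` form from the fix text) and reports any permit entry whose source is not a known MSDP peer, or any interface with no filter at all. The configurations, addresses and known-peer list are constructed for the example, and every interface in a snippet is assumed to be an MSDP-peering interface.

```python
import re
# An ACE (action, protocol, source "host A" / "any" / "A WILDCARD"); an interface's inbound filter in either form.
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(host\s+\S+|any|\S+\s+\S+)")
FILTER_RE = re.compile(r"^ip (?:msdp incoming filter (\S+)|access-group (\S+) in)$")

# Constructed input, not from the STIG; RFC 5737 addresses stand in for the "x.1.28.x"
# placeholders. Assumed: every interface shown peers MSDP; KNOWN_MSDP_PEERS is authoritative.
KNOWN_MSDP_PEERS = {"192.0.2.2", "192.0.2.3"}
COMPLIANT_CONFIG = """\
ip access-list extended EXTERNAL_ACL_INBOUND
 permit tcp host 192.0.2.2 any
interface GigabitEthernet1/1
 ip msdp incoming filter EXTERNAL_ACL_INBOUND
"""
NONCOMPLIANT_CONFIG = """\
ip access-list extended EXTERNAL_ACL_INBOUND
 permit tcp host 192.0.2.2 any
 permit ip any any
interface GigabitEthernet1/1
 ip access-group EXTERNAL_ACL_INBOUND in
interface GigabitEthernet1/2
"""

def parse_config(text):
    """Return ({acl: [(action, proto, source)]}, {interface: set of inbound ACL names})."""
    acls, interfaces, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            block = ("acl", line.split()[-1]); acls.setdefault(block[1], [])
        elif line.startswith("interface "):
            block = ("if", line.split(None, 1)[1]); interfaces.setdefault(block[1], set())
        elif block and block[0] == "acl" and (m := ACE_RE.match(line)):
            acls[block[1]].append(m.groups())
        elif block and block[0] == "if" and (m := FILTER_RE.match(line)):
            interfaces[block[1]].add(m.group(1) or m.group(2))
    return acls, interfaces

def evaluate(text, known_peers):
    """Return the findings for this check; an empty list means the configuration passes."""
    acls, interfaces = parse_config(text)
    findings = []
    for ifname, filters in interfaces.items():
        if not filters:
            findings.append(f"{ifname}: no inbound MSDP filter applied")
        for action, proto, source in (ace for acl in filters for ace in acls.get(acl, [])):
            host = source.split()[1] if source.startswith("host ") else None
            if action == "permit" and host not in known_peers:  # 'any', a range, or an unknown host
                findings.append(f"{ifname}: permits MSDP from unknown source '{source}' ({proto})")
    return findings
```

A permit whose source is `any`, an address range, or a host absent from the peer list is reported as a finding, matching the rule's "only from known MSDP peers" wording.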
Additional Identifiers
Rule ID: SV-272097r1064500_rule
Vulnerability ID: V-272097
Group Title: SRG-NET-000364-RTR-000116
CCIs
Number | Definition
---|---
CCI-002403 | Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
Controls
Number | Title
---|---
SC-7(11) | Restrict Incoming Communications Traffic