An error occurred:

Check: CACI-RT-000036

Cisco ACI Router STIG: CACI-RT-000036 (in version v1 r0.1)

Title

The Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization. (Cat II impact)

Discussion

Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.

Check Content

This requirement is only applicable to Source Specific Multicast (SSM) implementation. This requirement is not applicable to Any Source Multicast (ASM) since the filtering is being performed by the rendezvous point switch. Review the configuration to verify that it is filtering IGMP or MLD Membership Report messages, allowing hosts to join only those groups that have been approved. switch BD-1 ip igmp snooping ip igmp snooping policy ApprovedSources ip igmp snooping policy ApprovedSources source-filter 10.0.0.1 interface Vlan10 ip igmp snooping policy ApprovedSources If the Cisco API is not filtering IGMP or MLD Membership Report messages, this is a finding.

Fix Text

Configure an IGMP snooping policy with source-based filtering, defining which IP addresses are permitted to send multicast traffic to a specific group within a VLAN. Step 1: Navigate to the relevant interface or bridge domain. [apic#] switch <bridge-name> [apic(switch-BD-1)#] ip igmp snooping Step 2: Within the IGMP Snooping Policy, specify allowed source IP addresses. [apic(switch-BD-1)#] ip igmp snooping policy<policy-name> [apic(switch-<bridge-domain-name>)#] ip igmp snooping policy <policy-name> source-filter <source-ip-address1> <source-ip-address2> Step 3: Assign the created policy to the relevant interface or VLAN. [apic(switch-BD-1)#] interface <interface-name> [apic(switch-BD-1)#] ip igmp snooping policy <policy-name>

Additional Identifiers

Rule ID: SV-272096r1064605_rule

Vulnerability ID: V-272096

Group Title: SRG-NET-000364-RTR-000115

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002403

Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-7(11)

Restrict Incoming Communications Traffic