Check: CACI-RT-000005
Cisco ACI Router STIG:
CACI-RT-000005
(in version v1 r0.1)
Title
The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources. (Cat III impact)
Discussion
The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources, which Protocol Independent Multicast (PIM) routers use to perform reverse path forwarding (RPF) checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing rendezvous points (RPs) from different domains to share information about active sources. MSDP helps ACI border leaf switches identify the location of multicast sources in external networks, allowing them to properly route multicast traffic to interested receivers within the ACI fabric. ACI runs MSDP within a Layer 3 context, allowing the fabric to discover multicast sources located in other multicast domains when it connects to external networks through L3Out connections, enabling efficient multicast forwarding across different network segments. Because a border leaf accepts every source-active (SA) advertisement from a configured peer unless a filter is applied, received SA messages must be filtered for undesirable groups and sources so that bogus or unauthorized sources cannot be injected into the fabric's multicast state.
Check Content
If this is a DODIN or JRSS system, this is not applicable.

Verify that a route map with specific filter criteria is applied inbound under the relevant BGP neighbor configuration to block unwanted multicast source prefixes from being accepted, as shown in the example below:

router bgp 100
  neighbor 10.1.1.2 remote-as 200
    address-family ipv4 unicast
      route-map BLOCK_MULTICAST in

Also verify that the route map denies the undesirable prefixes and then permits the remaining prefixes, rather than permitting the undesirable ones.

If the ACI is not configured to reject multicast source advertisements that do not belong to any customer or to the local AS, this is a finding.
Fix Text
Use a route map with specific filter criteria under the relevant BGP neighbor configuration to block unwanted multicast prefixes. The route map must deny the undesirable prefixes and then permit the remaining prefixes; a route map whose only clause permits the undesirable prefixes lets them through and, because a route map ends with an implicit deny, drops every other prefix.

Step 1: Define the undesirable prefixes and a route map that denies them.
apic1(config)# ip prefix-list <prefix-list-name> seq 10 permit <undesirable-multicast-prefix>
apic1(config)# route-map <route-map-name> deny 10
apic1(config-route-map)# match ip address prefix-list <prefix-list-name>
apic1(config-route-map)# exit
apic1(config)# route-map <route-map-name> permit 20
apic1(config-route-map)# exit

Step 2: Navigate to the BGP neighbor configuration.
apic1(config)# router bgp <AS number>
apic1(config-router)# neighbor <peer-IP> remote-as <peer-AS>

Step 3: Apply the route map inbound under the neighbor's address family.
apic1(config-router-neighbor)# address-family ipv4 unicast
apic1(config-router-neighbor-af)# route-map <route-map-name> in
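The following is an added example, not part of the STIG and not Cisco tooling: a small Python audit that applies this check's logic to an NX-OS-style configuration snippet of the kind the Check Content and Fix Text show. It parses prefix lists, route-map clauses and per-neighbor route-map bindings, then evaluates the inbound route map the way the router would (first matching clause wins, implicit deny at the end, a prefix-list entry without "le" is an exact-length match) against two constructed sets of source prefixes. The route-map and prefix-list names, the peer 10.1.1.2, the RFC 1918 ranges used as "undesirable" sources and 198.51.100.0/24 as a "legitimate" external source are all constructed for illustration; the real ACI NX-OS-style CLI may render the running configuration differently, so treat the regular expressions as a starting point rather than a complete grammar.

```python
"""Audit an NX-OS-style BGP neighbor config for an inbound route map that
rejects undesirable multicast source prefixes (CACI-RT-000005 check logic).
Added example; all config text, names and address ranges are constructed."""
import ipaddress
import re

PREFIX_LIST_RE = re.compile(r"ip prefix-list (\S+) seq \d+ (permit|deny) (\S+)(?: le (\d+))?$")
ROUTE_MAP_RE = re.compile(r"route-map (\S+) (permit|deny) (\d+)$")
MATCH_RE = re.compile(r"match ip address prefix-list (\S+)$")
NEIGHBOR_RE = re.compile(r"neighbor (\S+) remote-as \d+$")
BINDING_RE = re.compile(r"route-map (\S+) (in|out)$")


def parse_config(text):
    """Return (prefix_lists, route_maps, neighbors) parsed from a config snippet."""
    prefix_lists = {}  # name -> [(action, network, le_or_None)]
    route_maps = {}    # name -> [(action, seq, [prefix-list names])]
    neighbors = {}     # peer ip -> {"in": route-map name, "out": route-map name}
    cur_rm = cur_nbr = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := PREFIX_LIST_RE.match(line):
            name, action, net, le = m.groups()
            prefix_lists.setdefault(name, []).append(
                (action, ipaddress.ip_network(net), int(le) if le else None))
        elif m := ROUTE_MAP_RE.match(line):
            name, action, seq = m.groups()
            cur_rm = (action, int(seq), [])
            route_maps.setdefault(name, []).append(cur_rm)
        elif (m := MATCH_RE.match(line)) and cur_rm is not None:
            cur_rm[2].append(m.group(1))
        elif m := NEIGHBOR_RE.match(line):
            cur_nbr = m.group(1)
            neighbors[cur_nbr] = {}
        elif (m := BINDING_RE.match(line)) and cur_nbr is not None:
            neighbors[cur_nbr][m.group(2)] = m.group(1)
    return prefix_lists, route_maps, neighbors


def prefix_list_permits(entries, net):
    """First matching entry wins; no 'le' means exact prefix length; implicit deny."""
    for action, pl_net, le in entries:
        if net.version != pl_net.version or not net.subnet_of(pl_net):
            continue
        if (le is None and net.prefixlen == pl_net.prefixlen) or (le is not None and net.prefixlen <= le):
            return action == "permit"
    return False


def route_map_accepts(entries, prefix_lists, net):
    """Clauses run in sequence order; a clause with no match statement matches
    everything; falling off the end of the route map is an implicit deny."""
    for action, _seq, pl_names in sorted(entries, key=lambda e: e[1]):
        if not pl_names or any(prefix_list_permits(prefix_lists.get(n, []), net) for n in pl_names):
            return action == "permit"
    return False


def audit_neighbor(config, peer, undesirable, legitimate):
    """Return a list of finding strings for one BGP peer; an empty list is compliant."""
    prefix_lists, route_maps, neighbors = parse_config(config)
    if peer not in neighbors:
        return [f"neighbor {peer} not configured"]
    rm_name = neighbors[peer].get("in")
    if rm_name is None:
        return [f"no inbound route-map on neighbor {peer}"]
    if rm_name not in route_maps:
        return [f"route-map {rm_name} is applied but not defined"]
    entries = route_maps[rm_name]
    findings = [f"route-map {rm_name} accepts undesirable prefix {n}"
                for n in undesirable if route_map_accepts(entries, prefix_lists, n)]
    findings += [f"route-map {rm_name} drops legitimate prefix {n}"
                 for n in legitimate if not route_map_accepts(entries, prefix_lists, n)]
    return findings


# Constructed sample data: RFC 1918 space should never arrive as a multicast
# source from an external AS; 198.51.100.0/24 stands in for a legitimate source.
UNDESIRABLE_SOURCES = [ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("192.168.1.0/24")]
LEGITIMATE_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
PREFIX_LISTS = """
ip prefix-list UNDESIRABLE seq 10 permit 10.0.0.0/8 le 32
ip prefix-list UNDESIRABLE seq 20 permit 192.168.0.0/16 le 32
"""
BGP = """
router bgp 100
  neighbor 10.1.1.2 remote-as 200
    address-family ipv4 unicast
      route-map BLOCK_MULTICAST {direction}
"""
# Weak: the only clause permits the unwanted prefixes, and the implicit deny
# then drops every legitimate one.
WEAK_CONFIG = PREFIX_LISTS + """
route-map BLOCK_MULTICAST permit 10
  match ip address prefix-list UNDESIRABLE
""" + BGP.format(direction="in")
GOOD_CLAUSES = """
route-map BLOCK_MULTICAST deny 10
  match ip address prefix-list UNDESIRABLE
route-map BLOCK_MULTICAST permit 20
"""
GOOD_CONFIG = PREFIX_LISTS + GOOD_CLAUSES + BGP.format(direction="in")
OUTBOUND_ONLY_CONFIG = PREFIX_LISTS + GOOD_CLAUSES + BGP.format(direction="out")  # filter never sees received routes

if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("good", GOOD_CONFIG), ("outbound-only", OUTBOUND_ONLY_CONFIG)]:
        print(label, audit_neighbor(cfg, "10.1.1.2", UNDESIRABLE_SOURCES, LEGITIMATE_SOURCES) or "compliant")
```

Running the script reports three findings for the weak configuration (both undesirable prefixes accepted, the legitimate one dropped), a single finding for the outbound-only binding, and "compliant" for the deny-then-permit route map applied inbound. Checking a legitimate prefix alongside the undesirable ones matters: a route map that denies everything would pass a test that only looks for blocked prefixes while silently breaking multicast for every valid source.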
Additional Identifiers
Rule ID: SV-272065r1067378_rule
Vulnerability ID: V-272065
Group Title: SRG-NET-000018-RTR-000007
CCIs
Number | Definition |
---|---|
CCI-001368 | Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 | Information Flow Enforcement |