Title

The multicast rendezvous point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages. (Cat II impact)

Discussion

When a new source starts transmitting in a PIM Sparse Mode network, the designated router (DR) will encapsulate the multicast packets into register messages and forward them to the RP using unicast. This process can be taxing on the CPU for both the DR and the RP if the source is running at a high data rate and there are many new sources starting at the same time. This scenario can potentially occur immediately after a network failover. The rate limit for the number of register messages should be set to a relatively low value based on the known number of multicast sources within the multicast domain. Satisfies: SRG-NET-000362-RTR-000120

Check Content

Review the PIM configuration: Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Multicast >> Configuration >> Pattern Policy >> under Register Traffic Policy look for Max Rate (packets per second) If the RP router is not configured to filter PIM register messages, rate limit the number of PIM register messages, and accept multicast packets only from known peers, this is a finding.

Fix Text

Configure the switch to filter PIM register messages, rate limit the number of PIM register messages, and accept multicast packets only from known peers. Use the command "ip pim register-rate-limit <rate>", where <rate> specifies the desired maximum number of register messages per second allowed to be sent. Navigate to the following location to configure: Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Multicast >> Configuration >> Pattern Policy >> under Register Traffic Policy look for Max Rate (packets per second)

Additional Identifiers

Rule ID: SV-272091r1168160_rule

Vulnerability ID: V-272091

Group Title: SRG-NET-000362-RTR-000121

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.