Check: CACI-RT-000007
Cisco ACI Router STIG, version v1 r0.1
Title
The Cisco ACI Multicast Source Discovery Protocol (MSDP) implementation must be configured to limit the number of source-active (SA) messages it accepts on a per-peer basis. (Cat III impact)
Discussion
To reduce the risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer. To limit the number of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command on the switch, specifying the maximum number of SA messages allowed per peer. This acts as a per-peer cap and prevents a single peer from overwhelming the device with multicast source information.
Check Content
If the ACI implementation does not use MSDP, this is not applicable.

Review the switch configuration to determine if it is configured to limit the number of source-active messages it accepts on a per-peer basis:

show ip msdp

If the ACI is not configured to limit the source-active messages it accepts, this is a finding.
Fix Text
To limit the number of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command, specifying the maximum number of SA messages allowed per peer. The following is an example:

api1(config)# ip msdp sa-limit 10.1.1.1 MSDP_SA_FILTER
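The check and fix above can be audited offline against a saved running-config. The script below is an added example, not part of the STIG or of any Cisco tooling; it assumes NX-OS-style lines of the form `ip msdp peer <addr> ...` and `ip msdp sa-limit <addr> <limit>`, and the config fragment it parses is constructed, not captured from a device.

```python
"""Audit a running-config for CACI-RT-000007: every configured MSDP peer
must have a matching 'ip msdp sa-limit' entry, otherwise it is a finding."""
import re
from typing import Dict, List, Optional

# Assumed NX-OS-style syntax for peer and per-peer SA-limit lines.
PEER_RE = re.compile(r"^\s*ip msdp peer (\S+)")
LIMIT_RE = re.compile(r"^\s*ip msdp sa-limit (\S+)\s+(\S+)")

# Constructed sample config (not real device output): 10.1.1.1 is limited,
# 10.1.1.2 is not and should be reported.
SAMPLE_CONFIG = """
feature msdp
ip msdp peer 10.1.1.1 connect-source loopback0
ip msdp peer 10.1.1.2 connect-source loopback0
ip msdp sa-limit 10.1.1.1 500
"""


def parse_msdp(config: str) -> Dict[str, Optional[str]]:
    """Map each configured MSDP peer to its SA limit (None when absent)."""
    peers: Dict[str, Optional[str]] = {}
    lines = config.splitlines()
    for line in lines:                      # first pass: collect peers
        m = PEER_RE.match(line)
        if m:
            peers.setdefault(m.group(1), None)
    for line in lines:                      # second pass: attach limits
        m = LIMIT_RE.match(line)
        if m and m.group(1) in peers:       # limits for unknown peers are ignored
            peers[m.group(1)] = m.group(2)
    return peers


def find_unlimited_peers(config: str) -> List[str]:
    """Peers with no per-peer SA limit; each one is a finding."""
    return sorted(p for p, lim in parse_msdp(config).items() if lim is None)


def is_compliant(config: str) -> bool:
    """True when every peer is limited; a config with no MSDP peers is
    treated as not applicable and therefore passes."""
    return not find_unlimited_peers(config)


if __name__ == "__main__":
    for peer in find_unlimited_peers(SAMPLE_CONFIG):
        print(f"FINDING: MSDP peer {peer} has no 'ip msdp sa-limit' configured")
```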
Additional Identifiers
Rule ID: SV-272067r1064470_rule
Vulnerability ID: V-272067
Group Title: SRG-NET-000018-RTR-000009
CCIs
Number | Definition
---|---
CCI-001368 | Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement