Check: CACI-RT-000033
Cisco ACI Router STIG:
CACI-RT-000033
(in version v1 r0.1)
Title
The Cisco ACI multicast shortest-path tree (SPT) threshold must be set to the default. (Cat II impact)
Discussion
On Cisco ACI, "ip pim spt-threshold" is not set to infinity by default; the default is a finite value, typically zero, which means the switch always uses the SPT for PIM forwarding. The standard configuration for "ip pim spt-threshold" on Cisco devices is likewise zero. This threshold determines when a router switches to the SPT to forward multicast traffic in PIM Sparse Mode. In a Cisco ACI fabric, the SPT threshold normally does not need to be configured manually, because the fabric calculates the SPT from the network topology and the border leaf switches handle the SPT switchover; only in specific scenarios, such as a large number of multicast sources or a need to optimize multicast traffic flow, might adjusting the threshold be considered, depending on network requirements. Setting the threshold to "infinity", while technically possible, means the router never uses the SPT, which is generally not the intended behavior. Thus, it is not recommended that this value be configured.
Check Content
Review the configuration to verify the SPT switchover threshold is not explicitly configured. If the "ip pim spt-threshold <value>" command is configured for any value other than zero, this is a finding.
Fix Text
Remove the "ip pim spt-threshold" command from the configuration:
apic(config)# no ip pim spt-threshold <value>
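One way to automate the review described in the Check Content, as an added example that is not part of the STIG: a small Python audit that scans a configuration excerpt for the command and reports any value other than zero, together with the matching removal command. The exact value syntax after "ip pim spt-threshold" and the sample configuration are assumptions made for the example.

```python
import re

# Matches the PIM SPT-threshold command named in the check. The value syntax
# ("infinity" or a number, optionally followed by further arguments) is an
# assumption for this example, not taken from the STIG.
SPT_RE = re.compile(r"^\s*ip pim spt-threshold\s+(\S+)(?:\s+(.*))?$", re.IGNORECASE)


def audit_spt_threshold(config_text: str) -> list[dict]:
    """Return one finding per 'ip pim spt-threshold' line whose value is not 0.

    Per CACI-RT-000033, an explicitly configured threshold of zero is not a
    finding; 'infinity' or any other non-zero value is.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = SPT_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        if value.isdigit() and int(value) == 0:
            continue  # default behaviour: always switch to the SPT
        findings.append({
            "line": lineno,
            "value": value,
            "finding": "CACI-RT-000033",
            "fix": f"no ip pim spt-threshold {value}",
        })
    return findings


# Constructed sample configuration excerpt (not captured from a real fabric).
SAMPLE_CONFIG = """\
feature pim
ip pim spt-threshold 0
interface Vlan100
  ip pim sparse-mode
ip pim spt-threshold infinity
ip pim spt-threshold 64
"""

if __name__ == "__main__":
    for f in audit_spt_threshold(SAMPLE_CONFIG):
        print(f"line {f['line']}: spt-threshold {f['value']} -> {f['fix']}")
```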
Additional Identifiers
Rule ID: SV-272093r1064496_rule
Vulnerability ID: V-272093
Group Title: SRG-NET-000362-RTR-000123
CCIs
Number | Definition
---|---
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events.
Controls
Number | Title
---|---
SC-5 | Denial of Service Protection