An error occurred:

Check: CACI-RT-000014

Cisco ACI Router STIG: CACI-RT-000014 (in version v1 r0.1)

Title

The multicast rendezvous point (RP) Cisco ACI must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the designated router (DR) for any undesirable multicast groups. (Cat III impact)

Discussion

Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups. In a Cisco ACI fabric, the border leaf switches are responsible for handling external multicast traffic and are where access control lists (ACLs) to filter PIM Join messages would be applied.

Check Content

View the configuration to verify PIM compliance. APIC1(config)#show running-configuration pim Example: ! ACL to deny specific multicast groups ip access-list extended PIM_JOIN_FILTER deny ip multicast group 224.0.0.1 deny ip multicast group 224.0.0.2 permit ip any any ! ACL to the L3Out interface on the border leaf switch interface L3Out_to_External ip access-group PIM_JOIN_FILTER in If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.

Fix Text

Configure ACLs on the border leaf switches that act as the PIM DRs, specifically targeting the multicast group addresses to be blocked. This essentially prevents unwanted multicast traffic from entering the fabric by filtering the Join messages at the entry point. Step 1: Create an ACL to deny specific multicast groups. ip access-list extended PIM_JOIN_FILTER deny ip multicast group 224.0.0.1 deny ip multicast group 224.0.0.2 permit ip any any Step 2: Apply the ACL to the L3Out interface on the border leaf switch. interface L3Out_to_External ip access-group PIM_JOIN_FILTER in

Additional Identifiers

Rule ID: SV-272074r1064477_rule

Vulnerability ID: V-272074

Group Title: SRG-NET-000019-RTR-000014

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001414

Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement