Title

The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface. (Cat II impact)

Discussion

Limiting mroute states helps prevent excessive multicast traffic flooding on the network by controlling the number of multicast groups a segment can join. By limiting multicast routes, the APIC can better manage its internal resources and prevent potential performance issues due to excessive multicast traffic. Depending on the ACI configuration, set a global IGMP state limit that would apply across all interfaces, or it may be necessary to configure limits on individual interfaces.

Check Content

Review the relevant BD configuration. Verify it is configured to limit the number of multicast routes (mroute states) generated by IGMP or MLD reports. Tenants >> {{your_Tenant}} >> Networking >> Bridge Domain >> {{your_Bridge_Domain}} >> Policy >> General >> IGMP Policy >> set the Maximum Multicast Entries If the ACI is not limiting multicast requests via IGMP or MLD on a global or interfaces basis, this is a finding.

Fix Text

Configure a global or interface basis to limit the number of mroute states resulting from IGMP or MLD membership reports. Tenants >> {{your_Tenant}} >> Networking >> Bridge Domain >> {{your_Bridge_Domain}} >> Policy >> General >> IGMP Policy >> set the Maximum Multicast Entries Note: This setting is used to limit the mroute states for the BD or interface created by IGMP reports. Default is disabled, no limit enforced. Valid range is 1-4294967295.

Additional Identifiers

Rule ID: SV-272092r1168163_rule

Vulnerability ID: V-272092

Group Title: SRG-NET-000362-RTR-000122

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.