Check: CACI-RT-000014
Cisco ACI Router STIG, version v1 r2
Title
The multicast rendezvous point (RP) Cisco ACI must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the designated router (DR) for any undesirable multicast groups. (Cat III impact)
Discussion
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that Join messages be accepted only for authorized multicast groups. In a Cisco ACI fabric, the border leaf switches are responsible for handling external multicast traffic and are where the access control lists (ACLs) that filter PIM Join messages would be applied.
Check Content
View the configuration to verify PIM compliance. Configure the relevant multicast-enabled interfaces by configuring a route map on the PIM settings for the VRF in the GUI. Navigate to Tenants >> {{your_Tenants}} >> Networking >> VRFs >> {{Your_VRF}} >> multicast >> Configuration >> PIM settings >> Reserved Route MAP. If the Cisco ACI is not configured to filter Join messages received from the DR for any undesirable multicast groups, this is a finding.
Fix Text
Configure ACLs on the border leaf switches that act as the PIM DRs, specifically targeting the multicast group addresses to be blocked. This prevents unwanted multicast traffic from entering the fabric by filtering the Join messages at the entry point. Configure the relevant multicast-enabled interfaces by configuring a route map on the PIM settings for the VRF in the GUI. Navigate to Tenants >> {{your_Tenants}} >> Networking >> VRFs >> {{Your_VRF}} >> multicast >> Configuration >> PIM settings >> Reserved Route MAP.
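The route map named in the Fix Text decides, per PIM Join, whether the DR forwards the request toward the RP. As an added illustration (not Cisco's code and not part of the STIG), the following Python models that decision: sequenced permit/deny entries are matched in order against the Join's group (and optionally its source), the first match wins, and a Join that matches nothing falls to an implicit deny. The `RouteMapEntry`/`PimJoinFilter` names, the policy and the sample Joins are all constructed for this example; they are not APIC object names.

```python
"""Ordered permit/deny filter for PIM Join messages (hypothetical model, not Cisco's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class RouteMapEntry:
    """One sequenced entry of the Join filter (hypothetical model of a route-map clause)."""
    seq: int
    action: str                          # "permit" or "deny"
    group_prefix: str                    # multicast group prefix, e.g. "239.1.0.0/16"
    source_prefix: Optional[str] = None  # optional source match for (S,G) Joins

    def matches(self, group: ipaddress.IPv4Address,
                source: Optional[ipaddress.IPv4Address]) -> bool:
        if group not in ipaddress.ip_network(self.group_prefix):
            return False
        if self.source_prefix is None:
            return True          # entry matches this group regardless of source
        if source is None:
            return False         # a (*,G) Join cannot satisfy a source-specific entry
        return source in ipaddress.ip_network(self.source_prefix)


class PimJoinFilter:
    """Evaluates (S,G) and (*,G) Join requests against ordered route-map entries."""

    def __init__(self, entries: List[RouteMapEntry]):
        for e in entries:
            if e.action not in ("permit", "deny"):
                raise ValueError(f"bad action in seq {e.seq}: {e.action}")
        self.entries = sorted(entries, key=lambda e: e.seq)

    def decide(self, group: str, source: Optional[str] = None) -> str:
        """Return 'permit' or 'deny' for a Join toward `group` (optionally from `source`)."""
        g = ipaddress.ip_address(group)
        if g.version != 4 or g not in MULTICAST_RANGE:
            return "deny"        # not a valid IPv4 multicast group at all
        s = ipaddress.ip_address(source) if source is not None else None
        for e in self.entries:
            if e.matches(g, s):
                return e.action
        return "deny"            # implicit deny: no entry matched


def evaluate_joins(filt: PimJoinFilter,
                   joins: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Sort a batch of Joins by verdict; the 'deny' list is what the DR must not forward."""
    verdicts: Dict[str, List[str]] = {"permit": [], "deny": []}
    for group, source in joins:
        label = group if source is None else f"{source},{group}"
        verdicts[filt.decide(group, source)].append(label)
    return verdicts


# Constructed policy: two authorized organization-scoped ranges, one sub-range
# explicitly carved out, everything else left to the implicit deny.
AUTHORIZED_POLICY = [
    RouteMapEntry(seq=5,  action="deny",   group_prefix="239.1.255.0/24"),
    RouteMapEntry(seq=10, action="permit", group_prefix="239.1.0.0/16"),
    RouteMapEntry(seq=20, action="permit", group_prefix="239.2.0.0/16",
                  source_prefix="10.20.0.0/16"),
]

# Constructed sample Joins as (group, source-or-None); not captured traffic.
SAMPLE_JOINS = [
    ("239.1.10.5", None),          # authorized (*,G)
    ("239.1.255.7", None),         # inside the carved-out sub-range
    ("239.2.4.4", "10.20.3.3"),    # authorized (S,G) from the expected source block
    ("239.2.4.4", "192.0.2.9"),    # same group, unexpected source
    ("239.2.4.4", None),           # (*,G) for a group that only permits a source range
    ("239.100.1.1", None),         # unauthorized group, implicit deny
    ("10.0.0.1", None),            # not a multicast address
]

if __name__ == "__main__":
    result = evaluate_joins(PimJoinFilter(AUTHORIZED_POLICY), SAMPLE_JOINS)
    for verdict, items in result.items():
        print(f"{verdict}: {items}")
```

The deny-before-permit ordering of sequence 5 and 10 is the point to check when reviewing a real route map: a broad permit placed ahead of a narrower deny silently re-admits the groups the deny was meant to block, and a policy with no explicit deny still relies on the implicit one at the end.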
Additional Identifiers
Rule ID: SV-272074r1168396_rule
Vulnerability ID: V-272074
Group Title: SRG-NET-000019-RTR-000014
CCIs
| Number | Definition |
|---|---|
| CCI-001414 | Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies. |
Controls
| Number | Title |
|---|---|
| AC-4 | Information Flow Enforcement |