Check: CACI-RT-000032
Cisco ACI Router STIG, version v1 r0.1
Title
The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface. (Cat II impact)
Discussion
Limiting mroute states helps prevent excessive multicast traffic flooding on the network by controlling the number of multicast groups a segment can join. By limiting multicast routes, the APIC can better manage its internal resources and prevent potential performance issues due to excessive multicast traffic. Depending on the ACI configuration, set a global IGMP state limit which would apply across all interfaces, or it may be necessary to configure limits on individual interfaces.
Check Content
Review the configuration to verify it is limiting the number of mroute states via IGMP or MLD. Verify IGMP limits have been configured globally or on each host-facing interface via the ip igmp limit command, as shown in the example:

interface GigabitEthernet0/0
 ip igmp limit nn

Review the relevant Bridge Domain (BD) or interface. Verify it is configured to limit the number of multicast routes (mroute states) generated by IGMP or MLD reports:

apic(config)# tenant <tenant_name>
apic(config-tenant)# bridge-domain <BD_name>
apic(config-bd)# interface <interface_name>
apic(config-if)# ip mroute limit <maximum_mroute_count>

If the ACI is not limiting multicast requests via IGMP or MLD on a global or interface basis, this is a finding.
Fix Text
Configure a limit, on a global or interface basis, on the number of mroute states resulting from IGMP or MLD membership reports. Navigate to the specific BD or interface settings within the APIC configuration. Use the CLI command "ip igmp limit <number>" in global configuration mode, which sets a global limit on the number of mroute states allowed across the entire fabric. This limit cannot be configured on a per interface basis in ACI. To limit the number of mroute states created on a BD or interface by MLD reports on a Cisco APIC, configure the "Maximum Multicast Entries" parameter within the BD or interface settings.

apic# configure terminal
apic(config)# ip igmp limit 100

or

apic(config)# int g0/0
apic(config-if)# ip igmp limit 2

On the relevant BD or interface, limit the number of multicast routes (mroute states) generated by IGMP or MLD reports. Navigate to the specific BD and interface where the mroute limit is to be set:

apic(config)# tenant <tenant_name>
apic(config-tenant)# bridge-domain <BD_name>
apic(config-bd)# interface <interface_name>
apic(config-if)# ip mroute limit <maximum_mroute_count>

Note: Monitor multicast traffic on the network and adjust the "ip mroute limit" value as needed to balance performance and resource usage.
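As an added example, not part of the STIG or of any Cisco tooling, the following Python script applies the check above to a saved APIC CLI configuration excerpt: a global "ip igmp limit" passes on its own, otherwise every interface must carry its own "ip igmp limit" or "ip mroute limit". The sample configuration is constructed for the example, and the parser assumes the indented sub-mode layout shown in the fix text.

```python
import re

# Constructed sample of an ACI CLI configuration excerpt in the indented style
# the fix text shows; it is not captured from a real fabric.
SAMPLE_CONFIG = """\
tenant Prod
  bridge-domain BD-Users
    interface vlan100
      ip mroute limit 500
    interface vlan200
  bridge-domain BD-Servers
    interface vlan300
      ip igmp limit 200
"""

LIMIT_RE = re.compile(r"^ip (?:igmp|mroute) limit (\d+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")


def audit_mroute_limits(config: str) -> dict:
    """Report whether CACI-RT-000032 is met: a global 'ip igmp limit' passes
    on its own; otherwise every interface needs its own IGMP/mroute limit."""
    global_limit = None
    interfaces = {}                  # interface name -> limit value or None
    current, iface_indent = None, -1
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        if current is not None and indent <= iface_indent:
            current = None           # dedent: left the interface sub-mode
        m = IFACE_RE.match(line)
        if m:
            current, iface_indent = m.group(1), indent
            interfaces.setdefault(current, None)
            continue
        m = LIMIT_RE.match(line)
        if m and current is None:
            global_limit = int(m.group(1))   # global configuration mode
        elif m:
            interfaces[current] = int(m.group(1))
    unlimited = sorted(n for n, lim in interfaces.items() if lim is None)
    compliant = global_limit is not None or (bool(interfaces) and not unlimited)
    return {"global_limit": global_limit, "interfaces": interfaces,
            "unlimited_interfaces": unlimited, "finding": not compliant}


if __name__ == "__main__":
    print(audit_mroute_limits(SAMPLE_CONFIG))
```

On the sample, vlan200 has no limit and no global limit is set, so the script reports a finding; prepending a global "ip igmp limit" line clears it.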
Additional Identifiers
Rule ID: SV-272092r1064601_rule
Vulnerability ID: V-272092
Group Title: SRG-NET-000362-RTR-000122
CCIs
Number | Definition
---|---
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events.
Controls
Number | Title
---|---
SC-5 | Denial of Service Protection