Cisco ACI Router STIG Version Comparison
Cisco ACI Router Security Technical Implementation Guide
Comparison
There are 44 differences between versions v1 r0.1 (Feb. 7, 2025) (the "left" version) and v1 r2 (Jan. 5, 2026) (the "right" version).
Check CACI-RT-000005 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
Check Content
If this is a DODIN or JRSS system, this is not applicable.

Verify the ip route-map command with specific filter criteria under the relevant BGP neighbor configuration is configured to block any unwanted multicast prefixes from being advertised, as shown in the example below:

router bgp 100
neighbor 10.1.1.2 remote-as 200
address-family ipv4 unicast
route-map BLOCK_MULTICAST permit

If the ACI is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.
Discussion
The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing rendezvous points (RPs) from different domains to share information about active sources. MSDP helps ACI border leaf switches identify the location of multicast sources in external networks, allowing them to properly route multicast traffic to interested receivers within the ACI fabric. MSDP operates within a layer 3 context, allowing the ACI fabric to discover multicast sources located in other multicast domains when connecting to external networks through "L3Out" connections, enabling efficient multicast traffic forwarding across different network segments.
Fix
Use the ip route-map command with specific filter criteria under the relevant BGP neighbor configuration to block any unwanted multicast prefixes from being advertised.

1. Navigate to BGP neighbor configuration.
apci1(config)# router bgp <AS number>
apci1(config-router)# neighbor <peer-IP> remote-as <peer-AS>

2. Create a route map.
apci1(config-router)# ip route-map <route-map-name> permit 10
apci1(config-router)# match ip address prefix <undesirable-multicast-prefix>
exit

3. Apply route-map to BGP neighbor.
apci1(config)# address-family ipv4 unicast
apci1(config)# route-map <route-map-name> permit
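Added example, not part of the STIG or of Cisco's tooling: a Python checker that applies the logic of this check to a saved ACI/NX-OS-style configuration, reporting each BGP neighbor with no route-map under its ipv4 unicast address-family and each neighbor that references a route-map the configuration never defines. The sample configuration, neighbor addresses and prefix are constructed.

```python
import re

# Line patterns for the ACI/NX-OS-style BGP syntax in the fix text. The word after an
# applied route-map name is accepted as the check writes it ("permit") or as "out".
NEIGHBOR_RE = re.compile(r"^neighbor\s+(\S+)\s+remote-as\s+\S+")
AF_RE = re.compile(r"^address-family\s+ipv4\s+unicast\b")
RM_DEF_RE = re.compile(r"^(?:ip\s+)?route-map\s+(\S+)\s+(?:permit|deny)\s+\d+")
RM_APPLY_RE = re.compile(r"^route-map\s+(\S+)\s+(?:permit|out)\b")

# Constructed sample (not from the STIG): one compliant neighbor, one with no
# route-map applied, one referencing a route-map that is never defined.
SAMPLE_CONFIG = """\
ip route-map BLOCK_MULTICAST permit 10
  match ip address prefix 10.99.0.0/16
router bgp 100
  neighbor 10.1.1.2 remote-as 200
    address-family ipv4 unicast
      route-map BLOCK_MULTICAST permit
  neighbor 10.1.1.6 remote-as 300
    address-family ipv4 unicast
  neighbor 10.1.1.10 remote-as 400
    address-family ipv4 unicast
      route-map MISSING_MAP out
"""

def bgp_neighbor_findings(config: str) -> list:
    """Return (neighbor, reason) for every BGP neighbor that is a finding under
    this check: no route-map under 'address-family ipv4 unicast', or an applied
    route-map that the config never defines."""
    applied, defined = {}, set()      # neighbor -> route-map or None; defined names
    neighbor, in_af = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := RM_DEF_RE.match(line):          # global definition ends neighbor scope
            defined.add(m.group(1))
            neighbor, in_af = None, False
        elif m := NEIGHBOR_RE.match(line):
            neighbor, in_af = m.group(1), False
            applied.setdefault(neighbor, None)
        elif neighbor is not None and AF_RE.match(line):
            in_af = True
        elif in_af and (m := RM_APPLY_RE.match(line)) and applied[neighbor] is None:
            applied[neighbor] = m.group(1)      # first map applied in the AF block
    findings = []
    for nbr, rm in sorted(applied.items()):
        if rm is None:
            findings.append((nbr, "no route-map applied"))
        elif rm not in defined:
            findings.append((nbr, f"route-map {rm} is not defined"))
    return findings
```

Running `bgp_neighbor_findings(SAMPLE_CONFIG)` reports 10.1.1.6 (no route-map) and 10.1.1.10 (undefined route-map) and is silent for 10.1.1.2.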