Check: CISC-RT-000710
Cisco IOS XR Router RTR STIG:
CISC-RT-000710
(in versions v2 r4 through v1 r0.1)
Title
The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain. (Cat III impact)
Discussion
IGMP snooping provides a way to constrain multicast traffic at Layer 2. By monitoring the IGMP membership reports sent by hosts within the bridge domain, the snooping application can set up Layer 2 multicast forwarding tables to deliver traffic only to ports with at least one interested member within the VPLS bridge, thereby significantly reducing the volume of multicast traffic that would otherwise flood an entire VPLS bridge domain. The IGMP snooping operation applies to both access circuits and pseudowires within a VPLS bridge domain.
Check Content
Review the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. l2vpn bridge group L2GROUP bridge-domain L2_BRIDGE_COI1 interface GigabitEthernet0/0/0/2 igmp snooping profile default If the router is not configured to implement IGMP or MLD snooping for each VPLS bridge domain, this is a finding.
Fix Text
Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. RP/0/0/CPU0:R3(config)#l2vpn RP/0/0/CPU0:R3(config-l2vpn)#bridge group L2GROUP RP/0/0/CPU0:R3(config-l2vpn-bg)# bridge-domain L2_BRIDGE_COI1 RP/0/0/CPU0:R3(config-l2vpn-bg-bd)#interface GigabitEthernet0/0/0/2 RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#igmp snooping profile default RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#end
Additional Identifiers
Rule ID: SV-216799r856448_rule
Vulnerability ID: V-216799
Group Title: SRG-NET-000362-RTR-000119
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |