Check: CISR-RT-000003
Cisco ISR 4000 Series RTR STIG:
CISR-RT-000003
(in version v1 r1)
Title
The Cisco ISR 4000 Series router must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. (Cat II impact)
Discussion
Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. Protocol Independent Multicast traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled. If a PIM neighbor filter is not applied to those interfaces that have PIM enabled, an unauthorized routers can join the PIM domain and discover and use the rendezvous points, and also advertise their rendezvous points into the domain. This can result in a denial of service by traffic flooding or result in the unauthorized transfer of data.
Check Content
Step 1: Verify that an ACL is configured that will specify the allowable PIM neighbors similar to the following example: ip access-list standard PIM-NEIGHBORS permit 192.0.2.1 permit 192.0.2.3 Step 2: Verify that a pim neighbor-filter command is configured on all PIM enabled interfaces that is referencing the PIM neighbor ACL similar to the following example: interface GigabitEthernet0/3 ip address 192.0.2.2 255.255.255.0 ip pim sparse-mode pim neighbor-filter PIM-NEIGHBORS If the Cisco ISR 4000 Series router has not been configured with PIM neighbor filter on all PIM-enabled interfaces, this is a finding.
Fix Text
Configure the Cisco ISR 4000 Series router with PIM neighbor filters on all PIM-enabled interfaces as shown in the example below: ip access-list standard PIM-NEIGHBORS permit 192.0.2.1 permit 192.0.2.3 ... ... ... interface GigabitEthernet0/3 ip address 192.0.2.2 255.255.255.0 ip pim sparse-mode ip pim neighbor-filter PIM-NEIGHBORS
Additional Identifiers
Rule ID:
Vulnerability ID: V-74099
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |