Check: CISC-RT-000880
Cisco NX OS Switch RTR STIG:
CISC-RT-000880
(in versions v2 r3 through v1 r0.1)
Title
The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports. (Cat II impact)
Discussion
The current multicast paradigm can let any host join any multicast group at any time by sending an IGMP or MLD membership report to the DR. In a Protocol Independent Multicast (PIM) Sparse Mode network, the DR will send a PIM Join message for the group to the RP. Without any form of admission control, this can pose a security risk to the entire multicast domain, specifically the multicast switches along the shared tree from the DR to the RP that must maintain the mroute state information for each group join request. Hence, it is imperative that the DR is configured to limit the number of mroute state information that must be maintained to mitigate the risk of IGMP or MLD flooding.
Check Content
Review the DR configuration to verify that it is limiting the number of mroute states via IGMP or MLD. Verify IGMP state limits have been configured on all applicable interfaces as shown in the example below: interface Ethernet2/4 no switchport ip address 10.2.22.3/24 ip pim sparse-mode ip igmp version 3 ip igmp state-limit nnn If the DR is not limiting multicast join requests via IGMP or MLD on all applicable interfaces, this is a finding.
Fix Text
Configure the DR on a global or interface basis to limit the number of mroute states resulting from IGMP or MLD membership reports. SW1(config)# int e2/4 SW1(config-if)# ip igmp state-limit 44 SW1(config-if)# end
Additional Identifiers
Rule ID: SV-221140r856645_rule
Vulnerability ID: V-221140
Group Title: SRG-NET-000362-RTR-000122
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |