Check: NET2008
Network Infrastructure Policy STIG:
NET2008
(in versions v10 r7 through v9 r2)
Title
The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge. (Cat III impact)
Discussion
A multicast boundary must be established to ensure that administratively-scoped multicast traffic does not flow into or out of the IP core. The multicast boundary can be created by ensuring that COI-facing interfaces on all PIM routers are configured to block inbound and outbound administratively-scoped multicast traffic.
Check Content
The administratively-scoped IPv4 multicast address space is 239.0.0.0 through 239.255.255.255 (239.0.0.0/8). Packets addressed to administratively-scoped multicast addresses must not cross administrative boundaries. This can be accomplished by applying a multicast boundary statement to all COI-facing interfaces, as shown in the following Cisco IOS example:

ip multicast-routing
!
interface FastEthernet0/0
 ip address 199.36.92.1 255.255.255.252
 ip pim sparse-mode
 ip multicast boundary 1
!
access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit any

The boundary statement references a standard access list; with no direction keyword it applies to both inbound and outbound traffic on the interface, and the access list must deny the entire 239.0.0.0/8 range (a deny that covers only part of the range leaves the rest of the scope open). If inbound and outbound administratively-scoped multicast traffic is not blocked on every PIM-enabled COI-facing interface, this is a finding.
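The following Python script is an added example, not part of the STIG and not vendor tooling: it audits a saved Cisco IOS running-config against this check by finding every interface with PIM enabled, confirming it carries an "ip multicast boundary" statement in both directions, and evaluating the referenced standard ACL under first-match rules to see whether any part of 239.0.0.0/8 is still permitted. The embedded configuration is constructed for the example (one compliant interface, one with no boundary, one whose ACL only denies a /16 of the scope); the function names and the sample interface addresses are the example's own.

```python
"""Audit a Cisco IOS running-config for NET2008: every PIM-enabled interface
must carry an 'ip multicast boundary' whose ACL denies all of 239.0.0.0/8.
Example code added to illustrate the check; not STIG or vendor tooling."""
import ipaddress
import re

ADMIN_SCOPE = ipaddress.ip_network("239.0.0.0/8")

# Constructed sample running-config (not taken from the STIG page).
# Fa0/0 is compliant; Fa0/1 runs PIM with no boundary; Gi0/2 has a boundary
# whose ACL only denies 239.1.0.0/16, so the rest of 239/8 leaks through.
SAMPLE_CONFIG = """\
ip multicast-routing
!
interface FastEthernet0/0
 ip address 199.36.92.1 255.255.255.252
 ip pim sparse-mode
 ip multicast boundary 1
!
interface FastEthernet0/1
 ip address 199.36.92.5 255.255.255.252
 ip pim sparse-mode
!
interface GigabitEthernet0/2
 ip address 199.36.92.9 255.255.255.252
 ip pim sparse-mode
 ip multicast boundary 2
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit any
access-list 2 deny 239.1.0.0 0.0.255.255
access-list 2 permit any
"""


def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def wildcard_to_network(addr, wildcard):
    """Convert 'addr wildcard' (Cisco inverse mask) to an ip_network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be a contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, 32 - w.bit_length()), strict=False)


def parse_standard_acls(config):
    """Map ACL number -> ordered [(action, network)] for numbered standard ACLs.
    Handles the 'any', 'host A.B.C.D' and 'A.B.C.D wildcard' source forms."""
    acls = {}
    pat = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+log)?$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        acl_id, action, src = m.groups()
        toks = src.split()
        if toks[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif toks[0] == "host":
            net = ipaddress.ip_network(toks[1])
        else:
            net = wildcard_to_network(toks[0], toks[1] if len(toks) > 1 else "0.0.0.0")
        acls.setdefault(acl_id, []).append((action, net))
    return acls


def permitted_in_scope(entries, scope):
    """Return the sub-networks of `scope` that the ACL would permit under
    first-match evaluation. The implicit deny at the end of every IOS ACL
    blocks anything unmatched, so an empty result means the scope is sealed."""
    remaining, leaked = [scope], []
    for action, net in entries:
        still_open = []
        for chunk in remaining:
            if chunk.subnet_of(net):  # whole chunk decided by this entry
                if action == "permit":
                    leaked.append(chunk)
            elif net.subnet_of(chunk):  # entry carves a piece out of the chunk
                still_open.extend(chunk.address_exclude(net))
                if action == "permit":
                    leaked.append(net)
            else:  # disjoint: chunk stays open for later entries
                still_open.append(chunk)
        remaining = still_open
    return sorted(leaked)


def audit(config):
    """Return [(interface, reason)] for each PIM interface failing NET2008."""
    acls = parse_standard_acls(config)
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("ip pim ") for l in lines):
            continue  # no PIM on this interface: outside the check
        boundary = next((l for l in lines if l.startswith("ip multicast boundary ")), None)
        if boundary is None:
            findings.append((name, "PIM enabled but no 'ip multicast boundary'"))
            continue
        toks = boundary.split()
        acl_id = toks[3]
        if "in" in toks[4:] or "out" in toks[4:]:
            # IOS allows a one-directional boundary; the STIG needs both directions
            findings.append((name, f"boundary with ACL {acl_id} is one-directional"))
            continue
        if acl_id not in acls:
            findings.append((name, f"boundary references undefined ACL {acl_id}"))
            continue
        leaks = permitted_in_scope(acls[acl_id], ADMIN_SCOPE)
        if leaks:
            findings.append((name, f"ACL {acl_id} permits " + ", ".join(map(str, leaks))))
    return findings


if __name__ == "__main__":
    for iface, reason in audit(SAMPLE_CONFIG):
        print(f"FINDING {iface}: {reason}")
```

Run against the sample, the script reports FastEthernet0/1 (no boundary) and GigabitEthernet0/2 (ACL 2 leaves seven /9 through /15 blocks and 239.0.0.0/16 permitted) and is silent on FastEthernet0/0 and the non-PIM loopback. Feed it the output of "show running-config" from each PIM router; it covers numbered standard ACLs only, so a boundary that references a named or extended ACL should be reviewed by hand.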
Fix Text
Configure a multicast boundary statement on all COI-facing interfaces that have PIM enabled to block inbound and outbound administratively-scoped multicast traffic.
Additional Identifiers
Rule ID: SV-251390r806125_rule
Vulnerability ID: V-251390
Group Title: NET2008
CCIs
Number | Definition |
---|---|
CCI-001414 | Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 | Information Flow Enforcement |