Title

The PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain. (Cat III impact)

Discussion

IGMP snooping provides a way to constrain multicast traffic at Layer 2. By monitoring the IGMP membership reports sent by hosts within the bridge domain, the snooping application can set up Layer 2 multicast forwarding tables to deliver traffic only to ports with at least one interested member within the VPLS bridge, thereby significantly reducing the volume of multicast traffic that would otherwise flood an entire VPLS bridge domain. The IGMP snooping operation applies to both access circuits and pseudowires within a VPLS bridge domain.

Check Content

Review the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain (VFI instance). If the router is not configured to implement IGMP or MLD snooping for each VPLS bridge domain, this is a finding.

Fix Text

Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain.

Additional Identifiers

Rule ID: SV-207158r856642_rule

Vulnerability ID: V-207158

Group Title: SRG-NET-000362

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.