3.3.1.3 PIM SSM

Information

Protocol Independent Multicast - Source-Specific Multicast (PIM-SSM) is a specialized subset of PIM sparse mode that enables efficient delivery of multicast traffic from specific sources to receivers. It relies on IGMP version 3 (IGMPv3) for IPv4 and MLD version 2 (MLDv2) for IPv6 to allow receivers to explicitly specify the source from which they wish to receive multicast traffic. By default, PIM-SSM operates within the group range 232.0.0.0/8 for IPv4 and FF3x::/32 for IPv6. The feature also allows administrators to customize this range using an access list (ACL) to define valid multicast group addresses.

The design of PIM-SSM aligns with the goal of optimizing multicast traffic by allowing receivers to filter traffic based on source, thereby reducing overhead for both the network and end devices. The use of IGMPv3/MLDv2 protocols enables precise source selection, ensuring compatibility with modern network environments. The ability to modify the default SSM group range via ACLs provides network administrators with flexibility to tailor multicast configurations to meet specific organizational needs while adhering to operational constraints.

Solution

Configuration to enable the PIM-SSM range ACL:

switch(config)# access-list ip <pim_ssm_grp_range_acl>
switch(config-acl-ip)# 10 permit any any <225.1.1.2/255.255.255.0>
switch(config-acl-ip)# 20 permit any any <239.1.1.2/255.255.255.0>
switch(config-acl-ip)# exit
switch(config)# router pim
switch(config-pim)# pim-ssm range-access-list <pim_ssm_grp_range_acl>
switch(config-pim)# exit
switch(config)# access-list ipv6 <pim_ssm_v6grp_range_acl>
switch(config-acl-ipv6)# 10 permit any any <ff2e::2/64>
switch(config-acl-ipv6)# 20 permit any any <ff1e::1/64>
switch(config-acl-ipv6)# exit
switch(config)# router pim6
switch(config-pim6)# pim-ssm range-access-list <pim_ssm_v6grp_range_acl>
switch(config-pim6)# exit

Impact:

PIM-SSM significantly improves multicast traffic efficiency by eliminating unnecessary traffic from unwanted sources, reducing network congestion, and ensuring only relevant multicast streams are delivered to receivers. However, modifying the PIM-SSM range can lead to temporary traffic loss as the system rebuilds multicast states, potentially disrupting application performance momentarily. Ensuring uniformity in the SSM range across a network is critical to maintaining seamless multicast traffic delivery and avoiding inconsistencies in routing behavior.
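One way to check the uniformity requirement above, as an added example that is not part of the benchmark or of any vendor tooling: it parses configuration text written in the form of the Solution commands, normalizes each permitted group range, and reports switches whose effective SSM range differs from the majority. The switch names, ACL name, sample configurations and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample configs in the form of the Solution commands (names hypothetical).
V4_ACL = "access-list ip ssm_v4\n"
BIND = "router pim\n    pim-ssm range-access-list ssm_v4\n"
CONFIGS = {
    "sw1": V4_ACL + "    10 permit any any 225.1.1.2/255.255.255.0\n"
                    "    20 permit any any 239.1.1.2/255.255.255.0\n" + BIND,
    "sw2": V4_ACL + "    10 permit any any 239.1.1.0/255.255.255.0\n"
                    "    20 permit any any 225.1.1.0/255.255.255.0\n" + BIND,
    "sw3": V4_ACL + "    10 permit any any 225.1.1.2/255.255.255.0\n" + BIND,
}

def ssm_ranges(config):
    """Return the normalized group networks of every ACL bound with pim-ssm."""
    acls, bound, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"access-list (?:ip|ipv6) (\S+)", line):
            current = acls.setdefault(m.group(1), set())
        elif (m := re.fullmatch(r"\d+ permit any any (\S+)", line)) and current is not None:
            # strict=False clears host bits, so 225.1.1.2/24 and 225.1.1.0/24 compare equal
            net = ipaddress.ip_network(m.group(1), strict=False)
            if not net.is_multicast:
                raise ValueError(f"{net} is not a multicast group range")
            current.add(net)
        else:
            current = None  # any other line ends the ACL context
            if m := re.fullmatch(r"pim-ssm range-access-list (\S+)", line):
                bound.add(m.group(1))
    if missing := bound - acls.keys():
        raise ValueError(f"pim-ssm references undefined ACL(s): {sorted(missing)}")
    return frozenset(net for name in bound for net in acls[name])

def find_drift(configs):
    """Return (majority range, {switch: ranges it has extra or lacks})."""
    ranges = {name: ssm_ranges(cfg) for name, cfg in configs.items()}
    baseline = Counter(ranges.values()).most_common(1)[0][0]
    drift = {n: sorted(map(str, baseline ^ r)) for n, r in ranges.items() if r != baseline}
    return baseline, drift

if __name__ == "__main__":
    baseline, drift = find_drift(CONFIGS)
    print("baseline:", sorted(map(str, baseline)))
    for switch, diff in drift.items():
        print(f"{switch} differs from baseline by: {diff}")
```

A switch with no `pim-ssm range-access-list` binding yields an empty set here, so it is reported as drifting from any network that has customized the range.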

See Also

https://workbench.cisecurity.org/benchmarks/24202

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|CA-7, 800-53|MP-2, 800-53|SC-4, CSCv7|14.6, CSCv7|14.7

Plugin: ArubaOS

Control ID: 7c56c5d4dfe13b285cb4ef49028dbdc890e9551c1718579036e7daf12aa1eb60