Information
MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first line of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure the Arista MSDP-enabled RP routers to limit the multicast forwarding cache for source-active entries.
Step 1: Configure the ACL.
ip access-list PIM_NEIGHBOR_SA_FILTER
   10 deny ip any 224.1.1.0/24
   20 deny ip any 224.1.2.0/24
   30 deny ip any 224.1.3.0/24
   40 deny ip any 224.1.4.0/24
   100 permit ip any any
Step 2: Apply the ACL to the MSDP peer and set the limit on source-active entries held in the multicast forwarding cache.
router msdp
   peer 10.1.12.2
      sa-filter in PIM_NEIGHBOR_SA_FILTER
      sa-limit 500
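The following script is an added example of how to audit a saved Arista EOS running-config for this finding; it is not part of the STIG or of Nessus, and the configuration text it parses is constructed for the example (the second peer address, 10.1.13.2, is made up to show a non-compliant peer). It walks the "router msdp" block, collects the settings under each "peer" line, and reports every peer that has no "sa-limit" or no inbound "sa-filter".

```python
"""Audit an Arista EOS running-config for MSDP peers that lack a source-active limit or filter."""
import re
from typing import Dict, List

# Constructed sample running-config for the example (not taken from any real device).
# Peer 10.1.12.2 matches the remediation above; peer 10.1.13.2 is a deliberately
# non-compliant peer with no sa-limit and no sa-filter.
SAMPLE_CONFIG = """\
ip access-list PIM_NEIGHBOR_SA_FILTER
   10 deny ip any 224.1.1.0/24
   100 permit ip any any
!
router msdp
   peer 10.1.12.2
      sa-filter in PIM_NEIGHBOR_SA_FILTER
      sa-limit 500
   peer 10.1.13.2
      description example-peer-without-limit
!
"""

# Keywords that start a new top-level stanza and therefore end the "router msdp" block
# when they appear at the block's own indentation (also handles flat, unindented configs).
TOP_LEVEL_KEYWORDS = {"router", "interface", "ip", "ipv6", "vlan", "hostname", "end"}


def parse_msdp_peers(config: str) -> Dict[str, List[str]]:
    """Return {peer_ip: [setting lines]} for every peer configured under 'router msdp'."""
    peers: Dict[str, List[str]] = {}
    in_msdp = False
    msdp_indent = 0
    current_peer = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if not in_msdp:
            if line == "router msdp":
                in_msdp = True
                msdp_indent = indent
            continue
        # A "!" separator or a new top-level stanza ends the router msdp block.
        if line == "!" or (indent <= msdp_indent and line.split()[0] in TOP_LEVEL_KEYWORDS):
            in_msdp = False
            current_peer = None
            continue
        match = re.match(r"peer (\S+)$", line)
        if match:
            current_peer = match.group(1)
            peers.setdefault(current_peer, [])
            continue
        if current_peer is not None:
            peers[current_peer].append(line)
    return peers


def audit_msdp_peers(config: str) -> List[str]:
    """Return one finding per MSDP peer missing 'sa-limit' or an inbound 'sa-filter'.

    An empty list means every configured peer is compliant (or no MSDP peers exist,
    in which case the check does not apply).
    """
    findings: List[str] = []
    for ip, settings in sorted(parse_msdp_peers(config).items()):
        if not any(s.startswith("sa-limit ") for s in settings):
            findings.append(f"{ip}: no sa-limit configured")
        if not any(s.startswith("sa-filter in ") for s in settings):
            findings.append(f"{ip}: no inbound sa-filter applied")
    return findings


if __name__ == "__main__":
    for finding in audit_msdp_peers(SAMPLE_CONFIG) or ["all MSDP peers compliant"]:
        print(finding)
```

Feed it the output of "show running-config" saved to a file; the parser keys on indentation and "!" separators the way EOS prints them, but it also accepts the flat form shown in the remediation steps. The script only checks that a limit is present, since the STIG text does not fix a required value; if site policy sets a ceiling, compare the parsed "sa-limit" value against it in audit_msdp_peers.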