Detections
Analytics
CISC-RT-000830 - The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated switch (DR) for any undesirable multicast groups and sources.
Information
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.Solution
Configure the switch to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources x.1.2.6 and x.1.2.7.SW2(config)#ip access-list extended PIM_REGISTER_FILTER
SW2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255
SW2(config-ext-nacl)#permit ip host x.1.2.6 any
SW2(config-ext-nacl)#permit ip host x.1.2.7 any
SW2(config-ext-nacl)#deny ip any any
SW2(config-ext-nacl)#exit
SW2(config)#ip pim accept-register list PIM_REGISTER_FILTER
SW2(config)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Switch_Y26M01_STIG.zip
Item Details
Audit Name: DISA Cisco IOS XE Switch RTR STIG v3r3
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|III, CCI|CCI-001414, Rule-ID|SV-221057r1117237_rule, STIG-ID|CISC-RT-000830, STIG-Legacy|SV-110935, STIG-Legacy|V-101831, Vuln-ID|V-221057
Plugin: Cisco
Control ID: 48460396889ccb3203daa7777d7bf4441088a19d9b2480dd85584a092707fb2e