Detections
Analytics
CISC-RT-000810 - The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
Information
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic.
Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.
Solution
Step 1: Configure the ACL to deny packets with multicast administratively scoped destination addresses as shown in the example below.RP/0/0/CPU0:R2(config)#Ipv4 access-list MULTICAST_SCOPE
RP/0/0/CPU0:R2(config-ipv4-acl)#deny 239.0.0.0 0.255.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#permit any
Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below.
RP/0/0/CPU0:R2(config)#multicast-routing
RP/0/0/CPU0:R2(config-mcast)#address-family ipv4
RP/0/0/CPU0:R2(config-mcast-default-ipv4)#int g0/0/0/1
RP/0/0/CPU0:R2(config-mcast-default-ipv4-if)#boundary MULTICAST_SCOPE
RP/0/0/CPU0:R2(config-mcast-default-ipv4-if)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y26M01_STIG.zip
Item Details
Audit Name: DISA Cisco IOS XR Router RTR STIG v3r3
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|III, CCI|CCI-001414, Rule-ID|SV-216809r1117237_rule, STIG-ID|CISC-RT-000810, STIG-Legacy|SV-105963, STIG-Legacy|V-96825, Vuln-ID|V-216809
Plugin: Cisco
Control ID: 0d8c37072d53725ea38e5f7c4ab53150308d9e91bb19f317a4516a8ae0a46126