Detections
Analytics
CISC-RT-000800 - The Cisco multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
Information
PIM is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled. If a PIM neighbor filter is not applied to those interfaces that have PIM enabled, unauthorized routers can join the PIM domain, discover and use the rendezvous points, and also advertise their rendezvous points into the domain. This can result in a denial of service by traffic flooding or result in the unauthorized transfer of data.Solution
This requirement is not applicable for the DODIN Backbone.Configure neighbor ACLs to only accept PIM control plane traffic from documented PIM neighbors. Bind neighbor ACLs to all PIM enabled interfaces.
Step 1: Configure ACL for PIM neighbors.
RP/0/0/CPU0:R2(config)#ipv4 access-list PIM_NEIGHBOR_1
RP/0/0/CPU0:R2(config-ipv4-acl)#permit ipv4 host 10.1.1.2 any
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
Step 2: Apply the ACL to all interfaces enabled for PIM.
RP/0/0/CPU0:R2(config)#router pim
RP/0/0/CPU0:R2(config-pim)#address-family ipv4
RP/0/0/CPU0:R2(config-pim-default-ipv4)#int g0/0/0/1
RP/0/0/CPU0:R2(config-pim-ipv4-if)#neighbor-filter PIM_NEIGHBOR_1
RP/0/0/CPU0:R2(config-pim-ipv4-if)#exit
RP/0/0/CPU0:R2(config-pim-default-ipv4)#int g0/0/0/2
RP/0/0/CPU0:R2(config-pim-ipv4-if)#neighbor-filter PIM_NEIGHBOR_2
RP/0/0/CPU0:R2(config-pim-ipv4-if)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y26M01_STIG.zip
Item Details
Audit Name: DISA Cisco IOS XR Router RTR STIG v3r3
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|II, CCI|CCI-001414, Rule-ID|SV-216808r1117237_rule, STIG-ID|CISC-RT-000800, STIG-Legacy|SV-105961, STIG-Legacy|V-96823, Vuln-ID|V-216808
Plugin: Cisco
Control ID: e9759f4d3ebae4071067bd43285a5c5a5e943b80bac4a0788106e8bd9998e8b0