STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

DISA Rule

SV-216719r531086_rule

Vulnerability Number

V-216719

Group Title

SRG-NET-000019-RTR-000005

Rule Version

CISC-RT-000810

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Step 1: Configure the ACL to deny packets with multicast administratively scoped destination addresses as shown in the example below:

R2(config)#ip access-list standard MULTICAST_SCOPE
R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit

Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below:

R2(config)#int g1/2
R2(config-if)#ip multicast boundary MULTICAST_SCOPE
R2(config-if)#end

Check Contents

Review the router configuration and verify that admin-scope multicast traffic is blocked at the external edge as shown in the example below:

interface GigabitEthernet1/2
 ip address x.1.12.2 255.255.255.252
 ip pim sparse-mode
 ip multicast boundary MULTICAST_SCOPE

ip access-list standard MULTICAST_SCOPE
 deny 239.0.0.0 0.255.255.255
 permit any

If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.
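
The check above can be scripted against a saved running-config. The following Python is an added example, not part of the STIG or of STIGQter; the function names, the SAMPLE text and the list of external interfaces passed to audit() are assumptions made for illustration. It evaluates the boundary ACL with first-match semantics and is deliberately conservative: a single deny entry must cover all of 239.0.0.0/8 before any permit that overlaps it.

```python
import ipaddress
import re

ADMIN_SCOPE = ipaddress.ip_network("239.0.0.0/8")  # administratively scoped range
ENTRY = re.compile(r"(?:\d+ )?(deny|permit) (?:host )?(\S+)(?: ([\d.]+))?")

def to_network(addr, wildcard):  # IOS address + wildcard mask -> IPv4Network
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
    if wc & (wc + 1):  # wildcard bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}: review manually")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def sections(text):  # {top-level line: [indented sub-commands]}
    blocks = (b.splitlines() for b in re.split(r"\n(?=\S)", text.strip()))
    return {b[0].strip(): [s.strip() for s in b[1:]] for b in blocks if b}

def blocks_admin_scope(entries):  # first-match walk over standard-ACL lines
    rules = [m.groups() for m in map(ENTRY.match, entries) if m]
    for action, addr, wildcard in rules:
        net = to_network(addr, wildcard)
        if action == "deny" and ADMIN_SCOPE.subnet_of(net):
            return True   # conservative: one deny must cover all of 239.0.0.0/8
        if action == "permit" and net.overlaps(ADMIN_SCOPE):
            return False  # scoped traffic is permitted before a covering deny
    return bool(rules)    # implicit deny ends the ACL; no parsed rules is a finding

def audit(text, external_interfaces):  # {interface: reason} for each finding
    cfg, findings = sections(text), {}
    for name in external_interfaces:
        subs = cfg.get(f"interface {name}", [])
        acl = next((s.split()[3] for s in subs if s.startswith("ip multicast boundary ")), None)
        if acl is None:
            findings[name] = "no ip multicast boundary applied"
        elif not blocks_admin_scope(cfg.get(f"ip access-list standard {acl}", [])):
            findings[name] = f"ACL {acl} does not deny all of 239.0.0.0/8"
    return findings

SAMPLE = """\
interface GigabitEthernet1/2
 ip multicast boundary MULTICAST_SCOPE
interface GigabitEthernet1/3
ip access-list standard MULTICAST_SCOPE
 deny 239.0.0.0 0.255.255.255
 permit any
"""  # constructed running-config excerpt, not from a real device

if __name__ == "__main__":
    print(audit(SAMPLE, ["GigabitEthernet1/2", "GigabitEthernet1/3"]))
```

The parser relies on the indentation that "show running-config" produces, so feed it the saved configuration as exported rather than a reflowed copy.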

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4028

Comments