STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

DISA Rule

SV-216809r531087_rule

Vulnerability Number

V-216809

Group Title

SRG-NET-000019-RTR-000005

Rule Version

CISC-RT-000810

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Step 1: Configure the ACL to deny packets with multicast administratively scoped destination addresses as shown in the example below.

RP/0/0/CPU0:R2(config)#ipv4 access-list MULTICAST_SCOPE
RP/0/0/CPU0:R2(config-ipv4-acl)#deny 239.0.0.0 0.255.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#permit any

Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below.

RP/0/0/CPU0:R2(config)#multicast-routing
RP/0/0/CPU0:R2(config-mcast)#address-family ipv4
RP/0/0/CPU0:R2(config-mcast-default-ipv4)#int g0/0/0/1
RP/0/0/CPU0:R2(config-mcast-default-ipv4-if)#boundary MULTICAST_SCOPE
RP/0/0/CPU0:R2(config-mcast-default-ipv4-if)#end

Check Contents

Review the router configuration and verify that administratively scoped multicast traffic (239.0.0.0/8) is blocked at the external edge, as shown in the example below.

ipv4 access-list MULTICAST_SCOPE
 10 deny ipv4 239.0.0.0 0.255.255.255 any
 20 permit ipv4 any any
!
multicast-routing
 address-family ipv4
  interface GigabitEthernet0/0/0/1
   enable
   boundary MULTICAST_SCOPE
  !
  interface GigabitEthernet0/0/0/2
   enable
  !
 !
!

If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.
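The following is an added worked example, not part of the STIG or of the STIGQter page: a small Python checker that automates the review above. It parses an IOS XR running-config excerpt, resolves the boundary ACL applied to each interface under multicast-routing, and reports whether that ACL denies the administratively scoped block 239.0.0.0/8 with first-match semantics. Which interfaces are "external" is an operator decision, so the caller supplies that list. The sample config, the LEAKY_SCOPE and PARTIAL_SCOPE lists and the interface names are constructed here for illustration.

```python
"""Added example (not from the STIG or STIGQter): check IOS XR multicast
boundaries against the administratively scoped range 239.0.0.0/8."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

ADMIN_SCOPE = ipaddress.ip_network("239.0.0.0/8")   # RFC 2365 admin-scoped block

Ace = Tuple[str, ipaddress.IPv4Network]             # (action, network matched)

# Matches both ACE spellings that appear on the page:
#   10 deny ipv4 239.0.0.0 0.255.255.255 any      (running-config form)
#   deny 239.0.0.0 0.255.255.255                  (as typed in the fix)
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(?:ipv4\s+)?(host\s+\S+|\S+)(?:\s+(\S+))?")


def to_network(addr: str, wildcard: Optional[str]) -> ipaddress.IPv4Network:
    """Turn 'address wildcard' into a network. ipaddress accepts a hostmask
    after the slash, and an IOS wildcard mask is exactly a hostmask."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if addr.startswith("host "):
        return ipaddress.ip_network(addr.split()[1] + "/32")
    if wildcard and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", wildcard):
        return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)
    return ipaddress.ip_network(addr + "/32")


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect the ACEs of every 'ipv4 access-list' block, in order."""
    acls: Dict[str, List[Ace]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        head = re.match(r"^ipv4 access-list (\S+)\s*$", line)
        if head:
            current = head.group(1)
            acls[current] = []
            continue
        if line.strip() and not line.startswith(" "):
            current = None                  # any unindented line ends the block
            continue
        m = ACE_RE.match(line) if current else None
        if not m:
            continue
        action, addr, wildcard = m.groups()
        try:
            acls[current].append((action, to_network(addr, wildcard)))
        except ValueError:
            pass    # e.g. a tcp/udp ACE: no plain address, irrelevant to a boundary
    return acls


def acl_blocks_admin_scope(aces: List[Ace]) -> bool:
    """First-match semantics: the scope is blocked only if the first ACE that
    touches 239.0.0.0/8 denies it and covers all of it. An ACE covering only
    part of the range is reported as not blocked (conservative). An ACL that
    never matches the range falls through to IOS XR's implicit deny."""
    for action, net in aces:
        if net.supernet_of(ADMIN_SCOPE):
            return action == "deny"
        if net.overlaps(ADMIN_SCOPE):
            return False
    return True


def parse_boundaries(config: str) -> Dict[str, Optional[str]]:
    """Map each interface under 'multicast-routing' to its boundary ACL
    (None when the interface has no boundary)."""
    found: Dict[str, Optional[str]] = {}
    in_mr, iface = False, None
    for line in config.splitlines():
        if re.match(r"^multicast-routing\s*$", line):
            in_mr, iface = True, None
            continue
        if line.strip() and not line.startswith(" "):
            in_mr = False                   # back at the top level of the config
        if not in_mr:
            continue
        m = re.match(r"^\s*interface (\S+)", line)
        if m:
            iface = m.group(1)
            found.setdefault(iface, None)
            continue
        m = re.match(r"^\s*boundary (\S+)", line)
        if m and iface:
            found[iface] = m.group(1)
    return found


def check_boundaries(config: str, external: List[str]) -> Dict[str, bool]:
    """True for each declared external interface whose boundary ACL blocks 239/8."""
    acls, bounds = parse_acls(config), parse_boundaries(config)
    verdict: Dict[str, bool] = {}
    for name in external:
        acl = bounds.get(name)
        verdict[name] = acl is not None and acl in acls and acl_blocks_admin_scope(acls[acl])
    return verdict


# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
ipv4 access-list MULTICAST_SCOPE
 10 deny ipv4 239.0.0.0 0.255.255.255 any
 20 permit ipv4 any any
!
ipv4 access-list LEAKY_SCOPE
 10 permit ipv4 any any
 20 deny ipv4 239.0.0.0 0.255.255.255 any
!
ipv4 access-list PARTIAL_SCOPE
 10 deny ipv4 239.255.0.0 0.0.255.255 any
 20 permit ipv4 any any
!
multicast-routing
 address-family ipv4
  interface GigabitEthernet0/0/0/1
   enable
   boundary MULTICAST_SCOPE
  !
  interface GigabitEthernet0/0/0/2
   enable
  !
  interface GigabitEthernet0/0/0/3
   enable
   boundary LEAKY_SCOPE
  !
 !
!
"""

if __name__ == "__main__":
    edge = ["GigabitEthernet0/0/0/1", "GigabitEthernet0/0/0/2", "GigabitEthernet0/0/0/3"]
    for iface, ok in check_boundaries(SAMPLE_CONFIG, edge).items():
        print(f"{iface}: {'compliant' if ok else 'FINDING'}")
```

Two points the script makes explicit that the check text leaves implicit: ACE order matters (LEAKY_SCOPE has the right deny but a permit-any ahead of it, so it is a finding), and an ACL that denies only a slice of 239.0.0.0/8 does not satisfy the rule. The script covers IPv4 only, which is all this rule's check examines.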

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4029

Comments