STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic.

DISA Rule

SV-220463r622190_rule

Vulnerability Number

V-220463

Group Title

SRG-NET-000019-RTR-000005

Rule Version

CISC-RT-000810

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Step 1: Configure the ACL to deny packets with multicast administratively scoped destination addresses as shown in the example below:

SW2(config)#ip access-list standard MULTICAST_SCOPE
SW2(config-std-nacl)#deny 239.0.0.0 0.255.255.255
SW2(config-std-nacl)#permit any
SW2(config-std-nacl)#exit

Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below:

SW2(config)#int g1/2
SW2(config-if)#ip multicast boundary MULTICAST_SCOPE
SW2(config-if)#end

Check Contents

Review the switch configuration and verify that admin-scope multicast traffic is blocked at the external edge as shown in the example below:

interface GigabitEthernet1/2
no switchport
ip address x.1.12.2 255.255.255.252
ip pim sparse-mode
ip multicast boundary MULTICAST_SCOPE

ip access-list standard MULTICAST_SCOPE
deny 239.0.0.0 0.255.255.255
permit any

If the switch is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.
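As an added example (not part of the STIG or of STIGQter), the check above can be automated against a saved running-config: the script below parses the standard ACLs and interface stanzas and reports, for each named edge interface, whether a multicast boundary is applied and whether the ACL it references denies 239.0.0.0/8. The config text, addresses and interface names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample running-config modelled on the check text:
# Gi1/2 carries the boundary, Gi1/3 is an edge interface that lacks it.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 no switchport
 ip address 192.0.2.2 255.255.255.252
 ip pim sparse-mode
 ip multicast boundary MULTICAST_SCOPE
!
interface GigabitEthernet1/3
 no switchport
 ip address 192.0.2.6 255.255.255.252
 ip pim sparse-mode
!
ip access-list standard MULTICAST_SCOPE
 deny   239.0.0.0 0.255.255.255
 permit any
"""

def parse_config(text):
    """Return ({acl_name: [tokenised entries]}, {interface: [tokenised lines]})."""
    acls, interfaces = defaultdict(list), defaultdict(list)
    block = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("ip access-list standard "):
            block = ("acl", line.split()[-1])
        elif line.startswith("interface "):
            block = ("if", line.split(None, 1)[1])
        elif not line.startswith(" "):
            block = None  # any other top-level line ("!", blank, etc.) ends the stanza
        elif block:
            kind, name = block
            (acls if kind == "acl" else interfaces)[name].append(line.split())
    return acls, interfaces

def acl_denies_admin_scope(entries):
    """True if the ACL contains a deny for 239.0.0.0 with wildcard 0.255.255.255."""
    return any(e[:3] == ["deny", "239.0.0.0", "0.255.255.255"] for e in entries)

def check_boundaries(text, edge_interfaces):
    """Map each edge interface to True (boundary present, ACL scopes 239/8) or False.
    A boundary that names a missing ACL, or one without the deny, is a finding."""
    acls, interfaces = parse_config(text)
    result = {}
    for name in edge_interfaces:
        bnd = [l for l in interfaces.get(name, []) if l[:3] == ["ip", "multicast", "boundary"]]
        result[name] = bool(bnd) and len(bnd[0]) > 3 and acl_denies_admin_scope(acls.get(bnd[0][3], []))
    return result

if __name__ == "__main__":
    for intf, ok in check_boundaries(SAMPLE_CONFIG, ["GigabitEthernet1/2", "GigabitEthernet1/3"]).items():
        print(f"{intf}: {'compliant' if ok else 'FINDING'}")
```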

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4065

Comments