STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to only accept MSDP packets from known MSDP peers.

DISA Rule

SV-221064r622190_rule

Vulnerability Number

V-221064

Group Title

SRG-NET-000364-RTR-000116

Rule Version

CISC-RT-000900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the receive path or interface ACLs to only accept MSDP packets from known MSDP peers.

SW1(config)#ip access-list extended EXTERNAL_ACL_INBOUND
SW1(config-ext-nacl)#permit tcp any any established
SW1(config-ext-nacl)#permit tcp host x.1.28.2 host x.1.28.8 eq 639
SW1(config-ext-nacl)#deny tcp any host x.1.28.8 eq 639
SW1(config-ext-nacl)#permit tcp host x.1.28.2 host x.1.28.8 eq bgp
SW1(config-ext-nacl)#permit tcp host x.1.28.2 eq bgp host x.1.28.8
SW1(config-ext-nacl)#permit pim host x.1.28.2 host x.1.28.8



SW1(config-ext-nacl)#deny ip any any

Check Contents

Review the switch configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers.

Step 1: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example below:

interface GigabitEthernet1/1
no switchport
ip address x.1.28.8 255.255.255.0
ip access-group EXTERNAL_ACL_INBOUND in
ip pim sparse-mode

Step 2: Verify that the ACL restricts MSDP peering to only known sources.

ip access-list extended EXTERNAL_ACL_INBOUND
permit tcp any any established
permit tcp host x.1.28.2 host x.1.28.8 eq 639
deny tcp any host x.1.28.8 eq 639 log
permit tcp host x.1.28.2 host x.1.28.8 eq bgp
permit tcp host x.1.28.2 eq bgp host x.1.28.8
permit pim host x.1.28.2 host x.1.28.8



deny ip any any log

Note: MSDP connections use TCP port 639.

If the switch is not configured to only accept MSDP packets from known MSDP peers, this is a finding.
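
One way to automate Steps 1 and 2 against a saved configuration, as an added example that is not part of the STIG or of STIGQter. The function names, the sample configurations and the 192.0.2.x addresses are assumptions, and port matching is simplified to entries that use eq.

```python
# Constructed sample config; 192.0.2.x are documentation placeholder addresses.
GOOD = """\
interface GigabitEthernet1/1
 ip access-group EXTERNAL_ACL_INBOUND in
ip access-list extended EXTERNAL_ACL_INBOUND
 permit tcp any any established
 permit tcp host 192.0.2.2 host 192.0.2.8 eq 639
 deny tcp any host 192.0.2.8 eq 639 log
 permit tcp host 192.0.2.2 host 192.0.2.8 eq bgp
 deny ip any any log
"""
BAD = GOOD.replace("permit tcp host 192.0.2.2 host", "permit tcp any host", 1)  # MSDP from any

def sections(config):
    """Map each top-level line to the tokenized indented lines beneath it."""
    out, head = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and head:
            out[head].append(line.split())
        elif not line[0].isspace():
            head = line.strip()
            out[head] = []
    return out

def audit_msdp(config, interface, known_peers):
    """Return findings for Step 1 (inbound ACL applied) and Step 2 (MSDP sources)."""
    cfg = sections(config)
    body = cfg.get(f"interface {interface}", [])
    acl = next((t[2] for t in body if t[:2] == ["ip", "access-group"] and t[-1] == "in"), None)
    if acl is None:
        return [f"{interface}: no inbound ACL applied"]
    aces = cfg.get(f"ip access-list extended {acl}", [])
    if not aces:
        return [f"{acl}: ACL is applied but not defined"]
    findings = []
    for t in aces:  # entries are evaluated in order, first match wins
        if t[0] not in ("permit", "deny") or t[1] not in ("tcp", "ip") or "established" in t:
            continue  # 'established' matches only ACK/RST segments, not new sessions
        # Simplification: an entry pinned to another port with 'eq' cannot match 639.
        if "eq" in t and t[t.index("eq") + 1] != "639":
            continue
        src = t[3] if t[2] == "host" else t[2]
        if t[0] == "deny" and src == "any":
            break  # later entries are shadowed for MSDP traffic
        if t[0] == "permit" and not (t[2] == "host" and src in known_peers):
            findings.append(f"{acl}: '{' '.join(t)}' admits MSDP from {src}")
    return findings
```

An empty list from audit_msdp(config, "GigabitEthernet1/1", {"192.0.2.2"}) means the interface passed both steps; each string returned is a candidate finding to confirm manually.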

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4074

Comments