STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

DISA Rule

SV-221067r622190_rule

Vulnerability Number

V-221067

Group Title

SRG-NET-000018-RTR-000008

Rule Version

CISC-RT-000930

Severity

CAT III

CCI(s)

• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the switch with an export policy avoid global visibility of local multicast (S, G) states. The example below will prevent exporting multicast active sources belonging to the private network.

SW1(config)#ip access-list extended OUTBOUND_MSDP_SA_FILTER
SW1(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
SW1(config-ext-nacl)#permit ip any any
SW1(config-ext-nacl)#exit
SW1(config)#ip msdp sa-filter in x.1.28.2 list OUTBOUND_MSDP_SA_FILTER

Check Contents

Review the switch configuration to determine if there is export policy to block local source-active multicast advertisements.

Step 1: Verify that an outbound source-active filter is bound to each MSDP peer as shown in the example below:

ip msdp peer 10.1.28.8 remote-as 8
ip msdp sa-filter out 10.1.28.8 list OUTBOUND_MSDP_SA_FILTER

Step 2: Review the access lists referenced by the source-active filters and verify that MSDP source-active messages being sent to MSDP peers do not leak advertisements that are local.

ip access-list extended OUTBOUND_MSDP_SA_FILTER
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any

If the switch is not configured with an export policy to filter local source-active multicast advertisements, this is a finding.

Vulnerability Number

V-221067

Documentable

False

Rule Version

CISC-RT-000930

Severity Override Guidance

Review the switch configuration to determine if there is export policy to block local source-active multicast advertisements.

Step 1: Verify that an outbound source-active filter is bound to each MSDP peer as shown in the example below:

ip msdp peer 10.1.28.8 remote-as 8
ip msdp sa-filter out 10.1.28.8 list OUTBOUND_MSDP_SA_FILTER

Step 2: Review the access lists referenced by the source-active filters and verify that MSDP source-active messages being sent to MSDP peers do not leak advertisements that are local.

ip access-list extended OUTBOUND_MSDP_SA_FILTER
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any

If the switch is not configured with an export policy to filter local source-active multicast advertisements, this is a finding.

Check Content Reference

M

Target Key

4074

Comments