SV-221133r622190_rule
V-221133
SRG-NET-000019-RTR-000004
CISC-RT-000800
CAT II
10
Configure neighbor prefix lists to only accept PIM control plane traffic from documented PIM neighbors.
Step 1: Configure prefix list for each PIM neighbor.
SW1(config)# ip prefix-list PIM_NEIGHBOR seq 5 permit 10.1.12.2/32
SW1(config)# ip prefix-list PIM_NEIGHBOR deny 0.0.0.0/0 le 32
Step 2: Apply the prefix list to all interfaces enabled for PIM.
SW1(config)# int e2/1
SW1(config-if)# ip pim neighbor-policy prefix-list PIM_NEIGHBOR
SW1(config-if)# end
Step 1: Verify all interfaces enabled for PIM have a neighbor policy bound to the interface as shown in the example below:
interface Ethernet2/1
  no switchport
  ip address 10.1.12.1/24
  ip pim sparse-mode
  ip pim neighbor-policy prefix-list PIM_NEIGHBOR
  no shutdown
Step 2: Review the configured prefix list for filtering PIM neighbors as shown in the example below:
ip prefix-list PIM_NEIGHBOR seq 5 permit 10.1.12.2/32
ip prefix-list PIM_NEIGHBOR seq 10 deny 0.0.0.0/0 le 32
If PIM neighbor ACLs are not bound to all interfaces that have PIM enabled, this is a finding.
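The two check steps can be run against a saved running-config. The Python below is an added example, not part of the STIG text; it assumes the config is indented the way NX-OS prints it in show running-config, and the sample config and the function names are constructed for illustration.

```python
import re
# Constructed sample (not from a real device), indented as NX-OS prints it.
# Ethernet2/2 has no neighbor policy; Ethernet2/3 names an undefined list.
SAMPLE_CONFIG = """\
ip prefix-list PIM_NEIGHBOR seq 5 permit 10.1.12.2/32
ip prefix-list PIM_NEIGHBOR seq 10 deny 0.0.0.0/0 le 32
interface Ethernet2/1
  no switchport
  ip address 10.1.12.1/24
  ip pim sparse-mode
  ip pim neighbor-policy prefix-list PIM_NEIGHBOR
  no shutdown
interface Ethernet2/2
  no switchport
  ip pim sparse-mode
interface Ethernet2/3
  ip pim sparse-mode
  ip pim neighbor-policy prefix-list MISSING_LIST
interface Ethernet2/4
  switchport
"""
POLICY_RE = re.compile(r"ip pim neighbor-policy prefix-list (\S+)$")

def interface_blocks(config):
    """Yield (name, sub-commands) for each interface stanza."""
    name, body = None, []
    for line in config.splitlines():
        if line[:1].isspace():      # indented line: part of the current stanza
            body.append(line.strip())
            continue
        if name:
            yield name, body
        m = re.match(r"interface (\S+)", line)
        name, body = (m.group(1) if m else None), []
    if name:
        yield name, body

def audit_pim_neighbor_policy(config):
    """Return {interface: reason} for each PIM interface that is a finding."""
    defined = set(re.findall(r"^ip prefix-list (\S+) ", config, re.M))
    findings = {}
    for name, body in interface_blocks(config):
        if "ip pim sparse-mode" in body:
            bound = [m.group(1) for m in map(POLICY_RE.match, body) if m]
            if not bound:
                findings[name] = "no neighbor-policy bound"
            elif bound[0] not in defined:
                findings[name] = f"prefix-list {bound[0]} not defined"
    return findings
```

An empty result means every PIM-enabled interface in the supplied config has a neighbor policy that references a defined prefix list; the entries of the list itself still need to be reviewed against the documented PIM neighbors.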