STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to only accept MSDP packets from known MSDP peers.

DISA Rule

SV-221142r622190_rule

Vulnerability Number

V-221142

Group Title

SRG-NET-000364-RTR-000116

Rule Version

CISC-RT-000900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the receive path or interface ACLs to only accept MSDP packets from known MSDP peers.

SW1(config)# ip access-list EXTERNAL_ACL_INBOUND
SW1(config-acl)# permit tcp any any established
SW1(config-acl)# permit tcp host x.1.28.2 host x.1.28.8 eq 639
SW1(config-acl)# deny tcp any host x.1.28.8 eq 639
SW1(config-acl)# permit tcp host x.1.28.2 host x.1.28.8 eq bgp
SW1(config-acl)# permit tcp host x.1.28.2 eq bgp host x.1.28.8
SW1(config-acl)# permit pim host x.1.28.2 host x.1.28.8



SW1(config-acl)# deny ip any any

Check Contents

Review the switch configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers.

Step 1: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example below:

interface Ethernet2/3
no switchport
ip access-group EXTERNAL_ACL_INBOUND in
ip address x.1.28.8/24
ip pim sparse-mode

Step 2: Verify that the ACL restricts MSDP peering to only known sources.

ip access-list EXTERNAL_ACL_INBOUND
10 permit tcp any any established
20 permit tcp x.1.28.2/32 x.1.28.8/32 eq 639
30 deny tcp any x.1.28.8/32 eq 639 log
40 permit tcp x.1.28.2/32 10.x.28.8/32 eq bgp
50 permit tcp x.1.28.2/32 eq bgp x.1.28.8/32
60 permit pim x.1.28.2/32 x.1.28.8/32



120 deny ip any any log

Note: MSDP connections are via TCP port 639.

If the switch is not configured to only accept MSDP packets from known MSDP peers, this is a finding.
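As an added example that is not part of the STIG or of any Cisco tooling, the following Python script applies the Step 2 test to an NX-OS ACL taken from a saved configuration: it walks the ACEs top-down and reports any permit that could let an inbound MSDP (TCP 639) connection in from a source that is not a single known peer host. The ACL name, the 10.1.28.x addresses and the known-peer set are assumptions standing in for the STIG's x.1.28.x placeholders.

```python
import ipaddress
# Constructed NX-OS sample modelled on the check's example; the 10.1.28.x addresses
# are an assumption of this example, not values from the STIG.
SAMPLE_CONFIG = """\
ip access-list EXTERNAL_ACL_INBOUND
  10 permit tcp any any established
  20 permit tcp 10.1.28.2/32 10.1.28.8/32 eq 639
  30 deny tcp any 10.1.28.8/32 eq 639 log
  50 permit tcp 10.1.28.2/32 eq bgp 10.1.28.8/32
  120 deny ip any any log
"""

def parse_ace(line):
    """Split an NX-OS ACE into (action, proto, src, dst_port, flags); None if not an ACE."""
    t = line.split()
    if len(t) < 5 or not t[0].isdigit() or t[1] not in ("permit", "deny"):
        return None
    action, proto, rest = t[1], t[2], t[3:]
    src, rest = (rest[1], rest[2:]) if rest[0] == "host" else (rest[0], rest[1:])
    if rest[:1] == ["eq"]:                       # source-port qualifier, e.g. "eq bgp"
        rest = rest[2:]
    rest = rest[2:] if rest[:1] == ["host"] else rest[1:]   # skip the destination address
    dst_port = rest[1] if rest[:1] == ["eq"] else None
    return action, proto, src, dst_port, set(rest[2:] if dst_port else rest)

def is_known_host(src, known_peers):
    """True only for a single-host (/32 or 'host') source listed as a known MSDP peer."""
    if src == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)
    return net.prefixlen == 32 and str(net.network_address) in known_peers

def check_msdp_filter(config, acl_name, known_peers):
    """Walk the named ACL top-down; return findings (empty list = MSDP limited to known peers)."""
    findings, in_acl = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list "):
            in_acl = line.split()[2] == acl_name
        ace = parse_ace(line) if in_acl else None
        if ace is None:
            continue
        action, proto, src, dst_port, flags = ace
        # Only ip/tcp ACEs with no port or port 639 that are not limited to established
        # sessions can match an inbound MSDP connection attempt.
        if proto not in ("ip", "tcp") or dst_port not in (None, "639") or "established" in flags:
            continue
        if action == "permit" and not is_known_host(src, known_peers):
            findings.append(f"{line}: permits MSDP from non-peer source {src}")
        elif action == "deny" and src == "any":
            break            # destination is not evaluated; later ACEs are unreachable for MSDP
    return findings          # NX-OS applies an implicit deny at the end of every ACL
```

Destination addresses are deliberately not evaluated, so a `deny ... any` for port 639 ends the walk; extend `parse_ace` if the switch has several peering interfaces with separate addresses.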

Documentable

False


Check Content Reference

M

Target Key

4075

Comments