STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.

DISA Rule

SV-221144r622190_rule

Vulnerability Number

V-221144

Group Title

SRG-NET-000018-RTR-000007

Rule Version

CISC-RT-000920

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the MSDP switch to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below. Prefix-list entries are evaluated in sequence order, so every deny entry must carry a lower sequence number than the final permit or it will never be reached:

SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 10 deny 224.0.1.3/32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 15 deny 224.0.1.24/32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 20 deny 224.0.1.22/32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 25 deny 224.0.1.2/32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 30 deny 224.0.1.35/32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 35 deny 224.0.1.60/32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 40 deny 224.0.1.39/32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 45 deny 224.0.1.40/32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 50 deny 232.0.0.0/8 le 32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 55 deny 239.0.0.0/8 le 32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 60 deny 10.0.0.0/8 le 32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 65 deny 127.0.0.0/8 le 32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 70 deny 172.16.0.0/12 le 32
SW1(config)# ip prefix-list INBOUND_MSDP_SA_FILTER seq 75 permit 0.0.0.0/0 ge 8
SW1(config)# ip msdp sa-policy x.1.28.2 prefix-list INBOUND_MSDP_SA_FILTER in
SW1(config)# end

Check Contents

Review the switch configuration to determine if there is an import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses.

Step 1: Verify that an inbound source-active filter is bound to each MSDP peer.

ip msdp peer x.1.28.2 connect-source Ethernet2/1 remote-as nn
ip msdp sa-policy x.1.28.2 prefix-list INBOUND_MSDP_SA_FILTER in

Step 2: Review the prefix-list or route-map referenced by the source-active filter to verify that undesirable multicast groups, Auto-RP groups, Source-Specific Multicast (SSM) groups, and advertisements from undesirable sources are blocked.

ip prefix-list INBOUND_MSDP_SA_FILTER seq 10 deny 224.0.1.3/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 15 deny 224.0.1.24/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 20 deny 224.0.1.22/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 25 deny 224.0.1.2/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 30 deny 224.0.1.35/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 35 deny 224.0.1.60/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 40 deny 224.0.1.39/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 45 deny 224.0.1.40/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 50 deny 232.0.0.0/8 le 32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 55 deny 239.0.0.0/8 le 32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 60 deny 10.0.0.0/8 le 32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 70 deny 172.16.0.0/12 le 32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 75 permit 0.0.0.0/0 ge 8

If the switch is not configured with an import policy to filter undesirable SA multicast advertisements, this is a finding.
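The following Python script, added here as an illustration and not part of the STIG, STIGQter or any Cisco tool, automates both steps of this check against the saved text of show running-config: it confirms that every ip msdp peer has an inbound ip msdp sa-policy bound to a prefix-list, then evaluates that prefix-list with Cisco's sequence-order, first-match semantics against a constructed set of addresses the filter must deny (Auto-RP, SSM, administratively scoped, RFC 1918 and loopback) or permit. The sample configurations, the 192.0.2.x peer addresses and AS 64496 are constructed documentation values; the MISORDERED excerpt shows how a deny sequenced after the final permit is silently shadowed, which a visual review of the list can miss.

```python
"""Audit an NX-OS config excerpt for this rule's inbound MSDP SA filter.

Added example, not part of the STIG, STIGQter or any Cisco tool. It assumes the
NX-OS syntax shown on the page and tests every address as a /32 host prefix,
which is how a source or group carried in an SA message meets the filter.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PL_RE = re.compile(r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
                   r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")
PEER_RE = re.compile(r"^ip msdp peer (?P<peer>\S+)")
POLICY_RE = re.compile(r"^ip msdp sa-policy (?P<peer>\S+) prefix-list (?P<name>\S+) in$")

# Constructed probes: address -> action a compliant inbound SA filter must return
# (233.252.0.0/14 and 198.51.100.0/24 are documentation ranges standing in for legitimate traffic).
PROBES = {
    "224.0.1.39": "deny",   # Auto-RP announce group
    "232.1.2.3": "deny",    # SSM range, never legitimately carried in an SA message
    "239.1.2.3": "deny",    # administratively scoped group
    "10.1.1.1": "deny",     # RFC 1918 source
    "127.0.0.1": "deny",    # loopback source
    "233.252.0.1": "permit",
    "198.51.100.7": "permit",
}

@dataclass
class Entry:
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        # Cisco semantics: inside the entry prefix, length within [ge or len, le or (32 if ge else len)]
        lower = self.ge if self.ge is not None else self.prefix.prefixlen
        upper = self.le if self.le is not None else (32 if self.ge is not None else self.prefix.prefixlen)
        return net.subnet_of(self.prefix) and lower <= net.prefixlen <= upper

def parse(config: str):
    """Return (prefix-lists by name, set of MSDP peers, inbound sa-policy name by peer)."""
    lists, peers, policies = {}, set(), {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := PL_RE.match(line):
            lists.setdefault(m["name"], []).append(Entry(
                int(m["seq"]), m["action"], ipaddress.IPv4Network(m["prefix"]),
                int(m["ge"]) if m["ge"] else None, int(m["le"]) if m["le"] else None))
        elif m := POLICY_RE.match(line):
            policies[m["peer"]] = m["name"]
        elif m := PEER_RE.match(line):
            peers.add(m["peer"])
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)  # the switch evaluates entries in seq order
    return lists, peers, policies

def evaluate(entries: List[Entry], address: str) -> str:
    net = ipaddress.IPv4Network(address + "/32")
    for entry in entries:  # first matching entry wins
        if entry.matches(net):
            return entry.action
    return "deny"  # implicit deny at the end of every prefix-list

def audit(config: str) -> List[str]:
    """One finding per peer without an inbound filter, per undefined list and per wrong probe."""
    lists, peers, policies = parse(config)
    findings = []
    for peer in sorted(peers):
        name = policies.get(peer)
        if name is None:
            findings.append(f"peer {peer}: no inbound MSDP sa-policy bound")
        elif not lists.get(name):
            findings.append(f"peer {peer}: prefix-list {name} is not defined")
        else:
            for address, expected in PROBES.items():
                actual = evaluate(lists[name], address)
                if actual != expected:
                    findings.append(f"peer {peer}: {address} is {actual}, expected {expected}")
    return findings

# Constructed config excerpts (192.0.2.0/24 and AS 64496 are documentation values). MISORDERED
# sequences the loopback deny behind the final permit, shadowing it, and adds an unfiltered peer.
COMPLIANT = """
ip prefix-list INBOUND_MSDP_SA_FILTER seq 10 deny 224.0.1.39/32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 20 deny 232.0.0.0/8 le 32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 25 deny 239.0.0.0/8 le 32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 30 deny 10.0.0.0/8 le 32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 35 deny 127.0.0.0/8 le 32
ip prefix-list INBOUND_MSDP_SA_FILTER seq 40 permit 0.0.0.0/0 ge 8
ip msdp peer 192.0.2.1 connect-source Ethernet2/1 remote-as 64496
ip msdp sa-policy 192.0.2.1 prefix-list INBOUND_MSDP_SA_FILTER in
"""
MISORDERED = (COMPLIANT.replace("seq 35 deny 127", "seq 165 deny 127")
              + "ip msdp peer 192.0.2.2 connect-source Ethernet2/2 remote-as 64496\n")
```

Call audit() on the saved running-config text: an empty list means the check passes, and each returned string names the peer together with the missing binding or the probe address the bound prefix-list handles wrongly. Extend PROBES with the site's own undesirable groups and sources rather than editing the matching logic.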

Vulnerability Number

V-221144

Documentable

False

Rule Version

CISC-RT-000920

Severity Override Guidance

Check Content Reference

M

Target Key

4075

Comments