STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide Version: 9 Release: 10 Benchmark Date: 24 Jan 2020:

The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge.

DISA Rule

SV-80861r1_rule

Vulnerability Number

V-66371

Group Title

NET2009

Rule Version

NET2009

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Block inbound and outbound Auto-RP discovery and announcement messages at external-facing PIM-enabled interfaces.

Check Contents

To prevent Auto-RP messages from entering or leaving the PIM domain, the ip multicast boundary command must be configured on a COI-facing PIM-enabled interface. Verify that the referenced ACL denies multicast addresses 224.0.1.39 and 224.0.1.40, as shown in the example below:

ip multicast-routing
!
interface FastEthernet0/0
ip address 199.36.92.1 255.255.255.252
ip pim sparse-mode
ip multicast boundary 1
!
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40

If COI-facing interfaces do not block inbound and outbound Auto-RP discovery and announcement messages, this is a finding.
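The following is an added audit helper, not part of the STIG text or of STIGQter, that applies the check above to a saved running configuration: for each COI-facing interface the operator names, it confirms the interface is PIM-enabled, carries an ip multicast boundary, and that the referenced numbered standard ACL denies both Auto-RP groups. It assumes IOS-style numbered ACL syntax and that the sample configuration below is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration modelled on the STIG check example
# (second interface deliberately lacks a multicast boundary).
SAMPLE_CONFIG = """\
ip multicast-routing
!
interface FastEthernet0/0
 ip address 199.36.92.1 255.255.255.252
 ip pim sparse-mode
 ip multicast boundary 1
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip pim sparse-mode
!
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
"""

# RP-announce (224.0.1.39) and RP-discovery (224.0.1.40) groups used by Auto-RP
AUTO_RP_GROUPS = {"224.0.1.39", "224.0.1.40"}

def parse_config(text):
    """Return ({interface: [config lines]}, {acl number: [(action, address)]})."""
    interfaces, acls, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if line == "!":            # end of the current interface stanza
            current = None
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (\S+)", line)
        if m:                      # numbered standard ACL entry (page's syntax)
            acls[m.group(1)].append((m.group(2), m.group(3)))
            current = None
            continue
        if current is not None:
            interfaces[current].append(line)
    return interfaces, dict(acls)

def audit_auto_rp(text, coi_interfaces):
    """Return [(interface, reason)] findings for the named COI-facing interfaces."""
    interfaces, acls = parse_config(text)
    findings = []
    for name in coi_interfaces:
        lines = interfaces.get(name, [])
        if not any(l.startswith("ip pim") for l in lines):
            continue               # not PIM-enabled: the rule does not apply
        acl = next((l.split()[3] for l in lines
                    if l.startswith("ip multicast boundary")), None)
        if acl is None:
            findings.append((name, "no ip multicast boundary configured"))
            continue
        denied = {addr for action, addr in acls.get(acl, []) if action == "deny"}
        missing = AUTO_RP_GROUPS - denied
        if missing:
            findings.append((name, f"ACL {acl} does not deny {sorted(missing)}"))
    return findings
```

Any non-empty result is a finding under this rule; an empty list means the named interfaces satisfy the check.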

Vulnerability Number

V-66371

Documentable

False

Rule Version

NET2009

Severity Override Guidance

Check Content Reference

M

Target Key

838

Comments