STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide Version: 9 Release: 10 Benchmark Date: 24 Jan 2020

Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.

DISA Rule

SV-80883r1_rule

Vulnerability Number

V-66393

Group Title

NET2016

Rule Version

NET2016

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to implement IGMP or MLD snooping, ensuring multicast traffic for any given multicast group is forwarded to only those hosts that have joined the group.

Check Contents

Review the access switches connected to multicast last-hop routers to determine if IGMP snooping is enabled. The following are switch configuration examples with IGMP snooping enabled globally and on a per-VLAN basis:

Enable IGMP Snooping globally: ip igmp snooping

Enable IGMP Snooping for VLAN: ip igmp snooping vlan 7

If any switches within the ICAN access layer do not have IGMP or MLD snooping enabled, this is a finding.
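The check above can be run across saved switch configurations with a short script. This is an added example, not part of the STIG or of STIGQter. It assumes IOS-style running-config text in which a leading `no` negates the two commands shown above, and it covers IGMP only because the check text gives no MLD syntax. The function name, status labels and sample configurations are constructed for illustration.

```python
import re

# The two enable forms from the check text, plus their "no" negations
# (assumption: IOS-style syntax where a leading "no" disables the feature).
# Sub-options such as "... vlan 7 immediate-leave" are deliberately not matched.
_SNOOP = re.compile(r"^(no\s+)?ip igmp snooping(?:\s+vlan\s+(\d+))?$")

def audit_igmp_snooping(config_text, vlans):
    """Return (status, details); status is pass, finding or manual-review."""
    global_state = None          # True / False / None (not stated)
    vlan_state = {}              # VLAN id -> True / False
    for raw in config_text.splitlines():
        m = _SNOOP.match(raw.strip())
        if not m:
            continue
        enabled = m.group(1) is None
        if m.group(2) is None:
            global_state = enabled
        else:
            vlan_state[int(m.group(2))] = enabled
    if global_state is False:
        return "finding", ["snooping disabled globally"]
    off = sorted(v for v in vlans if vlan_state.get(v) is False)
    if off:
        return "finding", [f"snooping disabled on VLAN {v}" for v in off]
    if global_state or (vlans and all(vlan_state.get(v) for v in vlans)):
        return "pass", []
    # Nothing stated: the platform default decides, so a human must check.
    gaps = [f"no snooping statement for VLAN {v}"
            for v in sorted(vlans) if v not in vlan_state]
    return "manual-review", ["no global snooping statement"] + gaps

# Constructed sample configurations, not taken from any real device.
SAMPLES = {
    "sw1": "hostname sw1\nip igmp snooping\nip igmp snooping vlan 7\n",
    "sw2": "hostname sw2\nip igmp snooping\nno ip igmp snooping vlan 7\n",
    "sw3": "hostname sw3\nvlan 7\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, *audit_igmp_snooping(cfg, [7]))
```

A `manual-review` result means the configuration says nothing either way, so the operational state has to be confirmed on the device before the switch is recorded as compliant or as a finding.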

Documentable

False

Severity Override Guidance

Review the access switches connected to multicast last-hop routers to determine if IGMP snooping is enabled. The following are switch configuration examples with IGMP snooping enabled globally and on a per-VLAN basis:

Enable IGMP Snooping globally: ip igmp snooping

Enable IGMP Snooping for VLAN: ip igmp snooping vlan 7

If any switches within the ICAN access layer do not have IGMP or MLD snooping enabled, this is a finding.

Check Content Reference

M

Target Key

838
