SV-216624r531085_rule
V-216624
SRG-NET-000019-RTR-000005
CISC-RT-000810
CAT III
10
Step 1: Configure an ACL that denies packets with administratively scoped multicast destination addresses, as shown in the example below.
R2(config)#ip access-list standard MULTICAST_SCOPE
R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit
Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below.
R2(config)#int g1/2
R2(config-if)#ip multicast boundary MULTICAST_SCOPE
R2(config-if)#end
Review the router configuration and verify that admin-scope multicast traffic is blocked at the external edge as shown in the example below.
interface GigabitEthernet1/2
 ip address x.1.12.2 255.255.255.252
 ip pim sparse-mode
 ip multicast boundary MULTICAST_SCOPE
…
…
…
ip access-list standard MULTICAST_SCOPE
 deny 239.0.0.0 0.255.255.255
 permit any
If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.
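The check above can be run against a saved running-config. The following is an added example, not part of the STIG text. It assumes the auditor supplies the names of the external-edge interfaces and that the boundary ACL is a named standard ACL. The function names and the sample config are constructed for illustration.

```python
import ipaddress
import re

ADMIN_SCOPE = 239 << 24  # 239.0.0.0, base of the administratively scoped block 239.0.0.0/8
ENTRY = re.compile(r"(?:\d+\s+)?(deny|permit)\s+(?:host\s+)?(any|[\d.]+)(?:\s+([\d.]+))?")
# Constructed sample config (not from a real device): Gi1/1 has no boundary applied.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 ip pim sparse-mode
interface GigabitEthernet1/2
 ip pim sparse-mode
 ip multicast boundary MULTICAST_SCOPE
ip access-list standard MULTICAST_SCOPE
 deny 239.0.0.0 0.255.255.255
 permit any
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level parent line."""
    sections, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def acl_blocks_admin_scope(entries):
    """First-match evaluation: the first entry touching 239.0.0.0/8 must deny all of it."""
    for m in filter(None, map(ENTRY.match, entries)):
        addr, wc = ("0.0.0.0", "255.255.255.255") if m[2] == "any" else (m[2], m[3] or "0.0.0.0")
        care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF  # bits this entry compares
        if ((int(ipaddress.IPv4Address(addr)) ^ ADMIN_SCOPE) & care & 0xFF000000) == 0:
            return m[1] == "deny" and (care & 0x00FFFFFF) == 0  # must cover every 239.x.x.x
    return bool(entries)  # nothing touched 239/8: the ACL's implicit deny applies

def audit(config, edge_interfaces):
    """Return finding strings for the named edge interfaces; an empty list is a pass."""
    sections, findings = parse_sections(config), []
    for name in edge_interfaces:
        cmds = sections.get(f"interface {name}", [])
        acl = next((c.split()[3] for c in cmds if c.startswith("ip multicast boundary ")), None)
        if acl is None:
            findings.append(f"{name}: no ip multicast boundary")
        elif not acl_blocks_admin_scope(sections.get(f"ip access-list standard {acl}", [])):
            findings.append(f"{name}: ACL {acl} does not deny 239.0.0.0/8")
    return findings
```

A boundary that references a missing or empty ACL is reported as a finding, and a permit entry that matches any part of 239.0.0.0/8 ahead of the deny also fails the check.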