STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.

DISA Rule

SV-216709r531086_rule

Vulnerability Number

V-216709

Group Title

SRG-NET-000362-RTR-000119

Rule Version

CISC-RT-000710

Severity

CAT III

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain.

R1(config)#bridge-domain 100
R1(config-bdomain)#ip igmp snooping
R1(config-bdomain)#end

Check Contents

Review the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. The example below are the steps to verify that IGMP snooping is enabled for a VPLS bridge domain.

Step 1: Verify that IGMP snooping is enabled globally. By default, IGMP snooping is enabled globally; hence, the following command should not be in the router configuration: no ip igmp snooping

Step 2: If IGMP snooping is enabled globally, it will also be enabled by default for each VPLS bridge domain. Hence, the command no ip igmp snooping should not be configured for any VPLS bridge domain as shown in the example below:

bridge-domain 100
no ip igmp snooping
!

If the router is not configured to implement IGMP or MLD snooping for each VPLS bridge domain, this is a finding.

Vulnerability Number

V-216709

Documentable

False

Rule Version

CISC-RT-000710

Severity Override Guidance

Review the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. The example below are the steps to verify that IGMP snooping is enabled for a VPLS bridge domain.

Step 1: Verify that IGMP snooping is enabled globally. By default, IGMP snooping is enabled globally; hence, the following command should not be in the router configuration: no ip igmp snooping

Step 2: If IGMP snooping is enabled globally, it will also be enabled by default for each VPLS bridge domain. Hence, the command no ip igmp snooping should not be configured for any VPLS bridge domain as shown in the example below:

bridge-domain 100
no ip igmp snooping
!

If the router is not configured to implement IGMP or MLD snooping for each VPLS bridge domain, this is a finding.

Check Content Reference

M

Target Key

4028

Comments