STIGQter STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.

DISA Rule

SV-216722r531086_rule

Vulnerability Number

V-216722

Group Title

SRG-NET-000019-RTR-000014

Rule Version

CISC-RT-000840

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the RP to filter PIM join messages for any undesirable multicast groups as shown in the example below:

R2(config)#ip access-list standard PIM_JOIN_FILTER
R2(config-std-nacl)#deny 239.8.0.0 0.0.255.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit
R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER
R2(config)#end

Check Contents

Verify that the RP router is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed.

ip pim rp-address 10.2.2.2
ip pim accept-rp 10.2.2.2 FILTER_PIM_JOINS



ip access-list standard FILTER_PIM_JOINS
deny 239.8.0.0 0.0.255.255
permit any
!

If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.

Vulnerability Number

V-216722

Documentable

False

Rule Version

CISC-RT-000840

Severity Override Guidance

Verify that the RP router is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed.

ip pim rp-address 10.2.2.2
ip pim accept-rp 10.2.2.2 FILTER_PIM_JOINS



ip access-list standard FILTER_PIM_JOINS
deny 239.8.0.0 0.0.255.255
permit any
!

If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.

Check Content Reference

M

Target Key

4028

Comments