STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.

DISA Rule

SV-216808r531087_rule

Vulnerability Number

V-216808

Group Title

SRG-NET-000019-RTR-000004

Rule Version

CISC-RT-000800

Severity

CAT II

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure neighbor ACLs to only accept PIM control plane traffic from documented PIM neighbors. Bind neighbor ACLs to all PIM enabled interfaces.

Step 1: Configure ACL for PIM neighbors.

RP/0/0/CPU0:R2(config)#ipv4 access-list PIM_NEIGHBOR_1
RP/0/0/CPU0:R2(config-ipv4-acl)#permit ipv4 host 10.1.1.2 any
RP/0/0/CPU0:R2(config-ipv4-acl)#exit

Step 2: Apply the ACL to all interfaces enabled for PIM.

RP/0/0/CPU0:R2(config)#router pim
RP/0/0/CPU0:R2(config-pim)#address-family ipv4
RP/0/0/CPU0:R2(config-pim-default-ipv4)#int g0/0/0/1
RP/0/0/CPU0:R2(config-pim-ipv4-if)#neighbor-filter PIM_NEIGHBOR_1
RP/0/0/CPU0:R2(config-pim-ipv4-if)#exit
RP/0/0/CPU0:R2(config-pim-default-ipv4)#int g0/0/0/2
RP/0/0/CPU0:R2(config-pim-ipv4-if)#neighbor-filter PIM_NEIGHBOR_2
RP/0/0/CPU0:R2(config-pim-ipv4-if)#end

Check Contents

This requirement is not applicable for the DODIN Backbone.

Step 1: Verify all interfaces enabled for PIM have a neighbor ACL bound to the interface as shown in the example below.

router pim
address-family ipv4
interface GigabitEthernet0/0/0/1
enable
neighbor-filter PIM_NEIGHBOR_1
!
interface GigabitEthernet0/0/0/2
enable
neighbor-filter PIM_NEIGHBOR_2
!
!
!

Step 2: Review the configured ACL for filtering PIM neighbors as shown in the example below.

ipv4 access-list PIM_NEIGHBOR_1
10 permit ipv4 host 10.1.1.2 any
!
ipv4 access-list PIM_NEIGHBOR_2
10 permit ipv4 host 10.1.2.8 any
!

If PIM neighbor ACLs are not bound to all interfaces that have PIM enabled, this is a finding.

Vulnerability Number

V-216808

Documentable

False

Rule Version

CISC-RT-000800

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Step 1: Verify all interfaces enabled for PIM have a neighbor ACL bound to the interface as shown in the example below.

router pim
address-family ipv4
interface GigabitEthernet0/0/0/1
enable
neighbor-filter PIM_NEIGHBOR_1
!
interface GigabitEthernet0/0/0/2
enable
neighbor-filter PIM_NEIGHBOR_2
!
!
!

Step 2: Review the configured ACL for filtering PIM neighbors as shown in the example below.

ipv4 access-list PIM_NEIGHBOR_1
10 permit ipv4 host 10.1.1.2 any
!
ipv4 access-list PIM_NEIGHBOR_2
10 permit ipv4 host 10.1.2.8 any
!

If PIM neighbor ACLs are not bound to all interfaces that have PIM enabled, this is a finding.

Check Content Reference

M

Target Key

4029

Comments