SV-216812r531087_rule
V-216812
SRG-NET-000019-RTR-000014
CISC-RT-000840
CAT III
10
Configure the RP to filter PIM join messages for any undesirable multicast groups as shown in the example below.
RP/0/0/CPU0:R2(config)#ipv4 access-list FILTER_PIM_JOINS
RP/0/0/CPU0:R2(config-ipv4-acl)#deny 239.8.0.0 0.0.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#permit any
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
RP/0/0/CPU0:R2(config)#router pim
RP/0/0/CPU0:R2(config-pim)#address-family ipv4
RP/0/0/CPU0:R2(config-pim-default-ipv4)#allow-rp group-list FILTER_PIM_JOINS
RP/0/0/CPU0:R2(config-pim-default-ipv4)#end
Verify that the RP router is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed.
ipv4 access-list FILTER_PIM_JOINS
10 deny ipv4 239.8.0.0 0.0.255.255 any
20 permit ipv4 any any
…
…
…
router pim
address-family ipv4
allow-rp group-list FILTER_PIM_JOINS
If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.
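The check above can be scripted against a saved running configuration. The following is an added example, not part of the STIG or of Cisco tooling: the function names, the sample configuration and the list of undesirable groups passed in are assumptions. It also assumes contiguous wildcard masks, first-match ACL evaluation, and that the first address field of each entry is the multicast group, as in the example above.

```python
import ipaddress
import re

ACL_HDR = re.compile(r"^ipv4 access-list (\S+)$")
ENTRY = re.compile(r"^(?:\d+\s+)?(deny|permit)\s+(?:ipv4\s+)?(any|(\S+)\s+(\S+))")
ALLOW_RP = re.compile(r"^allow-rp\b.*?\bgroup-list\s+(\S+)")

# Constructed sample in the shape of the check output above (not a real device).
SAMPLE = """ipv4 access-list FILTER_PIM_JOINS
 10 deny ipv4 239.8.0.0 0.0.255.255 any
 20 permit ipv4 any any
router pim
 address-family ipv4
  allow-rp group-list FILTER_PIM_JOINS
"""

def parse(config):
    """Return ({acl: [(action, network or None for 'any')]}, [applied group-lists])."""
    acls, applied, cur = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := ACL_HDR.match(line):
            cur = acls.setdefault(m.group(1), [])
        elif cur is not None and (m := ENTRY.match(line)):
            net = None
            if m.group(2) != "any":  # address + contiguous wildcard; 'host' form raises ValueError
                bits = 32 - int(ipaddress.IPv4Address(m.group(4))).bit_length()
                net = ipaddress.ip_network((m.group(3), bits), strict=False)
            cur.append((m.group(1), net))
        else:
            cur = None  # any other line ends the ACL body
            if m := ALLOW_RP.match(line):
                applied.append(m.group(1))
    return acls, applied

def group_denied(entries, group):
    """First-match evaluation for a whole group range, implicit deny at the end."""
    for action, net in entries:
        if net is None or group.subnet_of(net):
            return action == "deny"
        if group.overlaps(net):
            return False  # range only partly covered: flag for manual review
    return True

def check_rp_join_filter(config, undesirable):
    """Return finding reasons; an empty list means 'not a finding'."""
    acls, applied = parse(config)
    if not applied:
        return ["no allow-rp group-list configured"]
    return [f"{name} does not deny {g}" for name in applied for g in undesirable
            if name not in acls or not group_denied(acls[name], ipaddress.ip_network(g))]
```

An empty list from check_rp_join_filter(SAMPLE, ["239.8.0.0/16"]) corresponds to "not a finding"; any returned reason should be reviewed against the device configuration.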
M
4029