SV-221134r622190_rule
V-221134
SRG-NET-000019-RTR-000005
CISC-RT-000810
CAT III
10
Step 1: Configure an ingress and egress ACL to block administratively scoped multicast traffic.
SW1(config)# ip access-list FILTER_TRAFFIC_IN
SW1(config-acl)# deny ip any 239.0.0.0/8
SW1(config-acl)# permit tcp any any established
SW1(config-acl)# …
SW1(config-acl)# deny ip any any log
SW1(config-acl)# exit
SW1(config)# ip access-list FILTER_TRAFFIC_OUT
SW1(config-acl)# deny ip any 239.0.0.0/8
SW1(config-acl)# …
SW1(config-acl)# permit ip any any
SW1(config-acl)# exit
Step 2: Apply the ingress and egress ACL to the applicable interfaces.
SW1(config)# int e2/1
SW1(config-if)# ip access-group FILTER_TRAFFIC_IN in
SW1(config-if)# ip access-group FILTER_TRAFFIC_OUT out
SW1(config-if)# end
A multicast boundary on NX-OS is established by combining the ip pim border command with an ACL that filters administratively scoped multicast traffic.
Step 1: Verify that the interface at the multicast domain edge has been configured with both an ingress and egress ACL.
interface Ethernet2/1
no switchport
ip access-group FILTER_TRAFFIC_IN in
ip access-group FILTER_TRAFFIC_OUT out
ip address 10.1.12.1/24
ip pim sparse-mode
ip pim border
Note: The command ip pim border places the interface on the border of a PIM domain so that no bootstrap, candidate-RP, or Auto-RP messages are sent or received on the interface.
Step 2: Verify that the ingress and egress ACLs block the address range for administratively scoped multicast traffic.
ip access-list FILTER_TRAFFIC_IN
10 deny ip any 239.0.0.0/8
20 permit tcp any any established
…
…
…
90 deny ip any any log
ip access-list FILTER_TRAFFIC_OUT
10 deny ip any 239.0.0.0/8
20 deny ip …
…
80 permit ip any any
If the switch is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.
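The following is an added Python checker, not part of this STIG rule or of any Cisco tooling, that automates Check steps 1 and 2 over a saved NX-OS running-config: it finds every interface configured with ip pim border, confirms an ACL is applied in each direction, and confirms each ACL denies 239.0.0.0/8 before any permit that could match it, since ACLs are evaluated first-match. The config text inside the block is constructed for the example; the ACL names follow the ones used in this rule.

```python
import ipaddress
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # administratively scoped multicast
# Constructed sample config (not from a real device); FILTER_TRAFFIC_OUT is mis-ordered on purpose.
SAMPLE_CONFIG = """\
ip access-list FILTER_TRAFFIC_IN
  10 deny ip any 239.0.0.0/8
  20 permit tcp any any established
ip access-list FILTER_TRAFFIC_OUT
  10 permit ip any any
  20 deny ip any 239.0.0.0/8
interface Ethernet2/1
  ip access-group FILTER_TRAFFIC_IN in
  ip access-group FILTER_TRAFFIC_OUT out
  ip pim border
"""

def parse_config(text):
    """Return ({acl_name: [entry words]}, {interface: [line words]}) from NX-OS config text."""
    acls, intfs, current = {}, {}, []
    for raw in text.splitlines():
        w = raw.split()
        if raw[:1].isspace() and w:          # indented line belongs to the current stanza
            current.append(w)
        elif w:                              # stanza header; unrelated stanzas go to a sink list
            current = (acls.setdefault(w[2], []) if w[:2] == ["ip", "access-list"]
                       else intfs.setdefault(w[1], []) if w[:1] == ["interface"] else [])
    return acls, intfs

def blocks_admin_scoped(entries):
    """True if a deny covering 239.0.0.0/8 precedes any permit able to match it."""
    for w in entries:                        # NX-OS ACLs are first-match, so order matters
        w = w[1:] if w[0].isdigit() else w   # drop the sequence number
        action, proto, src, dst = (w + [""] * 3)[:4]  # pad remark/statistics lines
        nets = [ipaddress.ip_network(t, strict=False) for t in (src, dst) if "/" in t]
        if action == "deny" and any(n.supernet_of(ADMIN_SCOPED) for n in nets):
            return True
        if action == "permit" and proto in ("ip", "udp") and (
                dst == "any" or any(n.overlaps(ADMIN_SCOPED) for n in nets)):
            return False                     # broader permit is hit first; the deny never applies
    return False

def check_pim_borders(text):
    """Map each 'ip pim border' interface to its findings (empty list = compliant)."""
    acls, intfs, report = (*parse_config(text), {})
    for name, lines in intfs.items():
        if ["ip", "pim", "border"] in lines:
            applied = {l[3]: l[2] for l in lines if l[:2] == ["ip", "access-group"]}
            report[name] = [f"{d}: {applied[d]} does not deny 239.0.0.0/8 first" if d in applied
                            else f"{d}: no ACL applied" for d in ("in", "out")
                            if not blocks_admin_scoped(acls.get(applied.get(d), []))]
    return report
```

Run check_pim_borders on the output of show running-config; any interface that maps to a non-empty list corresponds to a finding under this rule.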