STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Cisco switch (DR) for any undesirable multicast groups.

DISA Rule

SV-221137r622190_rule

Vulnerability Number

V-221137

Group Title

SRG-NET-000019-RTR-000014

Rule Version

CISC-RT-000840

Severity

CAT III

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the RP to filter PIM join messages for any undesirable multicast groups as shown in the example below:

Step 1: Configure a PIM Join filter as shown in the example below:

SW1(config)# route-map PIM_JOIN_FILTER deny
SW1(config-route-map)# match ip multicast group 239.8.0.0/8
SW1(config-route-map)# route-map PIM_JOIN_FILTER permit 20
SW1(config-route-map)# match ip multicast group 224.0.0.0/4
SW1(config-route-map)# exit

Step 2: Apply the PIM Join filter to the appropriate interfaces.

SW1(config)# int e2/1
SW1(config-if)# ip pim jp-policy PIM_JOIN_FILTER in
SW1(config-if)# end

Check Contents

Verify that the RP switch is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed.

route-map PIM_JOIN_FILTER deny 10
match ip multicast group 239.0.0.0/8
route-map PIM_JOIN_FILTER permit 20
match ip multicast group 224.0.0.0/4
…
…
…
interface Ethernet2/1
no switchport
ip address 10.1.12.1/24
ip pim sparse-mode
ip pim jp-policy PIM_JOIN_FILTER in

If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.

Vulnerability Number

V-221137

Documentable

False

Rule Version

CISC-RT-000840

Severity Override Guidance

Verify that the RP switch is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed.

route-map PIM_JOIN_FILTER deny 10
match ip multicast group 239.0.0.0/8
route-map PIM_JOIN_FILTER permit 20
match ip multicast group 224.0.0.0/4
…
…
…
interface Ethernet2/1
no switchport
ip address 10.1.12.1/24
ip pim sparse-mode
ip pim jp-policy PIM_JOIN_FILTER in

If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.

Check Content Reference

M

Target Key

4075

Comments