The Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to filter received source-active (SA) multicast advertisements for any undesirable multicast groups and sources.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity
V-272065 | CACI-RT-000005 | SV-272065r1115723_rule | | Low
Description
The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources, which Protocol Independent Multicast (PIM) routers use to perform reverse path forwarding (RPF) checks and build multicast distribution trees. MSDP connects multiple PIM sparse-mode domains, allowing rendezvous points (RPs) in different domains to share information about active sources. MSDP helps ACI border leaf switches identify the location of multicast sources in external networks, so they can route multicast traffic to interested receivers within the ACI fabric. MSDP operates within a Layer 3 context, allowing the ACI fabric to discover multicast sources located in other multicast domains when it connects to external networks through "L3Out" connections, which enables efficient multicast forwarding across different network segments.
STIG | Date
Cisco ACI Router Security Technical Implementation Guide | 2025-06-18
Details
Check Text (C-76115r1063590_chk)
If this is a DODIN or JRSS system, this is not applicable.
Verify that a route map with specific filter criteria is applied outbound under the relevant BGP neighbor configuration to block unwanted multicast prefixes from being advertised, as in the example below:
  router bgp 100
    neighbor 10.1.1.2 remote-as 200
      address-family ipv4 unicast
        route-map BLOCK_MULTICAST out
The route map applied here must contain a deny sequence matching the undesirable multicast prefixes followed by a permit sequence for the remaining advertisements; a route map whose only sequence permits those prefixes advertises exactly the prefixes that should be blocked and, because of the implicit deny at the end of every route map, suppresses everything else. Confirm the direction as well: a route map applied with "in" filters received routes, not advertisements.
If the ACI is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.
Fix Text (F-76022r1115722_fix)
Use the route-map command with specific filter criteria, applied outbound under the relevant BGP neighbor configuration, to block unwanted multicast prefixes from being advertised. The sequence that matches the undesirable prefixes must be a deny sequence, followed by a permit sequence for all other prefixes; a permit sequence that matches the undesirable prefixes would advertise them and, through the implicit deny at the end of the route map, block the legitimate advertisements instead.
1. Define a prefix list covering the undesirable multicast prefixes ("le 32" also matches more-specific prefixes within each entry).
  apic1(config)# ip prefix-list <prefix-list-name> seq 5 permit <undesirable-multicast-prefix> le 32
2. Create a route map that denies those prefixes and permits everything else.
  apic1(config)# route-map <route-map-name> deny 10
  apic1(config-route-map)# match ip address prefix-list <prefix-list-name>
  apic1(config-route-map)# exit
  apic1(config)# route-map <route-map-name> permit 20
  apic1(config-route-map)# exit
3. Apply the route map outbound to the BGP neighbor.
  apic1(config)# router bgp <AS number>
  apic1(config-router)# neighbor <peer-IP> remote-as <peer-AS>
  apic1(config-router-neighbor)# address-family ipv4 unicast
  apic1(config-router-neighbor-af)# route-map <route-map-name> out