The Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to filter source-active (SA) multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-272066 | CACI-RT-000006 | SV-272066r1115725_rule | | Low |

Description

To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private addresses, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree that is local to the core to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks.

| STIG | Date |
| --- | --- |
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 |
Details
Check Text (C-76116r1063593_chk)

If the ACI implementation does not use MSDP, this is not applicable.

Verify that a source-active filter is applied toward each external MSDP peer:

ip msdp sa-filter in <msdp_peer_address> list OUTBOUND_MSDP_SA_FILTER

If the device is not configured with an export policy to filter local source-active multicast advertisements, this is a finding.
Fix Text (F-76023r1115724_fix)

Configure the switch to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

1. Filter all SA messages coming from peer 10.1.1.2 except those for group 224.0.0.1. In the CLI, where <peer-ip> (shown here as 10.1.1.2) is the IP address of the external MSDP peer:

apic1(config)# ip msdp sa-filter in 10.1.1.2 list OUTBOUND_MSDP_SA_FILTER

2. Define the ACL referenced by the filter:

apic1(config)# ip access-list extended OUTBOUND_MSDP_SA_FILTER
permit ip any 224.0.0.1 any