DISA STIGS Viewer

The Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to filter source-active (SA) multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

Overview

Finding ID Version Rule ID IA Controls Severity
V-272066 CACI-RT-000006 SV-272066r1115725_rule   Low
Description
To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private address, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks.
STIG Date
Cisco ACI Router Security Technical Implementation Guide 2025-06-18

Details

Check Text (C-76116r1063593_chk)
If the ACI implementation does not use MSDP, this is not applicable.

ip msdp sa-filter in <msdp_peer_address> list OUTBOUND_MSDP_SA_FILTER

If the device is not configured with an export policy to filter local source-active multicast advertisements, this is a finding.
Fix Text (F-76023r1115724_fix)
Configure the switch to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

1. Filter all SA messages coming from peer 10.1.1.2 except those for group 224.0.0.1. in the CLI, where <peer-ip> is the IP address of the external MSDP peer.

apic1(config)# ip msdp sa-filter in 10.1.1.2 list OUTBOUND_MSDP_SA_FILTER

2. ACL definition.

apic1(config)# ip access-list extended OUTBOUND_MSDP_SA_FILTER permit ip any 224.0.0.1 any