The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to limit the number of source-active (SA) messages it accepts on a per-peer basis.
Overview
Finding ID: V-272067
Version: CACI-RT-000007
Rule ID: SV-272067r1113973_rule
IA Controls:
Severity: Low
Description
To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.
To limit the number of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command on the switch, specifying the maximum number of SA messages allowed per peer. This acts as a per-peer cap, so a single peer cannot overwhelm the device with multicast source information.
Check Text
If the ACI implementation does not use MSDP, this check is not applicable.
Review the switch configuration to determine whether it is configured to limit the number of source-active messages it accepts on a per-peer basis:
show ip msdp
If the ACI is not configured to limit the source-active messages it accepts from each peer, this is a finding.
Fix Text (F-76024r1063597_fix)
To limit the number of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command, specifying the peer address and the maximum number of SA messages allowed from that peer. The following is an example; the limit value (100 here) is illustrative and should be set to a value appropriate for the deployment:
api1(config)# ip msdp sa-limit 10.1.1.1 100
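The check and fix above can be audited offline against a saved running configuration. The script below is an added example, not part of the STIG text or any Cisco tooling: it assumes MSDP peers appear as "ip msdp peer <address> ..." lines and limits as "ip msdp sa-limit <address> <n>" lines (NX-OS style), lists every peer that has no SA limit, and reports the STIG outcome (not applicable, finding, or compliant). The three configurations are constructed samples.

```python
"""Audit a Cisco NX-OS style running configuration for MSDP peers that lack
a per-peer source-active (SA) limit.

Added example, not from the STIG page. Assumptions (not stated on the page):
peers are defined by 'ip msdp peer <addr> ...' and limits by
'ip msdp sa-limit <addr> <n>'. All sample configurations below are constructed.
"""
import re

PEER_RE = re.compile(r"^\s*ip msdp peer (\S+)")
LIMIT_RE = re.compile(r"^\s*ip msdp sa-limit (\S+) (\d+)\s*$")


def audit_msdp_sa_limits(config_text: str) -> dict:
    """Return {'applicable': bool, 'findings': [peer, ...], 'limits': {peer: n}}.

    No MSDP peers at all means the check is not applicable. Otherwise every
    peer without a matching sa-limit line is a finding.
    """
    peers = []
    limits = {}
    for line in config_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            if m.group(1) not in peers:
                peers.append(m.group(1))
            continue
        m = LIMIT_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    findings = [p for p in peers if p not in limits]
    return {"applicable": bool(peers), "findings": findings, "limits": limits}


def verdict(config_text: str) -> str:
    """Map the audit result onto the STIG outcome wording."""
    result = audit_msdp_sa_limits(config_text)
    if not result["applicable"]:
        return "not applicable"
    if result["findings"]:
        return "finding: no SA limit for " + ", ".join(result["findings"])
    return "compliant"


# Constructed sample: two peers, only one of them limited -> finding for 10.1.1.2
CONFIG_BEFORE = """\
feature msdp
ip msdp peer 10.1.1.1 connect-source loopback0
ip msdp peer 10.1.1.2 connect-source loopback0
ip msdp sa-limit 10.1.1.1 100
"""

# Constructed sample after remediation: every peer carries a limit
CONFIG_AFTER = CONFIG_BEFORE + "ip msdp sa-limit 10.1.1.2 100\n"

# Constructed sample with no MSDP configured -> check is not applicable
CONFIG_NO_MSDP = """\
feature pim
ip pim rp-address 10.0.0.1
"""

if __name__ == "__main__":
    for name, cfg in [("before", CONFIG_BEFORE), ("after", CONFIG_AFTER),
                      ("no-msdp", CONFIG_NO_MSDP)]:
        print(f"{name}: {verdict(cfg)}")
```

Feed the script the output of the switch's running configuration (or a backup of it); a peer that is defined but absent from the limits map is exactly the condition the check text calls a finding.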