DISA STIGS Viewer

The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to limit the number of source-active (SA) messages it accepts on a per-peer basis.

Overview

Finding ID: V-272067
Version: CACI-RT-000007
Rule ID: SV-272067r1113973_rule
IA Controls: (none listed)
Severity: Low
Description
To reduce the risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer. To limit the number of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command on the switch, specifying the maximum number of SA messages allowed per peer. This acts as a per-peer limit, so a single peer cannot overwhelm the device with multicast source information.
STIG: Cisco ACI Router Security Technical Implementation Guide
Date: 2025-06-18

Details

Check Text (C-76117r1063596_chk)
If the ACI implementation does not use MSDP, this is not applicable.

Review the switch configuration to determine if it is configured to limit the number of source-active messages it accepts on a per-peer basis.

show ip msdp

If the ACI is not configured to limit the source-active messages it accepts, this is a finding.
Fix Text (F-76024r1063597_fix)
To limit the number of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command, specifying the maximum number of SA messages allowed per peer. The following is an example:

api1(config)# ip msdp sa-limit 10.1.1.1 MSDP_SA_FILTER
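As an added example (not part of the STIG or any Cisco tooling), a small Python audit that applies this check to a captured configuration: it collects every MSDP peer and reports any peer without an "ip msdp sa-limit" entry, returning "not_applicable" when no peers exist, as the check text directs. The configuration text is constructed, and the NX-OS-style "ip msdp peer <addr> ..." statement syntax is an assumption not taken from the STIG.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config (not from a real device). Peer 10.1.1.1
# has a per-peer SA limit; peer 10.1.1.2 has none and should be a finding.
SAMPLE_CONFIG = """\
feature msdp
ip msdp originator-id loopback0
ip msdp peer 10.1.1.1 connect-source loopback0
ip msdp peer 10.1.1.2 connect-source loopback0
ip msdp sa-limit 10.1.1.1 100
"""

# Assumed NX-OS-style syntax for the two statements this check cares about.
PEER_RE = re.compile(r"^\s*ip msdp peer (\S+)")
LIMIT_RE = re.compile(r"^\s*ip msdp sa-limit (\S+)\s+(\S+)")


def msdp_sa_limits(config: str) -> Dict[str, Optional[str]]:
    """Map every configured MSDP peer to its sa-limit argument (None if absent)."""
    peers: Dict[str, Optional[str]] = {}
    limits: Dict[str, str] = {}
    for line in config.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.setdefault(m.group(1), None)
            continue
        m = LIMIT_RE.match(line)
        if m:
            limits[m.group(1)] = m.group(2)
    return {peer: limits.get(peer) for peer in peers}


def audit_sa_limits(config: str) -> Tuple[str, List[str]]:
    """Apply the STIG check: 'not_applicable' when MSDP has no peers,
    'pass' when every peer carries an sa-limit, otherwise 'finding' with
    one entry per peer that is missing its per-peer limit."""
    peers = msdp_sa_limits(config)
    if not peers:
        return "not_applicable", []
    unlimited = [p for p, limit in peers.items() if limit is None]
    if unlimited:
        return "finding", [f"{p}: no ip msdp sa-limit configured" for p in unlimited]
    return "pass", []


if __name__ == "__main__":
    status, details = audit_sa_limits(SAMPLE_CONFIG)
    print(status, *details, sep="\n")
```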