The multicast edge Cisco ACI must be configured to establish boundaries for administratively scoped multicast traffic.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272070 | CACI-RT-000010 | SV-272070r1113976_rule | Low |
| Description |
| If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations. Administratively scoped multicast addresses fall within the range of 239.0.0.0 to 239.255.255.255. |
| STIG | Date |
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 |
Details
| Check Text (C-76120r1063605_chk) |
| Verify the multicast routing table and troubleshoot any issues with multicast traffic flow. show ip mroute If the ACI is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding. |
| Fix Text (F-76027r1063606_fix) |
| Leverage the border leaf switches within the fabric, applying access control lists (ACLs) on the appropriate interfaces to filter multicast packets with administratively scoped addresses. Log in to the CLI of a border leaf switch within the ACI fabric. configure terminal ip multicast-routing access-list extended MULTICAST_FILTER deny ip 239.0.0.0 239.255.255.255 any permit ip any any Apply the created ACL to the outbound direction of the interface facing the external network. |