DISA STIGS Viewer

The Cisco ACI multicast rendezvous point (RP) must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the designated router (DR) for any undesirable multicast groups and sources.

Overview

Finding ID: V-272073
Version: CACI-RT-000013
Rule ID: SV-272073r1114086_rule
IA Controls:
Severity: Low
Description
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that the RP accepts PIM Register messages only for authorized multicast groups and sources. Route maps can likewise control how RP information is distributed throughout the network: specify which bootstrap routers (BSRs) or mapping agents each client router listens to, and the list of candidates each BSR and mapping agent advertises, so that what is advertised is what is expected.
STIG: Cisco ACI Router Security Technical Implementation Guide
Date: 2025-06-18

Details

Check Text (C-76123r1063614_chk)
View the configuration to check for PIM compliance.

APIC1(config)#show running-configuration pim

Example:

ip access-list extended PIM_REGISTER_FILTER
deny ip any 232.0.0.0 0.255.255.255
permit ip host 10.1.2.6 any
permit ip host 10.1.2.7 any
deny ip any any

ip pim accept-register list PIM_REGISTER_FILTER

In the example, the source field of each entry is the multicast source and the destination field is the group, and entries are evaluated in order: the leading deny rejects Register messages for the 232.0.0.0/8 Source-Specific Multicast (SSM) range, which never needs an RP, before the per-source permits are considered, and the trailing deny makes the implicit deny explicit.

If the RP router peering with PIM-SM routers is not configured with a policy to block Register messages for any undesirable multicast groups and sources, this is a finding.
Fix Text (F-76030r1114085_fix)
Configure an access list on the rendezvous point (RP) that explicitly denies PIM Register messages for undesired source-group combinations. A Register the RP rejects is never joined into the shared tree, so those multicast streams do not propagate across the network. Apply the access list to the RP through the APIC's CLI with the "accept-register" command. Where a route map is used instead of an access list, specify group or group-and-source addresses with the match ip multicast command.

Perform the following on the RP, repeating the interface step for each interface that uses IP multicast:

1. Create an extended access list with the desired filter criteria. Entries are evaluated in order, so place a deny for an undesirable group above any permit that would otherwise match it, and finish with an explicit deny.

# ip access-list extended <access-list-name>
deny ip any <undesirable-multicast-group> <group-wildcard>
permit ip host <source-ip> <multicast-group> <group-wildcard>
... (add other allowed source-group combinations)
deny ip any any

2. Enable PIM sparse mode on each multicast interface of the RP.

APIC1(config-if)# ip pim sparse-mode

3. Apply the access list to the RP in global configuration, in the same form shown in the check text example.

APIC1(config)# ip pim accept-register list <access-list-name>
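The following is an added example, not DISA or Cisco code, that serves both the check text above and the three-step fix procedure. It parses the IOS-style syntax the page shows (`ip access-list extended`, `permit`/`deny ip`, `ip pim accept-register list`), evaluates a candidate PIM Register (source, group) pair against the ACL with first-match and implicit-deny semantics, and applies the finding criterion: no accept-register filter, an undefined ACL, or a Register from an unauthorized source-group pair that would be accepted. The sample configuration and the list of unauthorized probe pairs are constructed for the example; which pairs count as unauthorized is an assumption the operator must supply.

```python
"""Audit a Cisco IOS-style RP configuration for the PIM accept-register filter.

Added example for this STIG entry (not DISA or Cisco code). Assumes the
syntax shown in the check text; SAMPLE_CONFIG and UNAUTHORIZED_PROBES below
are constructed inputs.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    src: tuple[int, int]   # (address, wildcard) for the multicast source
    dst: tuple[int, int]   # (address, wildcard) for the multicast group


def _parse_spec(tokens: list[str]) -> tuple[tuple[int, int], list[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), tokens[2:]


def _matches(spec: tuple[int, int], addr: str) -> bool:
    """Wildcard-mask match: bits that are 0 in the wildcard must equal the base."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF == 0


def parse_config(text: str) -> tuple[dict[str, list[AclEntry]], str | None]:
    """Return (acls, accept_register_acl_name) from running-config text."""
    acls: dict[str, list[AclEntry]] = {}
    current: list[AclEntry] | None = None
    register_filter = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"ip access-list extended (\S+)$", line):
            current = acls.setdefault(m.group(1), [])
            continue
        if m := re.match(r"ip pim accept-register list (\S+)$", line):
            register_filter = m.group(1)
            current = None
            continue
        if (m := re.match(r"(permit|deny) ip (.+)$", line)) and current is not None:
            src, rest = _parse_spec(m.group(2).split())
            dst, _ = _parse_spec(rest)
            current.append(AclEntry(m.group(1), src, dst))
            continue
        if line.startswith("remark"):
            continue
        current = None  # any other top-level command ends the ACL block
    return acls, register_filter


def register_accepted(entries: list[AclEntry], source: str, group: str) -> bool:
    """First matching entry wins; no match means the implicit deny applies."""
    for e in entries:
        if _matches(e.src, source) and _matches(e.dst, group):
            return e.action == "permit"
    return False


def stig_finding(text: str, unauthorized_probes: list[tuple[str, str]]) -> list[str]:
    """Return reasons for a finding; an empty list means the RP is compliant."""
    acls, name = parse_config(text)
    if name is None:
        return ["no 'ip pim accept-register list' configured on the RP"]
    if name not in acls:
        return [f"accept-register references undefined ACL {name}"]
    return [
        f"register from {src} for {grp} would be accepted"
        for src, grp in unauthorized_probes
        if register_accepted(acls[name], src, grp)
    ]


# Constructed sample: the complete fix from the procedure above, as it would
# appear in 'show running-config' on the RP.
SAMPLE_CONFIG = """\
ip access-list extended PIM_REGISTER_FILTER
 remark SSM range never registers with an RP
 deny ip any 232.0.0.0 0.255.255.255
 permit ip host 10.1.2.6 any
 permit ip host 10.1.2.7 any
 deny ip any any
!
ip pim accept-register list PIM_REGISTER_FILTER
"""

# Constructed probes the operator considers unauthorized (an assumption).
UNAUTHORIZED_PROBES = [
    ("192.0.2.99", "239.1.1.1"),  # unknown source, ASM group
    ("10.1.2.6", "232.1.1.1"),    # authorized source but SSM group
]

if __name__ == "__main__":
    reasons = stig_finding(SAMPLE_CONFIG, UNAUTHORIZED_PROBES)
    print("finding: " + "; ".join(reasons) if reasons else "compliant")
```

Run it against pasted `show running-config pim` output and extend UNAUTHORIZED_PROBES with the sources and groups your environment must never register; the probes are what turn the generic check into a site-specific one.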