The multicast rendezvous point (RP) Cisco ACI must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the designated router (DR) for any undesirable multicast groups.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272074 | CACI-RT-000014 | SV-272074r1114271_rule | Low |
| Description |
| Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups. In a Cisco ACI fabric, the border leaf switches are responsible for handling external multicast traffic and are where access control lists (ACLs) to filter PIM Join messages would be applied. |
| STIG | Date |
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 |
Details
| Check Text (C-76124r1063617_chk) |
| View the configuration to verify PIM compliance. APIC1(config)#show running-configuration pim Example: ! ACL to deny specific multicast groups ip access-list extended PIM_JOIN_FILTER deny ip multicast group 224.0.0.1 deny ip multicast group 224.0.0.2 permit ip any any ! ACL to the L3Out interface on the border leaf switch interface L3Out_to_External ip access-group PIM_JOIN_FILTER in If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding. |
| Fix Text (F-76031r1114270_fix) |
| Configure ACLs on the border leaf switches that act as the PIM DRs, specifically targeting the multicast group addresses to be blocked. This essentially prevents unwanted multicast traffic from entering the fabric by filtering the Join messages at the entry point. 1. Create an ACL to deny specific multicast groups. ip access-list extended PIM_JOIN_FILTER deny ip multicast group 224.0.0.1 deny ip multicast group 224.0.0.2 permit ip any any 2. Apply the ACL to the L3Out interface on the border leaf switch. interface L3Out_to_External ip access-group PIM_JOIN_FILTER in |