The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to authenticate all received MSDP packets.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272085 | CACI-RT-000025 | SV-272085r1114092_rule | Medium |
| Description |
| MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP password authentication is used to validate each segment sent on the TCP connection between MSDP peers, protecting the MSDP session against the threat of spoofed packets being injected into the TCP connection stream. |
| STIG | Date |
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 |
Details
| Check Text (C-76135r1064206_chk) |
| Review the Management Access configuration to determine if received MSDP packets are authenticated: 1. Navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access. 2. Verify the option for "Strict Security on APIC OOB Subnet" is selected. If the router does not require MSDP authentication, this is a finding. |
| Fix Text (F-76042r1114091_fix) |
| Enable the "Strict Security on APIC OOB Subnet" option within the Management Access settings on the APIC: 1. On the APIC GUI, navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access to find the relevant settings. 2. Select "Strict Security on APIC OOB Subnet". |