DISA STIGS Viewer

The Cisco ACI multicast rendezvous point (RP) must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.

Overview

Finding ID: V-272090
Version: CACI-RT-000030
Rule ID: SV-272090r1114314_rule
IA Controls: (none listed)
Severity: Low
Description
MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.
STIG: Cisco ACI Router Security Technical Implementation Guide
Date: 2025-06-18

Details

Check Text (C-76140r1064216_chk)
Review the PIM configuration:

ip pim register-rate-limit 10

If the RP router is not configured to filter PIM register messages, rate limit the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.
Fix Text (F-76047r1114099_fix)
Configure the switch to filter PIM register messages, rate limit the number of PIM register messages, and accept MSDP packets only from known MSDP peers. Use the command "ip pim register-rate-limit <rate>", where <rate> specifies the desired maximum number of register messages per second allowed to be sent.

Navigate to the global configuration mode.

[switch#] configure terminal
[switch(config)#] ip pim register-rate-limit 10
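To audit the register-rate-limit part of this check against saved "show running-config" output from many RPs, here is an added Python example; it is not part of the STIG or of any Cisco tooling. The helper name, result fields and the two configuration excerpts are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The statement the STIG check text names. Anchored to line start so a
# negated form ("no ip pim register-rate-limit ...") does not count.
RATE_LIMIT_RE = re.compile(r"^[ \t]*ip pim register-rate-limit[ \t]+(\d+)[ \t]*$", re.M)

@dataclass
class RateLimitCheck:
    configured: bool        # statement present in the running config
    rate: Optional[int]     # register messages per second, None if absent
    finding: bool           # True means the check fails (a STIG "finding")
    detail: str

def check_register_rate_limit(running_config: str) -> RateLimitCheck:
    """Evaluate the PIM register rate-limit part of the check against
    'show running-config' text. Hypothetical helper, not a Cisco API."""
    rates = RATE_LIMIT_RE.findall(running_config)
    if not rates:
        return RateLimitCheck(False, None, True,
                              "ip pim register-rate-limit is not configured")
    rate = int(rates[-1])  # a later statement supersedes an earlier one
    if rate < 1:
        return RateLimitCheck(True, rate, True,
                              f"register-rate-limit {rate} limits nothing")
    return RateLimitCheck(True, rate, False,
                          f"PIM register messages limited to {rate} per second")

# Constructed running-config excerpts for demonstration (not from real devices).
COMPLIANT_CONFIG = """\
hostname rp-leaf-1
ip pim register-rate-limit 10
"""
NONCOMPLIANT_CONFIG = """\
hostname rp-leaf-2
no ip pim register-rate-limit 10
"""

if __name__ == "__main__":
    for name, cfg in (("rp-leaf-1", COMPLIANT_CONFIG), ("rp-leaf-2", NONCOMPLIANT_CONFIG)):
        result = check_register_rate_limit(cfg)
        print(f"{name}: {'FINDING' if result.finding else 'PASS'} - {result.detail}")
```

The PIM register filter and MSDP peer restrictions the check also requires are not covered here, since the STIG text gives no commands for them.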