The RUCKUS ICX Multicast Source Discovery Protocol router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-273576 | RCKS-RTR-000080 | SV-273576r1110885_rule | | Low |
| Description |
| To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private addresses, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks. |
| STIG | Date |
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Details
| Check Text (C-77667r1109748_chk) |
Check for SA filter on MSDP peer:

    ICX# show msdp peer x.x.x.x | include Output
    Output SA Filter:Applicable
    Output (S,G) route-map:out_MSDP_SA_filter
    Output RP route-map:None

If any configured MSDP peer is not configured to filter outbound advertisements to avoid local-only multicast sources and groups, this is a finding.
| Fix Text (F-77572r1109749_fix) |
Create an access list to filter source-active multicast advertisements for any undesirable multicast groups and sources:

    ip access-list extended out_MSDP_SA_filter
     sequence 10 deny ip 10.0.0.0/8 any
     sequence 20 permit ip any any
    route-map out_MSDP_SA_filter permit 10
     match ip address out_MSDP_SA_filter
    router msdp
     msdp-peer x.x.x.x
     sa-filter originate route-map out_MSDP_SA_filter
    !
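The access list in the Fix Text is a sample, so it is worth checking which of the local-only (S, G) categories named in the Description it actually stops. The following is an added example, not part of the STIG or of RUCKUS tooling. It assumes the ACL source field is matched against S and the destination field against G, that "private address" means the RFC 1918 ranges, and that the constructed sample addresses stand in for real ones.

```python
import ipaddress

# ACL entries copied from the Fix Text above.
FIX_ACL = """\
sequence 10 deny ip 10.0.0.0/8 any
sequence 20 permit ip any any
"""

# Constructed (S, G) samples, one per category named in the Description.
# Assumption: "private address" means the RFC 1918 ranges.
LOCAL_ONLY = {
    "private source 10/8": ("10.1.2.3", "233.252.0.1"),
    "private source 172.16/12": ("172.16.5.9", "233.252.0.1"),
    "private source 192.168/16": ("192.168.1.10", "233.252.0.1"),
    "admin-scoped group": ("198.51.100.7", "239.1.1.1"),
    "auto-RP announce": ("198.51.100.7", "224.0.1.39"),
    "auto-RP discovery": ("198.51.100.7", "224.0.1.40"),
}

def _net(tokens):
    """Consume one address spec (any | host A | A/len) from the token list."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_acl(text):
    """Return [(seq, action, source_net, group_net)] ordered by sequence number."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "sequence" and t[3] == "ip":
            rest = t[4:]
            source_net = _net(rest)   # first spec is the source (S)
            rules.append((int(t[1]), t[2], source_net, _net(rest)))
    return sorted(rules, key=lambda r: r[0])

def advertised(rules, source, group):
    """True if the SA for (source, group) passes: first match wins, implicit deny."""
    # Assumption: ACL source field is matched against S, destination against G.
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for _seq, action, src, grp in rules:
        if s in src and g in grp:
            return action == "permit"
    return False

def leaks(acl_text, samples=LOCAL_ONLY):
    """Names of local-only categories whose SA the ACL would still advertise."""
    rules = parse_acl(acl_text)
    return [name for name, (s, g) in samples.items() if advertised(rules, s, g)]
```

Calling `leaks(FIX_ACL)` lists every category except the 10.0.0.0/8 sources; adding deny entries for the remaining categories ahead of the final permit makes it return an empty list.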