STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco IOS XE Switch RTR Security Technical Implementation Guide

V-221068

CAT III (Low)

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis.

Rule ID

SV-221068r1137903_rule

STIG

Cisco IOS XE Switch RTR Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-001368

Discussion

To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP switch, the switch must be configured to limit the number of source-active messages it accepts from each peer.

Check Content

Review the switch configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis.

ip msdp peer x.1.28.2 remote-as nn
ip msdp sa-filter in 10.1.28.2 list MSDP_SA_FILTER
ip msdp sa-limit X.1.28.2 nnn

If the switch is not configured to limit the source-active messages it accepts, this is a finding.

Fix Text

Configure the switch to limit the amount of source-active messages it accepts from each peer.

SW1(config)#ip msdp sa-limit x.1.28.2 nnn