Rule ID
SV-272073r1168393_rule
Version
V1R2
CCIs
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, consuming the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources. By configuring route maps, the distribution of RP information throughout the network can be controlled. Specify the BSRs or mapping agents to be listened to on each client router, and the list of candidates to be advertised (listened to) on each BSR and mapping agent, to ensure that what is advertised is what is expected.
View the configuration to check for PIM compliance on the relevant multicast-enabled interfaces: verify that a route map is applied in the PIM settings for the VRF in the GUI. Navigate to Tenants >> {{your_Tenants}} >> Networking >> VRFs >> {{Your_VRF}} >> multicast >> Configuration >> PIM settings >> Reserved Route MAP.
If the Cisco ACI peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.

Configure an access list on the rendezvous point (RP) to explicitly deny PIM register messages originating from specific source-group combinations, effectively blocking the propagation of those multicast streams across the network. To access this configuration, configure a route map in the PIM settings for the VRF that covers the relevant multicast-enabled interfaces in the GUI. Navigate to Tenants >> {{your_Tenants}} >> Networking >> VRFs >> {{Your_VRF}} >> multicast >> Configuration >> PIM settings >> Reserved Route MAP.