Rule ID
SV-256007r882363_rule
Version
V2R2
CCIs
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources. Satisfies: SRG-NET-000019-RTR-000013, SRG-NET-000019-RTR-000014
Verify that the RP router is configured to filter PIM register and join messages.
Step 1: To verify the ACL is configured to filter the multicast groups, execute the command "show ip access-lists".
ip access-list standard ALLOWED_MULTICAST_GROUP
10 permit 224.0.0.0/8
20 deny any
Step 2: To verify the ACL is applied to the PIM process, execute the command "show run section router pim".
router pim sparse-mode
ipv4
rp address 100.2.1.6 access-list ALLOWED_MULTICAST_GROUP
If the RP router peering with PIM-SM routers is not configured with a PIM import policy to block registration messages for any undesirable multicast groups and sources, this is a finding.Configure the RP router to filter PIM register and join messages received from a multicast DR for any undesirable multicast groups or sources. Step 1: Configure an ACL to filter the multicast groups. LEAF-1A(config)#ip access-list standard ALLOWED_MULTICAST_GROUP LEAF-1A(config-std-acl-ALLOWED_MULTICAST_GROUP)#10 permit 224.0.0.0/8 LEAF-1A(config-std-acl-ALLOWED_MULTICAST_GROUP)#20 deny any Step 2: Apply the ACL in the PIM process globally. LEAF-1A(config)#router pim sparse-mode LEAF-1A(config-router-pim-sparse)#ipv4 LEAF-1A(config-router-pim-sparse-ipv4)#rp address 100.2.1.6 access-list ALLOWED_MULTICAST_GROUP