STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-256037

CAT III (Low)

The multicast Rendezvous Point (RP) Arista router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.

Rule ID

SV-256037r882453_rule

STIG

Arista MLS EOS 4.2x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.

Check Content

Review the Arista router configuration to determine if forwarding cache thresholds are defined.

Step 1: To verify the ACL is configured to match the prefixes, execute the command "sh ip access-list".

ip access-list PIM_NEIGHBOR_SA_FILTER
   10 deny ip any 224.1.1.0/24
   20 deny ip any 224.1.2.0/24
   30 deny ip any 224.1.3.0/24
   40 deny ip any 224.1.4.0/24
   100 permit ip any any

Step 2: To verify the thresholds are defined for multicast forwarding cache for source-active entries, execute the command "sh run sec router msdp".

router msdp
 peer 10.1.12.2
  sa-filter in PIM_NEIGHBOR_SA_FILTER
  sa-limit 500

If the Arista RP router is not configured to limit the multicast forwarding cache to ensure its resources are not saturated, this is a finding.

Fix Text

Configure the Arista MSDP-enabled RP routers to limit the multicast forwarding cache for source-active entries.

Step 1: Configure the ACL.

ip access-list PIM_NEIGHBOR_SA_FILTER
   10 deny ip any 224.1.1.0/24
   20 deny ip any 224.1.2.0/24
   30 deny ip any 224.1.3.0/24
   40 deny ip any 224.1.4.0/24
   100 permit ip any any

Step 2: Apply the ACL to the MSDP peer and define the multicast forwarding cache limit for source-active entries.

router msdp
 peer 10.1.12.2
  sa-filter in PIM_NEIGHBOR_SA_FILTER
  sa-limit 500
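The two-step check above can be automated. The following Python audit is an added example, not part of the STIG or of STIGhub: it parses the output of the two commands from the Check Content ("sh ip access-list" and "sh run sec router msdp") and reports a finding for any MSDP peer that lacks an sa-limit or an inbound sa-filter referencing a defined ACL. The configuration text is a constructed sample (one compliant peer, one missing sa-limit); retrieving live output from the router (for example via eAPI) is left to the operator.

```python
import re

# Constructed sample output, not from a real device: the first peer matches the
# Fix Text, the second has the filter but no sa-limit (a finding).
SAMPLE_MSDP = """\
router msdp
   peer 10.1.12.2
      sa-filter in PIM_NEIGHBOR_SA_FILTER
      sa-limit 500
   peer 10.1.13.2
      sa-filter in PIM_NEIGHBOR_SA_FILTER
"""

SAMPLE_ACLS = """\
ip access-list PIM_NEIGHBOR_SA_FILTER
   10 deny ip any 224.1.1.0/24
   100 permit ip any any
"""


def parse_msdp_peers(config: str) -> dict:
    """Map each MSDP peer to its inbound SA filter name and SA limit (None if absent)."""
    peers, current = {}, None
    for line in config.splitlines():
        text = line.strip()  # EOS indents sub-commands; depth does not matter here
        if m := re.match(r"peer (\S+)$", text):
            current = m.group(1)
            peers[current] = {"sa_filter_in": None, "sa_limit": None}
        elif current and (m := re.match(r"sa-filter in (\S+)$", text)):
            peers[current]["sa_filter_in"] = m.group(1)
        elif current and (m := re.match(r"sa-limit (\d+)$", text)):
            peers[current]["sa_limit"] = int(m.group(1))
    return peers


def defined_acls(acl_config: str) -> set:
    """Names of IP ACLs present in 'show ip access-list' output."""
    return set(re.findall(r"^ip access-list (\S+)", acl_config, re.M))


def audit_v256037(msdp_config: str, acl_config: str) -> list:
    """Return finding strings for V-256037; an empty list means no finding.
    Applies to MSDP-enabled RP routers, so a config with no peers yields no findings."""
    findings, acls = [], defined_acls(acl_config)
    for ip, p in parse_msdp_peers(msdp_config).items():
        if p["sa_limit"] is None:
            findings.append(f"peer {ip}: no sa-limit defined")
        if p["sa_filter_in"] is None:
            findings.append(f"peer {ip}: no inbound sa-filter applied")
        elif p["sa_filter_in"] not in acls:
            findings.append(f"peer {ip}: sa-filter {p['sa_filter_in']} references an undefined ACL")
    return findings


if __name__ == "__main__":
    print(audit_v256037(SAMPLE_MSDP, SAMPLE_ACLS) or "no finding")
```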