V-269866

CAT III (Low)

The Dell OS10 multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.

Rule ID

SV-269866r1137932_rule

STIG

Dell OS10 Switch Router Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001414

Discussion

Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.

Check Content

Verify the RP router is configured to filter PIM join messages for any undesirable multicast groups. 

!
interface vlan100
 no shutdown
 ip pim sparse-mode
 ip pim join-filter PIM_JOINFILTER

!
ip access-list PIM_JOINFILTER
 seq 10 permit ip 10.10.10.0/24 226.1.1.0/24
 seq 20 permit ip any 225.1.1.0/24

If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.

Fix Text

Configure the RP to filter PIM join messages for any undesirable multicast groups.

Step 1: Configure an ACL that identifies which groups are allowed to join.

OS10(config)# ip access-list PIM_JOINFILTER
OS10(config-ipv4-acl)# permit ip 10.10.10.0/24 226.1.1.0/24
OS10(config-ipv4-acl)# permit ip any 225.1.1.0/24

Step 2: Configure a PIM join filter on the PIM interfaces. 

OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip pim join-filter PIM_JOINFILTER

NOTES:

* Dell Technologies recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process, resulting in excessive traffic being sent to the CPU of both the RP and the PIM DR of the source. Excessive traffic is generated when the join process from the RP back to the source is blocked due to a new source group being permitted in the join-filter. This results in the new source becoming stuck in registering on the DR and the continuous generation of UDP-encapsulated registration messages between the DR and RP routers, which are sent to the CPU.

* Do not configure a PIM join-filter on a source-connected interface (IIF) on a first-hop router (FHR) node. Applying a PIM join-filter with the rule deny ip any any might block creation of the (S,G) entries.

* A join filter applies to both incoming and outgoing joins. There is no option to specify in or out parameters when configuring a join filter.
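
Added example (not part of the STIG or of Dell documentation): a Python script that supports the Check Content review by parsing a saved running-config in the format shown above and reporting the join-filter status of every interface running PIM sparse mode. Interfaces without a filter, or with a filter ACL containing deny ip any any, are marked for review rather than as findings, because the notes above describe interfaces where a join filter should not be applied. The sample configuration is constructed; vlan200, vlan300 and UNDEFINED_ACL are made up.

```python
# Constructed sample: vlan100 and the ACL follow the page; vlan200, vlan300, UNDEFINED_ACL are made up.
SAMPLE_CONFIG = """\
interface vlan100
 ip pim sparse-mode
 ip pim join-filter PIM_JOINFILTER
!
interface vlan200
 ip pim sparse-mode
!
interface vlan300
 ip pim sparse-mode
 ip pim join-filter UNDEFINED_ACL
!
ip access-list PIM_JOINFILTER
 seq 10 permit ip 10.10.10.0/24 226.1.1.0/24
 seq 20 permit ip any 225.1.1.0/24
"""

def parse_blocks(config):  # maps each top-level line to its indented child lines
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0] != " ":
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit_join_filters(config):
    """Return (interface, status) for every interface running PIM sparse mode."""
    blocks = parse_blocks(config)
    acls = {h.split()[2]: b for h, b in blocks.items() if h.startswith("ip access-list ")}
    pim = {h[10:]: b for h, b in blocks.items() if h.startswith("interface ") and "ip pim sparse-mode" in b}
    results = []
    for name, body in pim.items():
        refs = [l.split()[3] for l in body if l.startswith("ip pim join-filter ")]
        if not refs:
            status = "REVIEW: no join-filter"
        elif refs[0] not in acls:
            status = "REVIEW: join-filter ACL %s is not defined" % refs[0]
        elif any(r.endswith("deny ip any any") for r in acls[refs[0]]):
            status = "REVIEW: ACL %s contains deny ip any any" % refs[0]
        else:
            status = "OK: filtered by %s" % refs[0]
        results.append((name, status))
    return results

if __name__ == "__main__": print(*audit_join_filters(SAMPLE_CONFIG), sep="\n")
```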