The Cisco ACI Multicast Source Discovery Protocol (MSDP) must be configured to filter source-active (SA) multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-272066 | SRG-NET-000018-RTR-000008 | CACI-RT-000006 | SV-272066r1115725_rule | 2025-06-18 | 1 |
| Description |
|---|
| To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private address, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks. |
| ℹ️ Check |
|---|
| If the ACI implementation does not use MSDP, this is not applicable.<br><br>Review the configuration for an SA filter applied to each external MSDP peer, for example:<br>`ip msdp sa-filter in <msdp_peer_address> list OUTBOUND_MSDP_SA_FILTER`<br><br>If the device is not configured with an export policy to filter local source-active multicast advertisements, this is a finding. |
| ✔️ Fix |
|---|
| Configure the switch to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.<br><br>1. Filter all SA messages coming from peer 10.1.1.2 except those for group 224.0.0.1. In the CLI, where <peer-ip> is the IP address of the external MSDP peer:<br>`apic1(config)# ip msdp sa-filter in 10.1.1.2 list OUTBOUND_MSDP_SA_FILTER`<br><br>2. ACL definition:<br>`apic1(config)# ip access-list extended OUTBOUND_MSDP_SA_FILTER`<br>`permit ip any 224.0.0.1 any` |
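An added compliance check for this rule, written as an example and not part of the STIG or of Cisco's tooling: it parses an IOS/NX-OS-style configuration fragment, reports any MSDP peer without an SA filter or whose filter names an undefined ACL, and evaluates the ACL against the (S, G) states the Description says must not leak. The configuration text, the private source address 10.0.0.5 and the `host` form of the ACE are constructed assumptions.

```python
import ipaddress
import re
# Constructed running-config fragment (not from the STIG): one MSDP peer with the Fix's SA
# filter applied, written with "host" so the ACE matches the group exactly.
SAMPLE_CONFIG = """\
ip msdp peer 10.1.1.2 connect-source loopback0
ip msdp sa-filter in 10.1.1.2 list OUTBOUND_MSDP_SA_FILTER
ip access-list extended OUTBOUND_MSDP_SA_FILTER
 permit ip any host 224.0.0.1
"""
# (S, G) states the Description says must stay local: a scoped group and the two auto-RP groups.
MUST_STAY_LOCAL = [("10.0.0.5", g) for g in ("239.1.1.1", "224.0.1.39", "224.0.1.40")]

def _spec(tokens):  # consume one ACL address spec (any | host A | A wildcard-mask)
    tok = tokens.pop(0)
    if tok in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tokens.pop(0) + "/32")
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)  # wildcard == hostmask

def parse_config(text):
    """Return (peers, {peer: acl_name}, {acl_name: [(action, src_net, dst_net), ...]})."""
    peers, filters, acls, cur = set(), {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"ip msdp peer (\S+)", line):
            peers.add(m.group(1)); cur = None
        elif m := re.match(r"ip msdp sa-filter (?:in|out) (\S+) list (\S+)", line):
            filters[m.group(1)] = m.group(2); cur = None
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur = acls.setdefault(m.group(1), [])
        elif cur is not None and line.startswith(" "):  # ACE belonging to the current ACL
            action, _proto, *rest = line.split()
            cur.append((action, _spec(rest), _spec(rest)))
    return peers, filters, acls

def sa_permitted(acl, source, group):  # first matching ACE decides; no match == implicit deny
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for action, src_net, dst_net in acl:
        if s in src_net and g in dst_net:
            return action == "permit"
    return False

def audit(text):  # returns finding strings; an empty list means the config passes this check
    peers, filters, acls = parse_config(text)
    findings = [f"peer {p}: no SA filter applied" for p in sorted(peers - set(filters))]
    for peer, name in sorted(filters.items()):
        if name not in acls:
            findings.append(f"peer {peer}: ACL {name} is not defined")
        findings += [f"peer {peer}: ACL {name} permits ({s}, {g})"
                     for s, g in MUST_STAY_LOCAL if sa_permitted(acls.get(name, []), s, g)]
    return findings
```

A `permit` for an overly broad group range (for example a wildcard covering all of 224.0.0.0/4) is reported once per leaked (S, G), which makes the output a direct map onto the finding text above.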