The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to limit the amount of source-active (SA) messages it accepts on per-peer basis.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-272067	SRG-NET-000018-RTR-000009	CACI-RT-000007	SV-272067r1113973_rule	2025-06-18	1

Description
To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer. To limit the amount of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command on the switch, specifying the maximum number of SA messages allowed per peer; this essentially acts as a per-peer limit to prevent overwhelming the device with multicast source information from a single source.

Description

To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer. To limit the amount of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command on the switch, specifying the maximum number of SA messages allowed per peer; this essentially acts as a per-peer limit to prevent overwhelming the device with multicast source information from a single source.

ℹ️ Check
If the ACI implementation does not use MSDP, this is not applicable. Review the switch configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis. show ip msdp If the ACI is not configured to limit the source-active messages it accepts, this is a finding.

✔️ Fix
To limit the amount of SA messages a Cisco ACI switch accepts from each MSDP peer, configure the "ip msdp sa-limit" command specifying the maximum number of SA messages allowed per peer. The following is an example: api1(config)# ip msdp sa-limit 10.1.1.1 MSDP_SA_FILTER