The Cisco ACI multicast rendezvous point (RP) must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the designated router (DR) for any undesirable multicast groups and sources.

Severity: low
Group ID: V-272073
Group Title: SRG-NET-000019-RTR-000013
Version: CACI-RT-000013
Rule ID: SV-272073r1168393_rule
Date: 2025-12-11
STIG Version: 1
Description
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, overusing the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources. Configuring route maps controls how RP information is distributed throughout the network. Specify the BSRs or mapping agents to be listened to on each client router and the list of candidates to be advertised (listened to) on each BSR and mapping agent to ensure that what is advertised is what is expected.
ℹ️ Check
Verify PIM compliance on the relevant multicast-enabled interfaces by viewing the route map configured on the PIM settings for the VRF in the GUI. Navigate to Tenants >> {{your_Tenants}} >> Networking >> VRFs >> {{Your_VRF}} >> multicast >> Configuration >> PIM settings >> Reserved Route MAP. If the Cisco ACI peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.
✔️ Fix
Configure an access list on the rendezvous point (RP) to explicitly deny PIM register messages originating from specific source-group combinations, effectively blocking the propagation of those multicast streams across the network. To do this, configure a route map on the PIM settings for the VRF in the GUI for the relevant multicast-enabled interfaces. Navigate to Tenants >> {{your_Tenants}} >> Networking >> VRFs >> {{Your_VRF}} >> multicast >> Configuration >> PIM settings >> Reserved Route MAP.