The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to authenticate all received MSDP packets.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272085 | SRG-NET-000343-RTR-000002 | CACI-RT-000025 | SV-272085r1114092_rule | 2025-06-18 | 1 |
| Description |
|---|
| MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP password authentication is used to validate each segment sent on the TCP connection between MSDP peers, protecting the MSDP session against the threat of spoofed packets being injected into the TCP connection stream. |
| ℹ️ Check |
|---|
| Review the Management Access configuration to determine if received MSDP packets are authenticated: 1. Navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access. 2. Verify the option for "Strict Security on APIC OOB Subnet" is selected. If the router does not require MSDP authentication, this is a finding. |
| ✔️ Fix |
|---|
| Enable the "Strict Security on APIC OOB Subnet" option within the Management Access settings on the APIC: 1. On the APIC GUI, navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access to find the relevant settings. 2. Select "Strict Security on APIC OOB Subnet". |