The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface.

Severity: medium
Group ID: V-272092
Group Title: SRG-NET-000362-RTR-000122
Version: CACI-RT-000032
Rule ID: SV-272092r1168163_rule
Date: 2025-12-11
STIG Version: 1
Description
Limiting mroute states helps prevent excessive multicast traffic from flooding the network by bounding the number of multicast groups a segment can join. Without a limit, any host that sends IGMP or MLD membership reports can create an unbounded number of multicast route entries on the fabric, so the limit also protects the leaf and APIC resources that hold that state and prevents performance degradation caused by excessive multicast traffic. Depending on the ACI configuration, a global IGMP state limit may be set that applies across all interfaces, or it may be necessary to configure limits on individual interfaces.
Check
Review the configuration of each relevant BD and verify it is configured to limit the number of multicast routes (mroute states) created by IGMP or MLD reports:

Tenants >> {{your_Tenant}} >> Networking >> Bridge Domain >> {{your_Bridge_Domain}} >> Policy >> General >> IGMP Policy >> Maximum Multicast Entries

If the ACI is not limiting the mroute states created by IGMP or MLD reports on either a global or a per-interface basis, this is a finding.
Fix
Configure a limit, on a global or per-interface basis, on the number of mroute states that IGMP or MLD membership reports may create:

Tenants >> {{your_Tenant}} >> Networking >> Bridge Domain >> {{your_Bridge_Domain}} >> Policy >> General >> IGMP Policy >> set Maximum Multicast Entries

Note: This setting limits the mroute states created by IGMP reports for the BD or interface. The default is disabled (no limit enforced). The valid range is 1-4294967295.