The RUCKUS ICX Multicast Source Discovery Protocol router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private address, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks.

Check for SA filter on MSDP peer: ICX# show msdp peer x.x.x.x | include Output  Output SA Filter:Applicable Output (S,G) route-map:out_MSDP_SA_filter Output RP route-map:None If any configured MSDP peer is not configured to filter outbound advertisements to avoid local-only multicast sources and groups, this is a finding.

Create access list to filter source-active multicast advertisements for any undesirable multicast groups and sources: ip access-list extended out_MSDP_SA_filter sequence 10 deny ip 10.0.0.0/8 any sequence 20 permit ip any any route-map out_MSDP_SA_filter permit 10 match ip address out_MSDP_SA_filter router msdp msdp-peer x.x.x.x sa-filter originate route-map out_MSDP_SA_filter !