The RUCKUS ICX Multicast Source Discovery Protocol router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-273576 | SRG-NET-000018-RTR-000008 | RCKS-RTR-000080 | SV-273576r1110885_rule | 2025-06-03 | 1 |
| Description |
|---|
| To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private addresses, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks. |
| ℹ️ Check |
|---|
| Check for SA filter on MSDP peer:<br>`ICX# show msdp peer x.x.x.x \| include Output`<br>`Output SA Filter:Applicable`<br>`Output (S,G) route-map:out_MSDP_SA_filter`<br>`Output RP route-map:None`<br>If any configured MSDP peer is not configured to filter outbound advertisements to avoid local-only multicast sources and groups, this is a finding. |
| ✔️ Fix |
|---|
| Create access list to filter source-active multicast advertisements for any undesirable multicast groups and sources:<br>`ip access-list extended out_MSDP_SA_filter`<br>`sequence 10 deny ip 10.0.0.0/8 any`<br>`sequence 20 permit ip any any`<br>`route-map out_MSDP_SA_filter permit 10`<br>`match ip address out_MSDP_SA_filter`<br>`router msdp`<br>`msdp-peer x.x.x.x sa-filter originate route-map out_MSDP_SA_filter`<br>`!` |
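
The Check above can be run across many peers by parsing the collected `show msdp peer x.x.x.x | include Output` text; the following is an added example, not part of the STIG or RUCKUS tooling. The peer addresses and sample text are constructed, and it is an assumption that an unfiltered peer reports `None` for the (S,G) route-map, as the page shows for the RP route-map.

```python
import re

# Constructed sample: output of `show msdp peer <addr> | include Output` per peer.
# 192.0.2.1 copies the compliant lines from the Check text. 192.0.2.2 assumes an
# unfiltered peer prints "None" for the (S,G) route-map (assumption, by analogy
# with the "Output RP route-map:None" line). 192.0.2.3 returned no matching lines.
SAMPLE = {
    "192.0.2.1": ("Output SA Filter:Applicable\n"
                  "Output (S,G) route-map:out_MSDP_SA_filter\n"
                  "Output RP route-map:None\n"),
    "192.0.2.2": ("Output (S,G) route-map:None\n"
                  "Output RP route-map:None\n"),
    "192.0.2.3": "",
}

# One "Output <field>:<value>" line, limited to the three fields the Check shows.
FIELD = re.compile(
    r"^\s*Output\s+(SA Filter|\(S,G\) route-map|RP route-map)\s*:\s*(.*?)\s*$")


def parse_output_fields(text):
    """Map each recognised field name to its value; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def outbound_sg_filter(text):
    """Return the outbound (S,G) route-map name, or None when the peer has none.

    An RP-only filter is treated as insufficient here, because the requirement
    concerns sources and groups (interpretation used by this example).
    """
    fields = parse_output_fields(text)
    name = fields.get("(S,G) route-map", "")
    if fields.get("SA Filter") != "Applicable" or name in ("", "None"):
        return None
    return name


def findings(peers):
    """Peers that are a finding: no outbound (S,G) SA filter could be confirmed."""
    return sorted(p for p, text in peers.items() if outbound_sg_filter(text) is None)


if __name__ == "__main__":
    for peer in findings(SAMPLE):
        print(f"FINDING: MSDP peer {peer} has no outbound (S,G) SA filter")
```

A peer whose output is missing or unparseable is reported as a finding rather than passed, so a failed collection cannot hide an unfiltered peer.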