UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Arista Multilayer Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.


Overview

Finding ID Version Rule ID IA Controls Severity
V-60893 AMLS-L3-000130 SV-75351r1_rule Medium
Description
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.
STIG Date
Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide 2016-03-29

Details

Check Text ( C-61841r1_chk )
Review the multicast topology diagram to determine if there are any documented Admin-Local (FFx4::/16), Site-Local (FFx5::/16), or Organization-Local (FFx8::/16) multicast boundaries for IPv6 traffic or any Local-Scope (239.255.0.0/16) boundaries for IPv4 traffic.

Verify the appropriate boundaries are configured on the applicable multicast-enabled interfaces via an "ip multicast boundary" statement in the interface configuration.

If the appropriate boundaries are not configured on applicable multicast-enabled interfaces, this is a finding.
Fix Text (F-66605r1_fix)
Configure the appropriate boundaries to contain packets addressed within the administratively scoped zone. Defined multicast addresses are FFx4::/16, FFx5::/16, FFx8::/16, and 239.255.0.0/16.

To create a PIM Boundary, create an access list by entering:

ip access-list [name]
[ip access list permit/deny statement]
exit

Then apply the boundary filter based on the accesslist to the PIM-enabled interface:

int ethernet [X]
ip multicast boundary [name-of-ACL]