The Cisco IOS XE router must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-74099	CISR-RT-000003	SV-88773r2_rule		Medium

Description
Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. Protocol Independent Multicast traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled. If a PIM neighbor filter is not applied to those interfaces that have PIM enabled, an unauthorized routers can join the PIM domain and discover and use the rendezvous points, and also advertise their rendezvous points into the domain. This can result in a denial of service by traffic flooding or result in the unauthorized transfer of data.

Description

Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. Protocol Independent Multicast traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled. If a PIM neighbor filter is not applied to those interfaces that have PIM enabled, an unauthorized routers can join the PIM domain and discover and use the rendezvous points, and also advertise their rendezvous points into the domain. This can result in a denial of service by traffic flooding or result in the unauthorized transfer of data.

STIG	Date
Cisco IOS XE Release 3 RTR Security Technical Implementation Guide	2018-12-20

Details

Check Text ( C-74185r2_chk )
Step 1: Verify that an ACL is configured that will specify the allowable PIM neighbors similar to the following example: ip access-list standard PIM-NEIGHBORS permit 192.0.2.1 permit 192.0.2.3 Step 2: Verify that a pim neighbor-filter command is configured on all PIM enabled interfaces that is referencing the PIM neighbor ACL similar to the following example: interface GigabitEthernet0/3 ip address 192.0.2.2 255.255.255.0 ip pim sparse-mode pim neighbor-filter PIM-NEIGHBORS If the Cisco IOS XE router has not been configured with PIM neighbor filter on all PIM-enabled interfaces, this is a finding.

Check Text ( C-74185r2_chk )

Step 1: Verify that an ACL is configured that will specify the allowable PIM neighbors similar to the following example:

ip access-list standard PIM-NEIGHBORS
permit 192.0.2.1
permit 192.0.2.3

Step 2: Verify that a pim neighbor-filter command is configured on all PIM enabled interfaces that is referencing the PIM neighbor ACL similar to the following example:

interface GigabitEthernet0/3
ip address 192.0.2.2 255.255.255.0
ip pim sparse-mode
pim neighbor-filter PIM-NEIGHBORS

If the Cisco IOS XE router has not been configured with PIM neighbor filter on all PIM-enabled interfaces, this is a finding.

Fix Text (F-80641r2_fix)
Configure the Cisco IOS XE router with PIM neighbor filters on all PIM-enabled interfaces as shown in the example below: ip access-list standard PIM-NEIGHBORS permit 192.0.2.1 permit 192.0.2.3 ... ... ... interface GigabitEthernet0/3 ip address 192.0.2.2 255.255.255.0 ip pim sparse-mode ip pim neighbor-filter PIM-NEIGHBORS