The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-97011	CISC-RT-000810	SV-106149r1_rule		Low

Description
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.

Description

If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.

STIG	Date
Cisco IOS XE Router RTR Security Technical Implementation Guide	2019-12-20

Details

Check Text ( C-95847r1_chk )
Review the router configuration and verify that admin-scope multicast traffic is blocked at the external edge as shown in the example below: interface GigabitEthernet1/2 ip address x.1.12.2 255.255.255.252 ip pim sparse-mode ip multicast boundary MULTICAST_SCOPE … … … ip access-list standard MULTICAST_SCOPE deny 239.0.0.0 0.255.255.255 permit any If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.

Check Text ( C-95847r1_chk )

Review the router configuration and verify that admin-scope multicast traffic is blocked at the external edge as shown in the example below:

interface GigabitEthernet1/2
ip address x.1.12.2 255.255.255.252
ip pim sparse-mode
ip multicast boundary MULTICAST_SCOPE
…
…
…
ip access-list standard MULTICAST_SCOPE
deny 239.0.0.0 0.255.255.255
permit any

If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.

Fix Text (F-102691r1_fix)
Step 1: Configure the ACL to deny packets with multicast administratively scoped destination addresses as shown in the example below: R2(config)#ip access-list standard MULTICAST_SCOPE R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255 R2(config-std-nacl)#permit any R2(config-std-nacl)#exit Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below: R2(config)#int g1/2 R2(config-if)#ip multicast boundary MULTICAST_SCOPE R2(config-if)#end

Fix Text (F-102691r1_fix)

Step 1: Configure the ACL to deny packets with multicast administratively scoped destination addresses as shown in the example below:

R2(config)#ip access-list standard MULTICAST_SCOPE
R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit

Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below:

R2(config)#int g1/2
R2(config-if)#ip multicast boundary MULTICAST_SCOPE
R2(config-if)#end