UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216727 CISC-RT-000890 SV-216727r855833_rule Medium
Description
ASM can have many sources for the same groups (many-to-many). For many receivers, the path via the RP may not be ideal compared with the shortest path from the source to the receiver. By default, the last-hop router will initiate a switch from the shared tree to a source-specific SPT to obtain lower latencies. This is accomplished by the last-hop router sending an (S, G) Protocol Independent Multicast (PIM) Join toward S (the source). When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.
STIG Date
Cisco IOS XE Router RTR Security Technical Implementation Guide 2022-11-22

Details

Check Text ( C-17960r288123_chk )
Review the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over).

ip pim rp-address 10.2.2.2
ip pim spt-threshold infinity

If the DR is not configured to increase the SPT threshold or set to infinity to minimalize (S, G) state, this is a finding.
Fix Text (F-17958r288124_fix)
Configure the DR to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed.

R3(config)#ip pim spt-threshold infinity