Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-96851 | CISC-RT-000940 | SV-105989r1_rule | Low |
| Description |
|---|
| To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer. |
| STIG | Date |
|---|---|
| Cisco IOS XR Router RTR Security Technical Implementation Guide | 2020-06-30 |
Details
| Check Text ( C-95687r1_chk ) |
|---|
| Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis. router msdp … … … peer 4.4.4.4 remote-as 33 maximum external-sa 555 ! peer 5.5.5.5 remote-as 44 maximum external-sa 555 ! ! If the router is not configured to limit the source-active messages it accepts, this is a finding. |
| Fix Text (F-102531r1_fix) |
|---|
| Configure the router to limit the amount of source-active messages it accepts from each peer. RP/0/0/CPU0:R2(config)#router msdp RP/0/0/CPU0:R2(config-msdp)#peer x.14.2.1 RP/0/0/CPU0:R2(config-msdp-peer)#maximum external-sa nnn RP/0/0/CPU0:R2(config-msdp-peer)#exit RP/0/0/CPU0:R2(config-msdp)#peer x.15.3.5 RP/0/0/CPU0:R2(config-msdp-peer)#maximum external-sa nnn RP/0/0/CPU0:R2(config-msdp-peer)#end |