UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to only accept MSDP packets from known MSDP peers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221142 CISC-RT-000900 SV-221142r622190_rule Medium
Description
MSDP peering with customer network switches presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled switch. To guard against an attack from malicious MSDP traffic, the receive path or interface filter for all MSDP-enabled RP switches must be configured to only accept MSDP packets from known MSDP peers.
STIG Date
Cisco NX-OS Switch RTR Security Technical Implementation Guide 2021-03-29

Details

Check Text ( C-22857r409915_chk )
Review the switch configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers.

Step 1: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example below:

interface Ethernet2/3
no switchport
ip access-group EXTERNAL_ACL_INBOUND in
ip address x.1.28.8/24
ip pim sparse-mode

Step 2: Verify that the ACL restricts MSDP peering to only known sources.

ip access-list EXTERNAL_ACL_INBOUND
10 permit tcp any any established
20 permit tcp x.1.28.2/32 x.1.28.8/32 eq 639
30 deny tcp any x.1.28.8/32 eq 639 log
40 permit tcp x.1.28.2/32 10.x.28.8/32 eq bgp
50 permit tcp x.1.28.2/32 eq bgp x.1.28.8/32
60 permit pim x.1.28.2/32 x.1.28.8/32



120 deny ip any any log

Note: MSDP connections are via TCP port 639.

If the switch is not configured to only accept MSDP packets from known MSDP peers, this is a finding.
Fix Text (F-22846r409916_fix)
Configure the receive path or interface ACLs to only accept MSDP packets from known MSDP peers.

SW1(config)# ip access-list EXTERNAL_ACL_INBOUND
SW1(config-acl) # permit tcp any any established
SW1(config-acl) # permit tcp host x.1.28.2 host x.1.28.8 eq 639
SW1(config-acl) # deny tcp any host x1.28.8 eq 639
SW1(config-acl) # permit tcp host x.1.28.2 host x.1.28.8 eq bgp
SW1(config-acl) # permit tcp host x.1.28.2 eq bgp host x.1.28.8
SW1(config-acl) # permit pim host x.1.28.2 host x.1.28.8



SW1(config-acl)# deny ip any any