
The administrator must ensure that a PIM neighbor filter is bound to all interfaces that have PIM enabled.


Overview

Finding ID: V-30578
Version: NET-MCAST-002
Rule ID: SV-40315r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM control traffic must be limited to known PIM neighbors by configuring a PIM neighbor filter and binding it to every interface that has PIM enabled, so that only the routers documented in the multicast topology can form an adjacency and influence the distribution tree.
STIG: Infrastructure L3 Switch - Cisco Security Technical Implementation Guide
Date: 2017-09-28

Details

Check Text ( C-39168r1_chk )
Review the router or multi-layer switch to determine whether IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that every interface enabled for PIM has a neighbor filter that accepts PIM control-plane traffic only from the routers documented in the multicast topology diagram.

IPv4

Step 1: Verify that an ACL is configured that specifies the allowable PIM neighbors, similar to the following example:

ip access-list standard PIM_NEIGHBORS
permit 192.0.2.1
permit 192.0.2.3
deny any log


Step 2: Verify that a pim neighbor-filter command referencing the PIM neighbor ACL is configured on all PIM-enabled interfaces, similar to the following example:

interface FastEthernet0/3
ip address 192.0.2.2 255.255.255.0
ip pim sparse-mode
ip pim neighbor-filter PIM_NEIGHBORS


IPv6

Step 1: Verify that an IPv6 ACL is configured that specifies the allowable PIM neighbors, similar to the following example:

ipv6 access-list PIM_NEIGHBORS
permit ipv6 host FE80::1 any
permit ipv6 host FE80::3 any
deny ipv6 any any log

Note: IPv6 PIM adjacencies are formed using the neighboring routers' link-local unicast addresses, so the ACL must permit the link-local (FE80::/10) source address of each documented neighbor, not its global address.

Step 2: Verify that the global pim neighbor-filter command references that ACL. On Cisco IOS the IPv6 filter is applied once in global configuration rather than per interface, so it covers every interface on which IPv6 PIM is enabled:

ipv6 pim neighbor-filter list PIM_NEIGHBORS
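The two checks above (IPv4 per interface, IPv6 global) can be performed offline against a saved `show running-config`. The following script is an added example, not part of the STIG or any vendor tooling: it parses classic Cisco IOS syntax, reports PIM-enabled interfaces without `ip pim neighbor-filter`, filters that reference an undefined ACL, ACLs that permit any neighbor, and a missing or dangling global `ipv6 pim neighbor-filter list` when IPv6 multicast routing is on. The sample configuration is constructed for illustration; NX-OS and IOS-XR use different commands and are not handled.

```python
"""Added example (not part of the STIG): offline audit of a Cisco IOS
running-config for NET-MCAST-002 (PIM neighbor filters)."""
from typing import Dict, List

# Interface-level commands that enable IPv4 PIM on classic Cisco IOS.
PIM_MODES = ("ip pim sparse-mode", "ip pim sparse-dense-mode", "ip pim dense-mode")


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level line (e.g. 'interface Gi0/1') to its indented body lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):          # indented: belongs to the current section
            if current is not None:
                sections[current].append(raw.strip())
        else:                            # top level: starts a new (possibly empty) section
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[str]:
    """Return one finding string per violation; an empty list means compliant."""
    sections = parse_sections(config)
    top = list(sections)
    findings: List[str] = []

    v4_acls = {k.split()[3]: b for k, b in sections.items()
               if k.startswith("ip access-list standard ")}
    v6_acls = {k.split()[2] for k in top if k.startswith("ipv6 access-list ")}
    v4_mcast = any(k.startswith("ip multicast-routing") for k in top)
    v6_mcast = any(k.startswith("ipv6 multicast-routing") for k in top)

    if v4_mcast:
        for name, body in sections.items():
            if not name.startswith("interface ") or not any(l in PIM_MODES for l in body):
                continue
            filt = [l.split()[-1] for l in body if l.startswith("ip pim neighbor-filter ")]
            if not filt:
                findings.append(f"{name}: PIM enabled without 'ip pim neighbor-filter'")
            elif filt[0] not in v4_acls:
                findings.append(f"{name}: neighbor-filter references undefined ACL {filt[0]}")
            elif any(e.split()[:2] == ["permit", "any"] for e in v4_acls[filt[0]]):
                findings.append(f"{name}: ACL {filt[0]} permits any neighbor")

    if v6_mcast:
        # On IOS the IPv6 neighbor filter is a single global command.
        v6_filt = [k.split()[-1] for k in top if k.startswith("ipv6 pim neighbor-filter list ")]
        if not v6_filt:
            findings.append("global: IPv6 multicast routing on without 'ipv6 pim neighbor-filter list'")
        elif v6_filt[0] not in v6_acls:
            findings.append(f"global: ipv6 pim neighbor-filter references undefined ACL {v6_filt[0]}")
    return findings


# Constructed sample config: Fa0/3 is compliant, Gi0/1 has no filter,
# Gi0/2 references an ACL that does not exist, Loopback0 has no PIM.
SAMPLE_CONFIG = """\
ip multicast-routing
ipv6 multicast-routing
!
ip access-list standard PIM_NEIGHBORS
 permit 192.0.2.1
 permit 192.0.2.3
 deny   any log
!
ipv6 access-list PIM_NEIGHBORS_V6
 permit ipv6 host FE80::1 any
 deny ipv6 any any log
!
ipv6 pim neighbor-filter list PIM_NEIGHBORS_V6
!
interface FastEthernet0/3
 ip address 192.0.2.2 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter PIM_NEIGHBORS
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip pim sparse-mode
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter MISSING_ACL
!
interface Loopback0
 ip address 192.0.2.254 255.255.255.255
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a real config with `audit(open("running-config.txt").read())`; two findings are expected for the sample above (Gi0/1 and Gi0/2). Because IOS enables IPv6 PIM on every IPv6 interface once `ipv6 multicast-routing` is on, the script treats the absence of the global `ipv6 pim neighbor-filter list` as a finding regardless of interface contents.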
Fix Text (F-34301r1_fix)
If IPv4 or IPv6 multicast routing is enabled, ensure that every interface enabled for PIM has a neighbor filter that accepts PIM control-plane traffic only from the routers documented in the multicast topology diagram.