Free DISA STIG and SRG Library | Vaulted

V-30578

The administrator must ensure that a PIM neighbor filter is bound to all interfaces that have PIM enabled.

Finding ID: NET-MCAST-002
Rule ID: SV-40315r1_rule
Severity: Cat II
CCE: (None)
Group Title: PIM neighbor filter is not configured
CCI: (None)
Target Key: (None)
Documentable: No
Discussion

Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled.

Fix Text

If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM have a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.

Check Content

Review the router or multi-layer switch to determine if either IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that all interfaces enabled for PIM have a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.

IPv4

Step 1: Verify that an ACL is configured that will specify the allowable PIM neighbors similar to the following example:

    ip access-list standard PIM_NEIGHBORS
     permit 192.0.2.1
     permit 192.0.2.3
     deny any log

Step 2: Verify that a pim neighbor-filter command is configured on all PIM-enabled interfaces and references the PIM neighbor ACL, similar to the following example:

    interface FastEthernet0/3
     ip address 192.0.2.2 255.255.255.0
     ip pim sparse-mode
     ip pim neighbor-filter PIM_NEIGHBORS

IPv6

Step 1: Verify that an ACL is configured that will specify the allowable PIM neighbors similar to the following example:

    ipv6 access-list PIM_NEIGHBORS
     permit host FE80::1 any
     permit host FE80::3 any
     deny any any log

Note: IPv6 PIM adjacencies are created using the router unicast link-local addresses.

Step 2: Verify that a pim neighbor-filter global command is configured:

    ipv6 pim neighbor-filter list PIM_NEIGHBORS
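The IPv4 steps above can be automated against a saved running-config. The following is an added example, not part of the STIG text: it assumes Cisco IOS-style indented configuration, covers the IPv4 per-interface check only, and the function name and sample configuration are constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
ip multicast-routing
ip access-list standard PIM_NEIGHBORS
 permit 192.0.2.1
 permit 192.0.2.3
 deny any log
!
interface FastEthernet0/3
 ip address 192.0.2.2 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter PIM_NEIGHBORS
!
interface FastEthernet0/4
 ip pim sparse-mode
!
interface FastEthernet0/5
 ip pim sparse-mode
 ip pim neighbor-filter MISSING_ACL
!
interface FastEthernet0/6
 ip address 198.51.100.1 255.255.255.0
"""

def audit_pim_neighbor_filters(config):
    """Return {interface: reason} for IPv4 PIM interfaces that fail the check."""
    # Step 1: collect the named standard ACLs that are actually defined.
    acls = set(re.findall(r"^ip access-list standard (\S+)", config, re.M))
    findings = {}
    # A stanza is one non-indented line plus the indented lines under it.
    for stanza in re.split(r"\n(?=\S)", config):
        if not stanza.strip():
            continue
        head, *body = stanza.splitlines()
        m = re.match(r"interface (\S+)", head)
        if not m:
            continue
        lines = [l.strip() for l in body]
        if not any(re.match(r"ip pim (sparse|dense|sparse-dense)-mode", l) for l in lines):
            continue  # PIM is not enabled on this interface, so it is out of scope
        # Step 2: a PIM-enabled interface must bind a neighbor filter to a defined ACL.
        filt = [l.split()[-1] for l in lines if l.startswith("ip pim neighbor-filter ")]
        if not filt:
            findings[m.group(1)] = "no neighbor filter bound"
        elif filt[0] not in acls:
            findings[m.group(1)] = f"filter references undefined ACL {filt[0]}"
    return findings

if __name__ == "__main__":
    print(audit_pim_neighbor_filters(SAMPLE_CONFIG))
```

The script confirms only that a filter is bound and its ACL exists; the permitted addresses still have to be compared against the multicast topology diagram by the reviewer.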

Responsibility

Information Assurance Officer