Free DISA STIG and SRG Library | Vaulted

V-30578

The administrator must ensure that a PIM neighbor filter is bound to all interfaces that have PIM enabled.

Finding ID
NET-MCAST-002
Rule ID
SV-40316r1_rule
Severity
Cat II
CCE
(None)
Group Title
PIM neighbor filter is not configured
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution tress for forwarding multicast traffic across the network infrastructure. PIM traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled.

Fix Text

If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM has a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.

Check Content

Review the router or multi-layer switch to determine if either IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that all interfaces enabled for PIM has a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram. JUNOS does not have a PIM neighbor filter; Hence, a firewall filter will have to be used similar to the example shown below. Step 1: Verify that an input filter is configured that will specify the allowable PIM neighbors similar to the following example. firewall { filter input-filter { term pim-neighbors { from { source-address { 192.0.2.1/32; 192.0.2.3/32; } destination-address { 224.0.0.13/32; } protocol pim; } then accept; } term … Step 2: Verify that an input filter is applied to all PIM enabled interfaces. The configuration should look similar to the following: interfaces fe-1/1/1 { unit 0 { family inet { filter { input input-filter; } address 192.0.2.2/32; } } } To determine which interfaces are enabled for PIM, review the interface section within the protocols pim hierarchy that will look similar to the following example: protocols { … pim { interface all { mode sparse; } } }

Responsibility

Information Assurance Officer