From Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
Part of SRG-NET-000019-RTR-000005
Associated with: CCI-001414
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.
Review the multicast topology diagram to determine if there are any documented Admin-Local (FFx4::/16), Site-Local (FFx5::/16), or Organization-Local (FFx8::/16) multicast boundaries for IPv6 traffic or any Local-Scope (239.255.0.0/16) boundaries for IPv4 traffic. Verify the appropriate boundaries are configured on the applicable multicast-enabled interfaces via an "ip multicast boundary" statement in the interface configuration. If the appropriate boundaries are not configured on applicable multicast-enabled interfaces, this is a finding.
Configure the appropriate boundaries to contain packets addressed within the administratively scoped zone. Defined multicast addresses are FFx4::/16, FFx5::/16, FFx8::/16, and 239.255.0.0/16. To create a PIM Boundary, create an access list by entering: ip access-list [name] [ip access list permit/deny statement] exit Then apply the boundary filter based on the accesslist to the PIM-enabled interface: int ethernet [X] ip multicast boundary [name-of-ACL]
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer