Network Infrastructure Policy Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V10R3

Published: 2022-06-07

Updated At: 2022-08-25 11:38:37

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter

Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-251333r805954_rule NET0160 CCI-001101 HIGH Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.). Analysis of DoD reported incidents reveal current protective measures at the NIPRNet boundary points are insufficient. Documented ISPs and validated architectures for DMZs are necessary to protect internal network resources from cyber attacks originating
    SV-251334r805957_rule NET0140 CCI-001121 LOW The connection between the Channel Service Unit/Data Service Unit (CSU/DSU) and the Local Exchange Carriers (LEC) data service jack (i.e., demarc) as well as any service provider premise equipment must be located in a secure environment. DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attacks against the site and the LAN infrastructure.
    SV-251335r805960_rule NET-IDPS-016 CCI-001097 MEDIUM An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers. The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS te
    SV-251336r805963_rule NET-IDPS-018 CCI-001097 MEDIUM An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers. Attacks can originate within the enclave boundary. Hence, deploying an IDPS on the network segment hosting web, application, and database servers is imperative. The servers are critical resource and the network segment hosting them will receive the most t
    SV-251337r805966_rule NET-IDPS-019 CCI-001097 MEDIUM An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers. The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS te
    SV-251338r805969_rule NET-IDPS-021 CCI-001097 MEDIUM An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave. Per CJCSI 6510.01F, Enclosure A-5, Paragraph 8, "DOD ISs (e.g., enclaves, applications, outsourced IT-based process, and platform IT interconnections) shall be monitored to detect and react to incidents, intrusions, disruption of services, or other unaut
    SV-251339r805972_rule NET-IDPS-024 CCI-000366 MEDIUM Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations. User interface services must be physically or logically separated from data storage and management services. Data from IDS sensors must be protected by confidentiality controls; from being lost and altered.
    SV-251340r805975_rule NET-IDPS-025 CCI-000366 MEDIUM Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic. All IDPS data collected by agents in the enclave at required locations must also be protected by logical separation when in transit from the agent to the management or database servers located on the Network Management subnet.
    SV-251341r805978_rule NET-IDPS-027 CCI-000366 LOW Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly. Administrators should ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically as needed to support accurate detection. The ISSM is required to have the enclave prepared for readiness by raising
    SV-251342r805981_rule NET-IDPS-029 CCI-000366 MEDIUM If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed. In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated SFTP server within the management network. The SFTP server should be configured to allow r
    SV-251343r805984_rule NET-IDPS-030 CCI-000366 MEDIUM If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors. In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated secure file server within the management network. The file server should be configured to
    SV-251344r805987_rule NET-IDPS-031 CCI-000366 LOW The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration. There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., r
    SV-251345r805990_rule NET-IDPS-032 CCI-000366 LOW The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files. There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., r
    SV-251346r805993_rule NET-IDPS-033 CCI-000366 MEDIUM The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data. IDPS data needs to be backed up to ensure preservation in the case a loss of data due to hardware failure or malicious activity.
    SV-251347r805996_rule NET-IDPS-035 CCI-000366 LOW The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor. Keeping the IDPS software updated with the latest engine and attack signatures will allow for the IDPS to detect all forms of known attacks. Not maintaining the IDPS properly could allow for attacks to go unnoticed.
    SV-251348r819076_rule NET-TUNL-026 CCI-001414 HIGH Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclaves private network. Allowing encapsulated traffic to bypass the enclave's network perimeter without being filtered and inspected leaves the enclave vulnerable to malicious traffic that could result in compromise and denial of service. The destination of these packets could b
    SV-251349r806002_rule NET-TUNL-028 CCI-002396 MEDIUM Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation. CJCSI 6211.02D instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E mandates that the CC/S/A document all IP tunnels transportin
    SV-251350r835280_rule NET-TUNL-030 CCI-002366 HIGH DSAWG approval must be obtained before tunneling classified traffic outside the components local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure. CJCSI 6211.02E instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E mandates that the CC/S/A obtain DSAWG approval before tunnel
    SV-251351r806008_rule NET-TUNL-031 CCI-002396 MEDIUM Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15. When transporting classified data over an unclassified IP network, it is imperative that traffic from the classified enclave or community of interest is encrypted prior reaching the point of presence or service delivery node of the unclassified network. C
    SV-251352r806011_rule NET-VLAN-001 CCI-000366 MEDIUM The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked. Since the IDF includes all hardware required to connect horizontal wiring to the backbone, it is imperative that all switches and associated cross-connect hardware are kept in a secured IDF or an enclosed cabinet that is kept locked. This will also preven
    SV-251353r806014_rule NET0090 CCI-001098 MEDIUM Network topology diagrams for the enclave must be maintained and up to date at all times. To assist in the management, auditing, and security of the network infrastructure facility drawings and topology maps are a necessity. Topology maps are important because they show the overall layout of the network infrastructure and where devices are ph
    SV-251354r806017_rule NET0130 CCI-001121 MEDIUM All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements. Every site must have a security policy to address filtering of the traffic to and from those connections. This documentation along with diagrams of the network topology is required to be submitted to the Connection Approval Process (CAP) for approval to
    SV-251355r806020_rule NET0131 CCI-001121 MEDIUM Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established. Prior to establishing a connection with another activity, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) must be established between the two sites prior to connecting with each other.
    SV-251356r806023_rule NET0135 CCI-001121 MEDIUM External connections to the network must be reviewed and the documentation updated semi-annually. A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a minimum needed for operations. All external connections should be treated as untrusted networks. Reviewing who or what the network is
    SV-251357r806026_rule NET0168 CCI-001101 MEDIUM If the site has a non-DoD external connection (i.e. Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the sites Approved Gateway and the perimeter router. The incorrect placement of the external IDPS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. In order to ensure that an attempted or existing attack goes unno
    SV-251358r806029_rule NET0170 CCI-001102 MEDIUM External network connections must not bypass the enclaves perimeter security. Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networks to the organization are considered to be untrusted, thi
    SV-251359r806032_rule NET0180 CCI-000366 MEDIUM All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC). If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized personnel resulting in security compromise of site information and resources. Allowing subscribers onto the network whose IP addres
    SV-251360r808530_rule NET0185 CCI-000366 MEDIUM Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave. The DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitoring of SIPRNet, as a National Security System (NSS). The use of NAT and private IP address space inhibits the view of specialized DI
    SV-251361r809044_rule NET0198 CCI-001932 MEDIUM Dynamic Host Configuration Protocol (DHCP) audit and event logs must record sufficient forensic data to be stored online for thirty days and offline for one year. In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hostnames on the DHCP server, in addition to standard data such as IP address and date/time.
    SV-251362r806041_rule NET0199 CCI-001902 LOW Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days. In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the minimum lease duration time configured to 30 or more days.
    SV-251363r806044_rule NET0210 CCI-000921 MEDIUM All network infrastructure devices must be located in a secure room with limited access. If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment failure exists, which could result in denial of service or security compromise. It is not sufficient to limit access to only the out
    SV-251364r806047_rule NET0346 CCI-002395 MEDIUM All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ). Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such as access to the entire network,
    SV-251365r806050_rule NET0348 CCI-000366 MEDIUM All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension. Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such as access to the entire network,
    SV-251366r806053_rule NET0351 CCI-000262 MEDIUM When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ). The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the firewall into the architecture in a manner that allows the firewall the ability to screen content for all three destinations.
    SV-251367r806056_rule NET0365 CCI-001116 HIGH The organization must implement a deep packet inspection solution when protecting perimeter boundaries. Deep packet inspection (DPI) examines the packet beyond the Layer 4 header by examining the payload to identify the application or service. DPI searches for illegal statements, predefined criteria, malformed packets, and malicious code, thereby enabling t
    SV-251368r806059_rule NET0369 CCI-002080 HIGH A deny-by-default security posture must be implemented for traffic entering and leaving the enclave. To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known
    SV-251369r806062_rule NET0445 CCI-000765 MEDIUM Two-factor authentication must be implemented to restrict access to all network elements. Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access to network managed devices compromised, large parts of the
    SV-251370r806065_rule NET0810 CCI-000366 LOW Two Network Time Protocol (NTP) servers must be deployed in the management network. NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of fai
    SV-251371r806068_rule NET0928 CCI-000366 MEDIUM A policy must be implemented to keep Bogon/Martian rulesets up to date. A Bogon route or Martian address is a type of packet that should never be routed inbound through the perimeter device. Bogon routes and Martian addresses are commonly found as the source addresses of DDoS attacks. By not having a policy implemented to k
    SV-251372r806071_rule NET0998 CCI-000366 MEDIUM A dedicated management network must be implemented. To deploy a management network for the purpose of controlling, monitoring, and restricting management traffic, a separate management subnet must be implemented. Define a large enough address block that will enable the management network to scale in propor
    SV-251373r806074_rule NET1025 CCI-001575 LOW A centralized syslog server must be deployed in the management network. Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.
    SV-251374r806077_rule NET1026 CCI-000167 LOW Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year. Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.
    SV-251375r806080_rule NET1040 CCI-001785 LOW Current and previous network element configurations must be stored in a secured location. If the network element's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to the switch or router will be without service for a lon
    SV-251376r806083_rule NET1050 CCI-002345 MEDIUM The organization must encrypt all network device configurations while stored offline. If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to the switch or router will be without service for a longer
    SV-251377r808534_rule NET1622 CCI-000366 MEDIUM An Out-of-Band (OOB) management network must be deployed or 24x7 personnel must have console access for device management. From an architectural point of view, providing Out-Of-Band (OOB) management of network systems is the best first step in any management strategy. No production traffic resides on an out-of-band network. The biggest advantage to implementation of an OOB ne
    SV-251378r806089_rule NET1815 CCI-000366 MEDIUM All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA). The ISSM will ensure Releasable Local Area Network (REL LAN) environments are documented in the SSAA.
    SV-251379r806092_rule NET1816 CCI-000366 MEDIUM Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments. The ISSM will ensure Releasable Local Area Network (REL LAN) reviews are performed annually.
    SV-251380r806095_rule NET1826 CCI-000366 HIGH Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility. Having a circuit provisioned that connects the SIPRNet enclave to a non-DoD, foreign, or contractor network puts the enclave and the entire SIPRNet at risk. If the termination point is not operated by the government, there is no control to ensure that the
    SV-251381r806098_rule NET1827 CCI-000366 MEDIUM Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation. Any exception to use SIPRNet must be documented in an update to the enclave's accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation.
    SV-251382r806101_rule NET1832 CCI-000366 MEDIUM VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information. When transporting classified data over an unclassified IP network, it is imperative that the network elements deployed to provision the encrypted tunnels are located in a facility authorized to process the data at the proper classification level.
    SV-251383r806104_rule NET2000 CCI-000803 MEDIUM Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available. Spoofed TCP segments could be introduced into the connection streams for LDP sessions used to build LSPs. By configuring strict authentication between LSR peers, LDP TCP sessions can be restricted and the integrity of LSPs can be guarded using the TCP MD5
    SV-251384r806107_rule NET2001 CCI-001097 MEDIUM Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers. MPLS label exchange via Label Distribution Protocol (LDP) or Resource Reservation Protocol (RSVP) with any external neighbor creates the risk of label spoofing that could disrupt optimum routing, or even drop packets that are encapsulated with a label tha
    SV-251385r806110_rule NET2002 CCI-001549 LOW Label Distribution Protocol (LDP) must be synchronized with the Interior Gateway Protocol (IGP) to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange. Packet loss can occur when an IGP adjacency is established and the router begins forwarding packets using the new adjacency before the LDP label exchange completes between the peers on that link. Packet loss can also occur if an LDP session closes and the
    SV-251386r806113_rule NET2004 CCI-000366 LOW Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches. Spanning Tree Protocol (STP) is implemented on bridges and switches to prevent Layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant links are provisioned to provide high availability in case of link failures. Conver
    SV-251387r806116_rule NET2005 CCI-001095 LOW A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic. Different applications have unique requirements and toleration levels for delay, jitter, packet loss, and availability. To manage the multitude of applications and services, a network requires a Quality of Service (QoS) framework to differentiate traffic
    SV-251388r806119_rule NET2006 CCI-001414 MEDIUM Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing. PIM is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM operates independent of any particular IP routing protocol but makes use of the IP unicast routing table--PIM does not keep a separate multicast routing table. The
    SV-251389r806122_rule NET2007 CCI-001414 LOW A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic. Protocol Independent Multicast (PIM) is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have
    SV-251390r806125_rule NET2008 CCI-001414 LOW The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge. A multicast boundary must be established to ensure that administratively-scoped multicast traffic does not flow into or out of the IP core. The multicast boundary can be created by ensuring that COI-facing interfaces on all PIM routers are configured to b
    SV-251391r806128_rule NET2009 CCI-001414 LOW The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge. With static RP, the RP address for any multicast group must be consistent across all routers in a multicast domain. A static configuration is simple and convenient. However, if the statically defined RP router becomes unreachable, there is no automatic fa
    SV-251392r806131_rule NET2010 CCI-001414 LOW Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups. Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand up a PIM-SM router that will be incorporated into the JIE shared tree structure by establishing a peering session with an RP rout
    SV-251393r806134_rule NET2011 CCI-001414 LOW Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups. Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand up a PIM-SM router that will be incorporated into the JIE shared tree structure by establishing a peering session with an RP rout
    SV-251394r806137_rule NET2012 CCI-001095 MEDIUM Multicast register messages must be rate limited per each source-group (S, G) entry. When a new source starts transmitting in a PIM Sparse Mode network, the DR will encapsulate the multicast packets into register messages and forward them to the Rendezvous Point (RP) using unicast. This process can be taxing on the CPU for both the DR and
    SV-251395r806140_rule NET2013 CCI-001414 LOW Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization. Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (e.g., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption resulting in extrem
    SV-251396r806143_rule NET2014 CCI-001095 MEDIUM The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited. The current multicast paradigm can let any host join any multicast group at any time by sending an Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership report to the Designated Router (DR). In a PIM Sparse Mode networ
    SV-251397r806146_rule NET2015 CCI-001095 MEDIUM The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed. Any Source Multicast (ASM) can have many sources for the same groups (many-to-many). For many receivers, the path via the Rendezvous Point (RP) may not be ideal compared with the shortest path from the source to the receiver. By default, the last-hop rout
    SV-251398r806149_rule NET2016 CCI-001095 LOW Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer. The last-hop router sends the multicast packet out the interface towards the LAN containing interested receivers. The default behavior for a Layer 2 switch is to forward all multicast traffic out every access switch port that belongs to the VLAN. IGMP sno
    SV-251399r806152_rule NET2017 CCI-000366 LOW First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize. The Layer 2 connection between the nodes providing first-hop redundancy comes up quickly. If the preemption takes effect prior to the routing protocol converging, traffic is black holed. Traffic will go to the active router that does not have full routing