Rule ID
SV-283834r1203751_rule
Version
V1R1
CCIs
To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.
Review the Nokia router configuration to determine if the "SA Limit" has been configured to limit the number of source-active messages it accepts on a per-peer basis.
Verify the source-active limit, as shown in the example below:
- show router msdp status | match "SA Limit"
SA Limit : 2
SA Limit Excd : 0
If the router is not configured to limit the source-active messages it accepts, this is a finding.Configure the MSDP router to limit the amount of source-active messages it accepts from each peer. Configure the active-source limit, as shown in the example below: - configure router msdp active-source-limit 2