Title

The Unified Communications Endpoint PC port must be configured to maintain VLAN separation from the voice video VLAN, or be disabled. (Cat II impact)

Discussion

Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3 and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.

Check Content

Verify the Unified Communications Endpoint PC port is configured to maintain VLAN separation from the voice video VLAN or is disabled. For networks with both VoIP and videoconferencing, best practice is to have a separate voice VLAN and video VLAN. If the Unified Communications Endpoint PC port is disabled, this is not a finding. If the Unified Communications Endpoint PC port does not maintain VLAN separation from the voice video VLAN, this is a finding.

Fix Text

Configure the Unified Communications Endpoint PC port to maintain VLAN separation from the voice video VLAN or be disabled.

Additional Identifiers

Rule ID: SRG-NET-000018-VVEP-00101_rule

Vulnerability ID: SRG-NET-000018-VVEP-00101

Group Title: SRG-NET-000018-VVEP-00101

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.