
The required VVoIP endpoint VLANs are NOT configured on this network element


Overview

Finding ID: V-19633
Version: VVoIP 5525 (LAN)
Rule ID: SV-21774r1_rule
IA Controls: none listed
Severity: Medium
Description
VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device, thereby protecting it from non-essential protocols. This protection is afforded on the LAN by implementing ACLs based on VLAN/subnet, protocol, and in some instances specific IP addresses. While a firewall placed between the core equipment and endpoint VLANs might provide better protection for the core equipment as a whole, a router is best suited to control the varying traffic patterns between the various devices.
STIG: VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2010-08-17

Details

Check Text (C-23959r1_chk)
Inspect the configurations of the LAN devices supporting VVoIP endpoints or their traffic to determine compliance with the following requirement:

In the event the device supports VVoIP endpoints directly or indirectly, ensure the following VLANs are established and configured on this device:
> Hardware endpoints: multiple VLANs, generally in parallel with data LAN VLANs, the number of which is dependent on the size of the LAN and as required for the reduction of broadcast domains per good LAN design. For small networks there will be a minimum of one.
> Software endpoints on workstations: multiple VLANs, as with hardware endpoints.

NOTE: In the event there are no software-based endpoints on workstations, the associated VLAN is not required.
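
One way to automate the inspection described in the Check Text, as an added example that is not part of the STIG. It assumes Cisco IOS-style syntax (the STIG itself is vendor-neutral) and that the device is in scope; the function name `audit_voice_vlans` is hypothetical and the sample configuration is constructed.

```python
import re

# Constructed sample: IOS-style access-switch config (assumed syntax, not from the STIG).
SAMPLE_CONFIG = """\
vlan 10
 name DATA-FLOOR1
vlan 110
 name VOICE-FLOOR1
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport voice vlan 110
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport voice vlan 120
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport voice vlan 10
!
interface GigabitEthernet0/4
 switchport access vlan 10
"""

def audit_voice_vlans(config):
    """Return (voice_vlans_in_use, findings) for one in-scope device configuration."""
    defined = set(re.findall(r"^vlan (\d+)\s*$", config, re.M))
    voice_in_use, findings = set(), []
    # Split into interface stanzas; each stanza starts at an "interface" line.
    for stanza in re.split(r"^(?=interface )", config, flags=re.M)[1:]:
        name = stanza.split()[1]
        voice = re.search(r"^ switchport voice vlan (\d+)", stanza, re.M)
        data = re.search(r"^ switchport access vlan (\d+)", stanza, re.M)
        if not voice:
            continue  # no endpoint VLAN assigned on this port; nothing to compare
        vid = voice.group(1)
        voice_in_use.add(vid)
        if vid not in defined:
            findings.append(f"{name}: voice VLAN {vid} is not established on this device")
        if data and data.group(1) == vid:
            # Assumption: "in parallel with data LAN VLANs" means a separate VLAN ID.
            findings.append(f"{name}: voice and data share VLAN {vid}")
    if not voice_in_use:
        findings.append("no VVoIP endpoint VLAN is configured on any port")
    return voice_in_use, findings
```

Running `audit_voice_vlans(SAMPLE_CONFIG)` flags GigabitEthernet0/2 (voice VLAN referenced but never created) and GigabitEthernet0/3 (voice and data on the same VLAN).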

Fix Text (F-20337r1_fix)
In the event the device supports VVoIP endpoints directly or indirectly, ensure the following VLANs are established and configured on this device:
> Hardware endpoints: multiple VLANs, generally in parallel with data LAN VLANs, the number of which is dependent on the size of the LAN and as required for the reduction of broadcast domains per good LAN design. For small networks there will be a minimum of one.
> Software endpoints on workstations: multiple VLANs, as with hardware endpoints.

NOTE: In the event there are no software-based endpoints on workstations, the associated VLAN is not required.