STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019

The LAN access switch (discrete NE or module in a larger NE) is NOT capable of, or is NOT configured to, maintain the required VLAN separation for traffic originating from supported endpoints, and DOES NOT route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN.

DISA Rule

SV-21788r2_rule

Vulnerability Number

V-19647

Group Title

Deficient imp'n: LAN switch maint. VLAN sepa't'n

Rule Version

VVoIP 5535

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

In the event the LAN access switch port supports a VVoIP or VTC endpoint with an embedded Ethernet switch, ensure the NE is capable of, and configured to, maintain the required VLAN separation from the endpoint and route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN.

NOTE: The NE may perform this function in various ways as determined by the overall VVoIP system and LAN design. However, the typical (or preferred) method used by an endpoint to maintain VLAN separation is 802.1Q VLAN tagging. As such, the LAN access port and NE need to support the receipt of tagged packets and handle them appropriately so that VLAN separation is maintained. While the NE may retag the packets, thereby reassigning the VLAN based on some defined rule, the NE may not strip the tags and mix all traffic together.

NOTE: The LAN access layer Ethernet switch (discrete NE or module in a larger NE) supporting LAN cable drops will typically have a VLAN defined for each service (VVoIP, VTC, Data, PC Comm. Client) supported by the endpoints connected to the NE. Traffic within the respective VLANs may flow between different physical ports on the NE but may not change VLANs in the process. This must be done by a routing device (discrete NE or module in a larger NE) and must be controlled by an appropriate ACL. The LAN access layer Ethernet switch may be combined in the same unit with the routing device as in the case of a layer-3 switch or a router containing an Ethernet switch module.
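As an added example that is not part of the STIG text, the following uses Cisco IOS access-port syntax (an assumption; the STIG is vendor-neutral) to show a non-compliant port that ignores the endpoint's 802.1Q voice tag and puts everything in one VLAN, beside a compliant port that keeps voice and PC-port data in separate VLANs and forces any change of VLAN through a routing device under an ACL. VLAN IDs, interface names and IP addresses are constructed.

```text
! --- Non-compliant: one access VLAN, the endpoint's 802.1Q voice tag is not honoured,
!     so phone, VTC and PC traffic are all merged into VLAN 20 (a finding under VVoIP 5535)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 no switchport voice vlan
!
! --- Compliant: PC-port traffic stays untagged in VLAN 20 (data); the endpoint tags its
!     own voice frames with VLAN 100, and the switch keeps that tag instead of stripping it
vlan 20
 name DATA
vlan 100
 name VVOIP
!
interface GigabitEthernet1/0/1
 description VVoIP endpoint with embedded switch and PC port
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 100
 spanning-tree portfast
!
! --- Routing device (here a layer-3 switch SVI, constructed addresses): traffic may only
!     change VLAN here, and only as this ACL permits. 10.100.200.10 is a constructed
!     call controller address; the port ranges are illustrative.
interface Vlan100
 description VVoIP VLAN gateway
 ip address 10.100.0.1 255.255.255.0
 ip access-group VVOIP-IN in
!
ip access-list extended VVOIP-IN
 remark signaling to the call controller only
 permit udp 10.100.0.0 0.0.0.255 host 10.100.200.10 range 5060 5061
 permit tcp 10.100.0.0 0.0.0.255 host 10.100.200.10 range 5060 5061
 remark endpoint-to-endpoint media stays inside the voice VLAN
 permit udp 10.100.0.0 0.0.0.255 10.100.0.0 0.0.0.255 range 16384 32767
 remark no voice-to-data VLAN crossing; log attempts for detection
 deny   ip 10.100.0.0 0.0.0.255 10.20.0.0 0.0.0.255 log
 deny   ip any any log
```

The `deny ... log` entries give the check a verifiable artifact: hits on them show traffic trying to cross from the voice VLAN into the data VLAN, which is exactly what the separation requirement is meant to prevent.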

Check Contents

Interview the IAO to determine whether the VVoIP or VTC endpoints supported by this NE (or, in general, all NEs) provide a PC port (i.e., have an embedded Ethernet switch) and use some method for assigning VLANs and maintaining VLAN separation for the traffic carried by the LAN cable drop.

Documentable

False

Severity Override Guidance

Interview the IAO to determine whether the VVoIP or VTC endpoints supported by this NE (or, in general, all NEs) provide a PC port (i.e., have an embedded Ethernet switch) and use some method for assigning VLANs and maintaining VLAN separation for the traffic carried by the LAN cable drop.

Check Content Reference

I

Target Key

3407

Comments