====== Phone Hardening ======
{{cucm-phhdn1.png|}}

===== PC Port =====
  * Disable PC Port access e.g. in a lobby

===== Setting Access =====
  * Disable setting access and deactivates the settings button completely.
  * Or restricted option grants access to contrast and ringer menu only

===== GARP =====
  * Disable Gratuitous ARP
  * Usually ARP operates in request-response fashion
  * Learned MAC addresses are added to a local ARP cache.
  * GARP packets are ARP packets that have not been requested:
    * Sent by a station that announces its own MAC address.
    * Allow update of ARP caches in receiving devices.
    * Usually sent after MAC address changes.
    * Can be misused for packet redirection in a man-in-the-middle attack.
{{cucm-phhdn2.png|}}

===== PC Voice VLAN access =====
  * Disable PC Voice VLAN access
  * By default, the IP phone forwards all frames it receives from the switch to the PC and vice versa:
    * Includes voice VLAN traffic
    * Includes all other VLANs allowed on the port (if configured as a trunk)
    * Allows the PC to sniff phone conversations or other traffic
    * Allows the PC to send data to voice and other VLANs
{{cucm-phhdn3.png|}}\\
{{..:g-ipphones7.png|}}

  * There are two options
  * Disabling PC Voice VLAN Access
    * Only Voice VLAN traffic is blocked
    * Available on all phones
  * Disablign Span to PC Port
    * Does not forward any tagged frame
    * Only untagged traffic is permitted
    * Not available on 7940 or 7960

===== Web Access =====
  * Disable IP Phone Web Service