I'm using the 3/2/1 network segmentation model from the Open PCI DSS Scoping Toolkit and I'm running into a bit of a mental roadblock. I have a phone system (Mitel 5000 series, if it matters) that is on my segmented internal network.
The phone system appears to be firewalled. nmap shows only standard web and SSH management ports. However, this system technically is level 1 as we do take a large number of calls that contain cardholder information.
Based on the toolkit, this is technically a breach since L3 systems can potentially access an L1. At the same time, the only access across the network is encrypted management traffic. That meets the PCI-DSS specs for any publicly available network.
How do I treat this situation? Why?
Note - I'm aware that the QSA is the final answer on this, as with any PCI-related question. I'm looking more for best practice and the logic behind it for these kinds of cases.