Yealink Forums

Full Version: Transparent PC port [SOLVED]
Basically I'd like the phone to act as a transparent switch (or a hub) for the PC port and Internet port

I wonder why I should "configure" the PC port on the IP phones. I agree there has to be an "Enable ON/OFF" setting but not more than that.
I don't want the phone to interfere or change any of the network access the LAN port already provides.

This is one example:
I have a dedicated voice VLAN. While testing phones, I wanted to plug some phones serially (piggyback). For this to work I have to configure (i.e. VLAN) each PC port on each phone. The first phone can normally use tagged VLAN, the phones behind it not.
The expected behavior should be that each phone doesn't notice that they are plugged into another phone (They should all use the same configuration settings.)

It seems devices plugged into the PC port cannot access VLANs other than the one set up on the phone.
Hi Ret,

I think if a network device plugged into the PC port uses the same configuration settings as the Internet port, then it's impossible to put a phone and a PC into two different VLANs?

The port is designed to connect a PC and use different configuration settings, to put the phone and the PC in different VLANs.

Regards,
James
I'm not trying to connect a device into the pc port using the same configuration settings as internet port while expecting to be on 2 different VLANs.

I just want the phone to let ethernet traffic go through undisturbed. It should be up to the network switch to handle all traffic on its port. What if I have several VLANs that I want to access from a device connected to PC port? On current phone settings my tagged traffic would not be admitted as it is not declared on phone.

Besides, I may need to access Data VLAN and Voice VLAN at the same time from the same device connected to the internet port. For example to check Call detail records on PBX (running on voice vlan). With current settings the phone won't allow this (as far as I know). Repeating my example above: two phones configured to work on voice vlan in its internet port won't work if they are piggybacked. The pc port on one has to be configured to allow this and on the other the internet port should not be configured to use voice vlan.

My point is that we should have an option that the pc port should behave as if the phone is not in the middle of the ethernet wiring.
Ok, I think I've found a solution!

For anyone interested:
I've disabled "VLAN PC port" and enabled "Span to PC"

I guess "Span to PC" lets the phone act as a hub between Internet port and the PC port.

For security reasons it would be better to act as a switch, but I guess it's not that bad.
Yealink used to have the option "Routed" vs "Bridge" mode for the PC port. In my mind that terminology still makes far more sense than the PC port options they list now.

In any case I expect the underlying function is still the same. When you set it to "VLAN PC" you're telling the phone to create two sub interfaces: one for the phone itself, and one for the PC port, each with their own VLANs. The internet port itself doesn't have any VLAN configured, but the routing on the phone firmware forwards each packet either to the internal port (the phone itself), the PC port, or nowhere depending on what VLAN is tagged in each received packet. When you set it to "Span to PC" my guess is that the phone just leaves the PC Port as untagged/trunk, meaning it passes all received packets out that port.

I don't understand your statement about "For security reasons it would be better to act as a switch". What security are you talking about? You should also check your terminology as I think you've got the terms "Switch" and "hub", mixed up with "router" and "switch".
My understanding is that "Span to PC" forwards ALL traffic to PC port. It even forwards the packets from the internal "phone itself" port and that's where I see a small "security issue" (although it has VLAN tags).
This is a hub behavior. In a hub every port receives all traffic on the network. In a switch each port receives only its corresponding traffic (based on IP). That's why I used those two terms.

A router is a different thing. It refers to IP routes, networks, gateways, etc which is not the case on these phones.

PS: I don't like Yealink implementation of VLAN ports, because it only allows for one VLAN to the PC port.
(11-25-2014 10:00 PM) Ret Wrote: In a hub every port receives all traffic on the network. In a switch each port receives only its corresponding traffic (based on IP). That's why I used those two terms.
A switch typically operates on Layer 2 (MAC addresses) not Layer 3 (IP addresses). It maintains a MAC table of what devices are connected to what ports, and forwards traffic to those ports as required. I suppose in theory that provides a bit of security, but in reality the way switches discover devices on ports is so trivial and low level that any "attacker" could easily spoof an ARP request and convince the switch that it should also receive the data intended for another device.

Quote: My understanding is that "Span to PC" forwards ALL traffic to PC port. It even forwards the packets from the internal "phone itself" port and that's where I see a small "security issue" (although it has VLAN tags). This is a hub behavior.

Have you tested that assumption by using Wireshark to listen on the PC port and see if VLAN traffic shows up? Keep in mind you'd have to do layer 2 sniffing since your NIC will otherwise normally drop the packets before even presenting them to a higher layer (the IP stack).

Since the Yealink phones are all running a flavour of Linux I suspect you'll find that your assumptions are not correct. As I suggested previously, I would strongly believe that the phone is creating a bridge between the PC port and the Internet port. In Linux a bridge has its own MAC table and operates just like a switch, keeping track of what target MACs exist on which port, and forwarding traffic accordingly. If it doesn't know what port the destined packet should go out of, it sends an ARP request and figures it out, just like a normal switch.

If you are worried that someone connected to the PC port could in theory reconfigure their PC to be on the voice VLAN and thus intercept traffic ("a security concern") I would argue that they could do that simply by yanking the cable out of the phone and connecting it directly to their computer (which is a trivial matter since you're assuming they'd know how to configure the VLAN on their PC and the phone is sitting on their desk).

All in all just trying to say don't go under the belief that VLANs themselves are providing you with network security.
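
The capture check suggested in the post above (listen on the PC port and see whether tagged traffic shows up) can be scripted. This is an added example, not part of the original thread: it parses raw Ethernet frames, reads the 802.1Q tag, and counts unicast frames addressed to hosts other than the capturing PC; the MAC addresses, VLAN 100 and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return dst, src, vlan_id, ethertype

def summarize(frames, my_mac: bytes):
    """Count frames per VLAN and unicast frames addressed to other hosts."""
    per_vlan, foreign_unicast = Counter(), Counter()
    for frame in frames:
        dst, src, vlan_id, _ = parse_frame(frame)
        per_vlan[vlan_id] += 1
        is_group = bool(dst[0] & 0x01)  # broadcast/multicast bit
        if not is_group and dst != my_mac and src != my_mac:
            foreign_unicast[vlan_id] += 1
    return per_vlan, foreign_unicast

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build(dst, src, ethertype, vlan_id=None, payload=b"\x00" * 46):
    tag = struct.pack("!HH", TPID_8021Q, vlan_id) if vlan_id is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

# Constructed sample capture: all MACs and VLAN 100 are made-up values.
PC, PHONE, PBX = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02"), mac("02:00:00:00:00:03")
BCAST = mac("ff:ff:ff:ff:ff:ff")
SAMPLE = [
    build(PC, PBX, 0x0800),                  # untagged, addressed to the PC
    build(BCAST, PBX, 0x0806),               # untagged broadcast (ARP)
    build(PHONE, PBX, 0x0800, vlan_id=100),  # tagged, PBX -> phone
    build(PBX, PHONE, 0x0800, vlan_id=100),  # tagged, phone -> PBX
]

if __name__ == "__main__":
    vlans, foreign = summarize(SAMPLE, PC)
    print("frames per VLAN:", dict(vlans), "| foreign unicast per VLAN:", dict(foreign))
```

A steady stream of tagged unicast frames for other hosts points to hub-like forwarding, whereas a learning bridge delivers such frames only until it has learned the destination MAC. Some NIC drivers strip the 802.1Q tag in hardware before the capture sees it, so an all-untagged result should be checked against the adapter's VLAN offload setting.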
You're right about switches being layer2 devices: When I wrote "based on IP", it was for the sake of simplifying my argument. It meant ARP protocol and MAC address lists.
Thank you for the information on the Yealink phones and Linux. I didn't do further tests as I am not worried about the inner working of these phones (I just want them to work for me).
About security: I know it's really a minor issue, well, maybe not even an issue.
Thank you for the support!