Transparent PC port [SOLVED]
Author Message
jolouis Offline
Moderator
Post: #7
RE: Transparent PC port [SOLVED]
(11-25-2014 10:00 PM)Ret Wrote:  In a hub every port receives all traffic on the network. In a switch each port receives only its corresponding traffic (based on IP). That's why I used those two terms.
A switch typically operates on Layer 2 (MAC addresses) not Layer 3 (IP addresses). It maintains a MAC table of what devices are connected to what ports, and forwards traffic to those ports as required. I suppose in theory that provides a bit of security, but in reality the way switches discover devices on ports is so trivial and low level that any "attacker" could easily spoof an ARP request and convince the switch that it should also receive the data intended for another device.

Quote: My understanding is that "Span to PC" forwards ALL traffic to PC port. It even forwards the packets from the internal "phone itself" port and that's where I see a small "security issue" (although it has VLAN tags). This is a hub behavior.

Have you tested that assumption by using Wireshark to listen on the PC port and see if VLAN traffic shows up? Keep in mind you'd have to do layer 2 sniffing since your NIC will otherwise normally drop the packets before even presenting them to a higher layer (the IP stack).

Since the Yealink phones are all running a flavour of Linux I suspect you'll find that your assumptions are not correct. As I suggested previously, I would strongly believe that the phone is creating a bridge between the PC port and the Internet port. In Linux a bridge has its own MAC table and operates just like a switch, keeping track of what target MACs exist on which port, and forwarding traffic accordingly. If it doesn't know what port the destined packet should go out of, it sends an ARP request and figures it out, just like a normal switch.

If you are worried that someone connected to the PC port could in theory reconfigure their PC to be on the voice VLAN and thus intercept traffic ("a security concern") I would argue that they could do that simply by yanking the cable out of the phone and connecting it directly to their computer (which is a trivial matter since you're assuming they'd know how to configure the VLAN on their PC and the phone is sitting on their desk).

All in all just trying to say don't go under the belief that VLANs themselves are providing you with network security.
11-27-2014 04:17 AM
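
The Wireshark check suggested in the post above can be scripted. The following is an added example, not code from the thread or from Yealink: it parses raw Ethernet frames captured on the PC port (with 802.1Q tags preserved by the capture setup) and lists voice-VLAN unicast frames addressed to some other station, which a bridging phone should not deliver to the PC port. The MAC addresses, the voice VLAN ID 100 and the sample frames are constructed assumptions.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Return dst, src, VLAN IDs (outermost first) and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vlans = 12, []
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "vlans": vlans, "ethertype": etype}

def foreign_unicast_on_vlan(frames, voice_vlan, own_mac):
    """Frames tagged with voice_vlan and unicast to a station other than own_mac."""
    hits = []
    for raw in frames:
        f = parse_frame(raw)
        group = int(f["dst"][:2], 16) & 1  # I/G bit: broadcast or multicast
        if voice_vlan in f["vlans"] and not group and f["dst"] != own_mac:
            hits.append(f)
    return hits

def build(dst, src, etype, vlan=None):
    """Construct a sample frame (test data only, zero-filled payload)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", etype) + bytes(46)

# Constructed values: MAC addresses and voice VLAN ID 100 are assumptions.
PC, PHONE, PBX, BCAST = ("02:00:00:00:00:10", "02:00:00:00:00:20",
                         "02:00:00:00:00:30", "ff:ff:ff:ff:ff:ff")
SAMPLE = [
    build(PC, PBX, 0x0800),               # untagged unicast to the PC
    build(BCAST, PBX, 0x0806),            # untagged ARP broadcast
    build(PHONE, PBX, 0x0800, vlan=100),  # tagged unicast meant for the phone
    build(BCAST, PBX, 0x0806, vlan=100),  # tagged broadcast, flooded by any bridge
]

if __name__ == "__main__":
    for f in foreign_unicast_on_vlan(SAMPLE, 100, PC):
        print("voice-VLAN unicast for another host:", f)
```

Tagged broadcasts are excluded because any bridge floods them; only tagged unicast for another MAC points at span-like forwarding to the PC port.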