Electronic – how to make an obfuscated network cable

cables, ethernet, poe, Security

(EDIT): forest for the trees

This is why I love StackExchange! I have several great ideas to try, none of which were my original.

I asked here based on an assumption I probably shouldn't make: my cheap network gear cannot help in a more standard way. I've been seeing them as dumb switches–one still hasn't arrived, so can't yet be certain.

Points I should've added (sorry) but didn't because the question was already getting too long:

  • Most of the building's network is VLAN-segregated on PoE Juniper gear.
  • I wired the patch panel and wall ports four years ago–they're already standard.
  • The rack has no switch, so I got a couple cheapies–one for connectivity and one for PoE to a handful of phones (for tenants, in the office where intranet is required).
  • We can't afford a Juniper at this location, which would resolve all concerns.
  • I pulled three runs from another closet on this floor, patching to the Juniper there. All three cables are spoken for, even though two days ago I only needed one (things change around here).
  • There's a ton of furniture/equipment in the way now, but I suppose I could pull a fourth, dedicated to the port I'm trying to protect.
  • I didn't think of pulling another run, because my "cheap gear" assumption had me thinking the dongle thing would be simpler. I was probably wrong twice.

I'll assess the PoE switch when it arrives today, and if it's too dumb to help I'll either pull more cable or insert a small router/firewall.

original question

nutshell

I want to make a scrambled Ethernet dongle (or cable) that must be inserted before a network drop can bring data. My question primarily stems from

  • how safe PoE is for devices connected with a "bad" cable and
  • if anyone has one pinout recommended over another because of PoE.

why

I'm wiring a room for rented dinners and conferencing, with several network drops to be made available as guest Internet, in the same building as our business network.

The room has a VOIP phone †† on a non-guest network, with access to the internal LAN. Clearly, giving guests this access is undesirable. I hope no one would unplug the phone to connect their laptop…but I'm planning for that contingency.

the idea

If I intentionally mis-wire a cable (e.g. not T568B), a patch cable at the rack can reverse the "error," giving a valid connection. The phone works–but if someone unplugs and connects their laptop †† the port will not help them.

At a job back in 2001, the senior network engineer had little dongles we'd issue to conference room visitors. He wired the wall ports wrong, and the dongle reversed it. Joe's a smart guy.

Since my VOIP phone is always in this room, that dongle would be of little use, since anyone could swap their laptop into it. ††

device safety

But that was before PoE.

Naturally a fried laptop is not the result we want; if Power over Ethernet didn't exist, I'd simply make a couple cables–probably a simple shift cipher. From what I read on the Wikipedia page on PoE, the switch should refrain from providing power…but I'd prefer to not experiment with expensive hardware. And that brings me to StackExchange. :,)

babysitting/security-through-obscurity

I'm often tasked with setup, but I'll rarely be present at these events, so I won't be there to keep an eye on people. The wait staff is busy and uninterested in security, so I'd prefer to remove infosec discipline from the equation.

I realize that anyone knowing the secret can simply unplug the cable from the phone and use that…but the conspicuous nature of wrestling with the phone base †† is at least more a deterrent than simply unplugging a cable from the wall. My hope is that anyone who wants wired network will have their own cable–or will use one we've already provided.

summary

If I'm worrying too much (and PoE devices are highly reliable at detecting a connection they shouldn't provide power for), then lemmeno–I'll just build something and be done with it.

I'll post here if requested. The switch is a TP-Link TL-SG108PE.

Previously asked at Networking.StackExchange, ruled off-topic. It's admittedly a grey area, I suppose.

†† The phone is a Polycom and uses PoE. The cables are annoyingly cumbersome to unplug–making it far more likely someone will disconnect at the wall. I also can't plan for someone bringing an axe to penetrate the server room–but I can still lock the door.

Best Answer

If I'm worrying too much (and PoE devices are highly reliable at detecting a connection they shouldn't provide power for)

They are reliable at that; at least standards-compliant ones, and my guess is that if your switch and your phones are from different manufacturers, they are compatible because they stick to the PoE(+) standards, which require detection before power.

The room has a VOIP phone †† on a non-guest network, with access to the internal LAN.

Put all the phone-dedicated ports on a VLAN. Managed switches can do that, and the overlap of "cheap managed switch" and "affordable PoE injecting switch" is relatively large, so check whether your switch can already do that.

That VLAN doesn't get access to arbitrary internal services; instead, a firewall rule on the single computer (or server, or router) that you also assign to that VLAN says "if the VLAN tag is set, drop all packets but these that are going to the VoIP servers"; done.

This all might be free.

I'd simply make a couple cables--probably a simple shift cipher.

Your trust in being able to modify Ethernet at wire speed is admirable, but I think you'll find that you can't just change arbitrary things about your packet without breaking its transportability through Ethernet. So, if you wanted to encrypt your traffic, you'd need to wrap it in a valid Ethernet frame afterwards.

And for that there's already a million solutions – from IPsec to OpenVPN to WireGuard… really really no reason to invest in hardware development (my gosh you're underestimating this) of a one-shot security-by-obscurity system...
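The phone-VLAN firewall rule the answer describes, written out as an added example (not part of the answer, and not a config from any of the products mentioned): a router-side nftables ruleset that lets traffic from the phone VLAN reach only the VoIP servers on SIP/RTP and drops everything else, so a laptop plugged into the phone's wall port gets no further than the router. The interface name eth0.20, the server addresses, and the port ranges are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed (constructed) values:
#   - the router's trunk port is eth0 and the phone VLAN is VLAN 20 (eth0.20),
#     created with: ip link add link eth0 name eth0.20 type vlan id 20
#   - the VoIP servers are 10.0.5.10 and 10.0.5.11 (hypothetical addresses)
#   - SIP on 5060/5061, RTP on 10000-20000/udp (check your PBX's real range)
VLAN_IF="${VLAN_IF:-eth0.20}"
VOIP_SERVERS="${VOIP_SERVERS:-10.0.5.10, 10.0.5.11}"
RTP_RANGE="${RTP_RANGE:-10000-20000}"

# Print the ruleset. Only SIP/RTP to the VoIP servers is forwarded from the
# phone VLAN; anything else (file servers, management, Internet) is logged and
# dropped, regardless of what device is plugged into the phone's port.
phone_vlan_ruleset() {
    cat <<EOF
table inet phone_vlan {
    set voip_servers {
        type ipv4_addr
        elements = { $VOIP_SERVERS }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # replies for flows the VoIP servers already accepted
        iifname "$VLAN_IF" ct state established,related accept
        # SIP signalling (TCP and UDP) to the VoIP servers only
        iifname "$VLAN_IF" ip daddr @voip_servers tcp dport { 5060, 5061 } accept
        iifname "$VLAN_IF" ip daddr @voip_servers udp dport 5060 accept
        # RTP media to the VoIP servers only
        iifname "$VLAN_IF" ip daddr @voip_servers udp dport $RTP_RANGE accept
        # default for the phone VLAN: deny, counted and logged for detection
        iifname "$VLAN_IF" counter log prefix "phone-vlan-drop " drop
    }
}
EOF
}

# Returns 0 when the ruleset ends the phone VLAN's traffic with an explicit
# drop, i.e. the VLAN does not fall through to the chain's "policy accept".
ruleset_has_default_drop() {
    phone_vlan_ruleset | grep -q "iifname \"$VLAN_IF\" counter log prefix \"phone-vlan-drop \" drop"
}

# Syntax-check the ruleset where nft is installed (load it with: nft -f -);
# otherwise just print it for review.
if command -v nft >/dev/null 2>&1; then
    phone_vlan_ruleset | nft -c -f -
else
    phone_vlan_ruleset
fi
```

Return traffic from the VoIP servers enters the forward chain from the trunk side, so it is covered by the chain's accept policy and the established,related rule; tighten that side too if the servers also need to be protected from each other.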