Score:0

Routing different subnets on a switch

jp flag

My setup: I have a layer 2 managed 7-port Ethernet switch (KSZ9897). The switch features dot1Q (VLAN) and dot1X (ACL). ACL is advertised to be able to filter on layer 3 (IP) and 4 (TCP/UDP). Is it possible, with these features, to ensure that a specific IP address is only forwarded to a specific port on the switch? Say, if a packet with source IP 192.168.1.2 enters port 5, it can only be forwarded to port 6, etc.

Ron Maupin avatar
us flag
That is a layer-2 switch, and layer-2 switches do not route, so there is no routing on the switch. Layer-2 switches bridge frames, not route packets. You need a router (layer-3 switches have a routing module) to route packets between networks.
Tilman Schmidt avatar
bd flag
Your headline appears to be an entirely different question than what you describe in the text. I guess you just got the terminology wrong. Neither routing nor subnets seem to be involved in the problem you describe.
Lunde avatar
jp flag
I am aware that layer 2 is only MAC addresses, but in the data sheet of the switch, section 4.4.16, under ACL filtering, it is stated that the switch can: “perform filtering on incoming layer 2 MAC, layer 3 IP or layer 4 TCP/UDP packets.” Maybe my terminology wasn’t clear, but what I need is to ensure that ingress traffic on port 5 with source IP 192.168.1.1 is only allowed to be forwarded to port 4 and ingress traffic on port 5 with source IP 192.168.2.1 is only allowed to be forwarded to port 3. These two IPs are on different subnets, which is where the title came from. Sorry for the confusion.
Lunde avatar
jp flag
Specifically what I was wondering is to apply ACL on the ingress port (would be port 5 from my previous comment), matching on the IP address (as specified in table 4-18 in the data sheet) and applying the action to only forward to a specific port (as specified in table 4-20 in the data sheet). But I have never tried this before, so I am not sure that it would work in practice.
Score:0
ru flag

ACLs filter by IP address, transport-layer protocol and L4 port number. They don't use switch port numbers.

What you're asking for needs to be done on source and destination IP address/L4 proto+port alone.

Other methods to restrict traffic between end nodes include VLANs (where you restrict traffic on an intermediate router), private VLANs (where access ports can only talk to uplink ports) or source-port filtering (similar to private VLANs), depending on switch type and feature set.

Lunde avatar
jp flag
Thank you for clearing that up. Can you suggest a method, if any exists, for restricting traffic using VLANs? I guess it would be easy if I could specify e.g. ports 5 and 6 to be in VLAN 10 and the remaining ports to be in VLAN 20. That would ensure that port 6 could not communicate with e.g. port 3. But I need port 5 to be able to communicate with all ports, but to restrict traffic based on the source IP. Maybe it could work if port 5 was a trunk port and the host on that port was able to perform VLAN tagging based on the source IP?
Zac67 avatar
ru flag
With VLANs, you separate hosts by security zone, each represented by a VLAN and IP subnet. Communication across VLANs requires a router/gateway where you can control/filter the traffic. Perhaps you should add a comprehensible diagram to your question, including intended traffic flows, that would allow us to understand your problem. Currently, I think you're better off with ACLs.
Lunde avatar
jp flag
Ok, this is my setup. I have the following IPs connected to the switch. Ports 1-4: 192.168.1.X and 192.168.2.X; ports 5 and 6: 192.168.1.1, 192.168.2.1 and 192.168.3.1; port 7: 192.168.3.10. Traffic from port 7 should only be allowed to ports 5 and 6. From ports 5 and 6, 192.168.1.1 and 192.168.2.1 should be allowed to ports 1-4 and 192.168.3.1 should only be allowed to port 7. I need these restrictions to avoid IP duplicates from devices connected on ports 1-4 (these IPs are fixed, so I am unable to change them).
Lunde avatar
jp flag
For instance, 192.168.3.10 will also be present downstream on port 1-4, which is why I need the switch to block traffic to this IP on those ports.
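As an added illustration (not part of the question, the answer or any comment above), here is the policy described in the last comments modelled as an ordered, per-ingress-port ACL whose action is a forwarding map, i.e. "frames entering port X with source IP Y may only leave via ports Z". This is a plain-Python model of the intended forwarding decisions, not KSZ9897 configuration; the rule format, the first-match/default-deny semantics, the port numbering and the extra rule letting ports 1-4 send return traffic to ports 5 and 6 are assumptions, and the sample frames are constructed. The point it shows is that keying on ingress port plus source IP keeps the downstream duplicate of 192.168.3.10 away from port 7 even though its address is identical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """One ingress ACL entry (assumed format): a frame entering `ingress_port`
    whose source IP falls inside `src_prefix` may only be forwarded to the
    ports listed in `forward_map`."""
    ingress_port: int
    src_prefix: ipaddress.IPv4Network
    forward_map: frozenset


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Policy reconstructed from the thread (switch ports 1-7).
RULES = [
    # port 7 hosts 192.168.3.10 and may only reach ports 5 and 6
    AclRule(7, net("192.168.3.10/32"), frozenset({5, 6})),
]
for p in (5, 6):
    RULES += [
        # 192.168.1.1 and 192.168.2.1 behind ports 5/6 go to ports 1-4 only
        AclRule(p, net("192.168.1.1/32"), frozenset({1, 2, 3, 4})),
        AclRule(p, net("192.168.2.1/32"), frozenset({1, 2, 3, 4})),
        # 192.168.3.1 behind ports 5/6 goes to port 7 only
        AclRule(p, net("192.168.3.1/32"), frozenset({7})),
    ]
for p in (1, 2, 3, 4):
    RULES += [
        # ASSUMPTION (not stated in the thread): downstream hosts on ports 1-4
        # may answer 192.168.1.1 / 192.168.2.1 on ports 5 and 6.
        AclRule(p, net("192.168.1.0/24"), frozenset({5, 6})),
        AclRule(p, net("192.168.2.0/24"), frozenset({5, 6})),
    ]


def permitted_egress(rules, ingress_port: int, src_ip: str) -> set:
    """Return the set of ports a frame may be forwarded to.

    First matching rule wins (assumed hardware-style ordered ACL); a frame
    with no matching rule is dropped (default deny), which is what contains
    a downstream duplicate of an IP that only exists in a more specific rule.
    """
    src = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if rule.ingress_port == ingress_port and src in rule.src_prefix:
            return set(rule.forward_map) - {ingress_port}
    return set()


def is_forwarded(rules, ingress_port: int, src_ip: str, egress_port: int) -> bool:
    return egress_port in permitted_egress(rules, ingress_port, src_ip)


if __name__ == "__main__":
    # Constructed sample frames: (ingress port, source IP)
    frames = [
        (7, "192.168.3.10"),   # the real 192.168.3.10 on port 7
        (3, "192.168.3.10"),   # a duplicate 192.168.3.10 downstream on port 3
        (5, "192.168.3.1"),
        (5, "192.168.1.1"),
        (2, "192.168.2.50"),
    ]
    for port, ip in frames:
        print(f"port {port} src {ip:<14} -> {sorted(permitted_egress(RULES, port, ip)) or 'drop'}")
```

Note that this only decides where a frame may go based on where it came from; it says nothing about destination addresses, so a host on ports 1-4 that sends to 192.168.3.10 is still dropped simply because the forwarding map for ports 1-4 never includes port 7.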
