Limiting hosts on a network

Question

I am in need of some networking advice and hopefully some of you will be able to help me. My network is shown in this block diagram: The ethernet switches are from Microchip, model KSZ9897, which is a managed layer 2 switch. The switch has multiple features, for example it supports IEEE 802.1X (port-based authentication and Access Control List (ACL) filtering) and IEEE 802.1Q (VLAN). All hosts are Windows 10 PCs. I need the following:

• Hosts 1A, 1B and 1C must have the same fixed IP address (this is due to an initialization process, where hosts 2A, 2B and 2C not yet know if they are located in Unit A, Unit B or Unit C. This information is communicated from host 1, which is why I need Hosts 1A, 1B and 1C to have the same IP address, in order for Host 2 to know where to send the identification request)
• Host 1A can communicate with Host 2A and no other host
• Host 2A can communicate with all hosts except Host 1B and Host 1C
• Host 1B can communicate with Host 2B and no other host
• Host 2B can communicate with all hosts except Host 1A and Host 1C
• Host 1C can communicate with Host 2C and no other host
• Host 2C can communicate with all hosts except Host 1A and Host 1B

Right now all the hosts are on the same subnet, let's say 192.168.1.X, subnet mask 255.255.255.0. My first idea was to give hosts 1A, 1B and 1C an IP address on another subnet, say 192.168.2.1, and give hosts 2A, 2B and 2C an alias IP address on that same subnet. This way Hosts 2 will be able to communicate on both subnets. However, this will not work, as e.g. Host 2A will be able to communicate with both 1B and 1C. This will cause IP dublicate addresses on the same subnet. But placing Host 1A, Host 1B and Host 1C on three different subnets is also an issue, because of the identification issue outlined in the first point in the list. It seems to me like a chicken and egg problem, but hopefully I am missing something that can remedy the problem, maybe VLANs, access control or something else.

Answer 1

Depending on what that switch actually supports for ACLs (can't find any manual), port-bound ACLs should do the trick - no VLANs or routing required. I'm assuming hosts are configured statically, without DHCP. The syntax likely varies but I hop you get the idea. Simply apply the ACL to all ports on all switches. Alternatively, applying the ACL to the default VLAN might also work.

• hosts 1A-5A use IP addresses 192.168.1.1/24 - 192.168.1.5/24
• hosts 1B-5B use IP addresses 192.168.1.11/24 - 192.168.1.15/24
• hosts 1C-5C use IP addresses 192.168.1.21/24 - 192.168.1.25/24
• hosts 1D-5D use IP addresses 192.168.1.31/24 - 192.168.1.35/24

ACL:

1000 permit ip 192.168.1.1/32 192.168.1.2/32
1010 deny ip 192.168.1.2/32 192.168.1.11/32
1020 deny ip 192.168.1.2/32 192.168.1.21/32
1030 permit ip 192.168.1.2/32 any
1040 permit ip 192.168.1.11/32 192.168.1.12/32
1050 deny ip 192.168.1.12/32 192.168.1.1/32
1060 deny ip 192.168.1.12/32 192.168.1.21/32
1070 permit ip 192.168.1.12/32 any
1080 permit ip 192.168.1.21/32 192.168.1.22/32
1090 deny 192.168.1.22/32 192.168.1.1/32
1100 deny 192.168.1.22/32 192.168.1.11/32
1110 permit 192.168.1.22/32 any

Note that there's an implied deny any any rule at the end of the ACL, so if you don't explicitly permit something it's denied. You need to permit both directions of a communication - ACLs are stateless. Rules are evaluated on a first fit basis from top to bottom, so if a previous deny matches, a subsequent permit isn't used.

If the switch doesn't accept the /32 (no wildcard bits) you need to use 0.0.0.0 instead. The wildcard bits have no direct relation to the subnet mask. Instead, they define bits that are ignored while matching. 192.168.1.2/31 or 192.168.1.2 0.0.0.1 matches 192.168.1.2 and 192.168.1.3. 192. 192.168.1.3 0.0.0.2 matches 192.168.1.1 and 192.168.1.3.