Blocking SQL traffic within the same VLAN

Answered Question
Sep 15th, 2008

Dear All,


I've got a Cisco 4503 Core Switch with two VLANs configured.

All is going OK with access list management between the two VLANs, but now I have a scenario where I need to block only SQL traffic between two hosts on the same VLAN.

Is this supported?


To make it simple: I have two subnets 192.168.5.0 and 192.168.6.0 on VLANs 5 and 6 respectively.

VLAN 5 is defined on 8 physical ports of the switch and VLAN 6 on 4 physical ports of the switch.

I want to stop only SQL traffic between the two hosts 192.168.6.15 and 192.168.6.20 that are both on VLAN 6.


How can this be done on a Cisco 4503?

Thank you.


Regards,

Raymond

rohitrattan Mon, 09/15/2008 - 04:57

Hello Raymond,


If you want to filter specific protocol traffic between two hosts, you do it on the basis of Layer 4 information. We usually implement ACLs on a VLAN in the "in" or "out" direction based on where and which way the filtering is to be done. In your case, communication between two PCs on a common VLAN cannot be filtered, as the traffic does not cross the VLAN boundary where it can be filtered. A VLAN is a Layer 2 entity; moreover, the ports are Layer 2 switch ports, so filtering based on Layer 4 information is not possible. You can, though, filter some traffic by configuring the Windows or third-party firewall that resides on the host machines, but if the users have privileges to modify the firewall settings then that may not be a good solution; otherwise you could look forward to this solution also.



Regards

Rohit

interedlb Mon, 09/15/2008 - 05:07

Hello Rohit,


Thank you for your reply.


So if I'm getting you correctly, you're confirming that there's absolutely NO WAY to block SQL traffic between two hosts on the same VLAN using the Cisco 4503? Not even using Access Maps?


Regards,

Raymond

Correct Answer
rohitrattan Mon, 09/15/2008 - 05:28

Dear Raymond,


We configure MAC-based access lists and implement them using an Access Map; thus VLAN Access Maps are essentially used to filter Layer 2 information. It will not work in your case.


Regards

Rohit

interedlb Mon, 09/15/2008 - 06:45

Rohit,


Thank you for your help.


Regards,

Raymond
