09-15-2008 04:15 AM - edited 03-06-2019 01:23 AM
Dear All,
I've got a Cisco 4503 Core Switch with two VLANs configured.
All is going OK with access-list management between the two VLANs, but now I have a scenario where I need to block only SQL traffic between two hosts on the same VLAN.
Is this supported?
To make it simple: I have two subnets 192.168.5.0 and 192.168.6.0 on VLANs 5 and 6 respectively.
VLAN 5 is defined on 8 physical ports of the switch and VLAN 6 on 4 physical ports of the switch.
I want to stop only SQL traffic between the two hosts 192.168.6.15 and 192.168.6.20 that are both on VLAN 6.
How can this be done on a Cisco 4503?
Thank you.
Regards,
Raymond
09-15-2008 05:28 AM
Dear Raymond,
We configure MAC-based access lists and implement them using an access map; thus VLAN access maps are essentially used to filter Layer 2 information. It will not work in your case.
Regards
Rohit
09-15-2008 04:57 AM
Hello Raymond,
If you want to filter specific protocol traffic between two hosts, you do it on the basis of Layer 4 information. We usually implement ACLs on a VLAN in the "in" or "out" direction based on where and which way the filtering is to be done. In your case, communication between two PCs on a common VLAN cannot be filtered, as the traffic does not cross the VLAN boundary where it can be filtered. A VLAN is a Layer 2 entity; moreover, the ports are Layer 2 switch ports, so filtering based on Layer 4 information is not possible. You can, though, filter some traffic by configuring the Windows or third-party firewall that resides on the host machines, but if the users have privileges to modify the firewall settings then that may not be a good solution; otherwise you could consider this solution as well.
Regards
Rohit
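To illustrate the point Rohit makes about the VLAN boundary, here is an added IOS configuration example (not from this thread or from Cisco's documentation) that assumes the SQL server listens on TCP 1433 (the Microsoft SQL Server default, not stated in the thread) and that VLAN 6 has an SVI on the 4503:

```cisco
! Extended ACL intended to stop SQL between the two hosts on VLAN 6.
! Port 1433 is an assumption (MS SQL default); adjust for the actual service.
ip access-list extended BLOCK-SQL-6-15-TO-6-20
 remark deny SQL from 192.168.6.15 to the server 192.168.6.20
 deny   tcp host 192.168.6.15 host 192.168.6.20 eq 1433
 permit ip any any
!
! Applied inbound on the VLAN 6 SVI, the ACL only evaluates packets that the
! switch ROUTES out of VLAN 6 (e.g. toward 192.168.5.0). Frames from
! 192.168.6.15 to 192.168.6.20 are switched at Layer 2 inside VLAN 6 and
! never reach the SVI, so this deny entry is never matched for them.
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
 ip access-group BLOCK-SQL-6-15-TO-6-20 in
!
! Verification: the hit counter on the deny line stays at zero while the two
! hosts talk to each other, confirming the traffic bypasses the SVI ACL.
! show ip access-lists BLOCK-SQL-6-15-TO-6-20
```

The SVI address 192.168.6.1 is a constructed value; the counter check with `show ip access-lists` is the quickest way to confirm that intra-VLAN traffic is not seen by an interface ACL.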
09-15-2008 05:07 AM
Hello Rohit,
Thank you for your reply.
So if I'm getting you correctly, you're confirming that there's absolutely NO WAY to block SQL traffic between two hosts on the same VLAN using the Cisco 4503? Not even using access maps?
Regards,
Raymond
09-15-2008 06:45 AM
Rohit,
Thank you for your help.
Regards,
Raymond
09-15-2008 07:37 AM
My pleasure dear Raymond, thanks for the rating :-)