
AAAdot1x Lab Sim

October 3rd, 2018 in Lab Sim

Question

Answer and Explanation

1) Configure ASW1

Enable AAA on the switch:
ASW1(config)#aaa new-model

The new-model keyword refers to the use of method lists, by which authentication methods and sources can be grouped or organized.

Define the RADIUS server along with its shared secret key:
ASW1(config)#radius-server host 172.120.39.46 key rad123

ASW1(config)#aaa authentication dot1x default group radius
This command causes the RADIUS server defined on the switch to be used for 802.1x authentication.

Globally enable port-based authentication (802.1x) on the switch:
ASW1(config)#dot1x system-auth-control

Configure Fa0/1 to use 802.1x:

ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#dot1x port-control auto
Notice that the keyword "auto" forces the connected PC to authenticate through the 802.1x exchange.

2) Configure DSW1:

Define an access-list:
DSW1(config)#ip access-list standard 10 (syntax: ip access-list {standard | extended} acl-name)
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit

Define an access-map which uses the access-list above:
DSW1(config)#vlan access-map MYACCMAP 10 (syntax: vlan access-map map_name [0-65535] )
DSW1(config-access-map)#match ip address 10 (syntax: match ip address {acl_number | acl_name})
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit

DSW1(config)#vlan access-map MYACCMAP 20
DSW1(config-access-map)#action drop (drop other networks)
DSW1(config-access-map)#exit

Note: In fact, there is an implicit "deny all" at the end of each VLAN access-map, so we don't need to explicitly deny the other networks. Therefore there is no problem if you don't enter the "vlan access-map MYACCMAP 20" sequence above.

Apply the VLAN access-map to a VLAN:
DSW1(config)#vlan filter MYACCMAP vlan-list 20 (syntax: vlan filter mapname vlan-list list)

DSW1#copy running-config startup-config

(Notice: Many reports said the "copy running-config startup-config" command didn't work in the sim, but they still received full marks)

Note: If the requirements of this sim state "do not use named ACLs", then you should configure a numbered ACL instead:

DSW1(config)#access-list 10 permit 172.120.40.0 0.0.0.255


Comments
  1. sniper
    November 24th, 2018

    Guys, please share the link for latest dumps. Thanks in advance

  2. Ethio
    November 29th, 2018

    I will take the CCNP 300-115 Switch at the end of this year, can anyone help me by dumping the recent exam questions pls

  3. Marx
    December 19th, 2018

    I believe the configuration is not completely correct.
    The description says:
    "Devices on VLAN 20 are restricted to the subnet of 172.120.40.0/24."
    so the access list, assuming it has to be a numbered one, should be as follows:
    DSW1(config)#access-list 101 permit 172.120.40.0 0.0.0.255 172.120.40.0 0.0.0.255
    This is how I would restrict the devices to stay in vlan 20.

    Regarding the named/standard ACL, this is the link talking about those:
    https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#ipnamacl
    —-CUT—
    You can also add ACL lines to numbered standard or numbered extended ACLs by sequence number in Cisco IOS.
    Configure the extended ACL in this way:
    Router(config)#access-list 101 permit tcp any any
    —END CUT

    —CUT2—-
    IP named ACLs were introduced in Cisco IOS Software Release 11.2. This allows standard and extended ACLs to be given names instead of numbers.
    This is the command syntax format for IP named ACLs.
    ip access-list {extended|standard} name
    —END CUT2—-

  4. Richmond
    January 2nd, 2019

    Thank you all,
    JUST 20 $, TO GUARANTEE your Success.

    CCNA R&S
    200-125 CCNA = 587 Q&As DUMPs + LABs
    100-105 ICND1 = 554 Q&As DUMPs + LABs
    200-105 ICND2 = 268 Q&As DUMPs + LABs
    CCNP R&S
    ROUTE = 227 Q&As DUMPS + LABs
    SWITCH = 287 Q&As DUMPs + LABs
    TSHOOT = 180 Q&As DUMPs + Tickets
    CCIE R&S
    400-101 WRITTEN = 114 Q&As DUMPS

    At web :
    t2m.io/qkhTw5dQ

  5. Seed
    January 3rd, 2019

    I've tested this setup in a real lab. After configuration, the result:
    host in vlan 20 can't reach hosts in subnet 40 and 100 (for testing I created vlan 100)
    hosts in vlan 40 are not able to get icmp-echo-reply from host in subnet 20

    Looks like this resolution is wrong!
    To be honest – maybe I'm wrong – these statements should be done not via VACL but rather RACL (on SVIs).

    need to think about it... Maybe you have some other ideas?

  6. Seed
    January 3rd, 2019

    I think for test we can permit vlan 20 on 40, then ping and then change action in vlan 40 from forwarding to drop ( with log).

  7. Seed
    January 3rd, 2019

    Ok Guys, tested in full.
    Looks like this resolution works.

    1. created extended access list with 2 ACEs:
    Extended IP access list 100
    10 permit ip 172.120.40.0 0.0.0.255 172.120.20.0 0.0.0.255
    20 permit icmp 172.120.20.0 0.0.0.255 172.120.40.0 0.0.0.255
    2. VACL MAP:
    Vlan access-map “MYMAP” 10
    Match clauses:
    ip address: 100
    Action:
    forward
    Vlan access-map “MYMAP” 20
    Match clauses:
    Action:
    drop
    3. VLAN Filter:
    VLAN Map MYMAP is filtering VLANs:
    20
    ———————————————-
    Results:
    From vlan 20 ( host 172.120.20.2 pings 172.120.40.2)
    _20#ping 172.120.40.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.40.2, timeout is 2 seconds:
    !!!!!
    SUCCESS

    From vlan 40 (host 172.120.40.2 ping 172.120.20.2)
    40#ping 172.120.20.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.20.2, timeout is 2 seconds:
    !!!!!

    SUCCESS

    Other networks can't reach host in vlan 20 (in my test there was a vlan 100):
    R1_100#ping 172.120.20.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.20.2, timeout is 2 seconds:
    …..
    Success rate is 0 percent (0/5)

    So traffic from vlan 100 to vlan 20 is not allowed. But between 100 and 40 – works well:
    R1_100#ping 172.120.40.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.40.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/11/14 ms

    After removing ACE 20 in access-list 100:
    no permit icmp 172.120.20.0 0.0.0.255 172.120.40.0 0.0.0.255

    tested once again.
    R1_20#ping 172.120.40.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.40.2, timeout is 2 seconds:
    …..
    Success rate is 0 percent (0/5)

    R1_40#ping 172.120.20.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.20.2, timeout is 2 seconds:
    …..
    Success rate is 0 percent (0/5)

    Pings between v20 and v40 fail, because there are no matching criteria for the reply from vlan 20 to vlan 40.

    So for the next test purposes I decided to create one more vlan access-map to allow icmp from vlan 20 to 40.

    S1(config)#ip access-list extended 101
    S1(config-ext-nacl)#permit icmp 172.120.20.0 0.0.0.255 172.120.40.0 0.0.0.255
    S1(config-ext-nacl)#exit

    S1(config)#vlan access-map ICMPMAP 10
    S1(config-access-map)#match ip address 101
    S1(config-access-map)#action forward
    S1(config-access-map)#exit

    S1(config)#vlan access-map ICMPMAP 20
    S1(config-access-map)#action dro
    S1(config-access-map)#action drop
    S1(config-access-map)#exit

    S1(config)#vlan filter ICMPMAP vlan-list 20
    S1(config)#end

    And then – it works, but from vlan 100 vlan 20 was still unreachable.

    it means the resolution described on certprepare works well.

    Thank you and wish me luck on my exam :)
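To make the first-match behaviour of the solution's VLAN access-map (standard ACL 10) and of Seed's two-ACE extended ACL 100 concrete, here is a small Python model of how a VACL evaluates packets; it is an added example, not code from the original page or from Cisco IOS. The ACL contents come from the page; the host addresses 172.120.40.2 and 172.120.20.2 are Seed's, and 172.120.100.2 and the packets fed through the model are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    # One permit entry: protocol ("ip" = any protocol, or e.g. "icmp"),
    # source and destination prefixes. A standard ACL has a source only.
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard(net, wc):
    # An IOS wildcard mask is the inverted subnet mask: 0.0.0.255 -> /24
    mask = ".".join(str(255 - int(o)) for o in wc.split("."))
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=False)

def acl_permits(acl, pkt):
    # An IOS ACL is first-match; a packet matching no entry is implicitly denied.
    for ace in acl:
        if ace.proto in ("ip", pkt["proto"]) and pkt["src"] in ace.src and pkt["dst"] in ace.dst:
            return True
    return False

def vacl_action(access_map, pkt):
    # A VLAN access-map is walked in sequence order and the first entry whose match
    # clause is satisfied decides; no match clause matches everything, no match at all drops.
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, pkt):
            return action
    return "drop"

def pkt(src, dst, proto="icmp"):
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst), "proto": proto}

# ACL 10 from the solution above: a standard ACL, so it checks the source only.
ACL_10 = [Ace("ip", wildcard("172.120.40.0", "0.0.0.255"))]
# ACL 100 from Seed's test: IP 40->20 plus ICMP 20->40 for the echo replies.
ACL_100 = [
    Ace("ip", wildcard("172.120.40.0", "0.0.0.255"), wildcard("172.120.20.0", "0.0.0.255")),
    Ace("icmp", wildcard("172.120.20.0", "0.0.0.255"), wildcard("172.120.40.0", "0.0.0.255")),
]
MYACCMAP = [(10, ACL_10, "forward"), (20, None, "drop")]  # applied with vlan filter ... vlan-list 20
MYMAP = [(10, ACL_100, "forward"), (20, None, "drop")]
if __name__ == "__main__":
    # 172.120.100.2 is a constructed address standing in for Seed's test VLAN 100
    for name, vmap in (("MYACCMAP", MYACCMAP), ("MYMAP", MYMAP)):
        for p in (pkt("172.120.40.2", "172.120.20.2"), pkt("172.120.20.2", "172.120.40.2"),
                  pkt("172.120.100.2", "172.120.20.2")):
            print(f"{name}: {p['src']} -> {p['dst']} {p['proto']}: {vacl_action(vmap, p)}")
```

Running it shows the point Seed measured: with the source-only standard ACL, a packet sourced from 172.120.20.2 matches nothing and is dropped, while ACL 100 forwards the ICMP reply but still drops any other protocol from VLAN 20.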

  8. Simon
    January 10th, 2019

    guys, is this lab changed? if someone has a premium account here, can he share here the actual questions about this Lab?

  9. Neil
    January 17th, 2019

    I have bought the premium file (ete file) of the dump on Prepaway. It really contains all the questions of the whole exam, since I failed the first attempt of my exam.

    I am going to do it next week.

    Let me know if you need the premium dump by putting an e-mail in the comments.

  10. Abdul
    January 18th, 2019

    Dear,
    Anyone pass CCNP Switching 300-115 exam in Jan-2019.
    Kindly share latest Dumps.

  11. MAQ
    January 18th, 2019

    Hi Neil: Can you please share the CCNP SWITCH 300-115 dumps: ahmadqaisar at hotmail dot com

  12. Akly21
    January 19th, 2019

    Hi Neil,

    Kindly share CCNP SWITCH 300-115 dump premium file to {email not allowed}. I have my exam on Tuesday. Thanks

  13. Akly21
    January 19th, 2019

    Hi Neil,

    Kindly share CCNP SWITCH 300-115 dump premium file to akinloye2183 at gmail dot com. I have my exam on Tuesday. Thanks

  14. Kazi
    January 20th, 2019

    Please share the dump with me at kaziDOTshabbirDOTahmedATgmailDOTcom as I am sitting for 300-115 this week. Thanks in advance

  15. Glory
    January 20th, 2019

    please send dump to florigor at hotmail dot com

  16. SBHAK
    January 20th, 2019

    Hi Neil

    please share the CCNP SWITCH 300-115 dumps s_alkaseri at yahoo dot com

    Thanks

  17. Anonymous
    January 21st, 2019

    Please give me valid dump {email not allowed}
