
AAAdot1x Lab Sim

October 3rd, 2018 in Lab Sim, LabSim

Question

Answer and Explanation

 

1) Configure ASW1

Enable AAA on the switch:
ASW1(config)#aaa new-model

The new-model keyword refers to the use of method lists, by which authentication methods and sources can be grouped or organized.

Define the RADIUS server along with the shared secret key used to authenticate to it:
ASW1(config)#radius-server host 172.120.39.46 key rad123

ASW1(config)#aaa authentication dot1x default group radius
This command makes the switch use the RADIUS server defined above for 802.1x authentication (the default method list).

Globally enable port-based authentication (802.1x) on the switch:
ASW1(config)#dot1x system-auth-control

Configure Fa0/1 to use 802.1x:

ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#dot1x port-control auto
Notice that the “auto” keyword forces the connected PC to authenticate through the 802.1x exchange.

2) Configure DSW1:

Define an access-list:
DSW1(config)#ip access-list standard 10 (syntax: ip access-list {standard | extended} acl-name)
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit

Define an access-map which uses the access-list above:
DSW1(config)#vlan access-map MYACCMAP 10 (syntax: vlan access-map map_name [0-65535] )
DSW1(config-access-map)#match ip address 10 (syntax: match ip address {acl_number | acl_name})
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit

DSW1(config)#vlan access-map MYACCMAP 20
DSW1(config-access-map)#action drop (drop other networks)
DSW1(config-access-map)#exit

Note: In fact, there is an implicit “deny all” (drop) at the end of each VLAN access-map, so we don’t need to deny other networks explicitly. Therefore there is no problem if you don’t enter the “vlan access-map MYACCMAP 20” sequence above.

Apply the VLAN access-map to VLAN 20:
DSW1(config)#vlan filter MYACCMAP vlan-list 20 (syntax: vlan filter mapname vlan-list list)

DSW1#copy running-config startup-config

(Notice: many reports say that copy running-config startup-config did not work in the sim, but they still got full marks.)

Note: If the requirements of this sim state “do not use named ACLs”, then you should configure a numbered ACL instead:

DSW1(config)#access-list 10 permit 172.120.40.0 0.0.0.255
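To make the access-map evaluation concrete, here is an added Python model (not part of the lab answer) of how a VLAN access-map tries its sequences in order, matches a standard ACL on source address only and an extended ACL on protocol, source and destination, and falls through to the implicit drop. The VLAN 20 host addresses (172.120.20.0/24) and access-list 100 follow Seed's test in the comments; the packet representation is my own assumption.

```python
import ipaddress

def wildcard_match(ip, network, wildcard):
    """Cisco wildcard semantics: bits that are 0 in the wildcard must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)

def acl_permits(acl, pkt):
    """First matching ACE decides; no match is the implicit deny."""
    for ace in acl:
        if ace.get("proto", "ip") not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if "dst" in ace and not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        return ace["action"] == "permit"
    return False

def vacl_action(access_map, pkt):
    """access_map: list of (acl or None, action) in sequence order."""
    for acl, action in access_map:
        if acl is None or acl_permits(acl, pkt):  # no match clause = match all
            return action
    return "drop"  # implicit drop at the end of every VLAN access-map

def pkt(src, dst, proto="icmp"):
    return {"src": src, "dst": dst, "proto": proto}

# The lab answer: standard ACL 10 (source only) matched by MYACCMAP on VLAN 20.
ACL10 = [{"action": "permit", "src": ("172.120.40.0", "0.0.0.255")}]
MYACCMAP = [(ACL10, "forward"), (None, "drop")]

# Extended ACL 100 from Seed's test in the comments, permitting both directions.
ACL100 = [
    {"action": "permit", "proto": "ip",
     "src": ("172.120.40.0", "0.0.0.255"), "dst": ("172.120.20.0", "0.0.0.255")},
    {"action": "permit", "proto": "icmp",
     "src": ("172.120.20.0", "0.0.0.255"), "dst": ("172.120.40.0", "0.0.0.255")},
]
MYMAP = [(ACL100, "forward"), (None, "drop")]
MYMAP_NO_ACE20 = [(ACL100[:1], "forward"), (None, "drop")]

if __name__ == "__main__":
    # RADIUS server 172.120.39.46 is outside 172.120.40.0/24, so it is dropped.
    print(vacl_action(MYACCMAP, pkt("172.120.40.2", "172.120.20.2")))   # forward
    print(vacl_action(MYACCMAP, pkt("172.120.39.46", "172.120.20.2", "udp")))  # drop
    # Without ACE 20 the echo request from VLAN 20 matches nothing.
    print(vacl_action(MYMAP_NO_ACE20, pkt("172.120.20.2", "172.120.40.2")))  # drop
```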


Comments
  1. Marx
    December 19th, 2018

    I believe the configuration is not completely correct.
    The description says:
    “Devices on VLAN 20 are restricted to the subnet of 172.120.40.0/24.”
    so the access list, assuming it has to be a numbered one, should be as follows:
    DSW1(config)#access-list 101 permit 172.120.40.0 0.0.0.255 172.120.40.0 0.0.0.255
    This is how I would restrict the devices to stay in vlan 20.

    Regarding the named/standard ACL, this is the link talking about those:
    https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#ipnamacl
    —-CUT—
    You can also add ACL lines to numbered standard or numbered extended ACLs by sequence number in Cisco IOS.
    Configure the extended ACL in this way:
    Router(config)#access-list 101 permit tcp any any
    —END CUT

    —CUT2—-
    IP named ACLs were introduced in Cisco IOS Software Release 11.2. This allows standard and extended ACLs to be given names instead of numbers.
    This is the command syntax format for IP named ACLs.
    ip access-list {extended|standard} name
    —END CUT2—-

  2. Richmond
    January 2nd, 2019

    Thank you all,
    JUST 20 $, TO GUARANTEE your Success.

    CCNA R&S
    200-125 CCNA = 587 Q&As DUMPs + LABs
    100-105 ICND1 = 554 Q&As DUMPs + LABs
    200-105 ICND2 = 268 Q&As DUMPs + LABs
    CCNP R&S
    ROUTE = 227 Q&As DUMPS + LABs
    SWITCH = 287 Q&As DUMPs + LABs
    TSHOOT = 180 Q&As DUMPs + Tickets
    CCIE R&S
    400-101 WRITTEN = 114 Q&As DUMPS

    At web :
    t2m.io/qkhTw5dQ

  3. Seed
    January 3rd, 2019

    I’ve tested this setup in a real lab. After configuration, the result:
    host in vlan 20 can’t reach hosts in subnet 40 and 100 (for testing I created vlan 100)
    hosts in vlan 40 are not able to get icmp-echo-reply from host in subnet 20

    Looks like this resolution is wrong!
    To be honest – maybe I’m wrong – these statements should be done not via VACL but rather RACL (on SVIs).

    need to think about it….Maybe you have some other ideas ?

  4. Seed
    January 3rd, 2019

    I think for test we can permit vlan 20 on 40, then ping and then change action in vlan 40 from forwarding to drop ( with log).

  5. Seed
    January 3rd, 2019

    Ok Guyzs, tested for full.
    Looks like this resolution works.

    1. created extended access list with 2 ACEs:
    Extended IP access list 100
    10 permit ip 172.120.40.0 0.0.0.255 172.120.20.0 0.0.0.255
    20 permit icmp 172.120.20.0 0.0.0.255 172.120.40.0 0.0.0.255
    2. VACL MAP:
    Vlan access-map “MYMAP” 10
    Match clauses:
    ip address: 100
    Action:
    forward
    Vlan access-map “MYMAP” 20
    Match clauses:
    Action:
    drop
    3. VLAN Filter:
    VLAN Map MYMAP is filtering VLANs:
    20
    ———————————————-
    Results:
    From vlan 20 ( host 172.120.20.2 pings 172.120.40.2)
    _20#ping 172.120.40.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.40.2, timeout is 2 seconds:
    !!!!!
    SUCCESS

    From vlan 40 (host 172.120.40.2 ping 172.120.20.2)
    40#ping 172.120.20.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.20.2, timeout is 2 seconds:
    !!!!!

    SUCCESS

    Other networks can’t reach the host in vlan 20 (in my test there was a vlan 100):
    R1_100#ping 172.120.20.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.20.2, timeout is 2 seconds:
    …..
    Success rate is 0 percent (0/5)

    So traffic from vlan 100 to vlan 20 is not allowed. But between 100 and 40 – works well:
    R1_100#ping 172.120.40.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.40.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/11/14 ms

    After removing ACE 20 in access-list 100:
    no permit icmp 172.120.20.0 0.0.0.255 172.120.40.0 0.0.0.255

    tested once again.
    R1_20#ping 172.120.40.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.40.2, timeout is 2 seconds:
    …..
    Success rate is 0 percent (0/5)

    R1_40#ping 172.120.20.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.120.20.2, timeout is 2 seconds:
    …..
    Success rate is 0 percent (0/5)

    Pings between v20 and v40 fail, because there are no matching criteria for the reply from vlan 20 to vlan 40.

    So for the next test purposes I decided to create one more vlan access-map to allow icmp from vlan 20 to 40.

    S1(config)#ip access-list extended 101
    S1(config-ext-nacl)#permit icmp 172.120.20.0 0.0.0.255 172.120.40.0 0.0.0.255
    S1(config-ext-nacl)#exit

    S1(config)#vlan access-map ICMPMAP 10
    S1(config-access-map)#match ip address 101
    S1(config-access-map)#action forward
    S1(config-access-map)#exit

    S1(config)#vlan access-map ICMPMAP 20
    S1(config-access-map)#action dro
    S1(config-access-map)#action drop
    S1(config-access-map)#exit

    S1(config)#vlan filter ICMPMAP vlan-list 20
    S1(config)#end

    And then – it works, but from vlan 100 vlan 20 was still unreachable.

    It means the resolution described on certprepare works well.

    Thank you and wish me luck on my exam :)

  6. Simon
    January 10th, 2019

    Guys, is this lab changed? If someone has a premium account here, can he pass here the actual questions about this lab?

  7. Neil
    January 17th, 2019

    I have bought the premium file (ete file) of the dump on Prepaway. It really contains all the questions of the whole exam, since I failed the first attempt of my exam.

    I am going to do it next week.

    Let me know if you need the premium dump by putting an e-mail in the comments.

  8. Abdul
    January 18th, 2019

    Dear,
    Anyone pass CCNP Switching 300-115 exam in Jan-2019.
    Kindly share latest Dumps.

  9. MAQ
    January 18th, 2019

    Hi Neil: Can you please share the CCNP SWITCH 300-115 dumps: ahmadqaisar at hotmail dot com

  10. Akly21
    January 19th, 2019

    Hi Neil,

    Kindly share CCNP SWITCH 300-115 dump premium file to {email not allowed}. I have my exam on Tuesday. Thanks

  11. Akly21
    January 19th, 2019

    Hi Neil,

    Kindly share CCNP SWITCH 300-115 dump premium file to akinloye2183 at gmail dot com. I have my exam on Tuesday. Thanks

  12. Kazi
    January 20th, 2019

    Please share me the dump to kaziDOTshabbirDOTahmedATgmailDOTcom as I am sitting for 300 115 this week.Thanks in advance

  13. Glory
    January 20th, 2019

    please send dump to florigor at hotmail dot com

  14. SBHAK
    January 20th, 2019

    Hi Neil

    please share the CCNP SWITCH 300-115 dumps s_alkaseri at yahoo dot com

    Thanks

  15. Anonymous
    January 21st, 2019

    Please give me valid dump {email not allowed}

  16. Kani
    January 22nd, 2019

    @Neil share me i sit exam soon my email abdikanipd @ gmail . com

  17. Neil
    January 23rd, 2019

    I have sent the dump files to you guys. Be sure to thank me or send me any BTC donation. Also if you can’t make an ETE email address via gmail/hotmail, make one via TempMail.

  18. kazi
    January 24th, 2019

    Hi,
    Any body can help me the valid dump to kaziDOTshabbirDOTahmedATgmailDOTcom as I will sit for exam this week.Thanks in advance

  19. netvet
    January 25th, 2019

    @neil I also have the switch exam next week and would be grateful if you could share the dump files retejal @ heximail . com

  20. boyet
    January 27th, 2019

    @neil, please also send to {email not allowed}. Thanks and appreciate it in advance

  21. Anonymous
    January 27th, 2019

    @neil, please also send to boyetpellejena @ gmail . com Thanks and appreciate it in advance

  22. Anonymous
    January 28th, 2019

    @Neil pls also send to djvallin at yahoo dot com…. Thanks in advance

  23. Strange IPs
    January 30th, 2019

    How come the IPs are different from radius server and access-list. Doesn’t make any sense.

  24. Faisalawi
    January 31st, 2019

    @Neil Could you please please please share the CCNP SWITCH 300-115 dumps: mff07 @ hotmail . com Thanks and appreciate it in advance ^^

  25. netvet
    February 1st, 2019

    @ Seed
    Although maybe not relevant or expected for the exam, I found after applying the VACL it broke spanning tree for VLAN 20 on DSW1. DSW1 where the VACL is applied will block STP BPDU’s for VLAN 20 unless a MAC ACL is also applied to the VLAN access map to allow BPDU’s, and prevent DSW1 and ASW1 both becoming root for VLAN 20.

    The solution was to add a MAC ACL to allow BPDU’s in addition to the IP ACL for the VACL on DSW1:

    mac access-list extended PVST+
    permit any any lsap 0xAAAA 0x0
    spanning-tree mode pvst

    access-list 10 permit 172.120.40.0 0.0.0.255

    vlan access-map MYACCMAP 10
    action forward
    match mac address PVST+
    match ip address 10
    vlan access-map MYACCMAP 20
    action drop
    vlan filter MYACCMAP vlan-list 20

    See the following link for more info:
    https://learningnetwork.cisco.com/message/290554#290554

  26. Anonymous
    February 7th, 2019

    Neil please send me dumps for SWITCH 300-115 at {email not allowed}. Thanks in advance and what will remain is to shake hands after exam

  27. Luis
    February 9th, 2019

    @Neil plz share your dump my email is luis1a2a3a(at)gmail(dot)com, thx

  28. Nony
    February 10th, 2019

    Hi Neil please send the dump at nonnykins23(at)yahoo(dot)com. I am writing the exam in 4 days please

  29. sae
    February 13th, 2019

    Hi Neil, Please send me the dump at kooldj99(at)yahoo(dot)com. thank u in advance

  30. Beau
    February 16th, 2019

    Hi Neil, good day! Appreciate if you could also send me your dumps at {email not allowed}.
    Thank you!

  31. Beau
    February 16th, 2019

    Hi Neil, good day! Appreciate if you could also send me your dumps at cisco.300115(at)gmail(dot)com…Thank you!

  32. Osya
    February 28th, 2019

    Valid CCNP materials.
    CCNP Switch 300-115
    Pass 21.02.2019
    969/1000
    Some questions were new. (5 of 47)
    And some old questions were with incorrect answers.(I have corrected answers in vce format only)

    Don’t worry!

    I used IPHelper dumps. I would like to recommend to you it!

    https : // dropmefiles . com / Ius8X

    Enter address without Spaces. I uploaded pdf.

  33. OldGuy
    March 9th, 2019

    @Neil plz share your dump my email is paybills0326(at)gmail(dot)com

  34. Taty
    March 11th, 2019

    Hi Osya, I tried to enter https : // dropmefiles . com / Ius8X and files are gone! Would you send it to tatypo92 at gm dot com

  35. Muhamad
    March 14th, 2019

    Passed on 13th March. My lab is HSRP and AAA dot1q. You should study them well.
    Few new questions, dump valid. Thanks certprepare!

    ====
    My email: muhamadawan1988(at)gmail(dot)com

  36. Anonymous
    March 14th, 2019

    Hi Osya, I tried to enter https : // dropmefiles . com / Ius8X and files are gone! Would you send it to le2luu at yahoo dot com

  37. Anonymous
    March 14th, 2019

    Hi Neil, Would you please send it to le2luu at yahoo dot com

    thanks

  38. Anonymous
    March 17th, 2019

    Hi Neil , Osya,
    can you send me the new dumps please?
    nozeid (at) gmail (dot) com

  39. Master Dribbler
    March 18th, 2019

    Osaya, please send me too : kchambwa at gmail.com. I am taking the test tomorrow. Please bro

  40. Val
    March 18th, 2019

    Hi can someone send me the new dumps for this month, I have my exam in a couple of weeks, please please.

    my email is orangemargarita at live dot co uk.

    Thank you.

  41. Roldy
    March 20th, 2019

    Why 172.120.39.46 instead of 172.120.40.46 ?

  42. Animal
    March 20th, 2019

    I also wonder why 172.120.39.46 instead of 172.120.40.46 ? any comments please

  43. Anonymous
    March 21st, 2019

    i want to new vce 300-115 please send email grimace_2531@ hot mail(.)com

  44. Switchit
    March 21st, 2019

    172.120.39.46 (Radius server IP) is not permitted in the ACL
    DSW1(config)#ip access-list standard 10 (syntax: ip access-list {standard | extended} acl-name)
    DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255

    So, none of the devices on VLAN 20 could hit the RADIUS server and would fail authentication
