
    CCNP BCMSN(642-812) Lab – AAA dot1x(New)

    By admin | April 11, 2009

    Acme is a small shipping company that has an existing enterprise network comprised of 2 switches: DSW1 and ASW2. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:

    – Users connecting to ASW1’s port must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:

    – Radius server host: 172.120.39.46

    – Radius key: rad123

    – Authentication should be implemented as close to the host device as possible.

    – Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.

    – Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.

    – Packets from devices in any other address range should be dropped on VLAN 20.

    – Filtering should be implemented as close to the server farm as possible.

    The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.

    [Topology diagram: image clip_image002, not included in this copy]

    The configuration:

    Step 1: Console to ASW1 from PC console 1

    ASW1(config)#aaa new-model
    ASW1(config)#radius-server host 172.120.39.46 key rad123
    ASW1(config)#aaa authentication dot1x default group radius
    ASW1(config)#dot1x system-auth-control
    ASW1(config)#interface fastEthernet 0/1
    ASW1(config-if)#switchport mode access
    ASW1(config-if)#dot1x port-control auto
    ASW1(config-if)#end
    ASW1#copy run start

    Step 2: Console to DSW1 from PC console 2

    DSW1(config)#ip access-list standard 10
    DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
    DSW1(config-std-nacl)#exit
    DSW1(config)#vlan access-map PASS 10
    DSW1(config-access-map)#match ip address 10
    DSW1(config-access-map)#action forward
    DSW1(config-access-map)#exit
    DSW1(config)#vlan access-map PASS 20
    DSW1(config-access-map)#action drop
    DSW1(config-access-map)#exit
    DSW1(config)#vlan filter PASS vlan-list 20
    DSW1(config)#end
    DSW1#copy run start
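The two steps above can be checked against a saved `show running-config` from each switch. The Python below is an added example, not code from the original post or from Cisco: it parses configuration text in that shape and reports which of the lab requirements are not met; on ASW1 the 802.1X prerequisites (AAA, the `dot1x` method list, `dot1x system-auth-control`, the RADIUS host, and `dot1x port-control auto` on each access port), on DSW1 a VLAN access map applied to VLAN 20 whose forward entries match an ACL permitting exactly 172.120.40.0/24. The sample configurations and all function names are constructed for this example.

```python
"""Audit Cisco IOS running-configs for the 802.1X and VACL settings this lab asks for.
Added example, not part of the original post; the sample configs are constructed and
the function names are hypothetical. The commands checked are the lab's IOS commands."""
import re

RADIUS_HOST = "172.120.39.46"
SHIPPING_NET = "172.120.40.0 0.0.0.255"   # 172.120.40.0/24 as an IOS wildcard mask
SERVER_VLAN = "20"
# Global commands 802.1X needs on the edge switch. Leaving the dot1x keyword out of the
# aaa authentication line (as the post's original Step 1 did) configures nothing for dot1x.
REQUIRED_GLOBALS = ("aaa new-model", "aaa authentication dot1x default group radius",
                    "dot1x system-auth-control")


def parse_blocks(config):
    """Split IOS config text into (header, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_access_switch(config):
    """ASW1: 802.1X must be enabled globally and on every access port."""
    blocks = parse_blocks(config)
    globals_ = {header for header, _ in blocks}
    findings = [f"{cmd} missing" for cmd in REQUIRED_GLOBALS if cmd not in globals_]
    if not any(re.match(rf"radius-server host {re.escape(RADIUS_HOST)}(\s|$)", g) for g in globals_):
        findings.append(f"radius-server host {RADIUS_HOST} missing")
    for header, cmds in blocks:
        if (header.startswith("interface ") and "switchport mode access" in cmds
                and "dot1x port-control auto" not in cmds):
            findings.append(f"{header}: access port without dot1x port-control auto")
    return findings


def acl_permits(blocks, acl_id):
    """Sources a standard ACL permits, whether stored in numbered or named form."""
    permits = []
    for header, cmds in blocks:
        m = re.match(rf"access-list {re.escape(acl_id)} permit (.+)", header)
        if m:
            permits.append(m.group(1))
        if header == f"ip access-list standard {acl_id}":
            permits += [c[len("permit "):] for c in cmds if c.startswith("permit ")]
    return permits


def audit_distribution_switch(config):
    """DSW1: the access map on VLAN 20 must forward only 172.120.40.0/24 sources."""
    blocks = parse_blocks(config)
    applied = []
    for header, _ in blocks:
        m = re.match(r"vlan filter (\S+) vlan-list (\S+)", header)
        if m and SERVER_VLAN in m.group(2).split(","):   # ranges like 20-30 not expanded
            applied.append(m.group(1))
    if not applied:
        return [f"no vlan filter applied to VLAN {SERVER_VLAN}"]
    findings = []
    for name in applied:
        for header, cmds in blocks:
            if not re.match(rf"vlan access-map {re.escape(name)} \d+$", header):
                continue
            # IOS defaults an entry to 'action forward' when none is given
            action = next((c.split()[1] for c in cmds if c.startswith("action ")), "forward")
            acl = next((c.split()[-1] for c in cmds if c.startswith("match ip address ")), None)
            if action != "forward":
                continue   # drop entries are never required: unmatched traffic is dropped anyway
            if acl is None:
                findings.append(f"{header}: forwards everything (no match clause)")
            elif acl_permits(blocks, acl) != [SHIPPING_NET]:
                findings.append(f"{header}: ACL {acl} permits {acl_permits(blocks, acl)}, "
                                f"expected only {SHIPPING_NET}")
    return findings


# Constructed sample configs using the lab's addresses (not captured from real switches)
ASW1_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 172.120.39.46 key rad123
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
"""
DSW1_CONFIG = """\
vlan access-map PASS 10
 match ip address 10
 action forward
vlan filter PASS vlan-list 20
access-list 10 permit 172.120.40.0 0.0.0.255
"""
# The post's original Step 1 left out the dot1x keyword; reproduce that mistake
ASW1_BAD = ASW1_CONFIG.replace("aaa authentication dot1x default", "aaa authentication default")

if __name__ == "__main__":
    print("ASW1:", audit_access_switch(ASW1_CONFIG) or "OK")
    print("ASW1 as in original Step 1:", audit_access_switch(ASW1_BAD))
    print("DSW1:", audit_distribution_switch(DSW1_CONFIG) or "OK")
```

Feeding it the original Step 1, which wrote `aaa authentication default group radius` without the `dot1x` keyword, yields a single finding; the corrected step yields none. The audit does not insist on a trailing `action drop` entry, because an access map drops whatever no entry matched, and it treats an entry without an explicit action as forward, which is the IOS default.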

    That is all; I hope it is helpful for you. Best of luck for your exam.

    If you need the complete Pass4sure test questions for the 642-812 exam, you can visit Latest Pass4sure 642-812; maybe it will be helpful for your exam!

             

    Topics: 642-812 Exam, CCNP

    53 Responses to “CCNP BCMSN(642-812) Lab – AAA dot1x(New)”

    1. Guido Says:
      April 23rd, 2009 at 5:23 am

      This is wrong. Why vlan 40? Why a second access map? Anything else but access-map.

      Switch close to Servers DSW1:
      —————————-

      ip access-list standard 10
      permit ip 172.120.40.0 0.0.0.255
      exit

      vlan access-map PASS 10
      match ip address 10
      action forward
      exit

      vlan filter PASS vlan-list 20

      copy runn start

      Switch close to Clients ASW1:
      —————————–

      aaa new-model
      radius-server host 172.120.39.46 key rad123
      aaa authentication dot1x default group radius
      dot1x system-auth-control

      interface fa0/1
      switchport mode access
      dot1x port-control auto
      end

      copy runn start

      PASS will be dropped.

    2. Ajane Says:
      April 23rd, 2009 at 8:01 pm

      Hi,

      The access config should be for all access interfaces (Fa0/1, Fa0/2 and Fa0/3), using interface range?

      Thanks for replying.

    3. Aman Says:
      April 24th, 2009 at 7:04 am

      Ajane

      Authentication is done on fa0/1 and not on fa0/2 and fa0/3 because it says in the question that we need to restrict access to vlan 20 and fa0/1 is on vlan 20. Fa0/2 and f0/3 are not on vlan 20.

    4. Ajane Says:
      April 24th, 2009 at 3:41 pm

      Thanks for the answer,

      I don’t see any information stipulating that fa 0/1 is the only interface on vlan 20, or should we trust the schematic?

    5. Mike Says:
      May 7th, 2009 at 7:12 pm

      Please, which one of the answers is correct?

    6. Ya Man Says:
      May 7th, 2009 at 7:34 pm

      ip access-list standard 10
      permit ip 172.120.40.0 0.0.0.255
      exit

      wrong.

      it should be

      ip access-list standard 10
      permit 172.120.40.0 0.0.0.255
      exit

      Check it out.

    7. admin Says:
      May 20th, 2009 at 9:31 am

      Checked, you are right, thanks.

    8. Boy_Racer Says:
      August 5th, 2009 at 3:22 am

      DSW1(config)#ip access-list standard 10
      DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255

      Shouldn’t the prompt be config-std-nacl, as it is a standard access list?

    9. ApplyCreditCards Says:
      May 28th, 2009 at 10:02 am

      Hi, cool post. I have been wondering about this topic, so thanks for writing.

    10. Joe Says:
      June 2nd, 2009 at 8:55 pm

      Hi
      Can someone give me the definite answer to the vlan filter vlan-list #
      P4S has vlan-list 40
      but i see vlan 20 in other places.
      Please help and explain.
      Thanks

    11. Kachy Says:
      June 3rd, 2009 at 8:14 am

      The correct answer is vlan 20; you need to study the question carefully (there is no vlan 40).
      And I see the P4S has vlan-list 20 also :) (in the latest version)
      Good luck!
      Regards,
      Kachy

    12. Joe Says:
      June 3rd, 2009 at 11:08 am

      Hi Kachy
      Thanks for your answer. I got the latest P4S 642-892 v6.99 (composite) and this is question 348, and it has the answer vlan filter vlan-list 40.
      This was the source of my confusion. I guess the confusion stems from the question statement that says “…Vlan 40 is a new vlan that is used to provide the shipping personnel access to the server. For security reasons it is necessary to restrict access to Vlan 20 in the following manner…”
      Thanks
      Ps any additional information is welcome from those who took the exam and passed this.

    13. dugger Says:
      June 12th, 2009 at 8:34 am

      I saw this on my 892 test today; it could be tagged for that section of the site as well.

      FYI There were NO hotspot questions on my particular test. There were however at least five, perhaps six simulations. I had seen all of them from either the 812 or 901 sections.

    14. mike Says:
      June 25th, 2009 at 4:59 pm

      Please, what is the passing score for the 812 exam?

    15. Kachy Says:
      June 25th, 2009 at 5:16 pm

      804

    16. mike Says:
      June 25th, 2009 at 5:25 pm

      Please, Kachy, can you go to the spanning tree lab section and answer my question please?

    17. mike Says:
      June 25th, 2009 at 5:38 pm

      Please, Kachy, can you go to the spanning tree NEW lab section and answer my question please?

    18. Habib Says:
      June 26th, 2009 at 1:04 am

      Could anyone help out with the HSRP simlet in Pass4sure… it’s really confusing… The answers are incorrect in the dumps… so I need help.

    19. SGN Says:
      June 30th, 2009 at 7:43 pm

      Hi Friends.
      Which one is correct? Please help me.

      642-892 dot1x lab question

      DSW1#vlan filter PASS vlan-list 40
      or
      DSW1#vlan filter PASS vlan-list 20

      642-812) Lab – AAA dot1x(New)
      =========================================
      ASW1#conf t
      ASW1#aaa new-model
      ASW1#radius-server host 172.120.39.46 key rad123
      ASW1#aaa authentication dot1x default group radius
      ASW1#dot1x system-auth-control
      ASW1#interface fa0/1
      ASW1#switchport mode access
      ASW1#dot1x port-control auto
      ASW1#exit
      ASW1#copy run start

      DSW1#conf t
      DSW1#ip access-list standard 10
      DSW1#permit 172.120.40.0 0.0.0.255
      DSW1#vlan access-map PASS 10
      DSW1#match ip address 10
      DSW1#action forward
      DSW1#exit
      DSW1#vlan access-map PASS 20
      DSW1#action drop
      DSW1#exit
      DSW1#vlan filter PASS vlan-list 40
      DSW1#copy run start

    20. ogarlick Says:
      July 2nd, 2009 at 2:01 am

      Hey guys, I wrote BCMSN today and passed with 1000; I got this simulation question. It was exactly the same (IP and vlan no’s as well).

      I did the sim exactly like in the post and it must be right because I got 1000.

    21. Kachy Says:
      July 2nd, 2009 at 10:49 am

      Congratulations~~~
      You can share your experience on “Share & Care”.

    22. Rathinam Says:
      July 7th, 2009 at 9:48 am

      Hello Mike , Ya man & Admin

      Please, I’m going to take the exam next week; I need the latest Pass4sure version. If anyone has it, please do share it, as I’m in need of it.

      Pass4sure 642-812 Exam
      * Questions and Answers : 387 Q&As
      * Updated: July 2nd , 2009

      Hi Friends.
      Please confirm for me that the below is correct.

      642-812) Lab – AAA dot1x(New)
      =========================================

      ASW1#
      conf t
      aaa new-model
      radius-server host 172.120.39.46 key rad123
      aaa authentication dot1x default group radius
      dot1x system-auth-control
      interface fa0/1
      switchport mode access
      dot1x port-control auto
      exit
      copy run start
      DSW1#conf t
      ip access-list standard 10
      permit 172.120.40.0 0.0.0.255
      vlan access-map PASS 10
      match ip address 10
      action forward
      exit
      vlan access-map PASS 20
      action drop
      vlan filter PASS vlan-list 20
      DSW1#exit
      DSW1#copy run start

      Thanks in advance.

    23. mike Says:
      July 2nd, 2009 at 6:20 pm

      please be informed that the 642-812 pass4sure has been changed today to 387 Q and A

    24. Chang Says:
      July 8th, 2009 at 11:14 am

      Latest p4s is 6.87, but you cannot get it and it cannot be cracked. You need a sales order and a serial key.

      I ended up buying it today, it’s got 387 questions. There is only one .exe file now, not like the old one where you could click on a .jar file to open it. Nope, unless someone posts screen shots of the p4s, you are out of luck.

      I don’t have the time to do it with work and studying. Once I am done however, I might consider it.

    25. Rathinam Says:
      July 10th, 2009 at 6:24 am

      Thanks for the update, Chang.
      I’m ready to wait; if anyone has it, please do share it.

      thx

    26. ccnp2 Says:
      July 11th, 2009 at 9:30 pm

      @ Admin,

      Your Share & Care section is not working. It’s vital, please.

    27. Kachy Says:
      July 13th, 2009 at 9:26 am

      I have modified it; it’s working now.

      Thanks

    28. hendra Says:
      July 12th, 2009 at 4:20 pm

      I didn’t pass this exam, because I couldn’t issue the command copy run start or write mem. And I got 0 for this lab. I wonder, is it a program error, or does it behave correctly? If it behaves correctly, why did I get 0%, while my configuration was 90% correct?

    29. chang Says:
      July 13th, 2009 at 3:07 am

      copy run start was supported on all my other exams (ccna, and the CCNP so far) I never tried wr, or write. I never used write memory, I always do wr in my lab at home but can’t say if that works on exam or not.

    30. Rapfame Says:
      July 12th, 2009 at 8:43 pm

      Can someone confirm with me that
      copy run start does not work in the lab anymore?

      Thanks

    31. chang Says:
      July 13th, 2009 at 3:05 am

      It works; so does using the ? mark, and using TAB to complete commands.

    32. chang Says:
      July 13th, 2009 at 3:04 am

      I am not sure what’s up with the latest Pass4sure; it seems that I have about a dozen or more questions on BGP and OSPF and what not in this newest version I bought. I don’t have the older version to compare, so I wonder if that’s the new change. I know that those q’s will NOT be in the test, as I had those EXACT questions on the BSCI exam last month. This version has 387 and is version 6.87 (the latest p4s). I wonder if the older version had these BSCI questions in there as well?

    33. chang Says:
      July 13th, 2009 at 3:29 am

      Share & Care section is down.

    34. Kachy Says:
      July 13th, 2009 at 9:26 am

      Working now, thanks.

    35. lenovoy430 Says:
      July 14th, 2009 at 6:40 am

      Is “copy runn start” really not working, or does it really not matter? I got into the same situation as hendra twice!

      I didn’t pass this exam, because I couldn’t issue the command copy run start or write mem. And I got 0 for this lab. I wonder, is it a program error, or does it behave correctly? If it behaves correctly, why did I get 0%, while my configuration was 90% correct?

      Is there anyone that can attest that issuing the copy runn start command works for them?

    36. Boy_Racer Says:
      August 6th, 2009 at 3:03 am

      I haven’t taken the exam yet so I don’t know if this works, but copy run start is now obsolete; it has been superseded by this catchy number:

      copy system:running-config nvram:startup-config

      see here for more info:
      http://www.cisco.com/en/US/docs/ios/12_1/configfun/command/reference/frd2002.html#wp1017432

    37. Boy_Racer Says:
      August 6th, 2009 at 3:08 am

      Are these lines required?:

      DSW1(config)#vlan access-map PASS 20
      DSW1(config-access-map)#action drop

      I thought they would be covered by an implicit drop??

    38. alvaneli Says:
      August 8th, 2009 at 9:56 am

      Hi

      I think these lines are not required.

      and also

      on asw1, on int fa0/1 following lines are required:

      #switch mode access
      #switch access vlan 20

    39. Boy_Racer Says:
      September 20th, 2009 at 7:44 pm

      Once the user has authenticated successfully, they will be placed into VLAN20 so the ‘switch access vlan 20’ command is not required.

    40. Boy_Racer Says:
      September 20th, 2009 at 7:48 pm

      …although I am assuming these devices are already in VLAN20 as per the question… “Devices on VLAN 20 are restricted to in the address range of 172.120.40.0/24”

    41. matty182 Says:
      August 10th, 2009 at 10:48 pm

      I would appreciate an answer to the “copy run start” issue as well as I am due to take my exam next week and after failing last time I am sure that I completed the 3 sims that I had perfectly with the exception of saving the config at the end.

      Any ideas guys?

    42. mikemomalife Says:
      August 25th, 2009 at 9:56 pm

      is the copy run start command still working for the exam?

    43. admin Says:
      August 26th, 2009 at 4:23 pm

      You can see Boy_Racer’s answer in the 21st.

    44. Jody Says:
      August 28th, 2009 at 12:22 am

      There is no way of saving the config when you are done, even with the copy system:running-config nvram:startup-config.

      I got really worried in the exam but passed and got 100 on this bit.

    45. admin Says:
      August 28th, 2009 at 11:55 am

      Guy, congratulations! Keep on!

    46. Boy_Racer Says:
      September 20th, 2009 at 7:42 pm

      For the command:
      vlan access-map PASS 10
      I presume you can name the access-map anything and it doesn’t have to be called ‘PASS’? I wonder if it looks odd to Cisco if everyone uses the same access-map name?

    47. anuloma_viloma Says:
      September 23rd, 2009 at 3:01 am

      Hi,

      I still don’t understand these lines :

      ASW1(config)#aaa new-model
      ASW1(config)#radius-server host 172.120.39.46 key rad123
      ASW1(config)#aaa authentication dot1x default group radius
      ASW1(config)#dot1x system-auth-control
      ASW1(config)#inter fastEthernet 0/1
      ASW1(config-if)#switchport mode access
      ASW1(config-if)#dot1x port-control auto
      ASW1(config-if)#exit
      ASW1#copy run start

      Where could I find explanations?
      Thanks in advance,
      Anuloma

    48. LTcisco Says:
      September 27th, 2009 at 8:30 pm

      I just checked in the student guide and configured it in the lab, and it works fine with the following configuration:

      vlan access-map CB 10
      action forward
      match ip address 1
      access-list 1 permit 172.120.40.0 0.0.0.255
      vlan filter CB vlan-list 20

      I believe this is the right configuration, although others might work too.

    49. deco Says:
      October 15th, 2009 at 11:10 am

      Hi,

      Please, what’s the latest Pass4Sure version of BCMSN 642-812?? Only BCMSN, no composite!!

      Thanks

    50. Raiy Wong Says:
      October 16th, 2009 at 10:53 am

      Pass4sure has released the new version 642-812, you can have a look.

    51. deco Says:
      October 16th, 2009 at 11:45 am

      Raiy,

      Do you have the new version?? Do you know where I can find it?

      I have version 3.10….. can it be trusted??

    52. Raiy Wong Says:
      October 16th, 2009 at 4:27 pm

      Sorry, I do not have the new version.

    53. lubskogreg Says:
      May 30th, 2010 at 5:16 am

      Hey people!!!

      What about this part of the task:
      “– Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.

      – Packets from devices in any other address range should be dropped on VLAN 20.”

      Shouldn’t there be one more access list besides ACL 10?
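Several of the comments above (Boy_Racer's question about the `PASS 20 action drop` entry, alvaneli's reply, and lubskogreg's question about a second access list) come down to how a VLAN access map is evaluated. The Python model below is an added example, not part of the post or of any comment: it evaluates a map the way IOS does (entries in sequence order, an entry matches when its standard ACL permits the source, traffic no entry matches is dropped) and compares the post's map with and without the explicit drop entry. The ACL, the maps and the sample addresses are constructed from the lab's values; `vacl_action` and the other names are hypothetical.

```python
"""Evaluate a Catalyst-style VLAN access map against sample source addresses.
Added example, not from the post or any comment; the ACL, maps and addresses are
constructed from the lab's values and the function names are hypothetical."""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: wildcard bits set to 1 are 'don't care' bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def acl_result(acl, src):
    """Standard ACL: first matching entry wins; no match is an implicit deny."""
    for verdict, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return verdict
    return "deny"


def vacl_action(access_map, acls, src):
    """access_map: [(sequence, acl_name or None, action)]. An entry matches when its
    ACL permits the source (an entry with no ACL matches everything); a source the
    ACL denies just falls through to the next entry."""
    for _, acl_name, action in sorted(access_map, key=lambda entry: entry[0]):
        if acl_name is None or acl_result(acls[acl_name], src) == "permit":
            return action
    return "drop"   # implicit drop at the end of every VLAN access map


# Constructed: the lab's ACL 10, the post's map with its explicit 'PASS 20 action drop'
# entry, and the same map relying on the implicit drop instead.
ACLS = {"10": [("permit", "172.120.40.0", "0.0.0.255")]}
PASS_EXPLICIT = [(10, "10", "forward"), (20, None, "drop")]
PASS_IMPLICIT = [(10, "10", "forward")]
SAMPLE_SOURCES = ("172.120.40.7", "172.120.40.255", "172.120.41.7", "10.0.0.5")


def compare_maps(sources=SAMPLE_SOURCES):
    """{source: (action with the explicit drop entry, action without it)}."""
    return {s: (vacl_action(PASS_EXPLICIT, ACLS, s), vacl_action(PASS_IMPLICIT, ACLS, s))
            for s in sources}


if __name__ == "__main__":
    for src, (explicit, implicit) in compare_maps().items():
        print(f"{src:16} explicit drop entry: {explicit:8} implicit only: {implicit}")
```

For every sample source the two maps give the same verdict, so neither the `PASS 20` entry nor a second ACL is needed for the drop; the explicit entry is harmless and merely documents the intent. Note also that a `deny` line inside the matched ACL does not drop a packet: it only makes that entry not match, and the decision falls to later entries or to the implicit drop.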
