web analytics
  • RSS

  • Polls

    What Cisco Cert Are You Currently Studying?

    View Results

    Loading ... Loading ...
  • Search on CiscoBibles

  • Popular Posts

  • Recent Comments

  • Archives

  • « | Main | »

    CCNP SWITCH(642-813) Lab – AAA dot1x(New)

    By admin | February 14, 2011

    [Scenario]

    Acme is a small shipping company that has an existing enterprise network comprised of 2 switches;DSW1 and ASW2. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:

    – Users connecting to ASW1’s port must be authenticate before they are given access to the network. Authentication is to be done via a Radius server:

    – Radius server host: 172.120.39.46

    – Radius key: rad123

    – Authentication should be implemented as close to the host device possible.

    – Devices on VLAN 20 are restricted to in the address range of 172.120.40.0/24.

    – Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.

    – Packets from devices in any other address range should be dropped on VLAN 20.

    – Filtering should be implemented as close to the server farm as possible.

    The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.

    [Scenario]

    image

    [Solution]

    1. Verification of Pre-configuration:

    a. Check that the denoted vlan [vlan20] is created in both switches and ports [fa0/1 of ASW1] are assigned.

    b. Take down the radius-server ip [172.120.39.46] and the key [rad123].

    c. Take down the IP range [172.120.40.0/24] to be allowed the given vlan [vlan20]

    2. Configure the Port based authentication on ASW1:

    aaa new-model

    radius-server host 172.120.39.46 key rad123

    aaa authentication dot1Q default group radius

    dot1Q system-auth-control

    int fa 0/1

    switchport mode access

    switchport access vlan 20

    dot1x port-control auto

    copy running-config startup-config

    3. Filter the traffic and create vlan access-map to restrict the traffic only for a range on DSW1

    ip access-list standard allow

    permit 172.120.40.0 0.0.0.255

    vlan access-map vamap 5

    match ip address allow

    action forward

    vlan acces-map vamap 10

    action drop

    vlan filter vamap vlan-list 20

    copy running-config startup-config

    4. Note:

    It is not possible to verify the configuration in this lab. All we have do the correct configurations.

    Most of the exam takers report that “ copy running-config startup-config” is not working. It does not a matter.

    Do not try unwanted/wrong commands in the consoles. They are not real switches.

    Packet tracer is not supporting this LAB.

             

    Topics: 642-813 Exam, CCNP | 1 Comment »

    One Response to “CCNP SWITCH(642-813) Lab – AAA dot1x(New)”

    1. candinase Says:
      February 22nd, 2011 at 3:17 pm

      1) Configure ASW1

      Enable AAA on the switch:
      ASW1(config)#aaa new-model

      The new-model keyword refers to the use of method lists, by which authentication methods and sources can be grouped or organized.

      Define the server along with its secret shared password:
      ASW1(config)#radius-server host 172.120.39.46 key rad123

      ASW1(config)#aaa authentication dot1x default group radius
      This command causes the RADIUS server defined on the switch to be used for 802.1x authentication.

      Enable 802.1x on the switch:
      ASW1(config)#dot1x system-auth-control

      Configure Fa0/1 to use 802.1x:

      ASW1(config)#interface fastEthernet 0/1
      ASW1(config-if)#switchport mode access
      ASW1(config-if)#dot1x port-control auto
      Notice that the word “auto” will force connected PC to authenticate through the 802.1x exchange.

      ASW1(config-if)#exit
      ASW1#copy running-config startup-config

      2) Configure DSW1:

      Define an access-list:
      DSW1(config)#ip access-list standard 10 (syntax: ip access-list {standard | extended} acl-name)
      DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255
      DSW1(config-ext-nacl)#exit

      Define an access-map which uses the access-list above:
      DSW1(config)#vlan access-map MYACCMAP 10 (syntax: vlan access-map map_name [0-65535] )
      DSW1(config-access-map)#match ip address 10 (syntax: match ip address {acl_number | acl_name})
      DSW1(config-access-map)#action forward
      DSW1(config-access-map)#exit

      DSW1(config)#vlan access-map MYACCMAP 20
      DSW1(config-access-map)#action drop (drop other networks)
      DSW1(config-access-map)#exit

      Apply a vlan-map into a vlan:
      DSW1(config)#vlan filter MYACCMAP vlan-list 20 (syntax: vlan filter mapname vlan-list list)

      DSW1#copy running-config startup-config

      this is an example for this lab

    Comments

    You must be logged in to post a comment.