CCNP BCMSN(642-812) Lab – AAA dot1x(New)
By admin | April 11, 2009
Acme is a small shipping company that has an existing enterprise network comprised of 2 switches, DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
– Users connecting to ASW1’s port must be authenticated before they are given access to the network. Authentication is to be done via a Radius server:
– Radius server host: 172.120.39.46
– Radius key: rad123
– Authentication should be implemented as close to the host device as possible.
– Devices on VLAN 20 are restricted to the address range of 172.120.40.0/24.
– Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.
– Packets from devices in any other address range should be dropped on VLAN 20.
– Filtering should be implemented as close to the server farm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.
The configuration:
Step 1: Console to ASW1 from PC console 1
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start
Step 2: Console to DSW1 from PC console 2
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1(config)#end
DSW1#copy run start
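The DSW1 configuration leaves two things implicit that readers often stumble over: a standard ACL matches on source address with a wildcard mask and no protocol keyword, and a VLAN access map takes the action of the first sequence whose match clause fires, dropping anything that matches no sequence. The following Python model is an added example, not the post's configuration or Cisco code; it assumes the documented IOS semantics (wildcard bit 0 must match, implicit deny at the end of an ACL, implicit drop at the end of a VLAN access map) and runs ACL 10 and access map PASS over constructed sample source addresses, both with and without the explicit sequence 20.

```python
"""Model of the VLAN 20 filter that DSW1 applies in the lab above.

Added example, not part of the original post and not IOS code: it mimics
how a Cisco standard ACL (wildcard-mask matching, implicit deny) feeds a
VLAN access map (first matching sequence wins, implicit drop at the end),
so the task's "pass 172.120.40.0/24, drop everything else" rule can be
checked against constructed sample addresses offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    base: str
    wildcard: str


def parse_standard_acl(lines: List[str]) -> List[AclEntry]:
    """Parse entries typed under 'ip access-list standard <n>'.

    Standard ACLs match on source address only, so the syntax is
    'permit|deny <addr> [wildcard]'. A protocol keyword ('permit ip ...')
    belongs to extended ACLs and is rejected here.
    """
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 2 or tok[0] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        if tok[1] == "ip":
            raise ValueError(f"standard ACLs take no protocol keyword: {line!r}")
        wildcard = tok[2] if len(tok) > 2 else "0.0.0.0"  # bare address = host match
        entries.append(AclEntry(tok[0], tok[1], wildcard))
    return entries


def is_valid_standard_acl_line(line: str) -> bool:
    try:
        parse_standard_acl([line])
        return True
    except ValueError:
        return False


def acl_permits(entries: List[AclEntry], src_ip: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src_ip, e.base, e.wildcard):
            return e.action == "permit"
    return False


@dataclass
class MapSequence:
    seq: int
    action: str                            # "forward" or "drop"
    acl: Optional[List[AclEntry]] = None   # None: no match clause, matches all


def vacl_decision(sequences: List[MapSequence], src_ip: str) -> str:
    """'match ip address <acl>' fires when the ACL permits the packet. The
    first firing sequence's action is taken; if none fires, the packet is
    dropped by the access map's implicit drop."""
    for s in sorted(sequences, key=lambda s: s.seq):
        if s.acl is None or acl_permits(s.acl, src_ip):
            return s.action
    return "drop"


# ACL 10 and access map PASS as configured on DSW1 in the post.
ACL_10 = parse_standard_acl(["permit 172.120.40.0 0.0.0.255"])
PASS_EXPLICIT_DROP = [MapSequence(10, "forward", ACL_10), MapSequence(20, "drop")]
# The same map without sequence 20, relying on the implicit drop instead.
PASS_IMPLICIT_DROP = [MapSequence(10, "forward", ACL_10)]

# Constructed sample source addresses (not from the post).
SAMPLES = ["172.120.40.17", "172.120.40.255", "172.120.41.1", "10.0.0.5"]


def evaluate(sequences: List[MapSequence], samples: List[str] = SAMPLES) -> Dict[str, str]:
    return {ip: vacl_decision(sequences, ip) for ip in samples}


if __name__ == "__main__":
    print("explicit drop:", evaluate(PASS_EXPLICIT_DROP))
    print("implicit drop:", evaluate(PASS_IMPLICIT_DROP))
    print("'permit ip ...' accepted under a standard ACL?",
          is_valid_standard_acl_line("permit ip 172.120.40.0 0.0.0.255"))
```

Both maps forward the two 172.120.40.x addresses and drop the other two, which is why sequence 20 is harmless but not required; the parser also shows why a `permit ip` line fails under `ip access-list standard`.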
That is all; I hope this is helpful for you. Best of luck for your BCMSN 642-812 exam.
If you need the complete Pass4sure test questions for the 642-812 exam, you can visit Latest Pass4sure 642-812; maybe it will be helpful for your exam!
Topics: 642-812 Exam, CCNP
53 Responses to “CCNP BCMSN(642-812) Lab – AAA dot1x(New)”
April 23rd, 2009 at 5:23 am
This is wrong. Why VLAN 40? Why a second access map? Anything else but access-map?
Switch close to Servers DSW1:
—————————-
ip access-list standard 10
permit ip 172.120.40.0 0.0.0.255
exit
vlan access-map PASS 10
match ip address 10
action forward
exit
vlan filter PASS vlan-list 20
copy runn start
Switch close to Clients ASW1:
—————————–
aaa new-model
radius-server host 172.120.39.46 key rad123
aaa authentication dot1x default group radius
dot1x system-auth-control
interface fa0/1
switchport mode access
dot1x port-control auto
end
copy runn start
PASS will be dropped.
April 23rd, 2009 at 8:01 pm
Hi,
Should the access config be for all access interfaces (Fa0/1, Fa0/2 and Fa0/3), using interface range?
Thanks for replying
April 24th, 2009 at 7:04 am
Ajane
Authentication is done on Fa0/1 and not on Fa0/2 and Fa0/3 because the question says that we need to restrict access to VLAN 20, and Fa0/1 is on VLAN 20. Fa0/2 and Fa0/3 are not on VLAN 20.
April 24th, 2009 at 3:41 pm
Thanks for the answer,
I don’t see any information stipulating that Fa0/1 is the only interface on VLAN 20, or should we trust the schematic?
May 7th, 2009 at 7:12 pm
please which one of the answers is correct?
May 7th, 2009 at 7:34 pm
ip access-list standard 10
permit ip 172.120.40.0 0.0.0.255
exit
wrong.
it should be
ip access-list standard 10
permit 172.120.40.0 0.0.0.255
exit
Check it out.
May 20th, 2009 at 9:31 am
Checked, you are right, thanks.
August 5th, 2009 at 3:22 am
DSW1(config)#ip access-list standard 10
DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255
Shouldn’t the prompt be config-std-nacl, as it is a standard access list?
May 28th, 2009 at 10:02 am
Hi, cool post. I have been wondering about this topic, so thanks for writing.
June 2nd, 2009 at 8:55 pm
Hi
Can someone give me the definite answer to the vlan filter vlan-list #
P4S has vlan-list 40
but I see vlan 20 in other places.
Please help and explain.
Thanks
June 3rd, 2009 at 8:14 am
The correct answer is vlan 20; you need to study the question carefully (there is no VLAN 40).
And I see the P4S has vlan-list 20 also :) (in the latest version)
Good luck!
Regards,
Kachy
June 3rd, 2009 at 11:08 am
Hi Kachy
Thanks for your answer. I got the latest P4S 642-892 v6.99 (composite), and this is question 348; it has the answer vlan filter vlan-list 40.
This was the source of my confusion. I guess the confusion stems from the question statement that says “…VLAN 40 is a new VLAN that is used to provide the shipping personnel access to the server. For security reasons it is necessary to restrict access to VLAN 20 in the following manner…”
Thanks
PS: any additional information is welcome from those who took the exam and passed this.
June 12th, 2009 at 8:34 am
I saw this on my 892 test today; it could be tagged for that section of the site as well.
FYI, there were NO hotspot questions on my particular test. There were, however, at least five, perhaps six, simulations. I had seen all of them from either the 812 or 901 sections.
June 25th, 2009 at 4:59 pm
Please, what is the passing score for the 812 exam?
June 25th, 2009 at 5:16 pm
804
June 25th, 2009 at 5:25 pm
pls kachy can you go to the spanning tree lab section and answer my question pls.
June 25th, 2009 at 5:38 pm
pls kachy can you go to the spanning tree NEW lab section and answer my question pls
June 26th, 2009 at 1:04 am
Could anyone help out with the HSRP simlet in Pass4sure? It’s really confusing… The answers are incorrect in the dumps, so I need help.
June 30th, 2009 at 7:43 pm
Hi Friends.
Which one is correct? Please help me.
642-892 dot1x lab question
DSW1#vlan filter PASS vlan-list 40
or
DSW1#vlan filter PASS vlan-list 20
642-812) Lab – AAA dot1x(New)
=========================================
ASW1#conf t
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fa0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start
DSW1#conf t
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 40
DSW1(config)#end
DSW1#copy run start
July 2nd, 2009 at 2:01 am
Hey guys, wrote BCMSN today and passed with 1000, i got this simulation question. It was exactly the same(IP and vlan no’s as well).
I did the sim exactly like in the post and it must be right because i got 1000.
July 2nd, 2009 at 10:49 am
Congratulations~~~
You can share your experience on “Share & Care”.
July 7th, 2009 at 9:48 am
Hello Mike, Ya man & Admin
Please, I’m going to take the exam next week and I need the latest Pass4sure version. If anyone has it, please do share it, as I’m in need of it.
Pass4sure 642-812 Exam
* Questions and Answers : 387 Q&As
* Updated: July 2nd , 2009
Hi Friends.
Please confirm for me that the below is correct:
642-812) Lab – AAA dot1x(New)
=========================================
ASW1#
conf t
aaa new-model
radius-server host 172.120.39.46 key rad123
aaa authentication dot1x default group radius
dot1x system-auth-control
interface fa0/1
switchport mode access
dot1x port-control auto
end
copy run start
DSW1#conf t
ip access-list standard 10
permit 172.120.40.0 0.0.0.255
vlan access-map PASS 10
match ip address 10
action forward
exit
vlan access-map PASS 20
action drop
exit
vlan filter PASS vlan-list 20
DSW1#exit
DSW1#copy run start
Thanks in advance.
July 2nd, 2009 at 6:20 pm
Please be informed that the 642-812 Pass4sure has been changed today to 387 Q and A.
July 8th, 2009 at 11:14 am
Latest p4s is 6.87, but you cannot get it and it cannot be cracked. You need a sales order and a serial key.
I ended up buying it today, it’s got 387 questions. There is only one .exe file now, not like the old one where you could click on a .jar file to open it. Nope, unless someone posts screen shots of the p4s, you are out of luck.
I don’t have the time to do it with work and studying. Once I am done however, I might consider it.
July 10th, 2009 at 6:24 am
Thanks for the update, Chang.
I’m ready to wait. Please, if anyone has it, please do share it.
thx
July 11th, 2009 at 9:30 pm
@ Admin,
Your Share & Care section is not working. It’s vital, please.
July 13th, 2009 at 9:26 am
I have modified it; it is working now.
Thanks
July 12th, 2009 at 4:20 pm
I didn’t pass this exam, because I couldn’t issue the command copy run start or write mem. And I got 0 for this lab. I wonder, is it a program error, or does it behave correctly? If it behaves correctly, why did I get 0% while my configuration was 90% correct?
July 13th, 2009 at 3:07 am
copy run start was supported on all my other exams (CCNA, and the CCNP so far). I never tried wr, or write. I never used write memory; I always do wr in my lab at home, but can’t say if that works on the exam or not.
July 12th, 2009 at 8:43 pm
Can someone confirm with me that
copy run start does not work in the lab anymore?
Thanks
July 13th, 2009 at 3:05 am
It works, and so does using the ? mark and using TAB to complete commands.
July 13th, 2009 at 3:04 am
I am not sure what’s up with the latest Pass4sure; it seems that I have about a dozen or more questions on BGP and OSPF and whatnot in this newest version I bought. I don’t have the older version to compare, so I wonder if that’s the new change. I know that those q’s will NOT be in the test, as I had those EXACT questions on the BSCI exam last month. This version has 387 questions and is version 6.87 (the latest p4s). I wonder if the older version had these BSCI questions in there as well?
July 13th, 2009 at 3:29 am
Share & Care section is down.
July 13th, 2009 at 9:26 am
Working now, thanks.
July 14th, 2009 at 6:40 am
Is “copy runn start” really not working, or does it really not matter? I got into the same situation as Hendra twice!
I didn’t pass this exam, because I couldn’t issue the command copy run start or write mem. And I got 0 for this lab. I wonder, is it a program error, or does it behave correctly? If it behaves correctly, why did I get 0% while my configuration was 90% correct?
Is there anyone who can attest that issuing the copy runn start command worked for them?
August 6th, 2009 at 3:03 am
I haven’t taken the exam yet so I don’t know if this works, but copy run start is now obsolete; it has been superseded by this catchy number:
copy system:running-config nvram:startup-config
see here for more info:
http://www.cisco.com/en/US/docs/ios/12_1/configfun/command/reference/frd2002.html#wp1017432
August 6th, 2009 at 3:08 am
Are these lines required?:
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
I thought they would be covered by an implicit drop??
August 8th, 2009 at 9:56 am
Hi
I think these lines are not required.
and also
on asw1, on int fa0/1 following lines are required:
#switch mode access
#switch access vlan 20
September 20th, 2009 at 7:44 pm
Once the user has authenticated successfully, they will be placed into VLAN20 so the ‘switch access vlan 20’ command is not required.
September 20th, 2009 at 7:48 pm
…although I am assuming these devices are already in VLAN 20 as per the question… “Devices on VLAN 20 are restricted to the address range of 172.120.40.0/24”
August 10th, 2009 at 10:48 pm
I would appreciate an answer to the “copy run start” issue as well as I am due to take my exam next week and after failing last time I am sure that I completed the 3 sims that I had perfectly with the exception of saving the config at the end.
Any ideas guys?
August 25th, 2009 at 9:56 pm
is the copy run start command still working for the exam?
August 26th, 2009 at 4:23 pm
You can see the answer of Boy_Racer in the 21st.
August 28th, 2009 at 12:22 am
There is no way of saving the config when you are done, even with the copy system:running-config nvram:startup-config.
I got really worried in the exam but passed and got 100 on this bit.
August 28th, 2009 at 11:55 am
Guy, congratulations! Keep on!
September 20th, 2009 at 7:42 pm
For the command:
vlan access-map PASS 10
I presume you can name the access-map anything and it doesn’t have to be called ‘PASS’? I wonder if it looks odd to Cisco if everyone uses the same access-map name?
September 23rd, 2009 at 3:01 am
Hi,
I still don’t understand these lines :
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#inter fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start
Where could I find explanations ?
Thanks in advance,
Anuloma
September 27th, 2009 at 8:30 pm
I just checked in the student guide and configured it in the lab, and it works fine with the following configuration:
vlan access-map CB 10
action forward
match ip address 1
access-list 1 permit 172.120.40.0 0.0.0.255
vlan filter CB vlan-list 20
I believe this is the right configuration, although others might work too.
October 15th, 2009 at 11:10 am
Hi,
Please, what’s the latest Pass4Sure version of BCMSN 642-812?? Only BCMSN, no composite!!
Thanks
October 16th, 2009 at 10:53 am
Pass4sure has released the new version 642-812, you can have a look.
October 16th, 2009 at 11:45 am
Raiy,
Do you have a new version?? Do you know where I can find it?
I have version 3.10….. can it be trusted??
October 16th, 2009 at 4:27 pm
Sorry, I do not have the new version.
May 30th, 2010 at 5:16 am
hey people!!!
what about this part of task:
“- Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.
– Packets from devices in any other address range should be dropped on VLAN 20.”
Shouldn’t there be one more access list besides ACL 10?