AAAdot1x Lab Sim
Acme is a small shipping company that has an existing enterprise network comprised of 2 switches, DSW1 and
ASW2. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to
provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to
VLAN 20 in the following manner:
– Users connecting to ASW1’s port must be authenticated before they are given access to the network.
– Authentication is to be done via a Radius server:
– Radius server host: 172.120.39.46
– Radius key: rad123
– Authentication should be implemented as close to the host device as possible.
– Devices on VLAN 20 are restricted to the address range of 172.120.40.0/24.
– Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.
– Packets from devices in any other address range should be dropped on VLAN 20.
– Filtering should be implemented as close to the server farm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with
implementing the above access control as a pre-condition to installing the servers.
You must use the available IOS switch features.
Answer:
Explanation:
Step 1: Console to ASW1 from PC console 1
enable
conf t
aaa new-model
radius-server host 172.120.39.46 key rad123
aaa authentication dot1x default group radius
dot1x system-auth-control
int fastethernet 0/1
switchport mode access
dot1x port-control auto
end
copy running-config startup-config
Step 2: Console to DSW1 from PC console 2
enable
conf t
ip access-list standard 10
! wildcard 0.0.0.255 matches the whole 172.120.40.0/24 range
permit 172.120.40.0 0.0.0.255
exit
vlan access-map pass 10
match ip address 10
action forward
exit
! sequence 20 has no match clause, so every other source is dropped
vlan access-map pass 20
action drop
exit
vlan filter pass vlan-list 20
exit
copy running-config startup-config
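The DSW1 part of the answer depends on two pieces of IOS behaviour that are easy to get wrong when typing an exam answer: how a standard ACL wildcard mask matches an address, and how a VLAN access map walks its sequences (first matching sequence wins, a sequence without a match clause matches everything, and a packet that matches no sequence is dropped). The script below is an added worked example, not part of the original answer and not something run on the switch; it models both behaviours in plain Python so the filter can be checked offline against sample source addresses. The network and server addresses are the ones from the lab task; the individual host addresses used as sample packets are constructed. It also shows what a transposed wildcard such as 0.0.0.225 (a common typo for 0.0.0.255) would do to hosts inside the permitted /24.

```python
"""Offline model of the DSW1 VLAN 20 filter from the lab (added example).

Reimplements, in plain Python, the IOS behaviour the answer relies on:
  * standard-ACL wildcard matching: a 0 bit in the mask means the address
    bit must equal the base, a 1 bit means the address bit is ignored;
  * VLAN access-map evaluation: sequences tried in order, first match wins,
    a sequence with no match clause matches all packets, and a packet that
    matches no sequence is dropped.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """True if addr matches the ACL entry 'permit base wildcard'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must match exactly
    return (a & care) == (b & care)


def acl_permits(acl, addr):
    """Evaluate a standard ACL given as [(action, base, wildcard), ...].

    Like IOS, an address matching no entry hits the implicit deny.
    """
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def vacl_action(access_map, acls, src):
    """Return 'forward' or 'drop' for a packet with source address src.

    access_map: ordered [(sequence, acl_name or None, action), ...].
    acl_name None models a sequence with no 'match' clause.
    """
    for _seq, acl_name, action in access_map:
        if acl_name is None or acl_permits(acls[acl_name], src):
            return action
    return "drop"  # no sequence matched: IOS drops the packet


# The DSW1 configuration from the lab, expressed as data.
ACLS = {"10": [("permit", "172.120.40.0", "0.0.0.255")]}
PASS_MAP = [(10, "10", "forward"),   # vlan access-map pass 10 / match ip address 10 / action forward
            (20, None, "drop")]      # vlan access-map pass 20 / action drop

# Same ACL with a transposed wildcard. 225 is 11100001 in binary, so the
# last-octet bits worth 2, 4, 8 and 16 now have to be zero to match.
ACLS_TYPO = {"10": [("permit", "172.120.40.0", "0.0.0.225")]}


def filter_vlan20(sources, acls=ACLS, access_map=PASS_MAP):
    """Map each constructed sample source address to the VACL's decision."""
    return {src: vacl_action(access_map, acls, src) for src in sources}


if __name__ == "__main__":
    # Constructed sample sources: three hosts inside 172.120.40.0/24, the
    # RADIUS server address from the task, and an unrelated address.
    samples = ["172.120.40.1", "172.120.40.16", "172.120.40.254",
               "172.120.39.46", "10.0.0.5"]
    print("wildcard 0.0.0.255 (as intended):")
    for src, act in filter_vlan20(samples).items():
        print(f"  {src:16} -> {act}")
    print("wildcard 0.0.0.225 (transposed digits):")
    for src, act in filter_vlan20(samples, ACLS_TYPO).items():
        print(f"  {src:16} -> {act}")
```

With 0.0.0.255 every 172.120.40.x source is forwarded and everything else is dropped, which is exactly the requirement. With 0.0.0.225 the map still looks plausible on the console, but hosts such as 172.120.40.16 and 172.120.40.254 are silently dropped because a bit the mask says to "care" about differs from the base address; checking the wildcard against the /24 before committing the VACL avoids that.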