Acme is a small shipping company that has an existing enterprise network composed of two switches, DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
– Users connecting to ASW1’s port must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:
– RADIUS server host: 172.120.39.46
– RADIUS key: rad123
– Authentication should be implemented as close to the host device as possible.
– Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
– Packets from devices in the address range 172.120.40.0/24 should be passed on VLAN 20.
– Packets from devices in any other address range should be dropped on VLAN 20.
– Filtering should be implemented as close to the server farm as possible.
The RADIUS server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a precondition to installing the servers. You must use the available IOS switch features.
The configuration:
Step 1: Console to ASW1 from PC console 1
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start
Step 2: Console to DSW1 from PC console 2
DSW1(config)#ip access-list standard 10
DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-ext-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1#copy run start …
That is all; I hope it helps you. Good luck with your BCMSN 642-812 exam.
If you need the complete Pass4sure test questions for the 642-812 exam, you can visit Latest Pass4sure 642-812; maybe it will help with your exam!
This is wrong. Why VLAN 40? Why a second access map? Anything else but the access-map?
Switch close to servers, DSW1:
—————————-
ip access-list standard 10
permit ip 172.120.40.0 0.0.0.255
exit
vlan access-map PASS 10
match ip address 10
action forward
exit
vlan filter PASS vlan-list 20
copy runn start
Switch close to clients, ASW1:
—————————–
aaa new-model
radius-server host 172.120.39.46 key rad123
aaa authentication dot1x default group radius
dot1x system-auth-control
interface fa0/1
switchport mode access
dot1x port-control auto
end
copy runn start
PASS will be dropped.
Hi,
Shouldn’t the access config be applied to all access interfaces (Fa0/1, Fa0/2 and Fa0/3) using interface range?
Thanks for replying,
Ajane
Authentication is done on Fa0/1 and not on Fa0/2 and Fa0/3 because the question says that we need to restrict access to VLAN 20, and Fa0/1 is on VLAN 20. Fa0/2 and Fa0/3 are not on VLAN 20.
Thanks for the answer,
I don’t see any information stipulating that Fa0/1 is the only interface on VLAN 20, or should we trust the schematic?
Please, which one of the answers is correct?
ip access-list standard 10
permit ip 172.120.40.0 0.0.0.255
exit
Wrong.
It should be:
ip access-list standard 10
permit 172.120.40.0 0.0.0.255
exit
Check it out.
Checked, you are right, thanks.
DSW1(config)#ip access-list standard 10
DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255
Shouldn’t the prompt be config-std-nacl, as it is a standard access list?
Hi, cool post. I have been wondering about this topic, so thanks for writing.
Hi
Can someone give me the definite answer for the vlan filter vlan-list number?
P4S has vlan-list 40,
but I see VLAN 20 in other places.
Please help and explain.
Thanks
The correct answer is VLAN 20; you need to study the question carefully (there is no VLAN 40).
And I see P4S has vlan-list 20 also :) (in the latest version).
Good luck!
Regards,
Kachy
Hi Kachy
Thanks for your answer. I got the latest P4S 642-892 v6.99 (composite), and this is question 348, and it has the answer vlan filter vlan-list 40.
This was the source of my confusion. I guess the confusion stems from the question statement that says “…VLAN 40 is a new VLAN that is used to provide the shipping personnel access to the server. For security reasons it is necessary to restrict access to VLAN 20 in the following manner…”
Thanks
PS: any additional information is welcome from those who took the exam and passed this.
I saw this on my 892 test today; it could be tagged for that section of the site as well.
FYI, there were NO hotspot questions on my particular test. There were, however, at least five, perhaps six, simulations. I had seen all of them from either the 812 or 901 sections.
Please, what is the passing score for the 812 exam?
804
Please, Kachy, can you go to the spanning tree lab section and answer my question?
Please, Kachy, can you go to the spanning tree NEW lab section and answer my question?
Could anyone help out with the HSRP simlet in Pass4sure? It’s really confusing… The answers are incorrect in the dumps… so I need help.
Hi Friends.
Which one is correct? Please help me.
642-892 dot1x lab question:
DSW1#vlan filter PASS vlan-list 40
or
DSW1#vlan filter PASS vlan-list 20
642-812) Lab – AAA dot1x(New)
=========================================
ASW1#conf t
ASW1#aaa new-model
ASW1#radius-server host 172.120.39.46 key rad123
ASW1#aaa authentication dot1x default group radius
ASW1#dot1x system-auth-control
ASW1#interface fa0/1
ASW1#switchport mode access
ASW1#dot1x port-control auto
ASW1#exit
ASW1#copy run start
DSW1#conf t
DSW1#ip access-list standard 10
DSW1#permit 172.120.40.0 0.0.0.255
DSW1#vlan access-map PASS 10
DSW1#match ip address 10
DSW1#action forward
DSW1#exit
DSW1#vlan access-map PASS 20
DSW1#action drop
DSW1#exit
DSW1#vlan filter PASS vlan-list 40
DSW1#copy run start
Hey guys, I wrote BCMSN today and passed with 1000. I got this simulation question. It was exactly the same (IP and VLAN numbers as well).
I did the sim exactly as in the post, and it must be right because I got 1000.
Congratulations~~~
You can share your experience on “Share & Care”.
Hello Mike , Ya man & Admin
Please, I’m going to take the exam next week and I need the latest Pass4sure version. If anyone has it, please share it, as I need it.
Pass4sure 642-812 Exam
* Questions and Answers : 387 Q&As
* Updated: July 2nd , 2009
Hi Friends.
Please confirm that the below is correct:
642-812) Lab – AAA dot1x(New)
=========================================
ASW1#
conf t
aaa new-model
radius-server host 172.120.39.46 key rad123
aaa authentication dot1x default group radius
dot1x system-auth-control
interface fa0/1
switchport mode access
dot1x port-control auto
exit
copy run start
DSW1#conf t
ip access-list standard 10
permit 172.120.40.0 0.0.0.255
vlan access-map PASS 10
match ip address 10
action forward
exit
vlan access-map PASS 20
action drop
vlan filter PASS vlan-list 20
DSW1#exit
DSW1#copy run start
Thanks in advance.
Please be informed that the 642-812 Pass4sure has been changed today to 387 Q&As.
Latest p4s is 6.87, but you cannot get it and it cannot be cracked. You need a sales order and a serial key.
I ended up buying it today, it’s got 387 questions. There is only one .exe file now, not like the old one where you could click on a .jar file to open it. Nope, unless someone posts screen shots of the p4s, you are out of luck.
I don’t have the time to do it with work and studying. Once I am done however, I might consider it.
Thanks for the update, Chang.
I’m ready to wait; if anyone has it, please do share it.
Thanks
@ Admin,
Your Share & Care section is not working. It’s vital, please.
I have fixed it; it is working now.
Thanks
I didn’t pass this exam, because I couldn’t issue the command copy run start or write mem. And I got 0 for this lab. I wonder, is it a program error, or is it behaving correctly? If it is behaving correctly, why did I get 0%, while my configuration was 90% correct?
copy run start was supported on all my other exams (CCNA, and the CCNP so far). I never tried wr, or write. I never used write memory; I always do wr in my lab at home, but I can’t say if that works on the exam or not.
Can someone confirm with me that
copy run start does not work in the lab anymore?
Thanks
It works, and so does using the ? mark and using TAB to complete commands.
I am not sure what’s up with the latest Pass4sure; it seems that I have about a dozen or more questions on BGP and OSPF and whatnot on this newest version I bought. I don’t have the older version to compare, so I wonder if that’s the new change. I know that those questions will NOT be in the test, as I had those EXACT questions on the BSCI exam last month. This version has 387 questions and is version 6.87. I wonder if the older version had these BSCI questions in there as well?
Share & Care section is down.
Working now, thanks.
Is “copy runn start” really not working, or does it really not matter? I got into the same situation as Hendra twice!
I didn’t pass this exam, because I couldn’t issue the command copy run start or write mem. And I got 0 for this lab. I wonder, is it a program error, or is it behaving correctly? If it is behaving correctly, why did I get 0%, while my configuration was 90% correct?
Is there anyone who can attest that issuing the copy runn start command worked for them?
I haven’t taken the exam yet, so I don’t know if this works, but copy run start is now obsolete; it has been superseded by this catchy number:
copy system:running-config nvram:startup-config
see here for more info:
http://www.cisco.com/en/US/docs/ios/12_1/configfun/command/reference/frd2002.html#wp1017432
Are these lines required?:
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
I thought they would be covered by an implicit drop??
Hi
I think these lines are not required.
And also,
on ASW1, on int fa0/1, the following lines are required:
#switch mode access
#switch access vlan 20
Once the user has authenticated successfully, they will be placed into VLAN20 so the ‘switch access vlan 20’ command is not required.
…although I am assuming these devices are already in VLAN 20 as per the question: “Devices on VLAN 20 are restricted to the address range 172.120.40.0/24”.
I would appreciate an answer to the “copy run start” issue as well, as I am due to take my exam next week, and after failing last time I am sure that I completed the 3 sims that I had perfectly, with the exception of saving the config at the end.
Any ideas guys?
Is the copy run start command still working for the exam?
You can see Boy_Racer’s answer in the 21st comment.
There is no way of saving the config when you are done, even with the copy system:running-config nvram:startup-config.
I got really worried in the exam but passed and got 100 on this bit.
Guy, congratulations! Keep it up!
For the command:
vlan access-map PASS 10
I presume you can name the access-map anything and it doesn’t have to be called ‘PASS’? I wonder if it looks odd to Cisco if everyone uses the same access-map name?
Hi,
I still don’t understand these lines:
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start
Where could I find explanations ?
Thanks in advance,
Anuloma
I just checked in the student guide and configured it in the lab, and it works fine with the following configuration:
vlan access-map CB 10
action forward
match ip address 1
access-list 1 permit 172.120.40.0 0.0.0.255
vlan filter CB vlan-list 20
I believe this is the right configuration, although others might work too.
Hi,
Please, what’s the latest Pass4Sure version of BCMSN 642-812? Only BCMSN, no composite!
Thanks
Pass4sure has released the new version 642-812, you can have a look.
Raiy,
Do you have the new version? Do you know where I can find it?
I have version 3.10… can it be trusted?
Sorry, I do not have the new version.
hey people!!!
What about this part of the task:
“- Packets from devices in the address range of 172.120.40.0/24 should be passed on VLAN 20.
– Packets from devices in any other address range should be dropped on VLAN 20.”
Shouldn’t there be one more access list besides ACL 10?
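To settle the two questions raised above (whether the "vlan access-map PASS 20 / action drop" sequence is needed, and whether a second ACL is needed for "any other address range"), here is an added Python model of how a VLAN access-map evaluates a packet. It is example code written for this page, not IOS and not any poster's configuration; ACL_TABLE, vacl_action and the sample source addresses are constructed.

```python
import ipaddress

# Constructed model of the DSW1 VACL from this thread (added example, not IOS or any
# poster's code). Standard ACL 10 = list of (action, network, wildcard) entries.
ACL_TABLE = {"10": [("permit", "172.120.40.0", "0.0.0.255")]}

def acl_hit(entry, src):
    """IOS wildcard match: wildcard bits set to 1 are 'don't care'."""
    _, network, wildcard = entry
    s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, network, wildcard))
    return ((s & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

def acl_result(acl_name, src):
    """Standard ACL: first matching entry wins; anything else hits the implicit deny."""
    for entry in ACL_TABLE[acl_name]:
        if acl_hit(entry, src):
            return entry[0]
    return "deny"

def vacl_action(access_map, src):
    """access_map: list of (seq, action, acl_name or None), one tuple per
    'vlan access-map NAME seq'. Sequences are tried in order. A sequence with no
    match clause matches everything; one with 'match ip address ACL' matches only
    packets the ACL permits (an ACL deny, implicit or explicit, just moves on to the
    next sequence). A packet matching no sequence hits the VACL's implicit drop."""
    for _, action, acl_name in sorted(access_map, key=lambda m: m[0]):
        if acl_name is None or acl_result(acl_name, src) == "permit":
            return action
    return "drop"

# The two variants argued about in the thread: with and without 'PASS 20 / action drop'.
PASS_WITH_SEQ20 = [(10, "forward", "10"), (20, "drop", None)]
PASS_ONLY_SEQ10 = [(10, "forward", "10")]

def compare(sources):
    """Map each source IP to (action with seq 20, action without seq 20)."""
    return {s: (vacl_action(PASS_WITH_SEQ20, s), vacl_action(PASS_ONLY_SEQ10, s))
            for s in sources}

if __name__ == "__main__":
    # Constructed sample sources: two inside 172.120.40.0/24, two outside.
    samples = ["172.120.40.7", "172.120.40.254", "172.120.41.1", "10.0.0.5"]
    for src, (with20, without20) in compare(samples).items():
        print(f"{src:15} seq10+seq20: {with20:8} seq10 only: {without20}")
```

Both variants give the same result for every source address: an ACL deny only ends that one sequence, and a packet that matches no sequence is dropped by the VACL's implicit drop, so neither the explicit drop sequence nor a second ACL changes what is forwarded on VLAN 20.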