Cisco Exam Questions

You have been tasked with implementing the above access control…

CORRECT TEXT
SWITCH.com is an IT company that has an existing enterprise network comprised of two layer 2 only switches; DSW1 and ASW1. The topology diagram indicates
their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server. Corporate polices do not allow layer 3
functionality to be enabled on the switches. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
· Users connecting to VLAN 20 via portfO/1 on ASW1 must be authenticated before they are given access to the network. Authentication is to be done via a Radius
server:
· Radius server host: 172.120.40.46
· Radius key: rad123
· Authentication should be implemented as close to the host as possible.
· Devices on VLAN 20 are restricted to the subnet of 172.120.40.0/24.
· Packets from devices in the subnet of 172.120.40.0/24 should be allowed on VLAN 20.
· Packets from devices in any other address range should be dropped on VLAN 20.
· Filtering should be implemented as close to the serverfarm as possible.

The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to
installing the servers. You must use the available IOS switch features.

Answer: See the explanation

Explanation:
The configuration:
Step1: Console to ASW1 from PC console 1
ASW1(config)#aaa new-model

ASW1(config)#radius-server host 172.120.39.46 key rad123 ASW1(config)#aaa authentication dot1x default group radius ASW1(config)#dot1x system-auth-control
ASW1(config)#inter fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#exit
ASW1#copy run start
Step2: Console to DSW1 from PC console 2
DSW1(config)#ip access-list standard 10
DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-ext-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1#copy run start