Question:
CiscoSims is a small shipping company that has an existing enterprise network comprised of 2 switches, DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
- Users connecting to ASW1's ports must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:
- RADIUS server host: 172.120.39.46
- RADIUS key: rad123
- Authentication should be implemented as close to the host device as possible.
- Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
- Packets from devices in the address range 172.120.40.0/24 should be passed on VLAN 20.
- Packets from devices in any other address range should be dropped on VLAN 20.
- Filtering should be implemented as close to the server farm as possible.
The RADIUS server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.
===========
Solution:
===========
ASW1#conf t
The question states that authentication should be implemented as close to the host device as possible. ASW1 is the access switch the hosts plug into, so we'll configure authentication on it.
The first step in configuring the authenticator is to give it the address and shared key of the RADIUS server that will act as the authentication server. Enable AAA on ASW1, then enter the IP address and shared key of the RADIUS server:-
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
(The shared key is stored in cleartext in the running config unless service password-encryption is enabled, so treat 'sh run' output as sensitive.) The next step is to tell AAA to use RADIUS for 802.1X authentication. This makes the switch an authenticator: it exchanges EAP messages with the supplicant, relays them to the RADIUS server configured in the previous step, and acts on the server's Access-Accept or Access-Reject to authorize the port. To configure the switch to act as an authenticator, use the following command:-
ASW1(config)#aaa authentication dot1x default group radius
Now globally enable 802.1X port-based authentication (without this command the per-port dot1x settings have no effect, which is the omission a reader caught in the comments below):-
ASW1(config)#dot1x system-auth-control
From the 'sh run' output we can see that Fa0/1 is the access port for VLAN 20, so we'll configure it. (If more ports are placed in VLAN 20 later, each of them needs the same per-interface commands.)
ASW1(config)#int fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#switchport access vlan 20
Enable 802.1X authentication on the interface:-
ASW1(config-if)#dot1x port-control auto
Once a port is in auto mode, no client on that port is allowed to pass user traffic (apart from EAPOL frames) until the RADIUS server has authenticated the supplicant and the switch has authorized the port. Note that the RADIUS server does not exist yet: until it is installed, every authentication attempt on Fa0/1 will time out and the port will stay unauthorized, because no fallback (such as a guest VLAN or critical-auth VLAN) has been configured. Verify the port state with 'show dot1x all' or 'show dot1x interface fastEthernet 0/1'.
ASW1(config-if)#end
ASW1#copy run start
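As an added check (example code written for this page, not part of the original post and not a Cisco tool), the following Python script audits an IOS running-config for the pieces the procedure above depends on: the three global commands, a radius-server host line with a key, and 'dot1x port-control auto' on every access port in VLAN 20. Both configs embedded in it are constructed for the example; the second one deliberately leaves out dot1x system-auth-control and adds a second VLAN 20 port that was never configured, the two omissions most likely to leave a port silently unauthorized. The hostname, interface names and VLAN number are assumptions taken from the text above.

```python
"""Audit an IOS running-config for the 802.1X pieces ASW1 needs.

Added example, not from the original post and not a Cisco tool: it checks
the global AAA/RADIUS/dot1x commands and that every access port placed in
the given VLAN has 'dot1x port-control auto'. Both configs below are
constructed for the example; the hostname, interface names and VLAN number
are assumptions taken from the procedure above.
"""
import re

# Global commands without which 'dot1x port-control auto' has no effect.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)

RADIUS_HOST_RE = re.compile(r"^radius-server host \S+.*\bkey \S+")


def global_lines(config: str) -> set:
    """Top-level (unindented) lines of the config, stripped of whitespace."""
    return {line.strip() for line in config.splitlines()
            if line and not line.startswith(" ")}


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]}; a '!' or global line ends a block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_dot1x(config: str, vlan: int) -> list:
    """Return human-readable findings; an empty list means the config passes."""
    findings = []
    top = global_lines(config)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top:
            findings.append(f"missing global command: {cmd}")
    if not any(RADIUS_HOST_RE.match(line) for line in top):
        findings.append("no 'radius-server host <ip> key <key>' configured")
    for name, subs in parse_interfaces(config).items():
        if f"switchport access vlan {vlan}" not in subs:
            continue  # not one of the ports we are required to protect
        if "switchport mode access" not in subs:
            findings.append(f"{name}: in VLAN {vlan} but not 'switchport mode access'")
        if "dot1x port-control auto" not in subs:
            findings.append(f"{name}: VLAN {vlan} access port without "
                            "'dot1x port-control auto'")
    return findings


# Constructed running-config matching the procedure above.
GOOD_CONFIG = """\
hostname ASW1
!
aaa new-model
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
radius-server host 172.120.39.46 key rad123
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
!
interface FastEthernet0/24
 switchport mode trunk
!
"""

# Constructed config with the global enable missing (the omission a commenter
# caught) and a second VLAN 20 port that was never given port-control.
BAD_CONFIG = GOOD_CONFIG.replace("dot1x system-auth-control\n!\n", "") + """\
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_dot1x(cfg, 20) or ["OK"])
```

Run it against a saved 'sh run' by reading the file into audit_dot1x(); an empty result means every VLAN 20 access port is gated by 802.1X and the global prerequisites are in place.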
The question says that filtering should be implemented as close to the server farm as possible, so we'll configure the filtering on DSW1, the distribution switch.
Create a standard access list (number 10, entered in named-ACL configuration mode) that permits only the 172.120.40.0/24 network; every other address is rejected by the implicit deny at the end of the list:-
DSW1#conf t
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
To make sure that packets from devices in 172.120.40.0/24 are forwarded on VLAN 20 and packets from any other address range are dropped, create a VLAN access map. Sequence 10 forwards whatever the ACL permits; a packet that matches no sequence hits the implicit drop at the end of the map, so no explicit 'action drop' sequence is needed:-
DSW1(config)#vlan access-map ciscosims 10
DSW1(config-access-map)#match ip address 10 (10 is the access-list number)
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
Apply the VLAN access map to VLAN 20. A VACL is checked against every packet bridged into or out of the VLAN, so the source check applies in both directions: a server that is not itself addressed inside 172.120.40.0/24 would have its replies dropped too. Verify with 'show vlan access-map ciscosims' and 'show vlan filter':-
DSW1(config)#vlan filter ciscosims vlan-list 20
DSW1(config)#end
DSW1#copy run start
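To show why no explicit drop sequence is needed, here is an added example (Python written for this page, not from the original post and not a Cisco tool) that models how the VLAN access map above evaluates packets: standard-ACL source matching with IOS wildcard masks, access-map sequences evaluated in order, and the implicit drop for anything that matches no sequence. It goes beyond the page by also converting a CIDR prefix into the normalized network and wildcard IOS expects, and by checking that a map with an explicit trailing 'action drop' sequence behaves identically to the one configured above. The ACL text and packet source addresses are constructed for the example.

```python
"""Model how DSW1's VLAN access map evaluates packets on VLAN 20.

Added example, not from the original post: it implements IOS wildcard-mask
matching for a standard ACL, evaluates access-map sequences in order, and
applies the implicit drop at the end of the map. All ACL text and sample
packets below are constructed for this example.
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


def cidr_to_wildcard(cidr: str) -> tuple:
    """Turn a prefix into (network, wildcard) as IOS expects it.

    The network address is normalized, so a sloppy '172.120.40.0/19'
    becomes ('172.120.32.0', '0.0.31.255').
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def parse_standard_acl(text: str) -> list:
    """Parse the 'permit|deny <network> [wildcard]' lines of a standard ACL.

    Header lines such as 'ip access-list standard 10' are ignored, 'any'
    becomes 0.0.0.0/255.255.255.255, and a bare address is a host entry.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            continue
        if parts[1] == "any":
            entries.append((parts[0], "0.0.0.0", "255.255.255.255"))
        else:
            wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
            entries.append((parts[0], parts[1], wildcard))
    return entries


def acl_permits(entries: list, src: str) -> bool:
    """First matching entry wins; the implicit deny applies when none matches."""
    for action, network, wildcard in entries:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False


def vacl_action(access_map: list, src: str) -> str:
    """Evaluate an access map given as [(sequence, acl_entries_or_None, action)].

    Sequences are tried in numeric order. A sequence matches when its ACL
    permits the packet (a 'deny' in the ACL means 'not matched here', not
    'drop'); a sequence with no match clause matches everything. A packet
    that matches no sequence is dropped by the implicit drop at the end.
    """
    for _seq, acl, action in sorted(access_map, key=lambda s: s[0]):
        if acl is None or acl_permits(acl, src):
            return action
    return "drop"


# Constructed copy of the ACL from the DSW1 procedure.
ACL_10 = parse_standard_acl("""
ip access-list standard 10
 permit 172.120.40.0 0.0.0.255
""")

# The map as configured on DSW1: one sequence, implicit drop for the rest.
CISCOSIMS = [(10, ACL_10, "forward")]

# The variant a commenter asked about: an explicit sequence 20 that drops
# everything else. It is redundant with the implicit drop.
CISCOSIMS_EXPLICIT_DROP = CISCOSIMS + [(20, None, "drop")]

# Constructed sample sources: one inside the range, three outside it.
SAMPLE_SOURCES = ["172.120.40.17", "172.120.41.5", "10.0.0.5", "172.120.39.46"]


def evaluate(access_map: list, sources: list) -> dict:
    """Map each source address to the action the VACL takes on it."""
    return {src: vacl_action(access_map, src) for src in sources}


if __name__ == "__main__":
    for name, vmap in (("ciscosims", CISCOSIMS),
                       ("ciscosims + explicit drop", CISCOSIMS_EXPLICIT_DROP)):
        print(name, evaluate(vmap, SAMPLE_SOURCES))
    print("172.120.40.0/19 ->", cidr_to_wildcard("172.120.40.0/19"))
```

The model answers two of the questions raised in the comments: a packet from a subnet that the ACL does not permit (10.0.0.0/24 included) is dropped without any extra configuration, and adding a catch-all drop sequence changes nothing, because the implicit drop already covers it.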
=================================================================
Monday, August 24, 2009
I have a question about creating an access-list in a VLAN. Suppose for this range --> permit 172.120.40.0 0.0.0.255 I'm allowing this subnet access, but I add one more access-list --> permit 10.0.0.0 0.0.0.255; for this subnet I want to block them.
For this, how do I create the VLAN access-map?

Why is the configuration on ASW1 done only on Fa0/1 and not the other ports?

Hey,
Fa0/1 is the access port for VLAN 20, so we'll configure it.
You can see this with the 'sh run' command on ASW1.
I am adding an extract from the running configuration.

Hi, don't we need to add the
ASW1(config)#dot1x system-auth-control command after this command
"ASW1(config)#aaa authentication dot1x default group radius"?

@ Fazleabbas
Yes! We need to add this command. Thanks for the notification. I have corrected it now.

DSW1#conf t
DSW1(config)#ip access-list standard 10
Why did you use 10? Why not another number?

@ above,
No specific reason.
You can use any number from 1 to 99 and 1300-1999.

Hi,
in testinside there is another access-map 20 also defined, and the action taken is drop, and it is also applied to vlan-list 20..
Why? Can anyone explain it... is it necessary?
awais_afridi102@yahoo.com

thanks for

Can anyone explain the command
vlan access-map ciscosims 10
Why is ciscosims given?

Hi,
You need to attach a name to the vlan access-map command. The name can be anything, it doesn't matter.

@ above,
That's right!
You can use any name of your choice.

Hi Guys/CiscoSims,
Do we need to add the following commands to the DSW1 switch?
DSW1(config)#vlan access-map ciscosims 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit

I think drop is implicit at the end if you don't do something to forward all... sort of like an ACL.

Hello CiscoSims,
I just need to know: when we permit ip 172.120.40.0 0.0.0.255, suppose the IP comes as 172.120.40.0/19; in this case what do I need to do? Should I permit the same IP or the same wildcard, or do I need to do something else? Please clear this up as soon as possible, because tomorrow I am giving the exam. Please clear this up, I am a bit confused.

1. Yes, drop is implicit. We don't need to add "action drop".
2. @ sufi, you will enter the IP addresses which will be given to you in the exam. The actual exam doesn't contain the IP addresses given above.

You don't really need the "10" in "DSW1(config)#vlan access-map ciscosims 10", do you? I mean, that just specifies a sequence # in the access-map, right?

Why not use a standard access-list?
access-list 10 permit 172.120.40.0 0.0.0.255

Do I need to add the drop command or not?
If I add it, will marks be deducted? Please guide me on this...