
Exam 300-115 topic 2 question 32 discussion

Actual exam question from Cisco's 300-115
Question #: 32
Topic #: 2

SIMULATION -
SWITCH.com is an IT company that has an existing enterprise network comprised of two layer 2 only switches, DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server. Corporate policies do not allow layer 3 functionality to be enabled on the switches. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
✑ Users connecting to VLAN 20 via port f0/1 on ASW1 must be authenticated before they are given access to the network. Authentication is to be done via a Radius server:
- Radius server host: 172.120.40.46
- Radius key: rad123
- Authentication should be implemented as close to the host as possible.
✑ Devices on VLAN 20 are restricted to the subnet of 172.120.40.0/24.
- Packets from devices in the subnet of 172.120.40.0/24 should be allowed on VLAN 20.
- Packets from devices in any other address range should be dropped on VLAN 20.
- Filtering should be implemented as close to the server farm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.
Note: Named access list is not supported.

Suggested Answer: Here is the solution below
Step 1: Console to ASW1 from PC console 1 (802.1X on the access port, as close to the host as possible; the Radius host is 172.120.40.46 as given in the task)

ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.40.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start

Step 2: Console to DSW1 from PC console 2 (VLAN access map on the distribution switch, as close to the server farm as possible; a numbered standard ACL is used because named ACLs are not supported in the simulation)

DSW1(config)#access-list 10 permit 172.120.40.0 0.0.0.255
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1(config)#end
DSW1#copy run start
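To see why the two access-map sequences produce the required filtering, here is an added Python model of the DSW1 VACL logic (example code written for this page, not Cisco's or the exam's own material). It implements IOS wildcard-mask matching, the implicit deny at the end of a standard ACL, and the rule that an access-map sequence with no match clause matches all traffic; the sample source addresses are constructed.

```python
import ipaddress

# Added model of the DSW1 VACL from the suggested answer (not the page's own code):
# standard ACL 10 permits 172.120.40.0/24, access-map PASS forwards ACL-10 permits
# at sequence 10 and drops everything else at sequence 20.

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a 0 bit in the mask means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# Standard ACL 10, as a list of (action, network, wildcard) entries.
ACL_10 = [("permit", "172.120.40.0", "0.0.0.255")]

def acl_result(acl, src):
    """Evaluate a standard ACL against a source address; implicit deny at the end."""
    for action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action
    return "deny"

# VLAN access-map PASS as (sequence, acl-or-None, action). A sequence with no
# match clause matches all traffic.
VACL_PASS = [
    (10, ACL_10, "forward"),
    (20, None, "drop"),
]

def vacl_action(vacl, src):
    """Walk the access map in sequence order; the first sequence whose ACL permits wins."""
    for _seq, acl, action in sorted(vacl, key=lambda e: e[0]):
        if acl is None or acl_result(acl, src) == "permit":
            return action
    # A packet that matches no sequence at all is dropped by the VACL.
    return "drop"

# Constructed sample sources: an in-range host, a host in the neighbouring
# 172.120.39.0/24, and an unrelated host.
SAMPLE_SOURCES = ["172.120.40.10", "172.120.39.46", "10.0.0.5"]

def evaluate_samples():
    """Return {source: action} for the constructed samples."""
    return {src: vacl_action(VACL_PASS, src) for src in SAMPLE_SOURCES}

if __name__ == "__main__":
    for src, act in evaluate_samples().items():
        print(f"{src:>15} -> {act}")
```

Run it as a script to print the action for each sample; only the 172.120.40.0/24 host is forwarded. The `wildcard_match` helper also makes a common mistake visible: if the entry is typed with a subnet mask (255.255.255.0) instead of a wildcard mask, only the last octet is compared, so any address ending in .0 matches and the filter no longer restricts to the intended subnet.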

Comments

Boek
Highly Voted 5 years, 8 months ago
Note: Named access list is not supported. Creating a Standard IP Access List Using Numbers but not a Standard IP Access List Using Names conf t access-list 10 permit ip 172.120.40.0 0.0.0.255 exit
upvoted 5 times
Boek
Most Recent 5 years, 8 months ago
Note: Named access list is not supported. Creating a Standard IP Access List Using Numbers but not a Standard IP Access List Using Names conf t access-list 10 permit 172.120.40.0 0.0.0.255 exit
upvoted 3 times
Alex
5 years, 10 months ago
In this simulation we use two layer 2 only switches. How can we apply an ip access-list? It is layer 3, not layer 2.
upvoted 1 times
Jothi
5 years, 9 months ago
Here the command ip access-list means you are using a Named ACL rather than using a normal one. Nothing relates to layer 3 capability.
upvoted 1 times