Say you want to filter 172.120.40.0 for Vlan 20.
Core Side
DLS1(Config)#Access-list 10 permit 172.120.40.0
DLS1(Config)#vlan access-map PASS 10
DLS1(Config-access-map)#match ip address 10
DLS1(Config-access-map)#action forward
DLS1(Config-access-map)#exit
! Sequence 20 has no match clause, so it applies to all remaining traffic
DLS1(Config)#vlan access-map PASS 20
DLS1(Config-access-map)#action drop
DLS1(Config-access-map)#exit
! 20 is the VLAN you want to filter
DLS1(Config)#vlan filter PASS vlan-list 20
Host Side
ALS1(Config)#aaa new-model
ALS1(Config)#radius-server host 172.120.1.1 key cisco
ALS1(Config)#aaa authentication dot1x default group radius
ALS1(Config)#aaa authorization network default group radius
ALS1(Config)#dot1x system-auth-control
ALS1(Config)#interface fa 0/1
ALS1(Config-if)#switchport mode access
ALS1(Config-if)#dot1x port-control auto
About Dot1x:
The first mode, force-authorized, is the default mode. In this mode, a port is always authorized and does not require any messages from either the supplicant or the authentication server. Force-authorized mode is used when you do not want to run 802.1X on a particular port. This is typically the case when connecting to another switch, a router, or a server, and also when connecting to clients that do not support 802.1X. The next mode, auto, is the normal 802.1X mode. A port in auto mode sends EAP packets to the supplicant and will not become authorized unless it receives a positive response from the authentication server. The final mode, force-unauthorized, prevents a port from becoming authorized even if the user has the appropriate credentials. This mode essentially disables the port from use by any user or device. To configure the ports, use the following commands.
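An added example (not from the original post): a small Python check that reads an IOS-style configuration, reports which of the global 802.1X commands from the host-side configuration are missing, and shows which port-control mode each interface ends up in, treating an interface with no `dot1x port-control` line as the default force-authorized. The function names and the sample configuration are constructed for illustration, and only the `dot1x port-control` syntax used on this page is recognised.

```python
import re

# Global commands from the host-side configuration above that 802.1X depends on.
REQUIRED_GLOBALS = ("aaa new-model",
                    "aaa authentication dot1x default group radius",
                    "dot1x system-auth-control")
PORT_CONTROL = re.compile(r"\s+dot1x port-control\s+(auto|force-authorized|force-unauthorized)\s*$")

def audit_dot1x(config_text):
    """Return (missing_globals, {interface: mode}) for an IOS-style config."""
    present = {ln.strip() for ln in config_text.splitlines()}
    missing = [cmd for cmd in REQUIRED_GLOBALS if cmd not in present]
    if not any(ln.startswith("radius-server host ") for ln in present):
        missing.append("radius-server host")
    ports, current = {}, None
    for ln in config_text.splitlines():
        header = re.match(r"interface\s+(\S+)", ln)
        if header:
            current = header.group(1)
            # No port-control line means the default mode, force-authorized.
            ports[current] = "force-authorized"
        elif current and ln.startswith(" "):
            mode = PORT_CONTROL.match(ln)
            if mode:
                ports[current] = mode.group(1)
        else:
            current = None  # left the interface block
    return missing, ports

def unauthenticated_ports(ports):
    """Ports that forward traffic without any 802.1X exchange."""
    return sorted(p for p, mode in ports.items() if mode == "force-authorized")

# Constructed sample config (not from a real device); system-auth-control is left out on purpose.
SAMPLE = """\
aaa new-model
radius-server host 172.120.1.1 key cisco
aaa authentication dot1x default group radius
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 dot1x port-control force-unauthorized
"""

if __name__ == "__main__":
    print(audit_dot1x(SAMPLE))
```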
2 comments:
Guys, don't trust these configs. P4S is the correct one. I wrote 642-813 yesterday with a score of 956. I was following the steps mentioned here in the exam and wasted 5 to 10 mins.
Following is the right config:
aaa authentication dot1x default group radius
Help commands were working, hence I was able to finish this simulation, otherwise :(
Dear nutty professor, please don't provide wrong updates as it may impact someone's future.
I guess they have made some changes now.
Again, Authorisation command is not required.