CCNA Security 2.0 PT Practice SA – Part 1
The questions and answers for CCNA Security 2.0 PT Practice SA – Part 1 are revealed in this post. Hopefully this will help you pass the CCNA Security 2.0 Packet Tracer Practice SA Part 1 successfully. However, our current answer is only 84% correct. If you have a complete 100% answer, please comment below or email me.
A few things to keep in mind while completing this activity:
1. Do not use the browser Back button or close or reload any exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.
Introduction
In this practice Packet Tracer Skills Based Assessment, you will:
configure basic device hardening and secure network management
configure port security and disable unused switch ports
configure an IOS IPS
configure a Zone-based Policy Firewall (ZPF) to implement security policies
Addressing Table

Device              Interface  IP Address       Subnet Mask      Gateway        DNS server
Internet            S0/0/0     209.165.200.225  255.255.255.252  n/a
Internet            S0/0/1     192.31.7.1       255.255.255.252  n/a
Internet            G0/0       192.135.250.1    255.255.255.0    n/a
Public Svr          NIC        192.135.250.5    255.255.255.0    192.135.250.1  192.135.250.5
External            S0/0/0     192.31.7.2       255.255.255.252  n/a
External            G0/0       192.31.7.62      255.255.255.224  n/a
External Web Svr    NIC        192.31.7.35      255.255.255.224  192.31.7.62    192.135.250.5
External User       NIC        192.31.7.33      255.255.255.224  192.31.7.62    192.135.250.5
CORP                S0/0/0     209.165.200.226  255.255.255.252  n/a
CORP                S0/0/1     209.165.200.254  255.255.255.252  n/a
Internal            S0/0/1     209.165.200.253  255.255.255.252  n/a
Internal            G0/0       10.1.1.254       255.255.255.0    n/a
Internal            G0/1.10    172.16.10.254    255.255.255.0    n/a
Internal            G0/1.25    172.16.25.254    255.255.255.0    n/a
Internal            G0/1.99    172.16.99.1      255.255.255.0    n/a
DMZ DNS Svr         NIC        10.1.1.5         255.255.255.0    10.1.1.254
DMZ Web Svr         NIC        10.1.1.2         255.255.255.0    10.1.1.254     10.1.1.5
PC0                 NIC        172.16.10.5      255.255.255.0    172.16.10.254  10.1.1.5
PC1                 NIC        172.16.10.10     255.255.255.0    172.16.10.254  10.1.1.5
AAA/NTP/Syslog Svr  NIC        172.16.25.2      255.255.255.0    172.16.25.254  10.1.1.5
PC2                 NIC        172.16.10.15     255.255.255.0    172.16.10.254  10.1.1.5
Net Admin           NIC        172.16.25.5      255.255.255.0    172.16.25.254  10.1.1.5
Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.
Step 1: Configure Basic Device Hardening for the CORP and the Internal Routers.
a. Configure the CORP and the Internal routers to only accept passwords with a minimum length of 10 characters.
b. Configure an encrypted privileged level password of ciscoclass.
c. Enable password encryption for all clear text passwords in the configuration file.
d. Configure the console port and all vty lines with the following requirements:
Note: Both the CORP and the Internal routers are already configured with the username CORPADMIN and password Ciscoccnas.
o Use the local database for login.
o Disconnect after being idle for 20 minutes.
e. Disable the CDP protocol on the CORP router on the link to the Internet router.
Step 2: Configure Secure Network Management for the CORP Router.
a. Configure the IOS login enhancement for all vty lines with the following requirements:
Disable logins for 30 seconds after 3 failed login attempts within 60 seconds.
Step 3: Configure Secure Network Management for the Internal Router.
a. Configure the Internal router:
o as an NTP client to the AAA/NTP/Syslog server
o to update the router calendar (hardware clock) from the NTP time source
o to timestamp log messages
o to send logging messages to the AAA/NTP/Syslog server
b. Configure the IOS login enhancement for all vty lines with the following requirements:
o Disable logins for 30 seconds after 3 failed login attempts within 60 seconds.
o Log any failed or successful login to the syslog server.
c. Configure the Internal router to accept SSH connections. Use the following guidelines:
Note: Internal is already configured with the username SSHAccess and the secret password ciscosshaccess.
o The domain name is theccnas.com.
o RSA encryption key pair using a modulus of 1024
o SSH version 2, timeout of 90 seconds, and 2 authentication retries
o All vty lines accept only SSH connections.
d. Configure the Internal router with server-based AAA authentication and verify its functionality:
Note: The AAA server is already configured with RADIUS service, a username CORPSYS, and the password LetSysIn.
o The key to connect to the RADIUS server is corpradius.
o AAA authentication uses the RADIUS server as the default for console line and vty lines access.
o The local database is used as the backup if the RADIUS server connection cannot be established.
Step 4: Configure ACLs on the Internal Router to Implement Secure Management Access. a. Create ACL 12 to implement the security policy regarding the access to the vty lines:
Only users logged on to the Net Admin PC are allowed access to the vty lines.
Step 5: Configure Device Hardening for Switch1 and Switch4
a. Access Switch1 and Switch4 with username CORPADMIN, password Ciscoccnas, and the enable secret password of ciscoclass.
b. Configure Switch1 to protect against STP attacks.
o Configure PortFast on FastEthernet ports 0/1 to 0/22.
o Enable BPDU guard on FastEthernet ports 0/1 to 0/22.
c. Configure Switch1 port security and disable unused ports.
o Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/22. Allow the MAC address to be learned dynamically and to be retained in the running-config. Shut down the port if a violation occurs.
o Disable unused ports (Fa0/2-4, Fa0/6-10, Fa0/13-22).
d. Configure the trunk link on Fa0/23 and Fa0/24 on both Switch1 and Switch4.
o Disable DTP negotiation on the trunking ports.
o Set the native VLAN as VLAN 50 for the trunk links.
Step 6: Configure an IOS IPS on the Internal Router.
a. On the Internal router, if asked to log in, log in as CORPSYS with password LetSysIn. The enable secret password is ciscoclass.
b. Use the IPS signature storage location at flash:.
c. Create an IPS rule named corpips.
d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
e. Apply the IPS rule to the Gi0/0 interface in the out direction.
f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and deny packets that match the signature.
g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping Net Admin.
Step 7: Configure ZPF on the CORP Router.
a. Access the CORP router with username CORPADMIN, password Ciscoccnas, and the enable secret password of ciscoclass.
b. Create the firewall zones.
o Create an internal zone named CORP-INSIDE.
o Create an external zone named INTERNET.
c. Define a traffic class to allow traffic from the Internal network to access services in the Internet.
o Create a class map using the option of class map type inspect with the match-any keyword. Name the class map INSIDE_PROTOCOLS.
o Match the protocols http, tcp, udp, icmp, dns. (Please note, the order of match statements is significant only because of the scoring need in Packet Tracer.)
d. Specify firewall policies to allow internal hosts to access the Internet.
o Create a policy map named INSIDE_TO_INTERNET.
o Use the INSIDE_PROTOCOLS class map.
o Specify the action of inspect for this policy map.
e. Define a traffic class to allow traffic from the Internet to access services in the DMZ network.
o Create a class map using the option of class map type inspect with the match-any keyword. Name the class map DMZ_WEB.
o Match the protocols http and dns. (Please note, the order of match statements is significant only because of the scoring need in Packet Tracer.)
f. Specify a firewall policy to allow Internet traffic to access DMZ services.
o Create a policy map named INTERNET_TO_DMZWEB.
o Use the DMZ_WEB class map.
o Specify the action of pass for this policy map.
g. Apply the firewall.
o Create a pair of zones named IN_TO_OUT_ZONE with the source as CORP-INSIDE and destination as INTERNET.
o Specify the policy map INSIDE_TO_INTERNET for handling the traffic between the two zones.
o Create a pair of zones named INTERNET_TO_DMZ_ZONE with the source as INTERNET and destination as CORP-INSIDE.
o Assign interfaces to the appropriate security zones.
h. Verify the ZPF configuration.
o The External user can access the URLs http://www.theccnas.com and http://www.externalone.com.
o The External user cannot ping the DMZ Web Svr.
o The PCs in the internal network can ping and access the External Web Svr URL.
**** End Of Question ****
CORP router:
security passwords min-length 10
enable secret ciscoclass
service password-encryption
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
zone security CORP-INSIDE
exit
zone security INTERNET
exit
class-map type inspect match-any INSIDE_PROTOCOLS
match protocol http
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
exit
policy-map type inspect INSIDE_TO_INTERNET
class type inspect INSIDE_PROTOCOLS
inspect
exit
exit
class-map type inspect match-any DMZ_WEB
match protocol http
match protocol dns
exit
policy-map type inspect INTERNET_TO_DMZWEB
class type inspect DMZ_WEB
pass
exit
exit
zone-pair security IN_TO_OUT_ZONE source CORP-INSIDE destination INTERNET
service-policy type inspect INSIDE_TO_INTERNET
exit
zone-pair security INTERNET_TO_DMZ_ZONE source INTERNET destination CORP-INSIDE
service-policy type inspect INTERNET_TO_DMZWEB
exit
interface serial0/0/0
zone-member security INTERNET
exit
interface serial0/0/1
zone-member security CORP-INSIDE
exit
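To see why the Step 7h verification results come out the way they do, here is an added example (not part of the original post or of Cisco IOS) that parses the CORP router's ZPF commands above and reports, for a new flow between two interfaces, whether IOS inspects it, passes it statelessly, or drops it in class-default. ZPF_CONFIG and the interface names are taken from the CORP answer above; the evaluator is a simplification that ignores the router's self zone.

```python
"""Added example (not part of the original post or of Cisco IOS): a minimal
evaluator for the CORP router's Zone-Based Policy Firewall (ZPF) answer.
ZPF_CONFIG below is constructed from the CORP commands above."""

ZPF_CONFIG = """
class-map type inspect match-any INSIDE_PROTOCOLS
 match protocol http
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol dns
policy-map type inspect INSIDE_TO_INTERNET
 class type inspect INSIDE_PROTOCOLS
  inspect
class-map type inspect match-any DMZ_WEB
 match protocol http
 match protocol dns
policy-map type inspect INTERNET_TO_DMZWEB
 class type inspect DMZ_WEB
  pass
zone-pair security IN_TO_OUT_ZONE source CORP-INSIDE destination INTERNET
 service-policy type inspect INSIDE_TO_INTERNET
zone-pair security INTERNET_TO_DMZ_ZONE source INTERNET destination CORP-INSIDE
 service-policy type inspect INTERNET_TO_DMZWEB
interface serial0/0/0
 zone-member security INTERNET
interface serial0/0/1
 zone-member security CORP-INSIDE
"""

def parse_zpf(text):
    """Return (interface->zone, (src, dst)->policy, policy->[[class, action]],
    class->[protocols]); indented sub-mode lines belong to the last parent."""
    iface_zone, pairs, policies, classes = {}, {}, {}, {}
    kind = ctx = None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if not words:
            continue
        if line.startswith("class-map type inspect"):
            kind, ctx = "class", words[-1]
            classes[ctx] = []
        elif line.startswith("policy-map type inspect"):
            kind, ctx = "policy", words[-1]
            policies[ctx] = []
        elif line.startswith("zone-pair security"):
            kind, ctx = "pair", (words[4], words[6])
        elif line.startswith("interface "):
            kind, ctx = "iface", words[1]
        elif kind == "class" and line.startswith("match protocol"):
            classes[ctx].append(words[2])
        elif kind == "policy" and line.startswith("class type inspect"):
            policies[ctx].append([words[3], "drop"])  # action set by next line
        elif kind == "policy" and line in ("inspect", "pass", "drop"):
            policies[ctx][-1][1] = line
        elif kind == "pair" and line.startswith("service-policy"):
            pairs[ctx] = words[3]
        elif kind == "iface" and line.startswith("zone-member"):
            iface_zone[ctx] = words[2]
    return iface_zone, pairs, policies, classes

def zpf_action(cfg, in_iface, out_iface, protocol):
    """Action for a new session entering in_iface and leaving out_iface: same
    zone (or both zone-less) is allowed, member to non-member is dropped, else
    the zone-pair policy decides and class-default drops what nothing matched."""
    iface_zone, pairs, policies, classes = cfg
    src, dst = iface_zone.get(in_iface), iface_zone.get(out_iface)
    if src == dst:
        return "pass"
    if src is None or dst is None or (src, dst) not in pairs:
        return "drop"
    for cls, action in policies[pairs[(src, dst)]]:
        if protocol in classes[cls]:
            return action
    return "drop"
```

Because pass keeps no session state, the DMZ Web Svr's replies to the External user get out only because the reverse zone-pair inspects tcp.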
Internal router:
security passwords min-length 10
enable secret ciscoclass
service password-encryption
login on-failure log
login on-success log
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
ntp server 172.16.25.2 key 0
ntp update-calendar
service timestamps log datetime msec
logging host 172.16.25.2
ip domain-name theccnas.com
crypto key generate rsa 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
aaa new-model
! Commenters below report that the RADIUS host must be the AAA/NTP/Syslog Svr at 172.16.25.2
! (not 209.165.200.252) and that only the first aaa authentication line should be kept.
Radius-server host 209.165.200.252 key corpradius
aaa authentication login default group radius local
aaa authentication login default local
aaa authorization exec default local
line vty 0 4
login authentication default
line vty 0 15
login authentication default
line con 0
login authentication default
exit
ip ips config location flash:
ip ips name corpips
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
interface Gig0/0 //Press ENTER
Switch1:
interface range fastEthernet0/1-22
spanning-tree portfast
spanning-tree bpduguard enable
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security maximum 2
exit
interface range fastethernet 0/2-4
shutdown
interface range fastethernet 0/6-10
shutdown
interface range fastethernet 0/13-22
shutdown
exit
interface range fa0/23-24
switchport nonegotiate
switchport trunk native vlan 50

Switch4:
interface range fa0/23-24
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 50
Assessment items still marked incorrect with the configuration above:
Network:Internal:AAA:Authentication:1
Network:Internal:RADIUS Client:RADIUS Server Hosts:0
Network:Internal:VTY Lines:0:Access Class In
Network:Internal:ACL:12
Network:Internal:IPS:Signature:Retired
Network:Internal:IPS:Signature:Icmp Signature Id
Network:Internal:IPS:Signature:Icmp Sub Id
Update from a commenter for 100%:
access-list 12 permit host 172.16.25.5
line vty 0 15
access-class 12 in
exit

The Internal router config continues with:
interface Gi0/0
ip ips corpips out
exit
(config)#ip ips signature-definition
(config-sigdef)# signature 2004 0
(config-sigdef-sig)# status
(config-sigdef-sig-status)# retired false
(config-sigdef-sig-status)# enable true
(config-sigdef-sig-status)# exit
(config-sigdef-sig)# engine
(config-sigdef-sig-engine)# event-action produce-alert
(config-sigdef-sig-engine)# event-action deny-packet-inline
(config-sigdef-sig-engine)# exit
(config-sigdef-sig)# exit
(config-sigdef)# exit
(config)# exit
If you want to score a 100%, you must put one single line authentication aaa (first line):
aaa authentication login default group radius local –> good
aaa authentication login default local –> bad, because if you put both lines you delete the first line, that is the correct option.
The config below, contributed by Alexander R Fernandez, is claimed to be 100%. Please test it out.

Router CORP
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
zone security CORP-INSIDE
exit
zone security INTERNET
exit
class-map type inspect match-any INSIDE_PROTOCOLS
match protocol http
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
exit
policy-map type inspect INSIDE_TO_INTERNET
class type inspect INSIDE_PROTOCOLS
inspect
exit
exit
class-map type inspect match-any DMZ_WEB
match protocol http
match protocol dns
exit
policy-map type inspect INTERNET_TO_DMZWEB
class type inspect DMZ_WEB
pass
exit
exit
zone-pair security IN_TO_OUT_ZONE source CORP-INSIDE destination INTERNET
service-policy type inspect INSIDE_TO_INTERNET
exit
zone-pair security INTERNET_TO_DMZ_ZONE source INTERNET destination CORP-INSIDE
service-policy type inspect INTERNET_TO_DMZWEB
exit
interface serial0/0/0
zone-member security INTERNET
exit
interface serial0/0/1
zone-member security CORP-INSIDE
exit

Router INTERNAL
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
login on-failure log
login on-success log
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
ntp server 172.16.25.2 key 0
ntp update-calendar
service timestamps log datetime msec
logging host 172.16.25.2
ip domain-name theccnas.com
crypto key generate rsa 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
aaa new-model
Radius-server host 172.16.25.2 key corpradius
aaa authentication login default group radius local
aaa authorization exec default local
line vty 0 4
login authentication default
line vty 5 15
login authentication default
line con 0
login authentication default
exit
access-list 12 permit host 172.16.25.5
line vty 0 15
access-class 12 in
exit
ip ips config location flash:
ip ips name corpips
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
interface Gi0/0
ip ips corpips out
exit
ip ips signature-definition
signature 2004 0
status
retired false
enable true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit
exit
exit
exit

Switch 1
configure terminal
interface range fastEthernet0/1-22
spanning-tree portfast
spanning-tree bpduguard enable
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security maximum 2
exit
interface range fastethernet 0/2-4
shutdown
interface range fastethernet 0/6-10
shutdown
interface range fastethernet 0/13-22
shutdown
exit
interface range fa0/23-24
switchport nonegotiate
switchport trunk native vlan 50

Switch 4
configure terminal
interface range fa0/23-24
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 50
Please be reminded that the current answer (in the top section) is 84% correct. If you have a complete config that has been tested to be 100%, please let us know by commenting below or emailing [email protected]. Thank you.
22 thoughts on “CCNA Security 2.0 PT Practice SA – Part 1”

February 18, 2016 at 6:49 PM
The ACL 12 and then activating it is not so difficult (100% sure – confirmed)
access-list 12 permit host 172.16.25.5
line vty 0 15
access-class 12 in
exit
Also you have to configure login local before you activate aaa (pretty sure)
line vty 0 15
login local
line con 0
login local
exit
DAFRELUF says:
February 18, 2016 at 6:51 PM
I just saw that the second part is done in the config.. don’t know what’s wrong :’D
InviAlgo says:
March 6, 2016 at 9:12 AM
Yes. Our friend Steam got 90%.
Steam says:
February 19, 2016 at 10:36 PM
For Internal Config is continuing with:
interface Gi0/0
ip ips corpips out
exit
(config)#ip ips signature-definition
(config-sigdef)# signature 2004 0
(config-sigdef-sig)# status
(config-sigdef-sig-status)# retired false
(config-sigdef-sig-status)# enable true
(config-sigdef-sig-status)# exit
(config-sigdef-sig)# engine
(config-sigdef-sig-engine)# event-action produce-alert
(config-sigdef-sig-engine)# event-action deny-packet-inline
(config-sigdef-sig-engine)# exit
(config-sigdef-sig)# exit
(config-sigdef)# exit
(config)# exit
My score was 90.0%. Thanks invialgo.com for all.
InviAlgo says:
March 6, 2016 at 9:12 AM
You’re welcome. I’m happy for you.
dagafd says:
March 23, 2016 at 9:39 AM
Thanks for all the notes and comments. I got a 100% using the commands provided, using STEAM and DAFRELUF notes.
InviAlgo says:
April 10, 2016 at 1:34 PM
Thanks for the info Dagafd.
benito camela says:
March 29, 2016 at 3:25 AM
If you want to score a 100%, you must put one single line authentication aaa (first line):
aaa authentication login default group radius local –> good
aaa authentication login default local –> bad, because if you put both lines you delete the first line, that is the correct option.
100% proved
April 10, 2016 at 1:36 PM
Just asking as not sure, will this be the final graded exam we get? Or is this only a practice exam in which the marks don’t count towards anything?

May 6, 2016 at 11:30 PM
Can you please type the entire Radius config? 209.165.200.252 is not a host address, it is the /30 network between CORP and INTERNAL. On the radius host command we need to specify the AAA Radius server address which seems to be 172.16.25.2, right?
Gravity says:
June 6, 2016 at 6:40 PM
Yes it should be radius-server host 172.16.25.2. It’s working when you try to log in (y)
ciscoman says:
May 3, 2016 at 9:16 PM
I follow the configuration posted but I constantly get a 92% due to the following:
1. *radius server line on Internal seems incorrect. Do we really need to config the “authentication” line? What else might be wrong?
2. *Switch 4 does not accept the “switchport nonegotiate” line (all is ok with Switch 1). It returns an error: Command rejected: Conflict between ‘nonegotiate’ and ‘dynamic’ status.
Any ideas folks?
julio cesar quintero quevedo says:
July 17, 2016 at 6:14 AM
Because the port is in dynamic or trunking mode and cannot allow nonegotiate mode. First you need to change the ports to mode access and later use mode nonegotiate, and your router will accept the command.
bebe_teo says:
February 15, 2017 at 9:50 PM
Radius server has the address 172.16.25.2 (AAA/NTP/Syslog Svr). Before the command “switchport nonegotiate” you must introduce the command “switchport mode access”.
Kashif Javeed says:
May 6, 2016 at 4:02 AM
Network:Internal:RADIUS Client:RADIUS Server Hosts:0 Error. Please help.
Kashif Javeed says:
May 6, 2016 at 4:05 AM
AAA Authentication command, please send.
viv says:
May 18, 2016 at 9:03 PM
Please, where can we download the pt file for part 1 and 2?
lisa says:
August 5, 2016 at 7:57 PM
Hi, is it possible to get the pka of this?
Alexander R Fernandez says:
March 4, 2017 at 11:38 AM
I made the changes and got 95%. I removed this line, aaa authentication login default local, and I added other lines below. I got this:
AAA Authentication 0 5
Network:Internal:Console Line:AAA Method List Name Correct
Network:Internal:VTY Lines:0:AAA Method List Name Correct
Network:Internal:AAA:Authentication:1 Correct
Network:Internal:AAA:New-model Correct
Network:Internal:RADIUS Client:RADIUS Server Hosts:0 Incorrect

March 4, 2017 at 1:55 PM
This one works. I got 100%

Router CORP
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
zone security CORP-INSIDE
exit
zone security INTERNET
exit
class-map type inspect match-any INSIDE_PROTOCOLS
match protocol http
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
exit
policy-map type inspect INSIDE_TO_INTERNET
class type inspect INSIDE_PROTOCOLS
inspect
exit
exit
class-map type inspect match-any DMZ_WEB
match protocol http
match protocol dns
exit
policy-map type inspect INTERNET_TO_DMZWEB
class type inspect DMZ_WEB
pass
exit
exit
zone-pair security IN_TO_OUT_ZONE source CORP-INSIDE destination INTERNET
service-policy type inspect INSIDE_TO_INTERNET
exit
zone-pair security INTERNET_TO_DMZ_ZONE source INTERNET destination CORP-INSIDE
service-policy type inspect INTERNET_TO_DMZWEB
exit
interface serial0/0/0
zone-member security INTERNET
exit
interface serial0/0/1
zone-member security CORP-INSIDE
exit

Router INTERNAL
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
login on-failure log
login on-success log
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
ntp server 172.16.25.2 key 0
ntp update-calendar
service timestamps log datetime msec
logging host 172.16.25.2
ip domain-name theccnas.com
crypto key generate rsa 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
aaa new-model
Radius-server host 172.16.25.2 key corpradius
aaa authentication login default group radius local
aaa authorization exec default local
line vty 0 4
login authentication default
line vty 5 15
login authentication default
line con 0
login authentication default
exit
access-list 12 permit host 172.16.25.5
line vty 0 15
access-class 12 in
exit
ip ips config location flash:
ip ips name corpips
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
interface Gi0/0
ip ips corpips out
exit
ip ips signature-definition
signature 2004 0
status
retired false
enable true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit
exit
exit
exit

Switch 1
configure terminal
interface range fastEthernet0/1-22
spanning-tree portfast
spanning-tree bpduguard enable
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security maximum 2
exit
interface range fastethernet 0/2-4
shutdown
interface range fastethernet 0/6-10
shutdown
interface range fastethernet 0/13-22
shutdown
exit
interface range fa0/23-24
switchport nonegotiate
switchport trunk native vlan 50

Switch 4
configure terminal
interface range fa0/23-24
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 50