CCNA Security 2.0 PT Practice SA Part 1

The CCNA Security 2.0 PT Practice SA Part 1 questions and answers are revealed in this post. Hopefully this
helps you pass the CCNA Security 2.0 Packet Tracer Practice SA Part 1 successfully. However, our
current answer is only 84% correct. If you have a complete 100% answer, please comment below or email
me.

CCNA Security 2.0 PT Practice SA Part 1


A few things to keep in mind while completing this activity:

1. Do not use the browser Back button or close or reload any exam windows during the exam.

2. Do not close Packet Tracer when you are done. It will close automatically.

3. Click the Submit Assessment button to submit your work.

Introduction
In this practice Packet Tracer Skills Based Assessment, you will:

configure basic device hardening and secure network management

configure port security and disable unused switch ports

configure an IOS IPS

configure a Zone-based Policy Firewall (ZPF) to implement security policies

Addressing Table

Device              Interface  IP Address       Subnet Mask      Gateway         DNS server
Internet            S0/0/0     209.165.200.225  255.255.255.252  n/a
Internet            S0/0/1     192.31.7.1       255.255.255.252  n/a
Internet            G0/0       192.135.250.1    255.255.255.0    n/a
Public Svr          NIC        192.135.250.5    255.255.255.0    192.135.250.1
External            S0/0/0     192.31.7.2       255.255.255.252  n/a
External            G0/0       192.31.7.62      255.255.255.224  n/a
External Web Svr    NIC        192.31.7.35      255.255.255.224  192.31.7.62     192.135.250.5
External User       NIC        192.31.7.33      255.255.255.224  192.31.7.62     192.135.250.5
CORP                S0/0/0     209.165.200.226  255.255.255.252  n/a
CORP                S0/0/1     209.165.200.254  255.255.255.252  n/a
Internal            S0/0/1     209.165.200.253  255.255.255.252  n/a
Internal            G0/0       10.1.1.254       255.255.255.0    n/a
Internal            G0/1.10    172.16.10.254    255.255.255.0    n/a
Internal            G0/1.25    172.16.25.254    255.255.255.0    n/a
Internal            G0/1.99    172.16.99.1      255.255.255.0    n/a
DMZ DNS Svr         NIC        10.1.1.5         255.255.255.0    10.1.1.254      192.135.250.5
DMZ Web Svr         NIC        10.1.1.2         255.255.255.0    10.1.1.254      10.1.1.5
PC0                 NIC        172.16.10.5      255.255.255.0    172.16.10.254   10.1.1.5
PC1                 NIC        172.16.10.10     255.255.255.0    172.16.10.254   10.1.1.5
AAA/NTP/Syslog Svr  NIC        172.16.25.2      255.255.255.0    172.16.25.254   10.1.1.5
PC2                 NIC        172.16.10.15     255.255.255.0    172.16.10.254   10.1.1.5
Net Admin           NIC        172.16.25.5      255.255.255.0    172.16.25.254   10.1.1.5

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been
properly implemented.

Step 1: Configure Basic Device Hardening for the CORP and the Internal Routers.

a. Configure the CORP and the Internal routers to only accept passwords with a minimum length of 10 characters.

b. Configure an encrypted privileged level password of ciscoclass.

c. Enable password encryption for all clear text passwords in the configuration file.

d. Configure the console port and all vty lines with the following requirements. Note: Both the CORP and
the Internal routers are already configured with the username CORPADMIN and password Ciscoccnas.

o Use the local database for login.

o Disconnect after being idle for 20 minutes.

e. Disable the CDP protocol on the CORP router on the link to the Internet router.

Step 2: Configure Secure Network Management for the CORP Router.

a. Configure the IOS login enhancement for all vty lines with the following requirements:

Disable logins for 30 seconds after 3 failed login attempts within 60 seconds.

Step 3: Configure Secure Network Management for the Internal Router.

a. Configure the Internal router:

o as an NTP client to the AAA/NTP/Syslog server

o to update the router calendar (hardware clock) from the NTP time source

o to timestamp log messages

o to send logging messages to the AAA/NTP/Syslog server

b. Configure the IOS login enhancement for all vty lines with the following requirements:

o Disable logins for 30 seconds after 3 failed login attempts within 60 seconds.

o Log any failed or successful login to the syslog server.

c. Configure the Internal router to accept SSH connections. Use the following guidelines. Note: Internal is
already configured with the username SSHAccess and the secret password ciscosshaccess.

o The domain name is theccnas.com.

o RSA encryption key pair using a modulus of 1024

o SSH version 2, timeout of 90 seconds, and 2 authentication retries

o All vty lines accept only SSH connections.

d. Configure the Internal router with server-based AAA authentication and verify its functionality. Note: The
AAA server is already configured with RADIUS service, a username CORPSYS, and the
password LetSysIn.

o The key to connect to the RADIUS server is corpradius.

o AAA authentication uses the RADIUS server as the default for console line and vty lines access.

o The local database is used as the backup if the RADIUS server connection cannot be established.

Step 4: Configure ACLs on the Internal Router to Implement Secure Management Access.

a. Create ACL 12 to implement the security policy regarding the access to the vty lines:

Only users logged on to the Net Admin PC are allowed access to the vty lines.

Step 5: Configure Device Hardening for Switch1 and Switch4

a. Access Switch1 and Switch4 with username CORPADMIN, password Ciscoccnas, and the enable secret
password of ciscoclass.

b. Configure Switch1 to protect against STP attacks.

o Configure PortFast on FastEthernet ports 0/1 to 0/22.

o Enable BPDU guard on FastEthernet ports 0/1 to 0/22.

c. Configure Switch1 port security and disable unused ports.

o Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/22. Allow
the MAC address to be learned dynamically and to be retained in the running-config. Shut down
the port if a violation occurs.

o Disable unused ports (Fa0/2-4, Fa0/6-10, Fa0/13-22).

d. Configure the trunk link on Fa0/23 and Fa0/24 on both Switch1 and Switch4

o Disable DTP negotiation on the trunking ports.

o Set the native VLAN as VLAN 50 for the trunk links.

Step 6: Configure an IOS IPS on the Internal Router.

a. On the Internal router, if asked to log in, log in as CORPSYS with password LetSysIn. The enable
secret password is ciscoclass.

b. Use the IPS signature storage location at flash:.

c. Create an IPS rule named corpips.

d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire
the ios_ips basic category.

e. Apply the IPS rule to the Gi0/0 interface in the out direction.

f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004,
subsig 0); enable the signature; modify the signature event-action to produce an alert and deny packets
that match the signature.

g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr. DMZ
Web Svr, however, can ping Net Admin.

Step 7: Configure ZPF on the CORP Router.

a. Access the CORP router with username CORPADMIN, password Ciscoccnas, and the enable secret
password of ciscoclass.

b. Create the firewall zones.

o Create an internal zone named CORP-INSIDE.

o Create an external zone named INTERNET.

c. Define a traffic class to allow traffic from the Internal network to access services in the Internet.

o Create a class map using the option of class map type inspect with the match-any keyword.
Name the class map INSIDE_PROTOCOLS.

o Match the protocols http, tcp, udp, icmp and dns (please note, the order of the match statements is
significant only because of the scoring needs in Packet Tracer).

d. Specify firewall policies to allow internal hosts to access Internet.

o Create a policy map named INSIDE_TO_INTERNET.

o Use the INSIDE_PROTOCOLS class map.

o Specify the action of inspect for this policy map.

e. Define a traffic class to allow traffic from the Internet to access services in the DMZ network.

o Create a class map using the option of class map type inspect with the match-any keyword.
Name the class map DMZ_WEB.

o Match the protocols http and dns (please note, the order of the match statements is significant
only because of the scoring needs in Packet Tracer).

f. Specify firewall policy to allow Internet traffic to access DMZ services.

o Create a policy map named INTERNET_TO_DMZWEB.

o Use the DMZ_WEB class map.

o Specify the action of pass for this policy map.

g. Apply the firewall.

o Create a pair of zones named IN_TO_OUT_ZONE with the source as CORP-INSIDE and
destination as INTERNET.

o Specify the policy map INSIDE_TO_INTERNET for handling the traffic between the two
zones.

o Create a pair of zones named INTERNET_TO_DMZ_ZONE with the source as INTERNET and
destination as CORP-INSIDE.

o Assign interfaces to the appropriate security zones.

h. Verify the ZPF configuration.

o The External user can access the URLs http://www.theccnas.com and http://www.externalone.com.

o The External user cannot ping the DMZ Web Svr.

o The PCs in the internal network can ping and access the External Web Svr URL.

**** End Of Question ****


Router CORP:

security passwords min-length 10
enable secret ciscoclass
service password-encryption
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
zone security CORP-INSIDE
exit
zone security INTERNET
exit
class-map type inspect match-any INSIDE_PROTOCOLS
match protocol http
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
exit
policy-map type inspect INSIDE_TO_INTERNET
class type inspect INSIDE_PROTOCOLS
inspect
exit
exit
class-map type inspect match-any DMZ_WEB
match protocol http
match protocol dns
exit
policy-map type inspect INTERNET_TO_DMZWEB
class type inspect DMZ_WEB
pass
exit
exit
zone-pair security IN_TO_OUT_ZONE source CORP-INSIDE destination INTERNET
service-policy type inspect INSIDE_TO_INTERNET
exit
zone-pair security INTERNET_TO_DMZ_ZONE source INTERNET destination CORP-INSIDE
service-policy type inspect INTERNET_TO_DMZWEB
exit
interface serial0/0/0
zone-member security INTERNET
exit
interface serial0/0/1
zone-member security CORP-INSIDE
exit
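One way to reason about the CORP ZPF policy without opening Packet Tracer: the Python below is an added model (not from the original post) of how the zone-pairs, class-maps and policy-maps above decide inspect, pass or drop, and it reproduces the Step 7h checks. Zone, class and policy names are the page's; the inspect/pass semantics are simplified as stated in the docstring.

```python
"""Model of the CORP router's Zone-Based Policy Firewall decisions for Step 7.

Added example, not part of the original post. Assumptions: 'inspect' is
stateful (reply traffic of an allowed flow is permitted automatically),
'pass' is stateless (the reply must be allowed by the reverse zone-pair on
its own), and traffic between two zones with no zone-pair is dropped. The
self zone and intra-zone traffic are not modelled. Zone, class-map,
policy-map and zone-pair definitions are transcribed from the page."""

# interface -> zone, as set with `zone-member security` on CORP
ZONE_MEMBER = {"Serial0/0/0": "INTERNET", "Serial0/0/1": "CORP-INSIDE"}

# class-map type inspect match-any <name> / match protocol ...
CLASS_MAPS = {
    "INSIDE_PROTOCOLS": {"http", "tcp", "udp", "icmp", "dns"},
    "DMZ_WEB": {"http", "dns"},
}

# policy-map type inspect <name>: ordered (class, action); class-default drops
POLICY_MAPS = {
    "INSIDE_TO_INTERNET": [("INSIDE_PROTOCOLS", "inspect")],
    "INTERNET_TO_DMZWEB": [("DMZ_WEB", "pass")],
}

# zone-pair security <name> source <src> destination <dst> / service-policy
ZONE_PAIRS = {
    ("CORP-INSIDE", "INTERNET"): "INSIDE_TO_INTERNET",
    ("INTERNET", "CORP-INSIDE"): "INTERNET_TO_DMZWEB",
}

# Transport each application protocol rides on (modelling assumption): a
# `match protocol tcp` statement also matches HTTP, because HTTP is TCP.
TRANSPORT = {"http": "tcp", "dns": "udp", "ssh": "tcp", "icmp": "icmp"}


def class_matches(protocol, class_name):
    """match-any semantics: any one match statement is enough."""
    protos = CLASS_MAPS[class_name]
    return protocol in protos or TRANSPORT.get(protocol) in protos


def one_way(src_zone, dst_zone, protocol):
    """Action applied to a packet in one direction: inspect, pass or drop."""
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return "drop"  # no zone-pair between the zones: default deny
    for class_name, action in POLICY_MAPS[policy]:
        if class_matches(protocol, class_name):
            return action
    return "drop"  # class-default of a type inspect policy-map


def flow_allowed(src_if, dst_if, protocol):
    """Does a client on src_if complete an exchange with a server on dst_if?"""
    src_zone, dst_zone = ZONE_MEMBER[src_if], ZONE_MEMBER[dst_if]
    forward = one_way(src_zone, dst_zone, protocol)
    if forward == "drop":
        return False
    if forward == "inspect":
        return True  # stateful: the reply is matched to the session
    # 'pass' keeps no state, so the reply direction is evaluated on its own
    return one_way(dst_zone, src_zone, protocol) != "drop"


if __name__ == "__main__":
    # The Step 7h checks: External user sits behind S0/0/0, DMZ behind S0/0/1
    checks = [
        ("External user -> DMZ Web Svr, http", "Serial0/0/0", "Serial0/0/1", "http"),
        ("External user -> DMZ Web Svr, ping", "Serial0/0/0", "Serial0/0/1", "icmp"),
        ("Internal PC -> External Web Svr, ping", "Serial0/0/1", "Serial0/0/0", "icmp"),
        ("Internal PC -> External Web Svr, http", "Serial0/0/1", "Serial0/0/0", "http"),
    ]
    for label, src, dst, proto in checks:
        print(f"{label}: {'allowed' if flow_allowed(src, dst, proto) else 'blocked'}")
```

The point the model makes visible is that pass keeps no state: the DMZ web reply only gets back out because INSIDE_PROTOCOLS matches tcp on the reverse zone-pair, while anything other than http and dns from the Internet (ping, ssh) hits class-default and is dropped.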
Router Internal:

security passwords min-length 10
enable secret ciscoclass
service password-encryption
login on-failure log
login on-success log
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
ntp server 172.16.25.2 key 0
ntp update-calendar
service timestamps log datetime msec
logging host 172.16.25.2
ip domain-name theccnas.com
crypto key generate rsa
1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
aaa new-model
Radius-server host 209.165.200.252 key corpradius
aaa authentication login default group radius local
aaa authentication login default local
aaa authorization exec default local
line vty 0 4
login authentication default
line vty 0 15
login authentication default
line con 0
login authentication default
exit
ip ips config location flash:
ip ips name corpips
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
interface Gig0/0
// Press ENTER
Switch1:

interface range fastEthernet0/1-22
spanning-tree portfast
spanning-tree bpduguard enable
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security maximum 2
exit
interface range fastethernet 0/2-4
shutdown
interface range fastethernet 0/6-10
shutdown
interface range fastethernet 0/13-22
shutdown
exit
interface range fa0/23-24
switchport nonegotiate
switchport trunk native vlan 50
Switch4:

interface range fa0/23-24
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 50

Remaining items, still marked incorrect in the score report:

Network:Internal:AAA:Authentication:1

Network:Internal:RADIUS Client:RADIUS Server Hosts:0

Network:Internal:VTY Lines:0:Access Class In

Network:Internal:ACL:12

Network:Internal:IPS:Signature:Retired

Network:Internal:IPS:Signature:Icmp Signature Id

Network:Internal:IPS:Signature:Icmp Sub Id

Update from commenters for 100%


access-list 12 permit host 172.16.25.5
line vty 0 15
access-class 12 in
exit

The Internal router config continues with:


interface Gi0/0
ip ips corpips out
exit
(config)#ip ips signature-definition
(config-sigdef)# signature 2004 0
(config-sigdef-sig)# status
(config-sigdef-sig-status)# retired false
(config-sigdef-sig-status)# enable true
(config-sigdef-sig-status)# exit
(config-sigdef-sig)# engine
(config-sigdef-sig-engine)# event-action produce-alert
(config-sigdef-sig-engine)# event-action deny-packet-inline
(config-sigdef-sig-engine)# exit
(config-sigdef-sig)# exit
(config-sigdef)# exit
(config)# exit

If you want to score 100%, you must put a single aaa authentication line (the first line):

aaa authentication login default group radius local > good

aaa authentication login default local > bad, because if you put both lines you delete the first line, which
is the correct option.
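The two `aaa authentication login default` lines and the RADIUS host address are the two points the comments keep returning to. The Python below is an added example (not from the post) that replays those lines the way IOS applies them: a re-entered method list replaces the earlier one, so the 84% answer ends up authenticating with `local` only. The AAA server address and the CORP-Internal /30 come from the addressing table; the two sample configs are constructed from the page's two Internal router answers.

```python
"""Replay the AAA and RADIUS lines of an IOS config the way the router
applies them. Added example, not part of the original post.

Modelled behaviour: re-entering `aaa authentication login <list> ...`
replaces that method list rather than appending to it, so the second
`default` line in the 84% answer silently drops RADIUS. The AAA server
address (172.16.25.2) and the CORP-Internal link (209.165.200.252/30) are
taken from the page's addressing table; the sample configs are constructed
from the page's two Internal router answers."""

import ipaddress
import re

AAA_LOGIN_RE = re.compile(r"^\s*aaa authentication login (\S+)\s+(.+?)\s*$")
RADIUS_HOST_RE = re.compile(r"^\s*radius-server host (\S+)", re.IGNORECASE)


def effective_login_lists(config):
    """Return {list_name: [methods]} after replaying the config top to bottom.
    The last definition of a list wins, exactly as on the router."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LOGIN_RE.match(line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def radius_actually_used(config):
    """True only if the effective default login list still contains RADIUS."""
    return "radius" in effective_login_lists(config).get("default", [])


def radius_host_findings(config, aaa_server, link_prefixes):
    """Flag radius-server host entries that cannot be the AAA server: the
    network or broadcast address of a known point-to-point link, or any
    address other than the server's."""
    findings = []
    for line in config.splitlines():
        m = RADIUS_HOST_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        for prefix in link_prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in (net.network_address, net.broadcast_address):
                findings.append(f"{addr} is not a host address in {net}")
        if addr != ipaddress.ip_address(aaa_server):
            findings.append(f"{addr} is not the AAA server {aaa_server}")
    return findings


# Constructed from the 84% Internal answer: both aaa lines, link address.
CONFIG_84 = """\
aaa new-model
Radius-server host 209.165.200.252 key corpradius
aaa authentication login default group radius local
aaa authentication login default local
aaa authorization exec default local
"""

# Constructed from the corrected answer in the comments.
CONFIG_100 = """\
aaa new-model
Radius-server host 172.16.25.2 key corpradius
aaa authentication login default group radius local
aaa authorization exec default local
"""

AAA_SERVER = "172.16.25.2"
LINKS = ["209.165.200.252/30"]

if __name__ == "__main__":
    for name, cfg in (("84% answer", CONFIG_84), ("100% answer", CONFIG_100)):
        print(name, "default ->", effective_login_lists(cfg).get("default"))
        for finding in radius_host_findings(cfg, AAA_SERVER, LINKS):
            print("  ", finding)
```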

The config below, contributed by Alexander R Fernandez, is claimed to be 100%. Please test it out.

Router CORP
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
zone security CORP-INSIDE
exit
zone security INTERNET
exit
class-map type inspect match-any INSIDE_PROTOCOLS
match protocol http
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
exit
policy-map type inspect INSIDE_TO_INTERNET
class type inspect INSIDE_PROTOCOLS
inspect
exit
exit
class-map type inspect match-any DMZ_WEB
match protocol http
match protocol dns
exit
policy-map type inspect INTERNET_TO_DMZWEB
class type inspect DMZ_WEB
pass
exit
exit
zone-pair security IN_TO_OUT_ZONE source CORP-INSIDE destination INTERNET
service-policy type inspect INSIDE_TO_INTERNET
exit
zone-pair security INTERNET_TO_DMZ_ZONE source INTERNET destination CORP-INSIDE
service-policy type inspect INTERNET_TO_DMZWEB
exit
interface serial0/0/0
zone-member security INTERNET
exit
interface serial0/0/1
zone-member security CORP-INSIDE
exit

Router INTERNAL
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
login on-failure log
login on-success log
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
ntp server 172.16.25.2 key 0
ntp update-calendar
service timestamps log datetime msec
logging host 172.16.25.2
ip domain-name theccnas.com
crypto key generate rsa

1024

ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
aaa new-model
Radius-server host 172.16.25.2 key corpradius
aaa authentication login default group radius local
aaa authorization exec default local
line vty 0 4
login authentication default
line vty 5 15
login authentication default
line con 0
login authentication default
exit
access-list 12 permit host 172.16.25.5
line vty 0 15
access-class 12 in
exit
ip ips config location flash:
ip ips name corpips
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
interface Gi0/0
ip ips corpips out
exit
ip ips signature-definition
signature 2004 0
status
retired false
enable true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit
exit
exit
exit

Switch 1
configure terminal
interface range fastEthernet0/1-22
spanning-tree portfast
spanning-tree bpduguard enable
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security maximum 2
exit
interface range fastethernet 0/2-4
shutdown
interface range fastethernet 0/6-10
shutdown
interface range fastethernet 0/13-22
shutdown
exit
interface range fa0/23-24
switchport nonegotiate
switchport trunk native vlan 50

Switch 4
configure terminal
interface range fa0/23-24
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 50

Please be reminded that the current answer (in the top section earlier) is 84% correct. If you have a complete config
that is tested to be 100%, please let us know. Drop a comment below or email admin@invialgo.com. Thank
you.


22 thoughts on CCNA Security 2.0 PT Practice SA Part 1


February 18, 2016 at 6:49 PM

The ACL 12 and then activating it is not so difficult (100% sure confirmed)

access-list 12 permit host 172.16.25.5


line vty 0 15
access-class 12 in
exit

Also you have to configure login local before you activate aaa (pretty sure)

line vty 0 15
login local
line con 0
login local
exit

Reply
1. DAFRELUF says:

February 18, 2016 at 6:51 PM

I just saw that the second part is done in the config... don't know what's wrong :D

Reply

1. InviAlgo says:

March 6, 2016 at 9:12 AM

Yes. Our friend Steam got 90%.

Reply

2. Steam says:

February 19, 2016 at 10:36 PM

For Internal Config is continuing with:


interface Gi0/0
ip ips corpips out
exit
(config)#ip ips signature-definition
(config-sigdef)# signature 2004 0
(config-sigdef-sig)# status
(config-sigdef-sig-status)# retired false
(config-sigdef-sig-status)# enable true
(config-sigdef-sig-status)# exit
(config-sigdef-sig)# engine
(config-sigdef-sig-engine)# event-action produce-alert
(config-sigdef-sig-engine)# event-action deny-packet-inline
(config-sigdef-sig-engine)# exit
(config-sigdef-sig)# exit
(config-sigdef)# exit
(config)# exit

My score was 90.0%. Thanks invialgo.com for all.

Reply

1. InviAlgo says:

March 6, 2016 at 9:12 AM

You're welcome. I'm happy for you.

Reply
3. dagafd says:

March 23, 2016 at 9:39 AM

Thanks for all the notes and comments. I got a 100% using the commands provided, using STEAM, and
DAFRELUF notes.

Reply

1. InviAlgo says:

April 10, 2016 at 1:34 PM

Thanks for the info Dagafd.

Reply

4. benito camela says:

March 29, 2016 at 3:25 AM

If you want to score a 100%, you must put one single line authentication aaa (first line) :

aaa authentication login default group radius local > good

aaa authentication login default local > bad, because if you put both lines you delete the first
line, that is the correct option.

100% proved

April 10, 2016 at 1:36 PM

Just asking as not sure, will this be the final graded exam we get? Or is this only a
practice exam in which the marks don't count towards anything?

Reply

May 6, 2016 at 11:30 PM

Can you please type the entire Radius config?

209.165.200.252 is not a host address, it is the /30 network between CORP and INTERNAL.
On the radius host command we need to specify the AAA Radius server address which seems to
be 172.16.25.2, right?

Reply

1. Gravity says:
June 6, 2016 at 6:40 PM

Yes it should be radius-server host 172.16.25.2.


It's working when you try to log in (y)

Reply

5. ciscoman says:

May 3, 2016 at 9:16 PM

I followed the configuration posted but I constantly get 92% due to the following:

1. *radius server line on Internal seems incorrect


Do we really need to config the authentication line?
What else might be wrong?
2. *Switch 4 does not accept the switchport nonegotiate line (all is ok with Switch 1)
It returns an error: Command rejected: Conflict between nonegotiate and dynamic status.

Any ideas folks?

Reply

1. julio cesar quintero quevedo says:

July 17, 2016 at 6:14 AM

Because the port is in dynamic or trunking mode and cannot allow nonegotiate mode.

First you need to change the ports to mode access and later use mode nonegotiate and your router
will accept the command.

Reply

2. bebe_teo says:

February 15, 2017 at 9:50 PM

Radius server has the address 172.16.25.2 (AAA/NTP/Syslog Svr).


Before the command switchport nonegotiate, you must introduce the command switchport mode
access.

Reply

6. Kashif Javeed says:

May 6, 2016 at 4:02 AM

Network:Internal:RADIUS Client:RADIUS Server Hosts:0

Error Please Help


Reply

7. Kashif Javeed says:

May 6, 2016 at 4:05 AM

AAA Authentication
Command Please Send

Reply

8. viv says:

May 18, 2016 at 9:03 PM

please where can we download the pt file for part 1 and 2

Reply

9. lisa says:

August 5, 2016 at 7:57 PM

Hi, is it possible to get the pka of this?

Reply

10. Alexander R Fernandez says:

March 4, 2017 at 11:38 AM

I made the changes and got 95%.

I removed this line,

aaa authentication login default local

and I added other lines below.

I got this:

AAA Authentication 0 5
Network:Internal:Console Line:AAA Method List Name Correct
Network:Internal:VTY Lines:0:AAA Method List Name Correct
Network:Internal:AAA:Authentication:1 Correct
Network:Internal:AAA:New-model Correct
Network:Internal:RADIUS Client:RADIUS Server Hosts:0 Incorrect

Reply

March 4, 2017 at 1:55 PM


This one works. I got 100%

Router CORP
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
zone security CORP-INSIDE
exit
zone security INTERNET
exit
class-map type inspect match-any INSIDE_PROTOCOLS
match protocol http
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
exit
policy-map type inspect INSIDE_TO_INTERNET
class type inspect INSIDE_PROTOCOLS
inspect
exit
exit
class-map type inspect match-any DMZ_WEB
match protocol http
match protocol dns
exit
policy-map type inspect INTERNET_TO_DMZWEB
class type inspect DMZ_WEB
pass
exit
exit
zone-pair security IN_TO_OUT_ZONE source CORP-INSIDE destination INTERNET
service-policy type inspect INSIDE_TO_INTERNET
exit
zone-pair security INTERNET_TO_DMZ_ZONE source INTERNET destination CORP-INSIDE
service-policy type inspect INTERNET_TO_DMZWEB
exit
interface serial0/0/0
zone-member security INTERNET
exit
interface serial0/0/1
zone-member security CORP-INSIDE
exit

Router INTERNAL
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
login on-failure log
login on-success log
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface serial0/0/0
no cdp enable
login block-for 30 attempts 3 within 60
ntp server 172.16.25.2 key 0
ntp update-calendar
service timestamps log datetime msec
logging host 172.16.25.2
ip domain-name theccnas.com
crypto key generate rsa

1024

ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
aaa new-model
Radius-server host 172.16.25.2 key corpradius
aaa authentication login default group radius local
aaa authorization exec default local
line vty 0 4
login authentication default
line vty 5 15
login authentication default
line con 0
login authentication default
exit
access-list 12 permit host 172.16.25.5
line vty 0 15
access-class 12 in
exit
ip ips config location flash:
ip ips name corpips
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
interface Gi0/0
ip ips corpips out
exit
ip ips signature-definition
signature 2004 0
status
retired false
enable true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit
exit
exit
exit

Switch 1
configure terminal
interface range fastEthernet0/1-22
spanning-tree portfast
spanning-tree bpduguard enable
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security maximum 2
exit
interface range fastethernet 0/2-4
shutdown
interface range fastethernet 0/6-10
shutdown
interface range fastethernet 0/13-22
shutdown
exit
interface range fa0/23-24
switchport nonegotiate
switchport trunk native vlan 50

Switch 4
configure terminal
interface range fa0/23-24
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 50
