Configure a reflexive access list on R6 and apply it to the R6-a3/0 internal interface, allowing BGP and any other interesting traffic.
Assume a server with the IP address 160.10.33.1 is on VLAN_33. Configure R3 to intercept all TCP traffic to this server. Also, configure R3 to drop random connections.
Configure Sw1-fa0/17 to allow only the host MAC address 0010.DE48.2223 to access the switch through this interface. If a security violation occurs, force the interface to go into restrict mode.
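
One possible configuration for the R3 and Sw1 tasks above, given as an added example and not as the lab's own answer key. The ACL number 133 and the static access mode on the switch port are assumptions; the R6 task is left out because it depends on topology details this page does not give.

```cisco
! --- R3: TCP intercept for the server on VLAN_33 ---
! ACL 133 (number chosen for this example) selects the TCP traffic to protect
access-list 133 permit tcp any host 160.10.33.1
!
! Enable TCP intercept for connections matching ACL 133
ip tcp intercept list 133
! Intercept mode (the default, stated explicitly): R3 answers the client's SYN
! itself and opens the server-side connection only after the handshake completes
ip tcp intercept mode intercept
! Under aggressive mode, drop a random half-open connection
! instead of the oldest one (the default drop mode)
ip tcp intercept drop-mode random
!
! --- Sw1: port security on FastEthernet0/17 ---
interface FastEthernet0/17
 ! Port security cannot be enabled on a dynamic port
 ! (assumption: this is an access port)
 switchport mode access
 switchport port-security
 ! One secure address only (the default, stated explicitly)
 switchport port-security maximum 1
 switchport port-security mac-address 0010.de48.2223
 ! restrict: frames from any other source MAC are dropped and the
 ! violation counter increments, but the port stays up
 switchport port-security violation restrict
!
! --- Verification (exec mode) ---
! R3#  show tcp intercept connections
! R3#  show tcp intercept statistics
! Sw1# show port-security interface FastEthernet0/17
! Sw1# show port-security address
```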