Browse previously published labs by topic, track, and difficulty. Open any lab to read its objectives and troubleshooting focus. A subscription lets you download and run every daily lab published since you subscribed — the current one and each new drop — while it's active; earlier labs unlock permanently with a bundle.
Prefer to browse by theme? See all practice topics or certification tracks.
Build and verify a compact, enterprise-clean multi-area OSPF network with an ABR. Configure area 0 and a non-backbone area, advertise loopbacks and LANs, enforce OSPF hygiene (passive LANs, explicit router-ids), and verify O IA inter-area routes from the endpoints.
+3 more objectives · 3 troubleshooting scenarios
Archive preview only
Build a 5-node triangle OSPF topology with a branch and a data center connected by two paths: a direct link and an indirect path via a core router. Implement OSPFv2 with clean hygiene (router-ids, passive on LANs), then influence path selection by adjusting interface cost so branch-to-DC traffic prefers the core path. Verify the chosen path from the end hosts using traceroute and confirm symmetric routing by validating the reverse path.
+3 more objectives · 3 troubleshooting scenarios
Archive preview only
Three IOS routers share a true broadcast multi-access segment through a Layer-2 switch. You will deploy OSPFv2, influence the DR/BDR election using interface priorities, and verify full adjacencies to the DR. An alpine client behind RTR-HQ-R3 must reach loopbacks on RTR-HQ-R1 and RTR-HQ-R2 via OSPF-learned routes. The lab emphasizes proper multi-access deployment hygiene (router-ids, passive default, interface selection) and realistic verification from the end host.
+2 more objectives · 3 troubleshooting scenarios
Archive preview only
Build a two-router OSPFv2 lab, assign deterministic router-ids using loopbacks, form a clean adjacency from Down through Exchange to FULL, and verify neighbor state and router-ids. End-to-end reachability is validated from real hosts across an enterprise-clean topology.
+3 more objectives · 3 troubleshooting scenarios
Archive preview only
Bring up OSPFv2 adjacency between two branch routers over a point-to-point /30, advertise each site’s user LAN and router loopback in area 0, and verify end-to-end pings succeed from the hosts. The baseline ships with addressing and SSH management ready; you will enable and tune OSPF only.
+2 more objectives · 3 troubleshooting scenarios
Archive preview only
Harden Cisco IOS edge interfaces by disabling CDP/LLDP toward untrusted endpoints while keeping discovery active on trusted infrastructure links. Routers share a management LAN with a server and form a direct router-to-router adjacency for CDP/LLDP. The learner enables discovery globally, selectively suppresses it on the client-facing edge, and verifies the outcome with show commands.
+3 more objectives · 4 troubleshooting scenarios
Advanced CCNP Layer-2 security troubleshooting on a single access switch. Diagnose and correct an inverted trust boundary that breaks DHCP and ARP validation: DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled for VLAN 10, but the uplink is not trusted for DHCP and a host port is incorrectly trusted for ARP. Use show commands to find the issues, fix the trust boundary, and restore client connectivity without changing router/host configs.
+2 more objectives · 3 troubleshooting scenarios
Harden the campus access edge by capping broadcast traffic per-port with storm control. In this lab you will apply a broadcast ceiling on the user-facing access ports only, choosing a shutdown action if exceeded, and verify that normal host connectivity remains intact. The uplink to the default gateway/DHCP server is trusted and must not be rate-limited.
+3 more objectives · 3 troubleshooting scenarios
Harden the Layer-2 access edge by limiting multicast and unknown-unicast floods on host-facing ports with a non-disruptive trap action. You will apply storm-control multicast and unicast thresholds to SW1 access interfaces while leaving the uplink trusted and unrestricted for gateway/DHCP. Verify the configuration with show commands and end-to-end host reachability.
+2 more objectives · 5 troubleshooting scenarios
Harden Dynamic ARP Inspection (DAI) on an access switch by enabling additional packet validation checks: source MAC, destination MAC, and IP sanity. The uplink toward the DHCP server/gateway is trusted, access ports are untrusted. DHCP Snooping and baseline DAI are already enabled for VLAN 10; your task is to add the global DAI validation knobs and verify the change deterministically via show commands.
+2 more objectives · 5 troubleshooting scenarios
Harden the campus access edge by isolating same-switch hosts using protected ports. You will configure switchport protected on both host-facing access interfaces so PC1 and PC2 cannot communicate at Layer 2, while all endpoints still reach the default gateway R1. This is a deterministic Layer-2 security control that mimics lightweight private-VLAN isolation on a single switch. Focus is on SW1 only; R1 and hosts are pre-provisioned.
+3 more objectives · 5 troubleshooting scenarios
Harden the Layer-2 access edge by enabling DHCP Snooping on a single access switch and placing the trust boundary only toward the legitimate DHCP server/gateway. Validate with show commands and end-host connectivity.
+2 more objectives · 4 troubleshooting scenarios