Browse previously published labs by topic, track, and difficulty. Open any lab to read its objectives and troubleshooting focus. A subscription lets you download and run every daily lab published since you subscribed — the current one and each new drop — while it's active; earlier labs unlock permanently with a bundle.
Prefer to browse by theme? See all practice topics or certification tracks.
Build a router-on-a-stick design with three VLANs (SALES, HR, GUEST) on a single router and single access switch, then enforce guest isolation using a single extended ACL applied inbound on the Guest subinterface. SALES and HR can reach each other; GUEST can reach only its default gateway and is blocked from internal subnets. The lab focuses on correct 802.1Q tagging, trunking, access port assignments, ACL placement/order, and end-host verification.
+3 more objectives · 6 troubleshooting scenarios
Hands-on fundamentals with Cisco port security on host-facing access ports. Build a small two-switch campus with a trunk, place two Linux hosts in the same user VLAN, then enable port security with the explicit defaults (maximum 1, violation shutdown) on both host ports. Verify secure-up state and baseline host connectivity.
+2 more objectives · 3 troubleshooting scenarios
Advanced CCNA switching capstone centered on restoring end-to-end VLAN 20 transport across three Layer-2 switches using 802.1Q trunks. The starter ships intentionally broken: after a simulated maintenance window, two Alpine hosts in VLAN 20 can no longer reach each other across the inter-switch trunks. Learners diagnose with show interfaces trunk, show interfaces switchport, and show vlan brief, then identify and correct the trunking faults in the right order and verify with host pings.
+3 more objectives · 3 troubleshooting scenarios
Build a single 802.1Q trunk between two Layer-2 switches that correctly carries three VLANs with an explicit allow-list and a dedicated non-default native VLAN. Place hosts in Users (VLAN 10) across both switches and a server in Servers (VLAN 20). Verify that the trunk allows VLANs 10, 20, and 99, that the native VLAN matches on both ends, and that same-VLAN hosts communicate across the trunk. Then intentionally break and restore the configuration to practice troubleshooting trunk allow-lists, native VLAN alignment, and host VLAN placement.
+3 more objectives · 3 troubleshooting scenarios
Hands-on CCNA lab focusing on 802.1Q trunk allow-lists. Build a realistic three-switch campus with two user hosts in VLAN 10. First bring up trunks carrying all VLANs by default, then implement an explicit allowed VLAN list and prune a non-used VLAN. Intentionally remove VLAN 10 from one trunk to observe an outage, verify with Linux pings and IOS show commands, and restore service by fixing the allow-list. Reinforce native VLAN alignment and compare default vs explicit trunk policy.
+3 more objectives · 3 troubleshooting scenarios
Advanced CCNA port-security troubleshooting on a pure Layer-2 design. Two access switches linked by an 802.1Q trunk carry a Users VLAN across closets. Three Alpine Linux hosts are pre-addressed. The lab is intentionally shipped with multiple classic faults: one access port is err-disabled due to a prior port-security shutdown, one user-facing port lacks port-security altogether, another has the wrong violation mode and an overly restrictive maximum, and one port has an incorrect static secure-MAC configured. Your job is to diagnose using show commands, restore connectivity, and implement the intended security posture with sticky MACs, the correct maximum, the proper violation mode, and errdisable auto-recovery—without placing port-security on the trunk.
+4 more objectives · 5 troubleshooting scenarios
Deploy and verify port security maximum settings on host-facing access ports in a pure Layer-2 campus with two access switches uplinked to a distribution switch. You will raise the allowed secure MAC count to 2 on each user port to support a PC and a potential downstream device (e.g., a dock), then verify with show commands. No Layer-3, SVIs, or routing are used; focus purely on access VLANs, trunks, and the port-security maximum behavior.
+2 more objectives · 4 troubleshooting scenarios
Build a 5-node edge/DMZ topology. Implement a named extended ACL on the EDGE router to allow only TCP/80, TCP/443, and ICMP echo from the Inside LAN to a DMZ web server, deny all other traffic to that server with logging, and still permit general traffic elsewhere. Apply the ACL inbound on the EDGE inside LAN interface. Harden router SSH management with a standard ACL. Verify with wget, ping, and an intentionally denied SSH attempt that increments the deny log counter.
+3 more objectives · 3 troubleshooting scenarios
Deploy a 5-node OSPFv2 lab featuring a redundant area 0 triangle (R1–R2–R3) and an ABR (R3) connecting to area 1 with branch networks on R4. A client on R1’s area 0 LAN validates reachability to branch loopback networks summarized by the ABR. You will set explicit router-ids from Loopback0, use passive-interface default, advertise R4’s loopbacks as /24s using ip ospf network point-to-point, and summarize area 1 into a /23 on the ABR. Verify FULL adjacencies, a single O IA summary on R1, and end-to-end connectivity. Troubleshoot an introduced area mismatch and interface/addressing issues.
+5 more objectives · 3 troubleshooting scenarios
Build a 3-router triangle with two branch LANs and real Alpine clients. Deploy primary static routes via the hub and floating backup statics over a direct branch-to-branch link. Verify reachability, path selection, and failover by simulating a hub outage.
+3 more objectives · 3 troubleshooting scenarios
Deploy and compare the two non-disabling port-security violation modes on host-facing access ports. Build a small Layer-2 topology with a trunk between two switches and same-VLAN hosts. Configure violation protect on one access port and restrict on another using deterministic sticky MAC entries. Validate baseline reachability, then observe the different behaviors: protect silently drops with no counter/logs; restrict drops and increments the violation counter.
+2 more objectives · 5 troubleshooting scenarios
Configure port security in shutdown mode on host-facing access ports and enable automatic errdisable recovery for psecure-violation. The lab uses two Layer-2 switches connected by a trunk and three Linux hosts in the same VLAN to validate baseline L2 connectivity. You will deploy and verify the global errdisable recovery timer and cause while keeping the trunk healthy. Focus is on deterministic configuration and verification via show commands rather than attempting to trigger live violations.
+2 more objectives · 4 troubleshooting scenarios