Browse previously published labs by topic, track, and difficulty. Open any lab to read its objectives and troubleshooting focus. A subscription lets you download and run every daily lab published since you subscribed — the current one and each new drop — while it's active; earlier labs unlock permanently with a bundle.
Prefer to browse by theme? See all practice topics or certification tracks.
CCNP Layer 2 Security Hardening, Lab 9/10. You will enable automatic errdisable recovery on a campus access switch so ports shut down by Layer-2 security (Dynamic ARP Inspection, DHCP rate-limit, or storm control) can return to service automatically after a safe interval. The switch already enforces DHCP snooping with a correct trust boundary, DAI validation, and broadcast/multicast/unicast storm-control with shutdown actions. Your job: turn on errdisable auto-recovery for arp-inspection, dhcp-rate-limit, and storm-control, and set the interval to 60 seconds. Verify with show errdisable recovery.
+3 more objectives · 4 troubleshooting scenarios
Harden the Layer-2 access edge by enabling DHCP Snooping on a single access switch and placing the trust boundary only toward the legitimate DHCP server/gateway. Validate with show commands and end-host connectivity.
+2 more objectives · 4 troubleshooting scenarios
Harden the campus access edge by isolating same-switch hosts using protected ports. You will configure switchport protected on both host-facing access interfaces so PC1 and PC2 cannot communicate at Layer 2, while all endpoints still reach the default gateway R1. This is a deterministic Layer-2 security control that mimics lightweight private-VLAN isolation on a single switch. Focus is on SW1 only; R1 and hosts are pre-provisioned.
+3 more objectives · 5 troubleshooting scenarios
Harden the Layer-2 access edge by rate-limiting DHCP messages on untrusted ports. SW1 already has DHCP snooping enabled for VLAN 10 with the uplink trusted. Your task is to apply a per-interface rate limit on the host-facing access ports to blunt DHCP starvation attacks while leaving the trusted uplink unlimited.
+3 more objectives · 4 troubleshooting scenarios
Enable the open-standard LLDP on adjacent Cisco IOS routers over direct point-to-point links while also attaching the devices to a shared management LAN. Learners configure deterministic LLDP behavior (global enable plus per-interface transmit/receive) and verify neighbor discovery without adding any routing protocols or static routes.
+2 more objectives · 5 troubleshooting scenarios
Enable Cisco Discovery Protocol (CDP) on R1 to map directly-connected Cisco neighbors while suppressing CDP advertisements on the untrusted management-edge interface. Routers are directly cabled for true CDP adjacency and also share a common management LAN via SW1 alongside an Alpine MGMT host.
+3 more objectives · 4 troubleshooting scenarios
Configure a Cisco IOS router (R1) to forward its logs to a central syslog server with accurate date/time and millisecond timestamps. Validate the remote host and trap level in show logging. This is Lab 4 of 10 in the Network Discovery & Monitoring series.
+3 more objectives · 5 troubleshooting scenarios
Troubleshoot a pre-broken monitoring deployment on a single shared management LAN. R1 is already configured for discovery and monitoring, but the NMS receives no syslog or SNMP traps from R1. Diagnose with show commands and correct the two seeded faults: wrong syslog target and missing SNMP trap generation. Deterministic, no-routing, single-subnet design for CML Free (5 nodes).
+2 more objectives · 2 troubleshooting scenarios
Tune which syslog messages go where on Cisco IOS using severity levels: keep detailed logs locally in a 16 KB buffer, reduce console noise to warnings, and send notifications to a central server. Single management LAN, no routing. Grading focuses on three R1 commands steering severity: logging buffered 16384 debugging, logging console warnings, and logging trap notifications.
+3 more objectives · 5 troubleshooting scenarios
Configure a Cisco IOS router (R1) to proactively send SNMPv2c trap notifications to a centralized NMS host. Learners practice the difference between polling and traps, add the trap destination and enable device-initiated notifications, and verify deterministically with show commands. Flat L2-only management LAN; no routing, no VLAN/STP complexity.
+3 more objectives · 5 troubleshooting scenarios
Harden the monitoring plane by replacing cleartext SNMPv2c with authenticated and encrypted SNMPv3 (authPriv) on R1. You will create a v3 group that requires privacy and a user with SHA authentication and AES-128 encryption, then verify the configuration. The flat management LAN avoids routing complexity so you can focus on the security mechanics of SNMPv3.
+3 more objectives · 5 troubleshooting scenarios
Configure Cisco IOS SNMPv2c read-only access on R1 so an NMS on a trusted management LAN can poll device status. You will add a read-only community string and device identity (location/contact), validate from IOS show commands, and confirm basic reachability from the MGMT host. No routing protocols or static routes are used; all devices share a single management subnet bridged by an L2 switch.
+2 more objectives · 3 troubleshooting scenarios