Ten hands-on device-security labs — SSH, local/AAA authentication, privilege levels, login hardening, and secure management — on CML free-tier (5 nodes or fewer).
Bring up secure remote management (SSH) on a single Cisco IOS router using a dedicated management LAN. You will configure the deterministic set of running-config lines that enable SSH with a local admin account, restrict VTY to SSH, and verify from a Linux workstation. RSA key generation is performed as an exec step and is not graded; the grading focuses on the presence of the configuration lines that make SSH functional and secure.
View lab detailsHarden a Cisco IOS router so remote management is allowed only via SSH. You will remove Telnet from the VTY lines, keep local authentication, and add an idle-session timeout. Verify success from a Linux ADMIN host by confirming SSH works and Telnet is refused.
View lab detailsHarden privileged access on a single IOS router by configuring a hashed enable secret, creating a local admin user with privilege 15 and a secret, and enabling service password-encryption. Verify that privileged access requires the secret and that the running-config contains no cleartext passwords.
New here? Start with the free study hub and step-by-step guides, then own the bundle to practice on real Cisco IOS.
10 hands-on, auto-graded CCNA labs spanning 24 topics — each one a real Cisco Modeling Labs scenario you build on Cisco IOS. It's a one-time $29.99 and every lab is yours to keep forever.
A one-time purchase — $29.99. Buy once and own every lab in the bundle permanently; it's separate from the daily-lab subscription, so there's nothing recurring.
Yes — each lab is a Cisco Modeling Labs (CML) topology you import and build on real Cisco IOS, and the CML free tier is enough. You download the topology and lab guide, then build it yourself.
Every lab ships as a problem to solve. You build it in CML, then submit your config to grade it against the answer key — you get a pass/fail on each objective, so you know exactly what's right and what to fix instead of guessing.
CCNA. The labs are sequenced to build the hands-on configuration and troubleshooting skills CCNA candidates are expected to demonstrate on real gear.
Harden a single IOS router’s management plane and create tiered CLI access using custom privilege levels. Build two local accounts: a full admin (level 15) and a junior operator (level 5). Elevate only specific exec commands to level 5 so the operator can run them without gaining full configuration rights. Verify behavior from a Linux admin workstation over SSH.
View lab detailsHarden the console and VTY lines on a single Cisco IOS router so idle sessions close automatically and every access path requires authentication. You will configure login local on both console and VTY, set 5-minute exec timeouts, enable logging synchronous on the console, and restrict VTY to SSH. Verification uses show outputs; grading evaluates the deterministic running-config.
View lab detailsHarden the management plane of a single IOS router by throttling brute-force login attempts and presenting a legal-warning banner. You will enable SSH-based management, configure login block-for and delay to resist password-guessing, and verify behavior from an ADMIN Linux workstation.
View lab detailsHarden R1’s management plane by moving SSH login authentication and exec authorization under the IOS AAA framework using the local user database. You will start from a secure SSH-only baseline that still uses login local, enable aaa new-model, define default AAA methods that point at local, and bind VTY lines to AAA. Success is proven by authenticating from the ADMIN host over SSH and landing at the user’s privilege level.
View lab detailsHarden a single Cisco IOS router’s management plane using AAA named method lists applied per-line. Create VTY-AUTH (local then enable) to protect remote SSH access without lockout risk, and CONSOLE-AUTH (local only) to secure the console independently. Verify using show/run sections and test SSH from the ADMIN workstation.
View lab detailsHarden the management-plane SSH service on a single Cisco IOS router so only SSHv2 is permitted and session limits are tightened. The baseline lab already has working SSH. You will enforce SSH version 2, set a 60-second authentication timeout, and limit authentication retries to 2. You will also regenerate a 2048-bit RSA key (an exec-only step) and validate with show commands.
View lab detailsAdvanced CCNP management-plane troubleshooting on a single IOS router. You inherit a pre-broken remote-management config where SSH access is completely failing despite a hostname, domain name, and local admin user. Two independent VTY faults are seeded: the wrong transport and an incorrect login method. Your job is to diagnose with show commands, fix both issues, and validate SSH access from the ADMIN workstation.
View lab details