Ten hands-on labs — DHCP snooping, Dynamic ARP Inspection, storm control, protected ports, and errdisable recovery — defending the switch access edge, on CML free-tier (5 nodes or fewer).
Harden the Layer-2 access edge by enabling DHCP Snooping on a single access switch and placing the trust boundary only toward the legitimate DHCP server/gateway. Validate with show commands and end-host connectivity.
View lab detailsHarden the Layer-2 access edge by rate-limiting DHCP messages on untrusted ports. SW1 already has DHCP snooping enabled for VLAN 10 with the uplink trusted. Your task is to apply a per-interface rate limit on the host-facing access ports to blunt DHCP starvation attacks while leaving the trusted uplink unlimited.
View lab detailsHarden the Layer-2 access edge by enabling Dynamic ARP Inspection (DAI) on a single access switch. DHCP Snooping is already in place and the uplink toward the DHCP server/gateway is trusted. Your job: enable DAI for VLAN 10 and trust the uplink so ARP on host-facing ports is validated against the DHCP Snooping bindings.
View lab detailsNew here? Start with the free study hub and step-by-step guides, then own the bundle to practice on real Cisco IOS.
10 hands-on, auto-graded CCNA labs spanning 17 topics — each one a real Cisco Modeling Labs scenario you build on Cisco IOS. It's a one-time $29.99 and every lab is yours to keep forever.
A one-time purchase — $29.99. Buy once and own every lab in the bundle permanently; it's separate from the daily-lab subscription, so there's nothing recurring.
Yes — each lab is a Cisco Modeling Labs (CML) topology you import and build on real Cisco IOS, and the CML free tier is enough. You download the topology and lab guide, then build it yourself.
Every lab ships as a problem to solve. You build it in CML, then submit your config to grade it against the answer key — you get a pass/fail on each objective, so you know exactly what's right and what to fix instead of guessing.
CCNA. The labs are sequenced to build the hands-on configuration and troubleshooting skills CCNA candidates are expected to demonstrate on real gear.
Harden Dynamic ARP Inspection (DAI) on an access switch by enabling additional packet validation checks: source MAC, destination MAC, and IP sanity. The uplink toward the DHCP server/gateway is trusted, access ports are untrusted. DHCP Snooping and baseline DAI are already enabled for VLAN 10; your task is to add the global DAI validation knobs and verify the change deterministically via show commands.
View lab detailsHarden the campus access edge by capping broadcast traffic per-port with storm control. In this lab you will apply a broadcast ceiling on the user-facing access ports only, choosing a shutdown action if exceeded, and verify that normal host connectivity remains intact. The uplink to the default gateway/DHCP server is trusted and must not be rate-limited.
View lab detailsHarden the Layer-2 access edge by limiting multicast and unknown-unicast floods on host-facing ports with a non-disruptive trap action. You will apply storm-control multicast and unicast thresholds to SW1 access interfaces while leaving the uplink trusted and unrestricted for gateway/DHCP. Verify the configuration with show commands and end-to-end host reachability.
View lab detailsHarden the campus access edge by isolating same-switch hosts using protected ports. You will configure switchport protected on both host-facing access interfaces so PC1 and PC2 cannot communicate at Layer 2, while all endpoints still reach the default gateway R1. This is a deterministic Layer-2 security control that mimics lightweight private-VLAN isolation on a single switch. Focus is on SW1 only; R1 and hosts are pre-provisioned.
View lab detailsHarden the Layer-2 access edge by deploying a unified trust boundary for DHCP Snooping and Dynamic ARP Inspection (DAI) on a single access switch. R1 is both the default gateway and DHCP server for VLAN 10. You will enable DHCP Snooping and DAI globally for VLAN 10 and set the same uplink interface as trusted for both features, leaving host-facing access ports untrusted. This lab emphasizes the dependency and synergy between DHCP Snooping and DAI for blocking rogue DHCP/ARP activity. Grade scope: SW1 config only.
View lab detailsCCNP Layer 2 Security Hardening, Lab 9/10. You will enable automatic errdisable recovery on a campus access switch so ports shut down by Layer-2 security (Dynamic ARP Inspection, DHCP rate-limit, or storm control) can return to service automatically after a safe interval. The switch already enforces DHCP snooping with a correct trust boundary, DAI validation, and broadcast/multicast/unicast storm-control with shutdown actions. Your job: turn on errdisable auto-recovery for arp-inspection, dhcp-rate-limit, and storm-control, and set the interval to 60 seconds. Verify with show errdisable recovery.
View lab detailsAdvanced CCNP Layer-2 security troubleshooting on a single access switch. Diagnose and correct an inverted trust boundary that breaks DHCP and ARP validation: DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled for VLAN 10, but the uplink is not trusted for DHCP and a host port is incorrectly trusted for ARP. Use show commands to find the issues, fix the trust boundary, and restore client connectivity without changing router/host configs.
View lab details