Ten hands-on switchport-security labs — static/sticky MAC, violation modes, err-disable recovery, and access-port hardening — on CML free-tier (5 nodes or fewer).
Hands-on fundamentals with Cisco port security on host-facing access ports. Build a small two-switch campus with a trunk, place two Linux hosts in the same user VLAN, then enable port security with the explicit defaults (maximum 1, violation shutdown) on both host ports. Verify secure-up state and baseline host connectivity.
View lab detailsTwo access-layer switches have a VLAN 20 connectivity problem: users in one wiring closet cannot reach users in the other. Diagnose and repair the issue, then deploy sticky secure MAC learning on the host-facing access ports so each port dynamically learns and persists its connected host's MAC. Verify sticky entries in show commands and confirm same-VLAN host connectivity end-to-end.
View lab detailsDeploy and verify port security maximum settings on host-facing access ports in a pure Layer-2 campus with two access switches uplinked to a distribution switch. You will raise the allowed secure MAC count to 2 on each user port to support a PC and a potential downstream device (e.g., a dock), then verify with show commands. No Layer-3, SVIs, or routing are used; focus purely on access VLANs, trunks, and the port-security maximum behavior.
New here? Start with the free study hub and step-by-step guides, then own the bundle to practice on real Cisco IOS.
10 hands-on, auto-graded CCNA labs spanning 18 topics — each one a real Cisco Modeling Labs scenario you build on Cisco IOS. It's a one-time $29.99 and every lab is yours to keep forever.
A one-time purchase — $29.99. Buy once and own every lab in the bundle permanently; it's separate from the daily-lab subscription, so there's nothing recurring.
Yes — each lab is a Cisco Modeling Labs (CML) topology you import and build on real Cisco IOS, and the CML free tier is enough. You download the topology and lab guide, then build it yourself.
Every lab ships as a problem to solve. You build it in CML, then submit your config to grade it against the answer key — you get a pass/fail on each objective, so you know exactly what's right and what to fix instead of guessing.
CCNA. The labs are sequenced to build the hands-on configuration and troubleshooting skills CCNA candidates are expected to demonstrate on real gear.
Deploy and compare the two non-disabling port-security violation modes on host-facing access ports. Build a small Layer-2 topology with a trunk between two switches and same-VLAN hosts. Configure violation protect on one access port and restrict on another using deterministic sticky MAC entries. Validate baseline reachability, then observe the different behaviors: protect silently drops with no counter/logs; restrict drops and increments the violation counter.
View lab detailsHands-on CCNA L2 switching lab: build a small campus with a distribution switch and two access switches carrying a shared user VLAN over 802.1Q trunks. Harden access ports with sticky port-security in violation shutdown mode. Intentionally seed and diagnose broken trunks/host VLANs, restore end-to-end host reachability, then trigger a port-security violation to observe err-disabled behavior and perform manual recovery.
View lab detailsConfigure port security in shutdown mode on host-facing access ports and enable automatic errdisable recovery for psecure-violation. The lab uses two Layer-2 switches connected by a trunk and three Linux hosts in the same VLAN to validate baseline L2 connectivity. You will deploy and verify the global errdisable recovery timer and cause while keeping the trunk healthy. Focus is on deterministic configuration and verification via show commands rather than attempting to trigger live violations.
View lab detailsTroubleshoot a Layer-2 forwarding fault that breaks a user VLAN between access/distribution switches, then implement static secure MAC binding on the client-facing access port. You will restore end-to-end VLAN 20 reachability and enforce a single authorized MAC on the user port using port-security with violation restrict.
View lab detailsHarden a real desk port that carries both data (PC) and voice (IP phone) using switchport voice vlan and access vlan on a single access port. Apply port security with a maximum that accounts for two MAC addresses (phone + PC) so a third device is restricted. A deliberate trunk allow-list drift on the inter-switch link initially blocks the Voice VLAN; learners must repair the trunk and then verify port-security state on the desk port.
View lab detailsAdvanced CCNA switchport port-security rollout on multiple access ports across two Layer-2 switches with a trunk. You will standardize a consistent edge policy (sticky MAC learning, maximum 1, violation restrict) on all host-facing access ports while leaving the uplink trunk exempt from port-security. Includes a realistic drift on the trunk allow-list and VLAN database to fix before validating end-to-end user VLAN transport. Pure Layer-2: no SVIs or routing.
View lab detailsAdvanced CCNA port-security troubleshooting on a pure Layer-2 design. Two access switches linked by an 802.1Q trunk carry a Users VLAN across closets. Three Alpine Linux hosts are pre-addressed. The lab is intentionally shipped with multiple classic faults: one access port is err-disabled due to a prior port-security shutdown, one user-facing port lacks port-security altogether, another has the wrong violation mode and an overly restrictive maximum, and one port has an incorrect static secure-MAC configured. Your job is to diagnose using show commands, restore connectivity, and implement the intended security posture with sticky MACs, the correct maximum, the proper violation mode, and errdisable auto-recovery—without placing port-security on the trunk.
View lab details