Topic

Cisco IOS practice labs — Page 2

44 hands-on Cisco IOS scenarios you build in your own Cisco Modeling Labs instance and grade against the answer key. Focused Cisco IOS configuration and troubleshooting practice for CCNA and CCNP.

AdvancedUnlock

NTP Troubleshooting Capstone

Advanced NTP troubleshooting on a two-router /30. R2 never synchronizes its clock. Use show commands to diagnose, then correct the design intent so R2 deterministically references R1, and R1 is an authoritative time source at the agreed stratum. The starter ships with a pre-broken NTP configuration already applied; your job is to find and fix two independent faults.

Track
CCNA
Duration
35 min
AdvancedUnlock

SSH Hardening to Version 2

Harden the management-plane SSH service on a single Cisco IOS router so only SSHv2 is permitted and session limits are tightened. The baseline lab already has working SSH. You will enforce SSH version 2, set a 60-second authentication timeout, and limit authentication retries to 2. You will also regenerate a 2048-bit RSA key (an exec-only step) and validate with show commands.

Track
CCNA
Duration
35 min
BeginnerUnlock

Enable Secret and Password Encryption on R1

Harden privileged access on a single IOS router by configuring a hashed enable secret, creating a local admin user with privilege 15 and a secret, and enabling service password-encryption. Verify that privileged access requires the secret and that the running-config contains no cleartext passwords.

Track
CCNA
Duration
30 min
AdvancedUnlock

Secure-Access Troubleshooting Capstone: SSH VTY Fix

Advanced CCNP management-plane troubleshooting on a single IOS router. You inherit a pre-broken remote-management config where SSH access is completely failing despite a hostname, domain name, and local admin user. Two independent VTY faults are seeded: the wrong transport and an incorrect login method. Your job is to diagnose with show commands, fix both issues, and validate SSH access from the ADMIN workstation.

Track
CCNA
Duration
40 min
BeginnerUnlock

SSH-Only Management: Disabling Telnet on R1

Harden a Cisco IOS router so remote management is allowed only via SSH. You will remove Telnet from the VTY lines, keep local authentication, and add an idle-session timeout. Verify success from a Linux ADMIN host by confirming SSH works and Telnet is refused.

Track
CCNA
Duration
25 min
IntermediateUnlock

AAA Authentication with a Local User Database

Harden R1’s management plane by moving SSH login authentication and exec authorization under the IOS AAA framework using the local user database. You will start from a secure SSH-only baseline that still uses login local, enable aaa new-model, define default AAA methods that point at local, and bind VTY lines to AAA. Success is proven by authenticating from the ADMIN host over SSH and landing at the user’s privilege level.

Track
CCNA
Duration
35 min
IntermediateUnlock

Privilege Levels for Tiered CLI Access

Harden a single IOS router’s management plane and create tiered CLI access using custom privilege levels. Build two local accounts: a full admin (level 15) and a junior operator (level 5). Elevate only specific exec commands to level 5 so the operator can run them without gaining full configuration rights. Verify behavior from a Linux admin workstation over SSH.

Track
CCNA
Duration
45 min
BeginnerUnlock

CCNA: SSH Access Fundamentals on R1

Bring up secure remote management (SSH) on a single Cisco IOS router using a dedicated management LAN. You will configure the deterministic set of running-config lines that enable SSH with a local admin account, restrict VTY to SSH, and verify from a Linux workstation. RSA key generation is performed as an exec step and is not graded; the grading focuses on the presence of the configuration lines that make SSH functional and secure.

Track
CCNA
Duration
35 min
AdvancedUnlock

AAA Named Method Lists with Fallback (VTY vs Console)

Harden a single Cisco IOS router’s management plane using AAA named method lists applied per-line. Create VTY-AUTH (local then enable) to protect remote SSH access without lockout risk, and CONSOLE-AUTH (local only) to secure the console independently. Verify using show/run sections and test SSH from the ADMIN workstation.

Track
CCNA
Duration
40 min
IntermediateUnlock

STP 4: Port Priority Tie-Break on Parallel Links

Guide Rapid-PVST+ to prefer a specific parallel trunk by tuning the sender’s port priority on the root bridge. Two ioll2-xe switches (SW1, SW2) form a physical loop via two equal-speed trunks. A third L2 switch (SW3) extends the user VLAN to a second closet. One Alpine host attaches to SW1 and another to SW3 in VLAN 40 (10.1.40.0/24). You will: force SW1 to be the root for VLAN 40, lower the port priority on SW1’s Gi0/2 (Ethernet0/1) to break the tie so SW2 selects its Gi0/2 as the Root Port, enable PortFast and BPDU Guard on host-facing ports, and verify with show spanning-tree outputs and host pings.

Track
CCNA
Duration
55 min
IntermediateUnlock

DHCP: Serving Two Subnets from Two Pools

Build and verify two independent DHCP address pools on a single Cisco IOS router, each serving a different LAN. Two Alpine Linux clients obtain leases from their respective pools via directly attached access switches. You will configure the pools, excluded addresses, default gateways, DNS, and domain names, then verify with IOS show commands and Linux tools. The focus is deterministic router DHCP configuration; clients lease dynamically and are verified rather than graded.

Track
CCNA
Duration
45 min
IntermediateUnlock

CCNA NAT4: PAT Overload onto a Pool

Implement Port Address Translation (PAT) using a one-address NAT pool so multiple inside hosts share a single public IP. Reuse the same 5-node topology and addressing as the prior lab; convert the pool to a single address and enable overload. Verify simultaneous connectivity from two inside hosts, observe translations and counters, and contrast with prior pool-exhaustion behavior.

Track
CCNA
Duration
45 min
IntermediateUnlock

NAT at the Internet Edge with Default Routing

Build an Internet-edge NAT design that reaches beyond the ISP to a real external network. You will configure dynamic PAT (overload) from a private LAN to a public /29 using a NAT pool on the edge router, with the router’s default route already pointing to the ISP. Verify that an inside host can reach a public server across the ISP and that translations, counters, and default routing reflect the expected state.

Track
CCNA
Duration
45 min
IntermediateUnlock

Static PAT: Port Forwarding to an Inside Server

Configure static PAT (port forwarding) on a Cisco IOS edge router so an outside client can reach an inside HTTP service on TCP/8080 using a dedicated public IP that is not the router's interface. Validate using curl from the outside host and NAT show commands on the router.

Track
CCNA
Duration
50 min
IntermediateUnlock

CCNA NAT9: Verifying & Clearing NAT

Operate, observe, and clear Cisco IOS PAT translations on an internet edge. You will configure a standard PAT overload on R1, generate multiple concurrent sessions from an inside host, read translation/state counters, and clear single and all entries to see how the table repopulates immediately under live traffic.

Track
CCNA
Duration
45 min
BeginnerUnlock

CCNA NAT1: Static One-to-One NAT with ISP

Build a small but realistic edge topology and configure static one-to-one NAT on R1 so the inside host PC-A (192.168.10.10) always translates to 203.0.113.3. Validate bidirectional reachability with an upstream ISP router and a public server one hop further. Verify translation state and counters on R1 and connectivity from both ends.

Track
CCNA
Duration
40 min
AdvancedUnlock

CCNA Port-Sec 9: Multi-Port Sticky Restrict Policy

Advanced CCNA switchport port-security rollout on multiple access ports across two Layer-2 switches with a trunk. You will standardize a consistent edge policy (sticky MAC learning, maximum 1, violation restrict) on all host-facing access ports while leaving the uplink trunk exempt from port-security. Includes a realistic drift on the trunk allow-list and VLAN database to fix before validating end-to-end user VLAN transport. Pure Layer-2: no SVIs or routing.

Track
CCNA
Duration
58 min
IntermediateUnlock

Secure Router VTY with ACL: Only Management Host Allowed

Configure a standard IPv4 ACL and bind it to the VTY lines on the HQ router so only the dedicated management host can SSH to it. Confirm that regular routed traffic between sites is unaffected, and prove both a permitted and a denied management attempt.

Track
CCNA
Duration
45 min
IntermediateUnlock

CCNA: ACL Placement – Std Near Dest, Ext Near Source

Dual-router Branch/HQ lab with a branch client and an HQ server. You will apply an extended IPv4 ACL inbound near the source on the Branch LAN to block specific traffic (TCP/80) while permitting others (ICMP), and a standard IPv4 ACL outbound near the destination on the HQ LAN to admit only the approved source. Validate from real hosts, confirm ACL hitcounts, and keep inter-site connectivity via static routes over a /30 transit.

Track
CCNA
Duration
55 min
IntermediateUnlock

ACL Logging & Order: Correct Permit/Deny Sequencing

Three-router static-routing lab with two Linux endpoints. An extended IPv4 ACL is intentionally misordered inbound near the source, causing Telnet to be permitted unexpectedly. Learners must observe first-match behavior via hit counters, enable buffered logging to see ACL log entries, and then correct the ACL sequence so Telnet is blocked while SSH and ICMP are permitted. All routers include a complete SSH management plane. The final solution forwards end-to-end and is enterprise-clean.

Track
CCNA
Duration
55 min

Looking for something else? Browse the full lab archive or see today's daily lab.