Topic

Layer 2 Security practice labs

10 hands-on Layer 2 Security scenarios you build in your own Cisco Modeling Labs instance and grade against the answer key. Focused Layer 2 Security configuration and troubleshooting practice for CCNA and CCNP.

AdvancedUnlock

Dynamic ARP Inspection — Validation Checks

Harden Dynamic ARP Inspection (DAI) on an access switch by enabling additional packet validation checks: source MAC, destination MAC, and IP sanity. The uplink toward the DHCP server/gateway is trusted, access ports are untrusted. DHCP Snooping and baseline DAI are already enabled for VLAN 10; your task is to add the global DAI validation knobs and verify the change deterministically via show commands.

Track
CCNA
Duration
25 min
AdvancedUnlock

L2 Security Troubleshooting Capstone: Trust Boundary

Advanced CCNP Layer-2 security troubleshooting on a single access switch. Diagnose and correct an inverted trust boundary that breaks DHCP and ARP validation: DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled for VLAN 10, but the uplink is not trusted for DHCP and a host port is incorrectly trusted for ARP. Use show commands to find the issues, fix the trust boundary, and restore client connectivity without changing router/host configs.

Track
CCNA
Duration
55 min
IntermediateUnlock

Storm Control for Multicast & Unicast

Harden the Layer-2 access edge by limiting multicast and unknown-unicast floods on host-facing ports with a non-disruptive trap action. You will apply storm-control multicast and unicast thresholds to SW1 access interfaces while leaving the uplink trusted and unrestricted for gateway/DHCP. Verify the configuration with show commands and end-to-end host reachability.

Track
CCNA
Duration
35 min
BeginnerUnlock

Storm Control on Broadcast Traffic

Harden the campus access edge by capping broadcast traffic per-port with storm control. In this lab you will apply a broadcast ceiling on the user-facing access ports only, choosing a shutdown action if exceeded, and verify that normal host connectivity remains intact. The uplink to the default gateway/DHCP server is trusted and must not be rate-limited.

Track
CCNA
Duration
35 min
AdvancedUnlock

Defense in Depth: DHCP Snooping + DAI

Harden the Layer-2 access edge by deploying a unified trust boundary for DHCP Snooping and Dynamic ARP Inspection (DAI) on a single access switch. R1 is both the default gateway and DHCP server for VLAN 10. You will enable DHCP Snooping and DAI globally for VLAN 10 and set the same uplink interface as trusted for both features, leaving host-facing access ports untrusted. This lab emphasizes the dependency and synergy between DHCP Snooping and DAI for blocking rogue DHCP/ARP activity. Grade scope: SW1 config only.

Track
CCNA
Duration
40 min
IntermediateUnlock

DHCP Snooping Rate Limiting

Harden the Layer-2 access edge by rate-limiting DHCP messages on untrusted ports. SW1 already has DHCP snooping enabled for VLAN 10 with the uplink trusted. Your task is to apply a per-interface rate limit on the host-facing access ports to blunt DHCP starvation attacks while leaving the trusted uplink unlimited.

Track
CCNA
Duration
30 min
IntermediateUnlock

Protected Ports for Host Isolation

Harden the campus access edge by isolating same-switch hosts using protected ports. You will configure switchport protected on both host-facing access interfaces so PC1 and PC2 cannot communicate at Layer 2, while all endpoints still reach the default gateway R1. This is a deterministic Layer-2 security control that mimics lightweight private-VLAN isolation on a single switch. Focus is on SW1 only; R1 and hosts are pre-provisioned.

Track
CCNA
Duration
35 min
IntermediateUnlock

Dynamic ARP Inspection

Harden the Layer-2 access edge by enabling Dynamic ARP Inspection (DAI) on a single access switch. DHCP Snooping is already in place and the uplink toward the DHCP server/gateway is trusted. Your job: enable DAI for VLAN 10 and trust the uplink so ARP on host-facing ports is validated against the DHCP Snooping bindings.

Track
CCNA
Duration
35 min
IntermediateUnlock

Errdisable Recovery for L2 Security

CCNP Layer 2 Security Hardening, Lab 9/10. You will enable automatic errdisable recovery on a campus access switch so ports shut down by Layer-2 security (Dynamic ARP Inspection, DHCP rate-limit, or storm control) can return to service automatically after a safe interval. The switch already enforces DHCP snooping with a correct trust boundary, DAI validation, and broadcast/multicast/unicast storm-control with shutdown actions. Your job: turn on errdisable auto-recovery for arp-inspection, dhcp-rate-limit, and storm-control, and set the interval to 60 seconds. Verify with show errdisable recovery.

Track
CCNA
Duration
35 min
BeginnerUnlock

DHCP Snooping Trust Boundary

Harden the Layer-2 access edge by enabling DHCP Snooping on a single access switch and placing the trust boundary only toward the legitimate DHCP server/gateway. Validate with show commands and end-host connectivity.

Track
CCNA
Duration
30 min

Looking for something else? Browse the full lab archive or see today's daily lab.