Topic

Security practice labs

13 hands-on Security scenarios you build in your own Cisco Modeling Labs instance and grade against the answer key. Focused Security configuration and troubleshooting practice for CCNA and CCNP.

AdvancedUnlock

SNMPv3 AuthPriv Monitoring

Harden the monitoring plane by replacing cleartext SNMPv2c with authenticated and encrypted SNMPv3 (authPriv) on R1. You will create a v3 group that requires privacy and a user with SHA authentication and AES-128 encryption, then verify the configuration. The flat management LAN avoids routing complexity so you can focus on the security mechanics of SNMPv3.

Track
CCNA
Duration
35 min
IntermediateUnlock

Securing NTP with MD5 Authentication

Configure NTP MD5 authentication so a client (R2) synchronizes only to a trusted, authenticated master (R1). R1 is already an authoritative clock (ntp master 3). You will enable NTP authentication on both routers, define and trust key 1, and bind the key on R2's ntp server statement. Verification focuses on authenticated associations and status; actual time lock may take minutes and is not graded.

Track
CCNA
Duration
35 min
IntermediateUnlock

Restricting NTP with an access-group

Configure a Cisco IOS router as an authoritative NTP master and restrict which clients it will serve using an NTP access-group with a standard ACL. One shared LAN (no routing) connects three routers through a Layer-2 switch. Only R2 is authorized to receive time from R1; R3 is denied. Learners deploy, verify, and troubleshoot the access-group behavior.

Track
CCNA
Duration
40 min
AdvancedUnlock

SSH Hardening to Version 2

Harden the management-plane SSH service on a single Cisco IOS router so only SSHv2 is permitted and session limits are tightened. The baseline lab already has working SSH. You will enforce SSH version 2, set a 60-second authentication timeout, and limit authentication retries to 2. You will also regenerate a 2048-bit RSA key (an exec-only step) and validate with show commands.

Track
CCNA
Duration
35 min
BeginnerUnlock

Enable Secret and Password Encryption on R1

Harden privileged access on a single IOS router by configuring a hashed enable secret, creating a local admin user with privilege 15 and a secret, and enabling service password-encryption. Verify that privileged access requires the secret and that the running-config contains no cleartext passwords.

Track
CCNA
Duration
30 min
IntermediateUnlock

CCNA: Console and VTY Line Hardening

Harden the console and VTY lines on a single Cisco IOS router so idle sessions close automatically and every access path requires authentication. You will configure login local on both console and VTY, set 5-minute exec timeouts, enable logging synchronous on the console, and restrict VTY to SSH. Verification uses show outputs; grading evaluates the deterministic running-config.

Track
CCNA
Duration
35 min
IntermediateUnlock

AAA Authentication with a Local User Database

Harden R1’s management plane by moving SSH login authentication and exec authorization under the IOS AAA framework using the local user database. You will start from a secure SSH-only baseline that still uses login local, enable aaa new-model, define default AAA methods that point at local, and bind VTY lines to AAA. Success is proven by authenticating from the ADMIN host over SSH and landing at the user’s privilege level.

Track
CCNA
Duration
35 min
AdvancedUnlock

AAA Named Method Lists with Fallback (VTY vs Console)

Harden a single Cisco IOS router’s management plane using AAA named method lists applied per-line. Create VTY-AUTH (local then enable) to protect remote SSH access without lockout risk, and CONSOLE-AUTH (local only) to secure the console independently. Verify using show/run sections and test SSH from the ADMIN workstation.

Track
CCNA
Duration
40 min
IntermediateUnlock

Securing HSRP with MD5

Harden an HSRP virtual default gateway with MD5 authentication so only trusted routers can participate. You’ll secure an existing HSRP group on two IOS routers that share a user VLAN via a single L2 switch. Validate the authentication state on both routers and confirm the endpoint still reaches the virtual IP.

Track
CCNA & CCNP
Duration
35 min
AdvancedUnlock

ACL Segmentation Policy on Multi-LAN Router

Deploy and verify multiple IPv4 ACLs on a single router that terminates three distinct LANs (Client, Server, and Management). You will place an extended ACL inbound on the Client interface to allow only specific services to the Server and block access to Management, a standard ACL outbound on the Management interface to enforce destination-side protection by source, and a VTY access-class to restrict router SSH to the Management subnet only. Validate with end-host tests that permitted flows succeed while denied flows are provably blocked, and use ACL hit counts and logs to troubleshoot.

Track
CCNA
Duration
70 min
IntermediateUnlock

ACL Wildcard Masks: Match Host, Subnet, and Range

Hands-on CCNA ACL practice using standard ACLs and wildcard masks to allow a single host, a contiguous range, and an entire subnet while proving a deny. You will place the ACL near the destination, order statements correctly, verify with end-host pings and ACL counters, and troubleshoot common mistakes.

Track
CCNA
Duration
55 min
IntermediateUnlock

CCNA: ACL Placement – Std Near Dest, Ext Near Source

Dual-router Branch/HQ lab with a branch client and an HQ server. You will apply an extended IPv4 ACL inbound near the source on the Branch LAN to block specific traffic (TCP/80) while permitting others (ICMP), and a standard IPv4 ACL outbound near the destination on the HQ LAN to admit only the approved source. Validate from real hosts, confirm ACL hitcounts, and keep inter-site connectivity via static routes over a /30 transit.

Track
CCNA
Duration
55 min
IntermediateUnlock

ACL App Filter: Permit SSH/HTTP, Block Telnet/ICMP

Build a two-router, one-access-switch lab with a client and a server. Establish basic IP connectivity with static routing, then implement an extended IPv4 ACL inbound on the client-facing interface to permit SSH and HTTP to the server while denying Telnet and ICMP echo. Validate from the client and review ACL hit counters for proof.

Track
CCNA
Duration
55 min

Looking for something else? Browse the full lab archive or see today's daily lab.