Topic

SSH practice labs

9 hands-on SSH scenarios you build in your own Cisco Modeling Labs instance and grade against the answer key. Focused SSH configuration and troubleshooting practice for CCNA and CCNP.

IntermediateUnlock

Blocking Brute-Force Logins and Adding a Banner on R1

Harden the management plane of a single IOS router by throttling brute-force login attempts and presenting a legal-warning banner. You will enable SSH-based management, configure login block-for and delay to resist password-guessing, and verify behavior from an ADMIN Linux workstation.

Track
CCNA
Duration
35 min
AdvancedUnlock

SSH Hardening to Version 2

Harden the management-plane SSH service on a single Cisco IOS router so only SSHv2 is permitted and session limits are tightened. The baseline lab already has working SSH. You will enforce SSH version 2, set a 60-second authentication timeout, and limit authentication retries to 2. You will also regenerate a 2048-bit RSA key (an exec-only step) and validate with show commands.

Track
CCNA
Duration
35 min
IntermediateUnlock

AAA Authentication with a Local User Database

Harden R1’s management plane by moving SSH login authentication and exec authorization under the IOS AAA framework using the local user database. You will start from a secure SSH-only baseline that still uses login local, enable aaa new-model, define default AAA methods that point at local, and bind VTY lines to AAA. Success is proven by authenticating from the ADMIN host over SSH and landing at the user’s privilege level.

Track
CCNA
Duration
35 min
AdvancedUnlock

Secure-Access Troubleshooting Capstone: SSH VTY Fix

Advanced CCNP management-plane troubleshooting on a single IOS router. You inherit a pre-broken remote-management config where SSH access is completely failing despite a hostname, domain name, and local admin user. Two independent VTY faults are seeded: the wrong transport and an incorrect login method. Your job is to diagnose with show commands, fix both issues, and validate SSH access from the ADMIN workstation.

Track
CCNA
Duration
40 min
IntermediateUnlock

CCNA: Console and VTY Line Hardening

Harden the console and VTY lines on a single Cisco IOS router so idle sessions close automatically and every access path requires authentication. You will configure login local on both console and VTY, set 5-minute exec timeouts, enable logging synchronous on the console, and restrict VTY to SSH. Verification uses show outputs; grading evaluates the deterministic running-config.

Track
CCNA
Duration
35 min
AdvancedUnlock

AAA Named Method Lists with Fallback (VTY vs Console)

Harden a single Cisco IOS router’s management plane using AAA named method lists applied per-line. Create VTY-AUTH (local then enable) to protect remote SSH access without lockout risk, and CONSOLE-AUTH (local only) to secure the console independently. Verify using show/run sections and test SSH from the ADMIN workstation.

Track
CCNA
Duration
40 min
BeginnerUnlock

SSH-Only Management: Disabling Telnet on R1

Harden a Cisco IOS router so remote management is allowed only via SSH. You will remove Telnet from the VTY lines, keep local authentication, and add an idle-session timeout. Verify success from a Linux ADMIN host by confirming SSH works and Telnet is refused.

Track
CCNA
Duration
25 min
BeginnerUnlock

CCNA: SSH Access Fundamentals on R1

Bring up secure remote management (SSH) on a single Cisco IOS router using a dedicated management LAN. You will configure the deterministic set of running-config lines that enable SSH with a local admin account, restrict VTY to SSH, and verify from a Linux workstation. RSA key generation is performed as an exec step and is not graded; the grading focuses on the presence of the configuration lines that make SSH functional and secure.

Track
CCNA
Duration
35 min
IntermediateUnlock

Privilege Levels for Tiered CLI Access

Harden a single IOS router’s management plane and create tiered CLI access using custom privilege levels. Build two local accounts: a full admin (level 15) and a junior operator (level 5). Elevate only specific exec commands to level 5 so the operator can run them without gaining full configuration rights. Verify behavior from a Linux admin workstation over SSH.

Track
CCNA
Duration
45 min

Learn SSH

Study the theory behind these labs — the concept explainer and step-by-step guides.

Looking for something else? Browse the full lab archive or see today's daily lab.