STP 5: PortFast on Access Ports (VLAN 50 Triangle)
Configure PortFast correctly on access ports in a triangle switch loop while maintaining normal STP protection on inter-switch trunks. Force SW1 as the root for VLAN 50 and verify that only edge ports are fast-tracked. Observe the difference in host convergence with and without PortFast.
STP Lab 6: BPDU Guard — Protecting the Edge
Continue the STP series on a three-switch triangle with a real loop. SW1 is the deterministic root for VLAN 60, and access ports already use PortFast. In this lab you will harden the edge by enabling BPDU Guard on the two host-facing access ports on SW2 and SW3, while leaving the inter-switch trunks untouched. Verify with show commands that BPDU Guard is active only on the edge and that hosts still communicate normally.
CCNA Day 4: Inter-VLAN Routing (Router-on-a-Stick)
Deploy router-on-a-stick inter-VLAN routing across a compact branch topology with a distribution and access switch, a hardened 802.1Q trunk, and two user VLANs. Configure VLANs and access/trunk ports, build router subinterfaces, verify end-to-end user reachability, and troubleshoot trunk/native-VLAN/subinterface mismatches.
Archive preview only
Multi-Dept Campus Inter-VLAN with Router-on-a-Stick
Design and implement a three-department campus edge using a single router-on-a-stick to provide inter-VLAN routing for Sales (VLAN 10), Engineering (VLAN 20), and Servers (VLAN 30). Map the addressing plan directly to router subinterfaces and build an 802.1Q trunk on the access switch. Verify end-to-end reachability and troubleshoot an allow-list drift scenario.
Native VLAN on a Router-on-a-Stick Trunk
Build and verify inter-VLAN routing using router-on-a-stick with a native (untagged) VLAN on the trunk. Configure one router (subinterfaces only), one Layer-2 access switch (VLANs, access ports, and a single 802.1Q trunk), and two end hosts in different VLANs. The management VLAN 99 rides untagged as the trunk's native VLAN, so the router subinterface must use 'encapsulation dot1Q 99 native' and the switch trunk must match 'switchport trunk native vlan 99'. Verify from Linux hosts and IOS 'show' commands, then practice troubleshooting common native-VLAN faults.
Switch Trunk and Access Ports for Router-on-a-Stick
Configure the Layer-2 switch side of a router-on-a-stick design. A single IOS router already provides inter-VLAN routing on Ethernet0/0.10 (10.0.10.1/24) and Ethernet0/0.20 (10.0.20.1/24). Bring up VLAN transport by creating VLANs on the switch, assigning host access ports, and converting the router-facing link into an 802.1Q trunk that carries VLANs 10 and 20. Validate with show commands on the switch and with cross-VLAN pings from the hosts.
CCNA Port Security 1: Enable & Verify on Access Ports
Hands-on fundamentals with Cisco port security on host-facing access ports. Build a small two-switch campus with a trunk, place two Linux hosts in the same user VLAN, then enable port security with the explicit defaults (maximum 1, violation shutdown) on both host ports. Verify secure-up state and baseline host connectivity.
802.1Q Trunking Troubleshooting Capstone
Advanced CCNA switching capstone centered on restoring end-to-end VLAN 20 transport across three Layer-2 switches using 802.1Q trunks. The starter ships intentionally broken: after a simulated maintenance window, two Alpine hosts in VLAN 20 can no longer reach each other across the inter-switch trunks. Learners diagnose with show interfaces trunk, show interfaces switchport, and show vlan brief, then identify and correct the trunking faults in the right order and verify with host pings.
A Policy-Correct Multi-VLAN Trunk
Build a single 802.1Q trunk between two Layer-2 switches that correctly carries three VLANs with an explicit allow-list and a dedicated non-default native VLAN. Place hosts in Users (VLAN 10) across both switches and a server in Servers (VLAN 20). Verify that the trunk allows VLANs 10, 20, and 99, that the native VLAN matches on both ends, and that same-VLAN hosts communicate across the trunk. Then intentionally break and restore the configuration to practice troubleshooting trunk allow-lists, native VLAN alignment, and host VLAN placement.
CCNA Capstone: Port Security Troubleshooting
Advanced CCNA port-security troubleshooting on a pure Layer-2 design. Two access switches linked by an 802.1Q trunk carry a Users VLAN across closets. Three Alpine Linux hosts are pre-addressed. The lab is intentionally shipped with multiple classic faults: one access port is err-disabled due to a prior port-security shutdown, one user-facing port lacks port-security altogether, another has the wrong violation mode and an overly restrictive maximum, and one port has an incorrect static secure-MAC configured. Your job is to diagnose using show commands, restore connectivity, and implement the intended security posture with sticky MACs, the correct maximum, the proper violation mode, and errdisable auto-recovery—without placing port-security on the trunk.
CCNA Port Security: Maximum Secure MACs on Access Ports
Deploy and verify port security maximum settings on host-facing access ports in a pure Layer-2 campus with two access switches uplinked to a distribution switch. You will raise the allowed secure MAC count to 2 on each user port to support a PC and a potential downstream device (e.g., a dock), then verify with show commands. No Layer-3, SVIs, or routing are used; focus purely on access VLANs, trunks, and the port-security maximum behavior.
CCNA Port Security: Violation Protect vs Restrict
Deploy and compare the two non-disabling port-security violation modes on host-facing access ports. Build a small Layer-2 topology with a trunk between two switches and same-VLAN hosts. Configure violation protect on one access port and restrict on another using deterministic sticky MAC entries. Validate baseline reachability, then observe the different behaviors: protect silently drops with no counter/logs; restrict drops and increments the violation counter.
Port Security: Err-Disable Auto Recovery
Configure port security in shutdown mode on host-facing access ports and enable automatic errdisable recovery for psecure-violation. The lab uses two Layer-2 switches connected by a trunk and three Linux hosts in the same VLAN to validate baseline L2 connectivity. You will deploy and verify the global errdisable recovery timer and cause while keeping the trunk healthy. Focus is on deterministic configuration and verification via show commands rather than attempting to trigger live violations.
802.1Q Trunk Fundamentals: Static Trunk and VLANs
Build a static 802.1Q trunk between two Layer-2 switches to carry VLANs 10 and 20. Map hosts to access ports, verify trunk encapsulation and allowed VLANs, demonstrate same-VLAN reachability across the trunk, and confirm inter-VLAN isolation. Then simulate an allow-list drift fault, diagnose with show commands, and restore service.
CCNA Port-Sec 9: Multi-Port Sticky Restrict Policy
Advanced CCNA switchport port-security rollout on multiple access ports across two Layer-2 switches with a trunk. You will standardize a consistent edge policy (sticky MAC learning, maximum 1, violation restrict) on all host-facing access ports while leaving the uplink trunk exempt from port-security. Includes a realistic drift on the trunk allow-list and VLAN database to fix before validating end-to-end user VLAN transport. Pure Layer-2: no SVIs or routing.
CCNA Port Security 2: Sticky Secure MAC Learning
Two access-layer switches have a VLAN 20 connectivity problem: users in one wiring closet cannot reach users in the other. Diagnose and repair the issue, then deploy sticky secure MAC learning on the host-facing access ports so each port dynamically learns and persists its connected host's MAC. Verify sticky entries in show commands and confirm same-VLAN host connectivity end-to-end.
Port Security: Voice + Data on One Access Port
Harden a real desk port that carries both data (PC) and voice (IP phone) using switchport voice vlan and access vlan on a single access port. Apply port security with a maximum that accounts for two MAC addresses (phone + PC) so a third device is restricted. A deliberate trunk allow-list drift on the inter-switch link initially blocks the Voice VLAN; learners must repair the trunk and then verify port-security state on the desk port.
CCNA Port-Sec 7: Static Secure MAC Binding
Troubleshoot a Layer-2 forwarding fault that breaks a user VLAN between access/distribution switches, then implement static secure MAC binding on the client-facing access port. You will restore end-to-end VLAN 20 reachability and enforce a single authorized MAC on the user port using port-security with violation restrict.
CCNA Port Security 5: Violation Shutdown & Manual Recovery
Hands-on CCNA L2 switching lab: build a small campus with a distribution switch and two access switches carrying a shared user VLAN over 802.1Q trunks. Harden access ports with sticky port-security in violation shutdown mode. Intentionally seed and diagnose broken trunks/host VLANs, restore end-to-end host reachability, then trigger a port-security violation to observe err-disabled behavior and perform manual recovery.
VLAN Trunking 6: DTP and Trunk Hardening
Hands-on DTP negotiation and trunk hardening across a 3-switch path. You will observe dynamic trunking behavior (auto vs desirable), fix an allow-list drift that blocks user VLAN transport, and then harden the trunks to static with nonegotiate and a non-default native VLAN. End-to-end host reachability in the same VLAN proves success.
CCNA VLAN Trunking 7: Trunking Across Three Switches
Build an end-to-end 802.1Q path across three Cisco IOS Layer-2 switches so VLAN 10 transports user traffic from an access port on the left switch to an access port on the right switch through a middle switch. Harden trunks (native VLAN 999, nonegotiate) and verify with show interfaces trunk. Then intentionally break the allow-list to see the outage and restore service.
Trunk Verification & Diagnosing a Silent VLAN
An advanced CCNA switching lab focused on verifying 802.1Q trunks and diagnosing a silent VLAN after a switch refresh. The topology uses three layer-2 switches (a distribution switch between two access closets) and two Alpine hosts, and users in VLAN 20 at one closet cannot reach their VLAN 20 peers at the other closet across the trunk path. Learners use show interfaces trunk, show interfaces switchport, and show vlan brief to locate the break and restore predictable Layer-2 forwarding without adding any Layer-3 configuration.
CCNA Lab 4: Native VLAN Mismatch Troubleshooting
Diagnose and remediate a trunk misconfiguration between an access switch and a distribution switch so that same-VLAN hosts across two access switches can communicate end-to-end. Use CDP and trunk verification commands to investigate the fault and restore proper trunk operation, without introducing any Layer-3 routing.
CCNA Trunking 2: Access Ports vs Trunk Ports
Hands-on CCNA switching lab contrasting single-VLAN access ports with 802.1Q trunks. You begin with the inter-switch link configured as a plain access port, so only one VLAN reaches the router-on-a-stick gateway while the other cannot. You will diagnose the connectivity problem, convert the link into a properly hardened 802.1Q trunk, and validate that both VLANs regain access to their gateway.