A Policy-Correct Multi-VLAN Trunk
Build a single 802.1Q trunk between two Layer-2 switches that correctly carries three VLANs with an explicit allow-list and a dedicated non-default native VLAN. Place hosts in Users (VLAN 10) across both switches and a server in Servers (VLAN 20). Verify that the trunk allows VLANs 10, 20, and 99, that the native VLAN matches on both ends, and that same-VLAN hosts communicate across the trunk. Then intentionally break and restore the configuration to practice troubleshooting trunk allow-lists, native VLAN alignment, and host VLAN placement.
CCNA: Pruning the Allowed VLAN List on Trunks
Hands-on CCNA lab focusing on 802.1Q trunk allow-lists. Build a realistic three-switch campus with two user hosts in VLAN 10. First bring up trunks carrying all VLANs by default, then implement an explicit allowed VLAN list and prune a non-used VLAN. Intentionally remove VLAN 10 from one trunk to observe an outage, verify with Linux pings and IOS show commands, and restore service by fixing the allow-list. Reinforce native VLAN alignment and compare default vs explicit trunk policy.
CCNA Port Security: Maximum Secure MACs on Access Ports
Deploy and verify port security maximum settings on host-facing access ports in a pure Layer-2 campus with two access switches uplinked to a distribution switch. You will raise the allowed secure MAC count to 2 on each user port to support a PC and a potential downstream device (e.g., a dock), then verify with show commands. No Layer-3, SVIs, or routing are used; focus purely on access VLANs, trunks, and the port-security maximum behavior.
Port Security: Err-Disable Auto Recovery
Configure port security in shutdown mode on host-facing access ports and enable automatic errdisable recovery for psecure-violation. The lab uses two Layer-2 switches connected by a trunk and three Linux hosts in the same VLAN to validate baseline L2 connectivity. You will deploy and verify the global errdisable recovery timer and cause while keeping the trunk healthy. Focus is on deterministic configuration and verification via show commands rather than attempting to trigger live violations.
CCNA Port Security: Violation Protect vs Restrict
Deploy and compare the two non-disabling port-security violation modes on host-facing access ports. Build a small Layer-2 topology with a trunk between two switches and same-VLAN hosts. Configure violation protect on one access port and restrict on another using deterministic sticky MAC entries. Validate baseline reachability, then observe the different behaviors: protect silently drops with no counter/logs; restrict drops and increments the violation counter.
802.1Q Trunk Fundamentals: Static Trunk and VLANs
Build a static 802.1Q trunk between two Layer-2 switches to carry VLANs 10 and 20. Map hosts to access ports, verify trunk encapsulation and allowed VLANs, demonstrate same-VLAN reachability across the trunk, and confirm inter-VLAN isolation. Then simulate an allow-list drift fault, diagnose with show commands, and restore service.
CCNA Port-Sec 9: Multi-Port Sticky Restrict Policy
Advanced CCNA switchport port-security rollout on multiple access ports across two Layer-2 switches with a trunk. You will standardize a consistent edge policy (sticky MAC learning, maximum 1, violation restrict) on all host-facing access ports while leaving the uplink trunk exempt from port-security. Includes a realistic drift on the trunk allow-list and VLAN database to fix before validating end-to-end user VLAN transport. Pure Layer-2: no SVIs or routing.
CCNA Port Security 5: Violation Shutdown & Manual Recovery
Hands-on CCNA L2 switching lab: build a small campus with a distribution switch and two access switches carrying a shared user VLAN over 802.1Q trunks. Harden access ports with sticky port-security in violation shutdown mode. Intentionally seed and diagnose broken trunks/host VLANs, restore end-to-end host reachability, then trigger a port-security violation to observe err-disabled behavior and perform manual recovery.
CCNA Port Security 2: Sticky Secure MAC Learning
Two access-layer switches have a VLAN 20 connectivity problem: users in one wiring closet cannot reach users in the other. Diagnose and repair the issue, then deploy sticky secure MAC learning on the host-facing access ports so each port dynamically learns and persists its connected host's MAC. Verify sticky entries in show commands and confirm same-VLAN host connectivity end-to-end.
CCNA Port-Sec 7: Static Secure MAC Binding
Troubleshoot a Layer-2 forwarding fault that breaks a user VLAN between access/distribution switches, then implement static secure MAC binding on the client-facing access port. You will restore end-to-end VLAN 20 reachability and enforce a single authorized MAC on the user port using port-security with violation restrict.
Port Security: Voice + Data on One Access Port
Harden a real desk port that carries both data (PC) and voice (IP phone) using switchport voice vlan and access vlan on a single access port. Apply port security with a maximum that accounts for two MAC addresses (phone + PC) so a third device is restricted. A deliberate trunk allow-list drift on the inter-switch link initially blocks the Voice VLAN; learners must repair the trunk and then verify port-security state on the desk port.
CCNA: Native VLAN & Untagged Traffic on 802.1Q
Hands-on CCNA switching lab focused on the native VLAN and tagging behavior on 802.1Q trunks. Users in one VLAN currently cannot reach their peers across a switch-to-switch trunk; you will standardize the native VLAN away from VLAN 1 to a dedicated parking VLAN, diagnose and correct the trunk configuration, verify the untagged VLAN on both ends, and confirm same-VLAN host reachability across the trunk.
CCNA Trunking 2: Access Ports vs Trunk Ports
Hands-on CCNA switching lab contrasting single-VLAN access ports with 802.1Q trunks. You begin with the inter-switch link configured as a plain access port, so only one VLAN reaches the router-on-a-stick gateway while the other cannot. You will diagnose the connectivity problem, convert the link into a properly hardened 802.1Q trunk, and validate that both VLANs regain access to their gateway.
Trunk Verification & Diagnosing a Silent VLAN
An advanced CCNA switching lab focused on verifying 802.1Q trunks and diagnosing a silent VLAN after a switch refresh. The topology uses three layer-2 switches (a distribution switch between two access closets) and two Alpine hosts, and users in VLAN 20 at one closet cannot reach their VLAN 20 peers at the other closet across the trunk path. Learners use show interfaces trunk, show interfaces switchport, and show vlan brief to locate the break and restore predictable Layer-2 forwarding without adding any Layer-3 configuration.
CCNA VLAN Trunking 7: Trunking Across Three Switches
Build an end-to-end 802.1Q path across three Cisco IOS Layer-2 switches so VLAN 10 transports user traffic from an access port on the left switch to an access port on the right switch through a middle switch. Harden trunks (native VLAN 999, nonegotiate) and verify with show interfaces trunk. Then intentionally break the allow-list to see the outage and restore service.
VLAN Trunking 6: DTP and Trunk Hardening
Hands-on DTP negotiation and trunk hardening across a 3-switch path. You will observe dynamic trunking behavior (auto vs desirable), fix an allow-list drift that blocks user VLAN transport, and then harden the trunks to static with nonegotiate and a non-default native VLAN. End-to-end host reachability in the same VLAN proves success.
CCNA Foundations: L2 Day 7 — VLANs, Trunks & Port Security
Deploy VLANs, hardened 802.1Q trunks, router-on-a-stick inter-VLAN routing, and sticky port security in a compact branch topology. Verify from real hosts and troubleshoot common misconfigurations.
Archive preview only
CCNA Foundations Series: Layer 2 Day 6
Deploy and troubleshoot VLANs, 802.1Q trunks, and port security in a realistic small-branch ROAS design. You will stand up VLANs 10/20/99 with a hardened trunk native VLAN 999, configure sticky port security on access ports, correct a misassigned VLAN, and resolve an err-disabled port caused by a port security violation. Finish by verifying end-to-end host connectivity across VLANs.
Archive preview only
VLAN Troubleshooting Capstone: Native Mismatch & VLAN Drift
Advanced CCNA L2 troubleshooting in a compact branch. Some PCs can't reach their default gateway or other departments across two switches and a router-on-a-stick gateway, and your monitoring system has flagged a switching/trunking problem on the path. Validation is performed from the endpoints (Alpine hosts) using pings and ARP, and trunks are hardened with a non-default native VLAN.
VLAN Segmentation: Broadcast-Domain Isolation
Build VLANs across two access switches with an 802.1Q trunk and a router uplink. Verify that hosts in the same VLAN can communicate (even across switches) while hosts in different VLANs cannot. Then troubleshoot a failure caused by a trunk allow-list misconfiguration.
Voice & Data VLANs: Access + Trunk Allowed Lists
Configure a two-switch access layer with data and voice VLANs on access ports and an 802.1Q trunk between switches. Add a router-on-a-stick gateway for VLAN 10/20. Verify VLAN placement, trunk status, and observe a connectivity failure caused by an allow-list misconfiguration on the inter-switch trunk—then correct it to restore intra-VLAN reachability.
Native VLAN & Trunk Mismatch: Detection and Recovery
Configure VLANs and 802.1Q trunks across two access switches with a router-on-a-stick gateway. Intentionally misconfigure the native VLAN and trunk allow-list to observe loss of intra-VLAN connectivity, detect the mismatch using switch warnings and show commands, and then remediate to restore user reachability. Validates VLAN segmentation, trunking symmetry, and troubleshooting skills for CCNA candidates.
Trunk Allowed-VLAN Pruning Across L2 Switches
Configure VLANs and access ports on two Layer-2 switches, build 802.1Q trunks (with hardened native VLAN and an explicit allowed list), validate end-to-end reachability, intentionally prune a VLAN from the inter-switch trunk to observe segmentation, then restore the correct allow-list. Includes realistic router-on-a-stick gateways for VLAN 10/20/99 and switch management on VLAN 99.
CCNA: VLAN DB & Trunk Allow-List Drift Recovery
Hands-on CCNA VLAN lab: build VLANs with names, assign access ports, harden and verify 802.1Q trunks, and troubleshoot a broken allow-list that prevents a VLAN from traversing the SW1–SW2 trunk. Includes router-on-a-stick gateways, management VLAN, and end-host validation.