CCNA Foundations: OSPF Day 6 — Route Summarization at the ABR
A compact, enterprise-clean, 5-node CML lab that builds on OSPF multi-area design. You will enable OSPF across a small core–ABR–branch topology, advertise multiple branch networks in area 10, and summarize them at the ABR using 'area range'. You will verify that specific inter-area routes are replaced by a single summary in area 0 while preserving end-to-end reachability between hosts.
Archive preview only
CCNA Foundations: OSPF Day 5 — Multi-Area OSPF & the ABR
Build and verify a compact, enterprise-clean multi-area OSPF network with an ABR. Configure area 0 and a non-backbone area, advertise loopbacks and LANs, enforce OSPF hygiene (passive LANs, explicit router-ids), and verify O IA inter-area routes from the endpoints.
Archive preview only
CCNA Foundations: OSPF Day 4 — Cost & Deterministic Path Selection
Build a 5-node triangle OSPF topology with a branch and a data center connected by two paths: a direct link and an indirect path via a core router. Implement OSPFv2 with clean hygiene (router-ids, passive on LANs), then influence path selection by adjusting interface cost so branch-to-DC traffic prefers the core path. Verify the chosen path from the end hosts using traceroute and confirm symmetric routing by validating the reverse path.
Archive preview only
CCNA Foundations: OSPF Day 3 — DR/BDR Election on a Broadcast Segment
Three IOS routers share a true broadcast multi-access segment through a Layer-2 switch. You will deploy OSPFv2, influence the DR/BDR election using interface priorities, and verify full adjacencies to the DR. An alpine client behind RTR-HQ-R3 must reach loopbacks on RTR-HQ-R1 and RTR-HQ-R2 via OSPF-learned routes. The lab emphasizes proper multi-access deployment hygiene (router-ids, passive default, interface selection) and realistic verification from the end host.
Archive preview only
CCNA Foundations: OSPF Day 2 — Router IDs & Neighbor States
Build a two-router OSPFv2 lab, assign deterministic router-ids using loopbacks, form a clean adjacency from Down through Exchange to FULL, and verify neighbor state and router-ids. End-to-end reachability is validated from real hosts across an enterprise-clean topology.
Archive preview only
CCNA Foundations: OSPF Day 1 — Single-Area Adjacency
Bring up OSPFv2 adjacency between two branch routers over a point-to-point /30, advertise each site’s user LAN and router loopback in area 0, and verify end-to-end pings succeed from the hosts. The baseline ships with addressing and SSH management ready; you will enable and tune OSPF only.
Archive preview only
Securing Discovery on Edge Ports
Harden Cisco IOS edge interfaces by disabling CDP/LLDP toward untrusted endpoints while keeping discovery active on trusted infrastructure links. Routers share a management LAN with a server and form a direct router-to-router adjacency for CDP/LLDP. The learner enables discovery globally, selectively suppresses it on the client-facing edge, and verifies the outcome with show commands.
L2 Security Troubleshooting Capstone: Trust Boundary
Advanced CCNP Layer-2 security troubleshooting on a single access switch. Diagnose and correct an inverted trust boundary that breaks DHCP and ARP validation: DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled for VLAN 10, but the uplink is not trusted for DHCP and a host port is incorrectly trusted for ARP. Use show commands to find the issues, fix the trust boundary, and restore client connectivity without changing router/host configs.
Storm Control for Multicast & Unicast
Harden the Layer-2 access edge by limiting multicast and unknown-unicast floods on host-facing ports with a non-disruptive trap action. You will apply storm-control multicast and unicast thresholds to SW1 access interfaces while leaving the uplink trusted and unrestricted for gateway/DHCP. Verify the configuration with show commands and end-to-end host reachability.
Storm Control on Broadcast Traffic
Harden the campus access edge by capping broadcast traffic per-port with storm control. In this lab you will apply a broadcast ceiling on the user-facing access ports only, choosing a shutdown action if exceeded, and verify that normal host connectivity remains intact. The uplink to the default gateway/DHCP server is trusted and must not be rate-limited.
Dynamic ARP Inspection — Validation Checks
Harden Dynamic ARP Inspection (DAI) on an access switch by enabling additional packet validation checks: source MAC, destination MAC, and IP sanity. The uplink toward the DHCP server/gateway is trusted, access ports are untrusted. DHCP Snooping and baseline DAI are already enabled for VLAN 10; your task is to add the global DAI validation knobs and verify the change deterministically via show commands.
Dynamic ARP Inspection
Harden the Layer-2 access edge by enabling Dynamic ARP Inspection (DAI) on a single access switch. DHCP Snooping is already in place and the uplink toward the DHCP server/gateway is trusted. Your job: enable DAI for VLAN 10 and trust the uplink so ARP on host-facing ports is validated against the DHCP Snooping bindings.
DHCP Snooping Rate Limiting
Harden the Layer-2 access edge by rate-limiting DHCP messages on untrusted ports. SW1 already has DHCP snooping enabled for VLAN 10 with the uplink trusted. Your task is to apply a per-interface rate limit on the host-facing access ports to blunt DHCP starvation attacks while leaving the trusted uplink unlimited.
DHCP Snooping Trust Boundary
Harden the Layer-2 access edge by enabling DHCP Snooping on a single access switch and placing the trust boundary only toward the legitimate DHCP server/gateway. Validate with show commands and end-host connectivity.
Defense in Depth: DHCP Snooping + DAI
Harden the Layer-2 access edge by deploying a unified trust boundary for DHCP Snooping and Dynamic ARP Inspection (DAI) on a single access switch. R1 is both the default gateway and DHCP server for VLAN 10. You will enable DHCP Snooping and DAI globally for VLAN 10 and set the same uplink interface as trusted for both features, leaving host-facing access ports untrusted. This lab emphasizes the dependency and synergy between DHCP Snooping and DAI for blocking rogue DHCP/ARP activity. Grade scope: SW1 config only.
Protected Ports for Host Isolation
Harden the campus access edge by isolating same-switch hosts using protected ports. You will configure switchport protected on both host-facing access interfaces so PC1 and PC2 cannot communicate at Layer 2, while all endpoints still reach the default gateway R1. This is a deterministic Layer-2 security control that mimics lightweight private-VLAN isolation on a single switch. Focus is on SW1 only; R1 and hosts are pre-provisioned.
Errdisable Recovery for L2 Security
CCNP Layer 2 Security Hardening, Lab 9/10. You will enable automatic errdisable recovery on a campus access switch so ports shut down by Layer-2 security (Dynamic ARP Inspection, DHCP rate-limit, or storm control) can return to service automatically after a safe interval. The switch already enforces DHCP snooping with a correct trust boundary, DAI validation, and broadcast/multicast/unicast storm-control with shutdown actions. Your job: turn on errdisable auto-recovery for arp-inspection, dhcp-rate-limit, and storm-control, and set the interval to 60 seconds. Verify with show errdisable recovery.
LLDP for Multi-Vendor Discovery
Enable the open-standard LLDP on adjacent Cisco IOS routers over direct point-to-point links while also attaching the devices to a shared management LAN. Learners configure deterministic LLDP behavior (global enable plus per-interface transmit/receive) and verify neighbor discovery without adding any routing protocols or static routes.
CDP Neighbor Discovery and Edge Suppression
Enable Cisco Discovery Protocol (CDP) on R1 to map directly-connected Cisco neighbors while suppressing CDP advertisements on the untrusted management-edge interface. Routers are directly cabled for true CDP adjacency and also share a common management LAN via SW1 alongside an Alpine MGMT host.
Syslog Severity & Buffered Logging
Tune which syslog messages go where on Cisco IOS using severity levels: keep detailed logs locally in a 16 KB buffer, reduce console noise to warnings, and send notifications to a central server. Single management LAN, no routing. Grading focuses on three R1 commands steering severity: logging buffered 16384 debugging, logging console warnings, and logging trap notifications.
Discovery & Monitoring Troubleshooting Capstone
Troubleshoot a pre-broken monitoring deployment on a single shared management LAN. R1 is already configured for discovery and monitoring, but the NMS receives no syslog or SNMP traps from R1. Diagnose with show commands and correct the two seeded faults: wrong syslog target and missing SNMP trap generation. Deterministic, no-routing, single-subnet design for CML Free (5 nodes).
Centralized Syslog with Timestamps
Configure a Cisco IOS router (R1) to forward its logs to a central syslog server with accurate date/time and millisecond timestamps. Validate the remote host and trap level in show logging. This is Lab 4 of 10 in the Network Discovery & Monitoring series.
SNMPv2c Read-Only Monitoring
Configure Cisco IOS SNMPv2c read-only access on R1 so an NMS on a trusted management LAN can poll device status. You will add a read-only community string and device identity (location/contact), validate from IOS show commands, and confirm basic reachability from the MGMT host. No routing protocols or static routes are used; all devices share a single management subnet bridged by an L2 switch.
SNMP Trap Notifications to the NMS
Configure a Cisco IOS router (R1) to proactively send SNMPv2c trap notifications to a centralized NMS host. Learners practice the difference between polling and traps, add the trap destination and enable device-initiated notifications, and verify deterministically with show commands. Flat L2-only management LAN; no routing, no VLAN/STP complexity.
Practicing for the CCNA with hands-on labs
The CCNA exam rewards one thing above all: comfort on the command line. You can memorize the difference between a broadcast and a collision domain, but you pass — and keep the job the cert helps you land — by being able to configure VLANs, OSPF, ACLs, and static routing quickly and correctly, and to troubleshoot them when they break. These CCNA-aligned labs are built to give you that muscle memory.
Every lab in this track is a license-free Cisco Modeling Labs topology you import in one click and build on real Cisco IOS — VLANs and trunking, inter-VLAN routing, single-area OSPFv2, standard and extended ACLs, static and default routing, and the day-two troubleshooting the exam loves. Build each one, verify it with the same show commands the exam expects, then upload your CML export for grading against the answer key so you know it's genuinely correct. Do a lab a day and the CCNA objectives stop being a reading list and become reps you can perform under time pressure.
Frequently asked questions
Are these labs enough to pass the CCNA on their own?
They cover the hands-on configuration and troubleshooting objectives thoroughly, which is where most candidates are weakest. Pair them with a theory resource for the conceptual and subnetting questions and you have both halves of the exam covered.
Do I need real Cisco hardware for the CCNA labs?
No — just your own Cisco Modeling Labs instance. Every lab is a license-free YAML package built on CML free-tier images (IOL/IOL-L2) that imports in one click.
How should I sequence the CCNA labs?
Start with VLANs and static routing to get comfortable on the CLI, then move to OSPF and ACLs, then the troubleshooting labs. The daily cadence is designed so each lab builds on the last.