DELIGHTCCNA LAB GUIDE SERIES

🔬

CCNA 200-301 – Complete Lab Guide

Self-study step-by-step instructions for every lab

43 Labs · Full Instructions Week 0 → Week 16 Packet Tracer · Wireshark · DevNet · Real CLI CCNA 200-301 v1.1

Self-study lab guide · Based on CCNA 200-301 v1.1 Official Exam Blueprint · Recommended tools: Cisco Packet Tracer (free), Wireshark (free), Cisco DevNet Sandbox (free)

📑 Table of Contents

Week 0 – Pre-Course Induction

Month 1 – Network Fundamentals

Month 2 – Network Access

Month 3 – IP Connectivity

Month 4 – Services, Security, Automation

📒

Week 0 – Pre-Course Induction

Sessions 1–4 · Physical skills, cable termination, and your first Packet Tracer session

W0
L1

RJ45 Termination & Cable TestingSession 3 · Real Hardware · Physical Layer

▼

What you'll learnHow to physically terminate a network cable to the T568B standard and verify it with a cable tester — a fundamental real-world skill.

Equipment Needed

🛒

1× RJ45 crimp tool · 1× cable tester (with remote) · 1× reel of Cat5e or Cat6 UTP cable · 10× RJ45 connectors · 1× cable stripper · scissors

Step-by-Step Instructions

Cut the cable
Cut a piece of cable to around 1 metre. Use scissors or cable cutters — make a clean, straight cut.
Strip the outer jacket
Insert the cable into the cable stripper. Rotate once around and pull off 2–3 cm of the outer jacket. Do not nick the inner wires.
Separate and untwist the pairs
Spread out all four colour pairs. Untwist each pair just enough to arrange them — keep untwisting minimal to preserve noise cancellation.
Arrange in T568B order
Hold the wires flat between your fingers. Arrange left to right:
Pin 1: White/Orange · Pin 2: Orange · Pin 3: White/Green · Pin 4: Blue · Pin 5: White/Blue · Pin 6: Green · Pin 7: White/Brown · Pin 8: Brown
Memory tip: WO–O–WG–B–WB–G–WBr–Br
Trim to length
While holding all 8 wires flat and parallel, trim them to exactly 1.3 cm (½ inch) from the edge of the jacket.
Insert into the RJ45 connector
Slide the 8 wires into the connector — each wire into its own channel. All 8 tips must reach the front gold pins. The jacket must enter the back of the connector for strain relief.
Verify colour order before crimping
Look through the transparent body. Confirm the colour order matches T568B from left to right. Do NOT crimp if it's wrong — you cannot undo a crimp.
Crimp
Insert the connector into the crimping tool. Squeeze firmly until the ratchet clicks and releases automatically.
Repeat on the other end
Terminate the other end with the same T568B order to make a straight-through patch cable.
Test with the cable tester
Plug one end into the main tester unit and the other into the remote. Press the test button. All 8 LEDs should light in sequence: 1–2–3–4–5–6–7–8.

Understanding the Test Results

LED Sequence	Meaning
1–2–3–4–5–6–7–8	✅ Good straight-through cable (T568B both ends)
1–3–2–4–5–6–7–8	⚠️ Crossover cable (T568A one end, T568B other) — intentional or mistake?
Any LED missing	❌ Broken wire or bad crimp — re-terminate that end
Two LEDs light at once	❌ Short circuit — two wires touching — re-terminate

💡

Make at least 3 cables — you'll almost certainly get it wrong once or twice. The goal is clean consistent crimps. Most failures are caused by wires not reaching the front of the connector.

W0
L2

First Packet Tracer Topology – Basic IP & PingSession 4 · Packet Tracer · Introduction

▼

What you'll learnNavigate the Cisco Packet Tracer interface, build your first network, assign IP addresses, and confirm connectivity with ping.

📥

Download Cisco Packet Tracer for free at netacad.com — create a free Cisco Networking Academy account if you haven't already.

Topology to Build

PC1 ──────── Switch1 ──────── PC2
│
└──────── PC3

Open Packet Tracer and create a new project
File → New. You'll see the workspace in the centre and device palette at the bottom.
Add a switch
In the bottom palette, click Network Devices → Switches → drag a 2960 switch onto the workspace.
Add three PCs
Click End Devices → drag three PC icons onto the workspace.
Connect the devices
Click the lightning bolt (Connections) → select Copper Straight-Through. Click PC1 → choose FastEthernet0 → click Switch1 → choose FastEthernet0/1. Repeat for PC2 (Fa0/2) and PC3 (Fa0/3). Wait for the link lights to go green.
Assign IPs to the PCs
Click PC1 → Desktop tab → IP Configuration. Enter:
IP: 192.168.1.10 · Subnet: 255.255.255.0
Repeat: PC2 = 192.168.1.20, PC3 = 192.168.1.30 (same subnet mask).
Run a ping test
Click PC1 → Desktop → Command Prompt. Type: ping 192.168.1.20. You should see 4 replies. Also ping 192.168.1.30.
Check the switch MAC table
Click Switch1 → CLI tab. Press Enter, then type: show mac address-table. You'll see PC MAC addresses mapped to the ports they're connected to.

💡

The first ping often fails (1 packet lost) because of ARP. This is normal — the switch is learning MAC addresses. Subsequent pings succeed.

📘

Month 1 – Network Fundamentals (Domain 1)

Weeks 1–4 · OSI model, cabling, IP addressing, subnetting, IPv6, switching

W1
L1

Packet Tracer – Two-Tier LAN Topology ExplorationWeek 1 · Objectives 1.1, 1.2 · Packet Tracer

▼

ObjectiveBuild a two-tier campus LAN, label OSI layers, and verify end-to-end connectivity between hosts.

   PC1   PC2            PC3   PC4
    │    │              │    │
[Access-SW1]           [Access-SW2]
       └────── [Core-SW] ──────┘

Build the topology
Add 2× 2960 switches (Access-SW1, Access-SW2), 1× 3650 switch (Core-SW), and 4× PCs.
Connect devices
PC1 & PC2 → Access-SW1 (Fa0/1, Fa0/2). PC3 & PC4 → Access-SW2 (Fa0/1, Fa0/2). Access-SW1 Gi0/1 → Core-SW Gi0/1. Access-SW2 Gi0/1 → Core-SW Gi0/2. Use Copper Straight-Through for all.
Assign IP addresses
PC1: 192.168.1.10/24 · PC2: 192.168.1.20/24 · PC3: 192.168.1.30/24 · PC4: 192.168.1.40/24. No gateway needed (all same subnet).
Test connectivity
From PC1 CLI: ping 192.168.1.30 and ping 192.168.1.40. All should reply.
Label OSI layers in your notes
For each device, write down which OSI layer it operates at: PC NIC = Layer 1–4 · Access Switch = Layer 2 · Core Switch (3650) = Layer 2/3 · The IP addresses you assigned = Layer 3 · TCP/UDP in applications = Layer 4.

✅

Verify: All 4 PCs can ping each other. Run show mac address-table on Access-SW1 — confirm PC1 and PC2 MACs appear.

W1
L2

Wireshark – PDU Capture & OSI Layer AnalysisWeek 1 · Objective 1.1 · Wireshark

▼

ObjectiveCapture live network traffic and identify headers at each OSI layer inside a single packet.

📥

Download Wireshark free at wireshark.org. Run on a Windows or Linux machine with internet access.

Open Wireshark
Launch Wireshark. On the home screen, double-click your active network adapter (the one with the wave graph) to start capturing.
Generate ICMP traffic
Open a command prompt (Windows) or terminal (Linux/Mac). Type: ping 8.8.8.8. Let it run 4 pings.
Stop the capture
Click the red ■ stop button in Wireshark.
Filter for ICMP
In the filter bar at the top, type icmp and press Enter. You'll see only your ping packets.
Click one packet
Click any "Echo (ping) request" row. The middle panel expands into collapsible layers.
Identify each OSI layer
Expand each section and map it:
Frame X = Layer 1 (Physical — size, timing)
Ethernet II = Layer 2 (Source MAC, Destination MAC)
Internet Protocol Version 4 = Layer 3 (Source IP, Destination IP)
Internet Control Message Protocol = Layer 4/3 (ICMP type, code, checksum)
Capture a TCP connection
Clear the filter. Open a browser and visit http://example.com. In Wireshark filter bar type tcp. Find 3 packets labelled SYN, SYN-ACK, ACK — this is the TCP 3-way handshake.

💡

Write down the source and destination MAC from the Ethernet header and the source/destination IP from the IP header. Notice the MACs are local (your PC and gateway), while IPs are end-to-end (your PC and 8.8.8.8).

W2
L1

Packet Tracer – Interface Error Troubleshooting (Duplex Mismatch)Week 2 · Objective 1.4 · Packet Tracer

▼

ObjectiveDeliberately introduce a duplex mismatch, observe its symptoms in show interfaces output, and fix it.

Build a simple 2-switch topology
Add SW1 (2960) and SW2 (2960). Connect them: SW1 Gi0/1 → SW2 Gi0/1. Add PC1 to SW1 Fa0/1 and PC2 to SW2 Fa0/1. Assign IPs: PC1 192.168.1.1/24, PC2 192.168.1.2/24. Confirm ping works.

Introduce the mismatch on SW1

Click SW1 → CLI tab. Enter:

! Enter privileged mode, then interface config
SW1> enable
SW1# configure terminal
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# duplex half
SW1(config-if)# end

Observe the symptoms
Wait 10 seconds, then run: show interfaces GigabitEthernet0/1. Look for rising input errors, CRC errors, or collisions. Try pinging PC2 from PC1 — you may see packet loss.

Fix the mismatch

Set both switches to auto-negotiation (the correct setting):

SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# duplex auto
SW1(config-if)# speed auto

Repeat on SW2.

Verify recovery
Run show interfaces Gi0/1 again. Errors should stop incrementing. Ping should succeed consistently.

⚠️

Packet Tracer may not show real-time error counter increments as clearly as real hardware — focus on the concept and the commands. On real Cisco equipment this is one of the most common switch port problems.

W2
L2

Wireshark – TCP vs UDP ComparisonWeek 2 · Objective 1.5 · Wireshark

▼

ObjectiveCapture TCP and UDP traffic side by side, and identify the structural difference in your captures.

Capture TCP (web browsing)
Start a Wireshark capture on your active adapter. Open a browser and visit http://example.com. Stop capture after the page loads. Filter: tcp and ip.addr == 93.184.216.34 (example.com's IP — look it up with ping example.com first).
Find the 3-way handshake
Look for three consecutive packets: [SYN] → [SYN, ACK] → [ACK]. Click each one and note:
· The Flags field in the TCP header (SYN, ACK bits)
· The Sequence number and Acknowledgment number fields
Capture UDP (DNS)
Start a new capture. Open a command prompt and type: nslookup cisco.com. Stop capture. Filter: udp and port 53.
Compare the headers
Click one DNS UDP packet. Expand the UDP header. Notice: no sequence numbers, no flags, no acknowledgment field — just source port, destination port, length, and checksum.
Document your findings
In a table, write: TCP has [list fields you found] · UDP has [list fields you found] · TCP = reliable because [explain] · UDP = faster because [explain].

W3
L1

Subnetting Drill – Worksheet & Calculator ValidationWeek 3 · Objective 1.6 · Pencil & Paper Drill

▼

ObjectiveManually subnet 192.168.1.0/24 into 8 equal subnets and validate your answers.

The Task

You have been given 192.168.1.0/24. Divide it into 8 equal subnets. For each subnet, calculate: Network Address · Subnet Mask (CIDR) · First Usable Host · Last Usable Host · Broadcast Address.

Calculate the new prefix
You need 8 subnets. 2³ = 8, so you need to borrow 3 bits from the host portion. New prefix: /24 + 3 = /27. New subnet mask: 255.255.255.224.
Calculate the block size
256 − 224 = 32. Each subnet is 32 addresses wide. Subnets increment by 32.
Fill in the table
Work through all 8 subnets:

#	Network Address	First Host	Last Host	Broadcast
1	192.168.1.0/27	192.168.1.1	192.168.1.30	192.168.1.31
2	192.168.1.32/27	192.168.1.33	192.168.1.62	192.168.1.63
3	192.168.1.64/27	192.168.1.65	192.168.1.94	192.168.1.95
4–8	Complete these yourself, incrementing by 32 each time

💡

Validate your answers using subnet.us or the subnet calculator at calculator.net/ip-subnet-calculator.html — enter each network and confirm your host range matches.

Extra challenge
Repeat the exercise with 172.16.0.0/16 — divide it into 16 subnets. What is the new prefix? What is the block size?

W3
L2

Packet Tracer – VLSM Addressing LabWeek 3 · Objective 1.6 · Packet Tracer

▼

ObjectiveDesign a VLSM addressing scheme for a 4-router topology and configure all interfaces.

[PC-A]──[R1]──────[R2]──[PC-B]
└──────[R3]──[PC-C]
└──[R4]──[PC-D]

VLSM Address Plan (use these)

Segment	Hosts Needed	Subnet
LAN-A (R1)	50 hosts	10.0.0.0/26 (62 hosts)
LAN-B (R2)	25 hosts	10.0.0.64/27 (30 hosts)
LAN-C (R3)	10 hosts	10.0.0.96/28 (14 hosts)
LAN-D (R4)	5 hosts	10.0.0.112/29 (6 hosts)
R1–R2 link	2 hosts	10.0.0.120/30
R1–R3 link	2 hosts	10.0.0.124/30
R3–R4 link	2 hosts	10.0.0.128/30

Build the topology in Packet Tracer
Add 4× Router 1941, 4× PCs, connect using Serial or Gigabit as appropriate.

Configure R1 interfaces

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 10.0.0.1 255.255.255.192
R1(config-if)# no shutdown
R1(config-if)# interface GigabitEthernet0/1
R1(config-if)# ip address 10.0.0.121 255.255.255.252
R1(config-if)# no shutdown

Configure remaining routers
Apply the address plan to each router interface. Assign PC addresses from the first usable host in each LAN subnet. Set PC gateways to the router's LAN IP.
Add static routes
Add static routes so all routers know about all subnets. Example on R1: ip route 10.0.0.64 255.255.255.224 10.0.0.122.
Test
Ping from PC-A to PC-D. Use traceroute [IP] to see the path taken.

W3
L3

OS IP Verification LabWeek 3 · Objective 1.10 · Real CLI

▼

ObjectiveVerify IP configuration on Windows and Linux using CLI tools — an exam-tested skill.

Windows – Open Command Prompt
Press Win + R, type cmd, press Enter.
Run ipconfig
Type ipconfig. Note: IPv4 Address, Subnet Mask, Default Gateway for each adapter. Then run ipconfig /all — also note the DNS Servers and MAC address (Physical Address).
Linux – Open Terminal
On Ubuntu/Debian: press Ctrl+Alt+T.
Run ip commands
ip address show — shows all interfaces with IPs and prefix lengths.
ip route show — shows the routing table including default gateway.
cat /etc/resolv.conf — shows DNS server.
Test connectivity from both
Run ping 8.8.8.8 (Windows: 4 pings by default · Linux: Ctrl+C to stop). Run ping google.com — confirms DNS also works.
Document in a table
Record: IP Address · Subnet Mask · Default Gateway · DNS Server · MAC Address — for each OS. Compare the format differences between the two outputs.

W4
L1

Packet Tracer – IPv6 Static AddressingWeek 4 · Objectives 1.8, 1.9 · Packet Tracer

▼

ObjectiveConfigure IPv6 global unicast and link-local addresses on routers and PCs, then verify connectivity.

Build a 2-router topology
R1 — R2, with PC1 behind R1 and PC2 behind R2.
Enable IPv6 routing on routers
```
R1(config)# ipv6 unicast-routing
```

Configure IPv6 on R1

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ipv6 address 2001:DB8:1:1::1/64
R1(config-if)# no shutdown
R1(config-if)# interface GigabitEthernet0/1
R1(config-if)# ipv6 address 2001:DB8:1:12::1/64
R1(config-if)# no shutdown

Configure R2 similarly
Use 2001:DB8:1:2::1/64 for LAN and 2001:DB8:1:12::2/64 for the link to R1.
Assign IPv6 to PCs
Click PC1 → Desktop → IP Configuration → switch to Static IPv6. Enter: 2001:DB8:1:1::10/64, Gateway: 2001:DB8:1:1::1.

Add IPv6 static routes

R1(config)# ipv6 route 2001:DB8:1:2::/64 2001:DB8:1:12::2

And the reverse on R2.

Verify

Command	Expected Output
show ipv6 interface brief	Both interfaces show IPv6 address and [up/up]
ping 2001:DB8:1:2::10	5 replies from PC2's IPv6 address
show ipv6 route	C routes for connected, S routes for static

W4
L2

Packet Tracer – MAC Table Observation & Frame FloodingWeek 4 · Objective 1.13 · Packet Tracer

▼

ObjectiveObserve how a switch learns MAC addresses dynamically and what happens when it floods frames.

Build topology
1× 2960 switch + 4× PCs on Fa0/1 through Fa0/4. Assign IPs: 192.168.1.1–4/24.
Clear the MAC table first
```
SW1# clear mac address-table dynamic
```

Check the empty table

SW1# show mac address-table
Mac Address Table should show no dynamic entries yet

Generate traffic
From PC1, ping PC3: ping 192.168.1.3.
Check the table again
```
SW1# show mac address-table
```
You should now see PC1's MAC on Fa0/1 and PC3's MAC on Fa0/3.
Enable simulation mode to see flooding
In Packet Tracer: click the Simulation button (bottom right). Set filter to show only ICMP. Send a ping from PC1 to PC2 when the MAC table is empty. Click Auto Capture / Play and watch — the first frame floods to ALL ports.
Observe learning
After the first exchange, send another ping. This time the switch forwards directly to Fa0/2 only — no flooding.

💡

The MAC aging timer defaults to 300 seconds. After 5 minutes of no traffic from a device, its MAC entry is removed and the next frame to that device will flood again.

📗

Month 2 – Network Access (Domain 2)

Weeks 5–8 · VLANs, STP, EtherChannel, Wireless, Device Management

W5
L1

Packet Tracer – Multi-VLAN Network BuildWeek 5 · Objectives 2.1, 2.2 · Packet Tracer

▼

ObjectiveCreate three VLANs across two switches with an 802.1Q trunk, and verify VLAN isolation.

Build the topology
SW1 (2960) + SW2 (2960). Connect SW1 Gi0/1 → SW2 Gi0/1 (this will be the trunk). Add 6 PCs: PC1, PC2 on SW1; PC3, PC4 on SW2 (VLAN 10 and VLAN 20 respectively); PC5 on SW1 and PC6 on SW2 (VLAN 30).

Create VLANs on SW1

SW1(config)# vlan 10
SW1(config-vlan)# name Sales
SW1(config-vlan)# vlan 20
SW1(config-vlan)# name HR
SW1(config-vlan)# vlan 30
SW1(config-vlan)# name IT
SW1(config-vlan)# exit

Assign access ports on SW1

SW1(config)# interface Fa0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
! Repeat for Fa0/2 (VLAN 20) and Fa0/3 (VLAN 30)

Configure the trunk port on SW1

SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 99

Repeat on SW2
Create the same VLANs, assign access ports, and configure Gi0/1 as trunk with native VLAN 99.
Assign IPs to PCs by VLAN
VLAN 10: 192.168.10.x/24 · VLAN 20: 192.168.20.x/24 · VLAN 30: 192.168.30.x/24.
Test VLAN isolation
PC1 (VLAN 10) ping PC2 (VLAN 10 on SW2) → ✅ success. PC1 ping PC3 (VLAN 20) → ❌ fails (correct — no routing yet).

Command	What to check
show vlan brief	All 3 VLANs exist, correct ports assigned
show interfaces trunk	Gi0/1 shows as trunk, VLANs 10,20,30 allowed

W5
L2

Packet Tracer – Router-on-a-Stick Inter-VLAN RoutingWeek 5 · Objective 2.1 · Packet Tracer

▼

ObjectiveAdd a router to the VLAN topology using subinterfaces to enable routing between all three VLANs.

Continue from the previous lab or rebuild it
Add a Router 1941 (R1). Connect R1 Gi0/0 → SW1 Fa0/24 (a free port on SW1).

Set SW1's Fa0/24 as a trunk

SW1(config)# interface Fa0/24
SW1(config-if)# switchport mode trunk

Configure subinterfaces on R1

R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config)# interface GigabitEthernet0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config)# interface GigabitEthernet0/0.30
R1(config-subif)# encapsulation dot1Q 30
R1(config-subif)# ip address 192.168.30.1 255.255.255.0

Set PC default gateways
VLAN 10 PCs → gateway 192.168.10.1 · VLAN 20 PCs → 192.168.20.1 · VLAN 30 PCs → 192.168.30.1.
Test inter-VLAN routing
PC1 (VLAN 10) ping PC3 (VLAN 20) → ✅ should now succeed.

⚠️

The encapsulation dot1Q [vlan-id] command must match the VLAN number exactly. Missing this command or using the wrong VLAN ID is the most common mistake in this lab.

W6
L1

Packet Tracer – STP Root Bridge ManipulationWeek 6 · Objective 2.5 · Packet Tracer

▼

ObjectiveObserve default root bridge election, then force a specific switch to become root and trace the port role changes.

Build a triangle topology
SW1, SW2, SW3 (all 2960). Connect: SW1 Gi0/1 → SW2 Gi0/1 · SW2 Gi0/2 → SW3 Gi0/1 · SW3 Gi0/2 → SW1 Gi0/2. This creates a loop.
Check the default root bridge
```
SW1# show spanning-tree vlan 1
```
Look for "This bridge is the root" or the Root ID section. The switch with the lowest MAC address (with default priority 32768) becomes root.
Check port roles on all switches
Run show spanning-tree vlan 1 on SW2 and SW3. Identify which port is Designated (FWD), Root (FWD), and Alternate/Blocked (BLK).
Force SW1 to become root
```
SW1(config)# spanning-tree vlan 1 priority 4096
```
Wait ~30 seconds for convergence.
Observe the change
Re-run show spanning-tree vlan 1 on all three switches. SW1 should now show "This bridge is the root." Watch which port moves from FWD to BLK on the other switches.
Test PortFast and BPDU Guard
On SW1, connect a PC to Fa0/1. Configure:
```
SW1(config)# interface Fa0/1
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable
```
The PC port should come up instantly (no 30-second wait). If you connect a switch to that port, BPDU Guard will err-disable it.

W6
L2

Packet Tracer – LACP EtherChannel ConfigurationWeek 6 · Objective 2.4 · Packet Tracer

▼

ObjectiveBundle two physical links into one logical EtherChannel using LACP and verify redundancy.

Build the topology
SW1 and SW2. Connect two separate cables: SW1 Gi0/1 → SW2 Gi0/1 AND SW1 Gi0/2 → SW2 Gi0/2.

Configure EtherChannel on SW1

SW1(config)# interface range GigabitEthernet0/1-2
SW1(config-if-range)# channel-group 1 mode active
SW1(config-if-range)# exit
SW1(config)# interface Port-channel1
SW1(config-if)# switchport mode trunk

Repeat on SW2 (also active)

SW2(config)# interface range GigabitEthernet0/1-2
SW2(config-if-range)# channel-group 1 mode active

Verify the bundle
```
SW1# show etherchannel summary
```
Look for Po1(SU) — S = Layer 2, U = in use. The member ports should show (P) for bundled.
Test redundancy
Add PCs on each switch, assign same-subnet IPs, verify pinging works. Then right-click SW1 Gi0/1 → delete connection (simulating a link failure). Confirm pinging continues — traffic moved to Gi0/2.

W6
L3

CDP/LLDP Discovery LabWeek 6 · Objective 2.3 · Real CLI / Packet Tracer

▼

ObjectiveUse LLDP to discover all network neighbors and map the topology from CLI output alone.

Enable LLDP globally on all switches
```
SW1(config)# lldp run
```
Repeat on SW2 and SW3.
Wait 30 seconds
LLDP sends advertisements every 30 seconds by default.
Run neighbor discovery
```
SW1# show lldp neighbors
SW1# show lldp neighbors detail
```
The detail view shows: neighbor hostname, interface connected to, IP address, platform/capabilities.
Draw the topology from output only
On paper, draw boxes for each device discovered. Draw lines showing which port connects to which neighbor port. Compare to the actual Packet Tracer topology — they should match exactly.
CDP check
CDP is Cisco-only and on by default: show cdp neighbors detail. Compare the output to LLDP — same information, different protocol.

W7
L1

Packet Tracer – WLC WLAN SetupWeek 7 · Objective 2.9 · Packet Tracer

▼

ObjectiveCreate two WLANs on a WLC, mapped to different VLANs, and connect a wireless client.

Build the topology
Add: 1× WLC-3504 (from Network Devices → Wireless), 1× Lightweight AP (from Wireless Devices), 1× 2960 switch, 1× laptop (wireless-capable). Connect: AP → Switch Fa0/1 (access port), WLC → Switch Gi0/1 (trunk port).
Configure switch VLANs
Create VLANs 10 and 20. Set WLC uplink as trunk; AP uplink as access VLAN 1 (management).
Access the WLC GUI
Click the WLC → GUI tab. Default credentials: admin / Cisco123 (check the device info). Navigate to WLANs → Create New.
Create WLAN "Corp"
Profile Name: Corp · SSID: Corp · WLAN ID: 1 · Map to Interface: VLAN 10 · Security: WPA2-PSK → enter a passphrase (e.g. Cisco1234!) · Click Apply.
Create WLAN "Guest"
Repeat: Profile Name: Guest · SSID: Guest · WLAN ID: 2 · Interface: VLAN 20 · Security: WPA2-PSK or None.
Connect the wireless laptop
Click Laptop → Desktop → PC Wireless. Under Connect tab, find "Corp" in the site survey. Click Connect, enter the PSK. The laptop should receive an IP from VLAN 10's DHCP pool (configure one on a server or router if needed).

W7
L2

Wireless Network Design DiagramWeek 7 · Objective 2.7 · Design Exercise

▼

ObjectiveDesign a complete wireless deployment for a 2-floor office on paper, applying channel planning and port type rules.

Draw the building layout
Sketch a 2-floor office. Each floor has 3 APs. Place them in corners and centre of each floor to maximise coverage overlap.
Assign non-overlapping channels
Floor 1: AP1=Ch1 · AP2=Ch6 · AP3=Ch11. Floor 2: AP4=Ch1 · AP5=Ch6 · AP6=Ch11. Stagger placement so APs on the same channel do not have overlapping coverage zones.
Draw the wiring
Each AP has a cable going to an access switch on that floor. Label those switch ports as Access — VLAN 1 (management). The access switches uplink to the core switch via trunk ports.
Draw WLC placement
WLC sits in the server room on Floor 1 connected to the core switch. Label the WLC uplink as Trunk port (carries VLAN 10, 20, 30) or as a LAG (EtherChannel) for redundancy.
Annotate CAPWAP tunnels
Draw a dotted line from each AP to the WLC labelled "CAPWAP tunnel." This represents the logical management and data tunnels — not a physical cable.
Add the WLAN-to-VLAN mapping
In a small table on your diagram: SSID Corp → VLAN 10 · SSID HR → VLAN 20 · SSID Guest → VLAN 30.

W8
L1

Packet Tracer – SSH Hardening LabWeek 8 · Objective 2.8 · Packet Tracer

▼

ObjectiveConfigure SSH v2 from scratch on a Cisco switch and lock down VTY access — a mandatory production security step.

Set hostname and domain name

SW1(config)# hostname SW1
SW1(config)# ip domain-name ccna.lab

Generate RSA keys

SW1(config)# crypto key generate rsa modulus 2048
! When prompted "How many bits in the modulus?" enter 2048

Enforce SSH version 2
```
SW1(config)# ip ssh version 2
```

Create a local user account

SW1(config)# username admin privilege 15 secret Cisco123!

Configure VTY lines

SW1(config)# line vty 0 15
SW1(config-line)# transport input ssh
SW1(config-line)# login local
SW1(config-line)# exec-timeout 5 0

Assign management IP to the switch

SW1(config)# interface vlan 1
SW1(config-if)# ip address 192.168.1.100 255.255.255.0
SW1(config-if)# no shutdown

Test SSH from a PC
Click PC1 → Desktop → SSH. Enter IP: 192.168.1.100, User: admin, Password: Cisco123!. You should get a CLI session.
Verify Telnet is blocked
In PC1 → Desktop → Terminal (Telnet). Try connecting to 192.168.1.100 — it should refuse the connection.

Command	Expected Result
show ssh	Version 2.0, active sessions listed
show running-config \| section vty	transport input ssh (not telnet or all)
show ip ssh	SSH Enabled — version 2.0

W8
L2

Packet Tracer – Full Domain 2 Cumulative LabWeek 8 · All Domain 2 Objectives · Packet Tracer

▼

ObjectiveBuild a complete Month 2 topology combining VLANs, trunks, STP, EtherChannel, routing, WLAN, and SSH in one lab.

📋

This is your Month 2 capstone lab. Set aside 60–90 minutes. Build each element one section at a time and verify before moving to the next.

Build Checklist

Topology
3× 2960 switches (SW1 core, SW2, SW3), 1× 1941 router, 1× WLC, 1× Lightweight AP, 6× PCs, 1× wireless laptop.
VLANs & Trunks
Create VLANs 10, 20, 30 on all switches. Configure trunk ports between SW1–SW2 and SW1–SW3. Configure LACP EtherChannel between SW2 and SW3 (two links). Verify with show vlan brief and show etherchannel summary.
STP
Force SW1 to be root for all VLANs (priority 4096). Add PortFast + BPDU Guard on all access ports. Verify with show spanning-tree.
Inter-VLAN routing (router-on-a-stick)
Connect router to SW1. Configure subinterfaces .10, .20, .30. Verify cross-VLAN pinging.
WLAN
Connect WLC and AP. Create Corp WLAN (VLAN 10, WPA2 PSK). Connect wireless laptop to Corp. Verify it gets a VLAN 10 address.
SSH on all switches
Configure SSH v2, disable Telnet, create local user. Verify SSH login from a PC.
Final verification
Wired PC in VLAN 10 (SW2) should ping wireless laptop on Corp WLAN (VLAN 10). PC in VLAN 10 should NOT ping PC in VLAN 20 directly — only through the router.

📙

Month 3 – IP Connectivity (Domain 3)

Weeks 9–12 · Routing tables, static routes, OSPFv2, FHRP

W9
L1

Packet Tracer – Routing Table AnalysisWeek 9 · Objectives 3.1, 3.2 · Packet Tracer

▼

ObjectiveRead and interpret routing table output, identify route sources, and answer forwarding questions.

Build a 3-router topology
R1 — R2 — R3. Each router has one LAN: R1 LAN = 10.1.0.0/24, R2 LAN = 10.2.0.0/24, R3 LAN = 10.3.0.0/24. Links: R1–R2 = 10.0.12.0/30, R2–R3 = 10.0.23.0/30.

Configure OSPF on all routers

R1(config)# router ospf 1
R1(config-router)# network 10.0.0.0 0.255.255.255 area 0

Repeat on R2 and R3.

Add a default route on R1 toward "ISP"
```
R1(config)# ip route 0.0.0.0 0.0.0.0 10.0.12.2
```
Redistribute into OSPF: default-information originate under the OSPF process.
Read the routing table on R3
```
R3# show ip route
```
Identify each line: C = directly connected · O = OSPF · S* = static default. The [110/X] format = [AD/metric].
Answer these forwarding questions for R3
Q1: Where does R3 send packets to 10.1.0.5? → (answer: Gi0/1 toward R2)
Q2: Where does R3 send packets to 8.8.8.8? → (answer: via default route)
Q3: Where does R3 send packets to 10.3.0.99? → (answer: directly connected, Gi0/0)
Q4: What happens to a packet for 192.168.99.1 with NO default route? → (dropped — ICMP unreachable)

W9
L2

Longest Prefix Match DrillWeek 9 · Objective 3.2 · Paper Drill

▼

ObjectivePractice selecting the correct route by applying longest prefix match — the most important routing decision rule.

Given Routing Table

Destination         Next-Hop
10.0.0.0/8          via Gi0/0
10.1.0.0/16         via Gi0/1
10.1.1.0/24         via Gi0/2
10.1.1.128/25       via Gi0/3
0.0.0.0/0           via Gi0/4  (default)

Questions — Which interface?

Destination: 10.1.1.200
Matches /8, /16, /24, AND /25 → longest match = /25 → Gi0/3
Destination: 10.1.1.50
Matches /8, /16, /24 but NOT /25 (50 is in .0–.127) → longest = /24 → Gi0/2
Destination: 10.1.5.1
Matches /8, /16 but NOT /24 or /25 → longest = /16 → Gi0/1
Destination: 10.5.0.1
Matches /8 only → Gi0/0
Destination: 172.16.0.1
No specific match → default route → Gi0/4
Create your own 10 questions
Generate random IPs and determine which interface they use. Practice until it feels instinctive — this is tested heavily on the real exam.

W10
L2

Packet Tracer – Floating Static / Backup RouteWeek 10 · Objective 3.3 · Packet Tracer

▼

ObjectiveConfigure a floating static route as a backup path that only activates when the primary route fails.

[PC-A]──[R1]──Gi0/1──[R2]──Gi0/1──[PC-B]
└──Gi0/2──[R3]──Gi0/1──┘

Build the topology
R1 connects to R2 (primary path) and R3 (backup path). Both R2 and R3 connect to the same destination LAN (192.168.2.0/24) where PC-B lives.
Configure the primary static route on R1 (AD 1)
```
R1(config)# ip route 192.168.2.0 255.255.255.0 10.0.12.2
```
This is the default AD for static routes (1). It will always be preferred.

Configure the floating static route on R1 (AD 200)

R1(config)# ip route 192.168.2.0 255.255.255.0 10.0.13.2 200
! AD 200 — higher than 1, so this only installs if the primary is gone

Verify only the primary appears in the routing table

R1# show ip route
! Only the AD 1 route to 192.168.2.0 should appear — NOT the floating static

Test primary path
Ping from PC-A to PC-B — should succeed via R2. Run traceroute 192.168.2.x — confirm the path goes through R2.

Simulate primary failure

R1(config)# interface GigabitEthernet0/1
R1(config-if)# shutdown   ! shut the R1-R2 link

Verify the floating static has installed

R1# show ip route
! Now the AD 200 route via R3 should appear — it was invisible before

Test backup path
Ping from PC-A to PC-B again. Should still succeed — now via R3. Run traceroute to confirm the path changed.
Restore primary and observe
```
R1(config-if)# no shutdown
```
The AD 1 route returns. The floating static disappears from the table again.

💡

Floating static routes are commonly used as a backup to a dynamic routing protocol. For example: primary via OSPF (AD 110) → floating static at AD 115 only kicks in if the OSPF route disappears.

W10
L1

Packet Tracer – Static Route Full MeshWeek 10 · Objective 3.3 · Packet Tracer

▼

ObjectiveConfigure all four types of static route (default, host, network, floating) on a multi-router topology.

Build the topology
3× Router 1941. R1 LAN: 192.168.1.0/24 · R2 LAN: 192.168.2.0/24 · R3 LAN: 192.168.3.0/24. Links: R1–R2 = 10.0.12.0/30, R1–R3 = 10.0.13.0/30, R2–R3 = 10.0.23.0/30. Connect a PC to each LAN.
Configure interfaces on all routers
Assign IPs to all interfaces. Enable no shutdown.

Add static routes on R1

R1(config)# ip route 192.168.2.0 255.255.255.0 10.0.12.2
R1(config)# ip route 192.168.3.0 255.255.255.0 10.0.13.2
R1(config)# ip route 0.0.0.0 0.0.0.0 10.0.12.2  ! default route

Repeat on R2 and R3
Each router needs static routes pointing to the other two LANs.
Test full mesh connectivity
From PC1, ping PC2 (192.168.2.x) and PC3 (192.168.3.x). Both should succeed.

Add a floating static (backup) route on R1

R1(config)# ip route 192.168.2.0 255.255.255.0 10.0.13.2 200
! AD 200 = higher than primary (AD 1) — only installs if primary fails

Test failover
Shut R1's interface toward R2: interface Gi0/1 → shutdown. Check show ip route — the floating static should now be active. Ping PC2 — should still work via R3.

W11
L1

Packet Tracer – OSPFv2 Basic ConfigurationWeek 11 · Objective 3.4 · Packet Tracer

▼

ObjectiveConfigure single-area OSPFv2 on a 4-router topology and verify all neighbors reach FULL state.

Build a 4-router topology
R1 — R2 — R3 — R4 in a line. Each router has a loopback for a LAN simulation. Links use /30 subnets.

Configure OSPF on R1

R1(config)# router ospf 1
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 10.0.0.0 0.0.0.3 area 0   ! link to R2
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0  ! LAN
R1(config-router)# passive-interface GigabitEthernet0/0  ! LAN port — no hellos

Repeat on R2, R3, R4
Use router IDs 2.2.2.2, 3.3.3.3, 4.4.4.4 respectively. Include all connected networks in the network statement.
Verify neighbor adjacencies
```
R1# show ip ospf neighbor
```
All neighbors should show state FULL. If you see 2-WAY or EXSTART, wait 30 seconds and try again.
Verify routes are installed
```
R1# show ip route ospf
```
You should see O routes for all remote LANs.
Test end-to-end ping
Ping from R1's LAN to R4's LAN — should succeed.

W11
L2

Packet Tracer – DR/BDR Election LabWeek 11 · Objective 3.4 · Packet Tracer

▼

ObjectiveObserve and control DR/BDR election on a broadcast (multi-access) OSPF segment.

Connect 3 routers to a shared switch
SW1 (2960) in the centre. R1, R2, R3 each connect to SW1. Assign IPs from 10.0.1.0/24: R1=.1, R2=.2, R3=.3.
Configure OSPF on all three
Use process ID 1, area 0. Include the 10.0.1.0/24 network. Set Router IDs manually: R1=1.1.1.1, R2=2.2.2.2, R3=3.3.3.3.
Observe default election
```
R1# show ip ospf interface GigabitEthernet0/0
```
Look for DR and BDR IP addresses. By default, highest Router ID = DR (R3 = 3.3.3.3 wins).

Manipulate the election

Force R1 to become DR:

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf priority 255

Set R3 to never become DR:

R3(config-if)# ip ospf priority 0

Reset OSPF to force re-election
```
R1# clear ip ospf process
```
Type yes to confirm. Do this on all three routers.
Verify new DR/BDR
```
R1# show ip ospf interface GigabitEthernet0/0
```
R1 should now be DR. R2 should be BDR. R3 should show DROTHER.

W11
L3

Packet Tracer – OSPF Cost TuningWeek 11 · Objective 3.4 · Packet Tracer

▼

ObjectiveManipulate OSPF cost to influence path selection and verify the change with show commands and traceroute.

Build a dual-path topology
R1 connects to R3 via R2 (path 1) and also directly to R3 (path 2). Both paths have equal cost initially.
Fix the reference bandwidth
```
R1(config)# router ospf 1
R1(config-router)# auto-cost reference-bandwidth 1000
```
Repeat on all routers. This makes GigabitEthernet cost = 1, FastEthernet cost = 10.

Check current path

R1# show ip route ospf
R1# traceroute 10.3.0.1

Note which path is being used.

Increase cost on the direct R1–R3 link

R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip ospf cost 100

Verify path has changed
```
R1# show ip route ospf
```
The route to R3's LAN should now show a higher metric and route via R2.

W12
L1

Packet Tracer – HSRP Active/Standby LabWeek 12 · Objective 3.5 · Packet Tracer

▼

ObjectiveConfigure HSRP on two routers to provide a redundant default gateway and test transparent failover.

Build the topology
R1 and R2 both connected to SW1 (LAN side) and SW2 (uplink/WAN side). Add 2 PCs on SW1's LAN. LAN subnet: 192.168.1.0/24.

Configure HSRP on R1 (Active)

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 192.168.1.2 255.255.255.0
R1(config-if)# standby 1 ip 192.168.1.1       ! virtual IP
R1(config-if)# standby 1 priority 110
R1(config-if)# standby 1 preempt
R1(config-if)# no shutdown

Configure HSRP on R2 (Standby)

R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip address 192.168.1.3 255.255.255.0
R2(config-if)# standby 1 ip 192.168.1.1       ! same virtual IP
R2(config-if)# standby 1 priority 100          ! lower = standby
R2(config-if)# no shutdown

Set PC gateways to the virtual IP
Both PCs use gateway 192.168.1.1 (the virtual IP — never the real R1 or R2 IP).
Verify HSRP state
```
R1# show standby brief
```
R1 should show Active, R2 should show Standby.
Test failover
Shut R1's LAN interface: interface Gi0/0 → shutdown. Run continuous pings from PC1. After ~10 seconds, R2 takes over as Active. Pings resume. Bring R1 back up — due to preempt, R1 reclaims Active.

W12
L2

Packet Tracer – Full Domain 3 Cumulative LabWeek 12 · All Domain 3 Objectives · Packet Tracer

▼

ObjectiveCombine OSPF, static routes, and HSRP in a single routed topology for Month 3 consolidation.

Topology
4× routers. R1 and R2 are dual-homed to the LAN (HSRP). R3 and R4 extend the OSPF domain. A simulated WAN cloud connects to R1.
Step 1 – Configure all interface IPs
Assign /30 subnets on all inter-router links. Assign /24 subnets on all LAN segments.
Step 2 – Configure OSPF on R1–R4
All in Area 0. Set Router IDs. Use passive-interface on all LAN-facing interfaces.
Step 3 – Add default routes
Configure a static default route on R1 toward the WAN. Redistribute with default-information originate in OSPF so all routers learn it.
Step 4 – Configure HSRP on R1 and R2
Virtual IP for the LAN. R1 = active (priority 110, preempt). R2 = standby (default priority 100).
Verify everything

Check	Command	Expected
OSPF neighbors	show ip ospf neighbor	All FULL
All routes visible	show ip route	O routes for all remote LANs
HSRP state	show standby brief	R1 Active, R2 Standby
End-to-end ping	ping [remote LAN PC]	100% success
HSRP failover	Shut R1 LAN int, ping again	Pings recover in ~10s

📓

Month 4 – IP Services, Security, Automation & Revision

Weeks 13–16 · Domains 4, 5, 6 + Mock Exams

W13
L1

Packet Tracer – PAT (NAT Overload) ConfigurationWeek 13 · Objective 4.1 · Packet Tracer

▼

ObjectiveConfigure PAT so multiple inside hosts share a single public IP address using unique port numbers.

Build the topology
R1 (edge router) with Gi0/0 = inside LAN (192.168.1.0/24) and Gi0/1 = outside (203.0.113.1/30 toward ISP). Add 3 PCs on the inside. Add a server on the outside (simulating the internet).

Create an ACL defining inside hosts

R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Configure NAT overload (PAT)

R1(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

Mark inside and outside interfaces

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip nat inside
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip nat outside

Add a default route

R1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.2

Test from all PCs
Ping the outside server from PC1, PC2, PC3. Each should succeed.
Verify NAT translations
```
R1# show ip nat translations
```
You should see 3 entries — all showing inside global = 203.0.113.1 but with different port numbers (unique per inside host).

NAT Term	In This Lab
Inside Local	192.168.1.10 (PC1's real IP)
Inside Global	203.0.113.1:1025 (public IP + port)
Outside Global	The destination server IP

W13
L2

Packet Tracer – DHCP Server + Relay LabWeek 13 · Objectives 4.3, 4.6 · Packet Tracer

▼

ObjectiveConfigure a centralised DHCP server and use ip helper-address to serve remote subnets.

Topology
R1 (DHCP server router) has LAN 192.168.1.0/24. R2 is connected to R1 and has LAN 192.168.2.0/24 with PCs needing DHCP addresses. R1–R2 link: 10.0.12.0/30.

Configure DHCP pool on R1 for remote subnet

R1(config)# ip dhcp pool REMOTE-LAN
R1(dhcp-config)# network 192.168.2.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.2.1
R1(dhcp-config)# dns-server 8.8.8.8
R1(config)# ip dhcp excluded-address 192.168.2.1 192.168.2.10

Configure the relay on R2's LAN interface
```
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip helper-address 10.0.12.1
```
This tells R2 to forward DHCP broadcasts as unicast to R1's IP.
Set PCs to DHCP
Click each PC → Desktop → IP Configuration → select DHCP. They should receive IPs from the 192.168.2.11+ range.
Verify on R1
```
R1# show ip dhcp binding
```
Each PC's MAC address should appear with the assigned IP and lease time.

💡

The ip helper-address command is one of the most exam-tested IP Services topics. Remember: it goes on the router interface CLOSEST to the clients, not the DHCP server.

W13
L3

Packet Tracer – Syslog + NTP ConfigurationWeek 13 · Objectives 4.2, 4.5 · Packet Tracer

▼

ObjectiveSynchronise a router's clock with NTP and send log messages to a centralised syslog server.

Add a syslog server to the topology
In Packet Tracer, add a generic Server. Click it → Services → SYSLOG → enable it. Note the server's IP (e.g. 192.168.1.200).

Configure NTP on the router

R1(config)# ntp server 192.168.1.200
! In a real lab, point to pool.ntp.org or a real NTP server

Configure syslog on the router

R1(config)# logging 192.168.1.200
R1(config)# logging trap informational   ! level 6 and below
R1(config)# service timestamps log datetime msec

Generate log events
Shut and bring back up an interface: interface Gi0/1 → shutdown → no shutdown. This generates link-state change messages.
Check the syslog server
Click the server → Services → SYSLOG. You should see timestamped entries like %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down.
Know the severity levels by memory

Level	Name	Example
0	Emergency	System unusable
1	Alert	Immediate action needed
2	Critical	Critical conditions
3	Error	Interface error
4	Warning	Config warning
5	Notice	Normal but significant
6	Informational	Link state change
7	Debug	Debug output

💡

Mnemonic: Every Awful Crash Eventually Wrecks Networked Infrastructure Databases

W14
L1

Packet Tracer – Extended ACL Traffic FilteringWeek 14 · Objective 5.6 · Packet Tracer

▼

ObjectiveWrite and apply an extended named ACL that permits specific traffic while denying all else.

Topology
R1 with VLAN 10 LAN (192.168.10.0/24) on Gi0/0 and a server (10.0.0.100) on Gi0/1. PCs in VLAN 10 should only be allowed to access HTTP (80) and DNS (53) on the server.

Create a named extended ACL

R1(config)# ip access-list extended VLAN10-TO-SERVER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.100 eq 80
R1(config-ext-nacl)# permit udp 192.168.10.0 0.0.0.255 host 10.0.0.100 eq 53
! implicit deny any any at the end — no need to type it

Apply to the correct interface and direction

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group VLAN10-TO-SERVER in
! "in" = filtering traffic coming FROM the VLAN 10 LAN

Test HTTP access
From a PC, open the web browser (Desktop → Web Browser) and go to 10.0.0.100. Should load.
Test ICMP (ping) — should be denied
From PC, ping 10.0.0.100. Should fail because ICMP is not permitted in the ACL.
Check hit counters
```
R1# show access-lists VLAN10-TO-SERVER
```
Each ACE shows how many packets have matched it.

⚠️

Common trap: Every ACL ends with an implicit deny any any. If you forget to permit return traffic or DNS, everything breaks. Test each permitted service explicitly.

W14
L2

Packet Tracer – DHCP Snooping + DAI LabWeek 14 · Objective 5.7 · Packet Tracer

▼

ObjectiveProtect the network against rogue DHCP servers and ARP spoofing using Layer 2 security features.

Topology
SW1 connected to: real DHCP server (Gi0/1 — trusted uplink), PC1, PC2 (access ports — untrusted), and a rogue DHCP server on Fa0/5.

Enable DHCP snooping globally and per VLAN

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10

Mark the legitimate DHCP server uplink as trusted
```
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# ip dhcp snooping trust
```
All other ports are untrusted by default.
Test rogue DHCP is blocked
Set the rogue server on Fa0/5 to serve 192.168.1.200–210. Set PC1 and PC2 to DHCP. Verify they receive IPs from the legitimate server (192.168.1.11+), NOT from the rogue.

Enable DAI (Dynamic ARP Inspection)

SW1(config)# ip arp inspection vlan 10
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# ip arp inspection trust

Verify

SW1# show ip dhcp snooping binding
SW1# show ip arp inspection vlan 10

W14
L3

Packet Tracer – Port Security ConfigurationWeek 14 · Objective 5.7 · Packet Tracer

▼

ObjectiveLimit which MAC addresses can connect to an access port using port security with sticky learning.

Connect two PCs to a switch access port
PC1 and PC2 on Fa0/1 (via a hub or by swapping cables in simulation mode).

Enable port security

SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 2
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# switchport port-security violation restrict

Let PC1 and PC2 learn (send a ping)
PC1 pings the gateway. PC2 pings the gateway. The switch learns and saves both MACs as sticky.

Verify the learned MACs

SW1# show port-security interface Fa0/1
SW1# show port-security address

Plug in a third device (violation)
Change PC1's MAC address (in Packet Tracer, click PC → Config → FastEthernet → change MAC) or swap with a third PC. The port should increment the violation counter. With restrict mode, the port stays up but drops the violating frames.
Compare violation modes

Mode	Port State	Logging	When to use
shutdown (default)	err-disabled (port goes down)	Yes	Maximum security
restrict	Port stays up, frames dropped	Yes	Visible but non-disruptive
protect	Port stays up, frames dropped	No	Silent drop

W15
L1

REST API Lab – Cisco DevNet Always-On SandboxWeek 15 · Objective 6.5 · DevNet / Postman

▼

ObjectiveSend real REST API GET requests to a live Cisco IOS XE device and interpret JSON responses — no installation on the device needed.

🔗

Go to devnetsandbox.cisco.com → select IOS XE on Cat8000v — Always On. No reservation needed. Credentials are shown on the sandbox page (typically: developer / C1sco12345).

Install Postman
Download from postman.com (free). Create a free account or skip login.
Disable SSL verification
In Postman: Settings → General → toggle off SSL certificate verification. The sandbox uses a self-signed cert.
Send your first GET request
Method: GET
URL: https://sandbox-iosxe-latest-1.cisco.com/restconf/data/Cisco-IOS-XE-native:native/hostname
Headers: Accept: application/yang-data+json
Auth: Basic Auth → username/password from sandbox page. Click Send.
Read the JSON response
You'll receive something like:
{"Cisco-IOS-XE-native:hostname": "Cat8000v"}
Identify the key (hostname) and the value (Cat8000v).
Get interface list
URL: https://sandbox-iosxe-latest-1.cisco.com/restconf/data/ietf-interfaces:interfaces. The response will be a JSON object containing an array of interfaces. Count how many are listed. Identify which ones are iana-if-type:ethernetCsmacd.
Identify CRUD → HTTP verb mappings

CRUD Operation	HTTP Verb	Use Case
Read	GET	Retrieve config or operational data
Create	POST	Add a new resource (e.g. new VLAN)
Update	PUT / PATCH	Replace or modify existing config
Delete	DELETE	Remove a resource

W15
L2

JSON Parsing ExerciseWeek 15 · Objective 6.7 · Drill

▼

ObjectiveRead a JSON API response and extract specific data values — a directly exam-tested skill.

Sample JSON — Read this carefully

{
  "interfaces": [
    {
      "name": "GigabitEthernet1",
      "ip_address": "10.0.0.1",
      "status": "up",
      "input_errors": 0
    },
    {
      "name": "GigabitEthernet2",
      "ip_address": "192.168.1.1",
      "status": "up",
      "input_errors": 42
    },
    {
      "name": "GigabitEthernet3",
      "ip_address": "null",
      "status": "down",
      "input_errors": 7
    }
  ]
}

Answer These Questions

How many interfaces are in the list?
Count the objects inside the [ ] array → Answer: 3
How many interfaces have status "up"?
Look for "status": "up" → Answer: 2
What is the IP address of GigabitEthernet2?
Find the object where name = GigabitEthernet2 → Answer: 192.168.1.1
Which interface has the highest input_errors?
Compare all input_errors values → Answer: GigabitEthernet2 (42 errors)
What data type is the "input_errors" value?
No quotes around the number → Answer: Integer (number)
JSON structure review
Write in your notes: { } = object (key-value pairs) · [ ] = array (ordered list) · "key": "value" = string · "key": 42 = number · "key": true/false = boolean

W15
L3

Ansible Playbook Exploration (Read-Only)Week 15 · Objective 6.6 · Analysis Exercise

▼

ObjectiveRead and understand an Ansible playbook structure — no installation required. CCNA tests recognition, not execution.

Sample Ansible Playbook — Read Every Line

---
- name: Configure VLANs on all access switches
  hosts: access_switches        # which devices to target
  gather_facts: no
  connection: network_cli

  tasks:
    - name: Create VLAN 10
      cisco.ios.ios_vlans:          # the Ansible module
        config:
          - vlan_id: 10
            name: Sales
            state: active
        state: merged

    - name: Create VLAN 20
      cisco.ios.ios_vlans:
        config:
          - vlan_id: 20
            name: HR
            state: active
        state: merged

Identify the hosts section
hosts: access_switches — this tells Ansible which group of devices to run the playbook on. The group is defined in a separate inventory file (a list of IP addresses or hostnames).
Identify the tasks section
The tasks: block contains two tasks: create VLAN 10 and create VLAN 20. Each task has a human-readable name and a module call.
Identify the modules used
cisco.ios.ios_vlans — this is the Ansible module for managing VLANs on Cisco IOS devices. Ansible is agentless — it connects via SSH to push these changes. No software installed on the switches.
Key Ansible concepts to know for the exam

Concept	Meaning
Agentless	No software needed on managed devices — uses SSH
Playbook	YAML file defining the automation tasks
Inventory	List of target devices (IPs or hostnames)
Module	Pre-built function (ios_vlan, ios_config, etc.)
Idempotent	Running twice produces the same result — safe to repeat
Terraform (contrast)	HCL language, plan/apply, for infrastructure provisioning

W16
L1

MEGA LAB – Full CCNA Enterprise TopologyWeek 16 · All Domains · Packet Tracer — Allow 90–120 min

▼

ObjectiveBuild and verify a complete enterprise network from scratch, combining every major CCNA topic into one topology.

⏱️

Set aside 90–120 minutes for this lab. Work through the checklist in order. Verify each section before moving on. This is your final practice before the exam.

Full Topology Components

3× 2960 switches (SW1 core, SW2, SW3) · 2× routers on LAN (R1, R2 for HSRP) · 1× edge router (R-EDGE) · 1× WLC · 1× lightweight AP · 1× DHCP/Syslog server · 4× wired PCs · 1× wireless laptop

Build Checklist — Complete in Order

Layer 2 – VLANs, Trunks, STP
Create VLANs 10, 20, 30. Configure 802.1Q trunks between all switches. Set SW1 as STP root (priority 4096) for all VLANs. Apply PortFast + BPDU Guard to all access ports. Verify: show spanning-tree · show vlan brief.
Layer 2 – EtherChannel
Configure LACP EtherChannel (2 links) between SW2 and SW3. Verify: show etherchannel summary → SU flag.
Layer 3 – Inter-VLAN Routing
Configure router-on-a-stick on R1 (subinterfaces .10, .20, .30). Verify cross-VLAN pinging from PCs.
Layer 3 – OSPF
Configure OSPFv2 Area 0 on R1, R2, R-EDGE. Set Router IDs. Use passive-interface on all LAN-facing ports. Verify: show ip ospf neighbor → all FULL.
Layer 3 – HSRP
R1 = active (priority 110, preempt). R2 = standby. Virtual IP = gateway for each VLAN. Set PC gateways to virtual IPs. Verify: show standby brief.
IP Services – NAT/PAT
Configure PAT on R-EDGE. Multiple inside hosts share one public IP. Mark interfaces. Verify: show ip nat translations.
IP Services – DHCP Relay
Configure DHCP server on the server. Add ip helper-address on R1's VLAN interfaces. PCs get IPs via DHCP. Verify: show ip dhcp binding.
Security – SSH + ACL
SSH v2 on all switches. Extended ACL: permit only HTTP and DNS from VLAN 10 to server. Apply in correct direction. Verify SSH login; verify ping to server is blocked.
Security – Layer 2
DHCP snooping on all VLANs. Port security (max 2 MACs, sticky, restrict) on all access ports. Verify: show port-security interface.
Wireless
Create Corp WLAN on WLC (VLAN 10, WPA2 PSK). Connect wireless laptop. Verify it gets a VLAN 10 IP and can ping wired PCs in VLAN 10.
Management
Configure syslog pointing to server. Configure NTP client on all routers. Verify timestamps in log output.

W16
L2

Troubleshooting Gauntlet – 10 Hidden FaultsWeek 16 · All Domains · Target: Fix all 10 in 60 min

▼

ObjectiveSystematically find and fix 10 deliberately introduced faults across the MEGA LAB topology.

📋

Ask a study partner to introduce these faults, or introduce them yourself, save a copy, then come back to a "broken" version after a break. Use the systematic troubleshooting process: Define the problem → Gather facts → Analyse → Implement fix → Verify → Document.

The 10 Faults + Hints

#	Fault Type	Symptom	Diagnostic Command
1	Wrong VLAN on access port (PC in VLAN 1 instead of 10)	PC can't reach VLAN 10 gateway	show vlan brief
2	Missing OSPF network statement on one router	That router's LAN not in routing table of others	show ip ospf interface / show ip route
3	ACL applied in wrong direction (out instead of in)	ACL has zero matches / wrong traffic blocked	show access-lists / show run int
4	Native VLAN mismatch on a trunk	Native VLAN traffic tagged incorrectly / CDP warning	show interfaces trunk
5	Duplex mismatch on an uplink	High CRC errors / slow throughput	show interfaces [int]
6	Missing ip helper-address on a VLAN interface	PCs in that VLAN get APIPA (169.254.x.x)	show run int vlan [id]
7	Wrong STP root (wrong switch is root)	Suboptimal path / traffic not flowing as expected	show spanning-tree
8	Port security violation not cleared (port err-disabled)	PC connected but port shows err-disabled in red	show port-security int
9	SSH version 1 configured (not version 2)	SSH connects but exam requires v2	show ip ssh
10	NAT inside/outside reversed on router interfaces	No translations appear in show ip nat translations	show run int / show ip nat stats

💡

Work top-down: physical layer first → data link → network → application. Most faults will reveal themselves with show interfaces, show ip route, show vlan brief, and ping before you need deeper commands.

W16
L3

Mock Exam Strategy – 2× Full Timed Practice ExamsWeek 16 · All Domains · Exam Readiness

▼

ObjectiveSimulate real exam conditions with two full timed practice tests and a structured review process.

Recommended Free / Paid Resources

Resource	Type	Notes
Cisco Learning Network	Free	learningnetwork.cisco.com — official sample questions
Boson ExSim	Paid (~$100)	Closest to real exam — highly recommended
Jeremy's IT Lab (YouTube)	Free	Free Anki flashcard deck + practice questions
Packet Tracer Activities	Free	Cisco NetAcad has CCNA PT activities by topic

Mock Exam Week Plan

Day 1–2: Mock Exam #1
100 questions · 120 minutes · No pausing · No looking things up. Record your score by domain. Target: 75%+.
Day 3: Review every wrong answer
Don't just note the correct answer — understand WHY each wrong answer was wrong, and why the correct answer is right. This is the most important study step.
Day 4: Mock Exam #2
Focus on domains where you scored below 70% in Mock #1. Target 80%+.
Day 5: Light review only
Flashcard review: syslog levels, AD values, ACL placement rules, HSRP/OSPF commands. No new topics.
Day 6: Rest day
No heavy study. Review key mnemonics. Get 8 hours sleep. Eat well.
Exam Day
Arrive 30 minutes early. Bring valid photo ID. Time budget: simulation questions = 5–8 min each. Flag uncertain questions and return. Never leave blank — no penalty for guessing.

🎯

You're ready when: You can subnet any /24 in under 60 seconds · You can recite OSPF neighbor states in order · You know every syslog level by number and name · You can write an SSH config from memory · You score 80%+ consistently on practice exams.

Protected Workbook

📑 Table of Contents

Week 0 – Pre-Course Induction

Month 1 – Network Fundamentals (Domain 1)

Month 2 – Network Access (Domain 2)

Month 3 – IP Connectivity (Domain 3)

Month 4 – IP Services, Security, Automation & Revision