Step-by-Step Configuration Tutorials
Welcome to NetsTuts Configuration Labs — a hands-on library of Cisco IOS tutorials built for students who want to learn networking through practice, not memorization. Every lab uses real IOS commands, real output, and real-world scenarios aligned with CCNA exam objectives and enterprise best practices.
Whether you're preparing for the Cisco CCNA (200-301) exam, studying
for CompTIA Network+, or building practical skills for your first
network engineering role — these labs give you the hands-on foundation that textbooks
alone cannot. Each tutorial walks you through configuration step by step, explains
why each command is used, and shows you how to verify your work using
real show commands.
Why Learn from These Labs?
- Real IOS output — every command and screenshot is captured from actual lab environments (GNS3, Cisco Packet Tracer, and physical hardware)
- Explanation-first approach — you understand the concept before you type a single command
- Verification built in — every lab includes the `show` commands to confirm your configuration worked
- CCNA-aligned — topics are mapped directly to Cisco's 200-301 exam blueprint
- Enterprise best practices — configurations follow real-world standards, not just exam shortcuts
- No assumptions — labs are written for beginners but detailed enough for professionals reviewing fundamentals
Recommended Study Method
- Read the full explanation first — understand what the lab achieves before touching any CLI
- Build the topology — recreate the network diagram in Cisco Packet Tracer or GNS3
- Type every command manually — do not copy-paste; muscle memory matters in exams and real jobs
- Verify with show commands — compare your output with the lab screenshots line by line
- Break it and fix it — intentionally misconfigure something, then troubleshoot it back to working
- Repeat without the guide — close the tutorial and rebuild from memory to confirm retention
Recommended Lab Tools
- Cisco Packet Tracer — free, beginner-friendly simulator. Download via the Cisco Networking Academy (free registration). Ideal for all CCNA topics.
- GNS3 — open-source network emulator. Runs real Cisco IOS images. Better for advanced labs and closer to real hardware behavior.
- EVE-NG — enterprise-grade network emulation platform. Supports multi-vendor topologies. Preferred in professional environments.
- Physical lab — used Cisco 2960 switches and 1841/2811 routers can be found for under $50 on eBay. Nothing beats real hardware experience.
Configuration Lab Library
🖥️ Device Basics & IOS Fundamentals
Foundation configuration every Cisco device needs. Start here if you are new to Cisco IOS — these labs apply to every router and switch you will ever configure.
- Hostname, Banner & Password Configuration
  Configure device identity, MOTD banners, console/enable passwords, and `enable secret`. The mandatory first step on any Cisco device before any other configuration.
- Basic Interface Configuration (IP Addressing)
  Assign IP addresses to router interfaces, bring them up with `no shutdown`, and verify reachability with `ping` and `show ip interface brief`.
- Console & VTY Line Configuration
  Secure console and remote access lines. Configure `exec-timeout`, `logging synchronous`, and restrict VTY access with ACLs.
- SSH Configuration & Telnet Hardening
  Enable SSHv2, generate RSA keys, disable Telnet, and verify with `show ip ssh` and `show ssh`.
- Saving & Managing Cisco Configurations
  Understand running-config vs startup-config. Use `copy run start`, back up configs to a TFTP server, and restore after a factory reset.
- IOS Upgrade via TFTP
  Copy a new IOS image from a TFTP server to flash, verify the MD5 checksum, update the boot statement, and reload into the new image using `show version` to confirm.
- ROMMON & Password Recovery
  Recover lost enable passwords by booting into ROMMON mode, modifying the config-register, and bypassing startup-config on Cisco routers and switches.
🔀 Switching & VLANs
Layer 2 switching configuration covering VLANs, trunking, STP, EtherChannel, and port security — core topics for CCNA and real enterprise LANs.
- VLAN Creation and Management
  Create, name, verify, and delete VLANs on Cisco switches using `vlan database` and `show vlan brief`.
- Assigning VLANs to Switch Ports
  Configure access ports, assign them to VLANs, and verify with `show interfaces switchport` and `show vlan`.
- Trunk Port Configuration (802.1Q)
  Configure inter-switch trunk links, set native VLAN, allow specific VLANs, and verify with `show interfaces trunk`.
- Inter-VLAN Routing — Router-on-a-Stick
  Configure subinterfaces on a router to route between VLANs over a single trunk link. Includes full topology, IP addressing, and verification.
- Inter-VLAN Routing — Layer 3 Switch (SVI)
  Create SVIs on a multilayer switch to route between VLANs at wire speed without a dedicated router.
- Voice VLAN Configuration
  Configure a dedicated voice VLAN on an access port for IP phones, allowing both data and voice traffic on the same physical port.
- Private VLANs (PVLAN)
  Configure primary, isolated, and community VLANs to restrict Layer 2 communication between ports in the same VLAN. Common in service provider and DMZ environments.
- Spanning Tree Protocol (STP) — Root Bridge Election
  Influence root bridge election with bridge priority, verify with `show spanning-tree`, and understand port roles (root, designated, alternate).
- RSTP / Rapid Spanning Tree Configuration
  Configure Rapid PVST+ to achieve faster STP convergence than classic 802.1D. Understand edge ports, link types, and verify rapid transitions with `show spanning-tree detail`.
- PortFast & BPDU Guard Configuration
  Enable PortFast on access ports to skip STP convergence, protect with BPDU Guard to prevent rogue switch connections.
- EtherChannel (LACP) Configuration
  Bundle multiple physical links into a single logical channel using LACP (802.3ad). Configure, verify, and troubleshoot with `show etherchannel summary`.
- Port Security & Sticky MAC
  Limit devices per port, configure sticky MAC address learning, set violation modes (shutdown, restrict, protect), and monitor with `show port-security`.
- Storm Control
  Protect the network from broadcast, multicast, and unicast storms by configuring storm control thresholds on switch ports and verify with `show storm-control`.
- MAC Address Table Management
  Explore dynamic vs static MAC entries, configure static MAC bindings, set aging timers, and use `show mac address-table` to map devices to switch ports.
- SPAN & RSPAN — Port Mirroring
  Mirror traffic from one or more source ports to a destination port for packet capture and analysis. Configure local SPAN for same-switch monitoring and RSPAN to forward mirrored traffic across trunk links to a remote switch.
🌎 Routing
Static and dynamic routing configuration. From basic static routes to full OSPF, EIGRP, BGP deployments, route summarization, and VRF-Lite.
- Static Route Configuration
  Configure static routes, default routes, and floating static routes. Verify with `show ip route` and trace traffic paths.
- RIP v2 Configuration
  Configure RIPv2, enable auto-summary, set passive interfaces, and understand its limitations compared to OSPF and EIGRP.
- OSPF Single-Area Configuration
  Configure OSPFv2 in a single area, advertise networks, verify neighbor adjacency with `show ip ospf neighbor`, and check the routing table.
- OSPF Multi-Area Configuration
  Build a multi-area OSPF topology with Area 0 backbone, configure ABRs, and verify LSA types and route summarization.
- EIGRP Configuration
  Configure EIGRP, set router IDs, advertise networks, verify neighbor relationships, and understand the DUAL algorithm and successor/feasible successor.
- BGP Basics — eBGP Between Two Routers
  Configure an external BGP session between two autonomous systems, advertise networks, and verify with `show bgp summary` and `show ip bgp`. Essential for understanding internet routing fundamentals.
- Default Route Redistribution into OSPF
  Inject a default route into OSPF using `default-information originate` and verify that downstream routers receive the 0.0.0.0/0 route.
- Route Summarization & Aggregation
  Reduce routing table size by summarizing contiguous networks into a single advertisement in OSPF and EIGRP. Calculate the correct summary address and verify with `show ip route`.
- Policy-Based Routing (PBR)
  Override the routing table to forward traffic based on source IP, protocol, or port using route maps and `ip policy route-map`. Useful for traffic engineering and multi-ISP scenarios.
- HSRP — First Hop Redundancy
  Configure HSRP between two routers for default gateway redundancy. Set priority, preempt, and verify active/standby roles.
- FHRP Comparison — HSRP vs VRRP vs GLBP
  Compare the three First Hop Redundancy Protocols side by side. Configure VRRP and GLBP, understand load-balancing differences, and verify gateway failover behavior.
- VRF-Lite (Virtual Routing & Forwarding)
  Create multiple isolated routing tables on a single router using VRF-Lite. Assign interfaces to VRFs and verify full isolation between VRF routing domains with `show ip route vrf`.
🔧 IPv6
IPv6 addressing, dynamic address assignment, routing protocols, and security hardening — all the IPv6 skills needed for CCNA and modern enterprise networks.
- IPv6 Basic Configuration
  Enable IPv6 routing, assign global unicast and link-local addresses to interfaces, configure EUI-64, and verify with `show ipv6 interface brief` and `ping ipv6`.
- IPv6 DHCPv6 — Stateful & Stateless (SLAAC)
  Configure stateless address autoconfiguration (SLAAC) and stateful DHCPv6 on a Cisco router. Compare both models and verify client addressing with `show ipv6 dhcp binding`.
- IPv6 Routing — OSPFv3 & EIGRPv6
  Enable IPv6 unicast routing, configure OSPFv3 or EIGRPv6 between routers, and verify neighbor adjacency and the IPv6 routing table with `show ipv6 route`.
- IPv6 Security — RA Guard & DHCPv6 Guard
  Mitigate rogue Router Advertisement and unauthorized DHCPv6 server attacks on IPv6 networks. Configure RA Guard and DHCPv6 Guard policies on switch ports and verify with `show ipv6 nd raguard policy`.
⚙️ IP Services
Essential IP services that support real-world network operation — DHCP, DNS, NAT/PAT, NTP, IP SLA, and GRE tunneling.
- DHCP Server Configuration on a Cisco Router
  Configure a Cisco router as a DHCP server, define pools, exclude addresses, and verify with `show ip dhcp binding` and `show ip dhcp pool`.
- DHCP Relay Agent (ip helper-address)
  Forward DHCP requests across routed network boundaries using `ip helper-address` and verify clients receive addresses from a remote server.
- DNS Client Configuration on Cisco IOS
  Configure a router to resolve hostnames via DNS. Set the name-server IP, enable `ip domain-lookup`, and test with `ping` by hostname.
- NTP Configuration
  Synchronize device clocks with an NTP server, verify with `show ntp status` and `show clock`. Essential for accurate log timestamps.
- Static NAT Configuration
  Map a private internal IP address to a fixed public IP address. Configure inside/outside interfaces and verify with `show ip nat translations`.
- Dynamic NAT & PAT (NAT Overload)
  Configure PAT to allow multiple internal hosts to share a single public IP. Use ACLs to define the inside pool and verify active translations.
- IP SLA Configuration & Object Tracking
  Use IP SLA to continuously probe network reachability and link it to object tracking to automatically adjust static routes or HSRP priority on failure. Verify with `show ip sla statistics`.
- IP SLA with Syslog Alerting
  Combine IP SLA probes with EEM applets to generate automatic syslog alerts when a monitored target becomes unreachable. Useful for proactive WAN link monitoring without a full NMS platform.
- GRE Tunnel Configuration
  Build a Generic Routing Encapsulation tunnel between two routers to carry private traffic across a public network. Configure tunnel source/destination, assign IP addresses, and route traffic through the tunnel.
🔒 Security
Securing Cisco devices and network traffic — ACLs, AAA, 802.1X, IPsec VPN, Zone-Based Firewall, CoPP, and Layer 2 attack mitigation.
- Standard ACL Configuration
  Create numbered and named standard ACLs to filter traffic by source IP. Apply to interfaces and verify with `show ip access-lists`.
- Extended ACL Configuration
  Filter traffic by source, destination, protocol, and port number. Control HTTP, FTP, ICMP, and Telnet traffic with extended ACL rules.
- Login Security — Brute-Force Protection
  Configure `login block-for`, `login delay`, quiet-mode ACL bypass, and login failure logging to harden device access against brute-force attacks.
- AAA with TACACS+ Configuration
  Configure `aaa new-model`, define a TACACS+ server, create method lists, apply to VTY lines, and test with a fallback local account.
- AAA with RADIUS Configuration
  Set up RADIUS-based authentication for network device access. Configure server group, method list, and verify with `debug aaa authentication`.
- 802.1X Port-Based Authentication
  Configure IEEE 802.1X on switch ports to require RADIUS authentication before granting network access. Set authentication host-mode, configure a RADIUS server, and verify supplicant sessions with `show dot1x all`.
- DHCP Snooping & Dynamic ARP Inspection
  Protect against rogue DHCP servers and ARP spoofing attacks on Layer 2. Configure trusted/untrusted ports and verify binding tables.
- Zone-Based Firewall (ZBF) Basics
  Introduce Cisco's Zone-Based Policy Firewall — define zones, configure class maps and policy maps, and apply a zone-pair for stateful inspection.
- Site-to-Site IPsec VPN
  Build an encrypted tunnel between two Cisco routers using IKEv1/IKEv2 and IPsec. Configure ISAKMP policy, transform sets, and crypto maps, then verify with `show crypto isakmp sa` and `show crypto ipsec sa`.
- Control Plane Policing (CoPP)
  Protect the router CPU from denial-of-service attacks by rate-limiting control plane traffic. Define class maps for routing protocols, management traffic, and undesirable packets, and verify with `show policy-map control-plane`.
📡 Wireless
Wireless LAN configuration covering access point setup, WLC management, SSID/VLAN integration, FlexConnect branches, and guest access.
- Configuring a Wireless LAN Controller (WLC) — Getting Started
  Initial WLC setup wizard, management interface, and connecting your first lightweight access point (LAP) via CAPWAP.
- Creating SSIDs and Mapping to VLANs on a WLC
  Create WLANs on a Cisco WLC, assign SSIDs to dynamic interfaces (VLANs), and configure WPA2/WPA3 security policies.
- Autonomous Access Point Configuration
  Configure a standalone (autonomous) Cisco AP via CLI — set SSID, channel, power, and WPA2 pre-shared key.
- FlexConnect AP Configuration
  Configure access points in FlexConnect mode to switch traffic locally at the branch even when the WLC connection is lost. Assign FlexConnect groups and verify local switching with `show ap config general`.
- Guest WLAN with Web Authentication (WebAuth)
  Create a guest WLAN on a Cisco WLC with web-based authentication portal. Isolate guest traffic in a dedicated VLAN, configure a redirect ACL, and validate the captive portal login flow.
- Wireless RF Channel & Power Planning
  Understand channel overlap for 2.4 GHz (channels 1, 6, 11) and 5 GHz bands, configure RRM on a WLC for automatic channel and power assignment, and use the WLC RF dashboard to identify coverage gaps.
📊 Network Management & Monitoring
Monitor, log, and manage your network infrastructure with SNMP, Syslog, NetFlow, CDP/LLDP, IP SLA, and EEM scripting.
- Syslog Configuration
  Forward IOS log messages to a syslog server. Set severity levels, configure timestamps, and verify with `show logging`.
- SNMP v2c & v3 Configuration
  Configure SNMP community strings (v2c) and secure SNMPv3 with authentication and encryption. Set trap destinations and verify with a MIB browser.
- NetFlow Configuration & Traffic Analysis
  Enable NetFlow on router interfaces, export flow records to a collector, and use the data to understand traffic patterns and top talkers.
- CDP & LLDP — Network Discovery
  Use CDP and LLDP to discover neighbors, map topology, and gather device information. Understand when to disable CDP for security.
- EEM — Embedded Event Manager Scripting
  Automate IOS responses to network events using EEM applets. Trigger actions like sending a syslog alert, executing CLI commands, or sending an email when an interface goes down or a threshold is crossed.
🏛 WAN & SD-WAN
Wide area network technologies from classic PPPoE and MPLS fundamentals to modern SD-WAN and DMVPN overlay designs.
- PPPoE Client Configuration
  Configure a Cisco router as a PPPoE client to connect to an ISP. Set up a dialer interface, authenticate with CHAP/PAP, and verify the WAN session with `show pppoe session` and `show ip interface dialer`.
- MPLS Fundamentals
  Understand Label Switched Paths, LDP neighbor establishment, and the role of PE/P/CE routers in an MPLS network. Configure basic MPLS forwarding and verify with `show mpls ldp neighbor` and `show mpls forwarding-table`.
- DMVPN Phase 1, 2 & 3
  Build a Dynamic Multipoint VPN hub-and-spoke overlay using mGRE and NHRP. Progress through Phase 1 (hub routing), Phase 2 (spoke-to-spoke shortcuts), and Phase 3 (summarization with NHRP redirect).
- Cisco SD-WAN (Viptela) Overview
  Introduction to the Cisco SD-WAN architecture — vManage, vSmart, vBond, and vEdge roles. Understand the control and data plane separation, onboard a vEdge router, and apply a basic application-aware routing policy.
🎭 Quality of Service (QoS)
Classify, mark, queue, and prioritize network traffic to guarantee performance for voice, video, and critical applications.
- MQC — Modular QoS CLI Basics
  Learn the three-step Cisco MQC framework: define traffic classes with `class-map`, set actions with `policy-map`, and apply to an interface with `service-policy`. Verify with `show policy-map interface`.
- DSCP Marking & Classification
  Mark traffic at the network edge using DSCP values (EF, AF, CS classes), configure classification based on ACL or NBAR application recognition, and verify markings are preserved across the network.
- Traffic Shaping vs Policing
  Understand the difference between shaping (buffering excess traffic) and policing (dropping or remarking excess traffic). Configure both on a WAN interface and observe the effect on burst traffic.
- LLQ — Low Latency Queuing for Voice
  Configure a priority queue for VoIP traffic using Low Latency Queuing to guarantee bandwidth and minimize jitter. Define the voice class, set the strict priority queue, and verify queue statistics with `show policy-map interface`.
🤖 Network Automation & Programmability
Introduction to network automation — Python scripting, REST APIs, Ansible playbooks, NETCONF, and Jinja2 templates for Cisco environments.
- Python Netmiko — Connect and Run Show Commands
  Use Python and the Netmiko library to SSH into a Cisco device, run `show ip interface brief`, and parse the output automatically.
- Python NAPALM — Multi-Vendor Network Automation
  Use the NAPALM library to retrieve facts, interfaces, and routing tables from Cisco IOS devices in a vendor-neutral way. Compare config states and push configuration changes programmatically.
- Ansible Playbook — Automate IOS Configuration
  Write an Ansible playbook to configure hostnames, VLANs, and interfaces across multiple Cisco devices simultaneously without logging in manually.
- Cisco IOS REST API — RESTCONF Basics
  Use Postman or Python requests to query and configure a Cisco device via RESTCONF. Retrieve interface data in JSON format.
- NETCONF with ncclient (Python)
  Connect to a NETCONF-enabled Cisco IOS-XE device using the Python ncclient library, retrieve configuration in XML format, and push structured config changes using YANG data models.
- Jinja2 Templates for Config Generation
  Build reusable Jinja2 templates to dynamically generate Cisco IOS configurations for routers and switches. Feed in a CSV or YAML variable file to produce consistent, error-free device configs at scale.
🔍 Troubleshooting
Systematic troubleshooting labs using real IOS diagnostic commands. Learn the OSI-layer methodology, not just the fix — each lab presents a broken network for you to diagnose and repair.
- Troubleshooting Layer 1 — Physical Connectivity Issues
  Diagnose cable faults, interface errors, duplex/speed mismatches using `show interfaces`, LED indicators, and cable testers.
- Troubleshooting Layer 2 — VLAN & Trunk Issues
  Fix VLAN mismatch, native VLAN mismatch, and trunk negotiation failures using `show vlan`, `show interfaces trunk`, and `debug dtp`.
- Troubleshooting EtherChannel
  Resolve EtherChannel bundle failures caused by mismatched speed/duplex, VLAN configuration, or LACP/PAgP mode incompatibility. Use `show etherchannel summary` and `show etherchannel detail` to diagnose and fix.
- Troubleshooting Layer 3 — Routing & IP Issues
  Diagnose missing routes, misconfigured static routes, and OSPF neighbor failures using `show ip route`, `ping`, and `traceroute`.
- Troubleshooting OSPF Neighbor Adjacency
  Identify why OSPF neighbors won't form — mismatched hello/dead timers, area IDs, MTU, or network types. Use `show ip ospf neighbor` and `debug ip ospf events`.
- Troubleshooting DHCP — Clients Not Getting Addresses
  Walk through DORA process failures — pool exhaustion, missing helper-address, excluded ranges — with `show ip dhcp binding` and `debug ip dhcp server`.
- Troubleshooting NAT/PAT Issues
  Diagnose common NAT failures — wrong inside/outside interface assignment, missing ACL entries, pool exhaustion, and route issues — using `show ip nat translations`, `show ip nat statistics`, and `debug ip nat`.
- Troubleshooting ACL Misconfigurations
  Identify and fix incorrectly ordered ACL entries, missing permit statements, wrong interface application direction, and implicit deny issues using `show ip access-lists` and `debug ip packet`.
- Troubleshooting Wireless Connectivity
  Systematically diagnose wireless client association failures — SSID mismatch, wrong PSK, VLAN mapping errors, DHCP failures, and RF interference — using WLC event logs and `show wireless client detail`.
- Full End-to-End Network Troubleshooting Scenario
  A multi-fault lab scenario covering Layer 1 through Layer 3 issues. Diagnose and fix multiple simultaneous problems using a structured OSI-layer methodology.
Stay Consistent
Networking mastery comes from consistent lab practice. Even 30 minutes per day can dramatically improve your confidence.
NetsTuts is built to guide you from beginner to professional level.