This is the first lab in the PingLabz CCNA Labs library. There is no networking in it. The goal is to get Cisco Modeling Labs Free installed on your computer, import the PingLabz CCNA Base Topology, boot it, and log in to a router and a switch. Once you have that working, every other lab in the library starts the same way: download the .yaml, import, boot, type along.
The whole thing should take about 30 minutes the first time. Every subsequent lab in the library will take you under 90 seconds to bring up.
What you will learn
- What Cisco Modeling Labs Free is and how it differs from the paid Personal and Enterprise tiers
- How to download, install, and license CML Free on your computer
- How to import a PingLabz lab .yaml file into CML
- How to boot the lab and open a console to a router or switch
- The first set of CLI commands every CCNA lab assumes you can run on both a router and a managed switch
What this lab does NOT cover
- Networking. There is no routing, no addressing, no protocol configuration here. We are setting up the tooling.
- Building topologies from scratch. You will do that in later labs. Here you just import ours.
- The CML Personal or Enterprise editions. Their license tiers and node caps are different. CML Free is what we target across the entire library.
System requirements
CML Free is shipped as an OVA file that runs as a virtual appliance on VMware Workstation, VMware Fusion, VMware ESXi, or a Linux KVM host. You install it once and it lives on your machine until you uninstall it. The VM itself runs a Linux controller that orchestrates the network nodes.
| Resource | Minimum | Recommended for the labs library |
|---|---|---|
| CPU | 4 cores with VT-x or AMD-V | 6+ cores |
| RAM | 8 GB allocated to CML | 16 GB allocated to CML |
| Disk | 20 GB free | 50 GB free (room for multiple labs) |
| Hypervisor | VMware Workstation Pro / Fusion / ESXi, or Linux KVM | Same |
| Browser | Modern Chrome, Firefox, Safari, or Edge | Same |
CML Free is capped at 5 nodes per running lab. Unmanaged switches do not count toward the 5. Every PingLabz CCNA lab is sized to fit inside that limit.
Step 1: Create a Cisco account and download CML Free
- Go to the CML Free landing page on Cisco Learning Network.
- If you do not already have a Cisco account, create one. It is free.
- Sign in and click the download link for the current CML Free release. You will get an OVA file (around 5 GB) and a small refplat.iso file for the node images.
- Save both files somewhere you can find them again. You will not need to download them a second time.
Step 2: Import the OVA into your hypervisor
Open VMware Workstation (or Fusion on Mac, or ESXi if you are running a homelab server) and import the OVA. The defaults are sensible. The one setting you should adjust is the RAM allocation - bump it from 8 GB to 16 GB if you have it, and the controller will boot faster and run more nodes comfortably.
Once the VM is created, attach the refplat.iso as a CD/DVD to the VM. CML reads its node images off this disc the first time it boots. Without it, you will boot to a working controller but with no usable node types.
Power the VM on. The first boot takes a few minutes while the controller initializes. When you see a login prompt on the VM console, the controller is ready.
Step 3: First login to CML
The CML console will print the controller's IP address once it has finished booting. Open that URL in your browser:
https://<cml-controller-ip>/You will get a self-signed-certificate warning. Click through it. The login page comes up. The default username is admin and the password is whatever you set during OVA import (Cisco's default suggestion is 1234QWer!).
You should land on the CML Workbench. It is empty - no labs yet.
Step 4: Download the PingLabz CCNA Base Topology .yaml
This is the reusable six-node topology that powers most labs in the library: three routers, one host, one managed switch (so you can run real CCNA switch commands), and one unmanaged switch as a spare L2 broadcast domain. Fully configured with the canonical PingLabz IP scheme so labs reinforce each other across the library.
| Node | Type | Role |
|---|---|---|
| R1 | iol-xe (router) | LAN gateway and primary loopback router |
| R2 | iol-xe (router) | Transit router (LAN side and P2P to R3) |
| R3 | iol-xe (router) | Remote router across the point-to-point link |
| SW1 | ioll2-xe (managed L2 switch) | LAN broadcast domain plus a management SVI at 10.20.0.10 |
| HOST1 | alpine (Linux host) | LAN client (assigned an IP per-lab) |
| SW2 | unmanaged switch | Spare LAN broadcast domain for dual-LAN labs (does not count toward the CML Free 5-node cap) |
Download the CCNA Base Topology .yaml
Drop this into CML's Import dialog. The reader needs no networking configuration to bring it up - the routers and SW1 come pre-configured with hostnames, IP addressing, and a vty user.
Step 5: Import the topology into CML
- In the CML Workbench, click the menu icon at the top left and pick Import Lab.
- Drop the .yaml file you just downloaded into the import dialog (or click and browse to it).
- Give the lab whatever title you like (the default "PingLabz CCNA Base Topology" is fine). Click Import.
- The Workbench opens with six nodes on the canvas: R1, R2, R3, SW1, HOST1, SW2. The routers, SW1, and host are unstarted (gray). SW2 is pre-started (it is unmanaged, no boot needed).
Step 6: Start the lab
Click the play icon at the top of the Workbench to start every node. The router and SW1 nodes show a "BOOTING" state for about 60 seconds while IOS XE comes up. Once the icons turn green, the lab is running.
Step 7: Open a console to R1
- Click the R1 node icon on the canvas.
- In the right-hand panel, click Console. A serial console opens in a new tab.
- You will see the boot scroll, then a PingLabz MOTD banner, then a username prompt.
- Log in with the PingLabz canonical credentials: username
pinglabz, passwordPingLabz!23. - Because
pinglabzis a privilege-15 user, you land directly in privileged-exec mode (the prompt ends in#) - noenableneeded.
Heads up: the .yaml also includes admin and sysadmin users with the password Cisco@123. Those are for PyATS automation tooling - you can ignore them for hands-on lab work. pinglabz / PingLabz!23 is the user you log in as.
Step 8: First commands on R1
These are the show commands you will run at the start of every lab in this library. Run them now and confirm the output matches what you see below. (Your ping times and timestamps will obviously differ.)
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.20.0.1 YES TFTP up up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Loopback0 10.255.0.1 YES TFTP up up
R1#ping 10.20.0.2 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 10.20.0.2, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 2/3/4 ms
R1#ping 10.20.0.10 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 10.20.0.10, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 1/2/3 ms
R1#show version | include Cisco IOS
Cisco IOS Software [IOSXE], Linux Software (X86_64BI_LINUX-ADVENTERPRISEK9-M), Version 17.16.1a, RELEASE SOFTWARE (fc1)The ping to R2 (10.20.0.2) works because R1 and R2 are on the same LAN via SW1. The ping to 10.20.0.10 reaches SW1's management SVI - confirming the switch is L3-reachable. No routing protocol is needed for any of this. This is the connectivity baseline every other lab builds on top of.
The Method column shows TFTP for the configured interfaces - that is how CML pushes the startup config to the node at boot. It is normal and only shows up in CML, not on physical hardware.
Step 9: First commands on SW1 (the managed switch)
Open a console to SW1 the same way you did R1. Log in with the same credentials (pinglabz / PingLabz!23). Then run the L2-side equivalents of the verification commands you just ran on R1:
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset up up
Vlan1 10.20.0.10 YES TFTP up up
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et0/2, Et0/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
SW1#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 5254.007a.b1c6 DYNAMIC Et0/2
1 aabb.cc00.2f00 DYNAMIC Et0/1
1 aabb.cc00.3100 DYNAMIC Et0/0
Total Mac Addresses for this criterion: 3
SW1#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address aabb.cc00.2e00
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.2e00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p Edge
Et0/1 Desg FWD 100 128.2 P2p Edge
Et0/2 Desg FWD 100 128.3 P2p Edge
Et0/3 Desg FWD 100 128.4 P2p Edge
SW1#show interfaces status
Port Name Status Vlan Duplex Speed Type
Et0/0 LAN access port connected 1 full auto 10/100/1000BaseTX
Et0/1 LAN access port connected 1 full auto 10/100/1000BaseTX
Et0/2 LAN access port connected 1 full auto 10/100/1000BaseTX
Et0/3 LAN access port connected 1 full auto 10/100/1000BaseTXThis is what a managed switch actually exposes. show vlan brief tells you which ports belong to which VLAN - all four Ethernet ports sit in VLAN 1 because they are access mode by default. show mac address-table shows the L2 forwarding table: SW1 has learned the MAC addresses of R1 (Et0/0, prefix aabb.cc00 is the iol-xe convention), R2 (Et0/1), and HOST1 (Et0/2, prefix 5254.00 is the KVM-derived alpine convention). show spanning-tree confirms rapid-pvst is running and SW1 has elected itself the root bridge with priority 32769 - all ports are designated forwarding in P2p Edge mode (the result of spanning-tree portfast on the access ports).
Every Pillar 2 lab in this library leans on these commands. You will see them a lot.
Verification: what success looks like
If you can read this output yourself on your R1 and SW1 consoles, you are done with the quick-start:
- R1 boots without errors
- SW1 boots without errors
- You can log in to both with
pinglabz / PingLabz!23and land directly at the#prompt - On R1,
show ip interface briefshows Loopback0 at 10.255.0.1 and Ethernet0/0 at 10.20.0.1, both "up / up" - On R1,
ping 10.20.0.2andping 10.20.0.10both return 3/3 successful - On SW1,
show vlan brieflists VLAN 1 with all four Ethernet ports - On SW1,
show mac address-tableshows at least the R1 and R2 MAC addresses
That is the green light for the rest of the library.
Troubleshooting matrix
| Symptom | Likely cause | Confirm with | Fix |
|---|---|---|---|
| OVA import says "no node images available" | refplat.iso not mounted to the CML VM | VM settings -> CD/DVD | Mount the refplat.iso, restart the CML VM |
| CML boots but cannot start nodes | Not enough RAM allocated to the VM | CML Workbench -> system status | Power off CML VM, raise RAM to 16 GB, power on |
| R1 boots but the console shows garbled text | Wrong terminal type, common with some browsers | Open the console in another browser | Try Chrome or Firefox; clear browser cache |
| Login prompt rejects pinglabz / PingLabz!23 | You are typing the password in console-disabled state, or caps-lock is on | Watch for "% Login invalid" message | Verify caps-lock; the password is case-sensitive |
| ping 10.20.0.2 fails with all dots | R2 has not finished booting yet | Check R2 console for the login prompt | Wait 30 more seconds, retry the ping |
| SW1 MAC address table is empty | R1 and R2 have not generated any traffic yet | Run a ping between them, then re-check | Ping 10.20.0.2 from R1, then "show mac address-table" on SW1 |
| First ping packet of every test shows as "." | ARP resolution for the destination - the first packet is dropped while ARP completes | Subsequent pings show all "!" | Expected behavior; not a fault. Run the ping a second time for a clean 3/3. |
| Lab shows "License: 6 nodes" warning when starting | You added an extra node by accident | Look at the node count in the Workbench header | Remove the extra node; CML Free is hard-capped at 5 counted nodes (unmanaged switches do not count) |
Beyond CML Free
CML Free is the perfect starting point for these labs, but it is not the only tier Cisco offers. CML Personal lifts the cap to 20 nodes for a one-time fee; CML Enterprise scales further and is licensed per-instance. Most engineers running these labs never need anything beyond Free - all PingLabz CCNA labs are sized to fit. If you find yourself drawn to topology designs with more than 5 routers, the Personal tier is worth considering.
One real-world note: the IOS XE in iol-xe and ioll2-xe runs as a userspace process inside the CML controller, not as a full virtual machine. That keeps boot time fast (60 seconds vs several minutes for a full VM image), and lets you run multiple devices comfortably inside a single laptop's worth of RAM. The behaviour is identical to full virtual IOS XE images for the operations that matter to a CCNA lab. The one caveat: ioll2-xe (the switch) does not expose 802.1X exec commands like show authentication sessions. Our 802.1X lab uses a dedicated reference topology with a different image to work around this.
Related reading on PingLabz
- The PingLabz lab IP scheme - the canonical addressing used across every lab
- CCNA Labs: Network Fundamentals - the cluster this lab opens
- Lab nf-04: IPv4 subnetting with VLSM - the next free lab, takes 45 minutes
Key takeaways
- CML Free is capped at 5 counted nodes per lab. Unmanaged switches do not count. Every PingLabz CCNA lab fits this limit.
- The whole library uses a downloadable .yaml as the lab's starting point. Import once per lab, run.
- The PingLabz IP scheme is consistent across the library so labs reinforce each other.
- R1 and SW1 share the same documented login:
pinglabz / PingLabz!23. Privilege-15 user lands straight at the#prompt. - SW1 is a managed L2 switch with a working CLI - you can
show vlan,show mac address-table,show spanning-tree, configure trunks, run port security, all the real CCNA L2 commands.
Up next
Now that the tooling works, the rest of the library is networking. The natural next lab is Lab nf-04: IPv4 subnetting with VLSM - which uses the same topology you just imported.
