Lab nf-01 - Cisco Modeling Labs Free Quick Start

This is the first lab in the PingLabz CCNA Labs library. There is no networking in it. The goal is to get Cisco Modeling Labs Free installed on your computer, import the PingLabz CCNA Base Topology, boot it, and log in to a router and a switch. Once you have that working, every other lab in the library starts the same way: download the .yaml, import, boot, type along.

The whole thing should take about 30 minutes the first time. Every subsequent lab in the library will take you under 90 seconds to bring up.

What you will learn

• What Cisco Modeling Labs Free is and how it differs from the paid Personal and Enterprise tiers
• How to download, install, and license CML Free on your computer
• How to import a PingLabz lab .yaml file into CML
• How to boot the lab and open a console to a router or switch
• The first set of CLI commands every CCNA lab assumes you can run on both a router and a managed switch

What this lab does NOT cover

• Networking. There is no routing, no addressing, no protocol configuration here. We are setting up the tooling.
• Building topologies from scratch. You will do that in later labs. Here you just import ours.
• The CML Personal or Enterprise editions. Their license tiers and node caps are different. CML Free is what we target across the entire library.

System requirements

CML Free is shipped as an OVA file that runs as a virtual appliance on VMware Workstation, VMware Fusion, VMware ESXi, or a Linux KVM host. You install it once and it lives on your machine until you uninstall it. The VM itself runs a Linux controller that orchestrates the network nodes.

CML Free is capped at 5 nodes per running lab. Unmanaged switches do not count toward the 5. Every PingLabz CCNA lab is sized to fit inside that limit.

Step 1: Create a Cisco account and download CML Free

1. Go to the CML Free landing page on Cisco Learning Network.
2. If you do not already have a Cisco account, create one. It is free.
3. Sign in and click the download link for the current CML Free release. You will get an OVA file (around 5 GB) and a small refplat.iso file for the node images.
4. Save both files somewhere you can find them again. You will not need to download them a second time.

Step 2: Import the OVA into your hypervisor

Open VMware Workstation (or Fusion on Mac, or ESXi if you are running a homelab server) and import the OVA. The defaults are sensible. The one setting you should adjust is the RAM allocation - bump it from 8 GB to 16 GB if you have it, and the controller will boot faster and run more nodes comfortably.

Once the VM is created, attach the refplat.iso as a CD/DVD to the VM. CML reads its node images off this disc the first time it boots. Without it, you will boot to a working controller but with no usable node types.

Power the VM on. The first boot takes a few minutes while the controller initializes. When you see a login prompt on the VM console, the controller is ready.

Step 3: First login to CML

The CML console will print the controller's IP address once it has finished booting. Open that URL in your browser:

https://<cml-controller-ip>/

You will get a self-signed-certificate warning. Click through it. The login page comes up. The default username is admin and the password is whatever you set during OVA import (Cisco's default suggestion is 1234QWer!).

You should land on the CML Workbench. It is empty - no labs yet.

Step 4: Download the PingLabz CCNA Base Topology .yaml

This is the reusable six-node topology that powers most labs in the library: three routers, one host, one managed switch (so you can run real CCNA switch commands), and one unmanaged switch as a spare L2 broadcast domain. Fully configured with the canonical PingLabz IP scheme so labs reinforce each other across the library.

Step 5: Import the topology into CML

1. In the CML Workbench, click the menu icon at the top left and pick Import Lab.
2. Drop the .yaml file you just downloaded into the import dialog (or click and browse to it).
3. Give the lab whatever title you like (the default "PingLabz CCNA Base Topology" is fine). Click Import.
4. The Workbench opens with six nodes on the canvas: R1, R2, R3, SW1, HOST1, SW2. The routers, SW1, and host are unstarted (gray). SW2 is pre-started (it is unmanaged, no boot needed).

Step 6: Start the lab

Click the play icon at the top of the Workbench to start every node. The router and SW1 nodes show a "BOOTING" state for about 60 seconds while IOS XE comes up. Once the icons turn green, the lab is running.

Step 7: Open a console to R1

1. Click the R1 node icon on the canvas.
2. In the right-hand panel, click Console. A serial console opens in a new tab.
3. You will see the boot scroll, then a PingLabz MOTD banner, then a username prompt.
4. Log in with the PingLabz canonical credentials: username pinglabz, password PingLabz!23.
5. Because pinglabz is a privilege-15 user, you land directly in privileged-exec mode (the prompt ends in #) - no enable needed.

Heads up: the .yaml also includes admin and sysadmin users with the password Cisco@123. Those are for PyATS automation tooling - you can ignore them for hands-on lab work. pinglabz / PingLabz!23 is the user you log in as.

Step 8: First commands on R1

These are the show commands you will run at the start of every lab in this library. Run them now and confirm the output matches what you see below. (Your ping times and timestamps will obviously differ.)

R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            10.20.0.1       YES TFTP   up                    up
Ethernet0/1            unassigned      YES unset  administratively down down
Ethernet0/2            unassigned      YES unset  administratively down down
Ethernet0/3            unassigned      YES unset  administratively down down
Loopback0              10.255.0.1      YES TFTP   up                    up

R1#ping 10.20.0.2 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 10.20.0.2, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 2/3/4 ms

R1#ping 10.20.0.10 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 10.20.0.10, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 1/2/3 ms

R1#show version | include Cisco IOS
Cisco IOS Software [IOSXE], Linux Software (X86_64BI_LINUX-ADVENTERPRISEK9-M), Version 17.18.2, RELEASE SOFTWARE (fc3)

The ping to R2 (10.20.0.2) works because R1 and R2 are on the same LAN via SW1. The ping to 10.20.0.10 reaches SW1's management SVI - confirming the switch is L3-reachable. No routing protocol is needed for any of this. This is the connectivity baseline every other lab builds on top of.

The Method column shows TFTP for the configured interfaces - that is how CML pushes the startup config to the node at boot. It is normal and only shows up in CML, not on physical hardware.

Step 9: First commands on SW1 (the managed switch)

Open a console to SW1 the same way you did R1. Log in with the same credentials (pinglabz / PingLabz!23). Then run the L2-side equivalents of the verification commands you just ran on R1:

SW1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  up                    up
Ethernet0/1            unassigned      YES unset  up                    up
Ethernet0/2            unassigned      YES unset  up                    up
Ethernet0/3            unassigned      YES unset  up                    up
Vlan1                  10.20.0.10      YES TFTP   up                    up

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/0, Et0/1, Et0/2, Et0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

SW1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    5254.0064.48d9    DYNAMIC     Et0/2
   1    aabb.cc00.1800    DYNAMIC     Et0/1
   1    aabb.cc00.1a00    DYNAMIC     Et0/0
Total Mac Addresses for this criterion: 3

SW1#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     aabb.cc00.0500
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0500
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    P2p Edge
Et0/1               Desg FWD 100       128.2    P2p Edge
Et0/2               Desg FWD 100       128.3    P2p Edge
Et0/3               Desg FWD 100       128.4    P2p Edge

SW1#show interfaces status

Port         Name               Status       Vlan       Duplex  Speed Type
Et0/0        LAN access port    connected    1            full   auto 10/100/1000BaseTX
Et0/1        LAN access port    connected    1            full   auto 10/100/1000BaseTX
Et0/2        LAN access port    connected    1            full   auto 10/100/1000BaseTX
Et0/3        LAN access port    connected    1            full   auto 10/100/1000BaseTX

One heads-up before you compare: the exact MAC addresses in this output vary with every CML import. iol-xe MAC addresses (the aabb.cc00.xxxx values) are assigned dynamically by the CML server, and HOST1's KVM-style 5254.00xx.xxxx MAC is randomized too. Match the structure and the port mappings, not the digits.

This is what a managed switch actually exposes. show vlan brief tells you which ports belong to which VLAN - all four Ethernet ports sit in VLAN 1 because they are access mode by default. show mac address-table shows the L2 forwarding table: SW1 has learned the MAC addresses of R1 (Et0/0, prefix aabb.cc00 is the iol-xe convention), R2 (Et0/1), and HOST1 (Et0/2, prefix 5254.00 is the KVM-derived alpine convention). show spanning-tree confirms rapid-pvst is running and SW1 has elected itself the root bridge with priority 32769 - all ports are designated forwarding in P2p Edge mode (the result of spanning-tree portfast on the access ports).

Every Pillar 2 lab in this library leans on these commands. You will see them a lot.

Verification: what success looks like

If you can read this output yourself on your R1 and SW1 consoles, you are done with the quick-start:

• R1 boots without errors
• SW1 boots without errors
• You can log in to both with pinglabz / PingLabz!23 and land directly at the # prompt
• On R1, show ip interface brief shows Loopback0 at 10.255.0.1 and Ethernet0/0 at 10.20.0.1, both "up / up"
• On R1, ping 10.20.0.2 and ping 10.20.0.10 both return 3/3 successful
• On SW1, show vlan brief lists VLAN 1 with all four Ethernet ports
• On SW1, show mac address-table shows at least the R1 and R2 MAC addresses

That is the green light for the rest of the library.

Troubleshooting matrix

Beyond CML Free

CML Free is the perfect starting point for these labs, but it is not the only tier Cisco offers. CML Personal lifts the cap to 20 nodes for a one-time fee; CML Enterprise scales further and is licensed per-instance. Most engineers running these labs never need anything beyond Free - all PingLabz CCNA labs are sized to fit. If you find yourself drawn to topology designs with more than 5 routers, the Personal tier is worth considering.

One real-world note: the IOS XE in iol-xe and ioll2-xe runs as a userspace process inside the CML controller, not as a full virtual machine. That keeps boot time fast (60 seconds vs several minutes for a full VM image), and lets you run multiple devices comfortably inside a single laptop's worth of RAM. The behaviour is identical to full virtual IOS XE images for the operations that matter to a CCNA lab. The one caveat: ioll2-xe (the switch) does not expose 802.1X exec commands like show authentication sessions. Our 802.1X lab uses a dedicated reference topology with a different image to work around this.

Related reading on PingLabz

• The PingLabz lab IP scheme - the canonical addressing used across every lab
• CCNA Labs: Network Fundamentals - the cluster this lab opens
• Lab nf-04: IPv4 subnetting with VLSM - the next free lab, takes 45 minutes

Key takeaways

• CML Free is capped at 5 counted nodes per lab. Unmanaged switches do not count. Every PingLabz CCNA lab fits this limit.
• The whole library uses a downloadable .yaml as the lab's starting point. Import once per lab, run.
• The PingLabz IP scheme is consistent across the library so labs reinforce each other.
• R1 and SW1 share the same documented login: pinglabz / PingLabz!23. Privilege-15 user lands straight at the # prompt.
• SW1 is a managed L2 switch with a working CLI - you can show vlan, show mac address-table, show spanning-tree, configure trunks, run port security, all the real CCNA L2 commands.

Up next

Now that the tooling works, the rest of the library is networking. The natural next lab is Lab nf-04: IPv4 subnetting with VLSM - which uses the same topology you just imported.