The PingLabz CCNA Labs - Network Access pillar is the Layer 2 switching tier of the labs library. Fourteen labs that cover VLANs, 802.1Q trunks, spanning tree, EtherChannel, port security, neighbor discovery, and inter-VLAN routing - the campus LAN features that every enterprise still runs at scale. This pillar is where you learn to configure a switch like a network engineer, not just memorize the commands for an exam.
This pillar maps to Domain 2 of the CCNA 200-301 blueprint (20% of the exam). The labs use the dedicated PingLabz STP and VLAN Reference Lab - three IOSvL2 switches in a triangle with VLANs 10/20/99, dot1q trunks, rapid-PVST root election, and an LACP EtherChannel - for ten of the fourteen labs. The other four use the PingLabz CCNA Base Topology. One lab (na-03, VLANs + trunks + VTP) is free preview.
What this pillar covers
Network Access is about the switched LAN: how a switch learns MAC addresses, how VLANs segment broadcast domains, how trunks carry multiple VLANs across a single physical link, how spanning tree prevents loops while preserving redundancy, and how EtherChannel bonds multiple links into one for both bandwidth and resilience. Every modern campus network is built on these primitives, and they are still the most-asked-about topics in a CCNA-level interview.
Beyond the protocol mechanics, this pillar teaches the hardening discipline: PortFast and BPDU Guard on access ports, Root Guard on uplinks, port security to constrain MAC counts, DHCP snooping and Dynamic ARP Inspection to defeat common L2 attacks. By the end of the pillar you will configure a campus access switch the way a security-conscious enterprise actually configures one in 2026.
What you will learn across this cluster
- How a switch builds its CAM (MAC address) table dynamically and how to read it
- How to create VLANs and assign access ports
- How to configure 802.1Q trunks with native VLAN hardening
- VTP basics and why transparent mode is the modern best practice
- DTP modes and how to harden trunks against VLAN-hopping attacks
- Voice VLAN - the special access port that carries two VLANs at once
- LACP and PAgP EtherChannel - active-active link bundling
- Rapid-PVST root election, port roles, and convergence
- PortFast, BPDU Guard, and Root Guard - the access-port hardening triad
- CDP and LLDP - neighbor discovery for inventory and topology mapping
- Inter-VLAN routing two ways: router-on-a-stick and SVI on an L3 switch
- Wireless architecture: WLC, lightweight APs, CAPWAP, split-MAC
Lab categories in this pillar
L2 switching fundamentals (2 labs)
Two labs that build the foundation: how a switch actually works at the L2 forwarding level. Lab na-01: Switching Fundamentals and the CAM Table teaches you to read the MAC address table, watch entries populate as traffic flows, and configure static entries. Lab na-02: VLANs and Access Ports introduces VLAN segmentation and access-port configuration on a single switch.
VLANs, trunks, and trunk discipline (3 labs)
Multi-switch VLANs require trunks, and modern enterprises configure trunks with discipline. Lab na-03: VLANs, Trunks, and VTP (the free preview lab) covers 802.1Q trunking with native VLAN 99 hardening and VTP transparent mode - the production default. Lab na-04: DTP and Static Trunking examines the Dynamic Trunking Protocol and the reasons every production environment should disable it on access ports. Lab na-05: Voice VLAN on Access Ports shows how a single port can carry two VLANs - data untagged and voice tagged - for IP phone deployments.
Link aggregation (2 labs)
EtherChannel bundles multiple links into one for both bandwidth and redundancy. Lab na-06: LACP Active EtherChannel walks through the modern open-standard protocol with mode-matrix reference and bundle health verification. Lab na-07: PAgP vs LACP compares Cisco's proprietary PAgP to LACP with a side-by-side configuration demo.
Spanning tree (3 labs)
STP prevents L2 loops while preserving redundant paths. The modern variant is Rapid-PVST. Lab na-08: Configure Rapid-PVST walks through root election, priority manipulation, port roles, and the four port states. Lab na-09: PortFast and BPDU Guard covers the two access-port hardening features that work alongside Rapid-PVST. Lab na-10: Root Guard protects uplinks against unauthorized root claims from rogue switches.
Neighbor discovery (1 lab)
How devices announce themselves to neighbors and how inventory tools collect that data. Lab na-11: CDP vs LLDP enables both protocols on Cisco gear, reads the neighbor tables, and walks through the comparison: Cisco-proprietary CDP versus the IEEE open-standard LLDP.
Inter-VLAN routing (2 labs)
How a router moves traffic between VLANs - two architectures, two trade-offs. Lab na-12: Router-on-a-Stick Inter-VLAN Routing covers the classic design: a router with 802.1Q subinterfaces and a switch trunk carrying all VLANs to it. Lab na-13: SVI on L3 Switch covers the modern design: a multilayer switch with virtual interfaces (SVIs) per VLAN routing in hardware.
Wireless (1 lab, concept-only)
Lab na-14: Wireless Architecture Overview walks through the modern enterprise wireless architecture: Wireless LAN Controller (Catalyst 9800), lightweight access points, CAPWAP tunneling, split-MAC functions. This lab is concept-only because a full WLC deployment requires more nodes than CML Free supports.
The full lab library, in reading order
| # | Lab | What it teaches | Tier |
|---|---|---|---|
| na-01 | Switching Fundamentals + CAM Table | How a switch learns MACs, dynamic vs static entries | Pro |
| na-02 | VLANs and Access Ports | Create VLANs, assign access ports, read show vlan | Pro |
| na-03 | VLANs, Trunks, and VTP | 802.1Q trunks, native VLAN hardening, VTP transparent | Free |
| na-04 | DTP and Static Trunking | DTP modes, switchport nonegotiate, VLAN-hop defense | Pro |
| na-05 | Voice VLAN on Access Ports | Data + voice VLAN on one access port, CDP signaling | Pro |
| na-06 | LACP Active EtherChannel | LACP mode matrix, bundle verification, flag reading | Pro |
| na-07 | PAgP vs LACP | Side-by-side protocol comparison and when to use each | Pro |
| na-08 | Configure Rapid-PVST | Root election, port roles, priority manipulation | Pro |
| na-09 | PortFast and BPDU Guard | Access-port hardening pair, err-disable recovery | Pro |
| na-10 | Root Guard | Defend uplinks from rogue root claims | Pro |
| na-11 | CDP vs LLDP | Neighbor discovery, inventory automation | Pro |
| na-12 | Router-on-a-Stick | dot1Q subinterfaces, classic inter-VLAN routing | Pro |
| na-13 | SVI on L3 Switch | ip routing, VLAN interfaces, no-switchport routed port | Pro |
| na-14 | Wireless Architecture Overview | WLC + lightweight AP + CAPWAP + split-MAC (concept) | Pro |
What you will need
- Cisco Modeling Labs Free. Same 5-node cap as the other pillars.
- PingLabz STP and VLAN Reference Lab .yaml. Three IOSvL2 switches in a triangle. Used by labs na-01 through na-10. Linked in each of those lab posts.
- PingLabz CCNA Base Topology .yaml. Used by labs na-11 (CDP/LLDP), na-12 (router-on-a-stick), and na-13 (SVI on L3 switch).
- 30 to 90 minutes per lab. The STP labs (na-08-10) lean longer; the wireless concept lab (na-14) is more reading than configuration.
How these labs map to CCNA 200-301
Network Access is Domain 2 of the official Cisco CCNA 200-301 exam blueprint, worth 20% of the exam.
| Blueprint sub-domain | Labs that cover it |
|---|---|
| 2.1 VLANs (data and voice) | na-02, na-03, na-05 |
| 2.2 Interswitch connectivity | na-03, na-04 |
| 2.3 Layer 2 discovery protocols (CDP, LLDP) | na-11 |
| 2.4 EtherChannel (Layer 2) | na-06, na-07 |
| 2.5 Spanning Tree (Rapid-PVST+) | na-08, na-09, na-10 |
| 2.6 Wireless architectures, AP modes | na-14 |
| 2.7 Wireless WLAN configuration | na-14 (concept-level) |
| Inter-VLAN routing (some blueprints place this in 3.0) | na-12, na-13 |
Frequently asked questions
Should I learn router-on-a-stick or skip to SVI on L3 switch?
Learn both. Router-on-a-stick is on the CCNA exam and the concepts (trunk + dot1Q + subinterface) transfer to every other tunneling technology. SVI on L3 switch is what you will actually configure in production. The two labs together give you the conceptual understanding plus the modern best practice.
Is VTP server/client mode worth learning?
For the CCNA exam, yes - you need to recognize the configuration and the failure modes (a wiped server can wipe every client's VLAN database). For production, no - every modern enterprise uses VTP transparent mode and configures VLANs locally per switch. Lab na-03 covers both with appropriate weighting.
What is the difference between LACP and PAgP?
LACP is the IEEE open standard (802.3ad). PAgP is Cisco-proprietary. Both negotiate EtherChannel between two switches. LACP works between vendors; PAgP works only between Cisco. Modern best practice is LACP everywhere. Older networks may have PAgP on Cisco-only segments; migration to LACP is straightforward but requires a maintenance window. Lab na-07 compares them side by side.
Why is Rapid-PVST the default instead of standard RSTP or MST?
Rapid-PVST = Rapid Spanning Tree per VLAN. It is the Cisco default because per-VLAN topology decisions are more flexible than running a single instance for all VLANs (standard RSTP) and less complex to operate than MST (Multiple Spanning Tree). For CCNA-level networks (typically <100 VLANs), Rapid-PVST scales fine. For very large networks, MST is the right answer but it is CCNP territory.
Why do you recommend disabling DTP on access ports?
DTP can negotiate a port from access mode to trunk mode if the device on the other end says "let's trunk." That is a VLAN-hopping attack surface: an attacker with access to a single port could potentially access every VLAN trunked on the switch. The hardening pattern (covered in na-04) is switchport mode access + switchport nonegotiate on every user-facing port. Two commands; zero attack surface.
How is the STP + VLAN Reference Lab different from the Base Topology?
The Base Topology has one managed switch and two unmanaged switches - enough for router-side work and basic L2 inspection. The STP + VLAN Reference Lab has three IOSvL2 switches in a triangle - the right topology for multi-switch STP demonstrations, EtherChannel, and root election. Both .yamls are free downloads linked in the respective lab posts.
Key takeaways
- Network Access is the Layer 2 switching pillar - VLANs, trunks, STP, EtherChannel, port security, neighbor discovery, inter-VLAN routing.
- Fourteen labs total. One (na-03 VLANs+Trunks+VTP) is free preview.
- Ten labs use the PingLabz STP and VLAN Reference Lab; four use the Base Topology.
- The pillar emphasizes production-realistic hardening: native VLAN 99, switchport nonegotiate, PortFast + BPDU Guard everywhere on access, Root Guard on uplinks.
- Wireless is covered conceptually only - full WLC labs are too large for CML Free.
Ready to start?
Start with Lab na-01: Switching Fundamentals and the CAM Table. From there work through the cluster in order.
When you finish Network Access, move to Pillar 3: IP Connectivity - static routing, OSPF, EIGRP, and the FHRP trilogy (HSRP, VRRP, GLBP) - the routing protocols that move traffic between subnets at scale.