The PingLabz CCNA Labs - Security Fundamentals pillar closes out the CCNA 200-301 blueprint. Ten labs covering device hardening, traffic filtering, L2 attack defense, secure remote access, centralized authentication, port-based authentication, and an overview of the two big "concept-only" topics (IPsec site-to-site and wireless WPA security). This pillar is where you move from "the network works" to "the network is locked down."
One lab (sec-02, Standard ACL) is free preview. Eight labs use the PingLabz CCNA Base Topology; two are concept-only with no CML lab needed (sec-09 IPsec and sec-10 Wireless security). The pillar emphasizes modern hardening patterns: scrypt-hashed enable secrets, SSH version 2 only, AAA with local fallback, DHCP snooping + Dynamic ARP Inspection at the access layer.
What this pillar covers
Security Fundamentals is the discipline-of-defense pillar. Every other pillar in the labs library is about making something work; this pillar is about making sure unauthorized actors cannot make it work for them. The CCNA security domain is intentionally broad - covering device-level access control (passwords, SSH), traffic filtering (ACLs), L2 attack defense (port security, DHCP snooping, ARP inspection), centralized authentication (AAA), and the protocols that secure remote access and wireless (IPsec, WPA2/WPA3).
The labs in this pillar pair production-realistic configuration with the modern hardening rationale. You will configure scrypt-hashed (type 9) enable secrets rather than the older type-5 MD5 hashes or reversible type-7 passwords, 2048-bit RSA SSH keys rather than the legacy 512/768-bit sizes, AAA that tries TACACS+ first and falls back to local accounts only when the server is unreachable, and DHCP snooping + DAI together (the L2 attack-defense pair).
What you will learn across this cluster
- Modern password hardening: scrypt secrets, per-user accounts, console + vty discipline
- Standard ACLs (numbered) and extended ACLs (named) with wildcard mask math
- Port security with sticky MAC learning and violation modes
- DHCP snooping + Dynamic ARP Inspection - the L2 attack-defense pair
- SSH v2 configuration with 2048-bit RSA keys and the cipher-suite expectations
- AAA new-model with named method lists and local fallback
- 802.1X port-based authentication on the switch (authenticator) side
- IPsec site-to-site concepts: IKE phases, ESP vs AH, tunnel vs transport, GRE-over-IPsec
- Wireless security generations: WEP, WPA, WPA2, WPA3, OWE, and the SAE improvement
Lab categories in this pillar
Device hardening (2 labs)
Device-level access control. Lab sec-01: Line and Enable Passwords configures scrypt-hashed enable secret, per-user privilege-15 accounts, console + vty hardening with login local. Lab sec-06: SSH and Disable Telnet generates RSA keys, configures SSH version 2 with modern ciphers, and restricts vty to SSH only.
Traffic filtering with ACLs (2 labs)
How a router decides which packets to forward and which to drop. Lab sec-02: Standard ACL (Numbered) (the free preview lab) configures a classic numbered standard ACL with deny-by-host, permit-by-subnet, and explicit deny + log. Lab sec-03: Extended ACL (Named) moves to the modern named extended ACL with TCP/UDP/ICMP matching, port keywords, and the established trick.
L2 attack defense (2 labs)
Protecting the access layer from rogue devices and ARP poisoning. Lab sec-04: Port Security and MAC Pinning configures port security with sticky MAC learning and the three violation modes. Lab sec-05: DHCP Snooping and Dynamic ARP Inspection covers the trusted/untrusted port model and how DAI uses the snooping binding table to validate ARP.
Centralized authentication (1 lab)
The AAA framework that lets a network device defer to a central RADIUS or TACACS+ server. Lab sec-07: AAA New-Model with Local Fallback walks through aaa new-model, named method lists, and the canonical "TACACS+ first, local fallback" pattern.
Port-based authentication (1 lab)
802.1X - the IEEE standard for authenticating devices at the access port. Lab sec-08: 802.1X Port-Based Authentication configures the switch as authenticator with port-control auto and dot1x pae authenticator. (The supplicant and RADIUS server sides are out of CML Free scope.)
Concept-only labs (2 labs)
Topics that need more infrastructure than CML Free supports - covered conceptually with configuration templates. Lab sec-09: IPsec Site-to-Site Overview covers IKE Phase 1 + Phase 2, ESP/AH, tunnel/transport modes, and the GRE-over-IPsec pattern. Lab sec-10: Wireless Security WPA2 vs WPA3 compares the two generations with focus on SAE, forward secrecy, and the WPA3 improvements over WPA2, whose PSK 4-way handshake is exposed to offline dictionary attacks on a captured handshake and was the target of the KRACK key-reinstallation attacks.
The full lab library, in reading order
| # | Lab | What it teaches | Tier |
|---|---|---|---|
| sec-01 | Line and Enable Passwords | scrypt secret, per-user accounts, login local, exec-timeout | Pro |
| sec-02 | Standard ACL (Numbered) | Wildcard masks, top-down evaluation, implicit deny | Free |
| sec-03 | Extended ACL (Named) | TCP/UDP/ICMP matching, port keywords, established trick | Pro |
| sec-04 | Port Security and MAC Pinning | Three violation modes, sticky MAC learning | Pro |
| sec-05 | DHCP Snooping and DAI | Trusted/untrusted ports, binding table, ARP validation | Pro |
| sec-06 | SSH and Disable Telnet | RSA 2048, SSHv2 ciphers, transport input ssh on vty | Pro |
| sec-07 | AAA with Local Fallback | aaa new-model, named method lists, group + local pattern | Pro |
| sec-08 | 802.1X Port-Based Authentication | Authenticator config, port-control modes, EAP flow | Pro |
| sec-09 | IPsec Site-to-Site Overview | IKE Phase 1/2, ESP, GRE-over-IPsec, IKEv2/FlexVPN (concept) | Pro |
| sec-10 | Wireless Security WPA2 vs WPA3 | SAE, forward secrecy, Personal vs Enterprise, OWE (concept) | Pro |
What you will need
- Cisco Modeling Labs Free. All hands-on labs run on the Base Topology.
- PingLabz CCNA Base Topology .yaml. Used by sec-01 through sec-08. Same .yaml as Pillars 1, 3, and 4.
- No .yaml needed for sec-09 and sec-10. Concept-only labs with configuration templates and comparison tables.
- 30 to 60 minutes per lab. Concept labs are 20-30 minutes of reading.
How these labs map to CCNA 200-301
Security Fundamentals is Domain 5 of the official Cisco CCNA 200-301 exam blueprint, worth 15%.
| Blueprint sub-domain | Labs that cover it |
|---|---|
| 5.1 Key security concepts (threats, vulnerabilities, exploits, mitigation) | sec-09 (concept review) |
| 5.2 Security program elements (user awareness, training, physical access control) | Concept-level - not lab content |
| 5.3 Device access control using local passwords | sec-01, sec-06, sec-07 |
| 5.4 Security password policy elements (management, complexity, alternatives) | sec-01 (concept-level) |
| 5.5 IPsec remote-access and site-to-site VPN concepts | sec-09 |
| 5.6 Access control lists (standard + extended) | sec-02, sec-03 |
| 5.7 Layer 2 security features (DHCP snooping, DAI, port security) | sec-04, sec-05 |
| 5.8 AAA concepts (authentication, authorization, accounting) | sec-07, sec-08 |
| 5.9 Wireless security protocols (WPA, WPA2, WPA3) | sec-10 |
| 5.10 WLAN configuration in the WLC GUI using WPA2 PSK | sec-10 (concept-level; no WLC in CML Free) |
Frequently asked questions
Why scrypt enable secrets instead of just the standard enable secret?
The secret type matters. enable secret with no algorithm specified produces a type 5 (MD5) hash on many IOS releases, and the older enable password (with service password-encryption) stores a type 7 string, which is reversible Vigenere obfuscation rather than a hash; type 5 is fast to crack offline and type 7 decodes instantly. enable algorithm-type scrypt secret forces type 9 (scrypt), a memory-hard function that makes offline guessing slow. Modern hardening guides all specify scrypt explicitly (type 8, PBKDF2-SHA256, is the other acceptable choice). Lab sec-01 shows the syntax.
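As an added example (not part of the PingLabz labs or their configuration templates), the Python below audits the text of a running-config for the patterns this pillar teaches: weak secret types, vty lines that still accept Telnet, a missing ip ssh version 2, and AAA login lists that name a server group without ending in local. The two sample configs, hostnames and hash strings are constructed; the secret type numbers (0 plaintext, 4 unsalted SHA-256, 5 MD5, 7 reversible, 8 PBKDF2-SHA256, 9 scrypt) are IOS's own.

```python
"""Audit a Cisco IOS running-config for the hardening patterns in this pillar.

Added example, not lab content: a regex-based checker over the text of
'show running-config'. The sample configs below are constructed.
"""
import re
from typing import List

# Constructed sample: a device with several weak settings mixed in.
WEAK_CONFIG = """\
hostname R1
enable secret 5 $1$abcd$0123456789abcdefghijklm
enable password 7 094F471A1A0A
username admin privilege 15 secret 9 $9$xyz$abc
username ops privilege 15 secret 5 $1$qwer$zxcv
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
"""

# Constructed sample of the same device after applying the sec-01/06/07 patterns.
HARDENED_CONFIG = """\
hostname R1
enable secret 9 $9$abc$def
username admin privilege 15 secret 9 $9$xyz$abc
aaa new-model
aaa authentication login default group tacacs+ local
ip ssh version 2
line con 0
 login authentication default
 exec-timeout 5 0
line vty 0 4
 login authentication default
 transport input ssh
 exec-timeout 10 0
"""

SECRET_TYPE_NAMES = {"0": "plaintext", "4": "unsalted SHA-256 (deprecated)",
                     "5": "MD5", "7": "reversible Vigenere obfuscation",
                     "8": "PBKDF2-SHA256", "9": "scrypt"}
STRONG_SECRET_TYPES = {"8", "9"}

SECRET_LINE = re.compile(
    r"^(enable secret|enable password|username \S+(?: privilege \d+)? (?:secret|password)) (\d) ")
AAA_LOGIN = re.compile(r"^aaa authentication login (\S+) (.+)$")


def audit_config(config: str) -> List[str]:
    """Return findings (empty list = pass). Each finding names the offending line."""
    findings = []
    lines = config.splitlines()

    # 1. Secret types. 'enable password' is flagged whatever its type: even when an
    #    'enable secret' overrides it, the reversible string still ships in backups.
    for ln in lines:
        m = SECRET_LINE.match(ln)
        if m and m.group(2) not in STRONG_SECRET_TYPES:
            name = SECRET_TYPE_NAMES.get(m.group(2), "unknown")
            findings.append(f"weak secret type {m.group(2)} ({name}): {m.group(1)}")

    # 2. vty lines must carry exactly 'transport input ssh'. Each vty section is
    #    tracked so one with no transport statement is flagged as well.
    vty_transport = {}
    section = None
    for ln in lines:
        if not ln.startswith(" "):
            section = ln.strip()
            if section.startswith("line vty"):
                vty_transport[section] = None
            continue
        if section in vty_transport and ln.strip().startswith("transport input"):
            vty_transport[section] = ln.split()[2:]
    for sec, transports in vty_transport.items():
        if transports != ["ssh"]:
            findings.append(f"{sec}: transport input {' '.join(transports or ['<unset>'])} "
                            "(should be 'transport input ssh')")

    # 3. SSHv2 pinned explicitly.
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 missing")

    # 4. AAA: a login list that names a server group must end in 'local' so the
    #    device stays reachable when every TACACS+/RADIUS server is down.
    for ln in lines:
        m = AAA_LOGIN.match(ln)
        if m:
            methods = m.group(2).split()
            if "group" in methods and methods[-1] != "local":
                findings.append(f"aaa login list {m.group(1)} has no local fallback: {m.group(2)}")
    return findings


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print("FAIL", f)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

Run it against a saved running-config and every finding maps to one lab: secret types to sec-01, the vty and SSH checks to sec-06, the AAA fallback check to sec-07. The checker only reads text, so it cannot confirm the RSA modulus (the key itself is not in the running-config); verify that with show crypto key mypubkey rsa on the device.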
Are standard ACLs still useful?
Mostly only for specific cases: route-map prefix-matching, redistribution filtering, distribute-lists. For data-plane traffic filtering on a router, extended ACLs cover everything standard ACLs do and more. But standard ACLs are on the exam and the concepts (top-down evaluation, implicit deny, wildcard masks) apply to all ACL types. Lab sec-02 is the free preview because it is the cleanest way to teach ACL basics.
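The three ACL rules named above (wildcard mask math, top-down first match, implicit deny) and the sec-03 established trick, as an added example that is not part of the PingLabz labs. The addresses, the numbered ACL 10 and the named ACL INBOUND are constructed to mirror the lab descriptions; the evaluator is this example's own model of IOS behaviour, not IOS code.

```python
"""Cisco-style ACL evaluation: wildcard masks, top-down first match, implicit deny.

Added example, not part of the PingLabz labs. ACL 10 mirrors the sec-02 pattern
(deny one host, permit its subnet, explicit deny + log); the named extended ACL
mirrors the sec-03 'established' trick. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword 'any' expands to this pair


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask: /24 -> 0.0.0.255, /26 -> 0.0.0.63."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must equal the base; wildcard 1 bits are don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                         # 'permit' or 'deny'
    src: Tuple[str, str] = ANY          # (address, wildcard)
    dst: Tuple[str, str] = ANY
    proto: str = "ip"                   # 'ip' matches everything; else tcp/udp/icmp
    dport: Optional[int] = None         # 'eq <port>' on the destination
    established: bool = False           # match only TCP segments with ACK or RST set
    log: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins: (action, entry index). Index None = implicit deny any."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return e.action, i
    return "deny", None


# access-list 10 deny host 192.168.10.50 / permit 192.168.10.0 0.0.0.255 / deny any log
ACL_10 = [
    Entry("deny", src=("192.168.10.50", "0.0.0.0")),
    Entry("permit", src=("192.168.10.0", wildcard_from_prefix(24))),
    Entry("deny", log=True),
]

# ip access-list extended INBOUND (applied inbound on the WAN side of 10.0.0.0/24):
#   permit tcp any 10.0.0.0 0.0.0.255 established   <- replies to inside-initiated sessions
#   permit udp host 8.8.8.8 10.0.0.0 0.0.0.255      <- answers from the resolver
#   (implicit deny any)
ACL_INBOUND = [
    Entry("permit", proto="tcp", dst=("10.0.0.0", "0.0.0.255"), established=True),
    Entry("permit", proto="udp", src=("8.8.8.8", "0.0.0.0"), dst=("10.0.0.0", "0.0.0.255")),
]

if __name__ == "__main__":
    print(evaluate(ACL_10, Packet("192.168.10.50", "10.0.0.1")))      # ('deny', 0)
    print(evaluate(ACL_10, Packet("192.168.20.7", "10.0.0.1")))       # ('deny', 2)
    syn = Packet("203.0.113.5", "10.0.0.9", "tcp", 22, frozenset({"SYN"}))
    print(evaluate(ACL_INBOUND, syn))                                  # ('deny', None)
```

The established entry is what makes the inbound list usable: an inbound SYN to port 22 never matches it (no ACK/RST), falls through the UDP entry, and hits the implicit deny, while the ACK-bearing replies to an inside client's connection are permitted. It is a flag check, not state tracking, which is why the same lab notes it is a trick rather than a firewall.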
What is the difference between port security and 802.1X?
Port security pins MAC addresses to specific ports (or limits how many MACs per port). It is a "trust by MAC" model - if your MAC is on the list, you can use the port. 802.1X authenticates the device or user via RADIUS before opening the port. It is a "trust by credential" model - you prove who you are, and the port opens. Port security is the cheap-and-easy baseline; 802.1X is the right answer for real environments with identity management. Many enterprises use both: 802.1X primary, port security fallback. Labs sec-04 and sec-08 cover them separately.
Why are DHCP snooping and DAI taught together?
Because DAI depends on the DHCP snooping binding table. When DHCP snooping is enabled, the switch watches DHCP exchanges on untrusted ports and records each lease as a binding of MAC address, IP address, VLAN, port, and lease time. DAI then checks ARP packets arriving on untrusted ports against that table - an ARP whose sender MAC/IP pair has no matching binding is dropped (ARP on trusted ports is not inspected, so uplinks must be marked trusted). Together the two features block rogue DHCP servers, DHCP starvation (via DHCP snooping's per-port rate limit), and ARP poisoning. Lab sec-05 configures both.
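The DAI decision just described, as an added example that is not part of the PingLabz labs. The binding table, port names and ARP frames are constructed. The checks modelled are the ones the answer above describes (trusted ports bypass inspection; on untrusted ports the sender MAC/IP pair must have a binding in that VLAN) plus the optional src-mac validation that ip arp inspection validate src-mac turns on; the match_port option is this example's own stricter extension, not a check the page attributes to DAI, so confirm on your platform before relying on it.

```python
"""Dynamic ARP Inspection decision logic against a DHCP snooping binding table.

Added example, not lab content. Bindings, ports and frames are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of 'show ip dhcp snooping binding' (lease time omitted)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpFrame:
    ingress_port: str
    vlan: int
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    eth_src_mac: str  # Ethernet header source MAC


# Uplink toward the DHCP server / distribution layer: 'ip arp inspection trust'
TRUSTED_PORTS: Set[str] = {"GigabitEthernet0/1"}

# Constructed bindings; in real life DHCP snooping populates this, never an operator
BINDINGS: List[Binding] = [
    Binding("00:11:22:33:44:55", "192.168.10.11", 10, "GigabitEthernet0/2"),
    Binding("00:11:22:33:44:66", "192.168.10.12", 10, "GigabitEthernet0/3"),
]


def dai_verdict(frame: ArpFrame, bindings: List[Binding], trusted: Set[str],
                validate_src_mac: bool = True, match_port: bool = False) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) in the order DAI applies its checks.

    match_port is this example's extension (pin a binding to the port it was
    learned on); it is an assumption, not documented DAI behaviour."""
    if frame.ingress_port in trusted:
        return "forward", "trusted port: not inspected"
    if validate_src_mac and frame.eth_src_mac != frame.sender_mac:
        return "drop", "validate src-mac: Ethernet source != ARP sender MAC"
    for b in bindings:
        if (b.vlan, b.mac, b.ip) == (frame.vlan, frame.sender_mac, frame.sender_ip):
            if match_port and b.port != frame.ingress_port:
                return "drop", f"binding learned on {b.port}, frame arrived on {frame.ingress_port}"
            return "forward", "sender MAC/IP matches a snooping binding"
    return "drop", f"no binding for {frame.sender_mac} {frame.sender_ip} in VLAN {frame.vlan}"


# Constructed frames: a legitimate host, a gateway impersonation, a spoofed
# Ethernet source, a host impersonating a neighbour from another port, and
# an ARP arriving on the trusted uplink.
LEGIT = ArpFrame("GigabitEthernet0/2", 10, "00:11:22:33:44:55", "192.168.10.11", "00:11:22:33:44:55")
GATEWAY_SPOOF = ArpFrame("GigabitEthernet0/4", 10, "de:ad:be:ef:00:01", "192.168.10.1", "de:ad:be:ef:00:01")
SRC_MISMATCH = ArpFrame("GigabitEthernet0/3", 10, "00:11:22:33:44:66", "192.168.10.12", "de:ad:be:ef:00:02")
NEIGHBOUR_SPOOF = ArpFrame("GigabitEthernet0/4", 10, "00:11:22:33:44:55", "192.168.10.11", "00:11:22:33:44:55")
FROM_UPLINK = ArpFrame("GigabitEthernet0/1", 10, "00:aa:bb:cc:dd:ee", "192.168.10.1", "00:aa:bb:cc:dd:ee")

if __name__ == "__main__":
    for name, f in [("legit", LEGIT), ("gateway spoof", GATEWAY_SPOOF),
                    ("src mismatch", SRC_MISMATCH), ("neighbour spoof", NEIGHBOUR_SPOOF),
                    ("from uplink", FROM_UPLINK)]:
        print(f"{name:15} -> {dai_verdict(f, BINDINGS, TRUSTED_PORTS)}")
```

The gateway-spoof frame is the textbook ARP poisoning attempt and is dropped because no lease ever bound 192.168.10.1 to the attacker's MAC. The neighbour-spoof frame shows the limit of the binding check alone: the MAC/IP pair is a valid one, so with the default checks it forwards; stopping a rogue host that copies a neighbour's MAC and IP is the job of port security (sec-04) or, if the platform enforces it, a port-aware binding match.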
Why are IPsec and wireless WPA labs concept-only?
Both require infrastructure beyond what CML Free can run. A full site-to-site IPsec lab needs two peer routers, a transit network between them, and a host on each side to generate traffic, and a realistic one also uses certificate-based IKE, which adds a CA and needs synchronized clocks across the peers (certificate validity checks fail on clock skew; pre-shared-key IKE is not itself clock-sensitive) - more nodes than the five-node cap leaves room for. A real wireless lab needs a WLC (Catalyst 9800-CL or similar - 8GB+ image), at least one access point image, and a wireless client - also well past the five-node cap. We cover both topics conceptually with configuration templates so you can recognize the syntax and grasp the architecture for the exam. For hands-on, you need CML Personal or real hardware.
What is the right order to work through this pillar?
Numerical order works fine. The labs are independent enough that you could shuffle, but the natural progression is: passwords (sec-01) -> ACLs (sec-02, sec-03) -> L2 defense (sec-04, sec-05) -> SSH (sec-06) -> AAA (sec-07) -> 802.1X (sec-08) -> concepts (sec-09, sec-10). That progression goes from device hardening outward to network filtering to access-layer defense to centralized identity.
Key takeaways
- Security Fundamentals is the access-control + filtering + hardening pillar.
- Ten labs covering passwords, ACLs, port security, DHCP snooping + DAI, SSH, AAA, 802.1X, and concept overviews for IPsec and wireless WPA.
- One lab (sec-02 Standard ACL) is free preview.
- Eight labs use the Base Topology; two are concept-only.
- The pillar consistently uses modern hardening patterns: scrypt secrets, SSHv2 with 2048-bit RSA, AAA with local fallback, SNMPv3 (covered in Pillar 4), DHCP snooping + DAI as a pair.
Ready to start?
Start with Lab sec-01: Line and Enable Passwords. From there work in numerical order through the cluster.
When you finish Security Fundamentals, you have completed the entire 60-lab PingLabz CCNA Labs library across all five pillars. From here you are ready to sit the CCNA 200-301 exam with hands-on confidence. The natural next step is the CCNP track or any specialization (Security, DevNet, Service Provider) - PingLabz cluster pillars on OSPF, BGP, MPLS, SD-WAN, 802.1X, and Cisco ASA are the bridges.