2.7 Network Access Troubleshooting

Key Takeaways

  • Same-VLAN hosts that fail across switches usually have a VLAN missing from the trunk allowed list; verify with show interfaces trunk.
  • A native VLAN mismatch puts untagged traffic in the wrong VLAN; CDP flags it and show interfaces trunk reveals it.
  • Speed/duplex mismatch produces late collisions, runts, and CRC errors with degraded throughput; check show interfaces.
  • EtherChannel members in (s) suspended state have a config mismatch (speed, duplex, VLAN, trunk, or native VLAN).
  • When a DHCP server is on another subnet, the client VLAN gateway needs ip helper-address pointing at the server.
Last updated: June 2026

A Methodical Layer 2 Approach

Network-access troubleshooting on the CCNA is mostly about reading show output and matching symptoms to causes. Work bottom-up: confirm the physical link (show interfaces status), then VLAN assignment, then trunking, then STP, then upper layers. The single most common test trap is treating a Layer 2 problem (wrong VLAN) as a Layer 3 problem (routing/NAT) — same-VLAN hosts never need a router.

VLAN and Trunk Faults

Use this symptom-to-cause table; it covers the majority of access simlets:

Symptom | Likely cause | Verify with
Host can't reach gateway, others on switch can | Port in wrong access VLAN | show interfaces sw
Same-VLAN hosts on different switches can't talk | VLAN pruned from trunk allowed list | show interfaces trunk
Intermittent wrong-VLAN delivery, CDP warning | Native VLAN mismatch | show interfaces trunk
Trunk won't come up | DTP mismatch (e.g., both auto) | show interfaces sw

For the second row, if VLAN 10 is missing under "VLANs allowed and active," run switchport trunk allowed vlan add 10. For a native VLAN mismatch, align both ends with switchport trunk native vlan 999.
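The two trunk checks from the table can be automated by comparing show interfaces trunk output from both ends of a link. The following is an added example, not part of the original guide: the sample output is constructed and trimmed to two of the tables the command prints, and the function names are hypothetical.

```python
# Constructed, trimmed sample output for both ends of one trunk (not from a real device).
SW_A = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,999
"""
SW_B = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed and active in management domain
Gi0/1       1,20
"""

def expand(vlans):
    """Turn a list such as '1,20-30' (or 'none') into a set of VLAN IDs."""
    out = set()
    for part in vlans.split(","):
        if part != "none":
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunk(text, port):
    """Pull the native VLAN and the allowed-and-active VLAN set for one port."""
    info, section = {}, ""
    for fields in filter(None, map(str.split, text.splitlines())):
        if fields[0] == "Port":            # every table starts with a "Port ..." header
            section = " ".join(fields[1:])
        elif fields[0] == port and section.startswith("Mode"):
            info["native"] = int(fields[-1])
        elif fields[0] == port and section.startswith("Vlans allowed and active"):
            info["active"] = expand(fields[1])
    return info

def check_trunk(a, b, vlan):
    """Return the trunk faults that affect `vlan` between switch A and switch B."""
    faults = []
    if a["native"] != b["native"]:
        faults.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    for name, end in (("A", a), ("B", b)):
        if vlan not in end["active"]:
            faults.append(f"VLAN {vlan} not allowed and active on switch {name}")
    return faults

print(check_trunk(parse_trunk(SW_A, "Gi0/1"), parse_trunk(SW_B, "Gi0/1"), 10))
```
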

Physical-Layer Errors: Duplex and Speed

A duplex mismatch (one side full, one half) is a silent killer: throughput collapses under load and you see late collisions on the half-duplex side plus CRC/FCS errors and runts. Speed mismatch usually drops the link entirely. The fix is to hard-set both ends identically or let both auto-negotiate. Read counters with show interfaces gi0/1 — focus on input errors, CRC, collisions, and late collisions.

Counter | Meaning | Common cause
Late collisions | Collision after 512 bit-times | Duplex mismatch
CRC / FCS errors | Frame checksum failed | Bad cable, duplex mismatch, EMI
Runts | Frame under 64 bytes | Collisions, faulty NIC
Input drops / overruns | Buffer exhausted | Congestion, speed mismatch
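The counter table can be applied mechanically to show interfaces output from each end of a link. This is an added example, not part of the original guide: the two excerpts are constructed, and the function names and the wording of the diagnoses are assumptions.

```python
import re

# Constructed excerpts of `show interfaces` output for the two ends of one link.
HALF_SIDE = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     12 runts, 0 giants, 0 throttles
     40 input errors, 28 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 310 collisions, 1 interface resets
     0 babbles, 57 late collision, 0 deferred
"""
FULL_SIDE = """\
GigabitEthernet0/2 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     95 runts, 0 giants, 0 throttles
     140 input errors, 45 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

def parse_counters(text):
    """Extract the duplex setting and the error counters listed in the table."""
    stats = {"duplex": re.search(r"(Full|Half|Auto)-duplex", text).group(1).lower()}
    pattern = r"(\d+) (runts|CRC|overrun|collisions|late collision)"
    for value, name in re.findall(pattern, text):
        stats[name] = int(value)
    return stats

def diagnose(stats):
    """Map the counters to a likely cause, in the order the table suggests."""
    if stats.get("late collision", 0) > 0:
        return "duplex mismatch (late collisions seen on the half-duplex side)"
    if stats.get("CRC", 0) > 0 or stats.get("runts", 0) > 0:
        return "CRC/runts without late collisions: check cable, EMI, NIC, far-end duplex"
    if stats.get("overrun", 0) > 0:
        return "buffer exhaustion: congestion or speed mismatch"
    return "no physical-layer errors"

for side in (HALF_SIDE, FULL_SIDE):
    print(diagnose(parse_counters(side)))
```
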

Err-Disabled Ports and STP

A port in err-disabled state forwards nothing. Common triggers: BPDU Guard caught a BPDU on a PortFast port, or port security saw a violation. show interfaces status err-disabled and show errdisable recovery reveal the reason. Recover by fixing the cause, then shutdown / no shutdown. If a port that should forward is blocking, check show spanning-tree — STP may have made it an alternate port, or a switch with a lower bridge priority value may have unexpectedly become root.

EtherChannel and DHCP

In show etherchannel summary, a member flagged (s) is suspended due to a configuration mismatch — verify identical speed, duplex, VLAN, native VLAN, and trunk mode across all members. Independent (I) ports mean incompatible negotiation modes (e.g., LACP one side, PAgP the other).

Finally, the cross-subnet DHCP case: a client gets no address because its DHCP DISCOVER is a broadcast that routers do not forward. The fix is ip helper-address on the client VLAN's gateway SVI, pointing to the DHCP server's IP. This turns the broadcast into a unicast relay. Without it, clients on a routed VLAN fall back to a 169.254.x.x APIPA address — a tell-tale sign in any DHCP-relay scenario.

Wireless Access Troubleshooting

Layer 2 access troubleshooting on CCNA now includes basic wireless faults. The most common ones map to clear causes. A client that associates but gets no IP usually means the WLAN's VLAN is not trunked to the WLC or the DHCP scope/relay is missing — the same ip helper-address logic as wired. A client that cannot authenticate points to a wrong pre-shared key or a RADIUS server unreachable on UDP 1812. An AP that never comes online typically cannot reach the WLC: check DHCP, the CAPWAP path on UDP 5246/5247, Option 43/DNS discovery, and a software-version mismatch.

Poor coverage or roaming problems are RF issues (channel overlap, low power) handled by the WLC's RF management.

Reading the Right show Command

Matching the symptom to the correct verification command is half the battle. Keep this map handy:

Question | Command
Is the port up and in the right VLAN? | show interfaces status / switchport
Which VLANs cross this trunk and what is the native VLAN? | show interfaces trunk
Is a port err-disabled and why? | show interfaces status err-disabled; show errdisable recovery
Is STP blocking a port that should forward? | show spanning-tree
Did the EtherChannel bundle correctly? | show etherchannel summary
Are there CRC/late-collision errors? | show interfaces
Does the Layer 3 device know the VLAN subnets? | show ip route; show ip interface brief

Top Troubleshooting Traps

Internalize the patterns examiners reuse. Same-VLAN failure across switches is a trunk allowed-list problem, not routing. Wrong-VLAN delivery of untagged traffic with a CDP warning is a native VLAN mismatch. Late collisions plus CRC errors equal a duplex mismatch. A 169.254 client address equals a missing DHCP relay. An EtherChannel (s) member equals a config mismatch, and an (I) member equals a negotiation-mode mismatch. A port stuck in err-disabled after a host plugs in usually means BPDU Guard or port security fired — fix the cause, then shutdown/no shutdown (or enable errdisable recovery).

Always isolate the layer first: confirm physical and VLAN before blaming routing, because most "network access" faults never leave Layer 2.

Test Your Knowledge

A host in VLAN 10 on Switch A cannot reach a host in VLAN 10 on Switch B, but the trunk between them is up. What should you check first?

Test Your Knowledge

show etherchannel summary lists a member port with status (s). What is the most likely cause?

Test Your Knowledge

Clients on a routed VLAN receive 169.254.x.x addresses instead of DHCP leases, and the DHCP server sits on a different subnet. What is most likely missing?

Test Your Knowledge

A user reports slow throughput, and show interfaces shows rising late collisions and CRC errors on a 100 Mbps link. What is the most probable cause?
