3.7 Troubleshooting IP Connectivity
Key Takeaways
- Use a structured approach: verify Layer 1 (physical), then Layer 2 (data link), then Layer 3 (network).
- Ping tests Layer 3 reachability; traceroute reveals where along the path packets are lost.
- Common routing issues include missing routes, wrong subnet masks, bad next-hop, and passive interfaces.
- ARP resolution failures break connectivity even when routes are correct.
- Always verify both directions of traffic; a missing return route silently fails a ping.
Troubleshooting is a heavily weighted CCNA 200-301 skill — expect simulation and scenario items that hand you symptoms and command output and ask for the root cause. A disciplined, layered method beats random guessing.
Structured Troubleshooting (Bottom-Up)
Work up the OSI stack so you never chase a Layer 3 problem caused by a Layer 1 fault.
Layer 1 (Physical)
- Cable seated? Link lights on?
- Interface up/up? (
show ip interface brief) - Speed/duplex mismatch or input/CRC errors? (
show interfaces)
Layer 2 (Data Link)
- MAC learned in the switch table? (
show mac address-table) - Port in the right VLAN? (
show vlan brief) - Trunk passing the VLAN? (
show interfaces trunk) - STP not blocking the port? (
show spanning-tree) - ARP resolving? (
show ip arp)
Layer 3 (Network)
- Correct IP and mask? (
show ip interface brief) - Route to the destination present? (
show ip route) - Default gateway reachable? (
ping) - ACL blocking traffic? (
show access-lists) - NAT translating? (
show ip nat translations)
Essential Troubleshooting Commands
| Command | What It Shows |
|---|---|
show ip interface brief | Interface IPs and up/down status (fast scan) |
show interfaces | Errors, speed/duplex, drops |
show ip route | Routing table |
show ip arp | IP-to-MAC mappings |
show mac address-table | Switch MAC table |
show cdp neighbors | Directly attached Cisco devices |
show ip ospf neighbor | OSPF adjacency states |
ping <ip> | Layer 3 reachability test |
traceroute <ip> | Hop-by-hop path discovery |
Interface Status Combinations
The two-word Status / Protocol output is a direct diagnostic clue.
| Status / Protocol | Meaning | Likely Cause |
|---|---|---|
| up / up | Fully operational | Normal |
| up / down | L1 up, L2 protocol down | Encapsulation mismatch, keepalive/clocking issue |
| down / down | Physically down | No cable, bad cable, far end shut |
| administratively down / down | Manually shut | shutdown was entered — needs no shutdown |
Reading Ping and Traceroute Output
ping returns characters that tell you what happened:
| Symbol | Meaning |
|---|---|
! | Reply received (success) |
. | Timeout — no reply in time |
U | Destination Unreachable (no route at some hop) |
Q | Source quench (congestion) |
M | Could not fragment (MTU issue) |
A result like ..!!! means the first packets failed while ARP/route resolution completed, then succeeded — usually normal. All dots with U mixed in points to a missing route. traceroute shows each hop by sending packets with incrementing TTL; the hop where replies stop is where the path breaks.
Common Connectivity Problems and Fixes
| Symptom | Likely Cause | Verify With | Fix |
|---|---|---|---|
| Can't ping default gateway | Wrong IP/mask, interface down | show ip interface brief | Correct IP, no shutdown |
| Can ping gateway, not remote host | Missing route | show ip route | Add static route or fix OSPF |
| Intermittent / slow link | Duplex mismatch | show interfaces (errors) | Match duplex both sides |
| One VLAN works, another doesn't | Trunk not allowing VLAN | show interfaces trunk | Add VLAN to allowed list |
| OSPF neighbor won't form | Timer/area mismatch, passive int | show ip ospf neighbor | Match timers/area, unset passive |
Extended Ping and the Return Path
The extended ping lets you set source, size, and count — essential for testing realistic flows:
Router# ping
Protocol [ip]:
Target IP address: 10.1.1.1
Repeat count [5]: 100
Datagram size [100]: 1500
Extended commands [n]: y
Source address or interface: 192.168.10.1 ! Force a specific source
Setting the source matters because the return traffic must have a route back to that source address. A ping using the egress interface IP can succeed while a ping sourced from a LAN subnet fails — proving the remote side lacks a return route.
On the Exam: Always reason about both directions. If Router A reaches Router B but B has no return route to A's source subnet, the ping fails. Missing return routes are one of the single most common troubleshooting scenarios tested.
Duplex Mismatch: The Silent Performance Killer
A duplex mismatch happens when one side of a link is set to full duplex and the other to half (often from one end hard-coded and the other left on autonegotiation). The link comes up — show ip interface brief reads up/up — so it is easy to overlook, yet throughput collapses under load. The half-duplex side sees the full-duplex side transmitting while it is transmitting and registers collisions and late collisions, while the full-duplex side logs FCS/CRC errors and runts. The tell-tale signature in show interfaces is rising late collisions on one end and CRC errors on the other.
The fix is to make both ends match — ideally both on autonegotiation, or both hard-set identically.
ARP Failures Even When Routing Is Correct
Layer 3 reachability can be perfect and a host still cannot communicate if ARP fails to resolve the next hop's MAC. Check show ip arp: an entry showing Incomplete means the router sent ARP requests but got no reply, usually because the neighbor is down, on a different VLAN, or behind a port-security violation. Because the router cannot build the Layer 2 frame without the destination MAC, packets are dropped despite a valid route. This is why troubleshooting must descend through Layer 2 — a clean routing table is necessary but not sufficient.
Reading traceroute Carefully
traceroute increments TTL by one for each round of probes, so the device that drops a TTL-expired packet reveals each hop. Three asterisks (* * *) at a hop usually mean that router is configured not to send ICMP Time Exceeded (common on firewalls), not necessarily that the path is broken — later hops may still respond. A trace that stops responding entirely at a given hop and never recovers points to the real break just beyond that device. Combine traceroute with show ip route on the last responding hop to confirm whether that router lacks a forward route.
A router interface shows status up/down. What is the most likely cause?
You can ping a host from the router but cannot reach a remote server, and the routing table shows no route to the server's network. What should you do?
Which command gives the fastest summary of all interfaces, their IP addresses, and their up/down status?
During a ping, the output shows '.....' (all periods). What does this most likely indicate?