
Chapter 26 of 27

End-to-End Troubleshooting: Layered Approach Across CCNA Domains

Practice thinking like a network engineer by walking through multi-layer troubleshooting scenarios that tie together switching, routing, and services.


Layered Troubleshooting Mindset

Why a layered approach?

Troubleshooting must be systematic. A layered approach keeps you from skipping obvious issues while chasing complex ones.

Two mental models

Use OSI (Application to Physical) or TCP/IP (Application, Transport, Internet, Network Access) as a structure for your checks.

Practical sequence

Check Physical, then Data Link, then Network, then Transport/Application. This maps to CCNA switching, routing, and services.

Goal of this module

You will learn an end-to-end checklist and apply it to VLAN, routing, and service problems like a working network engineer.

Step 1: Physical and Link Basics

Start at the bottom

Many “advanced” problems are just bad cables, powered-off devices, or disabled interfaces. Always check these first.

Key IOS commands

Use `show ip interface brief`, `show interfaces status`, and `show interfaces` to verify line status, errors, and speed/duplex.

Data Link basics

After the link is up, confirm VLAN assignment and MAC learning with `show mac address-table interface` on the switch.

Typical symptoms

No LEDs or no MAC entries often means wrong VLAN, disabled port, or physical connection issues. Fix these before higher layers.

Step 2: VLANs, Trunks, and STP

Access port basics

Check that host ports are access ports in the correct VLAN and that the VLAN exists: `show vlan brief`, `show interfaces switchport`.

Trunk verification

Use `show interfaces trunk` to confirm trunking mode, native VLAN, and allowed VLANs. Pruned VLANs break inter-switch traffic.

STP definition

Spanning Tree Protocol prevents Layer 2 loops by blocking redundant paths while keeping a loop-free logical topology.

STP symptoms

Blocked or err-disabled ports, intermittent pings, or partial reachability often point to STP or BPDU Guard issues.

Scenario 1: VLAN / Trunk / STP Walkthrough

Scenario setup

Two switches, SW1 and SW2, both with VLAN 10. PC-A on SW1 and PC-B on SW2 should talk to each other in VLAN 10, but they can only reach the gateway.

Layered checks

Physical is fine. VLAN membership looks correct on both switches. The issue must be on the path between SW1 and SW2.

Finding the fault

`show interfaces trunk` on SW1 shows VLANs 1,20,30 allowed. VLAN 10 is missing, so VLAN 10 traffic cannot cross the trunk.

Fix and lesson

Add VLAN 10 to the allowed list, verify, and retest. Result: pings work. Always check trunks whenever inter-switch VLAN traffic fails.
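The trunk check from this scenario can be automated. The following is an added example, not part of the original chapter: it parses a constructed `show interfaces trunk` capture (port `Gi0/1` is an assumption) and lists the trunks that do not carry a given VLAN.

```python
import re

# Constructed sample of `show interfaces trunk` output from SW1 (not a real capture).
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1,20,30

Port        Vlans allowed and active in management domain
Gi0/1       1,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,20,30
"""

def expand_vlans(spec):
    """Turn '1,10-12,30' into {1, 10, 11, 12, 30}; 'none' gives an empty set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk_sections(output):
    """Return {section_title: {port: set_of_vlans}} for the VLAN-list sections."""
    sections, current = {}, None
    for line in output.splitlines():
        m = re.match(r"Port\s+(Vlans .+)", line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
        elif line.startswith("Port"):
            current = None  # Mode/Encapsulation header: its rows hold no VLAN lists
        elif current is not None and len(line.split(None, 1)) == 2:
            port, spec = line.split(None, 1)
            current[port] = expand_vlans(spec)
    return sections

def trunks_missing_vlan(output, vlan):
    """Ports whose 'allowed on trunk' list does not include the VLAN."""
    allowed = parse_trunk_sections(output).get("Vlans allowed on trunk", {})
    return sorted(p for p, vlans in allowed.items() if vlan not in vlans)

if __name__ == "__main__":
    print("Trunks not carrying VLAN 10:", trunks_missing_vlan(SAMPLE, 10))
```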

Step 3: IP Addressing, Default Gateway, and Inter-VLAN Routing

Default gateway role

The default gateway is the router interface IP that hosts use to reach remote networks. It must be in the host’s subnet.

Host checks

Confirm IP, mask, default gateway, and DNS. Mis-typed gateways or wrong masks are very common exam and real-world errors.

Inter-VLAN routing

Each VLAN needs an SVI or subinterface with the correct IP and `no shutdown`. Ensure `ip routing` is enabled on L3 switches.

Ping ladder

Ping self, then gateway, then other VLAN SVIs, then remote hosts. This ladder helps you localize where connectivity breaks.

Step 4: Routing and OSPFv2 Reachability

When to check routing

If hosts in different networks or sites cannot reach each other, verify routing tables and the path between them.

Routing table basics

Use `show ip route` to confirm there is a route to the destination and a valid next-hop. No route means traffic is dropped.

OSPFv2 definition

OSPFv2 is a link-state interior gateway protocol for exchanging IPv4 routes within a single autonomous system.

OSPFv2 checks

Confirm neighbors with `show ip ospf neighbor`, consistent areas, timers, and correct `network` or interface OSPF commands.

Scenario 2: OSPFv2 Misconfiguration

Scenario overview

Two routers, R1 and R2, run OSPFv2. LANs behind each should communicate, but one LAN cannot reach the other.

Routing and neighbors

R1’s routing table lacks 192.168.20.0/24, but OSPF neighbors are `FULL`. So adjacencies work, yet a route is missing.

Finding the mismatch

Checking R2’s interfaces reveals the LAN is actually 192.168.200.0/24. The mental diagram was wrong; OSPF is fine.

Exam twist

Alternatively, the LAN is correct, but the OSPF wildcard mask excludes it. Fix the `network` statement to advertise it.
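The exam twist comes down to bit arithmetic: a `network` statement enables OSPF on an interface only when the interface IP matches the statement's address in every bit where the wildcard is 0. The following is an added example, not part of the original chapter; the interface names, the WAN subnet 10.0.12.0/30 and the host address 192.168.20.1 are assumptions.

```python
import ipaddress

# Constructed R2 configuration lines; only 192.168.20.0/24 comes from the scenario.
BROKEN = ["network 10.0.12.0 0.0.0.3 area 0",
          "network 192.168.20.0 0.0.0.0 area 0"]    # matches only 192.168.20.0 itself
FIXED = ["network 10.0.12.0 0.0.0.3 area 0",
         "network 192.168.20.0 0.0.0.255 area 0"]   # matches 192.168.20.0-255
R2_INTERFACES = {"Gi0/0": "10.0.12.2", "Gi0/1": "192.168.20.1"}

def to_int(addr):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_matches(ip, base, wildcard):
    """True if ip equals base in every bit position where the wildcard bit is 0."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) ^ to_int(base)) & care_bits == 0

def ospf_enabled_interfaces(interfaces, statements):
    """Map each interface to the area of a matching network statement, or None.

    This sketch takes the first listed statement that matches.
    """
    result = {}
    for name, ip in interfaces.items():
        result[name] = None
        for line in statements:
            _, base, wildcard, _, area = line.split()
            if wildcard_matches(ip, base, wildcard):
                result[name] = area
                break
    return result

if __name__ == "__main__":
    print("broken:", ospf_enabled_interfaces(R2_INTERFACES, BROKEN))
    print("fixed: ", ospf_enabled_interfaces(R2_INTERFACES, FIXED))
```

With the broken statement the WAN interface still matches, so the neighbor reaches `FULL` while the LAN interface is never placed into OSPF and its subnet is never advertised.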

Step 5: IP Services – DHCP, DNS, NAT

Key IP services

DHCP assigns IP settings, DNS maps names to IPs, and NAT translates private addresses to public for internet access.

DHCP issues

APIPA addresses or missing IPs suggest DHCP problems. Check server reachability, pools, and `ip helper-address` on SVIs.

DNS issues

If IP pings work but name pings fail, verify DNS server reachability and correct DNS configuration or DHCP options.

NAT issues

For internet failures, check inside/outside interface roles, NAT rules, translation table, and the router’s default route.

Step 6: Security Features – ACLs and Port Security

ACL behavior

ACLs are ordered permit/deny rules. They match top-down, and anything not matched hits an implicit deny at the end.

Finding ACL issues

Use `show ip interface` to see which ACLs are applied to an interface and in which direction, and `show access-lists` to review the entries.
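Top-down matching means entry order can silently defeat an ACL's intent. The following is an added example, not part of the original chapter: it evaluates a constructed standard ACL with first-match and implicit-deny semantics and flags entries that an earlier entry fully covers. The addresses and the name `ACL_10` are assumptions.

```python
import ipaddress

# Constructed standard-ACL entries (action, source, wildcard); not from a real device.
ACL_10 = [
    ("deny",   "10.1.20.0",  "0.0.0.255"),  # whole VLAN 20 subnet (assumed addressing)
    ("permit", "10.1.20.50", "0.0.0.0"),    # intended exception, but never reached
    ("permit", "10.1.30.0",  "0.0.0.255"),
]
MASK32 = 0xFFFFFFFF

def to_int(addr):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def evaluate(acl, src):
    """First match wins. Returns (action, entry_index); implicit deny is ('deny', None)."""
    for i, (action, base, wild) in enumerate(acl):
        if (to_int(src) ^ to_int(base)) & ~to_int(wild) & MASK32 == 0:
            return action, i
    return "deny", None

def shadowed_entries(acl):
    """Indexes of entries fully covered by an earlier entry, so they can never match."""
    hidden = []
    for j, (_, b_base, b_wild) in enumerate(acl):
        for _, a_base, a_wild in acl[:j]:
            a_w, b_w = to_int(a_wild), to_int(b_wild)
            # The earlier entry ignores every bit the later one ignores ...
            covers_bits = (a_w | b_w) == a_w
            # ... and the two agree on every bit the earlier entry checks.
            same_fixed = (to_int(a_base) ^ to_int(b_base)) & ~a_w & MASK32 == 0
            if covers_bits and same_fixed:
                hidden.append(j)
                break
    return hidden

if __name__ == "__main__":
    for src in ("10.1.20.50", "10.1.30.7", "10.1.40.1"):
        print(src, evaluate(ACL_10, src))
    print("shadowed entry indexes:", shadowed_entries(ACL_10))
```

Moving the host permit above the subnet deny removes the shadowing; the source 10.1.40.1 is dropped by the implicit deny in either order.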

Port security symptoms

A port in `err-disabled` or a host losing connectivity after a move often points to port security violations.

Port security fixes

Check `show port-security interface`, clear violations or sticky MACs, and bounce the port with shutdown/no shutdown.

Quiz 1: Layer 2 and Inter-VLAN Troubleshooting

Test your understanding of VLAN, trunks, and inter-VLAN routing.

A host in VLAN 30 on Switch A cannot reach a host in the same VLAN 30 on Switch B. Both access ports are correctly assigned to VLAN 30, and IP settings are correct. Which is the MOST likely cause?

  A. The default gateway on both hosts is incorrect.
  B. VLAN 30 is not allowed on the trunk between Switch A and Switch B.
  C. Spanning Tree Protocol is disabled globally on both switches.
  D. The OSPFv2 process IDs on the two switches do not match.

Answer: B) VLAN 30 is not allowed on the trunk between Switch A and Switch B.

If hosts in the same VLAN on different switches cannot communicate, and access ports and IPs are correct, the trunk is a prime suspect. If VLAN 30 is not allowed on the trunk, traffic for VLAN 30 cannot cross between switches. Default gateway and OSPFv2 are not required for same-VLAN traffic, and STP being disabled would more likely cause loops, not just isolation of a single VLAN.

Quiz 2: Routing, OSPFv2, and Services

Check your understanding of routing, OSPFv2, and IP services troubleshooting.

Users in a branch LAN can ping their default gateway and remote branch networks over an OSPFv2-based WAN, but they cannot access any websites by hostname. Pinging 8.8.8.8 works. What is the MOST likely root cause?

  A. NAT is not configured on the branch router.
  B. The OSPFv2 process is not advertising the default route.
  C. DNS server settings on clients are incorrect or unreachable.
  D. An inbound ACL on the LAN interface is blocking HTTP traffic.

Answer: C) DNS server settings on clients are incorrect or unreachable.

If users can ping internet IPs (like 8.8.8.8) but cannot resolve hostnames, routing and NAT are likely working. The problem is almost certainly DNS: the DNS server IP is wrong, unreachable, or not configured on the clients. OSPFv2 default route issues or ACLs would typically also break IP pings to the internet, not just name resolution.

Thought Exercise: Build Your Own Troubleshooting Runbook

Apply what you have learned by designing a personal troubleshooting checklist you can use in labs and on the exam.

Imagine a ticket: "Users on VLAN 20 in Building A cannot reach a web application hosted in Building B. Other VLANs are fine."

Without running commands yet, outline your step-by-step plan, from Physical up to Application. Use this prompt to think it through:

  1. Physical / Link
     • What will you check on the access ports for VLAN 20 in Building A?
     • How will you verify the uplinks between switches?
  2. VLAN / Trunk / STP
     • How do you confirm VLAN 20 exists and is active on all relevant switches?
     • Which commands show you if VLAN 20 is allowed on trunks and not blocked by STP?
  3. IP / Inter-VLAN routing
     • How will you verify hosts’ IP, mask, and default gateway on VLAN 20?
     • What will you check on the Layer 3 device (SVIs, `ip routing`, routes)?
  4. Routing / OSPFv2
     • How will you confirm that the network containing the web server is reachable from the VLAN 20 gateway?
     • Which OSPFv2 commands will you use to verify neighbors and routes?
  5. Services (DNS, DHCP, NAT)
     • How will you test whether the issue is name resolution vs raw IP connectivity?
     • What DHCP or DNS checks make sense for this scenario?
  6. Security (ACLs, port security)
     • Where might ACLs block VLAN 20 but not other VLANs?
     • Could port security be affecting only some users?

Write your checklist in your notes as a numbered list. In later labs and mock exams, follow your own runbook before improvising. This habit is what separates guesswork from professional troubleshooting.

Key Term Flashcards

Flip through these cards to reinforce essential troubleshooting-related terms.

VLAN
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Spanning Tree Protocol (STP)
Spanning Tree Protocol (STP) is a Layer 2 protocol that prevents loops in a bridged network by placing redundant paths into a blocking state while maintaining a loop-free logical topology.
default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
OSPFv2
Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
DHCP
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients.
DNS
The Domain Name System (DNS) is a distributed database that maps human-readable hostnames to IP addresses and other resource records.
NAT
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
ACL
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
First three troubleshooting layers to check
1) Physical (cables, power, link), 2) Data Link (VLANs, trunks, STP, MAC learning), 3) Network (IP addressing, default gateway, routing).
Command: show interfaces trunk
Displays interfaces configured as trunks, their encapsulation, native VLAN, and list of allowed VLANs. Essential for diagnosing inter-switch VLAN issues.

Key Terms

OSI model
A seven-layer reference model for networking: Application, Presentation, Session, Transport, Network, Data Link, Physical.
TCP/IP model
A four-layer model used on the internet: Application, Transport, Internet, Network Access.
Port security
A switch feature that limits and identifies the MAC addresses allowed on a port and can take actions (protect, restrict, shutdown) on violations.
