Imagine you're a network engineer and two hosts on the same VLAN can't ping each other. You might suspect a cable issue, a misconfigured IP address, or a firewall rule—but which one is it? This chapter builds a systematic troubleshooting methodology for no IP connectivity between hosts, covering Layer 1 through Layer 3. Mastering this is critical for the CCNA 200-301 exam (Objective 1.6: Troubleshoot no IP connectivity between hosts) and for real-world network problem resolution.
Think of sending a letter from your home to a neighbor's house. You write the address (source/destination IP), put it in an envelope (frame), and drop it in your mailbox (NIC). The postal carrier picks it up and checks the street name (VLAN) to ensure it's the right neighborhood. If the street name is wrong (wrong VLAN assignment), the letter goes to the wrong neighborhood and never arrives. Next, the carrier checks the house number (MAC address). If the house number is unknown, the carrier asks the neighborhood directory (ARP) to find it. If the directory is missing or corrupted (ARP cache issue), the letter can't be delivered. The carrier then walks the letter to the correct house (switching based on MAC table). If the sidewalk is broken (bad cable or port), the carrier stumbles and the letter is lost. If the house has a screen door that's locked (access control list or firewall), the letter is returned or discarded. Finally, if the house number is correct but the street name is actually a different city (wrong subnet), the letter gets sent to a different postal hub (router) and may never reach the neighbor. This analogy mirrors the OSI model: Layer 1 (cable/wireless), Layer 2 (switching, VLANs, ARP), and Layer 3 (IP addressing, routing). Troubleshooting requires checking each layer systematically.
What is 'No IP Connectivity Between Hosts'?
This is a broad troubleshooting scenario where two devices configured with IP addresses cannot communicate. The problem can exist at any layer: physical (cable, port), data link (VLAN mismatch, MAC table issue, duplex mismatch), or network (IP address/subnet mask misconfiguration, missing default gateway, ARP failure, ACL blocking). The CCNA exam expects you to isolate the layer using a systematic approach.
Step-by-Step Packet Flow
When Host A (10.1.1.1/24) tries to ping Host B (10.1.1.2/24):
Host A checks if destination IP is on the same subnet by comparing its own IP and mask with destination. Since both are /24 and same network, Host A determines it's local.
Host A needs the MAC address of Host B. It checks its ARP cache. If not present, it sends an ARP request (broadcast, destination MAC FFFF.FFFF.FFFF) with target IP 10.1.1.2.
The switch receives the broadcast and floods it out all ports in the same VLAN (unless it has the destination MAC in its MAC table). Host B receives the ARP request and sends an ARP reply (unicast) with its MAC.
Host A now has the MAC and sends an ICMP echo request (ping) encapsulated in an Ethernet frame with destination MAC = Host B's MAC.
The switch looks up the destination MAC in its MAC address table. If found, it forwards the frame out the corresponding port. If not, it floods the frame.
Host B receives the frame, processes the ICMP echo request, and sends an echo reply back to Host A using the same process.
Any break in this chain results in no connectivity.
Key Verification Commands
#### On the Host (Windows/Linux)
`ipconfig /all` (Windows)
`ifconfig` (Linux)
Check IP address, subnet mask, default gateway.
`arp -a` (Windows)
`arp -n` (Linux)
View ARP cache. Look for incomplete entries.
#### On the Switch
`show interfaces status`
`show interfaces [interface] switchport`
`show mac address-table`
`show vlan brief`
`show spanning-tree`
#### On the Router (if inter-VLAN)
`show ip interface brief`
`show ip route`
`show access-lists`
Common Failure Points
Layer 1: Bad cable, wrong cable type (straight-through vs crossover), port is shutdown, duplex mismatch (causes collisions and CRC errors).
Layer 2: VLAN mismatch – switch port configured in wrong VLAN, or access port vs trunk mismatch. MAC address table not learning (sticky MAC or port security). STP blocking port (listening/learning state).
Layer 3: Wrong IP address/subnet mask – hosts on different subnets think they are on the same subnet. Missing or wrong default gateway. ARP cache stale or poisoned. ACL blocking ICMP.
Interaction with Spanning Tree Protocol (STP)
STP can cause temporary or permanent connectivity loss if a port is in blocking state. Use `show spanning-tree` to see port states. A port in blocking state will not forward frames, causing no connectivity even if everything else is correct.
Step 1: Verify Physical Connectivity
Check link lights on both hosts and switch. Use `show interfaces status` on the switch to see if the port is up/up. If the port is down/down, suspect bad cable, wrong cable type, or device powered off. If the port is up/down (line protocol down), check for duplex mismatch or keepalive issues. Use `show interfaces [interface]` to see input/output errors, CRC errors, and collisions. High CRC errors often indicate a bad cable or duplex mismatch. For wireless, ensure both hosts are on the same SSID and have valid IP addresses from DHCP.
Step 2: Verify VLAN Configuration on Switch
Use `show vlan brief` to confirm the VLAN exists and the switch port is assigned to the correct VLAN. Use `show interfaces [interface] switchport` to see the operational mode (access or trunk) and access VLAN. Common misconfigurations: port in wrong VLAN, port is trunking when it should be access, or allowed VLAN list on trunk does not include the needed VLAN. If hosts are on different VLANs, they require a router (or Layer 3 switch) to communicate.
Step 3: Verify IP Addressing and Subnet Masks
On each host, run `ipconfig /all` (Windows) or `ifconfig` (Linux). Ensure they are in the same subnet. For example, if Host A has IP 10.1.1.1/24 and Host B has IP 10.1.1.2/24, they are on the same subnet. If Host B has IP 10.1.2.2/24, they are on different subnets and need a router. Also check that the default gateway is set correctly if communicating off-subnet. A common mistake is a typo in the IP address or subnet mask (e.g., /25 instead of /24).
Step 4: Check ARP Resolution
From Host A, ping Host B's IP. Then run `arp -a` to see if Host B's MAC address appears. If the entry is incomplete or missing, ARP failed. Possible causes: Host B is down, Host B has a firewall blocking ARP (unlikely but possible), or the switch is not forwarding the ARP broadcast due to VLAN ACL (VACL) or storm control. Also check the switch MAC address table with `show mac address-table | include [Host B MAC]` to see if the switch learned Host B's MAC. If not, the switch may not be receiving frames from Host B.
Step 5: Test with Ping and Traceroute
From Host A, ping 127.0.0.1 to verify TCP/IP stack is working. Then ping its own IP address to ensure NIC and ARP are functioning. Then ping Host B's IP. If that fails, try pinging the switch's management IP (if in same VLAN) to isolate the problem. Use `tracert` (Windows) or `traceroute` (Linux) to see where packets stop. If the first hop is the default gateway and it fails, the problem is likely at Layer 3 (routing, ACL) or the gateway itself.
Step 6: Check Switch MAC Table and STP
On the switch, use `show mac address-table` to see if both hosts' MAC addresses are learned on the correct ports. If a MAC appears on the wrong port, there may be a loop or incorrect cabling. Use `show spanning-tree` to ensure the ports are in forwarding state. If a port is in blocking (BLK) or listening (LIS) state, STP is preventing forwarding. This can happen if there is a redundant link and the port is the alternate port. Also check for port security violations with `show port-security interface [interface]`.
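The subnet comparison from Step 3 and the ARP check from Step 4, combined into one triage function (an added example, not part of the original chapter). The function names, the gateway addresses and the `arp -n` sample are constructed for illustration; it also covers the case where only one host's mask is wrong.

```python
import ipaddress

# Constructed sample of Linux `arp -n` output on Host A (not from the chapter).
ARP_N = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.2                         (incomplete)                              eth0
10.1.1.254               ether   00:11:22:33:44:55   C                     eth0
"""

def parse_arp(text):
    """Map IP -> MAC, or None when the entry is (incomplete)."""
    cache = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        cache[fields[0]] = None if "(incomplete)" in fields else fields[2]
    return cache

def arp_target(src_if, dst_ip, gateway=None):
    """IP the sender must ARP for: the peer if on-link, else its gateway."""
    iface = ipaddress.ip_interface(src_if)
    if ipaddress.ip_address(dst_ip) in iface.network:
        return dst_ip
    return gateway                               # None: no way off-subnet

def diagnose(a_if, b_if, a_gw, b_gw, a_arp):
    """Classify the likely layer from both hosts' addressing and A's ARP cache."""
    a, b = ipaddress.ip_interface(a_if), ipaddress.ip_interface(b_if)
    fwd = arp_target(a_if, str(b.ip), a_gw)      # what A resolves to reach B
    rev = arp_target(b_if, str(a.ip), b_gw)      # what B resolves to reply
    if fwd is None or rev is None:
        return "L3: off-subnet destination and no default gateway"
    if (fwd == str(b.ip)) != (rev == str(a.ip)):
        return "L3: mask mismatch, only one host treats the other as local"
    if fwd != str(b.ip):
        return "L3: different subnets, check gateway, routing, ACLs"
    if fwd not in a_arp:
        return "no ARP attempt recorded, ping first"
    if a_arp[fwd] is None:
        return "L1/L2: ARP incomplete, check cable, VLAN, STP, MAC table"
    return "ARP resolved, check host firewall or ACL blocking ICMP"

if __name__ == "__main__":
    print(diagnose("10.1.1.1/24", "10.1.1.2/24", None, None, parse_arp(ARP_N)))
```
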
In an enterprise network, 'no IP connectivity' is the most common ticket a network engineer handles. Consider a scenario where a new employee plugs their laptop into an office jack and cannot access the internet. The engineer first checks the switch port status. If the port is up, they check the VLAN configuration. Often, the port is in the wrong VLAN (e.g., voice VLAN instead of data VLAN) because the previous user had a VoIP phone. The engineer uses `show interfaces switchport` to verify and changes the access VLAN. Another scenario: two servers in the same data center subnet can't communicate. The engineer checks IP addresses and finds a duplicate IP address conflict (both servers have the same static IP). The fix is to assign unique IPs. A third scenario: a user on a different floor cannot ping the server. The engineer traces the path and finds that an intermediate switch has a VLAN ACL blocking ICMP. The ACL was implemented for security but inadvertently blocked necessary traffic. The engineer modifies the ACL to permit ICMP between the specific hosts. In production, scale matters: a misconfigured trunk can affect hundreds of users. Performance considerations include ensuring duplex settings match (auto-negotiation is recommended) and that switchports are not oversubscribed. When misconfigured, symptoms can be intermittent—e.g., a duplex mismatch causes collisions and slow throughput, but not a complete loss of connectivity. Systematic troubleshooting using the OSI model saves hours of guesswork.
The CCNA 200-301 exam tests Objective 1.6: Troubleshoot no IP connectivity between hosts. Expect scenario-based questions where you must identify the layer at which the problem occurs. The most common wrong answers: (1) 'The problem is at Layer 3' when it's actually a Layer 2 VLAN mismatch—candidates see different subnets but don't check if hosts are on same VLAN. (2) 'The default gateway is missing' when hosts are on the same subnet—candidates forget that default gateway is only needed for off-subnet traffic. (3) 'ARP cache is full' when the real issue is a firewall blocking ICMP—candidates jump to ARP because ping fails. (4) 'Duplex mismatch causes no connectivity'—while duplex mismatch causes performance issues, it rarely causes complete loss; high error rates are a clue. Specific values to memorize: default ARP cache timeout is 4 hours for dynamic entries (Windows) or 20 minutes (Cisco IOS). Default STP port costs: 10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4, 10 Gbps = 2. On the exam, you may see show interfaces output with many CRC errors—that points to a Layer 1 issue (bad cable). Calculation traps: if given IP 192.168.1.10/25 and 192.168.1.130/25, they are on different subnets (192.168.1.0/25 vs 192.168.1.128/25). A decision rule: if ping to local host fails, check ARP and switch MAC table; if ping to remote host fails but local works, check routing and ACLs. Eliminate options that blame Layer 3 when the destination is on the same subnet—routing is not involved.
Troubleshoot from Layer 1 up: physical, data link, network.
Use 'show interfaces status' to verify port up/up and 'show vlan brief' to check VLAN existence.
ARP resolves IP to MAC; incomplete ARP entry indicates failure at Layer 2 or below.
Default ARP cache timeout: 4 hours on Windows, 20 minutes on Cisco IOS.
Duplex mismatch causes CRC errors and collisions, not complete loss of connectivity.
STP blocking state prevents frame forwarding; use 'show spanning-tree' to check.
Hosts on same subnet do not need a default gateway for local communication.
These come up on the exam all the time. Here's how to tell them apart.
Same Subnet Communication
No default gateway needed
Uses ARP to get destination MAC
Switch forwards based on MAC table
No routing involved
Troubleshoot: check ARP, VLAN, MAC table
Different Subnet Communication
Requires default gateway
Uses ARP to get router's MAC
Router forwards based on routing table
Routing and ACLs involved
Troubleshoot: check routing, ACL, gateway IP
Mistake
If two hosts cannot ping, the problem is always at Layer 3 (IP).
Correct
The problem can be at Layer 1 (cable), Layer 2 (VLAN mismatch, STP blocking), or Layer 3. Always start with physical.
Candidates assume IP because ping uses IP, but lower layers must work first.
Mistake
A missing default gateway prevents communication between hosts on the same subnet.
Correct
Default gateway is only needed for off-subnet traffic. Hosts on the same subnet communicate directly via ARP and switching.
Candidates confuse local vs. remote communication.
Mistake
If ARP cache shows an entry, the host is reachable.
Correct
ARP cache only shows that ARP resolution succeeded at some point. The entry may be stale (expired) or the host may be down now.
Candidates trust ARP cache as current status.
Mistake
A duplex mismatch always causes complete loss of connectivity.
Correct
Duplex mismatch causes high error rates and poor performance, but connectivity often works with many retransmissions.
Candidates overstate the severity; duplex mismatch is a performance issue, not a connectivity killer.
Pinging your own IP tests the TCP/IP stack and local NIC. Failure to ping another host typically indicates a Layer 2 issue (VLAN mismatch, switch port problem, STP blocking) or a Layer 1 issue (bad cable). Check the switch port status, VLAN assignment, and MAC table. Also verify that the destination host is powered on and has no firewall blocking ICMP.
'Destination host unreachable' is an ICMP message from a router indicating that the router has no route to the destination. 'Request timed out' means no reply was received within the timeout period, often due to the destination being down or a firewall dropping the packet. For same-subnet communication, 'unreachable' usually means ARP failed.
Use 'show interfaces [interface] switchport' on the switch. Look for 'Operational Mode: access' and 'Access Mode VLAN: X' (the VLAN number). Also use 'show vlan brief' to see which VLANs exist and which ports are assigned.
An incomplete ARP entry means the ARP request was sent but no reply was received. Verify that the destination host is on and connected to the same VLAN. Check for ACLs blocking ARP (rare) or storm control limiting broadcast traffic. Also ensure the switch is not configured with port security that might be dropping frames.
Rarely. Duplex mismatch typically causes high error rates, collisions, and poor performance, but some frames still get through. However, in extreme cases with many errors, connectivity may appear lost. Check 'show interfaces' for CRC errors and collisions. Fix by setting both sides to auto-negotiate or manually set the same duplex.
Use 'show spanning-tree' on the switch. Look for the port state: 'BLK' (blocking) or 'LIS' (listening) indicate STP is preventing forwarding. Also check 'show spanning-tree interface [interface]' for the port's role (e.g., Altn) and state.
VLAN mismatch is the most common. The switch ports are in different VLANs, so Layer 2 communication fails. Always verify VLAN assignment first when hosts are on the same switch but cannot ping each other.