Static routes are the foundation of IP routing—simple, predictable, and entirely under your control. Yet on the CCNA 200-301 exam and in real networks, static routes fail more often than you'd expect, usually due to simple misconfigurations or incorrect assumptions. This chapter covers exam objective 3.2, focusing on systematic troubleshooting of static route failures, from checking next-hop reachability to verifying recursive routing and administrative distance conflicts.
Jump to a section
Imagine you're a delivery driver with a GPS that has only one pre-programmed route: from your warehouse to a specific customer. The GPS doesn't learn new roads; it only follows what you manually entered. If that road is closed for construction (link down), the GPS just sits there saying 'Route unavailable'—it won't reroute. That's a static route with a down next-hop. Now, suppose your GPS says 'Turn left at Main Street,' but Main Street doesn't exist on the map (the next-hop IP is not in the routing table). The GPS will keep trying to give you directions that can't be followed. That's a recursive route failure. Finally, imagine you have two GPS units: one with your manual route, and another that learns roads dynamically. If the dynamic GPS says 'Go via Elm Street' but your manual GPS says 'Go via Oak Street,' you might follow the wrong one if the manual GPS has a lower priority. That's an administrative distance conflict. In networking, static routes are like that manual GPS—they work perfectly when the path is valid and consistent, but they fail silently when conditions change, because they don't adapt. Troubleshooting is about checking each condition: is the road open (interface up), does the next turn exist (next-hop reachable), and is this the route you should be following (correct AD)?
What Is a Static Route and Why Does It Fail?
A static route is a manually configured path to a destination network. Unlike dynamic routing protocols, static routes have no built-in failure detection or automatic re-routing. They work perfectly when the network topology is stable, but they can fail in several ways:
Next-hop unreachable: The router cannot reach the next-hop IP address via any directly connected network.
Interface down: The outgoing interface is administratively down or physically disconnected.
Recursive routing failure: The next-hop IP is not in the routing table, so the router cannot resolve where to send packets.
Administrative distance conflict: Another route (static or dynamic) with a lower AD overrides the intended static route.
Incorrect subnet mask or destination: A typo in the network address or mask causes the route to match the wrong destination.
Return path issue: The route works for outbound traffic, but the return traffic is not routed back, causing one-way communication.
Step-by-Step Packet Forwarding with a Static Route
When a router receives a packet destined for a network that matches a static route, it performs the following steps:
Routing table lookup: The router checks its routing table for the longest prefix match. If the static route is present, it proceeds.
Next-hop resolution: The router looks at the next-hop IP address. If the next-hop is directly connected (i.e., the router has an interface on the same subnet), it can forward directly. If the next-hop is not directly connected, the router must perform recursive routing—it looks up the next-hop IP in the routing table to find a route to that IP.
ARP resolution: If the next-hop is reachable via a directly connected Ethernet interface, the router sends an ARP request to get the MAC address of the next-hop.
Frame encapsulation: The router encapsulates the IP packet into a frame with the destination MAC address of the next-hop router.
Transmission: The frame is sent out the appropriate interface.
Key Verification Commands
The primary command to check static routes is show ip route static. This displays only the static routes in the routing table. For example:
R1# show ip route static
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 10.1.1.0/24 [1/0] via 192.168.1.2The output shows the destination network, mask, administrative distance (1), metric (0), and next-hop (192.168.1.2).
To see all routes and look for missing or overridden static routes:
R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
L 10.1.1.1/32 is directly connected, GigabitEthernet0/0
S 10.2.2.0/24 [1/0] via 192.168.1.2If a static route is missing from the routing table, check if it was configured:
R1# show running-config | include ip route
ip route 10.2.2.0 255.255.255.0 192.168.1.2If it's in the config but not in the routing table, the next-hop is likely unreachable. Verify connectivity to the next-hop:
R1# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)If ping fails, check the directly connected interface:
R1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES manual up up
GigabitEthernet0/1 unassigned YES unset administratively down downInteraction with Dynamic Routing
Static routes have a default administrative distance of 1. Dynamic routes (e.g., OSPF has AD 110, EIGRP has AD 90) have higher ADs by default. This means a static route will always be preferred over a dynamic route to the same destination, unless you change the static route's AD. This can cause issues if you intend to use a dynamic route as a backup. Conversely, if a dynamic route with a lower AD (like a directly connected interface) exists, the static route will be ignored.
Common Misconfiguration: Missing Next-Hop
If you configure a static route with an incorrect next-hop IP, the router will still install it in the routing table if the next-hop is reachable (even if it's the wrong router). The route will forward packets to the wrong device, causing blackholing. Always verify the next-hop is the correct adjacent router.
Default Routes
A default static route (0.0.0.0/0) is used as a gateway of last resort. It matches all destinations not in the routing table. The command is:
ip route 0.0.0.0 0.0.0.0 192.168.1.1If the default route is missing, traffic to unknown networks will be dropped. Check with show ip route for a line like:
S* 0.0.0.0/0 [1/0] via 192.168.1.1The asterisk indicates it is a candidate default route.
1. Identify the Problem
Start by confirming the exact symptoms. Is the destination completely unreachable, or is there one-way communication? Use ping and traceroute from the source device to the destination. If ping fails, try from the router closest to the source. If ping succeeds from the router but not from the source, the problem is likely on the source device (e.g., wrong default gateway). If ping fails from the router, the problem is in the routing path. Document the exact IP addresses and subnets involved.
2. Verify the Static Route Exists
On the router that should have the static route, use `show ip route static` to see if the route is present. If not, check the running configuration with `show running-config | include ip route`. If the route is configured but not in the routing table, the next-hop is likely unreachable. If the route is not configured at all, you need to add it. Also check for typos in the destination network or mask. For example, `ip route 10.2.2.0 255.255.255.0 192.168.1.2` is correct; `ip route 10.2.2.0 255.255.255.0 192.168.1.2` with a wrong mask like 255.255.0.0 would match a different range.
3. Check Next-Hop Reachability
If the static route is configured but not in the routing table, the most common cause is that the next-hop IP address is not reachable. Use `ping` to the next-hop from the router. If it fails, check the directly connected interface that should provide connectivity to the next-hop. Use `show ip interface brief` to see if the interface is up/up. If the interface is down, troubleshoot the physical layer. If the interface is up but ping fails, check for IP addressing mismatches or ACLs blocking ICMP. Also ensure the next-hop router has a route back to the source network.
4. Verify Recursive Routing (If Applicable)
If the next-hop IP is not directly connected, the router must have a route to that next-hop network. Use `show ip route` to see if there is a route to the next-hop IP. For example, if the static route says `via 10.0.0.2` and 10.0.0.2 is not directly connected, the router needs a route to 10.0.0.0/24. If that route is missing, the static route will not be installed. This is called recursive routing failure. The solution is to either use a directly connected next-hop or add the necessary route.
5. Check for Administrative Distance Conflicts
A static route might be present in the routing table but not used because another route with a lower administrative distance (AD) exists for the same destination. Use `show ip route` and look for multiple entries for the same network. The one with the lowest AD will be used. For example, a directly connected route (AD 0) will override a static route (AD 1). An OSPF route (AD 110) will not override a static route, but an EIGRP route (AD 90) will. If you want the static route to be preferred, you can increase its AD to be higher than the dynamic route, or remove the dynamic route. Alternatively, you can use a floating static route by setting a higher AD (e.g., 130) so it only appears when the dynamic route disappears.
6. Verify Return Path
Even if outbound routing works, traffic may not return if the destination router does not have a route back to the source. Use traceroute from the source to the destination and see if the packets make it to the destination. Then from the destination, ping the source to check the return path. If the return ping fails, the issue is on the destination router or intermediate routers. Ensure that all routers along the path have appropriate static or dynamic routes for the return traffic. This is especially common with asymmetric routing.
7. Check for Packet Filtering or NAT
If routing looks correct but traffic still fails, check for access control lists (ACLs) or firewall rules that might be blocking traffic. On Cisco routers, use `show access-lists` to see if any ACLs are applied to interfaces. Also check if NAT is configured correctly. For example, if the destination is a private IP and the source is on the internet, NAT must be in place. Use `debug ip packet` with caution in a lab environment to see if packets are being dropped. Remember that ACLs can silently drop traffic, and the routing table will still show the route as valid.
In enterprise networks, static routes are commonly used for point-to-point links, such as connecting a branch office to a headquarters over a WAN link. For example, a branch router might have a default static route pointing to the HQ router. If the WAN link goes down, the static route becomes invalid, and all internet traffic from the branch fails. To provide redundancy, network engineers often use floating static routes with a higher administrative distance that kick in when the primary link fails. For instance, an OSPF-learned route might have AD 110, and a static backup route might have AD 120. When the OSPF route disappears, the static route appears.
Another common scenario is using static routes for VPN tunnels. When a site-to-site VPN is configured, you often need a static route to the remote subnet via the tunnel interface. If the tunnel goes down, the static route should be removed. Engineers sometimes use IP SLA (Service Level Agreement) to track the tunnel's health and adjust the static route accordingly. Without IP SLA, the static route remains in the routing table even if the tunnel is down, causing traffic to be blackholed.
Misconfiguration of static routes can lead to network outages. A classic mistake is typing the wrong next-hop IP, which causes traffic to be forwarded to the wrong router. Another is forgetting to add a return route on the remote router, resulting in one-way communication. In large networks, static route misconfigurations can be difficult to find because the routing table looks correct, but traffic doesn't flow. This is why many enterprises prefer dynamic routing for scalability, but static routes remain essential for simple, predictable paths.
The CCNA 200-301 exam tests troubleshooting of static routes in objective 3.2, which covers 'Interpret the components of routing table' and 'Troubleshoot static routes.' Expect scenario-based questions where you must identify why a static route is not working. Common traps include:
Assuming a static route is always in the routing table: Candidates forget that if the next-hop is unreachable, the route is not installed. The show ip route output will not show the route at all.
Confusing administrative distance: A static route with AD 1 will be overridden by a directly connected route (AD 0) but will beat OSPF (AD 110). Candidates often think static routes always win, but that's false.
Misreading the `show ip route` output: The code 'S' means static, but if there is an asterisk (S*), it's a candidate default route. Candidates may miss the asterisk and think it's not a default.
Forgetting the return path: Many questions give a scenario where ping from R1 to R2 works but ping from PC1 to PC2 fails. The issue is often that R2 has no route back to PC1's subnet.
Next-hop not directly connected: If the next-hop IP is not on a directly connected network, the router needs a route to that next-hop. Candidates sometimes assume the router can reach any IP without a route.
To eliminate wrong answers, always check the next-hop reachability first. If the route is missing, the next-hop is likely unreachable. If the route is present but traffic fails, check the return path and ACLs. Know the default AD values: connected 0, static 1, EIGRP 90, OSPF 110, RIP 120. On the exam, you may be asked to interpret show ip route output and identify why a specific static route is not being used.
Static routes have a default administrative distance of 1.
A static route is not installed in the routing table if the next-hop IP is unreachable.
Use 'show ip route static' to view only static routes.
Use 'show ip route' to see all routes and check for AD conflicts.
The next-hop IP must be reachable via a directly connected network or another route.
Floating static routes use a higher AD (e.g., 130) to act as backups.
Always verify the return path; one-way communication often indicates missing return route.
These come up on the exam all the time. Here's how to tell them apart.
Static Route
Manually configured by administrator
No automatic failure detection
Default AD of 1
Uses next-hop IP or exit interface
Best for simple, stable topologies
Dynamic Route (OSPF)
Learned automatically via OSPF
Detects link failures via hello packets (default 10 sec)
Default AD of 110
Uses next-hop IP calculated by SPF
Best for complex, redundant networks
Mistake
A static route is always present in the routing table once configured.
Correct
A static route is only installed if the next-hop is reachable. If the next-hop is unreachable, the route is not added to the routing table.
Candidates think the route appears immediately because they see it in the running config, but the routing table is dynamic.
Mistake
A static route with AD 1 will always be preferred over any dynamic route.
Correct
A static route with AD 1 is preferred over routes with higher AD, but a directly connected route (AD 0) will override it. Also, you can configure a static route with a higher AD to be a backup.
Candidates memorize that static routes have low AD but forget that connected routes are even lower.
Mistake
If a static route is in the routing table, traffic will always reach the destination.
Correct
The route might be correct for outbound traffic, but return traffic could fail if the destination router lacks a route back. Also, ACLs or NAT can block traffic even with a valid route.
Candidates focus only on the forward path and ignore the return path.
Mistake
The next-hop IP must be directly connected for a static route to work.
Correct
The next-hop can be indirectly connected, as long as the router has a route to that next-hop IP (recursive routing). However, it's a common best practice to use directly connected next-hops to avoid recursive lookup failures.
Many CCNA materials emphasize using directly connected next-hops, so candidates assume it's a requirement.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A static route will only appear in the routing table if the next-hop IP is reachable. Check if the next-hop is directly connected or if there is a route to it. Use `ping` to test reachability. Also ensure the interface to the next-hop is up/up. If the next-hop is reachable but the route is still missing, check for administrative distance conflicts or that the route is actually configured in the running config.
A floating static route is a static route with a higher administrative distance than the primary dynamic route. It acts as a backup. For example, if you have an OSPF route with AD 110, you can configure a static route to the same destination with AD 120. The static route will only appear in the routing table when the OSPF route disappears. Configure it with `ip route 10.0.0.0 255.0.0.0 192.168.1.2 120`.
Yes, but it's generally recommended to use a next-hop IP on multi-access networks. On point-to-point interfaces, using just the exit interface works because the router knows the next-hop is the only device on the other end. On Ethernet, you should include both the exit interface and the next-hop IP to avoid ARP issues. Example: `ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/0 192.168.1.2`.
If ping works but other traffic fails, the issue is likely not the static route itself but something else like an ACL, firewall, or NAT. Ping uses ICMP, which may be permitted while other protocols are blocked. Check access lists on the routers along the path. Also verify that the return path is working for the specific traffic type.
The asterisk (*) next to a static route indicates that it is a candidate default route. This typically appears for a default static route (0.0.0.0/0). It means the route is a candidate for the gateway of last resort. The router will use the candidate default route with the lowest AD if no other default route is present.
Intermittent failures suggest a flapping interface or a routing loop. Check the interface status with `show interfaces` for errors or flaps. Use `debug ip routing` to see when the route is added/removed. Also check for routing loops by using traceroute. If the route depends on a dynamic next-hop, ensure that dynamic route is stable.
Yes, you can point a static route to a tunnel interface. For example, `ip route 10.0.0.0 255.0.0.0 Tunnel0`. However, the tunnel interface must be up. If the tunnel goes down, the static route will be removed from the routing table because the interface is down. This is a common way to route traffic over a VPN.
You've just covered Troubleshoot: Static Route Not Working — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?