CCNA Troubleshooting Scenarios
323 real-world scenarios covering every CCNA domain. Each one walks you through diagnostic commands, root cause, resolution, and what the exam expects.
OSPF
30 scenarios
OSPF ABR Not Advertising Summary Routes to Backbone
Remote networks behind an OSPF ABR are not reachable from the backbone area, even though the ABR has full routing information for those networks.
OSPF Adjacency Flapping Due to Unstable Interface
OSPF neighbor adjacency repeatedly transitions between FULL and DOWN states, causing routing table instability.
OSPF Area ID Mismatch Between Neighbors
OSPF neighbors are stuck in the INIT state and do not form a full adjacency.
OSPF Authentication Mismatch Preventing Adjacency
Two directly connected routers running OSPF fail to form an adjacency, remaining in the INIT or EXSTART state.
OSPF Causing High CPU Due to Constant SPF Recalculations
Router CPU utilization is consistently high (above 80%) and OSPF SPF runs are occurring multiple times per second, causing network instability and slow convergence.
OSPF Choosing Suboptimal Path Due to Cost Misconfiguration
Traffic from R1 to a destination behind R3 takes a suboptimal path via R2 instead of the direct link to R3.
OSPF Default Route Not Propagated to Other Areas
Hosts in a non-zero OSPF area cannot reach the internet, even though the Area Border Router (ABR) has a default route to the internet.
OSPF DR/BDR Election Choosing Wrong Router
The OSPF DR/BDR election results in a router with lower priority or lower router ID becoming the DR, causing suboptimal routing and potential instability.
OSPF Equal-Cost Paths Not Load Balancing Traffic
Traffic from R1 to R3 is not being load-balanced across two equal-cost OSPF paths, even though both paths have the same OSPF cost.
OSPF Hello/Dead Timer Mismatch Preventing Adjacency
OSPF neighbors are stuck in INIT state or never become FULL, and the network engineer observes that routers are not exchanging routing information.
OSPF Loopback Advertised as /32 Instead of Actual Subnet
A loopback interface configured with a /24 subnet mask is advertised in the OSPF database as a /32 host route instead of the actual subnet.
OSPF LSA Flooding Loop Causing CPU Spike
The router CPU utilization spikes to 100% and OSPF neighbors flap intermittently, causing network instability.
OSPF LSDB Incomplete — Missing LSA Types
The OSPF routing table is missing some routes, and the OSPF database shows incomplete LSA types (e.g., Type 3 or Type 5 LSAs missing) on some routers.
OSPF MTU Mismatch Causing Stuck in EXSTART
OSPF neighbors are stuck in EXSTART state and cannot form full adjacency.
OSPF Neighbor Adjacency Not Forming at All
OSPF neighbor adjacency is not forming between two directly connected routers; the neighbor state remains stuck in INIT or DOWN.
OSPF Neighbor Goes Down Repeatedly After Forming
OSPF neighbor adjacency repeatedly transitions from FULL to DOWN after forming, causing routing instability.
OSPF Neighbor Stuck in EXSTART/EXCHANGE State
OSPF neighbor adjacency is stuck in EXSTART/EXCHANGE state and does not transition to FULL.
OSPF Neighbor Stuck in LOADING State
An OSPF neighbor is stuck in the LOADING state and never transitions to FULL.
OSPF Neighbors on Different Subnets — No Adjacency
OSPF neighbors show in INIT state or never reach FULL state, and the adjacency is stuck in EXSTART/EXCHANGE or 2WAY.
OSPF Network Type Mismatch on Ethernet Segment
Two directly connected routers on the same Ethernet segment fail to form an OSPF neighbor adjacency.
OSPF NSSA Area Not Converting Type 7 LSA to Type 5
External routes redistributed into OSPF in an NSSA area are not appearing in the routing table of routers outside the NSSA area.
OSPF Passive-Interface Blocking Needed Adjacency
Two directly connected routers running OSPF fail to form an adjacency, with the neighbor state stuck in INIT or DOWN.
OSPF Redistribution Not Bringing in External Routes
External routes redistributed into OSPF are not appearing in the routing table of OSPF routers.
OSPF Reference Bandwidth Inconsistent Causing Wrong Path Selection
Traffic from Branch A to Branch B takes a suboptimal path via a slower link instead of the direct high-speed link, causing higher latency and lower throughput.
OSPF Route Not Appearing in Routing Table
A route for a specific network is missing from the routing table on a router running OSPF.
OSPF Router ID Conflict Causing Instability
OSPF neighbors are flapping between routers, causing intermittent routing table changes and network instability.
OSPF Stub Area Blocking External Routes Needed by Users
Users in the branch office cannot reach external networks (Internet) even though OSPF routes for internal networks are present.
OSPF Summary Routes Not Being Generated at ABR
Remote networks reachable via OSPF are not being summarized at the ABR; instead, individual /24 routes appear in the routing table of the backbone area.
OSPF Virtual Link to Disconnected Area Not Working
A router in area 1 cannot reach a router in area 0, even though OSPF is configured and neighbors are up.
Wrong Wildcard Mask in OSPF Network Statement
OSPF neighbors are not forming, and routes are missing from the routing table.
EIGRP
20 scenarios
EIGRP AS Number Mismatch Preventing Adjacency
Two directly connected routers running EIGRP fail to form an adjacency; the neighbor relationship remains in the 'Init' state or never appears.
EIGRP Auto-Summary Creating Black Holes with Discontiguous Networks
Users in one branch office cannot reach servers in another branch office, even though both are in the same EIGRP autonomous system and have connectivity to the core.
EIGRP Backup Route Not Installing — Feasibility Condition Not Met
A backup route via EIGRP is not being installed in the routing table even though the neighbor is reachable and routes are being exchanged.
EIGRP Hold Timer Expired — Neighbor Keeps Dropping
EIGRP neighbor flapping every 15-20 seconds with 'Hold timer expired' error messages.
EIGRP K-Value Mismatch Preventing Adjacency
Two EIGRP-enabled routers fail to form an adjacency, and the neighbor state remains stuck in 'Init' or 'Loading'.
EIGRP MD5 Authentication Mismatch
EIGRP neighbors are not forming, and the network engineer sees routes missing from the routing table.
EIGRP Metric Wrong Due to Incorrect Bandwidth Statement
A directly connected EIGRP neighbor is not forming adjacency, or routes are missing from the routing table despite correct network statements.
EIGRP Named Mode vs Classic Mode Configuration Conflict
EIGRP neighbors are not forming between two routers configured with different EIGRP modes (named mode vs classic mode).
EIGRP Neighbor Adjacency Not Forming
EIGRP neighbor adjacency is not forming between two directly connected routers.
EIGRP Neighbor Goes Down Without Config Change
An EIGRP neighbor relationship unexpectedly goes down and does not re-establish, even though no configuration changes were made on either router.
EIGRP Network Statement with Wrong Wildcard Mask
Routers in an EIGRP network are not forming neighbor adjacencies or are missing routes for certain subnets.
EIGRP Passive-Interface Set on Wrong Interface
Routers in the EIGRP domain are not forming neighbor adjacencies, and routes are missing from the routing table.
EIGRP Query Storm Causing Network-Wide Instability
Users across multiple remote sites report intermittent connectivity and slow application performance; network-wide EIGRP routes are flapping, causing instability.
EIGRP Redistribution from OSPF Not Appearing
Routes redistributed from OSPF into EIGRP are not appearing in the EIGRP topology table or routing table of other EIGRP routers.
EIGRP Route Not in Topology Table or Routing Table
A route that should be learned via EIGRP is not present in the topology table or the routing table.
EIGRP Route Stuck in Active State (SIA)
An EIGRP route remains in active state for longer than expected, causing network instability and packet loss.
EIGRP Split Horizon Blocking Routes on Hub-and-Spoke
Remote spoke routers cannot reach each other via the hub router, but each spoke can reach the hub and the hub can reach all spokes.
EIGRP Stub Router Not Advertising Necessary Routes
Remote branch users report that they cannot reach a specific subnet (192.168.10.0/24) located behind the branch EIGRP stub router, although other subnets are reachable.
EIGRP Topology Table Has No Successor or FS
The EIGRP topology table shows routes in active state with no successor or feasible successor, causing routing black holes.
EIGRP Unequal-Cost Load Balancing Not Working
EIGRP unequal-cost load balancing is not working; traffic is only using the best path even though feasible successors exist.
RIP
10 scenarios
RIP Auto-Summary Summarizing to Classful Boundary — Route Missing
A router in a discontiguous network cannot reach a remote subnet, and show ip route shows only the classful summary route instead of the specific prefix.
RIP Default Route Not Being Distributed to Spoke Sites
Spoke sites in a hub-and-spoke RIP network cannot reach the internet because the default route configured on the hub router is not being advertised to the spokes.
RIP Network Statement Not Including All Interfaces
A router running RIP is not advertising routes for some directly connected subnets, causing reachability issues to those networks.
RIP Passive Interface Stopping Route Updates on Right Interface
A router configured with RIP is not advertising a directly connected network to its neighbor, even though the interface is up/up and RIP is enabled.
RIP Route Not Installing Due to 16-Hop Limit
A route to a remote network is missing from the routing table, even though the RIP routing protocol is configured on all routers in the path.
RIP Routes Not Propagating Between Routers
RIP routes learned from one router are not being propagated to other routers in the same RIP domain.
RIP Routing Loop — Count-to-Infinity Problem
Users in Branch B report intermittent connectivity to the main office; pings to the main office gateway succeed but then fail after a few seconds, and the network becomes unreachable for extended periods.
RIP Split Horizon Blocking Routes on Hub-and-Spoke Frame Relay
Remote branch routers cannot reach each other via the hub router, but each branch can ping the hub and the hub can ping all branches.
RIPv1/v2 Version Mismatch Causing No Updates
Routers configured with RIPv1 and RIPv2 are not exchanging routing updates, resulting in missing routes in the routing table.
RIPv2 Authentication Mismatch — No Route Updates
Routers configured for RIPv2 authentication do not exchange routing updates, resulting in missing routes in the routing table.
Static Routing
8 scenarios
Default Route Missing — Remote Users Losing Internet
Remote users report they cannot access the internet, but internal network resources are reachable.
Floating Static Route Not Activating When Primary Fails
The backup floating static route does not appear in the routing table when the primary route fails, causing loss of connectivity to the remote network.
IPv6 Static Route Not Working — Missing ipv6 unicast-routing
IPv6 static routes are configured but traffic to the destination network fails; ping to the next-hop or remote network returns 'Destination unreachable' or no reply.
Static Route and Dynamic Route Conflict — Wrong AD
Users in the branch office cannot reach the remote server at 10.10.10.0/24, although both a static route and an OSPF-learned route exist for that network.
Static Route Not in Routing Table After Configuration
A static route configured on a Cisco router does not appear in the routing table.
Static Route Recursive Lookup Failing — Route Flaps
A static route configured on a router intermittently disappears from the routing table, causing traffic to be dropped for a few seconds before reappearing.
Static Route with Wrong Next-Hop IP — Packets Dropped
Users in Branch A cannot reach the server in Branch B, and pings from Branch A router to Branch B server fail.
Static Summary Route Too Broad — Black Holing Traffic
Traffic destined for a specific subnet is being dropped (black holed) even though a route exists in the routing table.
VLAN
18 scenarios
Access Port Assigned to Wrong VLAN — Users in Wrong Segment
Users in a specific department cannot communicate with other devices in the same VLAN, but they can reach devices in other VLANs.
Double-Tagged 802.1Q Frame Bypassing VLAN Segregation
A host in VLAN 10 can communicate with a host in VLAN 20 across a trunk link, despite VLAN access control lists and interface configurations that should prevent inter-VLAN traffic.
DTP Auto Mode Preventing Trunk from Forming
A trunk link between two switches fails to form, and the interface remains in access mode despite configuring switchport mode trunk on one side.
Extended Range VLAN (1006-4094) Not in VTP Database
A VLAN in the extended range (1006-4094) cannot be created or added to the VTP database; the switch reports that the VLAN ID is out of range or not allowed.
Inter-VLAN Routing Not Working — No Route Between VLANs
Hosts on different VLANs cannot communicate with each other, even though they can ping their default gateway.
Layer 3 Switch SVI Interface Not Coming Up
A host connected to an access switch cannot ping the default gateway IP address configured on a Layer 3 switch SVI, and the SVI interface shows as administratively down.
MAC Address Not Learning in Correct VLAN
A host in VLAN 10 cannot communicate with the default gateway, and the switch does not show the host's MAC address in the MAC address table for VLAN 10.
Native VLAN Mismatch on Trunk — CDP Warning / STP Issues
Users in VLAN 10 report intermittent connectivity to the server farm, and CDP shows 'Native VLAN mismatch discovered' errors on the trunk link between two switches.
New Switch with Higher VTP Revision Wiping VLAN Database
After connecting a new switch to the network, all switches in the VTP domain lose their VLAN configurations, and end-user connectivity is disrupted.
Router-on-a-Stick Subinterface Misconfigured — VLAN Traffic Fails
Hosts in different VLANs cannot communicate with each other through the router, even though the router has subinterfaces configured for each VLAN.
VLAN Not in Trunk Allowed List — Users Isolated
Users in VLAN 20 cannot communicate with users in VLAN 10, even though both VLANs exist on the same switch and the trunk between switches is up.
VLAN Not in VLAN Database — Traffic Dropped
Hosts in a VLAN cannot communicate with hosts in other VLANs, and the switch drops traffic destined for that VLAN.
VLAN Port Showing Inactive in show vlan brief
A VLAN port shows as 'inactive' in the output of 'show vlan brief', and the connected device cannot communicate on the VLAN.
VLAN Traffic Not Passing Across Trunk Link
Hosts in VLAN 10 cannot ping hosts in VLAN 20, even though both VLANs exist on the same trunk link between two switches.
Voice VLAN and Data VLAN Not Both Working on IP Phone Port
A PC connected to an IP phone cannot access the data VLAN, but the phone works fine on the voice VLAN.
VTP Domain Name Mismatch — VLANs Not Synchronizing
VLANs configured on the VTP server are not appearing on VTP client switches; show vlan brief shows only default VLANs on clients.
VTP Pruning Removing Active VLAN from Trunk
A trunk port between two switches stops carrying traffic for a specific VLAN, even though the VLAN is configured on both switches and the trunk is up.
VTP Transparent Mode Not Forwarding VTP Messages
VTP clients in a VLAN domain are not receiving VTP advertisements from the VTP server, even though a VTP transparent mode switch is in the path.
Spanning Tree
18 scenarios
All Switches with Same STP Priority — Random Root Election
The network experiences intermittent connectivity and suboptimal traffic flow, with no single switch consistently acting as the root bridge in the Spanning Tree Protocol (STP) topology.
BPDU Filter Accidentally Hiding BPDUs — Loop Risk
After configuring BPDU filter on an access port, the switch experiences a loop that causes network instability, even though BPDU filter is supposed to prevent loops.
BPDU Guard Putting Port in err-disabled State
A switch port configured with PortFast and BPDU Guard goes into err-disabled state after receiving a BPDU from another switch.
Continuous STP Topology Changes Causing Network Instability
Users in VLAN 10 experience intermittent connectivity drops and slow network performance, while the switch logs show repeated STP topology change notifications every few seconds.
Layer 2 Loop Detected — Broadcast Storm
Users in multiple VLANs report network connectivity issues, and the switch console shows high CPU utilization with rapidly incrementing interface counters.
Loop Guard Putting Port in Loop-Inconsistent State
A switch port that should be forwarding traffic is stuck in the loop-inconsistent state, preventing traffic from passing through that link.
MST Instance to VLAN Mapping Mismatch Between Switches
Some workstations in VLAN 10 cannot communicate with servers in VLAN 20 across the network, while other VLANs work fine.
MST Region Configuration Mismatch — Treated as Different Regions
Spanning-tree topology loops occur intermittently, and some VLANs are unreachable despite all switches being configured with the same MST region name and revision number.
PortFast Accidentally Enabled on Trunk Port
A workstation connected to a trunk port experiences intermittent connectivity and excessive MAC address flapping notifications on the switch.
PortFast Port Not Transitioning Directly to Forwarding
A port configured with PortFast does not transition directly to forwarding state; instead, it goes through listening and learning states, causing a delay in connectivity.
Rapid PVST+ and PVST Compatibility Issues
A switch in the network experiences frequent topology changes, causing MAC address table flapping and intermittent connectivity for end devices.
Root Guard Blocking Intended Uplink
A switch port configured as an intended uplink is in a blocking state despite having a superior BPDU, causing connectivity loss to the root bridge.
STP Convergence Too Slow — Traffic Black-Holed During Failover
After a link failure in the access layer, end-user traffic is black-holed for 30-50 seconds before converging, causing application timeouts.
STP Port Cost Change Not Influencing Path Selection
After increasing the port cost on a redundant link, the STP root port selection does not change as expected, and traffic continues to use the higher-cost path.
STP Port Stuck in Blocking State — Users Can't Reach Server
Users in VLAN 10 report they cannot reach the server at 192.168.10.100, and the switch port connected to the server shows a blocking state.
UplinkFast Not Accelerating Convergence After Uplink Failure
After an uplink failure on a switch, the backup uplink does not transition to forwarding state within the expected 1-5 seconds, causing prolonged network downtime.
Wrong Port Elected as STP Designated Port
A switch port that should be in blocking state for STP is forwarding, causing a temporary loop and high CPU utilization on the root bridge.
Wrong Switch Elected as STP Root Bridge
End users in VLAN 10 report intermittent connectivity issues, and network monitoring shows high CPU utilization on a low-end access switch that is unexpectedly acting as the root bridge for the spanning tree.
EtherChannel
10 scenarios
Both Sides Set to LACP Passive — No Bundle Forming
An EtherChannel between two switches does not form, and both sides show the port-channel interface in a down/down state.
EtherChannel Member Port in Suspended State
An EtherChannel member port is in the 'suspended' state, causing traffic to not pass through that port.
EtherChannel Member Port Speed/Duplex Inconsistency
An EtherChannel interface is down or only partially operational, with some member ports showing as 'err-disabled' or 'suspended'.
EtherChannel Member Ports with Different VLAN Configs
Pings between hosts on the same VLAN across an EtherChannel fail intermittently, and the EtherChannel shows some member ports are down or not bundled.
EtherChannel Mode Mismatch — LACP vs PAgP vs Static
EtherChannel does not come up; interfaces show as 'down/down' or 'err-disabled' in the channel-group, and no traffic is load-balanced across the bundle.
EtherChannel Not Bundling — Ports Stay Individual
Ports configured in an EtherChannel remain individual (not bundled) and the port-channel interface is down/down.
EtherChannel Not Load Balancing Across All Links
An EtherChannel between two switches shows all member links up/up, but traffic is not load-balanced across all links; one link carries most traffic while others are underutilized.
EtherChannel Trunk Native VLAN Mismatch Between Ends
Hosts in the same VLAN cannot communicate across an EtherChannel trunk, and the trunk is not forwarding traffic for some VLANs.
Only Some Ports Bundling in EtherChannel — Not All Members Active
An EtherChannel is configured between two switches, but only some member ports are bundled; the remaining ports remain in standalone mode, causing inconsistent load balancing and potential loops.
STP Blocking One EtherChannel Member Port
One member port of an EtherChannel is in STP blocking state while the other member ports are forwarding, causing traffic to be dropped on that link.
DHCP
12 scenarios
DHCP Assigning IPs from Wrong Pool to Multi-VLAN Network
Clients in VLAN 20 receive IP addresses from the DHCP pool intended for VLAN 10, causing connectivity issues.
DHCP Assigning Router IP to Client — No Exclusion Configured
A DHCP client receives an IP address that belongs to the router's LAN interface instead of a valid host address from the pool.
DHCP Assigning Wrong Default Gateway to Clients
Clients in VLAN 10 receive an IP address from DHCP but cannot reach the internet or other subnets because the default gateway assigned is incorrect.
DHCP Client Not Getting IP Address
A client PC connected to a switch port in VLAN 10 is unable to obtain an IP address via DHCP; the client reports 'No IP address' or receives an APIPA address (169.254.x.x).
DHCP Conflict Detection Blocking IP Assignment
Clients are unable to obtain an IP address via DHCP; the DHCP server logs show 'DHCP conflict detected' messages.
DHCP Lease Not Renewing — Clients Losing Connectivity
Clients on a specific VLAN lose IP connectivity after the DHCP lease expires; they fail to renew and obtain a new IP address.
DHCP Relay Agent Not Forwarding Requests to Server
Clients in VLAN 20 cannot obtain IP addresses via DHCP, while clients in VLAN 10 (same router) succeed.
DHCP Scope Exhausted — No IPs Available
Clients in the branch office cannot obtain IP addresses via DHCP; they receive APIPA addresses (169.254.x.x) or no IP at all.
DHCP Server Unreachable Due to Routing Issue
Clients are unable to obtain IP addresses from the DHCP server, receiving 'No DHCPOFFER' messages.
DHCP Snooping Binding Table Full — New Clients Blocked
New DHCP clients fail to obtain IP addresses, while existing clients continue to work; error messages indicate DHCP snooping binding table is full.
DHCP Snooping Dropping Legitimate DHCP Server Offers
Clients in a VLAN are not receiving IP addresses from the legitimate DHCP server, even though the server is reachable and configured correctly.
Rogue DHCP Server Handing Out Wrong IPs on LAN
Clients on VLAN 10 are receiving IP addresses in the 192.168.20.0/24 subnet instead of the expected 192.168.10.0/24, causing connectivity issues.
NAT
12 scenarios
NAT Asymmetric Routing — Packets Arriving on Wrong Interface
Users report intermittent connectivity failures; traffic from certain sources fails to reach internal servers, while other traffic succeeds, and the NAT translations table shows entries with inconsistent interface mappings.
NAT Configured But Internet Access Not Working
Internal hosts can ping the router's inside interface but cannot access the internet or ping the outside interface IP.
NAT Hairpin Issue — Internal Clients Cannot Reach Public IP
Internal clients cannot reach a public web server when using its public IP address, but they can reach it using the private IP address.
NAT inside/outside Applied to Wrong Interfaces
Internal hosts can reach the internet, but external hosts cannot reach internal servers through the public IP address.
NAT on Tunnel Interface Not Translating Traffic Correctly
Traffic sent through a tunnel interface is not being translated by NAT, causing connectivity failures for hosts behind the tunnel.
NAT Overload ACL Denying Traffic That Should Be NAT'd
Internal hosts cannot reach the internet, but NAT overload is configured and the ACL appears to permit the traffic.
NAT Pool Exhausted — New Sessions Failing
New outbound connections from internal hosts to the internet are failing, while existing connections continue to work.
NAT Translation Table Full — Sessions Being Dropped
Users report that new outbound connections to the internet are failing, while existing connections continue to work.
NAT64 Translation Not Working for IPv6 Clients
IPv6 clients cannot reach IPv4-only servers on the internet; NAT64 translations are not being created.
PAT UDP Timeout Too Short — Gaming/Streaming Sessions Dropping
Users report that online gaming sessions and video streaming services drop after a few minutes of inactivity, requiring manual reconnection.
Static NAT Entry Not Translating Inbound Connections
External hosts cannot reach internal servers via the configured static NAT public IP address.
Using debug ip nat to Trace Why Traffic Is Not Being Translated
Internal hosts can access the internet but external hosts cannot initiate connections to internal servers, and 'show ip nat translations' shows no entries for the expected traffic.
ACL
15 scenarios
ACL Accidentally Blocking OSPF Hello Packets
OSPF neighbors are stuck in INIT state and do not form adjacency, even though Layer 2 connectivity is confirmed.
ACL and NAT Order Causing Traffic to Not Be Translated
Internal hosts cannot reach the internet; NAT translations are not being created for traffic that should be translated.
ACL Applied to Wrong Interface or Direction
Users in VLAN 10 cannot reach the internet, but they can reach other internal subnets.
ACL Blocking All Traffic — Implicit Deny Hit
Users in VLAN 10 cannot reach any external network resources, including the internet and remote sites, while internal VLAN 10 resources are reachable.
ACL Blocking DHCP Discovery Broadcasts
Clients on VLAN 10 cannot obtain an IP address via DHCP; DHCP discovery packets are not reaching the DHCP server.
ACL Deny Entries Without log Keyword — Can't Identify Blocked Traffic
The network engineer observes that traffic is being blocked by an ACL but cannot identify which specific deny entry is dropping the traffic because the deny entries lack the 'log' keyword.
ACL Entries in Wrong Order — Permit Before More Specific Deny
Users in the 192.168.1.0/24 subnet can access the internet, but users in the 192.168.2.0/24 subnet cannot, despite an ACL applied to the WAN interface.
ACL on VTY Lines Locking Out Admin Access
An administrator is unable to SSH or Telnet into a Cisco router from a remote management workstation, even though the IP connectivity is verified.
ACL Supposed to Block Telnet But SSH Also Blocked
Telnet connections to the router are blocked, but SSH connections are also unexpectedly blocked.
ACL with Wrong Wildcard Mask Blocking Unintended Hosts
Hosts in the 192.168.1.0/24 subnet are unable to reach the server at 10.0.0.10, while hosts in other subnets can reach it.
Extended ACL Blocking Return Traffic from Server
Users can initiate connections to the server, but the server's responses are not reaching the clients, causing timeouts or incomplete data transfers.
IPv6 ACL Blocking Traffic That Should Be Permitted
Hosts on a specific VLAN cannot reach an IPv6 server, but IPv4 traffic to the same server works fine.
Named ACL and Numbered ACL Applied to Same Interface
Traffic from a specific subnet is unexpectedly permitted through an interface despite a numbered ACL denying it, while a named ACL on the same interface permits the same traffic.
Reflexive ACL Not Allowing Return Traffic for Established Sessions
Internal hosts can initiate outbound TCP connections, but return traffic for established sessions is dropped, causing connections to time out.
Time-Based ACL Not Activating at Correct Time
Users report that the time-based ACL intended to block web access during business hours is not activating at the scheduled time, allowing access outside of the configured window.
Interfaces
15 scenarios
High CRC Error Count on Interface — Layer 1 or Duplex Issue
High CRC error count observed on an interface, causing packet loss and performance degradation.
High Input Errors on Interface — Root Cause and Fix
The network engineer observes that an interface on a Cisco switch shows a high number of input errors, including runts, CRC errors, and frame errors, leading to packet loss and performance degradation.
Interface Accidentally Shut Down — How to Detect and Fix
A host on VLAN 10 cannot ping its default gateway, and the interface on the switch shows 'administratively down'.
Interface Bandwidth Misconfigured Causing Wrong Routing Metric
Traffic from Branch A to Branch B is taking a suboptimal path through the main campus instead of the direct link, causing increased latency and packet loss.
Interface Constantly Flapping Up and Down
A switch interface repeatedly goes up and down, causing network instability and intermittent connectivity for connected devices.
Interface in err-disabled State — Cannot Bring Up
A switch port that was previously operational is now down, and the interface status shows 'err-disabled'.
Interface Missing IP Address — Connectivity Fails
PCs in VLAN 10 cannot ping the default gateway (router interface 192.168.10.1), and the router interface shows 'line protocol is down'.
Interface MTU Too Large — Fragmentation or Black Hole Routing
Users report that large file transfers or certain applications fail intermittently, while small packets (e.g., ping with size 100) succeed.
Interface Shows Down/Down — Layer 1 Physical Issue
The interface shows 'down/down' in the output of 'show interfaces' or 'show ip interface brief'.
Interface Shows Up/Down — Layer 2 Issue or No Carrier
The interface shows up/down status, indicating Layer 1 is operational but Layer 2 is not, or there is no carrier signal.
Loopback Interface Advertised as /32 Causing Routing Issues
Remote routers cannot reach the loopback interface IP address of a router, even though the loopback is configured and OSPF is running.
Output Drops on Interface — Queue Full Under Load
The network engineer observes output drops incrementing on a GigabitEthernet interface under load, causing packet loss and degraded application performance.
Runts and Giants Appearing on Interface — What They Mean
The network engineer observes a high number of runts and giants in the interface counters of a Cisco router or switch, along with possible CRC errors and input errors.
Speed/Duplex Mismatch Causing CRC Errors and Low Throughput
Users report slow file transfers and intermittent connectivity; the interface shows increasing CRC errors and runts.
Subinterface Wrong or Missing encapsulation dot1Q
Hosts in the same VLAN cannot communicate across a router-on-a-stick configuration, but inter-VLAN routing fails for one specific VLAN.
Security
17 scenarios
AAA Authentication Locking Out Administrative Access
After configuring AAA authentication on a Cisco router, the network engineer is unable to log in via SSH or console, receiving 'Authentication failed' errors even with correct credentials.
DHCP Snooping Blocking Legitimate Server on Untrusted Port
Clients in VLAN 10 are unable to obtain IP addresses via DHCP, and the DHCP server (10.10.10.5) is reachable but not responding to requests.
Dynamic ARP Inspection Dropping Valid ARP Packets
Hosts on a specific VLAN are unable to communicate with each other or the default gateway, while hosts on other VLANs work fine.
Locked Out of Router — Enable Secret Unknown
Unable to enter privileged EXEC mode on a Cisco router; the enable secret password is unknown and the password recovery process fails.
login block-for Activated — Admin Locked Out Temporarily
The network engineer is unable to SSH or Telnet into a Cisco router; the connection is refused with 'Authentication failed' or 'Connection closed by foreign host' after a few failed login attempts.
Passwords Visible in show running-config in Clear Text
When viewing the running configuration, passwords for line console, line vty, and enable secret appear in clear text instead of being encrypted.
Port Security Triggering err-disabled on User Port
A user's PC connected to a switch port loses network connectivity, and the port LED shows solid amber; the switch reports the port is in err-disabled state.
Port Security Violation Mode Set Wrong — No Shutdown on Violation
A host connected to a switch port is unable to communicate on the network, and the port shows an err-disabled state after a security violation, but the port does not automatically recover.
RADIUS Server Not Responding — Authentication Failing
Users are unable to authenticate to the network via 802.1X, and RADIUS authentication requests are timing out.
RSA Key Too Small for SSHv2 — SSH Connection Refused
SSH connection to the Cisco router is refused with the error 'Unable to negotiate with <IP> port 22: no matching host key type found. Their offer: ssh-rsa'.
SSH Not Working — Unable to Connect to Router/Switch
A network engineer is unable to establish an SSH connection to a Cisco router or switch, receiving 'Connection refused' or 'Connection timed out' errors.
Sticky MAC Address Table Full — New Devices Blocked
New devices cannot connect to the network; existing devices work fine, but switch logs show 'Security violation occurred' messages.
Storm Control Blocking Legitimate Broadcast Traffic
Broadcast traffic such as ARP requests is being dropped on a switch port, causing hosts to fail to communicate across VLANs.
TACACS+ Authentication Failing for All Users
All users are unable to authenticate via TACACS+ for device administration, and local fallback authentication also fails.
Telnet Active When Only SSH Should Be Permitted
Users can connect to the router via Telnet, even though only SSH should be permitted for remote management.
User at Wrong Privilege Level — Cannot Run Needed Commands
A network engineer is unable to execute certain commands (e.g., 'show running-config', 'configure terminal') on a Cisco router, receiving '% Invalid input detected' or 'Command rejected' errors.
VTY ACL Lockout — All Remote Access Blocked
Remote engineers cannot SSH or Telnet into the router, but local console access works fine.
IPv6
14 scenarios
EUI-64 Address Calculated Incorrectly — Wrong IPv6 Address
A host configured with IPv6 stateless address autoconfiguration (SLAAC) using EUI-64 cannot reach the default gateway or other hosts on the same subnet.
IPv6 6in4 Tunnel Not Forwarding Traffic
IPv6 traffic is not being forwarded through a 6in4 tunnel configured between two routers.
IPv6 ACL Blocking NDP — Neighbor Discovery Fails
Hosts on the same VLAN cannot communicate via IPv6; pings fail and neighbor solicitations are unanswered.
IPv6 Address Not Showing on Interface After Configuration
After configuring an IPv6 address on a router interface, the 'show ipv6 interface brief' command does not display the address, and the interface shows 'unassigned'.
IPv6 Default Route Missing — No Internet for IPv6 Clients
IPv6 clients on the internal network cannot reach the internet, but IPv4 connectivity works fine.
IPv6 Duplicate Address Detection (DAD) Failure
A host fails to obtain an IPv6 address via SLAAC or DHCPv6, and the network engineer observes 'Duplicate Address Detection' failures in the logs.
IPv6 Neighbor Table Empty — NDP Not Working
The IPv6 neighbor table is empty, and hosts cannot communicate over IPv6 despite IPv6 being configured on interfaces.
IPv6 Route Not Being Preferred Over IPv4 Route
IPv6 traffic is not being forwarded over the IPv6 route, but IPv4 traffic works fine for the same destination.
IPv6 Traffic Not Routing — Missing ipv6 unicast-routing Command
IPv6 traffic is not being routed between subnets; devices can ping their default gateway but cannot reach devices on other VLANs or remote networks.
IPv6 Wrong Prefix Length Causing Wrong Subnet Calculation
Hosts on the same IPv6 subnet cannot communicate with each other, and pings to the default gateway fail.
Only Link-Local IPv6 Address Present — No Global Unicast
A host on the IPv6-enabled network can only obtain a link-local address (fe80::/10) and does not receive a global unicast address (2000::/3).
OSPFv3 Neighbor Not Forming in IPv6 Network
OSPFv3 neighbors are not forming between two directly connected routers in an IPv6 network.
RA Guard Blocking Router Advertisements on Correct Interface
IPv6 hosts on a VLAN are not receiving Router Advertisements (RAs) and cannot autoconfigure IPv6 addresses or set a default gateway.
SLAAC Clients Not Getting IPv6 Address From RA
IPv6-enabled hosts on a VLAN are not receiving IPv6 addresses via SLAAC, despite the router being configured to send Router Advertisements.
Wireless
12 scenarios
Autonomous AP Not Joining WLC — CAPWAP Issue
An autonomous access point (AP) fails to join the wireless LAN controller (WLC), remaining in 'Downloading' or 'Discovery' state indefinitely.
Band Steering Not Moving Clients from 2.4GHz to 5GHz
Wireless clients remain connected to the 2.4GHz band even when they are within range of a 5GHz access point that supports band steering.
CAPWAP Tunnel Between AP and WLC Down
Wireless clients cannot connect to the network, and the AP shows 'Down' status in the WLC's AP list.
Client Connecting to Wrong SSID — No VLAN Separation
A wireless client connects to the guest SSID instead of the corporate SSID, but the client still receives a corporate IP address and has full access to internal resources.
Hidden SSID Client Cannot Connect Without Manual Profile
A wireless client cannot connect to a hidden SSID unless a manual profile is created on the client device.
Poor Wireless Signal — Client Roaming Issues
Wireless clients experience intermittent connectivity and fail to roam between access points, resulting in poor signal strength and frequent disconnections.
Wireless Channel Interference Causing Packet Loss
Wireless clients experience intermittent packet loss and high latency, especially during peak usage hours.
Wireless Client Not Associating to AP
A wireless client is unable to associate to an AP; it scans and finds the SSID but fails to connect, or it connects briefly and disconnects.
Wireless Clients Dropping During Roaming Between APs
Wireless clients experience intermittent connectivity drops when roaming between access points in the same SSID.
Wireless VLAN Tagging Wrong — Guest SSID on Wrong Network
Clients connecting to the Guest SSID are assigned IP addresses from the corporate VLAN instead of the guest VLAN, and cannot access the internet.
Wireless WPA2 Authentication Failing for Client
A wireless client fails to authenticate to the corporate WLAN using WPA2-PSK, repeatedly seeing 'Authentication failed' or 'Wrong password' messages.
WLAN Profile Disabled on WLC — Clients Cannot Connect
Wireless clients cannot connect to the corporate SSID 'CorpNet' and receive 'Unable to join the network' errors.
QoS
10 scenarios
All Traffic Hitting class-default — Classification Not Working
All traffic is being matched by the class-default class in a QoS policy, and no traffic is being classified into the user-defined classes.
CBWFQ Used for Voice Instead of LLQ — Voice Quality Poor
Voice calls experience poor quality with jitter and delay, despite QoS being configured on the WAN router.
CoS Marking Not Preserved Across Layer 3 Boundary
Voice traffic from an IP phone is not being prioritized across a router, resulting in poor call quality.
DSCP Marking Not Being Applied to Traffic
Traffic is not being marked with the expected DSCP value, and QoS policies are not applying the correct markings.
DSCP Trust Boundary Set at Wrong Device
Voice traffic from IP phones experiences jitter and packet loss, while data traffic is unaffected, and QoS markings are not being honored across the network.
Policing Rate Set Too Low — Legitimate Traffic Being Dropped
Users report intermittent connectivity and slow application performance, and monitoring shows legitimate traffic being dropped by the router.
QoS Bandwidth Guaranteed Exceeds Interface Capacity
Voice traffic experiences jitter and packet loss during peak hours, and call quality degrades despite QoS policies being configured.
QoS Policy Configured But Not Applied to Interface
Voice traffic experiences high jitter and packet loss on an interface, even though a QoS policy has been configured globally.
VoIP Calls Choppy — QoS Not Prioritizing Voice Traffic
VoIP calls are choppy with intermittent audio dropouts and jitter, especially during peak usage hours.
WFQ Not Configured — Interactive Traffic Getting Poor Performance
Interactive traffic (e.g., VoIP, Telnet) experiences high latency and jitter, while bulk data transfers perform well.
IP Addressing
11 scenarios
Broadcast Address Assigned to Host — Unexpected Behavior
A host configured with a static IP address that matches the subnet broadcast address cannot communicate with other devices on the same VLAN, and other hosts experience intermittent connectivity issues.
CIDR Aggregate Route Too Broad — Non-Existent Routes Advertised
Remote networks are unreachable, and routing tables show routes to networks that do not exist in the network.
Discontiguous Network with Classful Routing — Routes Missing
Pings from PC1 to PC2 fail intermittently, and some routes are missing from the routing table.
Host IP Address in Wrong Subnet — No Default Gateway Route
A host in VLAN 10 cannot ping the default gateway (192.168.10.1) or any devices outside its subnet, but can ping other hosts in the same VLAN.
Network Address Assigned as Host IP — Traffic Dropped
Hosts in VLAN 10 cannot communicate with hosts in VLAN 20, and pings from the router to the VLAN 10 gateway IP fail intermittently.
Overlapping Subnets Causing Routing Ambiguity
Users in the branch office report intermittent connectivity to the data center, with some traffic succeeding and other traffic failing unpredictably.
Private IP Range Being Routed to Internet — NAT Not Working
Hosts on the internal network cannot access the internet, and traffic destined for public IPs is being dropped or misrouted.
Public IP Exhaustion — Migrating to PAT for Multiple Users
Users in the branch office cannot access the internet, and the router logs show 'NAT: pool exhausted' messages.
Route Summarization Creating Black Hole for Specific Subnets
Users in subnet 10.1.2.0/24 cannot reach servers in subnet 10.1.3.0/24, while other subnets communicate normally.
VLSM Subnets Overlapping After Route Summarization
After configuring route summarization on a router, some remote networks become unreachable due to overlapping VLSM subnets.
Wrong Subnet Mask — Hosts Cannot Communicate
Two hosts on the same VLAN and subnet cannot ping each other, but each can ping its own default gateway.
VPN
10 scenarios
GRE Tunnel Recursive Routing — Interface Goes Up/Down
The GRE tunnel interface on a Cisco router repeatedly goes up and down every few seconds, causing intermittent connectivity between two remote sites.
GRE Tunnel Up But Traffic Not Forwarding
The GRE tunnel is up/up, but traffic destined for the remote network is not being forwarded through the tunnel.
IPsec Crypto ACL Mismatch Between Peers — Tunnel Not Encrypting
Traffic between two sites is not encrypted by IPsec, and the tunnel shows as up but no packets are being encrypted or decrypted.
IPsec IKE Phase 1 (ISAKMP) Not Completing
IPsec VPN tunnel fails to establish; IKE Phase 1 (ISAKMP) negotiation does not complete, and the tunnel remains down.
IPsec IKE Phase 2 (IPsec SA) Not Completing
IPsec tunnel is up (IKE Phase 1 complete) but no traffic is encrypted; show crypto ipsec sa shows no active IPsec SAs.
IPsec NAT-T Not Working — VPN Behind NAT Failing
VPN tunnel fails to establish or drops intermittently when one peer is behind a NAT device, with no IPsec security associations (SAs) formed.
IPsec PFS (Perfect Forward Secrecy) Mismatch
IPsec VPN tunnel is established but no traffic passes; Phase 2 (IPsec SA) fails to establish with 'PFS mismatch' errors in the logs.
IPsec Pre-Shared Key Mismatch — Phase 1 Fails
IPsec VPN tunnel fails to establish; Phase 1 (IKE) negotiation does not complete and the tunnel remains down.
IPsec Transform Set Mismatch Between Peers
IPsec VPN tunnel fails to establish between two Cisco routers; Phase 2 negotiation fails with 'transform set proposal mismatch' error.
VPN Tunnel Up But Remote Network Not Reachable
The VPN tunnel is up and Phase 2 is established, but hosts on the remote network cannot be pinged from the local network.
Layer 3 Switching
7 scenarios
CEF Disabled — High CPU Under Moderate Traffic Load
High CPU utilization (over 80%) on a Cisco switch under moderate traffic load, with packet drops and slow network performance.
ip routing Command Missing — L3 Switch Acting as L2 Only
A Layer 3 switch is unable to route between VLANs; hosts in different VLANs cannot ping each other even though SVIs are configured and up/up.
Layer 3 Switch Missing Default Route — Internet Unreachable
Hosts in VLAN 10 cannot reach the internet, but can communicate within the local VLAN and with other VLANs on the same Layer 3 switch.
Layer 3 Switch Not Routing Between VLANs
Hosts in different VLANs cannot ping each other through the Layer 3 switch, even though they can ping their default gateway.
MLS Routing Table Incorrect — Wrong Paths Being Used
Traffic from a VLAN to a remote network is taking an unexpected path, causing connectivity issues or suboptimal routing.
Routed Port vs SVI Confusion — Interface Not Routing
A host on VLAN 10 cannot ping the IP address of an SVI on a Layer 3 switch, even though the SVI is configured and the host is in the correct VLAN.
SVI Not Coming Up — Interface Shows Down
An SVI (Switch Virtual Interface) configured on a VLAN remains in down/down state even though the VLAN exists and ports are assigned.
Redundancy
10 scenarios
Both HSRP Routers in Active State — Split Brain
Both HSRP routers show the Active state for the same standby group, causing duplicate default gateway IPs and intermittent connectivity.
Dual ISP Failover Not Switching When Primary ISP Fails
When the primary ISP link fails, traffic does not automatically fail over to the secondary ISP, causing internet connectivity loss.
Floating Static Route Not Activating After Primary Route Fails
After the primary link fails, traffic is not forwarded via the floating static route, resulting in connectivity loss.
GLBP Not Load Balancing as Expected
Clients in VLAN 10 are not load balancing across two GLBP routers; all traffic goes to the active AVG router.
HSRP Not Failing Over When Active Router Goes Down
When the active HSRP router is powered down or its interface is shut, the standby router does not take over as active, and hosts lose connectivity to the virtual IP address.
HSRP Preempt Not Set — Primary Router Not Resuming Active Role
After a failover event, the primary HSRP router does not regain the active role even after it recovers, leaving the standby router as active.
HSRP Wrong Router as Active Due to Misconfigured Priority
The HSRP standby router is acting as the active router, causing suboptimal traffic flow and potential connectivity issues.
IP SLA Track Object Not Triggering HSRP Failover
The standby router does not take over as active when the upstream WAN link on the active router fails, even though IP SLA tracking is configured.
Redundant Power Supply Failure — No Alert Generated
A network engineer notices that a critical switch in the data center is running on a single power supply, but no alert or syslog message was generated when the redundant power supply failed.
VRRP Group Not Forming Between Routers
The VRRP group is not forming between two routers; both routers remain in the Initialize state and do not transition to Master or Backup.
CDP / LLDP
6 scenarios
CDP Disabled Globally — No Layer 2 Neighbor Discovery
The network engineer cannot see any CDP neighbors on any directly connected Cisco device, even though physical connectivity is verified.
CDP Leaking Network Topology to Untrusted Segment — Security Risk
A network engineer notices that a switch connected to an untrusted segment (e.g., a guest network or external partner) is sending Cisco Discovery Protocol (CDP) advertisements, potentially leaking sensitive network topology information.
CDP Neighbors Not Appearing in show cdp neighbors
The 'show cdp neighbors' command returns no output or only lists the local device, indicating that no CDP neighbors are being discovered.
CDPv1 and CDPv2 Version Mismatch Between Devices
A network engineer observes that CDP neighbor information is missing or incomplete between two directly connected Cisco devices, even though both devices are physically connected and operational.
LLDP Not Enabled — IP Phones Not Being Discovered
IP phones connected to Cisco switches are not being discovered by the network management system, and they fail to receive voice VLAN configuration via LLDP.
LLDP-MED Not Providing Power/VLAN Info to IP Phones
IP phones connected to a Cisco switch are not receiving power or correct VLAN information via LLDP-MED, resulting in phones not powering on or not being placed in the voice VLAN.
System
12 scenarios
Logging Buffer Full — Old Events Being Overwritten
The network engineer observes that recent syslog messages are missing from the logging buffer, and older messages are being overwritten.
NTP Access Group Blocking Legitimate NTP Server
The router's clock is not synchronizing with the configured NTP server, and 'show ntp status' shows the clock is unsynchronized.
NTP Authentication Key Mismatch — Peers Not Syncing
NTP peers show 'NTP is not syncing' and the clock remains unsynchronized despite correct NTP server configuration.
NTP Not Synchronizing — Clock Always Wrong
The router's clock shows the wrong time and date, and NTP synchronization fails to correct it.
NTP Stratum Too High — Devices Not Accepting as Server
A client device configured with 'ntp server 192.168.1.10' shows 'ntp associations' with '~' (stratum too high) and the server is not accepted.
NTP Time Offset Too Large — AAA Authentication Failing
Users are unable to authenticate via RADIUS/TACACS+, and AAA login attempts fail with 'Authentication failed' errors.
SNMP Traps Not Being Received at NMS
The NMS is not receiving SNMP traps from a Cisco router, although the router is configured to send them.
SNMPv3 Authentication Failure — Cannot Query OIDs
SNMPv3 queries from the NMS to the router return 'No response' or 'Authentication failure' errors, and no OIDs can be retrieved.
Syslog Messages Not Reaching External Server
Syslog messages generated by the router are not appearing on the external syslog server, although the server is reachable via ping.
Syslog Severity Level Too High — Critical Events Missing
Critical syslog messages (e.g., interface down, OSPF neighbor loss) are not appearing in the log, while lower-severity messages (e.g., debugging) are displayed.
Syslog Timestamps Showing Wrong Time Zone
Syslog messages on the Cisco router show timestamps that are consistently off by several hours from the actual local time.
Wrong SNMP Community String — NMS Cannot Poll Device
The NMS cannot poll the router via SNMP, returning 'No response from device' or 'Timeout' errors.
Automation
8 scenarios
Ansible ios_command Module Failing to Connect
Ansible playbook using ios_command module fails with 'unable to connect to remote device' error.
EEM Applet Not Triggering on Expected Syslog Event
An EEM applet configured to trigger on a specific syslog message does not execute when the expected event occurs.
NETCONF Get Filter Returning Wrong Data Set
A NETCONF client receives incorrect or incomplete data when applying an XML filter to retrieve interface configurations.
NETCONF Over SSH Not Working
A network engineer cannot establish a NETCONF session over SSH to a Cisco IOS XE device, receiving 'Connection refused' or timeout errors.
Python Script Getting 401 Error from IOS XE RESTCONF
A Python script using RESTCONF to configure an IOS XE device returns a 401 Unauthorized error.
RESTCONF API Not Responding on Cisco IOS XE
An automation script using RESTCONF to retrieve interface configurations from a Cisco IOS XE device returns a connection timeout or HTTP 404 error.
Terraform IOS XE Provider Not Applying Configuration
Terraform apply completes successfully but the intended IOS XE configuration (e.g., VLAN, interface IP) is not present on the device after the run.
YANG Model Structure Mismatch in RESTCONF PUT Request
A RESTCONF PUT request to modify a YANG data model on a Cisco IOS XE device fails with a 400 Bad Request error, and the device logs indicate a 'YANG model structure mismatch'.
BGP
5 scenarios
BGP AS Number Misconfigured — Neighbor Rejects Session
BGP session between two routers remains in Idle state and never transitions to Established.
BGP Route Filtered by Prefix-List — Not Reaching Peer
A BGP route learned from an eBGP peer is not being installed in the routing table, even though the BGP session is established and the route is present in the BGP table.
BGP Route Not Being Advertised to Peer
A BGP route is not being advertised to a peer, even though it exists in the BGP table.
eBGP Neighbor Not Forming — TCP Session Failing
The eBGP neighbor session remains in the 'Idle' or 'Active' state and never transitions to 'Established'.
eBGP TTL Issue — Multihop Neighbor Not Connecting
An eBGP neighbor configured with a multihop connection remains in the Idle state and never transitions to Established.
Troubleshooting Methodology
13 scenarios
ARP Resolution Failing — Hosts Cannot Communicate on Same Subnet
Hosts on the same subnet cannot ping each other, but each can ping its default gateway.
Duplicate IP Address Causing Intermittent Connectivity Loss
Users report intermittent connectivity loss to a server, with some devices able to reach it while others cannot, and the issue resolves temporarily after rebooting the server.
Firewall vs ACL — Determining Which is Blocking Traffic
Users in the branch office cannot reach the internet, but can reach internal servers across the WAN link.
Network Broke After Configuration Change — Rollback Procedure
After applying a configuration change, network connectivity to remote sites is lost and users report inability to reach resources across the WAN.
New Device Added — Cannot Reach Network Resources
A newly connected PC cannot ping the default gateway or any other network resources, while existing devices work fine.
Physical Layer Troubleshooting — Cable, SFP, and Port Issues
A workstation in the sales department cannot access the network; the link LED on the switch port is off, and the interface shows 'down/down'.
Route in Routing Table But Traffic Not Using It — CEF Issue
A route for a destination network exists in the routing table, but traffic to that network is not being forwarded using that route.
Systematic No-Connectivity Troubleshooting — OSI Top-Down
A user in the Sales VLAN cannot ping the server in the Server VLAN, while other users in the same VLAN can reach the server.
Systematic VLAN Connectivity Troubleshooting
Hosts in VLAN 10 cannot ping the default gateway or communicate with hosts in other VLANs, but intra-VLAN communication works.
Troubleshooting Intermittent Packet Drops on LAN
Users report intermittent packet drops and slow application performance during peak hours, but the network appears stable during off-peak times.
Troubleshooting One-Way Audio on VoIP Call
Users report that they can hear the remote party, but the remote party cannot hear them during VoIP calls.
Troubleshooting Slow Network — Finding the Bottleneck
Users report that accessing cloud applications and internet websites is extremely slow, with frequent timeouts, while internal network resources remain responsive.
Using Extended Ping and Traceroute to Isolate Network Faults
A user at a remote branch office cannot reach a server at the corporate headquarters, but other branches can reach the server.
Network Services
8 scenarios
DNS Resolution Failing — Users Cannot Reach Websites by Name
Users in the branch office cannot access websites by domain name (e.g., www.example.com), but can reach them by IP address.
FTP Active vs Passive Mode — ACL Blocking FTP Data Channel
FTP client can establish control connection and authenticate, but data transfer fails with timeout or '425 Can't open data connection' error.
HTTP Server on Router Not Accessible — Firewall or ACL Blocking
A user cannot access the HTTP server running on a Cisco router from a remote host, receiving a connection timeout or refused error.
IP SLA Probe Failing — Unable to Measure Network Performance
The IP SLA probe shows 'Timeout' or 'Over Threshold' in the statistics, and the network performance measurements are not being collected.
NetFlow Data Not Reaching Collector
NetFlow data is not being received by the collector, and no flow records appear in the collector's interface.
NFS Mount Timing Out — Layer 3 Reachability and ACL Issue
NFS mount requests from a client to an NFS server are timing out, preventing file system access.
TACACS+ Server Down — Falling Back to RADIUS Properly
Users in the branch office can authenticate for network access, but administrative login to network devices fails intermittently.
TFTP Transfer Failing — Timeout or Refused Connection
TFTP transfer to or from a Cisco router fails with 'Timeout' or 'Connection refused' error messages.
Exam Scenario Traps
12 scenarios
ACL Processing Order — Top-Down Implicit Deny Trap
Users in the Sales VLAN cannot reach the Internet, but they can reach other internal VLANs.
DHCP Relay Agent ip helper-address Placement on Exam
Clients on a remote VLAN are unable to obtain an IP address from the DHCP server located on a different subnet.
EIGRP Feasibility Condition Calculation on Exam
A router in the EIGRP domain is not installing a feasible successor route for a network, even though an alternate path exists with a reported distance less than the feasible distance of the successor.
EtherChannel LACP/PAgP Modes That Will vs Will Not Bundle
An EtherChannel between two switches fails to come up; the port-channel interface shows down/down or up/down, and member ports show err-disabled or not-negotiating.
IPv6 Prefix Length vs Subnet Mask on CCNA Exam
A router configured with an IPv6 address and prefix length cannot ping the IPv6 address of a directly connected neighbor, even though both interfaces are up and physically connected.
NAT Overload vs Static NAT — When to Use Which
Users in a branch office can access the internet but cannot reach a specific internal server using its public IP address, while external users can reach the server.
OSPF Cost Calculation on Exam — Common Mistakes
A router in an OSPF network is not learning routes from a neighbor, even though the neighbor adjacency is established and both routers are in the same area.
Port Security Violation Mode Behaviors on Exam
A host connected to a switchport that was previously working is now unable to communicate on the network, and the switchport shows an err-disabled state.
Reading show ip route Output Correctly on CCNA Exam
A network engineer notices that a remote network is not reachable, but the show ip route output shows a route with a next-hop IP that is not directly connected.
STP Port Roles and States Exam Trap — Root vs Designated vs Blocking
Hosts in VLAN 10 on switch SW3 cannot reach the default gateway (router) connected to switch SW1, but hosts in VLAN 20 can reach their gateway on the same router.
STP Root Bridge Election Tie-Breaker Exam Trap
A switch in the network becomes the root bridge unexpectedly, causing suboptimal traffic flow and potential loops, even though it has a lower priority configured than another switch that should be root.
VLAN Trunk Allowed List Exam Question Trap
PCs in VLAN 10 on switch A cannot communicate with PCs in VLAN 10 on switch B, but all other VLANs work fine across the trunk.
Practice Under Exam Conditions
Reading scenarios builds understanding. Timed practice builds confidence. Test yourself with real CCNA exam questions.