Answer: Ping Doesn’t Work

By certskills May 28, 2014 09:05

Here’s the answer and explanation for Monday’s seemingly simple ping question. This one is a bit tougher than most, though, because it opens up the possibilities to pretty much anything that would cause a ping failure. As usual, the details are below the fold.

Answer(s): A

The question stated that, by design, the hosts are supposed to be in the same VLAN. As a result, the hosts should also be in the same subnet. Keeping both facts in mind, the following items list CCENT and CCNA level details that could cause the problem:

  • SW1’s F0/7 and F0/8 should both be assigned to the same VLAN (using the switchport access vlan interface subcommand).
  • That VLAN must exist on that switch. Note that the switchport access vlan x interface subcommand will create the VLAN automatically, assuming the switch is not also configured to be a VTP client.
  • Whatever that VLAN is, it must be enabled (active). A VLAN can be disabled with the shutdown command in VLAN config mode, so the VLAN must not be configured with shutdown. (Note: I consider this point to be an ICND2 or CCNA topic, not an ICND1 or CCENT topic.)
  • The two hosts must have IP addresses and masks such that they both believe the other IP address is in the same subnet. Such a belief makes each host try to send packets to the other host directly, rather than send the packet to the host’s default gateway.
  • If port security is enabled, it must not filter the packets going between the two hosts.

Moving through the answers, answer A results in port F0/7 in VLAN 2, and port F0/8 in (default) VLAN 1. The design calls for both to be in the same VLAN; assuming their IP addresses are in the same subnet, then the pings will fail, because an ARP broadcast sent by one host will not reach the other host.

For answer B, having IP addresses 10.1.1.1 and 10.2.2.2 does not tell us whether the addresses are or are not in the same subnet. Masks from /14 and shorter happen to put the addresses in the same subnet. Masks from /15 and longer put these addresses in different subnets. So, the information in this answer does not definitively cause the problem.

For answer C, the VLAN interface on a switch, configured using the interface vlan 1 command, is a layer 3 interface on which an engineer can configure an IP address for the switch itself. This interface, its status, and its IP configuration have absolutely nothing to do with how the switch performs layer 2 switching.

Answer D lists a case that should be avoided, because hosts in the same subnet should use the same mask. However, if the hosts use different masks, and they both think that the other host is in their same subnet, then they still ARP, and still ping directly without using a router. For instance, imagine host A uses IP address 10.1.1.1, and host B uses 10.1.1.2, with the masks shown in this answer. Host A thinks 10.1.1.2 is in its same subnet, and host B thinks 10.1.1.1 is in its subnet. So, the two hosts still ARP for each other as needed, and both send packets directly to each other without attempting to use a default gateway (router).

Port security could cause the ping failure. However, as worded in answer E, port security will not cause a ping failure. That answer states that SW1 matches host A’s MAC address, with the logic enabled on the switch’s F0/7 interface. Port security logic matches a MAC address for the purpose of allowing traffic sourced from that address; port security does not match MAC addresses for the purpose of discarding the traffic.
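The checklist above, and the reasoning for answers A, B, D and E, can be walked through mechanically. The following is an added example (not code from the original post): a small model of SW1 with host A on F0/7 and host B on F0/8, where each host judges "same subnet" with its own mask and port security only tests the source MAC of frames entering a port. The host MACs, the /24 and /25 masks used for answer D, and the topology itself are constructed for the example.

```python
import ipaddress

def on_link(host, dst_ip):
    """True if host would ARP for dst_ip directly, i.e. it believes dst_ip
    is in its own subnet, judged with the host's OWN ip/prefix."""
    net = ipaddress.ip_interface(f"{host['ip']}/{host['prefix']}").network
    return ipaddress.ip_address(dst_ip) in net

def longest_shared_prefix(ip_a, ip_b):
    """Longest prefix length that still puts ip_a and ip_b in one subnet
    (answer B: 10.1.1.1 and 10.2.2.2 share a subnet at /14 and shorter)."""
    a, b = int(ipaddress.ip_address(ip_a)), int(ipaddress.ip_address(ip_b))
    return 32 - (a ^ b).bit_length()

def ping_works(switch, host_a, host_b):
    """Apply the post's checklist; returns (ok, reason)."""
    pa, pb = switch["ports"][host_a["port"]], switch["ports"][host_b["port"]]
    if pa["vlan"] != pb["vlan"]:
        return False, "access ports are in different VLANs"
    vlan = switch["vlans"].get(pa["vlan"])
    if vlan is None:
        return False, "VLAN does not exist on the switch"
    if vlan.get("shutdown"):
        return False, "VLAN is shut down"
    if not (on_link(host_a, host_b["ip"]) and on_link(host_b, host_a["ip"])):
        return False, "at least one host would send via its default gateway"
    # Port security checks the SOURCE MAC of frames ENTERING a port, so only
    # host A's MAC is tested on A's port and host B's MAC on B's port.
    for port, host in ((pa, host_a), (pb, host_b)):
        allowed = port.get("port_security")          # None = feature disabled
        if allowed is not None and host["mac"] not in allowed:
            return False, f"port security on {host['port']} drops {host['mac']}"
    return True, "ping succeeds"

def scenario(vlan_a=2, vlan_b=2, ip_b="10.1.1.2", prefix_a=24, prefix_b=24, ps_f07=None):
    """Constructed topology: SW1 with VLANs 1 and 2, host A on F0/7, host B on F0/8."""
    switch = {"vlans": {1: {}, 2: {}},
              "ports": {"F0/7": {"vlan": vlan_a, "port_security": ps_f07},
                        "F0/8": {"vlan": vlan_b}}}
    host_a = {"port": "F0/7", "ip": "10.1.1.1", "prefix": prefix_a, "mac": "0200.1111.1111"}
    host_b = {"port": "F0/8", "ip": ip_b, "prefix": prefix_b, "mac": "0200.2222.2222"}
    return ping_works(switch, host_a, host_b)

if __name__ == "__main__":
    print("answer A:", scenario(vlan_a=2, vlan_b=1))
    print("answer B, /14:", scenario(ip_b="10.2.2.2", prefix_a=14, prefix_b=14))
    print("answer B, /15:", scenario(ip_b="10.2.2.2", prefix_a=15, prefix_b=15))
    print("answer D:", scenario(prefix_a=24, prefix_b=25))
    print("answer E:", scenario(ps_f07={"0200.1111.1111"}))
```

Only answer A fails in every case; answer B fails or succeeds depending on the mask, and answers D and E succeed, which matches the explanation above.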


11 Comments

  1. Grant June 12, 13:54

    I am not understanding your answer for choice E

    I thought once you enable port security on an interface only traffic from the dynamically, sticky or manually entered MAC will be allowed so any traffic from host B would be discarded.

    I understand that port security does not filter/ignore/drop frames by comparing the incoming frame to a list of frames in a table and only discarding the frame if the source MAC of the incoming frame is listed in a table of “do not allow these MACs in”

    Or do you mean that the configuration on port f0/7 might list Host A’s MAC as allowed, but since the sentence does not explicitly state that port-security is actually enabled, that no frames would be filtered despite what port-security settings have been entered?

    • CCENTSkills June 13, 08:24

      Hi Grant,
      Think once again about the flow of frames, and the source MAC of each frame. What’s the source MAC of frames that enter the switch’s F0/7? Host A’s MAC. Frames with host B’s MAC as a source MAC wouldn’t enter the switch’s F0/7 port. So, per your own 2nd paragraph: “…so that any traffic from host B would be discarded”, well, traffic from (aka w/ source MAC of) host B’s MAC would not enter F0/7, so that traffic would not be filtered.
      Hope this helps!
      Wendell

      • Peter September 14, 10:04

        Hi Wendell,

        According to your explanation, the echo reply from host B should not be allowed into F0/7 since it uses PC B’s MAC, which should cause the ping to fail.

      • Peter September 14, 11:30

        Never mind Wendell. Cleared up my confusion

        “port-security watches incoming frames only”. I’ll suggest this disclaimer be added to the section of the book on port-security.

  2. HectorJ January 26, 16:39

    You made the point, Wendell. That was a good one!!
    I think that somehow the question seems to be a little bit tricky. Mainly because we pass by the word “definitely” (big difference with “might”). Thanks

  3. JamesS April 13, 16:00

    So the answer is A?

    “the figure shows a simple small network in which all users should be in the same VLAN.”

    When reading this in the question we should not assume that all users are in the same VLAN?

    • CCENTSkills April 14, 10:20

      James,
      By that turn of phrase – “…all users should be in the same VLAN.” – I imagine that I meant that short phrase to mean the same thing as this longer phrase:
      “by design, they should be in the same VLAN, but this is a troubleshooting question, so you should think about all the things that could be done incorrectly.”
      Note that the statement doesn’t say something like “the ports have just been verified that they are configured to be in the same VLAN”.

      Wendell

  4. JamesS April 13, 16:02

    Question:

    “the figure shows a simple small network in which all users should be in the same VLAN.”

    So after seeing the answer it’s safe to assume that even though it says they SHOULD be in the same VLAN they were in fact not…

  5. sylas August 7, 18:33

    Wouldn’t B and D together also cause the ping to fail?

    • CCENTSkills August 10, 11:21

      Sylas,
      I agree, if you could combine B and D’s conditions into one answer, that’d be a correct answer. But individually, each is incorrect.
      Wendell
