Answer: Ping Doesn’t Work

 In 200-301 V1 Ch18: Troubleshooting Routing, 200-301 V1 Part 5: IPv4 Routing, CCENT-OLD, Q&A

Here’s the answer and explanation for Monday’s seemingly simple ping question. This one is a bit tougher than most, though, because it opens up the possibilities to pretty much anything that would cause a ping failure. As usual, the details are below the fold.

Answer(s): A

The question stated that, by design, the hosts are supposed to be in the same VLAN. As a result, the hosts should also be in the same subnet. Keeping both facts in mind, the following items list CCENT and CCNA level details that could cause the problem:

  • SW1’s F0/7 and F0/8 should both be assigned to the same VLAN (using the switchport access vlan interface subcommand).
  • That VLAN must exist on that switch. Note that the switchport access vlan x interface subcommand will create the VLAN automatically, assuming the switch is not also configured to be a VTP client.
  • Whatever that VLAN is, it must be enabled. VLANs may be disabled with the shutdown command from VLAN config mode; the VLAN must not be configured with the shutdown command. (Note: I consider this point to be an ICND2 or CCNA topic, not a ICND1 or CCENT topic.)
  • The two hosts must have IP addresses and masks such that they both believe the other IP address is in the same subnet. Such a belief makes each host try to send packets to the other host directly, rather than send the packet to the host’s default gateway.
  • If port security is enabled, it must not filter the packets going between the two hosts.

Moving through the answers, answer A results in port F0/7 in VLAN 2, and port F0/8 in (default) VLAN 1. The design calls for both to be in the same VLAN; assuming their IP addresses are in the same subnet, then the pings will fail, because an ARP broadcast sent by one host will not reach the other host.

For answer B, having IP addresses and does not tell us whether the addresses are or are not in the same subnet. Masks from /14 and shorter happen to put the addresses in the same subnet. Masks from /15 and longer put these addresses in different subnets. So, the information in this answer does not definitively cause the problem.

The VLAN interface on a switch, configured using the interface vlan 1 command, is a layer 3 interface on which an engineer can configure an IP address for the switch itself. This interface, its status, and its IP configuration has absolutely nothing to do with how the swith performs layer 2 switching.

Answer D lists a case that should be avoided, because hosts in the same subnet should use the same mask. However, if the hosts use different masks, and they both think that the other host is in their same subnet, then they still ARP, and still ping directly without using a router. For instance, imagine host A uses IP address, and host B uses, with the masks shown in this answer. Host A thinks is in its same subnet, and host B thinks is in its subnet. So, the two hosts still ARP for each other as needed, and both send packets directly to each other without attempting to use a default gateway (router).

Port security could cause the ping failure. However, as worded in answer E, port security will not cause a ping failure. That answer states that SW1 matches host A’s MAC address, with the logic enabled on the switch’s F0/7 interface. Port security logic matches a MAC address for the purpose of allowing traffic sourced from that address; port security does not match MAC addresses for the purpose of discarding the traffic.


Question: Ping Doesn't Work in a Simple Network
Happy 25th to Cisco Live!
Notify of

Newest Most Voted
Inline Feedbacks
View all comments

I am not understanding your answer for choice E

I thought once you enable port security on an interface only traffic from the dynamically, sticky or manually entered MAC will be allowed so any traffic from host B would be discarded.

I understand that port security does not filter/ignore/drop frames by comparing the incoming frame to a list of frames in a table and only discarding the frame if the source MAC of the incoming frame is listed in a table of “do not allow these MACs in”

Or do you mean that the configuration on port f0/7 might list Host A’s MAC as allowed, but since the sentence does not explicitly state that port-security is actually enabled, that no frames would be filtered despite what port-security settings have been entered?


Hi Grant,
Think once again about the flow of frames, and the source MAC of each frame. What’s the source MAC of frames that enter the switch’s F0/7? Host A’s MAC. frames with host B’s MAC as a source MAC wouldn’t enter the switch’s F0/7 port. So, per your own 2nd paragraph: “…so that any traffic from host B would be discarded”, well, traffic from (aka w/ source MAC of host B’s MAC) would not enter F0/7, so that traffic would not be filtered.
Hope this helps!


HI Wendell,

According to your Explanation, The echo reply from host B should not be allowed in to F0/7 since it uses PC’s B MAC which should cause the ping to fail.


Never mind Wendell. Cleared up my confusion

“port-security watches incoming frames only”. i’ll suggest this disclaimer be added to the section of the book on port-security.


You made the point, Wendell. That was a good one!!
I think that somehow the question seems to be a liitle bit tricky. Mainly because we pass by the word “definitly” (big difference with “might”). Thanks


So the answer is A?

“the figure shows a simple small network in which all users should be in the same VLAN.”

When reading this in the question we should not assume that all users are in the same VLAN?


By that turn of phrase – “…all users should be in the same VLAN.” – I imagine that I meant that short phrase to mean the same thing as this longer phrase:
“by design, they should be in the same VLAN, but this is a troubleshooting question, so you should think about all the things that could be done incorrectly.”
Note that the statement doesn’t say something like “the ports have just been verified that they are configured to be in the same VLAN”.




“the figure shows a simple small network in which all users should be in the same VLAN.”

So after seeing the answer its safe to assume that even though it says they SHOULD be in the same VLAN they were in fact not…


Sorry, didn’t see your 2nd comment till I answered the first… seems like we’re on the same page now.


Wouldn’t B and D together also cause the ping to fail?


I agree, if you could combine B and D’s conditions into one answer, that’d be a correct answer. But individually, each is incorrect.


Only A is definitive.

B – That would “not be true if the Class A address had a default Class A mask, – as it does not state the mask, we cannot say 100% this would be true, so rule out this one.

C – if the devices were configured to use Vlan1 then this would be true, but as it does not state what VLAN they are part of (as it could be different) rule this out.

D – My understanding is if the devices had IP’s within .126 and the PC’s considered the IP to still be within the Default gateway range, this would not be the cause, so again, rule out….(I may be misunderstanding here though)

E – Port security even if configured, would not affect frames being sent to host A, seen as host A and B have not switched ports and A is still on Fa0/7 – then only of another device replacing host A (if 1 max mac address and that being host A’s mac, was configured in port security) – one example could be Host A PC has been replaced with another Host A PC because of some Windows blue screen or whatever, but there was no mention of Host A PC having been replaced/swapped, so again, rule this out.

To be honest I answered on a piece of paper then clicked for answer, so thought I would come back and answer why I got only A….

P.S Thanks for all these blogs, they are very good!

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Would love your thoughts, please comment.x