Answer: Ping Doesn’t Work
Here’s the answer and explanation for Monday’s seemingly simple ping question. This one is a bit tougher than most, though, because it opens up the possibilities to pretty much anything that would cause a ping failure. As usual, the details are below the fold.
The question stated that, by design, the hosts are supposed to be in the same VLAN. As a result, the hosts should also be in the same subnet. Keeping both facts in mind, the following items list CCENT and CCNA level details that could cause the problem:
- SW1’s F0/7 and F0/8 should both be assigned to the same VLAN (using the switchport access vlan x interface subcommand).
- That VLAN must exist on that switch. Note that the switchport access vlan x interface subcommand will create the VLAN automatically, assuming the switch is not also configured to be a VTP client.
- Whatever that VLAN is, it must be enabled. VLANs may be disabled with the shutdown command from VLAN config mode; the VLAN must not be configured with the shutdown command. (Note: I consider this point to be an ICND2 or CCNA topic, not an ICND1 or CCENT topic.)
- The two hosts must have IP addresses and masks such that they both believe the other IP address is in the same subnet. Such a belief makes each host try to send packets to the other host directly, rather than send the packet to the host’s default gateway.
- If port security is enabled, it must not filter the packets going between the two hosts.
Moving through the answers, answer A results in port F0/7 in VLAN 2, and port F0/8 in (default) VLAN 1. The design calls for both to be in the same VLAN; assuming their IP addresses are in the same subnet, then the pings will fail, because an ARP broadcast sent by one host will not reach the other host.
For answer B, having IP addresses 10.1.1.1 and 10.2.2.2 does not tell us whether the addresses are or are not in the same subnet. Masks from /14 and shorter happen to put the addresses in the same subnet. Masks from /15 and longer put these addresses in different subnets. So, the information in this answer does not definitively cause the problem.
The VLAN interface on a switch, configured using the interface vlan 1 command, is a layer 3 interface on which an engineer can configure an IP address for the switch itself. This interface, its status, and its IP configuration have absolutely nothing to do with how the switch performs layer 2 switching.
Answer D lists a case that should be avoided, because hosts in the same subnet should use the same mask. However, if the hosts use different masks, and they both think that the other host is in their same subnet, then they still ARP, and still ping directly without using a router. For instance, imagine host A uses IP address 10.1.1.1, and host B uses 10.1.1.2, with the masks shown in this answer. Host A thinks 10.1.1.2 is in its same subnet, and host B thinks 10.1.1.1 is in its subnet. So, the two hosts still ARP for each other as needed, and both send packets directly to each other without attempting to use a default gateway (router).
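The same-subnet reasoning behind answers B and D, worked through as an added example that is not part of the original post. The function names are hypothetical, and the /24 and /25 masks and the 10.1.1.200 address are constructed for illustration, because the masks from answer D are not reproduced on this page.

```python
import ipaddress


def sees_as_local(own_ip: str, own_prefix: int, peer_ip: str) -> bool:
    """True if a host configured as own_ip/own_prefix treats peer_ip as being
    in its own subnet, so it ARPs for the peer instead of using its gateway."""
    own_net = ipaddress.ip_interface(f"{own_ip}/{own_prefix}").network
    return ipaddress.ip_address(peer_ip) in own_net


def direct_delivery(a_ip: str, a_prefix: int, b_ip: str, b_prefix: int) -> bool:
    """Both hosts must believe the other is local for the echo request and
    the echo reply to be sent directly, without a router."""
    return sees_as_local(a_ip, a_prefix, b_ip) and sees_as_local(b_ip, b_prefix, a_ip)


def longest_shared_prefix(ip1: str, ip2: str) -> int:
    """Longest prefix length at which both addresses still share a subnet:
    the number of leading bits the two addresses have in common."""
    diff = int(ipaddress.IPv4Address(ip1)) ^ int(ipaddress.IPv4Address(ip2))
    return 32 - diff.bit_length()


if __name__ == "__main__":
    # Answer B: the addresses alone do not settle it; the mask does.
    boundary = longest_shared_prefix("10.1.1.1", "10.2.2.2")
    print(f"10.1.1.1 and 10.2.2.2 share a subnet for /{boundary} and shorter")
    for prefix in (13, 14, 15, 16):
        ok = direct_delivery("10.1.1.1", prefix, "10.2.2.2", prefix)
        print(f"  both hosts /{prefix}: direct delivery = {ok}")

    # Answer D: different masks (constructed: /24 and /25), yet each host
    # still finds the other inside its own subnet.
    print(direct_delivery("10.1.1.1", 24, "10.1.1.2", 25))

    # Constructed counter-case: host A (/24) believes 10.1.1.200 is local,
    # but 10.1.1.200/25 sits in 10.1.1.128/25 and sends the reply to its gateway.
    print(sees_as_local("10.1.1.1", 24, "10.1.1.200"),
          sees_as_local("10.1.1.200", 25, "10.1.1.1"))
```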
Port security could cause the ping failure. However, as worded in answer E, port security will not cause a ping failure. That answer states that SW1 matches host A’s MAC address, with the logic enabled on the switch’s F0/7 interface. Port security logic matches a MAC address for the purpose of allowing traffic sourced from that address; port security does not match MAC addresses for the purpose of discarding the traffic.