CCNA Troubleshooting Commands: The Complete Reference Guide for Network Engineers
Keywords: CCNA Troubleshooting Commands • Cisco IOS Show Commands • Network Troubleshooting Cisco • CCNA Debug Commands • Cisco Switch Troubleshooting • OSPF Troubleshooting Commands • VLAN Troubleshooting Cisco • Ping Traceroute Cisco • Routing Troubleshooting Commands • Cisco Router Commands • DHCP Troubleshooting Cisco • NAT Troubleshooting IOS • STP Troubleshooting • Cisco ACL Debug • Interface Troubleshooting Cisco
Passing the CCNA exam is one thing. Sitting across from a senior engineer during a network outage with a console cable in your hand is another. The commands in this guide are the ones that get typed at 2am when something’s broken and users are calling. Each entry includes what the command shows, what to look for in the output, and the follow-up question that comes next.
May 2026 | ⏱ 35 min read | Cisco IOS • IOS-XE • Catalyst • ISR • CCNA 200-301 | ⚙ CCNA Students • Network Technicians • Help Desk Engineers
How to Use This Guide
Commands are organized by OSI layer and function. Use the table of contents to jump to the specific problem area. Every command includes the expected output fields and what a problem looks like in those fields. Debug commands are marked separately — use them carefully in production and always disable them when done.
Sections in This Guide
1. The Troubleshooting Methodology
2. Layer 1 — Physical & Interface Commands
3. Layer 2 — Switching, VLANs & STP
4. Layer 3 — IP, ARP & Routing Table
5. Routing Protocols — OSPF & EIGRP
6. VLAN & Trunk Troubleshooting
7. DHCP Troubleshooting
8. NAT Troubleshooting
9. ACL Troubleshooting
10. CDP & LLDP Discovery
11. Connectivity Testing — Ping & Traceroute
12. Debug Commands Reference
13. System & Device Health Commands
14. Master Quick-Reference Table
15. FAQ
1. The Troubleshooting Methodology
Before running a single command, know what problem you’re trying to solve. Typing show running-config on every device until something looks wrong is not troubleshooting — it’s searching. Start with a question. Then run the command that answers that question.
| Layer | Symptom Points Here | First Command | Key Field to Check |
|---|---|---|---|
| L1 Physical | Interface down, cable issue, CRC errors | show interfaces | Line/protocol status, CRC, input errors |
| L2 Data Link | VLAN mismatch, STP issue, trunk problem | show vlan brief | VLAN membership, trunk status |
| L3 Network | Ping fails, no route, ARP issue | show ip route | Default route, specific prefix, AD/metric |
| L4–7 Upper | Ping works, but application fails | show ip access-lists | ACL hit counters, NAT table |
Bottom-up vs top-down: Bottom-up (start at Layer 1) is systematic but slow. Top-down (start at Layer 7) finds the failure faster but requires experience to know where to start. Most working engineers use divide-and-conquer: if ping works, Layer 1–3 are fine — look at ACLs and NAT. If ping fails, start at Layer 3 (routing table) and work down. Know the symptom well enough to skip layers.
2. Layer 1 — Physical & Interface Commands
show interfaces
Also: show interfaces GigabitEthernet0/1 | show interfaces status
The single most important troubleshooting command for interface problems. Shows physical state, protocol state, error counters, and utilization. Run it before touching any cable or configuration.
```
# Key output lines and what they mean:
GigabitEthernet0/0 is up, line protocol is up          ← L1 up, L2 up (normal)
GigabitEthernet0/1 is down, line protocol is down      ← No cable or cable unplugged
GigabitEthernet0/2 is up, line protocol is down        ← Cable connected, L2 problem
GigabitEthernet0/3 is administratively down            ← Shutdown command applied
5 minute input rate 1000 bits/sec, 2 packets/sec       ← Current utilization
Input errors: 247, CRC: 190, frame: 0                  ← CRC = bad cable/duplex mismatch
Output queue drops: 1847                               ← Congestion, QoS issue
Late collisions: 102                                   ← Duplex mismatch on GigE link
```
show interfaces status
Switch-specific command that gives a compact view of all ports: connection status, VLAN assignment, speed, and duplex. The fastest way to see which ports are connected, which are down, and what speed they negotiated.
```
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     PC-Accounting      connected    10         a-full  a-100 10/100/1000BaseTX
Gi0/2     IP-Phone-101       connected    voice      a-full  a-100 10/100/1000BaseTX
Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/4     UPLINK-DISTRIB     connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/5                        err-disabled 10           auto   auto 10/100/1000BaseTX   ← BPDU Guard triggered
```
show interfaces counters errors
Shows error counters per port in a clean tabular format. Particularly useful on switches where you need to check errors across multiple ports without running show interfaces on each port individually. CRC errors incrementing on a Gigabit port indicate a bad cable, dirty SFP, or duplex mismatch.
```
Port       Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscard
Gi0/1              0          0          0          0          0           0   ← Clean
Gi0/2              0       1847          0          0          0           0   ← CRC: bad cable
Gi0/3              0          0          0          0          0        5821   ← Output drops: congestion
```
show errdisable recovery | show interfaces status err-disabled
When a port goes err-disabled, this command shows the reason and whether automatic recovery is configured. The reason tells you exactly what triggered the shutdown: bpduguard (a switch connected to an access port), psecure-violation (MAC limit exceeded), udld (unidirectional link), arp-inspection, dhcp-snooping, and others.
```
# Show reason for each err-disabled port
show interfaces status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/5                        err-disabled bpduguard            ← switch plugged into access port

# Fix: unplug the rogue switch, then recover the port
interface GigabitEthernet0/5
 shutdown
 no shutdown

# Configure automatic recovery (use carefully — removes protection if not fixed)
errdisable recovery cause bpduguard
errdisable recovery interval 300
```
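The Layer 1 commands above are usually read by eye, one port at a time. The following is an added example (not from the guide or from Cisco) that applies the guide's reading of the counters to captured output: it parses constructed samples of `show interfaces status` and `show interfaces counters errors` and returns, per port, what to chase first (err-disabled, CRC/alignment errors, output discards, half duplex). Port names and counter values are made up.

```python
"""Layer 1 triage helper.

Added example, not part of the guide: parses constructed samples of
`show interfaces status` and `show interfaces counters errors` output and
returns, per port, the conditions a technician should chase first.
"""
import re

# Constructed sample of `show interfaces status` (Gi0/5 is err-disabled).
STATUS_SAMPLE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     PC-Accounting      connected    10         a-full  a-100 10/100/1000BaseTX
Gi0/2     IP-Phone-101       connected    voice      a-full  a-100 10/100/1000BaseTX
Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/4     UPLINK-DISTRIB     connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/5                        err-disabled 10           auto   auto 10/100/1000BaseTX
"""

# Constructed sample of `show interfaces counters errors`.
ERRORS_SAMPLE = """\
Port       Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscard
Gi0/1              0          0          0          0          0           0
Gi0/2              0       1847          0          0          0           0
Gi0/3              0          0          0          0          0           0
Gi0/4              0          0          0          0          0        5821
Gi0/5              0          0          0          0          0           0
"""

# The Name column may be empty, so anchor the parse on the Status keyword.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|err-disabled|disabled)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>\S+)\s*$"
)

def parse_status(text):
    """Map port -> column fields from `show interfaces status`."""
    ports = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            ports[m["port"]] = m.groupdict()
    return ports

def parse_errors(text):
    """Map port -> {counter name: int} from `show interfaces counters errors`."""
    lines = text.splitlines()
    header = lines[0].split()          # ['Port', 'Align-Err', 'FCS-Err', ...]
    counters = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header) and all(f.isdigit() for f in fields[1:]):
            counters[fields[0]] = dict(zip(header[1:], map(int, fields[1:])))
    return counters

# What each finding means, following the guide's interpretation of the counters.
FINDINGS = {
    "err-disabled": "port shut by a protection feature; run 'show interfaces status err-disabled' for the reason",
    "crc":          "FCS/CRC or alignment errors: bad cable, dirty SFP or duplex mismatch",
    "output-drops": "output discards: congestion or QoS policy on this port",
    "half-duplex":  "connected at half duplex: check for a duplex mismatch",
}

def triage(status_text, errors_text):
    """Return {port: [finding codes]} for ports that need attention, sorted by port."""
    result = {}
    for port, row in parse_status(status_text).items():
        if row["status"] == "err-disabled":
            result.setdefault(port, []).append("err-disabled")
        elif row["status"] == "connected" and row["duplex"].endswith("half"):
            result.setdefault(port, []).append("half-duplex")
    for port, c in parse_errors(errors_text).items():
        if c["FCS-Err"] or c["Align-Err"]:
            result.setdefault(port, []).append("crc")
        if c["OutDiscard"]:
            result.setdefault(port, []).append("output-drops")
    return dict(sorted(result.items()))

if __name__ == "__main__":
    for port, codes in triage(STATUS_SAMPLE, ERRORS_SAMPLE).items():
        for code in codes:
            print(f"{port}: {FINDINGS[code]}")
```

Ports that are merely `notconnect` are deliberately not reported: an unused port is normal, and the guide's point is to look at ports that are connected but erroring, or that a protection feature has shut down.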
3. Layer 2 — Switching, VLANs & STP Commands
show mac address-table
Also: show mac address-table address <MAC> | show mac address-table vlan <id> | show mac address-table dynamic
The MAC address table (CAM table) maps MAC addresses to the switch port where they were last seen. Use it to find which port a specific device is connected to. If the MAC appears on an uplink (trunk) port, the device is on a downstream switch — connect to that switch and repeat.
```
# Find which port a specific MAC is on
show mac address-table address 0050.56aa.1234
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.1234    DYNAMIC     Gi0/3     ← Device is on Gi0/3, VLAN 10

# Clear stale entries (forces re-learning)
clear mac address-table dynamic
clear mac address-table dynamic address 0050.56aa.1234
clear mac address-table dynamic interface GigabitEthernet0/3
```
show spanning-tree
Also: show spanning-tree vlan 10 | show spanning-tree summary | show spanning-tree detail
Shows the STP topology for each VLAN: root bridge identity, port roles (root, designated, alternate, backup), and port states (forwarding, blocking, learning). Critical for diagnosing connectivity loops, unexpected blocking, or slow convergence after a link change.
```
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586              ← 24576 + VLAN 10 (STP port priority)
             Address     0050.56aa.0001
             This bridge is the root        ← This switch is root for VLAN 10

  Bridge ID  Priority    24586
             Address     0050.56aa.0001

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Gi0/1               Desg FWD 4         128.1    P2p   ← Designated, Forwarding (normal)
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/4               Root FWD 4         128.4    P2p   ← Root port (toward root bridge)
Gi0/5               Altn BLK 4         128.5    P2p   ← Alternate = Blocked (backup path)
```
Broadcast storm indicator: If a port that should be forwarding is blocking, connectivity in that VLAN is broken. If a port that should be blocking is forwarding on both links of a redundant path, you have a loop. Use show spanning-tree detail to see TCN (Topology Change Notification) counts — rapidly incrementing TCNs indicate a flapping link causing frequent STP reconvergence.
show spanning-tree inconsistentports | show spanning-tree blockedports
Inconsistent ports are ports in a “root inconsistent” state — they received a superior BPDU from a device that should not be the root bridge. PortFast with BPDU Guard handles the most common case. Root Guard handles cases where a specific port should never accept a superior BPDU. Run this when devices on a VLAN can’t reach each other despite physical connectivity.
show interfaces trunk
Shows all trunk ports, the VLANs they’re allowed to carry, the VLANs actually active, and which are forwarding. A VLAN missing from the “VLANs allowed and active” column means traffic for that VLAN cannot cross this trunk link. The most common cause is the VLAN not existing in the VLAN database on one switch.
```
Port        Mode         Encapsulation  Status        Native vlan
Gi0/4       on           802.1q         trunking      1    ← Native VLAN 1 = security risk
Gi0/5       auto         802.1q         not-trunking  1    ← DTP failed to negotiate trunk

Port        VLANs allowed on trunk
Gi0/4       1-4094

Port        VLANs allowed and active in management domain
Gi0/4       1,10,20,30,99       ← VLANs passing on this trunk

Port        VLANs in spanning tree forwarding state and not pruned
Gi0/4       1,10,20,30,99
```
4. Layer 3 — IP, ARP & Routing Table Commands
show ip interface brief
The fastest overview of all IP addresses and interface states on a router or Layer 3 switch. Always run this first on a router when troubleshooting — it tells you in 10 lines what 20 minutes of reading the running config would tell you. An IP showing as “unassigned” means DHCP hasn’t assigned an address yet or the interface was misconfigured.
```
Interface              IP-Address      OK? Method Status     Protocol
GigabitEthernet0/0     203.0.113.1     YES NVRAM  up         up        ← Normal
GigabitEthernet0/1     192.168.10.1    YES NVRAM  up         up
GigabitEthernet0/2     unassigned      YES unset  down       down      ← No cable
Loopback0              10.0.0.1        YES NVRAM  up         up
Vlan10                 192.168.10.1    YES NVRAM  up         up
Vlan20                 192.168.20.1    YES NVRAM  up         down      ← No active ports in VLAN 20
```
show ip route
Also: show ip route 192.168.1.0 | show ip route ospf | show ip route static
The routing table is the decision engine for all Layer 3 forwarding. If a route isn’t here, traffic to that destination is dropped. The code letter at the start of each line tells you the source: C=connected, S=static, O=OSPF, D=EIGRP, B=BGP, R=RIP. The number in square brackets is [administrative distance/metric].
```
Codes: C - connected, S - static, O - OSPF, D - EIGRP, B - BGP

Gateway of last resort is 203.0.113.9 to network 0.0.0.0     ← Default route exists
Gateway of last resort is not set                             ← NO default route = no internet

C    192.168.10.0/24 is directly connected, GigabitEthernet0/1
S    0.0.0.0/0 [1/0] via 203.0.113.9                          ← Static default [AD1/metric0]
O    10.2.0.0/24 [110/2] via 10.0.0.2, 00:14:32, Gi0/0         ← OSPF [AD110/cost2]
D    172.16.0.0/24 [90/156160] via 10.0.0.3, Gi0/0            ← EIGRP [AD90/composite metric]

# Check specific destination prefix:
show ip route 8.8.8.8
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 203.0.113.9, via GigabitEthernet0/0                       ← Next hop and exit interface
```
show arp | show ip arp
Also: show ip arp 192.168.1.100 | clear arp-cache
The ARP cache maps IP addresses to MAC addresses for directly connected subnets. If a host’s IP address is in the routing table but not in the ARP cache, the router can’t forward traffic to it — it’ll send an ARP request and wait. An incomplete ARP entry (shown as “Incomplete”) means the router sent an ARP request but got no reply, indicating the host is unreachable at Layer 2.
```
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1             -  0050.56aa.0001  ARPA   GigabitEthernet0/1   ← Router itself
Internet  192.168.10.100          12  0050.56ff.1234  ARPA   GigabitEthernet0/1   ← Known host
Internet  192.168.10.200           0  Incomplete      ARPA   GigabitEthernet0/1   ← Host unreachable!

# If host is unreachable, clear stale entry and retry:
clear arp-cache
# Then ping 192.168.10.200 and check show ip arp again
```
5. Routing Protocols — OSPF & EIGRP Troubleshooting
OSPF Troubleshooting Commands
show ip ospf neighbor
Shows all OSPF neighbor adjacencies and their current state. The state should be FULL for normal operation. Any other state indicates the adjacency is stuck: 2WAY (normal for DROther routers on Ethernet), EXSTART/EXCHANGE/LOADING (temporarily during LSDB exchange, but should complete in seconds), or DOWN/INIT (no adjacency).
```
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:38    10.0.0.2        Gi0/0   ← Full adjacency (DR role)
10.0.0.3          1   FULL/BDR        00:00:35    10.0.0.3        Gi0/0   ← Full adjacency (BDR role)
10.0.0.4          0   INIT            00:00:35    10.0.0.4        Gi0/1   ← Receiving Hellos, not seen in theirs
10.0.0.5          1   EXSTART         00:00:40    10.0.0.5        Gi0/2   ← MTU mismatch likely cause

# OSPF adjacency troubleshooting checklist:
# 1. Same subnet?  → show ip interface brief
# 2. Same area?    → show ip ospf interface Gi0/0
# 3. Same timers?  → show ip ospf interface (hello/dead interval must match)
# 4. Same MTU?     → ip ospf mtu-ignore (workaround) or fix MTU mismatch
# 5. Same auth?    → show ip ospf interface (authentication type must match)
```
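The state column is the whole story in this output, and the checklist above maps each stuck state to a cause. As an added example (not from the guide or from Cisco), here is a small parser that reads a constructed `show ip ospf neighbor` sample, splits the state from the DR role, and for every neighbor that is not FULL names the checklist item to look at next. Neighbor IDs and interfaces are made up.

```python
"""OSPF adjacency triage.

Added example, not part of the guide: parses a constructed `show ip ospf neighbor`
sample and, for each neighbor that is not FULL, names the item from the guide's
adjacency checklist to look at next. Neighbor IDs and interfaces are made up.
"""
import re

NEIGHBOR_SAMPLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:38    10.0.0.2        GigabitEthernet0/0
10.0.0.3          1   FULL/BDR        00:00:35    10.0.0.3        GigabitEthernet0/0
10.0.0.6          1   2WAY/DROTHER    00:00:33    10.0.0.6        GigabitEthernet0/0
10.0.0.4          0   INIT/DROTHER    00:00:35    10.0.0.4        GigabitEthernet0/1
10.0.0.5          1   EXSTART/DR      00:00:40    10.0.0.5        GigabitEthernet0/2
10.0.0.7          1   EXCHANGE/DR     00:00:39    10.0.0.7        GigabitEthernet0/3
"""

# One neighbor per line: router ID, priority, STATE/ROLE, dead timer, address, interface.
ROW_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d|-)\s+(?P<addr>\S+)\s+(?P<intf>\S+)\s*$"
)

def parse_neighbors(text):
    """One dict per neighbor row; the State column is split into state and DR role."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["state"], _, row["role"] = row["state"].partition("/")
            rows.append(row)
    return rows

def assess(row):
    """(verdict, next check) for one neighbor, following the guide's checklist."""
    state, role = row["state"], row["role"]
    if state == "FULL":
        return "ok", ""
    if state == "2WAY":
        if role == "DROTHER":
            return "ok", "normal between two DROthers on a broadcast segment"
        return "stuck", "2WAY with a DR/BDR should have progressed: check priorities and the DR election"
    if state in ("DOWN", "ATTEMPT"):
        return "stuck", "no Hellos received: check subnet, area and hello/dead timers (steps 1-3)"
    if state == "INIT":
        return "stuck", "neighbor does not list us in its Hellos: check authentication (step 5) and inbound filtering"
    if state in ("EXSTART", "EXCHANGE", "LOADING"):
        return "stuck", "database exchange not completing: check for an MTU mismatch (step 4)"
    return "stuck", f"unexpected state {state}: compare 'show ip ospf interface' on both ends"

def ospf_report(text):
    """(interface, neighbor id, state, verdict, next check) per neighbor, stuck ones first."""
    rows = parse_neighbors(text)
    report = [(r["intf"], r["rid"], r["state"]) + assess(r) for r in rows]
    return sorted(report, key=lambda item: item[3] != "stuck")

if __name__ == "__main__":
    for intf, rid, state, verdict, hint in ospf_report(NEIGHBOR_SAMPLE):
        print(f"{intf:20} {rid:12} {state:9} {verdict:5} {hint}")
```

Note that 2WAY is only healthy between two DROthers; a neighbor that is 2WAY toward the DR or BDR has failed to move on to database exchange, so the script flags it rather than treating every 2WAY as normal.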
show ip ospf interface brief | show ip ospf interface
Shows OSPF-enabled interfaces, their areas, roles (DR/BDR/DROther), hello/dead timer values, and neighbor count. This is the command to run when OSPF neighbors won’t form — mismatched Hello/Dead intervals between two routers will prevent adjacency. The cost on each interface determines which path OSPF prefers.
```
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Gi0/0        1     0               10.0.0.1/30        1     DR    2/2
Gi0/1        1     1               10.1.0.1/30        1     P2P   1/1
Lo0          1     0               10.0.0.254/32      1     LOOP  0/0

# Full detail per interface — check hello/dead timers:
show ip ospf interface GigabitEthernet0/0
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  ← Hello must match on both sides (10 sec default on Ethernet)
  Network Type BROADCAST, Cost: 1
  DR: 10.0.0.1  BDR: 10.0.0.2
  Nbr Count: 2
```
EIGRP Troubleshooting Commands
show ip eigrp neighbors
Shows EIGRP neighbor adjacencies with their address, hold time, uptime, and number of routes queued. A rapidly resetting hold timer or a neighbor that keeps dropping and reforming indicates a flapping link or mismatched K-values (metric components). EIGRP neighbors will not form if K-values don’t match — this is a common exam question and a real-world issue.
```
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface   Hold  Uptime    SRTT   RTO  Q  Seq
0   10.0.0.2        Gi0/0         11  02:14:33     1   100  0  147   ← Normal
1   10.1.0.2        Gi0/1          9  01:02:15     2   200  0   98   ← Normal

# If no neighbors appear, verify:
show ip eigrp interfaces    # Which interfaces are EIGRP-enabled
show ip protocols           # Verify AS number, networks, K-values, passive interfaces
```
show ip eigrp topology | show ip eigrp topology all-links
Shows the EIGRP topology table including the successor (best path) and feasible successors (backup paths) for each destination. A prefix stuck in Active state (marked as “A”) means EIGRP is querying neighbors for an alternative path and hasn’t received replies — this is called SIA (Stuck in Active) and usually indicates a reachability problem to a downstream router.
```
EIGRP-IPv4 Topology Table for AS(100)
Codes: P - Passive (good), A - Active (problem), U - Update, Q - Query

P 192.168.1.0/24, 1 successors, FD is 28160                     ← Passive = normal
        via 10.0.0.2 (28160/2816), GigabitEthernet0/0           ← Successor (best path)
        via 10.1.0.2 (30720/2816), GigabitEthernet0/1           ← Feasible Successor (backup)
A 172.16.0.0/24, 0 successors, FD is Infinity                   ← Active = STUCK, problem!
```
6. VLAN & Trunk Troubleshooting Commands
show vlan brief
Shows all VLANs defined in the VLAN database and which switch ports are assigned to each VLAN. If a VLAN is missing from this list, it doesn’t exist on this switch and cannot carry traffic, even if the trunk port is configured to allow it. A VLAN that exists but has no ports assigned to it will show as active but carry no local traffic.
```
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------------
1    default                          active    Gi0/3, Gi0/6, Gi0/7, Gi0/8
10   Corporate-Users                  active    Gi0/1, Gi0/2
20   Voice-VLAN                       active    Gi0/1, Gi0/2
30   IoT-Devices                      active                                  ← No ports! VLAN exists but unused
99   Management                       act/lshut                               ← VLAN shutdown command applied
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
```
VLAN Troubleshooting Sequence
1. show vlan brief — Does the VLAN exist on this switch?
2. show interfaces GigabitEthernet0/1 switchport — Is the port an access port? Correct VLAN?
3. show interfaces trunk — Is the VLAN in the allowed and active lists?
4. show ip interface brief — Does the SVI for this VLAN exist and is it up/up?
5. Ping the SVI from a host in that VLAN. If ping fails, Layer 2 connectivity issue. If ping to SVI works but inter-VLAN fails, check routing on the Layer 3 switch or router.
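Steps 1 and 3 of this sequence are easy to get wrong when you are comparing two switches by eye: a VLAN allowed on the trunk still needs to be active in both VLAN databases. As an added example (not from the guide or from Cisco), the following checks that mechanically. It takes `show vlan brief` from both ends of a trunk plus the trunk's "VLANs allowed" list, treats `act/lshut` and `act/unsup` as not carrying traffic, and reports the allowed VLANs that are active on one side only. Both VLAN tables are constructed samples.

```python
"""VLAN database consistency across a trunk.

Added example, not part of the guide: given `show vlan brief` from both ends of a
trunk and the trunk's allowed-VLAN list, report which allowed VLANs are active on
one switch only (those cannot carry traffic across the trunk). Samples constructed.
"""
import re

LOCAL_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------------
1    default                          active    Gi0/3, Gi0/6, Gi0/7, Gi0/8
10   Corporate-Users                  active    Gi0/1, Gi0/2
20   Voice-VLAN                       active    Gi0/1, Gi0/2
30   IoT-Devices                      active
99   Management                       act/lshut
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
"""

REMOTE_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------------
1    default                          active    Gi0/10, Gi0/11
10   Corporate-Users                  active    Gi0/12
20   Voice-VLAN                       active    Gi0/12
99   Management                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
"""

# A VLAN row: id, name, status; the Ports column may be empty.
VLAN_ROW_RE = re.compile(r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<status>active|act/\S+|suspended)\b")

def active_vlans(vlan_brief):
    """VLAN IDs whose status is exactly 'active' (act/lshut and act/unsup carry no traffic)."""
    ids = set()
    for line in vlan_brief.splitlines():
        m = VLAN_ROW_RE.match(line)
        if m and m["status"] == "active":
            ids.add(int(m["id"]))
    return ids

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12,99' or '1-4094' into a set ('none' -> empty)."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        hi = hi or lo
        vlans.update(range(int(lo), int(hi) + 1))
    return vlans

def trunk_gaps(allowed_spec, local_brief, remote_brief):
    """Allowed VLANs that are active on only one of the two switches, plus the usable set."""
    allowed = expand_vlan_list(allowed_spec)
    local = active_vlans(local_brief) & allowed
    remote = active_vlans(remote_brief) & allowed
    return {
        "missing_on_remote": sorted(local - remote),   # local hosts in these VLANs die at the trunk
        "missing_on_local": sorted(remote - local),
        "usable": sorted(local & remote),
    }

if __name__ == "__main__":
    # "1-4094" is the default allowed list, as in the guide's show interfaces trunk output.
    print(trunk_gaps("1-4094", LOCAL_VLAN_BRIEF, REMOTE_VLAN_BRIEF))
```

With these samples VLAN 30 exists only locally and VLAN 99 is shut down locally, so neither can cross the trunk even though the trunk allows all VLANs; that is the "VLAN missing from the allowed-and-active column" condition from the `show interfaces trunk` section, found before you have to read that column.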
show interfaces GigabitEthernet0/1 switchport
Shows the switchport configuration of a specific port: whether it’s access or trunk, which VLAN it’s in, and whether DTP is negotiating. The most common issue found here: a port configured as an access port in VLAN 1 (the default) when it should be in a different VLAN.
```
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access                  ← Hardcoded as access (good)
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Access Mode VLAN: 10 (Corporate-Users)              ← Should this be 10? Check device config
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 20                                      ← IP phone voice VLAN correct

# Common findings here:
# Administrative Mode: dynamic auto  → DTP enabled, security risk
# Access Mode VLAN: 1                → port is in VLAN 1 (probably wrong)
# Trunking VLANs Enabled: ALL        → trunk not filtered (check if intended)
```
7. DHCP Troubleshooting Commands
show ip dhcp pool | show ip dhcp binding | show ip dhcp conflict
Three essential DHCP server-side commands. Pool shows the defined ranges and how many addresses are available vs leased. Binding shows active leases (which client has which IP). Conflict shows IP addresses that were found in use during a probe — the DHCP server won’t assign these. A growing conflict table indicates IP conflicts in the network.
```
# Check pool utilization
show ip dhcp pool
Pool VLAN10 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 100
 Leased addresses               : 100        ← Pool EXHAUSTED — clients can't get IPs
 Excluded addresses             : 20         ← Addresses excluded from pool
 Pending event                  : none

# View active leases
show ip dhcp binding
IP address        Client-ID/              Lease expiration        Type
                  Hardware address
192.168.10.100    0100.5056.ff12.34       May 12 2026 08:14 PM    Automatic
192.168.10.101    0100.5056.ff56.78       May 12 2026 09:22 PM    Automatic

# Check conflicts (addresses being avoided)
show ip dhcp conflict
IP address        Detection method   Detection time          VRF
192.168.10.50     Ping               May 12 2026 07:11 AM         ← IP already in use!

# Clear conflict entries (after resolving the static IP conflict)
clear ip dhcp conflict *
```
show ip dhcp snooping statistics | show ip dhcp snooping binding
When DHCP snooping is enabled, these commands reveal whether DHCP packets are being dropped and why. A high drop count on a specific interface often means DHCP traffic is arriving on an untrusted port (the DHCP server’s uplink is configured as untrusted, or a rogue DHCP server is present). The binding table built by DHCP snooping is also used by DAI (Dynamic ARP Inspection) and IP Source Guard.
```
show ip dhcp snooping statistics
 Packets Processed by DHCP Snooping                      4712
 Packets Dropped:
   Packets with wrong type on untrusted port             847   ← DHCP offers on untrusted ports (check trust config)
   Server replies on untrusted port                      847
   Packets from untrusted host on trusted port             0

# Verify which ports are trusted
show ip dhcp snooping | include Trust
```
8. NAT Troubleshooting Commands
show ip nat translations | show ip nat translations verbose
The NAT translation table shows active sessions: inside local (private source IP), inside global (public IP the private is translated to), outside local, and outside global. If a host can reach the internet from the router itself but not from behind the router, the NAT translation table is the first place to check. An empty table when traffic should be flowing means NAT isn’t matching the traffic — check the ACL in the NAT rule and the ip nat inside / ip nat outside interface assignments.
```
show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
tcp  203.0.113.1:1025     192.168.10.5:1025    8.8.8.8:53           8.8.8.8:53
tcp  203.0.113.1:1026     192.168.10.5:1026    104.16.0.0:443       104.16.0.0:443
tcp  203.0.113.1:1027     192.168.10.10:1027   1.1.1.1:443          1.1.1.1:443

# No entries = NAT not translating. Check:
show ip nat statistics
# Look for: Hits (translations successful) vs Misses (no match found)
# Inside interfaces:  should show your LAN interface
# Outside interfaces: should show your WAN interface

# Clear NAT table (use carefully in production)
clear ip nat translation *
```
show ip nat statistics
```
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Peak translations: 47, occurred 00:12:44 ago
Outside interfaces:
  GigabitEthernet0/0                    ← Must be marked ip nat outside
Inside interfaces:
  GigabitEthernet0/1                    ← Must be marked ip nat inside
Hits: 1847  Misses: 0
Expired translations: 41
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-ACL interface GigabitEthernet0/0 refcount 3
        ^ This ACL must match traffic from LAN clients

# If Misses is incrementing rapidly:
# → The NAT ACL doesn't match the LAN traffic
# → Check: show access-list NAT-ACL (is the LAN subnet in the permit?)
```
9. ACL Troubleshooting Commands
show access-lists | show ip access-lists
Also: show access-lists ACLNAME | show ip interface GigabitEthernet0/0 (to see applied ACLs)
The match counters (in parentheses after each ACE) show how many packets matched each line. This is how you determine whether an ACL is actually matching traffic: if a deny line has a match count that keeps increasing while you’re testing connectivity, that deny is causing your problem. A match count of zero on the permit you think should be working means traffic is either not reaching the interface with the ACL, or it’s matching an earlier deny rule.
```
show ip access-lists
Extended IP access list OUTBOUND-FILTER
    10 permit ip 192.168.10.0 0.0.0.255 any (4821 matches)          ← Lots of matches (good)
    20 deny ip 10.0.0.0 0.255.255.255 any (0 matches)               ← Never matched
    30 permit ip any any (0 matches)                                ← Never reached
Extended IP access list INBOUND-BLOCK
    10 deny tcp any 192.168.10.0 0.0.0.255 eq 23 (0 matches)        ← Block telnet
    20 deny tcp any 192.168.10.0 0.0.0.255 eq 3389 (1082 matches)   ← RDP being blocked here!
    30 permit ip any any (843 matches)

# Find which interface the ACL is applied to:
show ip interface GigabitEthernet0/0
  Inbound  access list is INBOUND-BLOCK
  Outbound access list is OUTBOUND-FILTER

# Clear ACL match counters (for a clean test):
clear ip access-list counters INBOUND-BLOCK
```
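Two questions come up whenever an ACL is suspected: which deny lines are actually counting matches, and which line a given packet would hit. The second one is also the NAT question from the previous section (is the LAN subnet covered by the NAT ACL's permit?). The following is an added example, not from the guide or from Cisco: it parses `show ip access-lists` output in the form shown above (the sample reuses the guide's OUTBOUND-FILTER and INBOUND-BLOCK lists and adds a constructed NAT-ACL), lists hot deny lines, and evaluates a packet against an ACL using the same wildcard-mask arithmetic IOS applies. It handles `ip`, `tcp` and `udp` ACEs with `any`, `host` and `address wildcard` operands and an optional `eq <port>` on the destination; other ACE syntax is out of scope.

```python
"""ACL match-counter review and wildcard-mask lookup.

Added example, not part of the guide: parses the guide's style of `show ip access-lists`
output (constructed sample below; NAT-ACL is an assumed name taken from the guide's NAT
section), reports deny lines that are actually matching traffic, and answers "which line
would this packet hit?" with IOS wildcard-mask arithmetic. Supports ip/tcp/udp ACEs with
any / host / address+wildcard operands and an optional 'eq <port>' on the destination.
"""
import ipaddress
import re

ACL_SAMPLE = """\
Extended IP access list OUTBOUND-FILTER
    10 permit ip 192.168.10.0 0.0.0.255 any (4821 matches)
    20 deny ip 10.0.0.0 0.255.255.255 any (0 matches)
    30 permit ip any any (0 matches)
Extended IP access list INBOUND-BLOCK
    10 deny tcp any 192.168.10.0 0.0.0.255 eq 23 (0 matches)
    20 deny tcp any 192.168.10.0 0.0.0.255 eq 3389 (1082 matches)
    30 permit ip any any (843 matches)
Extended IP access list NAT-ACL
    10 permit ip 192.168.10.0 0.0.0.255 any (0 matches)
"""

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

def _take_address(tokens):
    """Consume one address operand from the front of `tokens`: 'any', 'host X' or 'X wildcard'.
    Returns (remaining tokens, (base address as int, wildcard mask as int))."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0xFFFFFFFF)
    if tokens[0] == "host":
        return tokens[2:], (int(ipaddress.IPv4Address(tokens[1])), 0)
    return tokens[2:], (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])))

def parse_acls(text):
    """Map ACL name -> list of ACE dicts in sequence order."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("Extended IP access list") or line.startswith("Standard IP access list"):
            current = line.split()[-1]
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if not m or current is None:
            continue
        seq, action, proto, rest, matches = m.groups()
        tokens = rest.split()
        tokens, src = _take_address(tokens)
        tokens, dst = _take_address(tokens)
        dport = int(tokens[1]) if len(tokens) >= 2 and tokens[0] == "eq" else None
        acls[current].append({"seq": int(seq), "action": action, "proto": proto,
                              "src": src, "dst": dst, "dport": dport,
                              "matches": int(matches or 0)})
    return acls

def _addr_matches(ip, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard is 'don't care', a 0 bit must match."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def first_match(acl, src_ip, dst_ip, proto="ip", dport=None):
    """(seq, action) of the first ACE the packet hits, or (None, 'deny') for the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):          # an 'ip' ACE covers every protocol
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if _addr_matches(src_ip, ace["src"]) and _addr_matches(dst_ip, ace["dst"]):
            return ace["seq"], ace["action"]
    return None, "deny"

def hot_denies(acls):
    """(acl name, seq, match count) for every deny line whose counter is non-zero."""
    return [(name, a["seq"], a["matches"]) for name, aces in acls.items()
            for a in aces if a["action"] == "deny" and a["matches"]]

if __name__ == "__main__":
    acls = parse_acls(ACL_SAMPLE)
    print("deny lines with matches:", hot_denies(acls))
    print("RDP to 192.168.10.5 hits:", first_match(acls["INBOUND-BLOCK"], "203.0.113.50", "192.168.10.5", "tcp", 3389))
    print("192.168.20.5 in NAT-ACL?  ", first_match(acls["NAT-ACL"], "192.168.20.5", "8.8.8.8"))
```

The last call is the NAT-section check done in code: a host in 192.168.20.0/24 falls through NAT-ACL to the implicit deny, which is exactly the condition that makes the `Misses` counter in `show ip nat statistics` climb while the translation table stays empty.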
ACL direction matters: An inbound ACL filters traffic arriving on the interface before it hits the routing table. An outbound ACL filters traffic after routing but before it exits the interface. A common mistake: applying an inbound ACL on a LAN interface to block traffic from the internet — that ACL will instead block outbound traffic from LAN hosts, which is the opposite of the intent. Draw the traffic direction before applying an ACL.
10. CDP & LLDP Discovery Commands
show cdp neighbors detail | show lldp neighbors detail
CDP (Cisco proprietary) and LLDP (IEEE standard) reveal directly connected device identity, IP address, device model, IOS version, and which port the connection uses on both sides. Used to build network diagrams without having physical access to trace cables, and to verify that devices are connected where you think they are.
```
show cdp neighbors detail
Device ID: SW-DISTRIB-01
Entry address(es):
  IP address: 10.0.0.2                                    ← Neighbor's management IP
Platform: cisco WS-C3750X-48P,  Capabilities: Switch
Interface: GigabitEthernet0/4,  Port ID (outgoing port): GigabitEthernet0/1
           ^ Local port                                   ^ Remote port
Holdtime : 153 sec
Version : Cisco IOS Software, Version 15.2(4)E7
Native VLAN: 1                                            ← Check native VLAN matches on trunk
Duplex: full

# Quick view — compact table of all neighbors
show cdp neighbors
Device ID        Local Intrfce   Holdtme   Capability   Platform    Port ID
SW-DISTRIB-01    Gi 0/4          153       S I          WS-C3750X   Gi 0/1
RTR-CORE-01      Gi 0/0          142       R            ISR4451     Gi 0/0
```
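The MAC address table section earlier says that when a MAC is learned on an uplink you connect to the downstream switch and repeat; the compact `show cdp neighbors` table above is what tells you which switch sits behind that uplink. The following is an added example (not from the guide or from Cisco) that automates that loop over captured output: for each switch it reads `show mac address-table address <MAC>` to find the port, looks that port up in the switch's CDP table, and hops to the neighbor when the neighbor advertises the Switch (S) capability. It stops at the first port with no switch neighbor, which is the access port. Switch names, ports and the MAC are constructed sample data.

```python
"""Trace a MAC address to its access port across several switches.

Added example, not part of the guide: automates "MAC on an uplink -> go to the
downstream switch and repeat" over captured `show mac address-table address` and
compact `show cdp neighbors` output. All device names, ports and MACs are constructed.
"""
import re

# Constructed `show mac address-table address 0050.56aa.1234` output, per switch.
MAC_TABLES = {
    "SW-CORE-01": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.1234    DYNAMIC     Gi0/4
""",
    "SW-DISTRIB-01": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.1234    DYNAMIC     Gi0/24
""",
    "SW-ACCESS-03": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.1234    DYNAMIC     Gi0/3
""",
}

# Constructed compact `show cdp neighbors` output, per switch.
CDP_TABLES = {
    "SW-CORE-01": """\
Device ID        Local Intrfce   Holdtme   Capability   Platform    Port ID
SW-DISTRIB-01    Gi 0/4          153       S I          WS-C3750X   Gi 0/1
RTR-CORE-01      Gi 0/0          142       R            ISR4451     Gi 0/0
""",
    "SW-DISTRIB-01": """\
Device ID        Local Intrfce   Holdtme   Capability   Platform    Port ID
SW-CORE-01       Gi 0/1          160       S I          WS-C3850    Gi 0/4
SW-ACCESS-03     Gi 0/24         171       S I          WS-C2960X   Gi 0/48
""",
    "SW-ACCESS-03": """\
Device ID        Local Intrfce   Holdtme   Capability   Platform    Port ID
SW-DISTRIB-01    Gi 0/48         150       S I          WS-C3750X   Gi 0/24
""",
}

MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)

def mac_port(table_text, mac):
    """(vlan, port) where `mac` was learned, or None if this switch has not seen it."""
    for line in table_text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m and m.group(2).lower() == mac.lower():
            return int(m.group(1)), m.group(4)
    return None

def cdp_neighbors(cdp_text):
    """Map local port -> (neighbor device id, set of capability codes)."""
    neighbors = {}
    for line in cdp_text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 6:
            continue
        # Columns: Device ID | Local Intrfce (2 tokens) | Holdtme | Capability (1+ tokens) | Platform | Port ID (2 tokens)
        local_port = f[1] + f[2]                    # 'Gi 0/4' -> 'Gi0/4', the form the MAC table uses
        neighbors[local_port] = (f[0], set(f[4:-3]))
    return neighbors

def trace_mac(start_switch, mac, mac_tables, cdp_tables, max_hops=10):
    """Follow the MAC from switch to switch; returns the (switch, port) pairs visited.
    The last pair is the access port, or the last switch that had the MAC in its table."""
    path, switch = [], start_switch
    for _ in range(max_hops):                       # bound the walk in case CDP data is circular
        hit = mac_port(mac_tables.get(switch, ""), mac)
        if hit is None:
            break
        _vlan, port = hit
        path.append((switch, port))
        neighbor = cdp_neighbors(cdp_tables.get(switch, "")).get(port)
        if neighbor is None or "S" not in neighbor[1]:
            break                                   # no switch on the far side: this is the access port
        switch = neighbor[0]
    return path

if __name__ == "__main__":
    for switch, port in trace_mac("SW-CORE-01", "0050.56aa.1234", MAC_TABLES, CDP_TABLES):
        print(f"{switch:15} {port}")
```

A port whose CDP neighbor is a router or an IP phone ends the walk, which is the right behaviour for a router and good enough for a phone: the phone's own port is the access port you would go look at.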
11. Connectivity Testing — Ping & Traceroute
ping & extended ping
Standard ping from a Cisco router sources from the closest interface IP. Extended ping (press Enter after typing ping) lets you specify the source interface or IP — essential for testing NAT, VPN, or routing from a specific path. The ping characters returned tell you exactly what happened.
```
# Standard ping
Router# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!                                         ← 5/5 success
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/15 ms

# Extended ping — source from LAN interface (tests NAT)
Router# ping 8.8.8.8 source GigabitEthernet0/1
!!!!!                                         ← NAT is working if this succeeds

# Large packet ping (tests MTU / fragmentation)
Router# ping 8.8.8.8 size 1500 df-bit
M.M.M                                         ← M = MTU exceeded, DF bit set (fragmentation needed but not allowed)

# Ping output character meanings:
! = ICMP Echo Reply received (success)
. = Timeout (no reply) — destination unreachable or filtered
U = Unreachable (ICMP Destination Unreachable received from intermediate router)
M = MTU exceeded with DF bit set
C = Congestion (ICMP Source Quench — rare)
? = Unknown packet type
& = TTL exceeded (routing loop or too many hops)
```
traceroute & extended traceroute
Traceroute discovers the path packets take and measures RTT at each hop by sending probes with incrementing TTL. On Cisco IOS, traceroute uses UDP probes by default (not ICMP). Three asterisks at a hop mean that hop’s device isn’t responding to TTL-exceeded ICMP — this doesn’t necessarily mean the path is broken if the final destination responds.
```
Router# traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1 203.0.113.9   2 msec  1 msec  2 msec     ← ISP gateway (hop 1)
  2 72.14.234.1  12 msec 11 msec 12 msec     ← ISP backbone
  3  *  *  *                                 ← Router not responding to TTL-exceeded (OK if path continues)
  4 8.8.8.8      14 msec 13 msec 14 msec     ← Destination reached

# Extended traceroute — source from LAN interface
Router# traceroute 8.8.8.8 source 192.168.10.1

# If traceroute stops and never reaches destination:
# Check what the last responding hop is — that router may have no route
# Or the destination is filtering UDP/ICMP (common for security appliances)
```
12. Debug Commands Reference
⚠ CRITICAL WARNING BEFORE USING DEBUG COMMANDS
Debug commands generate real-time output of events inside the router. On a busy production device, enabling a broad debug can consume 100% CPU and crash the router. Always: (1) check CPU before enabling debug (show processes cpu sorted), (2) use the most specific filter available (debug with a specific IP or interface), (3) enable terminal monitor if on SSH, (4) disable debug immediately after with undebug all or no debug all.
| Debug Command | Shows | CPU Risk |
|---|---|---|
| debug ip icmp | ICMP send/receive events (ping traffic) | LOW |
| debug ip packet <ACL> | Layer 3 packet forwarding events (filter with ACL!) | VERY HIGH — use ACL filter |
| debug ip ospf adj | OSPF adjacency formation and Hello processing | MEDIUM |
| debug ip ospf events | OSPF state machine events | MEDIUM |
| debug eigrp packets | EIGRP Hello, Update, Query, Reply packets | MEDIUM |
| debug ip dhcp server events | DHCP DORA process and lease assignments | LOW |
| debug ip nat | NAT translation events (every packet) | HIGH on busy links |
| undebug all (u all) | Disables ALL debug immediately | Run this when done! |
```
# Safe way to use debug ip packet (filter with ACL first)

# Create an ACL that matches only the traffic you want to see
ip access-list extended DEBUG-FILTER
 permit ip host 192.168.10.5 any            ← Only debug traffic from this specific host
 permit ip any host 192.168.10.5

# Enable debug with the filter (much safer than debug ip packet without filter)
debug ip packet DEBUG-FILTER detail

# On SSH sessions: make sure terminal monitor is on first
terminal monitor

# After debugging — ALWAYS do this:
undebug all

# Confirm:
show debug
# Should show: All possible debugging has been turned off
```
13. System & Device Health Commands
| Command | Shows | What to Look For |
|---|---|---|
| show version | IOS version, uptime, hardware model, RAM, flash | Recent reload? Reason for reload (crash vs power)? |
| show processes cpu sorted | CPU usage by process (5s/1m/5m averages) | CPU >70% sustained = problem. Which process is top? |
| show processes cpu history | 72-hour CPU history graph | Identify when the high CPU started |
| show memory statistics | Processor and I/O memory usage | Free memory <10% = risk of crash |
| show logging | System log buffer (last N log messages) | Error/warning messages, interface flaps, STP changes |
| show running-config | Current active configuration | Verify intended config is actually applied (not just saved) |
```
# show version — key fields for troubleshooting
Router# show version
Cisco IOS XE Software, Version 17.09.04a                   ← Exact IOS version
ROM: IOS-XE ROMMON
Router uptime is 2 weeks, 3 days, 14 hours                 ← When did it last restart?
Last reload reason: Reload command                         ← Or "Unknown" (crash) / "Power-on"
Cisco ISR4451-X/K9 processor (revision V02)
Cisco IOS-XE Software, 8192K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
Configuration register is 0x2102                           ← Normal. 0x2142 = boot bypass (password recovery)
```
14. Master Quick-Reference Table
The commands every CCNA candidate and working technician needs to know cold — organized by the problem type, not by protocol.
| Problem / Goal | Command | Key Field |
|---|---|---|
| Interface & Physical Problems | | |
| Interface is down | show interfaces | Line / protocol status |
| All port states at once | show interfaces status | Connected / notconnect / err-disabled |
| CRC / error counters | show interfaces counters errors | FCS-Err, Align-Err |
| Port is err-disabled | show interfaces status err-disabled | Reason column |
| Switching & VLAN Problems | | |
| Find where a device is connected | show mac address-table address <MAC> | Port column |
| VLAN doesn’t exist | show vlan brief | VLAN in list? Status active? |
| Trunk not passing VLAN | show interfaces trunk | VLANs allowed and active column |
| STP loop / blocking issue | show spanning-tree vlan <id> | Port roles, states (FWD/BLK) |
| Routing Problems | | |
| All IPs and interface states | show ip interface brief | IP / Status / Protocol |
| No internet / no route | show ip route | Default route present? |
| Host unreachable at Layer 2 | show ip arp | Incomplete entries |
| OSPF neighbors not forming | show ip ospf neighbor | State = FULL? |
| EIGRP neighbors missing | show ip eigrp neighbors | Hold time, uptime stable? |
| DHCP, NAT & ACL Problems | | |
| DHCP pool exhausted | show ip dhcp pool | Leased vs total addresses |
| NAT not translating | show ip nat translations | Empty = NAT not matching |
| NAT hit/miss count | show ip nat statistics | Misses incrementing = ACL wrong |
| ACL blocking traffic | show ip access-lists | Match counters on deny lines |
15. Frequently Asked Questions
What is the difference between show running-config and show startup-config?
running-config is what’s currently active in RAM — any changes you make with config t take effect immediately here. startup-config is saved to NVRAM and loads on boot. If they’re different, a reload will restore the startup-config. Always save with copy running-config startup-config or write memory after making changes. Deliberately not saving is a safety technique: make a risky change, wait 10 minutes, if connectivity is lost the device will reload with the old config.
What does “show ip interface brief” NOT show that I might need?
show ip interface brief doesn’t show subnet masks (only the IP), doesn’t show secondary IPs, doesn’t show which ACL is applied, and doesn’t show error counters. For the full IP details including mask and applied ACLs, use show ip interface GigabitEthernet0/0 (without “brief”). For error counters, use show interfaces.
A user can ping the gateway but can’t reach the internet. What do I run?
1. ping 8.8.8.8 from the router — if this works, problem is NAT or routing for the client.
2. show ip nat translations — is the client’s traffic in the table?
3. show ip nat statistics — is the Misses counter incrementing?
4. show access-lists <NAT-ACL> — does the ACL permit the client’s subnet?
5. show ip interface brief — are ip nat inside and ip nat outside on the correct interfaces?
How do I see which VLAN a specific port is in without looking at the full running-config?
show interfaces GigabitEthernet0/1 switchport shows the access mode VLAN and voice VLAN for that specific port. Alternatively, show vlan brief lists all VLANs with their member ports in one output — scan for your port number in the Ports column. On newer IOS-XE: show running-config interface GigabitEthernet0/1 gives just that port’s config.
What commands do I use on a CCNA exam when asked to troubleshoot a scenario?
On the CCNA 200-301 exam troubleshooting questions, follow the OSI model systematically. For connectivity failures: start with show ip interface brief (interface states and IPs), then show ip route (routing table), then show vlan brief and show interfaces trunk for Layer 2 issues. For routing protocol questions: show ip ospf neighbor and show ip ospf interface. Know the output of each command and what a problem looks like — exam questions often show you command output and ask you to identify the fault.
What is the single most useful IOS troubleshooting command you can learn?
show ip interface brief. It answers the three most common questions in 5 seconds: does this interface have an IP address, is it physically connected, and is the protocol running. It’s the right first command on almost any router troubleshooting call. After that, show ip route is close behind — between those two commands you can identify the cause of about 60% of router connectivity problems.