A user-support troubleshooting lab on VLANs, trunking, and access ports.
You're a Tier 2 support engineer. Last night a junior tech ran a "configuration cleanup" against the access layer. This morning the queue is full. Work each ticket, find the misconfiguration, restore service, and document the fix.
Each ticket is solvable from the CLI on R1, SW1, or SW2 — no need to rebuild anything. Recommended commands: show vlan brief, show interfaces trunk, show interfaces status, show cdp neighbors, show ip interface brief.
Reporter: PC1 (Sales) · Switch: SW1 · Severity: High
"I can't get to the file server, can't reach the printer, and I can't even ping the gateway. Other Sales people are fine. I've rebooted twice."
PC1 is plugged into SW1 Gi0/2. Link is up. PC1 has its expected IP 10.0.10.10/24.
Root cause
SW1 Gi0/2 is in the wrong VLAN: it is configured as access VLAN 20 (HR) and should be VLAN 10 (Sales). PC1's IP belongs to the Sales subnet, but its port is assigned to the HR VLAN, so its ARP requests for the gateway are flooded into VLAN 20 and never reach the Sales gateway.
SW1(config)# interface Gi0/2
SW1(config-if)# switchport access vlan 10
TKT-002
PC4 has zero connectivity
Reporter: PC4 (HR) · Switch: SW2 · Severity: High
"Nothing works. Can't ping anything, not even other HR computers." PC2 (also HR, but on SW1) is unaffected.
PC4 is on SW2 Gi0/2, link up, correct IP. The access port config on SW2 looks correct.
Root cause
The SW1↔SW2 trunk allowed list on SW1 is 10,99 — VLAN 20 was dropped from the allowed VLANs. HR traffic can't cross between switches, so PC4 (HR on SW2) is isolated from PC2 (HR on SW1) and from the gateway on R1.
SW1(config)# interface Gi0/1
SW1(config-if)# switchport trunk allowed vlan add 20
Verify with show interfaces trunk — VLAN 20 must appear in the "allowed" and "active" lists on both ends.
TKT-003
PC3 says "no link / cable unplugged"
Reporter: PC3 (Sales) · Switch: SW2 · Severity: Medium
"Network icon shows a red X. The desktop tech replaced my cable yesterday but it's still down."
You confirmed: cable is good, NIC is healthy, port is SW2 Gi0/1.
Root cause
The port is administratively shut down. show interfaces status on SW2 shows Gi0/1 in disabled state.
SW2(config)# interface Gi0/1
SW2(config-if)# no shutdown
Sanity check: line protocol should come up within a few seconds, and PC3 should pull link.
"My whole team can ping each other, but nobody can get to the internet or anything outside HR." Once TKT-002 is fixed, PC2 and PC4 can ping each other — but neither can reach 10.0.20.1.
Sales (VLAN 10) is unaffected and reaches its gateway fine.
Root cause
On R1, the VLAN 20 subinterface has encapsulation dot1Q 200 — a typo. The router is tagging/expecting VLAN 200, which doesn't exist. VLAN 20 frames hit R1 but never match any subinterface, so they get dropped. VLAN 10 is fine because Gi0/0.10 is configured correctly.
R1(config)# interface Gi0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 10.0.20.1 255.255.255.0
IOS may require you to delete the subinterface (the no form of the interface command) and recreate it, or to remove the IP address first before changing the encapsulation.
SW1 is logging %CDP-4-NATIVE_VLAN_MISMATCH repeatedly against Gi0/1, paired with SW2. No user impact yet, but it's filling up the logs and CDP says the trunk is misconfigured.
Root cause
SW1 Gi0/1 has switchport trunk native vlan 99. SW2 Gi0/0 has no native VLAN configured, so it defaults to VLAN 1. CDP detects the mismatch and warns. Untagged traffic sent by one side lands in a different VLAN on the other side, which is a real security and stability issue even if nothing is breaking yet.
SW2(config)# interface Gi0/0
SW2(config-if)# switchport trunk native vlan 99
Best practice: pick a non-default native VLAN, configure it explicitly on both ends, and don't carry user data on it.
Verification
Once all five tickets are resolved, every PC should ping every other PC, every PC should ping its gateway on R1, and show interfaces trunk on both switches should show VLANs 10, 20, and 99 allowed and active with native VLAN 99 on both ends.
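An added example, not part of the original lab: a small Python check that applies the trunk criteria above (VLANs 10, 20, and 99 allowed, native VLAN 99 on both ends) to running-config excerpts from each side of the SW1↔SW2 trunk. The excerpts are constructed to match TKT-002 and the native VLAN mismatch ticket; SW2's allowed list and the helper names are assumptions.

```python
import re

# Constructed running-config excerpts matching the two trunk tickets.
# SW2's allowed list is an assumption; the lab only gives SW1's (10,99).
SW1_CFG = """interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,99
"""
SW2_CFG = """interface GigabitEthernet0/0
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
"""

def expand(vlans):
    """Turn an IOS VLAN list such as '10,20-22,99' into a set of ints."""
    out = set()
    for part in vlans.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunk(config, ifname):
    """Return native VLAN and allowed-VLAN set for one interface stanza."""
    port = {"native": 1, "allowed": set(range(1, 4095))}  # IOS defaults
    in_stanza = False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_stanza = line.split()[1] == ifname
        elif in_stanza:
            if m := re.match(r"\s*switchport trunk native vlan (\d+)$", line):
                port["native"] = int(m.group(1))
            elif m := re.match(r"\s*switchport trunk allowed vlan (add )?([\d,-]+)$", line):
                vl = expand(m.group(2))
                port["allowed"] = port["allowed"] | vl if m.group(1) else vl
    return port

def audit_trunk(ends, required, native):
    """Check every trunk end against the intended design; return findings."""
    findings = []
    for name, port in ends.items():
        if port["native"] != native:
            findings.append((name, "native", port["native"]))
        findings += [(name, "not-allowed", v) for v in sorted(required - port["allowed"])]
    return findings

if __name__ == "__main__":
    ends = {"SW1 Gi0/1": parse_trunk(SW1_CFG, "GigabitEthernet0/1"),
            "SW2 Gi0/0": parse_trunk(SW2_CFG, "GigabitEthernet0/0")}
    for finding in audit_trunk(ends, {10, 20, 99}, 99):
        print(finding)
```

Run against the broken excerpts it reports VLAN 20 missing from SW1's allowed list and SW2's native VLAN left at the default of 1; appending the two fix commands from the tickets to the excerpts clears both findings.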