Interesting interview question regarding Internet access...

Dec 2nd, 2007

I had an interview the other day before a panel of very knowledgeable people and the following question was put to me: Two PCs participating in the same VLAN can communicate within their VLAN and ipconfig /all returns a valid IP address, default gateway and DNS server for both. However one PC can connect to the Internet and the other cannot. There are no ACLs to prevent Internet access so the question is why can't the one PC access the Internet? I've been thinking about this and so far I have not come up with an answer, though I will probably say "d'oh" when presented with an answer or two. Any thoughts?

Jon Marshall Sun, 12/02/2007 - 11:46

Hi Chris

Could be a number of things.

1) You didn't mention subnet mask. Did they say whether the PCs had the correct subnet mask configured?

2) You don't say whether the PCs are using private addressing and therefore need NAT to go out on the Internet, in which case is NAT set up for both of them?

I suspect you needed to ask a few more questions to get to the bottom of the problem. Is there any more info you can provide?


ccbootcamp Sun, 12/02/2007 - 13:38

possible causes:

1 mac security on the switch port (you'll have to think about this one, but without seeing the Layer1 diagram for this scenario, it's possible!)

2 subnet mask configured incorrectly.

3 nat range configured incorrectly on the gateway isp router

these are just a few off the top of my head


(please rate the post if this helps!)

ChrisM804 Sun, 12/02/2007 - 15:51

Thanks for the replies all. I had thought about the NAT address range being too small or incorrect but since both PCs received IP addresses dynamically via DHCP I discounted NAT configuration errors and the subnet mask being incorrect. Did I err in so doing?

ccbootcamp Sun, 12/02/2007 - 15:54

Could be either. NAT allowable IP range might not match the DHCP IP range. But I'd guess the answer "they" were looking for is probably the subnet mask.


(please rate the post if this helps!)

ChristopherMcGill Sun, 12/02/2007 - 16:03


I disagree with the subnet mask being the issue, as it states "Two PCs participating in the same VLAN can communicate within their VLAN". If they had different subnet masks, when one tried to communicate with the other, they would do a binary AND on the other's IP and their subnet and would send the packet to the default gateway, not broadcast out to the VLAN. I think mac-address ACLs is too deep, as how many sites have you seen these used on? If I had to guess I would have to say it is a NAT issue (static NAT missing, or subnet incorrect for overloading ACL).

Jon Marshall Sun, 12/02/2007 - 23:46

Hi Christopher

Not necessarily, e.g.


subnet mask:


Host 1

Host 2

Host 2 wants to talk to Host 1. Host 2 compares with its own subnet mask = network

So host 2 believes host 1 is in the same subnet and they communicate. Host 1 does the same comparison = network

So they can both communicate.

But the default-gateway is Host 1 sees that in the same network.

Host 2 does not see that in the same network ie. =

so host 2 would think default-gateway is in a different subnet.



ccbootcamp Sun, 12/02/2007 - 23:58


Subnet mask could DEFINITELY be the issue here and is more than likely the answer the person asking the question is looking for. It's a pretty old school question to see if someone understands subnetting/ip addressing.

Lab it up for yourself. What will happen if:

(no NAT in this situation, just public IPs on everything)

PC1 ip address: /28 (ie

PC2 ip address: /2 (ie

router IP (and default gateway for the PCs) /28

what happens when PC2 tries to ping PC1? everything is cool.

what happens when PC2 tries to ping DG?

no probs.

what happens when PC1 tries to ping DG?

no probs.

PC1 can ping no probs (random server on the internet)

Router (ie the DG) can ping no probs.

now, what happens when PC2 tries to ping where does the packet go? lab it up, check the debugs on the router, and let me know what you find...


(please rate the post!)
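The mask comparison argued over in the posts above, modelled as an added example that is not part of the original thread: it covers a mask that is too narrow (the gateway looks remote, as in Jon Marshall's post) and, as a generalization, a mask that is too wide (a remote address looks local). All addresses are constructed from the RFC 5737 documentation ranges rather than taken from the thread, the function names are hypothetical, and proxy ARP on the router is assumed to be off.

```python
import ipaddress

def forwarding_decision(host_if, gateway, dest):
    """Model the host-side choice: AND the destination with the host's OWN
    mask; deliver on-link if it matches, otherwise hand off to the gateway."""
    iface = ipaddress.ip_interface(host_if)
    gw, dst = ipaddress.ip_address(gateway), ipaddress.ip_address(dest)
    if dst in iface.network:
        return "on-link"           # host ARPs for the destination itself
    if gw in iface.network:
        return "via-gateway"       # host ARPs for the gateway
    return "gateway-off-link"      # host considers its own gateway remote

def reaches(lan, host_if, gateway, dest):
    """True if the host's decision is the one the real LAN prefix requires."""
    on_lan = ipaddress.ip_address(dest) in ipaddress.ip_network(lan)
    decision = forwarding_decision(host_if, gateway, dest)
    return decision == ("on-link" if on_lan else "via-gateway")

# Constructed scenario A: PC2's mask is too narrow (/25 on a /24 LAN).
NARROW = {"lan": "192.0.2.0/24", "gw": "192.0.2.254",
          "pc1": "192.0.2.10/24", "pc2": "192.0.2.20/25"}
# Constructed scenario B: PC2's mask is too wide (/24 on a /28 LAN).
WIDE = {"lan": "192.0.2.0/28", "gw": "192.0.2.14",
        "pc1": "192.0.2.1/28", "pc2": "192.0.2.2/24"}

def report(s, remote):
    """Per PC: decision for its VLAN peer, for a remote address, and whether
    the remote decision is correct for the real LAN."""
    rows = {}
    for name in ("pc1", "pc2"):
        peer = s["pc2" if name == "pc1" else "pc1"].split("/")[0]
        rows[name] = {
            "peer": forwarding_decision(s[name], s["gw"], peer),
            "remote": forwarding_decision(s[name], s["gw"], remote),
            "remote_ok": reaches(s["lan"], s[name], s["gw"], remote),
        }
    return rows

if __name__ == "__main__":
    for label, s, remote in (("narrow", NARROW, "203.0.113.5"),
                             ("wide", WIDE, "192.0.2.200")):
        for pc, row in report(s, remote).items():
            print(label, pc, row)
```

In both scenarios the two PCs still see each other as on-link, which is why intra-VLAN traffic works while only one of them gets off the subnet.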

Tony.henry Sun, 12/02/2007 - 17:35


Seems to me like a "show your thought process" type question. How would you work something out. There might not even be a right answer, there may have been a right approach.

What questions did you ask? Questions that fly to my mind are:

What's not working? Email? WWW? Chat? FTP?

Is a proxy being used? Not uncommon in many environments.

Is the broken PC able to do everything it should be able to do locally? Access all local services and servers?

What's different between the two machines? What's the same?

I mean it's a common thing for users to ring helpdesks and report the internet is down, but it takes time and patience to get down to what is actually going on and what's stopped.



Danilo Dy Sun, 12/02/2007 - 18:13


Assuming IP address, Subnet Mask, Default Gateway, and DNS are correct, the common causes for this problem are:

1. Proxy settings.

2. IP address of the second PC is not included in the NAT pool.



