interface g1/0/10 switchport mode access switchport access vlan 30 spanning-tree portfast spanning-tree bpduguard enable
A switch administrator enters the following commands on interface GigabitEthernet1/0/10:
interface g1/0/10 switchport mode access switchport access vlan 30 spanning-tree portfast spanning-tree bpduguard enable
A user connects a small unmanaged switch to this port, and the access port immediately changes to an err-disabled state.
Which feature caused the port to shut down?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
PortFast
PortFast is related to the scenario, but it is not the feature that performs the protective shutdown. PortFast simply lets a user-facing port skip the usual long spanning-tree transition period so connected hosts can communicate sooner. In many networks it is paired with BPDU Guard, which is why candidates sometimes confuse the two. The actual disabling action comes from BPDU Guard after a BPDU is received.
BPDU Guard
Correct. BPDU Guard is correct because it is specifically designed to shut down an edge port that should not receive BPDUs. In plain terms, the switch sees evidence that another switch was attached and decides to protect the topology by disabling the port instead of allowing a possible loop or unexpected spanning-tree participation.
Access VLAN 30 assignment
Putting the port in VLAN 30 only decides which broadcast domain the user traffic belongs to. It does not create an err-disabled condition. A port can remain in an access VLAN indefinitely without shutting down. The shutdown happened because the connected device introduced switch control traffic, not because of the VLAN number chosen for the access port.
The interface being in access mode
Access mode is a normal configuration for an end-device port. It tells the interface to carry one access VLAN rather than trunk multiple VLANs. That setting alone does not disable the interface. The decisive event in the scenario is that another switch sent a BPDU, which triggered the BPDU Guard protection mechanism.
Common exam trap
A frequent exam trap is mistaking PortFast as the feature that disables the port when a BPDU is received. PortFast only accelerates the transition of a port to the forwarding state for faster host connectivity and does not cause shutdowns. Candidates often confuse the two because PortFast and BPDU Guard are commonly configured together on access ports. The actual shutdown is caused by BPDU Guard detecting BPDUs on a port that should only connect to end devices. Misidentifying PortFast as the cause leads to incorrect answers and misunderstanding of STP protection mechanisms.
Technical deep dive
BPDU Guard is a Cisco feature designed to protect the Spanning Tree Protocol (STP) topology by disabling ports that receive unexpected Bridge Protocol Data Units (BPDUs). Typically, ports connected to end devices like PCs or printers are configured with PortFast to skip the STP listening and learning states, allowing faster network access. However, if a switch or another device that sends BPDUs is connected to such a port, it can cause topology loops or instability. BPDU Guard detects this condition and immediately places the port into an err-disabled state to prevent potential network issues. When BPDU Guard is enabled on a PortFast-configured access port, the switch continuously monitors for incoming BPDUs. If any BPDU is detected, the port is considered to be connected to another switch or a device that could affect the spanning tree topology. To protect the network, BPDU Guard shuts down the port by placing it in an err-disabled state, requiring manual or automatic recovery depending on the configuration. This behavior ensures that only legitimate end devices connect to these ports, maintaining network stability and preventing loops. A common exam trap is confusing PortFast with BPDU Guard. While PortFast speeds up port activation for end devices, it does not disable ports upon receiving BPDUs. BPDU Guard is the feature that enforces topology protection by shutting down ports receiving BPDUs unexpectedly. In practical networks, connecting an unmanaged switch to a PortFast and BPDU Guard-enabled port triggers BPDU Guard, causing the port to err-disable. Understanding this distinction is critical for CCNA candidates to correctly identify the cause of port shutdowns in STP-related scenarios.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
Practise DHCP scopes, relay, leases and troubleshooting.
Practise routing-table output, longest-prefix match, AD and route selection.
Practise trunk verification and VLAN forwarding across switches.
Practise WLAN security, authentication and wireless architecture concepts.
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
BPDU Guard detects Bridge Protocol Data Units (BPDUs) on ports configured as PortFast and immediately disables the port to prevent potential Layer 2 loops.
The correct answer is: BPDU Guard — BPDU Guard is the feature that caused the shutdown. This question is really about separating two features that are often configured together on user-facing ports: PortFast and BPDU Guard. PortFast helps an edge port come up quickly, which is useful for PCs and phones. BPDU Guard adds protection by watching for BPDUs on that same port. If a switch is connected where only an end device should exist, the newly connected switch may send BPDUs. The local switch interprets that as a topology risk and disables the port to protect the Layer 2 network. The clues are the err-disabled state and the fact that another switch was connected. VLAN assignment and access mode are normal here and do not explain the shutdown.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.