- A
Root guard
This is correct because root guard prevents the port from becoming a root path when superior BPDUs appear.
- B
BPDU Guard
Why wrong: This is wrong because BPDU Guard is typically used on edge ports to disable them when BPDUs appear unexpectedly.
- C
Port security
Why wrong: This is wrong because port security controls MAC address behavior, not STP root-path conditions.
- D
DHCP Snooping
Why wrong: This is wrong because DHCP Snooping is unrelated to STP root-role protection.
Quick Answer
The answer is root guard, because it is specifically designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. This feature protects the intended STP topology by forcing the port into a root-inconsistent state if a superior BPDU arrives, ensuring that no downstream device can hijack the root role on that segment. On the CCNA 200-301 v2 exam, this concept tests your ability to distinguish between STP security mechanisms: root guard preserves the existing root bridge’s authority, while BPDU guard shuts down an edge port entirely if any BPDU appears. A common trap is confusing the two, but remember that root guard cares about *which* BPDU is superior, not just the presence of any BPDU. For a quick memory tip, think “Root guard guards the root’s path, BPDU guard guards the edge’s wrath.”
CCNA Switching and Network Access Practice Question
This 200-301 practice question tests your understanding of switching and network access. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A switch receives superior BPDUs on a port where the design requires that no downstream device ever become the root path for that segment. Which feature is the best fit for that requirement?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue:
"best"Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Root guard
Root guard is the best fit because it is designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. In practical terms, it protects the intended STP topology by keeping that port from taking on a root-related forwarding role when the design says it should not. This is different from BPDU Guard, which is more commonly used on edge ports to disable them entirely if BPDUs appear. Root guard is about protecting topology roles, not just edge-port assumptions.
Key principle: Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Root guard
Why this is correct
This is correct because root guard prevents the port from becoming a root path when superior BPDUs appear.
Clue confirmation
The clue word "best" in the question point toward this answer.
Related concept
Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.
- ✗
BPDU Guard
Why it's wrong here
This is wrong because BPDU Guard is typically used on edge ports to disable them when BPDUs appear unexpectedly.
When this WOULD be correct
In a scenario where the question asks about protecting edge ports from receiving BPDUs while allowing them to remain operational, BPDU Guard would be the correct answer. For example, if the question specified that the goal was to prevent accidental topology changes on access ports, BPDU Guard would fit.
- ✗
Port security
Why it's wrong here
This is wrong because port security controls MAC address behavior, not STP root-path conditions.
When this WOULD be correct
In a scenario where the question asks about securing a switch port against unauthorized devices connecting, while ensuring that only specific MAC addresses are allowed, port security would be the correct answer. This could involve a network segment where only known devices should be permitted to communicate.
- ✗
DHCP Snooping
Why it's wrong here
This is wrong because DHCP Snooping is unrelated to STP root-role protection.
When this WOULD be correct
In a scenario where a question asks about securing a network against rogue DHCP servers and ensuring that only trusted DHCP servers can assign IP addresses, DHCP Snooping would be the correct answer. This would involve configuring the switch to allow DHCP responses only from specific trusted ports.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓Root guardCorrect answer▾
Why this is correct
This is correct because root guard prevents the port from becoming a root path when superior BPDUs appear.
✗BPDU GuardWrong answer — click to see why▾
Why this is wrong here
BPDU Guard is designed to protect against receiving BPDUs on ports configured as edge ports, but it does not prevent a downstream device from becoming the root bridge. It simply disables the port if a BPDU is received, which does not align with the requirement of preventing a downstream device from becoming the root path.
★ When this WOULD be the correct answer
In a scenario where the question asks about protecting edge ports from receiving BPDUs while allowing them to remain operational, BPDU Guard would be the correct answer. For example, if the question specified that the goal was to prevent accidental topology changes on access ports, BPDU Guard would fit.
Why candidates choose this
Candidates may confuse BPDU Guard with Root Guard due to their similar functions in protecting the network topology, leading them to mistakenly believe that BPDU Guard can also prevent a downstream device from becoming the root bridge.
✗Port securityWrong answer — click to see why▾
Why this is wrong here
Port security is used to restrict the number of MAC addresses allowed on a port and prevent unauthorized devices from connecting. It does not specifically prevent a downstream device from becoming the root bridge in a Spanning Tree Protocol (STP) topology.
★ When this WOULD be the correct answer
In a scenario where the question asks about securing a switch port against unauthorized devices connecting, while ensuring that only specific MAC addresses are allowed, port security would be the correct answer. This could involve a network segment where only known devices should be permitted to communicate.
Why candidates choose this
Candidates may confuse port security with STP features, thinking that limiting MAC addresses could also prevent topology changes. This misunderstanding can lead them to select port security when they are actually looking for a solution related to STP behavior.
✗DHCP SnoopingWrong answer — click to see why▾
Why this is wrong here
DHCP Snooping is designed to prevent unauthorized DHCP servers from distributing IP addresses on a network, not to manage or control the role of switches in the Spanning Tree Protocol (STP). In this context, it does not address the requirement of preventing downstream devices from becoming the root bridge.
★ When this WOULD be the correct answer
In a scenario where a question asks about securing a network against rogue DHCP servers and ensuring that only trusted DHCP servers can assign IP addresses, DHCP Snooping would be the correct answer. This would involve configuring the switch to allow DHCP responses only from specific trusted ports.
Why candidates choose this
Candidates might confuse DHCP Snooping with general network security features, thinking it could relate to controlling device roles in STP due to its focus on preventing unauthorized access, leading them to mistakenly select it.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
A common exam trap is selecting BPDU guard instead of root guard because both involve BPDU handling. BPDU guard disables a port immediately upon receiving any BPDU, which is suitable for edge ports but not for ports where topology control is required. Root guard, on the other hand, only blocks ports that receive superior BPDUs, allowing normal BPDUs from the current root bridge. Confusing these features can lead to incorrect answers, as BPDU guard does not protect the root path role but rather protects against unauthorized devices on edge ports.
Detailed technical explanation
How to think about this question
Spanning Tree Protocol (STP) is a Layer 2 network protocol that prevents loops by electing a root bridge and calculating the best paths to it. Switch ports are assigned roles such as root port, designated port, or blocked port based on BPDU (Bridge Protocol Data Unit) information. When a switch receives a superior BPDU (one indicating a better path to the root bridge), it may change its port roles and topology accordingly to maintain a loop-free environment. Root guard is a Cisco feature designed to enforce the network topology by preventing a port from becoming a root port if it receives superior BPDUs. When root guard is enabled on a port, if that port receives a superior BPDU, the port is placed into a root-inconsistent state, effectively blocking it from forwarding traffic and preventing the downstream device from becoming the root bridge or influencing the root path. This preserves the intended STP topology and prevents topology changes caused by unauthorized or misconfigured switches. A common exam trap is confusing root guard with BPDU guard. BPDU guard disables a port if any BPDU is received, typically used on edge ports to protect against accidental switches or loops. Root guard, however, only blocks ports receiving superior BPDUs, allowing normal BPDUs from the current root bridge. Understanding this distinction is critical for correctly applying STP protection features and answering related CCNA questions accurately.
KKey Concepts to Remember
- Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.
- Superior BPDUs indicate a better path to the root bridge and can cause topology changes if not controlled.
- BPDU guard disables a port entirely when any BPDU is received, protecting edge ports from unexpected switches.
- Port security controls MAC address access on a port and does not influence STP root path decisions.
- DHCP snooping protects against rogue DHCP servers and does not affect STP or root bridge election.
- STP uses BPDUs to elect the root bridge and determine port roles to maintain a loop-free topology.
- Root guard places a port into a root-inconsistent state to block forwarding when superior BPDUs are detected.
- Proper use of root guard maintains the intended STP topology by preventing downstream devices from becoming the root.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What to study next
Got this wrong? Here's your next step.
Review root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs., then practise related 200-301 questions on the same topic to reinforce the concept.
- →
Switching and Network Access — study guide chapter
Learn the concepts, then practise the questions
- →
Switching and Network Access practice questions
Targeted practice on this topic area only
- →
All 200-301 questions
1,819 questions across all exam domains
- →
CCNA 200-301 v2 study guide
Full concept coverage aligned to exam objectives
- →
200-301 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Infrastructure and Connectivity practice questions
Practise 200-301 questions linked to Network Infrastructure and Connectivity.
Switching and Network Access practice questions
Practise 200-301 questions linked to Switching and Network Access.
IP Routing practice questions
Practise 200-301 questions linked to IP Routing.
Network Services and Security practice questions
Practise 200-301 questions linked to Network Services and Security.
AI and Network Operations practice questions
Practise 200-301 questions linked to AI and Network Operations.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
Practice this exam
Start a free 200-301 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this 200-301 question test?
Switching and Network Access — This question tests Switching and Network Access — Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs..
What is the correct answer to this question?
The correct answer is: Root guard — Root guard is the best fit because it is designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. In practical terms, it protects the intended STP topology by keeping that port from taking on a root-related forwarding role when the design says it should not. This is different from BPDU Guard, which is more commonly used on edge ports to disable them entirely if BPDUs appear. Root guard is about protecting topology roles, not just edge-port assumptions.
What should I do if I get this 200-301 question wrong?
Review root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs., then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Keep practising
More 200-301 practice questions
- A switchport connected to another switch should carry multiple VLANs, but it was manually configured as an access port.…
- What problem is HSRP designed to solve?
- Which TWO statements correctly describe the causes or implications of CRC errors, runts, giants, or output errors as see…
- You are connected to R1. Configure IPv4 and IPv6 addressing on R1's interfaces and verify reachability to R2. The curren…
- Which TWO statements accurately describe how AI/ML concepts are applied to network operations in modern enterprise netwo…
- Which TWO switch port configurations are required when connecting a Cisco IP phone and a desktop PC to a single access p…
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.