A network engineer connects a new switch to an existing Rapid PVST+ campus network. The new switch is intended to serve as an additional access-layer switch, but after connecting its uplinks, the engineer discovers that the root bridge for VLAN 10 has changed to this new switch, and several access ports on other switches with PortFast and BPDU Guard enabled are now in err-disabled state. Some users report intermittent connectivity loss.
A lower bridge priority causes the new switch to become the root for VLAN 10. Plugging it into a BPDU Guard-enabled port (which is normally an edge port with PortFast) results in the port receiving BPDUs and going err-disabled. This perfectly explains both symptoms.
Why this answer
The new switch's bridge priority is lower (numerically smaller) than the existing root bridge, so it becomes the new root for VLAN 10. When it sends superior BPDUs out its uplinks, the neighboring switch's access ports with PortFast and BPDU Guard enabled receive these BPDUs, triggering err-disable state on those ports, causing connectivity loss.
Exam trap
Cisco often tests the misconception that BPDU Guard only applies to access ports or that it prevents root bridge changes, when in fact it reacts to any BPDU received on a PortFast port, regardless of the BPDU's source or priority.
Why the other options are wrong
Attributing the issue to a native VLAN mismatch overlooks the root election change and the BPDU Guard-triggered err-disable state.
This answer ignores the root election shift and the BPDU Guard events; PortFast misconfiguration alone would not cause these symptoms.
This fails to account for the selective err-disable of only access ports and the concurrent root bridge change, which points to a targeted misconfiguration rather than a blanket global setting.