- A
Root Guard
Why wrong: Distractor.
- B
PortFast
Why wrong: Distractor.
- C
BPDU Guard
Correct choice.
- D
Loop Guard
Why wrong: Distractor.
Quick Answer
The answer is BPDU Guard. This feature is the correct choice because it immediately places an access-layer interface into an err-disabled state upon receiving any BPDU, which signals that an unauthorized switch has been connected to what should be an edge port. BPDU Guard protects the Spanning Tree Protocol (STP) topology by preventing rogue switches from participating in the root bridge election or causing topology loops. On the CCNA 200-301 v2 exam, this concept often appears in questions about securing STP at the access layer, and a common trap is confusing BPDU Guard with Root Guard—remember that BPDU Guard shuts down the port, while Root Guard only prevents the port from becoming a root port. A useful memory tip is to think of BPDU Guard as a "bouncer" that kicks out any switch that tries to send BPDUs through an edge port.
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: bPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
An administrator wants an access-layer interface to shut down immediately if another switch is connected accidentally. Which feature best meets that requirement?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue:
"best"Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Clue:
"immediately / without restart"Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
BPDU Guard
BPDU Guard is designed for edge ports. If the port receives a BPDU, the switch treats that as a sign that another switch has been connected and places the interface into an err-disabled state to protect the spanning-tree topology.
Key principle: BPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Root Guard
Why it's wrong here
Distractor.
When this WOULD be correct
If the question asked for a feature that prevents a switch from becoming the root bridge in a spanning tree topology, Root Guard would be the correct answer. It would be applicable in a situation where maintaining a specific switch as the root bridge is critical.
- ✗
PortFast
Why it's wrong here
Distractor.
When this WOULD be correct
In a scenario where the question asks for a feature that allows a switch port to transition quickly to forwarding mode without waiting for Spanning Tree Protocol (STP) timers, PortFast would be the correct answer. This would apply in a situation where the administrator wants to optimize the connection time for end devices like PCs or printers.
- ✓
BPDU Guard
Why this is correct
Correct choice.
Clue confirmation
The clue words "best", "immediately / without restart" in the question point toward this answer.
Related concept
BPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections.
- ✗
Loop Guard
Why it's wrong here
Distractor.
When this WOULD be correct
In a scenario where a question asks for a feature that maintains network stability by preventing loops while still allowing ports to function normally, Loop Guard would be the correct answer. For instance, if the question focused on preventing broadcast storms due to misconfigured switches, Loop Guard would apply.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓BPDU GuardCorrect answer▾
Why this is correct
Correct choice.
✗Root GuardWrong answer — click to see why▾
Why this is wrong here
Root Guard is used to prevent a switch from becoming the root bridge in the spanning tree, not to shut down an interface when another switch is connected. It enforces the root bridge position on a port, but does not disable the port upon switch connection.
★ When this WOULD be the correct answer
If the question asked for a feature that prevents a switch from becoming the root bridge in a spanning tree topology, Root Guard would be the correct answer. It would be applicable in a situation where maintaining a specific switch as the root bridge is critical.
Why candidates choose this
Students may confuse Root Guard with BPDU Guard because both are STP security features. The name 'Guard' might imply protection against unauthorized switches, but Root Guard's purpose is different.
✗PortFastWrong answer — click to see why▾
Why this is wrong here
PortFast is used to immediately transition an access port to the forwarding state, bypassing the listening and learning states. It does not shut down the interface when another switch is connected; in fact, it can cause loops if BPDU Guard is not also enabled.
★ When this WOULD be the correct answer
In a scenario where the question asks for a feature that allows a switch port to transition quickly to forwarding mode without waiting for Spanning Tree Protocol (STP) timers, PortFast would be the correct answer. This would apply in a situation where the administrator wants to optimize the connection time for end devices like PCs or printers.
Why candidates choose this
PortFast is often associated with access ports, and students might think it provides protection against switch connections. However, PortFast alone does not prevent loops or shut down the port.
✗Loop GuardWrong answer — click to see why▾
Why this is wrong here
Loop Guard is used to prevent alternate or root ports from becoming designated ports in the absence of BPDUs, which can cause loops. It does not shut down an interface when a switch is connected; rather, it places the port into a loop-inconsistent state if BPDUs stop being received.
★ When this WOULD be the correct answer
In a scenario where a question asks for a feature that maintains network stability by preventing loops while still allowing ports to function normally, Loop Guard would be the correct answer. For instance, if the question focused on preventing broadcast storms due to misconfigured switches, Loop Guard would apply.
Why candidates choose this
The name 'Loop Guard' suggests it prevents loops, and students might think it would shut down a port to prevent loops caused by connecting a switch. However, its mechanism is different and does not involve immediate shutdown upon switch connection.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is selecting Root Guard or Loop Guard instead of BPDU Guard. Root Guard only blocks a port from becoming a root port but does not disable the port immediately upon receiving BPDUs. Loop Guard protects against unidirectional link failures by preventing a port from transitioning to forwarding when BPDUs are lost but does not shut down the port. Candidates may also confuse PortFast as it is related to edge ports but it only speeds up STP convergence and does not disable ports. Understanding that BPDU Guard uniquely disables the port immediately upon receiving BPDUs on an edge port is essential to avoid this trap.
Detailed technical explanation
How to think about this question
BPDU Guard is a Cisco switch feature designed to protect the Spanning Tree Protocol (STP) topology by monitoring edge ports, typically access-layer interfaces connected to end devices. These ports are expected not to receive BPDUs because they connect to hosts, not switches. If a BPDU is received on such a port, it indicates that another switch might have been connected accidentally or maliciously, which could cause loops or topology changes. When BPDU Guard is enabled on a PortFast-enabled port, it immediately places the interface into an err-disabled state upon receipt of a BPDU. This automatic shutdown prevents the port from participating in STP and stops potential loops or topology instability. The err-disabled state requires manual intervention or configured automatic recovery to bring the port back up, ensuring that network administrators are alerted to the issue. A common exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Root Guard blocks ports from becoming root ports but does not disable them immediately. Loop Guard prevents ports from transitioning to forwarding when BPDUs are lost but also does not shut down ports. BPDU Guard’s immediate shutdown behavior is unique and critical for protecting access ports from accidental switch connections, making it the best choice for the scenario described.
KKey Concepts to Remember
- BPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections.
- PortFast enables a switch port to transition quickly to the forwarding state but does not shut down the port upon receiving BPDUs.
- Root Guard prevents a port from becoming a root port by blocking superior BPDUs but does not disable the port immediately.
- Loop Guard protects against indirect link failures by preventing a port from transitioning to a forwarding state when BPDUs are lost, but it does not shut down the port.
- BPDU Guard is typically enabled on access-layer ports configured with PortFast to protect the spanning-tree topology from unauthorized switches.
- When BPDU Guard is triggered, the port enters an err-disabled state, requiring manual or automatic recovery to re-enable the interface.
- The presence of BPDUs on a PortFast-enabled port indicates a potential network topology change or misconfiguration, which BPDU Guard addresses by disabling the port.
- Using BPDU Guard helps maintain network stability by preventing loops caused by unintended switch connections at the access layer.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
BPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections.
Real-world example
How this comes up in practice
A practitioner preparing for the 200-301 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. BPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Review bPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections., then practise related 200-301 questions on the same topic to reinforce the concept.
- →
Network Services and Security — study guide chapter
Learn the concepts, then practise the questions
- →
Network Services and Security practice questions
Targeted practice on this topic area only
- →
All 200-301 questions
1,819 questions across all exam domains
- →
CCNA 200-301 v2 study guide
Full concept coverage aligned to exam objectives
- →
200-301 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Infrastructure and Connectivity practice questions
Practise 200-301 questions linked to Network Infrastructure and Connectivity.
Switching and Network Access practice questions
Practise 200-301 questions linked to Switching and Network Access.
IP Routing practice questions
Practise 200-301 questions linked to IP Routing.
Network Services and Security practice questions
Practise 200-301 questions linked to Network Services and Security.
AI and Network Operations practice questions
Practise 200-301 questions linked to AI and Network Operations.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
Practice this exam
Start a free 200-301 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this 200-301 question test?
Network Services and Security — This question tests Network Services and Security — BPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections..
What is the correct answer to this question?
The correct answer is: BPDU Guard — BPDU Guard is designed for edge ports. If the port receives a BPDU, the switch treats that as a sign that another switch has been connected and places the interface into an err-disabled state to protect the spanning-tree topology.
What should I do if I get this 200-301 question wrong?
Review bPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections., then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "best", "immediately / without restart". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
BPDU Guard immediately disables a port if it receives a Bridge Protocol Data Unit (BPDU) on an edge port, preventing accidental switch connections.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
2 more ways this is tested on 200-301
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. An engineer wants users to get fast link-up on access ports but also wants the switch to disable a port if another switch is connected and sends BPDUs. Which combination of features best meets that requirement?
medium- ✓ A.PortFast and BPDU Guard
- B.DHCP snooping and DAI
- C.Root Guard and VTP pruning
- D.Port security and CDP
Why A: PortFast and BPDU Guard are the classic edge-port combination for this requirement. PortFast helps a user-facing interface begin forwarding quickly so a PC or phone does not wait through the normal spanning-tree transition delay. BPDU Guard adds protection by monitoring that same port for BPDUs. If a switch is accidentally or intentionally connected and starts participating in spanning tree, BPDU Guard reacts by disabling the port to protect the Layer 2 topology. In plain language, users get quick connectivity when the port is used correctly, but the network still protects itself against someone plugging in a switch where only an endpoint should exist. That is exactly what the requirement asks for.
Variation 2. A switch should automatically disable any access port that receives a BPDU from an attached device. Which feature directly provides that behavior?
hard- A.Root Guard
- B.Loop Guard
- ✓ C.BPDU Guard
- D.PortFast
Why C: BPDU Guard is designed for edge ports that should never see BPDUs. If a BPDU arrives, the port is placed into an err-disabled state to protect the topology. Root Guard and Loop Guard solve different STP problems.
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.