An engineer wants users to get fast link-up on access ports but also wants the switch to disable a port if another switch is connected and sends BPDUs.
Which combination of features best meets that requirement?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
PortFast and BPDU Guard
Correct. PortFast provides fast host connectivity, and BPDU Guard protects the port by shutting it down if BPDUs are received from a connected switch.
DHCP snooping and DAI
DHCP snooping and Dynamic ARP Inspection are useful security features, but they solve different problems. They help protect address assignment and ARP behavior, not the specific combination of fast access-port startup and protection against a rogue or accidental switch connection.
Root Guard and VTP pruning
Root Guard can help in spanning-tree design, but it is not the standard feature used to give quick edge-port startup. VTP pruning is unrelated to the core requirement. The question is specifically describing the common edge-port hardening pair, which is PortFast with BPDU Guard.
Port security and CDP
Port security controls allowed MAC addresses, and CDP provides device information. Neither pair directly matches the two-part requirement as completely as PortFast and BPDU Guard do.
Common exam trap
A common exam trap is selecting Root Guard or DHCP snooping as the solution for fast link-up and port protection. Root Guard only prevents a connected switch from becoming the root bridge; it does not speed up port activation or disable ports on BPDU reception. DHCP snooping and Dynamic ARP Inspection secure IP and ARP traffic but do not influence STP behavior or port states. Another trap is assuming PortFast alone is sufficient; without BPDU Guard, a rogue switch could still cause loops. The correct combination is PortFast for fast forwarding and BPDU Guard to disable ports receiving BPDUs, exactly matching the question’s requirements.
Technical deep dive
PortFast is a Cisco Catalyst switch feature that allows access ports to bypass the usual Spanning Tree Protocol (STP) listening and learning states, enabling immediate transition to the forwarding state. This is critical for endpoints like PCs or IP phones that require fast network connectivity without waiting for STP convergence, which normally takes 30 to 50 seconds. PortFast is only intended for ports connected directly to end devices, not other switches, to prevent Layer 2 loops.
BPDU Guard complements PortFast by monitoring access ports for Bridge Protocol Data Units (BPDUs). If a BPDU is received on a PortFast-enabled port, BPDU Guard immediately disables the port (puts it into err-disable state) to protect the network topology from potential loops caused by unauthorized or accidental switch connections. This combination ensures fast link-up for legitimate hosts while securing the network against rogue switches.
A common exam trap is confusing PortFast and BPDU Guard with other security features like Root Guard or DHCP snooping. PortFast alone speeds up connectivity but does not protect against rogue switches. BPDU Guard specifically disables ports receiving BPDUs on PortFast ports, which is the exact behavior required. Understanding this distinction is crucial for correctly answering questions about fast link-up and Layer 2 security in CCNA exams.
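The "PortFast alone" trap can be checked mechanically against a switch configuration. The following is an added example, not part of the original page: a small Python audit that flags access ports where PortFast is in effect but BPDU Guard is not. The sample config is constructed, the function names are hypothetical, and it assumes the IOS interface commands `spanning-tree portfast` and `spanning-tree bpduguard enable` plus the global `spanning-tree portfast default` and `spanning-tree portfast bpduguard default`.

```python
import re

# Constructed sample running-config; interface names are illustrative.
SAMPLE_CONFIG = """\
spanning-tree portfast default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast disable
interface GigabitEthernet0/24
 switchport mode trunk
"""

def _setting(cmds, pattern, default):
    """Interface-level enable/disable wins; otherwise use the global default."""
    for cmd in cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return m.group(1) != "disable"
    return default

def audit_edge_ports(config):
    """Map each access port to 'ok', 'portfast-without-bpduguard' or 'no-portfast'."""
    lines = [l.rstrip() for l in config.splitlines()]
    pf_default = any(re.fullmatch(r"spanning-tree portfast( edge)? default", l) for l in lines)
    bg_default = any(re.fullmatch(r"spanning-tree portfast( edge)? bpduguard default", l) for l in lines)
    ports, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # back at global configuration level
    report = {}
    for name, cmds in ports.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are not edge ports
        portfast = _setting(cmds, r"spanning-tree portfast(?: edge)?(?: (disable))?", pf_default)
        # The global BPDU Guard default only covers ports that are running PortFast.
        guard = _setting(cmds, r"spanning-tree bpduguard (enable|disable)", bg_default and portfast)
        report[name] = ("no-portfast" if not portfast else
                        "ok" if guard else "portfast-without-bpduguard")
    return report
```

On the sample, GigabitEthernet0/2 inherits PortFast from the global default but has no BPDU Guard, so it is the port a connected switch could use to introduce a loop.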
FAQ
PortFast enables immediate forwarding on access ports by bypassing STP listening and learning states to speed up host connectivity.
The correct answer is: PortFast and BPDU Guard — PortFast and BPDU Guard are the classic edge-port combination for this requirement. PortFast helps a user-facing interface begin forwarding quickly so a PC or phone does not wait through the normal spanning-tree transition delay. BPDU Guard adds protection by monitoring that same port for BPDUs. If a switch is accidentally or intentionally connected and starts participating in spanning tree, BPDU Guard reacts by disabling the port to protect the Layer 2 topology. In plain language, users get quick connectivity when the port is used correctly, but the network still protects itself against someone plugging in a switch where only an endpoint should exist. That is exactly what the requirement asks for.