Question 574 of 1,819
Switching and Network AccesshardMultiple ChoiceObjective-mapped

Quick Answer

The answer is that BPDU Guard causes the err-disabled state on access ports that unexpectedly receive BPDUs. This occurs because BPDU Guard is a security feature designed to protect the network from rogue switches or misconfigurations; when an access port configured with BPDU Guard detects a Bridge Protocol Data Unit, it immediately places that port into an err-disabled state to prevent potential loops or unauthorized bridging. On the CCNA 200-301 v2 exam, this scenario tests your understanding that BPDU Guard does not require PortFast to function—the key trigger is the receipt of BPDUs on a port expected to be an end-user access port. A common trap is assuming the issue stems from a missing PortFast configuration, but the real problem is that BPDUs are being received, often from a misconfigured device or an actual rogue switch. Remember the memory tip: "BPDU Guard catches BPDUs—if it sees one, the port is done."

CCNA Switching and Network Access Practice Question

This 200-301 practice question tests your understanding of switching and network access. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

SW1# show interfaces status 
Port      Name   Status       Vlan       Duplex Speed Type
Gi0/1            err-disabled 10         auto   auto  10/100/1000BaseTX
Gi0/2            err-disabled 10         auto   auto  10/100/1000BaseTX
Gi0/3            err-disabled 10         auto   auto  10/100/1000BaseTX
Gi0/4            err-disabled 10         auto   auto  10/100/1000BaseTX
Gi0/5            connected    trunk      auto   auto  10/100/1000BaseTX
Gi0/6            connected    1          auto   auto  10/100/1000BaseTX
Gi0/7            connected    1          auto   auto  10/100/1000BaseTX

SW1# show running-config interface gi0/1
Building configuration...

Current configuration : 83 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
end

SW1# show running-config | include bpduguard
spanning-tree portfast bpduguard default

A network administrator recently configured BPDU Guard on all access ports of a switch to protect against rogue switches. After the change, users in VLAN 10 report intermittent connectivity issues and frequent link flaps. The administrator checks the switch and notices that several ports are in an err-disabled state. What is the most likely cause of the problem?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1hardmultiple choice
Open the full VLAN trunking answer →

Exhibit

SW1# show interfaces status 
Port      Name   Status       Vlan       Duplex Speed Type
Gi0/1            err-disabled 10         auto   auto  10/100/1000BaseTX
Gi0/2            err-disabled 10         auto   auto  10/100/1000BaseTX
Gi0/3            err-disabled 10         auto   auto  10/100/1000BaseTX
Gi0/4            err-disabled 10         auto   auto  10/100/1000BaseTX
Gi0/5            connected    trunk      auto   auto  10/100/1000BaseTX
Gi0/6            connected    1          auto   auto  10/100/1000BaseTX
Gi0/7            connected    1          auto   auto  10/100/1000BaseTX

SW1# show running-config interface gi0/1
Building configuration...

Current configuration : 83 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
end

SW1# show running-config | include bpduguard
spanning-tree portfast bpduguard default

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

BPDU Guard is enabled on access ports that are receiving BPDUs, causing the ports to go into err-disabled state.

BPDU Guard is configured to protect against rogue switches by placing a port into an err-disabled state upon receiving a BPDU. In this scenario, BPDU Guard is enabled on access ports that are receiving BPDUs (possibly from a rogue switch or misconfiguration), causing the ports to err-disable and flap. PortFast is not required for BPDU Guard to function; the issue is that BPDUs are being received on ports that are not expected to receive them. The intermittent connectivity occurs as ports cycle into err-disabled and are re-enabled.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Root Guard is preventing the port from becoming a root port.

    Why it's wrong here

    Root Guard is used to prevent a port from becoming a root port; it would not cause err-disabled state.

  • BPDU Guard is enabled on access ports that are receiving BPDUs, causing the ports to go into err-disabled state.

    Why this is correct

    BPDU Guard is designed to work with PortFast; if enabled on non-PortFast ports, any BPDU received will err-disable the port.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Loop Guard has detected a unidirectional link and placed the port into err-disabled state.

    Why it's wrong here

    Loop Guard prevents alternate or root ports from becoming designated in the absence of BPDUs, but it does not err-disable ports.

  • BPDU Guard is globally enabled but not configured on the interface, so the port is err-disabled due to a BPDU received.

    Why it's wrong here

    BPDU Guard is explicitly enabled on the interface (spanning-tree bpduguard enable), not just globally. The global command only applies to PortFast ports.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

BPDU Guard is enabled on access ports that are receiving BPDUs, causing the ports to go into err-disabled state.Correct answer

Why this is correct

BPDU Guard is designed to work with PortFast; if enabled on non-PortFast ports, any BPDU received will err-disable the port.

Root Guard is preventing the port from becoming a root port.Wrong answer — click to see why

Why this is wrong here

Root Guard prevents a port from becoming a root port by placing it in a root-inconsistent state, not err-disabled. It does not cause link flaps or err-disable ports.

Why candidates choose this

Students may confuse Root Guard with BPDU Guard because both are STP security features, and the term 'guard' suggests protection, leading to the assumption that it could cause err-disable.

Loop Guard has detected a unidirectional link and placed the port into err-disabled state.Wrong answer — click to see why

Why this is wrong here

Loop Guard prevents alternate or root ports from becoming designated in the absence of BPDUs, but it does not err-disable ports. It places ports in a loop-inconsistent state, which is not err-disabled.

Why candidates choose this

Loop Guard also deals with BPDU issues and can cause port blocking, so students might mistakenly think it causes err-disable, especially since both features are related to STP protection.

BPDU Guard is globally enabled but not configured on the interface, so the port is err-disabled due to a BPDU received.Wrong answer — click to see why

Why this is wrong here

The global 'spanning-tree portfast bpduguard default' command only applies BPDU Guard to PortFast-enabled ports. If a port receives a BPDU and is not PortFast, it will not be err-disabled by this global command. The scenario states BPDU Guard was configured on all access ports, implying interface-level configuration.

Why candidates choose this

Students may not fully understand the difference between global and interface BPDU Guard configuration, and might think global application alone can cause err-disable on any port receiving a BPDU.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

A common mistake is believing BPDU Guard requires PortFast to function; in reality, BPDU Guard can be enabled per-interface without PortFast and will err-disable the port when a BPDU is received.

Trap categories for this question

  • Command / output trap

    BPDU Guard is explicitly enabled on the interface (spanning-tree bpduguard enable), not just globally. The global command only applies to PortFast ports.

Detailed technical explanation

How to think about this question

PortFast bypasses the normal spanning-tree listening and learning states, allowing a port to transition immediately to forwarding. BPDU Guard relies on PortFast's assumption that no BPDUs should be received; if a BPDU arrives, the port is err-disabled. Without PortFast, the port expects BPDUs as part of normal STP operation, so enabling BPDU Guard alone will cause false positives and err-disable the port upon receiving legitimate BPDUs from a connected switch or even from a host that inadvertently sends a BPDU (e.g., due to misconfiguration). In real-world scenarios, this often happens when an administrator globally enables 'spanning-tree portfast bpduguard default' but forgets to also enable PortFast on the access ports, or when they apply BPDU Guard to trunk ports.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Switching and Network Access — This question tests Switching and Network Access — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: BPDU Guard is enabled on access ports that are receiving BPDUs, causing the ports to go into err-disabled state. — BPDU Guard is configured to protect against rogue switches by placing a port into an err-disabled state upon receiving a BPDU. In this scenario, BPDU Guard is enabled on access ports that are receiving BPDUs (possibly from a rogue switch or misconfiguration), causing the ports to err-disable and flap. PortFast is not required for BPDU Guard to function; the issue is that BPDUs are being received on ports that are not expected to receive them. The intermittent connectivity occurs as ports cycle into err-disabled and are re-enabled.

What should I do if I get this 200-301 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

4 more ways this is tested on 200-301

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A network administrator notices that a switchport in access mode with PortFast enabled has transitioned to an err-disabled state. What is the most likely cause?

hard
  • A.BPDU Guard disabled the PortFast-enabled access port after it received a BPDU.
  • B.Port security shut down the port because the VLAN was wrong.
  • C.DHCP snooping disabled the interface because a host requested an address.
  • D.EtherChannel suspended the interface because the bundle was incomplete.

Why A: The strongest reason is a BPDU Guard violation on a PortFast-enabled access port. In practical terms, the port was expected to face an end host, not a switching device that emits BPDUs. When BPDUs appeared, the switch treated that as a topology-policy violation and error-disabled the interface to protect the network. This is one of the most classic access-layer protection patterns on the CCNA exam.

Variation 2. Exhibit: After a new switch was connected, the access-layer port went into err-disabled state immediately. Which feature most likely caused this?

hard
  • A.Root Guard
  • B.UDLD aggressive
  • C.BPDU Guard
  • D.Storm control

Why C: BPDU Guard is the most likely cause because it immediately places a PortFast-enabled port into the err-disabled state upon receiving any BPDU, which is exactly what happens when a new switch is connected to an access port meant for end devices. Root Guard does not err-disable a port; instead, it puts the port into a root-inconsistent state when a superior BPDU is received, preventing the port from becoming a root port but still allowing traffic. UDLD aggressive can cause err-disabled states, but it is specifically designed to detect unidirectional links on fiber connections and requires a delay or misconfiguration, making it less immediate than BPDU Guard in this scenario. Storm control can err-disable a port if traffic exceeds thresholds, but this is not immediate upon connection unless a broadcast storm is already occurring, which is not indicated in the scenario.

Variation 3. SW1 is the root bridge for VLAN 10. A user switch receives a BPDU on an access port connected to a desk-side unmanaged switch. What should happen if BPDU Guard is enabled on that port?

medium
  • A.The port transitions to forwarding more quickly
  • B.The port is moved to err-disabled state
  • C.The switch elects a new root bridge
  • D.The port becomes a trunk automatically

Why B: BPDU Guard is designed to protect edge ports. If a BPDU is received on a PortFast access port, the switch places the interface into the err-disabled state to stop a potential Layer 2 loop or rogue switch.

Variation 4. Why is BPDU Guard commonly enabled on PortFast-enabled access ports?

medium
  • A.To make STP root election happen faster
  • B.To disable STP permanently on access ports
  • C.To err-disable a port if it receives unexpected BPDUs
  • D.To allow only one MAC address on the access port

Why C: PortFast ports are meant for end devices, not for switches. BPDU Guard protects the LAN by shutting down a PortFast port that unexpectedly starts receiving BPDUs, which usually means an unauthorized switch was connected.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.