- A
The port received a BPDU and BPDU Guard shut it down.
This matches the symptom and the log message.
- B
DHCP snooping blocked the user's ARP requests.
Why wrong: That would not produce a BPDU Guard err-disable event.
- C
Port security moved the port to protect mode.
Why wrong: The log explicitly points to BPDU Guard.
- D
The trunk native VLAN matched incorrectly.
Why wrong: That would not directly trigger BPDU Guard on an edge port.
Quick Answer
The answer is that BPDU Guard placed the port into err-disabled state because it received a BPDU from the small switch. This happens because BPDU Guard is a security feature typically enabled on PortFast-enabled access ports, which are meant to connect only to end hosts like PCs. When a BPDU arrives, the switch assumes an unauthorized switch has been connected, violating the edge port’s role, and immediately shuts the port down to prevent potential bridging loops or topology changes. On the CCNA 200-301 v2 exam, this scenario tests your understanding of spanning-tree protection mechanisms at the access layer, often appearing in troubleshooting questions where a user’s port fails after connecting a hub or switch. A common trap is confusing BPDU Guard with Root Guard—remember that BPDU Guard err-disables the port, while Root Guard only prevents the port from becoming a root bridge. Memory tip: BPDU Guard = “Block Port, Disconnect Unauthorized” switch.
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A user reports that their desk port stopped working immediately after they connected a small switch. The interface shows err-disabled, and the log mentions BPDU Guard. What most likely happened?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Clue: "immediately / without restart"
Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.
Correct answer & explanation
The port received a BPDU and BPDU Guard shut it down.
BPDU Guard is commonly enabled on PortFast access ports to protect the topology. If the port receives a BPDU, the switch assumes another switch may have been connected and places the port into err-disabled state. That is exactly the protective behavior you want at the edge.
Key principle: BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
The port received a BPDU and BPDU Guard shut it down.
Why this is correct
This matches the symptom and the log message.
Clue confirmation
The clue words "most likely", "immediately / without restart" in the question point toward this answer.
Related concept
BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
- ✗
DHCP snooping blocked the user's ARP requests.
Why it's wrong here
That would not produce a BPDU Guard err-disable event.
When this WOULD be correct
In a scenario where a user connects a device that sends DHCP requests and the switch is configured with DHCP snooping, a question could ask about the impact of DHCP snooping on ARP requests. If the switch detects invalid ARP requests from a rogue device, it could block those requests, making this option correct.
- ✗
Port security moved the port to protect mode.
Why it's wrong here
The log explicitly points to BPDU Guard.
When this WOULD be correct
If the question described a scenario where a switch port was configured with port security and a device connected had a MAC address not previously seen, resulting in a violation, then port security could indeed place the port in protect mode. This would be a valid context for option C to be correct.
- ✗
The trunk native VLAN matched incorrectly.
Why it's wrong here
That would not directly trigger BPDU Guard on an edge port.
When this WOULD be correct
In a different question setup, if a user reports that a trunk port is not passing traffic and the logs indicate a native VLAN mismatch, then this option would be correct. The question would need to focus on trunk configurations and VLAN settings to validate this scenario.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ The port received a BPDU and BPDU Guard shut it down. (Correct answer)
Why this is correct
This matches the symptom and the log message.
✗ DHCP snooping blocked the user's ARP requests. (Wrong answer)
Why this is wrong here
DHCP snooping is a security feature that filters DHCP messages and can block ARP requests only if Dynamic ARP Inspection (DAI) is also configured. It does not cause an err-disable state or generate a BPDU Guard log message. The log explicitly mentions BPDU Guard, not DHCP snooping.
★ When this WOULD be the correct answer
In a scenario where a user connects a device that sends DHCP requests and the switch is configured with DHCP snooping, a question could ask about the impact of DHCP snooping on ARP requests. If the switch detects invalid ARP requests from a rogue device, it could block those requests, making this option correct.
Why candidates choose this
Students might confuse DHCP snooping with BPDU Guard because both are security features that can block traffic. However, DHCP snooping operates at Layer 2/3 for DHCP messages, while BPDU Guard specifically handles BPDUs and err-disables the port.
✗ Port security moved the port to protect mode. (Wrong answer)
Why this is wrong here
Port security can place a port in protect mode, which drops traffic from unauthorized MAC addresses but does not err-disable the port. The log message mentions BPDU Guard, not port security. Additionally, port security protect mode does not generate a BPDU Guard log entry.
★ When this WOULD be the correct answer
If the question described a scenario where a switch port was configured with port security and a device connected had a MAC address not previously seen, resulting in a violation, then port security could indeed place the port in protect mode. This would be a valid context for option C to be correct.
Why candidates choose this
Port security and BPDU Guard are both common access port security features. A student might think that connecting a switch triggers port security due to multiple MAC addresses, but the log explicitly points to BPDU Guard, making this incorrect.
✗ The trunk native VLAN matched incorrectly. (Wrong answer)
Why this is wrong here
A native VLAN mismatch on a trunk can cause connectivity issues but does not directly trigger BPDU Guard on an access port. BPDU Guard is configured on access ports, not trunks, and the log message specifically indicates BPDU Guard, not a native VLAN mismatch.
★ When this WOULD be the correct answer
In a different question setup, if a user reports that a trunk port is not passing traffic and the logs indicate a native VLAN mismatch, then this option would be correct. The question would need to focus on trunk configurations and VLAN settings to validate this scenario.
Why candidates choose this
Students might associate VLAN mismatches with spanning-tree issues, but BPDU Guard is a separate mechanism. The scenario describes a desk port (access port) and a small switch, which is more likely to trigger BPDU Guard than a native VLAN mismatch.
Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is mistaking BPDU Guard triggers for issues caused by DHCP snooping or port security. Candidates may incorrectly assume that DHCP snooping blocking ARP or port security violations cause the err-disabled state when the log explicitly mentions BPDU Guard. Another pitfall is confusing native VLAN mismatches on trunks as the cause, but these do not generate BPDU Guard errors. The key is to recognize that BPDU Guard specifically responds to receiving BPDUs on PortFast-enabled ports, which signals an unexpected switch connection and leads to err-disable. Misreading the log or symptoms can lead to selecting incorrect answers that do not align with BPDU Guard’s function.
Detailed technical explanation
How to think about this question
BPDU Guard is a critical Spanning Tree Protocol (STP) security feature designed to protect the Layer 2 topology from accidental or malicious loops. It is typically enabled on access ports configured with PortFast, which are intended to connect only end devices like PCs or printers. PortFast allows these ports to bypass the usual STP listening and learning states, enabling faster network connectivity. However, if a BPDU is received on such a port, it indicates that another switch or bridging device has been connected, which could cause topology loops or instability.
When BPDU Guard detects a BPDU on a PortFast-enabled port, it immediately places the port into an err-disabled state, effectively shutting it down to prevent potential network issues. This automatic shutdown is a protective measure to maintain STP integrity by preventing unintended switches from participating in the spanning tree. The port remains disabled until an administrator intervenes or a configured err-disable recovery mechanism re-enables it. This behavior ensures that edge ports remain isolated from STP topology changes unless explicitly configured.
A common exam trap is confusing BPDU Guard with other security features like DHCP snooping or port security. DHCP snooping filters DHCP messages to prevent rogue servers but does not interact with BPDUs or cause err-disabled states related to BPDU Guard. Similarly, port security limits MAC addresses on a port and triggers err-disable for violations unrelated to BPDUs. Another confusion arises with trunk native VLAN mismatches, which cause VLAN tagging problems but do not trigger BPDU Guard. Understanding these distinctions is essential for accurate troubleshooting and exam success.
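
An added example (not from the original page): a short Python triage script that reads switch syslog and tells a BPDU Guard err-disable apart from a port security one, including the case where err-disable recovery re-enables the port while the small switch is still attached. The log lines are constructed samples in the common Cisco IOS message layout, and the function names are hypothetical.

```python
import re

# Constructed sample syslog, in the usual Cisco IOS message layout.
SAMPLE_LOG = """\
Mar  3 09:14:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/5 with BPDU Guard enabled. Disabling port.
Mar  3 09:14:02: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Mar  3 09:19:02: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/5
Mar  3 09:19:09: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/5 with BPDU Guard enabled. Disabling port.
Mar  3 09:19:09: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Mar  3 09:20:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/7.
Mar  3 09:20:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
"""

BPDU_SEEN = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
ERR_RECOVER = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from (\S+) err-disable state on (\S+)")


def short_name(ifname):
    """Map GigabitEthernet1/0/5 and Gi1/0/5 to the same key (Gi1/0/5)."""
    m = re.match(r"([A-Za-z]+)([\d/.]+)$", ifname.rstrip(".,"))
    return m.group(1)[:2] + m.group(2) if m else ifname


def triage(log_text):
    """Return per-port err-disable cause, BPDU count, event count and last state."""
    ports = {}

    def port(name):
        return ports.setdefault(
            short_name(name), {"cause": None, "bpdus": 0, "events": 0, "state": "up"})

    for line in log_text.splitlines():
        if m := BPDU_SEEN.search(line):
            port(m.group(1))["bpdus"] += 1
        elif m := ERR_DISABLE.search(line):
            p = port(m.group(2))
            p["cause"], p["state"] = m.group(1), "err-disabled"
            p["events"] += 1
        elif m := ERR_RECOVER.search(line):
            port(m.group(2))["state"] = "recovering"
    return ports


def verdict(p):
    """Turn one port's record into the next troubleshooting step."""
    if p["cause"] == "bpduguard":
        if p["events"] > 1:
            return "BPDU Guard tripped again after recovery: the switch is still attached"
        return "BPDU Guard: remove the attached switch, then re-enable the port"
    if p["cause"] == "psecure-violation":
        return "Port security violation, not BPDU Guard: check the MAC addresses seen"
    return "No err-disable event logged for this port"


if __name__ == "__main__":
    for name, rec in triage(SAMPLE_LOG).items():
        print(name, rec["state"], "-", verdict(rec))
```
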
Key Concepts to Remember
- BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
- Ports configured with PortFast are intended for end devices and should not receive BPDUs; receiving a BPDU indicates a potential switch connection, triggering BPDU Guard to err-disable the port.
- When BPDU Guard places a port into err-disabled state, the port stops forwarding traffic until manually or automatically re-enabled, preventing possible Layer 2 loops.
- BPDU Guard helps maintain network stability by preventing unintended switches from connecting to edge ports, which could cause STP topology changes or loops.
- DHCP snooping protects against rogue DHCP servers but does not interact with BPDU Guard or cause BPDU-related err-disabled states.
- Port security controls MAC address access on a port and can err-disable a port for security violations, but it does not trigger BPDU Guard events.
- Trunk native VLAN mismatches cause VLAN tagging issues but do not cause BPDU Guard to err-disable a port since BPDUs are unrelated to native VLAN mismatches.
- Understanding the difference between BPDU Guard and other security features like DHCP snooping and port security is critical for troubleshooting err-disabled ports in Cisco networks.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
FAQ
Questions learners often ask
What does this 200-301 question test?
This question tests Network Services and Security: BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
What is the correct answer to this question?
The correct answer is: The port received a BPDU and BPDU Guard shut it down. — BPDU Guard is commonly enabled on PortFast access ports to protect the topology. If the port receives a BPDU, the switch assumes another switch may have been connected and places the port into err-disabled state. That is exactly the protective behavior you want at the edge.
What should I do if I get this 200-301 question wrong?
Review the key principle (BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology), then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "most likely", "immediately / without restart". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: May 17, 2026