Network Services and Security · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is that BPDU Guard placed the port into err-disabled state because it received a BPDU from the small switch. This happens because BPDU Guard is a security feature typically enabled on PortFast-enabled access ports, which are meant to connect only to end hosts like PCs. When a BPDU arrives, the switch assumes an unauthorized switch has been connected, violating the edge port’s role, and immediately shuts the port down to prevent potential bridging loops or topology changes. On the CCNA 200-301 v2 exam, this scenario tests your understanding of spanning-tree protection mechanisms at the access layer, often appearing in troubleshooting questions where a user’s port fails after connecting a hub or switch. A common trap is confusing BPDU Guard with Root Guard—remember that BPDU Guard err-disables the port, while Root Guard only prevents the port from becoming a root bridge. Memory tip: BPDU Guard = “Block Port, Disconnect Unauthorized” switch.

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A user reports that their desk port stopped working immediately after they connected a small switch. The interface shows err-disabled, and the log mentions BPDU Guard. What most likely happened?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

  • Clue: "immediately / without restart"

    Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.


Correct answer & explanation

The port received a BPDU and BPDU Guard shut it down.

BPDU Guard is commonly enabled on PortFast access ports to protect the topology. If the port receives a BPDU, the switch assumes another switch may have been connected and places the port into err-disabled state. That is exactly the protective behavior you want at the edge.

Key principle: BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The port received a BPDU and BPDU Guard shut it down.

    Why this is correct

    This matches the symptom and the log message.

    Clue confirmation

    The clue words "most likely", "immediately / without restart" in the question point toward this answer.

    Related concept

    BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.

  • DHCP snooping blocked the user's ARP requests.

    Why it's wrong here

    That would not produce a BPDU Guard err-disable event.

    When this WOULD be correct

    In a scenario where a user connects a device that sends DHCP requests and the switch is configured with DHCP snooping, a question could ask about the impact of DHCP snooping on ARP requests. If the switch detects invalid ARP requests from a rogue device, it could block those requests, making this option correct.

  • Port security moved the port to protect mode.

    Why it's wrong here

    The log explicitly points to BPDU Guard.

    When this WOULD be correct

    If the question described a scenario where a switch port was configured with port security and a device connected had a MAC address not previously seen, resulting in a violation, then port security could indeed place the port in protect mode. This would be a valid context for option C to be correct.

  • The trunk native VLAN matched incorrectly.

    Why it's wrong here

    That would not directly trigger BPDU Guard on an edge port.

    When this WOULD be correct

    In a different question setup, if a user reports that a trunk port is not passing traffic and the logs indicate a native VLAN mismatch, then this option would be correct. The question would need to focus on trunk configurations and VLAN settings to validate this scenario.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The port received a BPDU and BPDU Guard shut it down. (Correct answer)

Why this is correct

This matches the symptom and the log message.

DHCP snooping blocked the user's ARP requests. (Wrong answer)

Why this is wrong here

DHCP snooping is a security feature that filters DHCP messages and can block ARP requests only if Dynamic ARP Inspection (DAI) is also configured. It does not cause an err-disable state or generate a BPDU Guard log message. The log explicitly mentions BPDU Guard, not DHCP snooping.


Why candidates choose this

Students might confuse DHCP snooping with BPDU Guard because both are security features that can block traffic. However, DHCP snooping operates at Layer 2/3 for DHCP messages, while BPDU Guard specifically handles BPDUs and err-disables the port.

Port security moved the port to protect mode. (Wrong answer)

Why this is wrong here

Port security can place a port in protect mode, which drops traffic from unauthorized MAC addresses but does not err-disable the port. The log message mentions BPDU Guard, not port security. Additionally, port security protect mode does not generate a BPDU Guard log entry.


Why candidates choose this

Port security and BPDU Guard are both common access port security features. A student might think that connecting a switch triggers port security due to multiple MAC addresses, but the log explicitly points to BPDU Guard, making this incorrect.

The trunk native VLAN matched incorrectly. (Wrong answer)

Why this is wrong here

A native VLAN mismatch on a trunk can cause connectivity issues but does not directly trigger BPDU Guard on an access port. BPDU Guard is configured on access ports, not trunks, and the log message specifically indicates BPDU Guard, not a native VLAN mismatch.


Why candidates choose this

Students might associate VLAN mismatches with spanning-tree issues, but BPDU Guard is a separate mechanism. The scenario describes a desk port (access port) and a small switch, which is more likely to trigger BPDU Guard than a native VLAN mismatch.


Common exam traps

Common exam trap: answer the scenario, not the keyword

A frequent exam trap is mistaking BPDU Guard triggers for issues caused by DHCP snooping or port security. Candidates may incorrectly assume that DHCP snooping blocking ARP or port security violations cause the err-disabled state when the log explicitly mentions BPDU Guard. Another pitfall is confusing native VLAN mismatches on trunks as the cause, but these do not generate BPDU Guard errors. The key is to recognize that BPDU Guard specifically responds to receiving BPDUs on PortFast-enabled ports, which signals an unexpected switch connection and leads to err-disable. Misreading the log or symptoms can lead to selecting incorrect answers that do not align with BPDU Guard’s function.

Detailed technical explanation

How to think about this question

BPDU Guard is a critical Spanning Tree Protocol (STP) security feature designed to protect the Layer 2 topology from accidental or malicious loops. It is typically enabled on access ports configured with PortFast, which are intended to connect only end devices like PCs or printers. PortFast allows these ports to bypass the usual STP listening and learning states, enabling faster network connectivity. However, if a BPDU is received on such a port, it indicates that another switch or bridging device has been connected, which could cause topology loops or instability.

When BPDU Guard detects a BPDU on a PortFast-enabled port, it immediately places the port into an err-disabled state, effectively shutting it down to prevent potential network issues. This automatic shutdown is a protective measure to maintain STP integrity by preventing unintended switches from participating in the spanning tree. The port remains disabled until an administrator intervenes or a configured err-disable recovery mechanism re-enables it. This behavior ensures that edge ports remain isolated from STP topology changes unless explicitly configured.

A common exam trap is confusing BPDU Guard with other security features like DHCP snooping or port security. DHCP snooping filters DHCP messages to prevent rogue servers but does not interact with BPDUs or cause err-disabled states related to BPDU Guard. Similarly, port security limits MAC addresses on a port and triggers err-disable for violations unrelated to BPDUs. Another confusion arises with trunk native VLAN mismatches, which cause VLAN tagging problems but do not trigger BPDU Guard. Understanding these distinctions is essential for accurate troubleshooting and exam success.
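As an added example (not part of the original page), the Python sketch below triages err-disabled ports from switch syslog: it separates BPDU Guard events from port security violations and flags ports that were shut down again after an automatic err-disable recovery. The log lines are constructed, modelled on Cisco IOS message formats, and the function name `triage` is hypothetical.

```python
import re

# Constructed sample syslog lines (not from the page), modelled on Cisco IOS
# message formats; timestamps and interface names are made up.
SAMPLE_LOG = """\
Mar  1 09:14:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
Mar  1 09:14:03: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/5 with BPDU Guard enabled. Disabling port.
Mar  1 09:14:03: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Mar  1 09:19:03: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/5
Mar  1 09:19:04: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Mar  1 09:20:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
"""

ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
ERR_RECOVER = re.compile(r"%PM-4-ERR_RECOVER: .*from (\S+) err-disable state on (\S+)")

ADVICE = {
    "bpduguard": "BPDU received on an edge port: remove the attached switch before re-enabling",
    "psecure-violation": "port security violation: check the MAC addresses seen on the port",
}

def triage(log_text):
    """Return {port: {cause, events, recoveries, flapping, advice}} for err-disabled ports."""
    ports = {}
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if m:
            cause, port = m.groups()
            entry = ports.setdefault(
                port, {"cause": cause, "events": 0, "recoveries": 0, "flapping": False})
            # Disabled again after an automatic recovery: the offending
            # device is still attached, so recovery alone will not fix it.
            if entry["recoveries"] > 0:
                entry["flapping"] = True
            entry["cause"] = cause
            entry["events"] += 1
            continue
        m = ERR_RECOVER.search(line)
        if m and m.group(2) in ports:
            ports[m.group(2)]["recoveries"] += 1
    for entry in ports.values():
        entry["advice"] = ADVICE.get(entry["cause"], "unrecognised cause: inspect the port")
    return ports

if __name__ == "__main__":
    for port, info in triage(SAMPLE_LOG).items():
        print(port, info["cause"], "flapping" if info["flapping"] else "stable", "-", info["advice"])
```

The cause keyword in the `ERR_DISABLE` message is what distinguishes a BPDU Guard shutdown from a port security one, which is the same distinction the question asks you to make from the log.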

Key Concepts to Remember

  • BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
  • Ports configured with PortFast are intended for end devices and should not receive BPDUs; receiving a BPDU indicates a potential switch connection, triggering BPDU Guard to err-disable the port.
  • When BPDU Guard places a port into err-disabled state, the port stops forwarding traffic until manually or automatically re-enabled, preventing possible Layer 2 loops.
  • BPDU Guard helps maintain network stability by preventing unintended switches from connecting to edge ports, which could cause STP topology changes or loops.
  • DHCP snooping protects against rogue DHCP servers but does not interact with BPDU Guard or cause BPDU-related err-disabled states.
  • Port security controls MAC address access on a port and can err-disable a port for security violations, but it does not trigger BPDU Guard events.
  • Trunk native VLAN mismatches cause VLAN tagging issues but do not cause BPDU Guard to err-disable a port, since BPDUs are unrelated to native VLAN mismatches.
  • Understanding the difference between BPDU Guard and other security features like DHCP snooping and port security is critical for troubleshooting err-disabled ports in Cisco networks.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Review the key principle (BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology), then practise related 200-301 questions on the same topic to reinforce the concept.



About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: May 17, 2026
