Question 1,168 of 1,819
Switching and Network AccesshardConfigurationObjective-mapped

Quick Answer

The answer is to configure Root Guard on Gi0/2, Loop Guard on the same uplink, and BPDU Guard on the PortFast-enabled ports Gi0/1 and Gi0/3. This is correct because Root Guard is applied to designated ports to block any port that receives a superior BPDU, preventing an unauthorized switch from becoming root, while Loop Guard protects against unidirectional link failures by placing the port into a loop-inconsistent state if BPDUs stop arriving. BPDU Guard must be enabled on all PortFast ports to immediately err-disable them upon receiving any BPDU, enforcing the access-layer assumption that no switch should connect there. On the CCNA 200-301 v2 exam, this scenario tests your ability to distinguish where each protection feature applies: Root Guard and Loop Guard share the same uplink port, but BPDU Guard is strictly for edge ports. A common trap is applying Loop Guard to a PortFast port, which can cause false positives, or forgetting that Root Guard only works on designated ports. Remember the mnemonic: “Root and Loop guard the trunk, BPDU guard the edge.”

CCNA Switching and Network Access Practice Question

This 200-301 practice question tests your understanding of switching and network access. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Network Topology
Gi0/010.0.0.0/30Gi0/1Gi0/2Gi0/3R1R2SwitchASwitchBSwitchC

You are connected to R1, a multilayer switch with three directly connected switches. Configure Root Guard on the designated port to prevent an unauthorized switch from becoming root. Configure Loop Guard on the uplink to protect against unidirectional links. Configure BPDU Guard on all PortFast-enabled ports. Troubleshoot the scenario where a port receives a superior BPDU and is blocked by Root Guard, and another port goes err-disabled after BPDU Guard triggers.

Question 1hardConfiguration
Read the full NAT/PAT explanation →

Exhibit

R1# show running-config | section interface
interface GigabitEthernet0/0
 description Uplink to R2
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Access port to SwitchA
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Uplink to SwitchB
 switchport mode trunk
!
interface GigabitEthernet0/3
 description Access port to SwitchC
 switchport mode access
 spanning-tree portfast
!

R1# show spanning-tree
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0000.0c12.3456
             This bridge is the root
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0000.0c12.3456
  Interface        Role Sts Cost      Prio.Nbr Type
  ---------------- ---- --- --------- -------- --------------------------------
  Gi0/1            Desg FWD 4         128.2    P2p Edge
  Gi0/2            Desg FWD 4         128.3    P2p
  Gi0/3            Desg FWD 4         128.4    P2p Edge

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Configure Root Guard on Gi0/2, Loop Guard on Gi0/2, and BPDU Guard on Gi0/1 and Gi0/3.

The scenario requires three STP protection features. Root Guard should be applied on designated port Gi0/2 (uplink) to prevent an external switch from becoming root if it sends superior BPDUs. Loop Guard should be applied on the same uplink to protect against unidirectional link failure. BPDU Guard must be enabled on all PortFast ports (Gi0/1 and Gi0/3) to immediately err-disable them if a BPDU is received. After configuration, if a superior BPDU arrives on Gi0/2, Root Guard will block it (root-inconsistent state). If a BPDU arrives on Gi0/1 or Gi0/3, BPDU Guard will put the port in err-disable state, requiring manual or automatic recovery.

Key principle: NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure Root Guard on Gi0/2, Loop Guard on Gi0/2, and BPDU Guard on Gi0/1 and Gi0/3.

    Why this is correct

    Root Guard is applied on designated ports to prevent external switches from becoming root; Loop Guard protects against unidirectional links on the same uplink; BPDU Guard is applied on PortFast-enabled ports to err-disable them upon BPDU reception. This matches the scenario requirements.

    Related concept

    Static NAT maps one inside address to one outside address.

  • Configure Root Guard on Gi0/1 and Gi0/3, Loop Guard on Gi0/2, and BPDU Guard on Gi0/2.

    Why it's wrong here

    This is incorrect because Root Guard should be on designated ports (uplinks), not on PortFast ports; BPDU Guard should be on PortFast ports, not on uplinks.

  • Configure Root Guard on Gi0/1, Loop Guard on Gi0/3, and BPDU Guard on Gi0/2.

    Why it's wrong here

    This is incorrect because Root Guard should be on the uplink (Gi0/2), not on an access port; Loop Guard should be on the uplink, not on an access port; BPDU Guard should be on PortFast ports, not on the uplink.

  • Configure Root Guard on Gi0/3, Loop Guard on Gi0/1, and BPDU Guard on Gi0/2.

    Why it's wrong here

    This is incorrect because Root Guard should be on the designated port (Gi0/2), not on an access port; Loop Guard should be on the uplink, not on an access port; BPDU Guard should be on PortFast ports, not on the uplink.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Configure Root Guard on Gi0/2, Loop Guard on Gi0/2, and BPDU Guard on Gi0/1 and Gi0/3.Correct answer

Why this is correct

Root Guard is applied on designated ports to prevent external switches from becoming root; Loop Guard protects against unidirectional links on the same uplink; BPDU Guard is applied on PortFast-enabled ports to err-disable them upon BPDU reception. This matches the scenario requirements.

Configure Root Guard on Gi0/1 and Gi0/3, Loop Guard on Gi0/2, and BPDU Guard on Gi0/2.Wrong answer — click to see why

Why this is wrong here

Root Guard is only effective on designated ports; applying it to access ports does not prevent an external switch from becoming root via the uplink. BPDU Guard on an uplink would err-disable it unnecessarily.

Why candidates choose this

Candidates may confuse the placement of protection features, thinking Root Guard should protect all ports or that BPDU Guard should be on all ports.

Configure Root Guard on Gi0/1, Loop Guard on Gi0/3, and BPDU Guard on Gi0/2.Wrong answer — click to see why

Why this is wrong here

Root Guard on an access port does not protect against superior BPDUs from an external switch on the uplink. Loop Guard on an access port is unnecessary as unidirectional links typically affect trunk links.

Why candidates choose this

Candidates may think any port can be protected with any feature, ignoring the specific purpose of each.

Configure Root Guard on Gi0/3, Loop Guard on Gi0/1, and BPDU Guard on Gi0/2.Wrong answer — click to see why

Why this is wrong here

Root Guard on an access port does not prevent an external switch from becoming root via the uplink. Loop Guard on an access port is not standard practice. BPDU Guard on the uplink would cause unnecessary err-disable.

Why candidates choose this

Candidates may misassign features based on port numbers rather than port roles.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: NAT rules depend on direction and matching traffic

NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.

Detailed technical explanation

How to think about this question

NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.

KKey Concepts to Remember

  • Static NAT maps one inside address to one outside address.
  • PAT allows many inside hosts to share one public address using ports.
  • Inside local and inside global describe the private and translated addresses.
  • NAT ACLs identify traffic for translation, not always security filtering.

TExam Day Tips

  • Identify inside and outside interfaces first.
  • Check whether the scenario needs static NAT, dynamic NAT or PAT.
  • Do not confuse NAT matching ACLs with normal packet-filtering intent.

Key takeaway

NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related 200-301 NAT questions on configuration and troubleshooting.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Switching and Network Access — This question tests Switching and Network Access — Static NAT maps one inside address to one outside address..

What is the correct answer to this question?

The correct answer is: Configure Root Guard on Gi0/2, Loop Guard on Gi0/2, and BPDU Guard on Gi0/1 and Gi0/3. — The scenario requires three STP protection features. Root Guard should be applied on designated port Gi0/2 (uplink) to prevent an external switch from becoming root if it sends superior BPDUs. Loop Guard should be applied on the same uplink to protect against unidirectional link failure. BPDU Guard must be enabled on all PortFast ports (Gi0/1 and Gi0/3) to immediately err-disable them if a BPDU is received. After configuration, if a superior BPDU arrives on Gi0/2, Root Guard will block it (root-inconsistent state). If a BPDU arrives on Gi0/1 or Gi0/3, BPDU Guard will put the port in err-disable state, requiring manual or automatic recovery.

What should I do if I get this 200-301 question wrong?

Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related 200-301 NAT questions on configuration and troubleshooting.

What is the key concept behind this question?

Static NAT maps one inside address to one outside address.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 6, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.