Question 798 of 1,819
Switching and Network AccessmediumMultiple SelectObjective-mapped

Quick Answer

The correct answer is that Root Guard is configured per-port and places the port into a root-inconsistent state upon receiving a superior BPDU, while BPDU Guard places the port into errdisable state upon receiving any BPDU. Root Guard protects the spanning-tree topology by preventing an unauthorized switch from becoming the root bridge; when a superior BPDU arrives, the port is blocked in a root-inconsistent state rather than forwarding traffic. BPDU Guard is typically enabled on PortFast access ports and instantly errdisables the port if any BPDU is received, stopping loops from rogue switches. On the CCNA 200-301 v2 exam, this distinction tests your understanding of how each feature reacts to BPDUs—Root Guard only reacts to superior BPDUs, while BPDU Guard reacts to any BPDU. A common trap is confusing the resulting states: Root Guard uses root-inconsistent, not errdisable. For a memory tip, think “Root Guard roots out superior BPDUs, BPDU Guard bans all BPDUs.”

CCNA Switching and Network Access Practice Question

This 200-301 practice question tests your understanding of switching and network access. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which TWO statements correctly describe the configuration and effect of Root Guard and BPDU Guard on a Cisco switch?

Question 1mediummulti select
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Root Guard is configured on a per-port basis and causes the port to become root-inconsistent if a superior BPDU is received.

Option A is correct because Root Guard is configured per interface using the 'spanning-tree guard root' command. When a port with Root Guard enabled receives a superior BPDU (one that would cause the switch to become a non-root bridge), the port is placed into a root-inconsistent state, effectively blocking traffic on that port and preventing the switch from accepting a new root bridge from that direction. This protects the spanning-tree topology from unauthorized or misconfigured switches attempting to become the root bridge. Option D is correct because BPDU Guard is commonly enabled on ports with PortFast (typically access ports connected to end devices). When a BPDU is received on such a port, BPDU Guard places the port into errdisable state, preventing potential bridging loops that could result from an unauthorized switch connecting to the network. Option B is incorrect because BPDU Guard does not prevent loops by disabling a trunk port; it is typically used on access ports (often with PortFast) and disables the port upon receiving any BPDU, not just on trunk ports. Option C is incorrect because Root Guard places the port into root-inconsistent state (not errdisable) when a superior BPDU is received; BPDU Guard uses errdisable. Option E is incorrect because neither Root Guard nor BPDU Guard filters BPDUs; Root Guard reacts to superior BPDUs by blocking the port, and BPDU Guard reacts to any BPDU by disabling the port. Both features allow BPDUs to be processed but then take action based on the received BPDUs.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Root Guard is configured on a per-port basis and causes the port to become root-inconsistent if a superior BPDU is received.

    Why this is correct

    Root Guard is applied to a port (usually a designated port) and if a better BPDU arrives, the port enters a root-inconsistent state, blocking traffic and preventing the switch from becoming root.

    Related concept

    Read the scenario before looking for a memorised answer.

  • BPDU Guard prevents loops by disabling a trunk port that receives a BPDU from an unauthorized switch.

    Why it's wrong here

    BPDU Guard is applied to access ports (often with PortFast) and places the port in errdisable state if any BPDU is received; it does not target trunk ports or specifically prevent loops—that is the role of Loop Guard.

  • Root Guard places a port in errdisable state when a superior BPDU is received.

    Why it's wrong here

    Root Guard uses a root-inconsistent state (not errdisable) to block traffic while still allowing the port to recover automatically when the superior BPDUs stop.

  • BPDU Guard is commonly enabled on ports where PortFast is configured to prevent unexpected BPDUs from causing a bridging loop.

    Why this is correct

    BPDU Guard is often used with PortFast on access ports to immediately error-disable the port if a BPDU is received, preventing potential loops from unauthorized devices.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Both Root Guard and BPDU Guard filter BPDUs to prevent them from being processed by the switch CPU.

    Why it's wrong here

    Neither Root Guard nor BPDU Guard filters BPDUs. Root Guard reacts to superior BPDUs by changing port state, and BPDU Guard reacts by error-disabling the port. They do not prevent BPDUs from reaching the CPU.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Root Guard is configured on a per-port basis and causes the port to become root-inconsistent if a superior BPDU is received.Correct answer

Why this is correct

Root Guard is applied to a port (usually a designated port) and if a better BPDU arrives, the port enters a root-inconsistent state, blocking traffic and preventing the switch from becoming root.

BPDU Guard prevents loops by disabling a trunk port that receives a BPDU from an unauthorized switch.Wrong answer — click to see why

Why this is wrong here

BPDU Guard is applied to access ports (often with PortFast) and places the port in errdisable state if any BPDU is received. It does not target trunk ports; trunk ports are expected to receive BPDUs. The feature that prevents loops by disabling a port that receives BPDUs on a trunk is actually Loop Guard, not BPDU Guard.

Why candidates choose this

Students may confuse BPDU Guard with Loop Guard because both deal with BPDUs and loop prevention. The mention of 'trunk port' and 'unauthorized switch' might lead them to think BPDU Guard is used on trunks, but BPDU Guard is specifically for access ports.

Root Guard places a port in errdisable state when a superior BPDU is received.Wrong answer — click to see why

Why this is wrong here

Root Guard does not place a port in errdisable state; it uses a root-inconsistent state. The errdisable state is used by BPDU Guard and other features like UDLD. Root Guard's root-inconsistent state allows automatic recovery when superior BPDUs stop, whereas errdisable requires manual intervention or errdisable recovery configuration.

Why candidates choose this

Both Root Guard and BPDU Guard react to BPDUs, and students may mistakenly think both use errdisable. The term 'errdisable' is commonly associated with port security violations, so it's easy to confuse with Root Guard's action.

Both Root Guard and BPDU Guard filter BPDUs to prevent them from being processed by the switch CPU.Wrong answer — click to see why

Why this is wrong here

Neither Root Guard nor BPDU Guard filters BPDUs. Root Guard reacts to superior BPDUs by changing the port state, but the BPDU is still processed by the switch CPU. BPDU Guard reacts by error-disabling the port, but the BPDU is still received and processed. Filtering BPDUs is done by BPDU Filter, not these features.

Why candidates choose this

The word 'Guard' might imply protection by filtering, and students may think both features prevent BPDUs from reaching the CPU. However, they are reactive mechanisms, not filters. BPDU Filter is a separate feature that actually prevents BPDU transmission and reception.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between the states triggered by Root Guard (root-inconsistent) versus BPDU Guard (errdisable), and candidates frequently confuse the two, assuming both place the port into errdisable or that Root Guard uses errdisable.

Detailed technical explanation

How to think about this question

Root Guard works by monitoring incoming BPDUs on a per-port basis; if a superior BPDU (with a lower bridge ID than the current root) arrives, the port transitions to root-inconsistent (listening/blocking) to maintain the current root bridge. This is different from BPDU Guard, which uses the errdisable state and is typically applied to access ports to prevent unauthorized switch connections. In real-world scenarios, Root Guard is often deployed on ports connecting to end-user switches or distribution switches to prevent accidental or malicious root bridge hijacking, while BPDU Guard is used on ports where no BPDUs should ever appear, such as ports connected to hosts.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Switching and Network Access — This question tests Switching and Network Access — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Root Guard is configured on a per-port basis and causes the port to become root-inconsistent if a superior BPDU is received. — Option A is correct because Root Guard is configured per interface using the 'spanning-tree guard root' command. When a port with Root Guard enabled receives a superior BPDU (one that would cause the switch to become a non-root bridge), the port is placed into a root-inconsistent state, effectively blocking traffic on that port and preventing the switch from accepting a new root bridge from that direction. This protects the spanning-tree topology from unauthorized or misconfigured switches attempting to become the root bridge. Option D is correct because BPDU Guard is commonly enabled on ports with PortFast (typically access ports connected to end devices). When a BPDU is received on such a port, BPDU Guard places the port into errdisable state, preventing potential bridging loops that could result from an unauthorized switch connecting to the network. Option B is incorrect because BPDU Guard does not prevent loops by disabling a trunk port; it is typically used on access ports (often with PortFast) and disables the port upon receiving any BPDU, not just on trunk ports. Option C is incorrect because Root Guard places the port into root-inconsistent state (not errdisable) when a superior BPDU is received; BPDU Guard uses errdisable. Option E is incorrect because neither Root Guard nor BPDU Guard filters BPDUs; Root Guard reacts to superior BPDUs by blocking the port, and BPDU Guard reacts to any BPDU by disabling the port. Both features allow BPDUs to be processed but then take action based on the received BPDUs.

What should I do if I get this 200-301 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.