Question 1,072 of 1,819
Switching and Network AccesshardMultiple ChoiceObjective-mapped

Quick Answer

The answer is root guard, because it is specifically designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. This feature protects the intended STP topology by forcing the port into a root-inconsistent state if a superior BPDU arrives, ensuring that no downstream device can hijack the root role on that segment. On the CCNA 200-301 v2 exam, this concept tests your ability to distinguish between STP security mechanisms: root guard preserves the existing root bridge’s authority, while BPDU guard shuts down an edge port entirely if any BPDU appears. A common trap is confusing the two, but remember that root guard cares about *which* BPDU is superior, not just the presence of any BPDU. For a quick memory tip, think “Root guard guards the root’s path, BPDU guard guards the edge’s wrath.”

CCNA Switching and Network Access Practice Question

This 200-301 practice question tests your understanding of switching and network access. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A switch receives superior BPDUs on a port where the design requires that no downstream device ever become the root path for that segment. Which feature is the best fit for that requirement?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Question 1hardmultiple choice
Read the full NAT/PAT explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Root guard

Root guard is the best fit because it is designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. In practical terms, it protects the intended STP topology by keeping that port from taking on a root-related forwarding role when the design says it should not. This is different from BPDU Guard, which is more commonly used on edge ports to disable them entirely if BPDUs appear. Root guard is about protecting topology roles, not just edge-port assumptions.

Key principle: Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Root guard

    Why this is correct

    This is correct because root guard prevents the port from becoming a root path when superior BPDUs appear.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.

  • BPDU Guard

    Why it's wrong here

    This is wrong because BPDU Guard is typically used on edge ports to disable them when BPDUs appear unexpectedly.

    When this WOULD be correct

    In a scenario where the question asks about protecting edge ports from receiving BPDUs while allowing them to remain operational, BPDU Guard would be the correct answer. For example, if the question specified that the goal was to prevent accidental topology changes on access ports, BPDU Guard would fit.

  • Port security

    Why it's wrong here

    This is wrong because port security controls MAC address behavior, not STP root-path conditions.

    When this WOULD be correct

    In a scenario where the question asks about securing a switch port against unauthorized devices connecting, while ensuring that only specific MAC addresses are allowed, port security would be the correct answer. This could involve a network segment where only known devices should be permitted to communicate.

  • DHCP Snooping

    Why it's wrong here

    This is wrong because DHCP Snooping is unrelated to STP root-role protection.

    When this WOULD be correct

    In a scenario where a question asks about securing a network against rogue DHCP servers and ensuring that only trusted DHCP servers can assign IP addresses, DHCP Snooping would be the correct answer. This would involve configuring the switch to allow DHCP responses only from specific trusted ports.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Root guardCorrect answer

Why this is correct

This is correct because root guard prevents the port from becoming a root path when superior BPDUs appear.

BPDU GuardWrong answer — click to see why

Why this is wrong here

BPDU Guard is designed to protect against receiving BPDUs on ports configured as edge ports, but it does not prevent a downstream device from becoming the root bridge. It simply disables the port if a BPDU is received, which does not align with the requirement of preventing a downstream device from becoming the root path.

★ When this WOULD be the correct answer

In a scenario where the question asks about protecting edge ports from receiving BPDUs while allowing them to remain operational, BPDU Guard would be the correct answer. For example, if the question specified that the goal was to prevent accidental topology changes on access ports, BPDU Guard would fit.

Why candidates choose this

Candidates may confuse BPDU Guard with Root Guard due to their similar functions in protecting the network topology, leading them to mistakenly believe that BPDU Guard can also prevent a downstream device from becoming the root bridge.

Port securityWrong answer — click to see why

Why this is wrong here

Port security is used to restrict the number of MAC addresses allowed on a port and prevent unauthorized devices from connecting. It does not specifically prevent a downstream device from becoming the root bridge in a Spanning Tree Protocol (STP) topology.

★ When this WOULD be the correct answer

In a scenario where the question asks about securing a switch port against unauthorized devices connecting, while ensuring that only specific MAC addresses are allowed, port security would be the correct answer. This could involve a network segment where only known devices should be permitted to communicate.

Why candidates choose this

Candidates may confuse port security with STP features, thinking that limiting MAC addresses could also prevent topology changes. This misunderstanding can lead them to select port security when they are actually looking for a solution related to STP behavior.

DHCP SnoopingWrong answer — click to see why

Why this is wrong here

DHCP Snooping is designed to prevent unauthorized DHCP servers from distributing IP addresses on a network, not to manage or control the role of switches in the Spanning Tree Protocol (STP). In this context, it does not address the requirement of preventing downstream devices from becoming the root bridge.

★ When this WOULD be the correct answer

In a scenario where a question asks about securing a network against rogue DHCP servers and ensuring that only trusted DHCP servers can assign IP addresses, DHCP Snooping would be the correct answer. This would involve configuring the switch to allow DHCP responses only from specific trusted ports.

Why candidates choose this

Candidates might confuse DHCP Snooping with general network security features, thinking it could relate to controlling device roles in STP due to its focus on preventing unauthorized access, leading them to mistakenly select it.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

A common exam trap is selecting BPDU guard instead of root guard because both involve BPDU handling. BPDU guard disables a port immediately upon receiving any BPDU, which is suitable for edge ports but not for ports where topology control is required. Root guard, on the other hand, only blocks ports that receive superior BPDUs, allowing normal BPDUs from the current root bridge. Confusing these features can lead to incorrect answers, as BPDU guard does not protect the root path role but rather protects against unauthorized devices on edge ports.

Detailed technical explanation

How to think about this question

Spanning Tree Protocol (STP) is a Layer 2 network protocol that prevents loops by electing a root bridge and calculating the best paths to it. Switch ports are assigned roles such as root port, designated port, or blocked port based on BPDU (Bridge Protocol Data Unit) information. When a switch receives a superior BPDU (one indicating a better path to the root bridge), it may change its port roles and topology accordingly to maintain a loop-free environment. Root guard is a Cisco feature designed to enforce the network topology by preventing a port from becoming a root port if it receives superior BPDUs. When root guard is enabled on a port, if that port receives a superior BPDU, the port is placed into a root-inconsistent state, effectively blocking it from forwarding traffic and preventing the downstream device from becoming the root bridge or influencing the root path. This preserves the intended STP topology and prevents topology changes caused by unauthorized or misconfigured switches. A common exam trap is confusing root guard with BPDU guard. BPDU guard disables a port if any BPDU is received, typically used on edge ports to protect against accidental switches or loops. Root guard, however, only blocks ports receiving superior BPDUs, allowing normal BPDUs from the current root bridge. Understanding this distinction is critical for correctly applying STP protection features and answering related CCNA questions accurately.

KKey Concepts to Remember

  • Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.
  • Superior BPDUs indicate a better path to the root bridge and can cause topology changes if not controlled.
  • BPDU guard disables a port entirely when any BPDU is received, protecting edge ports from unexpected switches.
  • Port security controls MAC address access on a port and does not influence STP root path decisions.
  • DHCP snooping protects against rogue DHCP servers and does not affect STP or root bridge election.
  • STP uses BPDUs to elect the root bridge and determine port roles to maintain a loop-free topology.
  • Root guard places a port into a root-inconsistent state to block forwarding when superior BPDUs are detected.
  • Proper use of root guard maintains the intended STP topology by preventing downstream devices from becoming the root.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Review root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs., then practise related 200-301 questions on the same topic to reinforce the concept.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Switching and Network Access — This question tests Switching and Network Access — Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs..

What is the correct answer to this question?

The correct answer is: Root guard — Root guard is the best fit because it is designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. In practical terms, it protects the intended STP topology by keeping that port from taking on a root-related forwarding role when the design says it should not. This is different from BPDU Guard, which is more commonly used on edge ports to disable them entirely if BPDUs appear. Root guard is about protecting topology roles, not just edge-port assumptions.

What should I do if I get this 200-301 question wrong?

Review root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs., then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Root guard prevents a switch port from becoming a root port by blocking the port if it receives superior BPDUs.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 200-301 practice questions

Last reviewed: May 17, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.