A user reports that their desk port stopped working immediately after they connected a small switch. The interface shows err-disabled, and the log mentions BPDU Guard. What most likely happened?
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
The port received a BPDU and BPDU Guard shut it down.
This matches the symptom and the log message.
Distractor review
DHCP snooping blocked the user's ARP requests.
That would not produce a BPDU Guard err-disable event.
Distractor review
Port security moved the port to protect mode.
The log explicitly points to BPDU Guard.
Distractor review
The trunk native VLAN matched incorrectly.
That would not directly trigger BPDU Guard on an edge port.
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is mistaking BPDU Guard triggers for issues caused by DHCP snooping or port security. Candidates may incorrectly assume that DHCP snooping blocking ARP or a port security violation caused the err-disabled state, even though the log explicitly mentions BPDU Guard. Another pitfall is treating a native VLAN mismatch on a trunk as the cause, but such mismatches do not generate BPDU Guard errors. The key is to recognize that BPDU Guard specifically responds to receiving BPDUs on PortFast-enabled ports, which signals an unexpected switch connection and leads to err-disable. Misreading the log or symptoms can lead to selecting incorrect answers that do not align with BPDU Guard’s function.
Technical deep dive
How to think about this question
BPDU Guard is a critical Spanning Tree Protocol (STP) security feature designed to protect the Layer 2 topology from accidental or malicious loops. It is typically enabled on access ports configured with PortFast, which are intended to connect only end devices like PCs or printers. PortFast allows these ports to bypass the usual STP listening and learning states, enabling faster network connectivity. However, if a BPDU is received on such a port, it indicates that another switch or bridging device has been connected, which could cause topology loops or instability.

When BPDU Guard detects a BPDU on a PortFast-enabled port, it immediately places the port into an err-disabled state, effectively shutting it down to prevent potential network issues. This automatic shutdown is a protective measure to maintain STP integrity by preventing unintended switches from participating in the spanning tree. The port remains disabled until an administrator intervenes or a configured err-disable recovery mechanism re-enables it. This behavior ensures that edge ports remain isolated from STP topology changes unless explicitly configured.

A common exam trap is confusing BPDU Guard with other security features like DHCP snooping or port security. DHCP snooping filters DHCP messages to prevent rogue servers but does not interact with BPDUs or cause err-disabled states related to BPDU Guard. Similarly, port security limits MAC addresses on a port and triggers err-disable for violations unrelated to BPDUs. Another confusion arises with trunk native VLAN mismatches, which cause VLAN tagging problems but do not trigger BPDU Guard. Understanding these distinctions is essential for accurate troubleshooting and exam success.
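An added example (not from the original page): triaging err-disable events from syslog by their cause keyword, which is how the log in this scenario separates BPDU Guard from port security. The log lines are constructed samples in Cisco IOS message format, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in Cisco IOS format (not from the original page).
SAMPLE_LOG = """\
Mar  1 09:14:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/12 with BPDU Guard enabled. Disabling port.
Mar  1 09:14:02: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
Mar  1 09:20:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port Gi1/0/7.
Mar  1 09:20:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar  1 09:31:10: %LINK-3-UPDOWN: Interface Gi1/0/3, changed state to down
"""

# The PM-4-ERR_DISABLE message names the cause keyword and the affected port.
ERR_DISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<port>[^\s,]+),"
)

# err-disable cause keyword -> (feature, what to check before re-enabling the port)
TRIAGE = {
    "bpduguard": ("BPDU Guard", "a switch or bridge is attached to an edge port; remove it first"),
    "psecure-violation": ("Port security", "MAC limit exceeded; review the addresses learned on the port"),
}

def triage_err_disabled(log_text):
    """Return {port: [(feature, advice), ...]} for every err-disable event in the log."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if not m:
            continue  # link flaps and feature-specific messages are not err-disable events
        cause = m["cause"]
        # Unknown causes are reported under their raw keyword rather than dropped.
        findings[m["port"]].append(TRIAGE.get(cause, (cause, "cause not in triage table")))
    return dict(findings)

def ports_shut_by(feature, log_text):
    """Sorted list of ports whose err-disable event was raised by the given feature."""
    return sorted(port for port, hits in triage_err_disabled(log_text).items()
                  if any(name == feature for name, _ in hits))

if __name__ == "__main__":
    for port, hits in triage_err_disabled(SAMPLE_LOG).items():
        for feature, advice in hits:
            print(f"{port}: {feature} -> {advice}")
```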
Key Concepts to Remember
- BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
- Ports configured with PortFast are intended for end devices and should not receive BPDUs; receiving a BPDU indicates a potential switch connection, triggering BPDU Guard to err-disable the port.
- When BPDU Guard places a port into err-disabled state, the port stops forwarding traffic until manually or automatically re-enabled, preventing possible Layer 2 loops.
- BPDU Guard helps maintain network stability by preventing unintended switches from connecting to edge ports, which could cause STP topology changes or loops.
- DHCP snooping protects against rogue DHCP servers but does not interact with BPDU Guard or cause BPDU-related err-disabled states.
- Port security controls MAC address access on a port and can err-disable a port for security violations, but it does not trigger BPDU Guard events.
- Trunk native VLAN mismatches cause VLAN tagging issues but do not cause BPDU Guard to err-disable a port, since BPDUs are unrelated to native VLAN mismatches.
- Understanding the difference between BPDU Guard and other security features like DHCP snooping and port security is critical for troubleshooting err-disabled ports in Cisco networks.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
FAQ
Questions learners often ask
What does this 200-301 question test?
BPDU Guard is a Cisco feature that disables a port immediately when it receives a Bridge Protocol Data Unit (BPDU) on a PortFast-enabled access port to protect the Spanning Tree Protocol (STP) topology.
What is the correct answer to this question?
The correct answer is: The port received a BPDU and BPDU Guard shut it down. — BPDU Guard is commonly enabled on PortFast access ports to protect the topology. If the port receives a BPDU, the switch assumes another switch may have been connected and places the port into err-disabled state. That is exactly the protective behavior you want at the edge.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.