CCNA STP Questions

75 of 104 questions · Page 1/2 · STP topic · Answers revealed

1
Multi-Select · medium

Which three statements about the Spanning Tree Protocol (STP) are true? (Choose three.)

Select 3 answers
A.STP uses Bridge Protocol Data Units (BPDUs) to exchange topology information.
B.STP elects a root bridge based on the lowest bridge ID.
C.STP places redundant ports in blocking state to prevent loops.
D.STP always uses the highest port cost to select the root port.
E.STP converges instantly after a topology change.
F.STP is used to increase the number of broadcast domains.

Why this answer

All three statements are correct because STP relies on Bridge Protocol Data Units (BPDUs) to share topology information between switches, elects a root bridge by comparing bridge IDs (a combination of priority and MAC address, with the lowest value winning), and prevents loops by placing redundant ports into a blocking state (discarding state in Rapid PVST+). These are fundamental behaviors of the 802.1D Spanning Tree Protocol.

Exam trap

Cisco often tests the fact that STP does not use timers to elect the root bridge (it uses bridge ID comparison) and that blocking state is the mechanism for loop prevention, not disabling the port entirely or relying on TCN BPDUs alone.

2
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a switch access port, and then recover after a BPDU Guard error-disable event.

Why this order

The correct order starts with global and interface configuration mode, then enabling PortFast, followed by BPDU Guard. After an error-disable event due to BPDU Guard, the proper manual recovery is to first issue the 'shutdown' command on the interface, then issue the 'no shutdown' command; simply using 'no shutdown' alone will not clear the errdisable state.

Exam trap

Remember that PortFast must be configured before BPDU Guard on an interface. Also, after an error-disable event due to BPDU Guard, the default recovery is manual: you must issue both 'shutdown' and then 'no shutdown' on the interface, not just 'no shutdown'. Do not confuse global default commands with recovery steps.

3
MCQ · medium

Which spanning-tree port state listens for BPDUs and participates in STP, but does not learn MAC addresses yet?

A.Blocking
B.Listening
C.Learning
D.Forwarding
Answer: B

Correct. Listening occurs before learning and forwarding.

Why this answer

In the classic 802.1D sequence, the listening state processes BPDUs and prepares for forwarding decisions, but it does not populate the MAC address table yet.

Exam trap

Be careful not to confuse the listening state with learning, as both involve BPDU processing but differ in MAC address table updates.

Why the other options are wrong

A

In the blocking state, the port does not participate in STP actively; it only receives BPDUs but does not send them or transition toward forwarding. The question specifies a state that listens for BPDUs and participates in STP, which is the listening state, not blocking.

C

The learning state populates the MAC address table by learning source MAC addresses from incoming frames, which directly contradicts the question's requirement that the state does not learn MAC addresses. Learning occurs after listening and before forwarding.

D

The forwarding state both learns MAC addresses and forwards traffic, which violates the condition that the state does not learn MAC addresses. Forwarding is the final state where the port is fully operational.

4
MCQ · hard

A network administrator notices that a switchport in access mode with PortFast enabled has transitioned to an err-disabled state. What is the most likely cause?

A.BPDU Guard disabled the PortFast-enabled access port after it received a BPDU.
B.Port security shut down the port because the VLAN was wrong.
C.DHCP snooping disabled the interface because a host requested an address.
D.EtherChannel suspended the interface because the bundle was incomplete.
Answer: A

This is correct because the event message explicitly identifies a BPDU Guard violation.

Why this answer

The strongest reason is a BPDU Guard violation on a PortFast-enabled access port. In practical terms, the port was expected to face an end host, not a switching device that emits BPDUs. When BPDUs appeared, the switch treated that as a topology-policy violation and error-disabled the interface to protect the network.

This is one of the most classic access-layer protection patterns on the CCNA exam.

Exam trap

Be careful not to confuse BPDU Guard with other port security features or network issues like duplex mismatches.

Why the other options are wrong

B

Port security restricts access based on MAC addresses, not VLANs, and the event message explicitly mentions BPDU Guard, not port security. The exhibit shows a spanning-tree BPDU Guard error, not a port security violation.

C

DHCP snooping does not cause err-disabled state due to BPDU reception; it filters DHCP messages and can disable ports for DHCP attacks, but the exhibit clearly shows a spanning-tree BPDU Guard event.

D

EtherChannel suspension occurs due to configuration mismatches or link failures, not BPDU reception. The exhibit's syslog message explicitly identifies BPDU Guard, not EtherChannel issues.

5
MCQ · hard

A switch port connected to an edge host immediately transitions to forwarding and then later goes err-disabled after a BPDU is received. Which feature combination most likely produced this behavior?

A.PortFast with BPDU Guard
B.NetFlow with SNMP traps
C.OSPF passive-interface with EUI-64
D.WPA3 with CAPWAP
Answer: A

This is correct because PortFast speeds forwarding and BPDU Guard disables the edge port if a BPDU appears.

Why this answer

The most likely combination is PortFast with BPDU Guard. In practical terms, PortFast explains why the port moved quickly into forwarding when the host connected. BPDU Guard explains why the same port later shut down after seeing a BPDU that should not normally appear on an edge port.

This is a very common enterprise edge-port design pattern and a classic exam scenario.

Exam trap

Beware of confusing BPDU Guard with other protection mechanisms like Root Guard or Loop Guard; each serves a different purpose.

Why the other options are wrong

B

NetFlow is used for traffic monitoring and analysis, while SNMP traps are used for network management notifications. Neither feature affects STP behavior or port state transitions; they do not cause a port to go err-disabled upon receiving a BPDU.

C

OSPF passive-interface prevents OSPF from sending routing updates on an interface but does not affect STP or port security. EUI-64 is used for IPv6 address generation. Neither feature relates to BPDU handling or err-disable behavior.

D

WPA3 is a wireless security protocol, and CAPWAP is a control and provisioning protocol for wireless access points. These are entirely unrelated to wired switch port STP behavior and cannot cause a port to go err-disabled due to BPDU reception.

6
Multi-Select · medium

Which TWO statements correctly describe the behavior of Root Guard, Loop Guard, and BPDU Guard in a Rapid PVST+ environment?

Select 2 answers
A.Root Guard is applied to a port that should never become a root port; if a superior BPDU is received, the port is placed into a root-inconsistent state.
B.Loop Guard is used on root ports to monitor BPDU reception; if BPDUs stop, the port is immediately placed into forwarding mode to maintain connectivity.
C.BPDU Guard is typically configured on access ports and error-disables the port if a BPDU is received, protecting against unauthorized switch connections.
D.Root Guard and BPDU Guard can be enabled simultaneously on the same port to provide both root protection and BPDU filtering.
E.Loop Guard is only effective when configured on ports that are in a blocking state; it prevents them from transitioning to forwarding if BPDUs are not received.
Answers: A, C

Root Guard forces a port to be a designated port. When a superior BPDU is received, the port enters a root-inconsistent (blocked) state to prevent it from becoming a root port.

Why this answer

Option A is correct because Root Guard, applied to a port that should never become a root port, places that port into a root-inconsistent state upon receiving a superior BPDU, blocking traffic to prevent an unauthorized root bridge. Option C is correct because BPDU Guard is typically configured on access ports and error-disables the port if any BPDU is received, protecting against rogue switch connections. Option B is incorrect: when BPDUs stop on a port with Loop Guard, the port is placed into a loop-inconsistent state (blocked), not immediately forwarded, to prevent loops.

Option D is incorrect because Root Guard and BPDU Guard are mutually exclusive and cannot be enabled simultaneously on the same port due to conflicting protective behaviors. Option E is incorrect because Loop Guard is effective on any port that is expected to receive BPDUs, including root ports and alternate/backup ports; it is not limited to ports already in a blocking state, and the statement's use of 'only' makes it false.

Exam trap

Cisco often tests the misconception that Loop Guard immediately forwards traffic when BPDUs stop, but in reality it blocks the port to prevent loops, and that Root Guard and BPDU Guard can coexist on the same port, which they cannot due to conflicting behaviors.

Why the other options are wrong

B

Loop Guard is applied to non-designated ports (alternate or backup ports), not root ports. When BPDUs stop arriving, the port is placed into a loop-inconsistent state (blocked) to prevent loops, not into forwarding mode.

D

Root Guard and BPDU Guard have conflicting behaviors: Root Guard allows BPDU processing to detect superior BPDUs, while BPDU Guard disables the port upon receiving any BPDU. They cannot be enabled simultaneously on the same port because their actions are mutually exclusive.

E

Loop Guard is effective on ports that are in a blocking state (alternate or backup ports), but it does not prevent them from transitioning to forwarding; instead, if BPDUs stop, the port remains in a loop-inconsistent state (blocked) to prevent loops. The statement incorrectly implies that Loop Guard prevents transition, but it actually causes the port to stay blocked.

7
Multi-Select · medium

Which TWO of the following statements about Spanning Tree Protocol (STP) and Rapid PVST+ are true?

Select 2 answers
A.The root bridge in STP is elected based on the lowest bridge ID.
B.The root bridge in STP is elected based on the highest bridge ID.
C.PortFast automatically enables BPDU Guard on an interface.
D.BPDU Guard places a PortFast-enabled port into an error-disabled state if a BPDU is received.
E.Rapid PVST+ uses a different root bridge election process than traditional STP.
Answers: A, D

The bridge ID consists of priority and MAC address; the switch with the lowest bridge ID becomes the root bridge.

Why this answer

Option A is correct because the root bridge in STP is elected based on the numerically smallest bridge ID (priority + MAC address). Option D is correct because BPDU Guard, when enabled on a PortFast-enabled port, immediately error-disables the port if a BPDU is received, protecting against accidental loops. Option B is incorrect because the root bridge is chosen by the lowest bridge ID, not the highest.

Option C is incorrect because PortFast and BPDU Guard are independent features; PortFast does not automatically enable BPDU Guard. Option E is incorrect because both traditional STP (802.1D) and Rapid PVST+ (RSTP-based) use the same root bridge election process—lowest bridge ID.

Exam trap

Cisco often tests the misconception that PortFast and BPDU Guard are automatically linked, when in fact they are separate features that must be configured independently, and the trap is that candidates assume enabling PortFast also enables BPDU Guard.

Why the other options are wrong

B

The root bridge is elected based on the lowest bridge ID, not the highest.

C

PortFast does not automatically enable BPDU Guard; they must be configured separately.

E

Rapid PVST+ uses the same root bridge election process (lowest bridge ID) as traditional STP.

8
MCQ · hard

A switch port configured with PortFast and BPDU Guard receives a BPDU and transitions to an error-disabled state. Which statement best explains why this is considered useful protection?

A.It prevents a port expected to be an edge port from accidentally becoming part of the switching topology and causing loops.
B.It increases the port's bandwidth by combining multiple links.
C.It automatically enables VLAN trunking on the port.
D.It forces the port to use Rapid Spanning Tree Protocol for faster convergence.
Answer: A

This matches the purpose of PortFast combined with BPDU Guard: to protect the network when an edge port unexpectedly receives BPDUs, indicating a potential loop condition.

Why this answer

PortFast is used on edge ports to bypass STP listening/learning, but if a BPDU is received, the assumption that the port is an edge port is violated. BPDU Guard then error-disables the port to prevent potential loops or topology disruptions. This protects the network when an edge port unexpectedly connects to another switch, which could cause a bridging loop.

The other options describe unrelated features or incorrect mechanisms.

Exam trap

Remember that BPDU Guard disables the port, not just logs or adjusts its role. It's a protective measure, not a monitoring tool.

Why the other options are wrong

B

Increasing port bandwidth by combining links is done via EtherChannel, not related to BPDU Guard or loop prevention.

C

VLAN trunking is automatically negotiated via DTP or manually configured, not triggered by BPDU Guard or PortFast.

D

Forcing Rapid Spanning Tree Protocol is not a function of PortFast or BPDU Guard; they are separate STP optimizations.

9
MCQ · hard

After configuring a trunk port to allow VLAN 40, a technician finds that VLAN 40 is not listed among the VLANs in spanning tree forwarding state in the show interfaces trunk output. What is the most likely cause?

A.The trunk port is using ISL encapsulation, which does not support VLAN 40.
B.The technician omitted the 'add' keyword when adding VLAN 40 to the allowed list, so the trunk no longer permits VLAN 40.
C.VLAN 40 has not been created in the VLAN database on the switch.
D.VTP pruning is enabled, and VLAN 40 is not needed by any downstream neighbor, so it is pruned from this trunk.
Answer: C

A VLAN must be defined in the local VLAN database for the switch to build a spanning-tree instance and forward frames for that VLAN. If it is permitted on the trunk but does not exist, the switch marks it as pruned and it will not appear in the 'VLANs in spanning tree forwarding state' list. This is the exact symptom presented.

Why this answer

Even if a VLAN is included in the trunk's allowed list, the switch cannot forward frames for that VLAN unless it exists in the local VLAN database. A non-existent VLAN is placed in a pruned state and will not appear as forwarding in show interfaces trunk. The allowed-list command worked, but the missing VLAN definition prevents the VLAN from being active on the trunk.

Exam trap

Option B: the classic mistake of omitting the 'add' keyword when modifying the allowed list is tempting because it is a very common trunk configuration error. However, that error would result in the VLAN not even appearing in the allowed list column, not simply missing from the forwarding state. The question states the VLAN was added to the allowed list, so the missing VLAN database entry is the correct culprit.

Why the other options are wrong

A

Candidates might associate VLAN support with trunk encapsulation types, but ISL fully supports VLAN 40. This is a distractor.

B

This is a common operational mistake, but the resulting output would show VLAN 40 missing from the 'Vlans allowed' column, not from the forwarding list.

D

Candidates might confuse local pruning (due to non-existent VLAN) with VTP pruning. VTP pruning would also require a multi-switch VTP domain and is less likely in a standalone troubleshooting scenario.

10
PBQ · hard

You are connected to R1, a multilayer switch running Rapid PVST+. The current root bridge for VLAN 10 has priority 24586 and for VLAN 20 has priority 24676. Configure R1 so that it becomes the root bridge for VLAN 10 and VLAN 20. Then enable PortFast and BPDU Guard on interface FastEthernet0/1, which connects to an access switch. Finally, diagnose why interface FastEthernet0/2 has entered an err-disabled state and recover it.

Network Topology
[Diagram: R1, Access Switch, Another Switch; interfaces Fa0/1 and Fa0/2]

Hints

  • Set root priority to a value lower than 24586 for VLAN 10 and 24676 for VLAN 20.
  • PortFast and BPDU Guard must be configured under the interface.
  • An interface in err-disabled state due to BPDU Guard requires a manual shutdown/no shutdown to recover.
A.Configure spanning-tree vlan 10,20 priority 4096; on Fa0/1: spanning-tree portfast and spanning-tree bpduguard enable; on Fa0/2: shutdown then no shutdown.
B.Configure spanning-tree vlan 10,20 root primary; on Fa0/1: spanning-tree portfast; on Fa0/2: no shutdown.
C.Configure spanning-tree vlan 10,20 priority 8192; on Fa0/1: spanning-tree portfast; on Fa0/2: no shutdown.
D.Configure spanning-tree vlan 10,20 priority 4096; on Fa0/1: spanning-tree portfast and spanning-tree bpduguard enable; on Fa0/2: shutdown.
Answer: A
Solution
! R1
configure terminal
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface FastEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable
interface FastEthernet0/2
shutdown
no shutdown
end

Why this answer

To become the root bridge, R1’s priority must be lower than the current root’s priority. Setting the priority to 4096 (or any value lower than 24586/24676) accomplishes this. Option A correctly uses `spanning-tree vlan 10,20 priority 4096` (though the actual command per VLAN is `spanning-tree vlan 10 priority 4096` and `spanning-tree vlan 20 priority 4096`).

It also enables PortFast and BPDU Guard on Fa0/1 so that the edge port is err-disabled if it receives a BPDU, and recovers the err-disabled Fa0/2 by cycling `shutdown` then `no shutdown`. Options B and C fail because they do not enable BPDU Guard, leaving the interface vulnerable. Option D fails because it only shuts down Fa0/2 without the `no shutdown` command, so the interface remains administratively down.

Exam trap

Candidates often mistakenly believe that the priority must be set to the absolute lowest (e.g., 0) or that `root primary` always works, but the real requirement is simply a priority lower than the current root. Also, they may forget that an err-disabled interface requires both `shutdown` and `no shutdown` to recover.

Why the other options are wrong

B

The 'root primary' command would set the priority to 24576, which is lower than the current root priority for both VLAN 10 (24586) and VLAN 20 (24676), so R1 would become root for both VLANs. The correct answer uses 4096, which is even lower, and 'root primary' might not guarantee becoming root if another switch has a lower priority.

The option fails because BPDU Guard is missing, and recovery requires shutdown first.

C

BPDU Guard is not configured on Fa0/1, leaving the port vulnerable to BPDU attacks. Also, the err-disabled recovery requires a shutdown command before no shutdown.

D

Simply shutting down the interface does not recover it from err-disable; you must also re-enable it with 'no shutdown'.

11
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure RSTP and enable PortFast with BPDU Guard on a switch port, then verify the state transitions.

Why this order

Correct order: First configure RSTP globally because interface commands like PortFast and BPDU Guard depend on the spanning-tree mode being set. Next enable PortFast on the interface to immediately transition to forwarding. Then enable BPDU Guard as a protective feature for PortFast ports.

Finally verify state transitions. Other orders are incorrect: enabling PortFast or BPDU Guard before setting RSTP mode may cause the commands to be rejected or not take effect; enabling BPDU Guard before PortFast is not typical because BPDU Guard is designed to protect PortFast ports.

Exam trap

The exam trap is that candidates often confuse the order of configuration steps. They may enable PortFast or BPDU Guard before setting the global spanning-tree mode, or they may enable BPDU Guard before PortFast. Remember that global configurations come first, then interface-specific features, and BPDU Guard is typically enabled after PortFast.

12
PBQ · hard

You are connected to SW1 via the console. The network uses Rapid-PVST+ and you need to ensure that SW1 becomes the root bridge for VLAN 10 and VLAN 20. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/1, which connects to a workstation. After configuration, the workstation is moved and the port goes err-disabled. Diagnose the cause and recover the port without reloading the switch.

Network Topology
[Diagram: SW1, workstation, other switch; interfaces Gi0/1 and Gi0/2]

Hints

  • Use 'spanning-tree vlan <vlan> priority <value>' to set root bridge priority (lower values are preferred).
  • A port in err-disabled due to BPDU Guard must be manually recovered with 'shutdown' and 'no shutdown' after removing the BPDU source.
  • Check which VLANs the switch is currently root for using 'show spanning-tree'.
A.Configure spanning-tree vlan 10 priority 4096 and spanning-tree vlan 20 priority 4096. Then on interface GigabitEthernet0/1, configure spanning-tree portfast and spanning-tree bpduguard enable. After removing the BPDU source, use 'shutdown' and 'no shutdown' to recover the port.
B.Configure spanning-tree vlan 10,20 root primary and spanning-tree portfast on Gi0/1; then use 'errdisable recovery cause bpduguard' to automatically recover the port.
C.Configure spanning-tree vlan 10,20 priority 0 and spanning-tree bpduguard enable on Gi0/1; then use 'no spanning-tree bpduguard' to recover the port.
D.Configure spanning-tree vlan 10,20 priority 4096 and spanning-tree portfast on Gi0/1; then use 'clear spanning-tree detected-protocols' to recover the port.
Answer: A
Solution
! SW1
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface GigabitEthernet0/1
shutdown
no shutdown

Why this answer

SW1 is currently the root for VLAN 10 but not for VLAN 20. To become root for both VLANs, set the spanning-tree priority to a lower value (e.g., 4096) for each VLAN. The port Gi0/1 went err-disabled because it received a BPDU, which is unexpected on a PortFast edge port with BPDU Guard enabled.

To recover, first identify and remove the BPDU source (likely another switch connected to that port), then use 'shutdown' followed by 'no shutdown' on the interface to bring it back up.

Exam trap

Do not confuse 'root primary' with a guaranteed root election; always check for lower priorities. Also, remember that err-disabled ports require manual intervention (shutdown/no shutdown) unless you configure errdisable recovery. BPDU Guard err-disables the port; simply disabling BPDU Guard does not recover it.

Why the other options are wrong

B

The 'root primary' command does not guarantee root status if another switch has a priority lower than 24576. The question expects manual recovery, not automatic.

C

Priority 0 is not incorrect but is not the standard recommendation. The recovery method is wrong: disabling BPDU Guard does not clear the err-disabled state.

D

The command 'clear spanning-tree detected-protocols' does not clear the err-disabled state; it only resets the port's protocol state.

13
Drag & Drop · medium

Which of the following sequences correctly configures and verifies PortFast and BPDU Guard on a Cisco IOS-XE switch interface, and then recovers after a BPDU guard violation?

Why this order

First enter global config, then the specific interface, enable PortFast, then BPDU Guard; verification confirms settings; recovery after error-disable requires administrative shutdown and no shutdown.

Exam trap

The exam trap is that candidates may confuse the order of PortFast and BPDU Guard, or think that recovery requires a switch reload or a special clear command. Remember: PortFast first, then BPDU Guard; recovery is always 'shutdown/no shutdown' on the interface.

14
PBQ · hard

You are connected to R1, a multilayer switch acting as the root bridge for VLAN 10. The network has experienced a loop, and interface GigabitEthernet0/1 on R1 is currently in err-disabled state due to a BPDU guard violation. Configure the switch to recover automatically from err-disable state after 300 seconds, then verify that the interface comes back up.

Hints

  • The errdisable recovery command is in global configuration mode.
  • Use the 'show errdisable recovery' command to check the current causes and timers.
  • The interface will not recover immediately; you can use 'clear errdisable interface Gi0/1' to test manually.
A.Configure 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300' globally, then verify with 'show interfaces status'.
B.Configure 'spanning-tree portfast bpduguard default' and 'errdisable recovery interval 300' globally, then verify with 'show spanning-tree'.
C.Configure 'errdisable recovery cause all' and 'errdisable recovery interval 300' globally, then verify with 'show errdisable recovery'.
D.Configure 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300' on interface GigabitEthernet0/1, then verify with 'show interfaces GigabitEthernet0/1'.
Answer: A
Solution
! R1
errdisable recovery cause bpduguard
errdisable recovery interval 300

Why this answer

The interface Gi0/1 is in err-disabled state because BPDU Guard detected an unexpected BPDU on a PortFast-enabled access port. To recover automatically, configure errdisable recovery cause bpduguard and set the recovery interval to 300 seconds with errdisable recovery interval 300. After applying these commands, the interface will automatically come out of err-disable state after 300 seconds.

The blocking port on Gi0/2 is expected because R1 is the root bridge and Gi0/2 is an alternate port providing redundancy; no action is needed for that blocking state.

Exam trap

The trap is that candidates may confuse enabling BPDU guard with configuring recovery, or they may think recovery commands are applied per-interface. Remember that errdisable recovery is a global setting, and you must specify the exact cause unless you want to recover from all causes.

Why the other options are wrong

B

The specific factual error: 'spanning-tree portfast bpduguard default' enables BPDU guard, not recovery. Recovery requires 'errdisable recovery cause bpduguard'.

C

The specific factual error: Using 'cause all' is not the best practice; the question implies a specific cause. Also, the verification command is correct but the configuration is not precise.

D

The specific factual error: errdisable recovery is a global configuration command, not interface-specific.

15
Multi-Select · medium

Which TWO statements correctly describe the behavior of PortFast and BPDU Guard on a Cisco switch?

Select 2 answers
A.PortFast immediately transitions a port from blocking to forwarding state, bypassing listening and learning.
B.BPDU Guard disables a PortFast-enabled port if it receives any BPDU.
C.PortFast allows BPDUs to pass through the port normally, but the port remains in forwarding state.
D.BPDU Guard prevents the port from becoming a root port or designated port by ignoring superior BPDUs.
E.BPDU Guard is typically configured on trunk ports to prevent loops between switches.
Answers: A, B

This is correct. PortFast allows a port to go directly to forwarding, reducing the time a host takes to start sending traffic.

Why this answer

PortFast immediately transitions an access port from blocking to forwarding, bypassing listening and learning (Option A). BPDU Guard errdisables a PortFast-enabled port if any BPDU is received, protecting against accidental loops (Option B). Option C is incorrect because PortFast does not alter BPDU handling; the port still processes BPDUs and reverts to normal STP if one is received.

Option D is false because BPDU Guard disables the port entirely rather than ignoring BPDUs. Option E is incorrect because BPDU Guard is typically configured on access ports connected to end devices, not on trunk ports.

Exam trap

Cisco often tests the misconception that PortFast itself blocks or filters BPDUs, when in fact it only accelerates the transition to forwarding; BPDU Guard is a separate feature that must be explicitly enabled to disable the port upon BPDU reception.

Why the other options are wrong

C

PortFast does not filter BPDUs; it still processes them normally. If a BPDU is received on a PortFast port, the port will still participate in STP and may transition to a blocking state, defeating the purpose of PortFast. The statement incorrectly claims BPDUs pass through while the port remains forwarding, which is not true.

D

BPDU Guard does not affect STP election processes; it simply err-disables the port upon receiving any BPDU. It does not ignore superior BPDUs or prevent the port from becoming a root or designated port. That behavior is associated with Root Guard, not BPDU Guard.

E

BPDU Guard is intended for access ports with PortFast, not for trunk ports. Trunk ports between switches are expected to exchange BPDUs for normal STP operation; applying BPDU Guard on a trunk would cause the port to err-disable upon receiving legitimate BPDUs, disrupting the network.

16
MCQ · hard

A network engineer notices that a root port on a switch has transitioned to a loop-inconsistent state. The port was previously receiving BPDUs normally, but after a suspected unidirectional fiber cut, it no longer receives BPDUs. What is the most likely cause?

A.BPDU Guard is enabled on the port, causing it to be placed in error-disabled state.
B.Loop Guard is active on the root port and transitioned it to loop-inconsistent state upon BPDU loss.
C.UDLD has detected a unidirectional link and has shut down the port.
D.Root Guard is preventing the port from transitioning to designated forwarding after losing BPDUs.
Answer: B

Loop Guard is precisely designed to monitor BPDU reception on blocked or alternate ports. When a unidirectional link failure occurs and BPDUs are no longer received, Loop Guard places the port into the loop-inconsistent state, blocking all traffic to prevent a potential loop. The 'loop-inconsistent' state is a clear indicator of this feature.

Why this answer

Loop Guard is an STP enhancement that monitors the reception of BPDUs on a blocked port. When BPDUs stop arriving (due to a unidirectional link failure), Loop Guard moves the port to loop-inconsistent state, preventing it from transitioning to the forwarding state and thus avoiding a switching loop.

Exam trap

UDLD is tempting because it also detects unidirectional links, but UDLD would place the port in err-disable or shut down state, not the STP loop-inconsistent state. The appearance of 'loop-inconsistent' specifically indicates Loop Guard is active.

Why the other options are wrong

A

BPDU Guard is a protective feature that disables a port upon receiving a BPDU, not upon losing BPDUs. The symptom here is a loss of BPDUs, not a reception of unexpected BPDUs.

C

UDLD acts by shutting down the port or putting it in errdisable state, while the scenario explicitly shows the port in a loop-inconsistent state, indicating an STP-based protection mechanism.

D

Root Guard would block a port if it received a BPDU with better root information, not when BPDUs stop arriving. It also does not produce a loop-inconsistent state.

17
PBQ · hard

You are connected to R1, a multilayer switch acting as the STP root bridge. Configure Root Guard on the designated port toward R2 (G0/1), Loop Guard on the uplink port G0/2, and BPDU Guard on PortFast-enabled access port G0/3. After configuration, a superior BPDU is received on G0/1, causing it to be blocked by Root Guard; later, an unauthorized BPDU on G0/3 triggers err-disable. Troubleshoot and verify the expected port states.

Hints

  • Root Guard only blocks a port when it receives a superior BPDU; it does not affect normal operation.
  • Loop Guard prevents alternate or root ports from becoming designated in case of BPDU loss.
  • BPDU Guard err-disables a PortFast port immediately upon BPDU reception.
A. G0/1 is in blocking state (Root Guard), G0/2 is in forwarding state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).
B. G0/1 is in forwarding state (Root Guard), G0/2 is in blocking state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).
C. G0/1 is in err-disable state (Root Guard), G0/2 is in forwarding state (Loop Guard), G0/3 is in blocking state (BPDU Guard).
D. G0/1 is in blocking state (Root Guard), G0/2 is in loop-inconsistent state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).
Answer: A
solution
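! R1
configure terminal
! Re-apply Root Guard on the designated port toward R2
interface GigabitEthernet0/1
 no spanning-tree guard root
 spanning-tree guard root
 exit
! Bounce the access port to clear the BPDU Guard err-disable state
interface GigabitEthernet0/3
 shutdown
 no shutdown
 end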

Why this answer

Root Guard on G0/1 correctly blocked the port when a superior BPDU was received, preventing an unauthorized root bridge. Loop Guard was applied specifically to the uplink port G0/2 to prevent forwarding loops in case of a unidirectional link failure. BPDU Guard on G0/3 placed the port into err-disable state upon receiving an unexpected BPDU, which protects the PortFast edge port.

To restore G0/3, you must manually shut/no shut the interface after removing the offending device.

Exam trap

Do not confuse the actions of Root Guard (blocking) with BPDU Guard (err-disable). Root Guard blocks the port temporarily; BPDU Guard err-disables the port until manual intervention. Also, Loop Guard does not block immediately; it only reacts when BPDUs stop.

Why the other options are wrong

B

Root Guard blocks the port upon receiving a superior BPDU; it does not leave it forwarding. Loop Guard transitions to blocking only after BPDU loss, not while BPDUs are still received.

C

Root Guard results in a blocking state, not err-disable. BPDU Guard results in err-disable, not blocking.

D

Loop Guard does not immediately place the port in loop-inconsistent state; it only does so after BPDU loss. Here, BPDUs are still being received.

18
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and then recover a port that enters err-disabled due to BPDU Guard.

Why this order

The correct order begins with Root Guard on designated ports to prevent them from becoming root ports upon receiving superior BPDUs. Next, Loop Guard is applied to non-designated ports (alternate/backup) to protect against unidirectional link failures. Then, BPDU Guard is placed on PortFast-enabled ports to shut them down if a BPDU is received, preventing rogue switch connections.

Finally, recovery from BPDU Guard err-disable requires a manual interface reset (shutdown/no shutdown) because the errdisable cause 'bpduguard' has no automatic timeout.

Exam trap

Cisco exams often test the specific port roles for each STP protection feature. Remember: Root Guard is for designated ports, Loop Guard is for non-designated ports (alternate/backup), and BPDU Guard is for PortFast ports. Also, recovery from err-disabled due to BPDU Guard requires manual interface reset, not just waiting or removing the configuration.

19
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Rapid PVST+ on SW1, make it the root bridge, and enable PortFast with BPDU Guard on all access ports.

Why this order

The correct order begins by entering global configuration mode, then enabling Rapid PVST+ so that subsequent spanning-tree commands operate under that mode. Next, the switch is designated as the root bridge for VLAN 1 using 'spanning-tree vlan 1 root primary', which sets a superior bridge priority. After the root election is influenced, PortFast is applied to all access interfaces to transition them directly into forwarding state.

Finally, BPDU Guard is enabled globally to protect all PortFast-enabled ports; if a BPDU is received on such a port, it is immediately put into err-disabled state, preventing potential loops. Each step builds on the previous one: enabling Rapid PVST+ must precede root setup, root selection should be completed before any access-port optimization, and BPDU Guard is applied last to secure the already-accelerated ports.

20
MCQ · hard

A technician is troubleshooting a network-wide broadcast storm that has caused severe performance issues. The technician notices that BPDU guard is globally enabled on the access layer switch, but no ports are in an err-disabled state. All access ports have PortFast enabled. What is the most likely cause?

A. Spanning tree is disabled globally, allowing the rogue switch to create a loop.
B. BPDU guard is misconfigured on the wrong ports, so it failed to block the rogue switch.
C. Root guard is incorrectly enabled on the access ports, causing the rogue switch to become the root bridge.
D. BPDU filter is globally enabled, causing the switch to suppress BPDUs on PortFast ports and preventing BPDU guard from triggering.
Answer: D

Global BPDU filter on a switch sets PortFast on all access ports and disables BPDU transmission and reception on those ports. The rogue switch’s BPDUs are never processed, so BPDU guard—which depends on receiving a BPDU—never err-disables the port, allowing a loop and broadcast storm.

Why this answer

When BPDU filter is enabled globally on a switch, it enables PortFast on all access ports and also prevents those ports from sending or receiving BPDUs. If a rogue switch is then connected to such a port, the switch does not detect any BPDU from it, so BPDU guard never triggers despite being enabled globally. This allows the rogue switch to create a bridging loop without STP intervention, leading to a broadcast storm.

Exam trap

Many candidates see that BPDU guard is globally enabled but no ports are err-disabled, and conclude that BPDU guard is misconfigured or not applied correctly. However, the true reason is that BPDU filter suppresses BPDUs on PortFast ports, rendering BPDU guard ineffective because no BPDU is ever received to trigger it.

Why the other options are wrong

A

This answer assumes STP is off entirely, but the presence of BPDU guard configuration indicates spanning tree is operational.

B

Candidates often assume that BPDU guard simply failed, overlooking the interaction with BPDU filter, which can neutralize guard by suppressing BPDUs.

C

Root guard is a different feature and not related to the suppression of BPDUs that would allow a loop to form undetected.
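The interaction in question 20 can be checked from a saved configuration before it causes an outage. The following is an added example, not part of the original question bank: a small auditor that flags BPDU Filter configured alongside BPDU Guard, BPDU Guard set on a trunk, and PortFast ports with no BPDU Guard. The sample configuration is constructed, the finding codes are hypothetical names, and the classic IOS command spellings used on this page are assumed.

```python
import re

# Constructed sample config (not from the page), classic IOS syntax assumed.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

PORTFAST_CMDS = {"spanning-tree portfast", "spanning-tree portfast edge"}

# Hypothetical finding codes used by this example only.
DESCRIPTIONS = {
    "FILTER_WITH_GUARD": "BPDU Filter suppresses the BPDUs that BPDU Guard needs to see",
    "FILTER_DEFAULT": "global BPDU Filter suppresses BPDUs on PortFast ports",
    "GUARD_ON_TRUNK": "BPDU Guard on a trunk err-disables on legitimate BPDUs",
    "PORTFAST_NO_GUARD": "PortFast port has no BPDU Guard protection",
}


def parse_config(text):
    """Return (global command list, {interface name: [sub-commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            current = None  # "!" closes the current interface block
            continue
        match = re.match(r"interface\s+(\S+)$", line)
        if match and not raw.startswith(" "):
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return a list of (scope, finding_code) tuples in config order."""
    global_cmds, interfaces = parse_config(text)
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    filter_default = "spanning-tree portfast bpdufilter default" in global_cmds
    portfast_default = "spanning-tree portfast default" in global_cmds
    findings = []
    if filter_default:
        code = "FILTER_WITH_GUARD" if guard_default else "FILTER_DEFAULT"
        findings.append(("global", code))
    for name, cmds in interfaces.items():
        trunk = "switchport mode trunk" in cmds
        portfast = bool(PORTFAST_CMDS & set(cmds)) or (portfast_default and not trunk)
        if "spanning-tree portfast disable" in cmds:
            portfast = False
        guard_if = "spanning-tree bpduguard enable" in cmds
        # The global default only protects ports that are operating as PortFast.
        guard = guard_if or (
            guard_default and portfast
            and "spanning-tree bpduguard disable" not in cmds
        )
        if "spanning-tree bpdufilter enable" in cmds and guard:
            findings.append((name, "FILTER_WITH_GUARD"))
        if trunk and guard_if:
            findings.append((name, "GUARD_ON_TRUNK"))
        if portfast and not guard:
            findings.append((name, "PORTFAST_NO_GUARD"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(SAMPLE_CONFIG):
        print(f"{scope}: {code} - {DESCRIPTIONS[code]}")
```
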

21
PBQ · hard

You are securing the spanning-tree topology on R1, the root bridge for VLAN 10. Intended configurations: Root Guard on GigabitEthernet1/0/3, Loop Guard on gigabit interfaces 1/0/1 and 1/0/2, and BPDU Guard on all PortFast-enabled interfaces. After initial configuration, a superior BPDU on G1/0/3 blocks the port (expected), and a host on G1/0/5 triggers BPDU Guard, causing err-disable (expected). However, you realize Loop Guard was not applied to the uplinks. Troubleshoot and apply the missing configuration.

Hints

  • Root Guard on the root bridge may cause blocking if a superior BPDU is received; this is correct behavior unless the port should be a root port.
  • Loop Guard prevents alternate or root ports from becoming designated in case of unidirectional link failure; it is safe on trunk uplinks.
  • BPDU Guard err-disables a PortFast port when a BPDU is received; re-enable with 'no shutdown' after fixing the cause.
A. Remove Root Guard from G1/0/3 and configure it with 'spanning-tree guard loop' to prevent the blockage.
B. Re-enable G1/0/5 with 'no shutdown' and apply 'spanning-tree bpduguard enable' on all PortFast-enabled interfaces to prevent future err-disable.
C. Configure Loop Guard on G1/0/1 and G1/0/2 with 'spanning-tree guard loop' and recover G1/0/5 from err-disable by issuing 'shutdown' followed by 'no shutdown'.
D. Remove BPDU Guard from all PortFast interfaces and configure 'spanning-tree portfast bpdufilter default' to prevent err-disable.
Answer: C
solution
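! R1
configure terminal
! Apply the missing Loop Guard to both uplinks
interface GigabitEthernet1/0/1
 spanning-tree guard loop
interface GigabitEthernet1/0/2
 spanning-tree guard loop
! Bounce the access port to clear the BPDU Guard err-disable state
interface GigabitEthernet1/0/5
 shutdown
 no shutdown
 end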

Why this answer

The candidate must first identify that Root Guard is correctly configured on G1/0/3, causing it to block (BKN*ROOT_Guard) upon receiving a superior BPDU, which is correct behavior. However, the task states to protect the root bridge role; since R1 is already root, Root Guard is appropriate. The err-disabled port G1/0/5 indicates BPDU Guard triggered; this is expected because a host connected to a PortFast port sent a BPDU.

To resolve, the candidate should re-enable the port with 'no shutdown' and ensure BPDU Guard is properly applied. Additionally, Loop Guard is missing on uplinks G1/0/1 and G1/0/2; it must be configured with 'spanning-tree guard loop' under each interface. No changes to Root Guard are needed; the blockage is intentional.

Exam trap

Do not assume that a blocked port due to Root Guard is a problem; it is intentional. Also, do not confuse BPDU Guard with BPDU Filter; BPDU Guard err-disables, while BPDU Filter suppresses BPDUs. Remember that err-disabled ports must be manually re-enabled with 'no shutdown'.

Why the other options are wrong

A

Root Guard is designed to block a port that receives superior BPDUs, which is exactly what happened. The configuration is correct and should not be removed.

B

BPDU Guard is correctly configured; the err-disable is expected behavior when a BPDU is received on a PortFast port. The solution is to re-enable the port and ensure the host is not a switch.

D

BPDU Filter is not a substitute for BPDU Guard; it prevents the port from sending or receiving BPDUs, which can cause bridging loops. The correct action is to re-enable the port, not change the protection mechanism.

22
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting a connectivity issue on SW3. A host connected to the same segment as SW3's GigabitEthernet0/0 interface cannot reach any network resources. The engineer issues the show spanning-tree vlan 10 command and receives the output shown. Based on the output, what is the most likely cause?

A. GigabitEthernet0/0 is administratively down, which prevents the host from communicating.
B. The port is in the Blocking state because the switch detected a loop and moved the port to error-disabled state.
C. The port is blocked because SW3 has a lower bridge priority than the root bridge and should be the designated port for that segment.
D. The interface GigabitEthernet0/0 is in the Blocking state because it received a superior BPDU, making it an alternate port to the root bridge.
Answer: D

The output explicitly shows role 'Altn' and state 'BLK' for Gi0/0. An alternate port is blocked because it receives better BPDUs on that interface than it can send, providing an alternate path to the root bridge. This is correct STP behavior, and the blocking state prevents the host from communicating.

Why this answer

The output shows that GigabitEthernet0/0 is in the Blocking state for VLAN 10. In Rapid PVST+ or classic STP, a port enters the Blocking state when it receives a superior BPDU (i.e., a BPDU with a lower bridge ID or lower path cost to the root), causing it to become an alternate (or backup) port rather than a designated or root port. This prevents the host from reaching network resources because the port does not forward traffic.

Exam trap

Cisco often tests the distinction between a port being blocked due to normal STP operation (receiving a superior BPDU) versus being error-disabled or administratively down, leading candidates to incorrectly assume a physical or administrative issue.

Why the other options are wrong

A

Candidates may incorrectly associate the blocked state with an administratively disabled interface.

B

Candidates often confuse error-disabled state (caused by features like BPDU guard) with the standard STP blocking state.

C

Candidates may misunderstand the root election process and assume a lower priority switch always becomes designated for all segments, ignoring the Altn role.

23
PBQ · hard

You are connected to SW1 via the console. SW1 is a Layer 2 switch with three redundant links to SW2: G0/1, G0/2, and G0/3. The network is experiencing loops, and STP is not configured. You need to enable STP and ensure that SW1 becomes the root bridge for VLAN 1. Configure STP on SW1 and set its priority to 4096 for VLAN 1.

Network Topology
SW1 G0/1 --- G0/1 SW2

Hints

  • STP uses bridge priority to determine root bridge; lower priority wins.
  • The default priority is 32768; setting it to 4096 ensures SW1 becomes root.
A. spanning-tree vlan 1 priority 4096
B. spanning-tree vlan 1 root primary
C. spanning-tree vlan 1 priority 32768
D. spanning-tree vlan 1 priority 8192
Answer: A
solution
! SW1
spanning-tree vlan 1 priority 4096

Why this answer

By setting the STP priority to 4096 for VLAN 1, SW1 has a lower priority than the default, making it the root bridge for that VLAN.

Exam trap

The exam may test your ability to recall the exact command syntax for setting STP priority. Remember that 'spanning-tree vlan <vlan> priority <value>' sets the priority directly, while 'root primary' is a macro that sets it to 24576. Always check the exact value required.

Why the other options are wrong

B

The 'root primary' macro sets priority to 24576, not 4096.

C

A priority of 32768 is the default, so it does not guarantee root bridge status.

D

The requirement is to set priority to exactly 4096, not 8192.

24
MCQ · medium

When spanning tree elects a root bridge, which value is considered first?

A. Lowest MAC address only
B. Lowest bridge priority only
C. Lowest bridge ID, which begins with priority
D. Highest interface bandwidth
Answer: C

Correct. STP compares the bridge ID, and priority is the leading field in that comparison.

Why this answer

The root bridge is the switch with the lowest bridge ID. The bridge ID is made up of priority and MAC address, so priority is considered first, then MAC address if priorities tie.

Exam trap

Remember that the bridge priority is evaluated before the MAC address in the root bridge election process.

Why the other options are wrong

A

The MAC address is only used as a tiebreaker when bridge priorities are equal. It is not the first value considered in root bridge election.

B

The bridge priority is only the first part of the bridge ID; the full bridge ID (priority + MAC address) is compared. If priorities are equal, the MAC address is used as a tiebreaker.

D

Interface bandwidth is used to calculate path cost, which influences port roles (root port, designated port) but does not affect root bridge election. Root bridge election is based solely on bridge ID.

25
MCQ · hard

A technician is troubleshooting a network issue where hosts in VLAN 20 on SW1 cannot communicate with hosts in VLAN 20 on SW2. Both switches are connected by an Ethernet trunk link that is up/up and configured as a trunk. The VLAN databases on both switches include VLAN 20, and the spanning tree for VLAN 20 is in a forwarding state on all ports. Hosts within VLAN 20 on each switch can communicate with each other locally. What is the most likely cause?

A. The native VLAN is mismatched on the two ends of the trunk.
B. VLAN 20 has not been created in the VLAN database on SW2.
C. The trunk encapsulation is mismatched between SW1 and SW2.
D. VLAN 20 is not in the switchport trunk allowed VLAN list on the trunk port between SW1 and SW2.
Answer: D

When a trunk port’s allowed VLAN list explicitly excludes a VLAN, the switch drops all frames tagged for that VLAN, even though the VLAN exists locally and the trunk is active. This results in the described symptom of local intra-VLAN communication working but no cross-switch communication for VLAN 20.

Why this answer

The most likely cause is that VLAN 20 is not included in the allowed VLAN list on the trunk port between SW1 and SW2. Even though the trunk is up/up and VLAN 20 exists in the VLAN database, the switchport trunk allowed vlan command restricts which VLANs can traverse the trunk. If VLAN 20 is omitted from this list, frames from VLAN 20 will be dropped at the trunk, preventing inter-switch communication for that VLAN.

Exam trap

Cisco often tests the distinction between VLAN existence in the database and VLAN permission on a trunk; candidates mistakenly think that if a VLAN is created and spanning tree is forwarding, it must work, but the trunk allowed list is an independent filter that can block traffic.

Why the other options are wrong

A

Candidates may think that a native VLAN mismatch breaks all trunk functions.

B

Candidates may assume that a missing VLAN on one switch explains inter-switch failures, ignoring that local communication would also fail.

C

Candidates might overlook that the trunk link is operational, which implies matching encapsulation.

26
MCQ · hard

A network administrator implements a set of spanning-tree enhancements to secure the switching infrastructure. Later, a help desk ticket reports that a user in a remote office cannot connect to any network resources. While investigating, the administrator notices that the switch port connecting the remote office switch to the distribution switch is in a 'root-inconsistent' state and is blocking traffic. Which protection feature, if misapplied, most likely caused this issue?

Answer: B

Root Guard ensures that a port cannot become a root port. When a superior BPDU is received on a Root Guard-enabled port, the port transitions to a root-inconsistent state and blocks traffic, exactly as described in the scenario.

Why this answer

Root Guard is the correct answer because it forces an interface to be a designated port. If a switch receives a superior BPDU (indicating a root bridge with a lower bridge ID) on a Root Guard-enabled port, the port is placed into a 'root-inconsistent' state and blocks traffic to prevent the attached switch from becoming the root bridge. This matches the symptom described: a port in 'root-inconsistent' state blocking traffic after spanning-tree enhancements were applied.

Exam trap

Cisco often tests the distinction between 'root-inconsistent' (Root Guard) and 'loop-inconsistent' (Loop Guard) states, and the trap here is that candidates confuse the two or assume BPDU Guard is responsible for any BPDU-related blocking.

Why the other options are wrong

A

A loop-inconsistent state is different from the root-inconsistent state observed. Loop Guard acts when BPDUs stop arriving, not when they appear with a superior root claim.

C

While BPDU Guard also reacts to incoming BPDUs, it puts the port in err-disabled (shutdown) state, not a blocking state named 'root-inconsistent'. The symptom described is not error-disabled.

D

BPDU Filter would not cause the port to show a root-inconsistent state. The symptom is a protective blocking state, which BPDU Filter does not provide.

27
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and then recover a port that enters err-disabled state.

Why this order

The correct sequence applies STP protections to their proper port roles: Root Guard on designated ports to prevent unexpected superior BPDUs, Loop Guard on non-designated ports to prevent unidirectional link failure from causing loops, and BPDU Guard on PortFast ports to block rogue switches. Distractors B and D are wrong because they mismatch the guard types to port roles (e.g., B puts Loop Guard on designated, Root Guard on non-designated; D does the opposite). Distractor C incorrectly reverses the recovery steps by re-enabling the port before enabling errdisable recovery globally, and it also reorders protection configuration without logical benefit.

Exam trap

The exam trap is confusing which protection goes on which port role. Remember: Root Guard protects designated ports from becoming root; Loop Guard protects non-designated ports from becoming forwarding; BPDU Guard protects PortFast ports. Also, recovery order: global first, then interface re-enable.

28
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure and recover from a BPDU Guard violation on a PortFast-enabled access port using Cisco IOS-XE CLI commands.

Why this order

The correct sequence (A) configures PortFast globally, then enables BPDU Guard per interface, and recovers manually with shutdown/no shutdown. Option B attempts recovery with a non-existent 'clear spanning-tree bpduguard' command. Option C incorrectly uses 'spanning-tree portfast bpduguard default' which is a global command applied in interface mode, causing a syntax error.

Option D uses 'errdisable recovery cause bpduguard' in privileged EXEC mode, but this command is a global configuration command and does not manually recover the port; it enables automatic recovery after a timer.

Exam trap

Be careful not to confuse manual recovery (shutdown/no shutdown) with automatic recovery (errdisable recovery). Also, remember that BPDU Guard is configured per interface with 'spanning-tree bpduguard enable', not globally with 'default' in interface mode.

29
MCQ · hard

A network administrator is troubleshooting connectivity issues in a switched network. Hosts on VLAN 10 connected to SwitchC cannot reach the VLAN 10 gateway, which is connected to SwitchA. The administrator checks the STP status on SwitchC and sees that the port connecting to the root bridge is in a blocking state. The administrator also notices that the VLAN 10 gateway is reachable from SwitchA, but not from SwitchC. What is the most likely cause of this issue?

A. Configure PortFast on interface Gi0/2 to bring it up immediately.
B. Change the STP priority on SwitchC to a lower value (e.g., 24576) to ensure it is not the root bridge.
C. Enable BPDU Guard on interface Gi0/2 to prevent BPDU attacks.
D. Configure the spanning-tree mode to PVST+ instead of Rapid PVST+.
Answer: B

By setting the priority to 24576, SwitchC's bridge ID becomes 24586 (24576+10), which is lower than the current root's 32778, so SwitchC would become the root bridge; with a numerically higher value (like 40960) it would lose the election. The exhibit shows SwitchC's priority is 40960, so lowering it to a value less than the current root's (32768) would make SwitchC root, which might not be the intended design. The typical fix is to set the priority on the desired root switch to a lower value. Given the options, B is correct because it addresses the priority misconfiguration.

Why this answer

The root bridge for VLAN 10 is SwitchA, and SwitchC's port to the root bridge is in a blocking state due to STP. Since the VLAN 10 gateway is reachable from SwitchA but not from SwitchC, the issue is that SwitchC is not the root bridge and its path to the root is blocked, preventing traffic from reaching the gateway. Lowering the STP priority on SwitchC to 24576 would make it the root bridge for VLAN 10, ensuring its port to the gateway is in a forwarding state and restoring connectivity.

Exam trap

Cisco often tests the misconception that a blocked port is always a problem to be fixed with PortFast or BPDU Guard, when the real issue is STP root bridge election and the need to adjust priority to ensure the correct switch becomes root for that VLAN.

Why the other options are wrong

A

PortFast is used to bypass the listening and learning states on access ports, but it does not resolve the root bridge election issue. The port is blocking due to STP topology inconsistency, not because of slow convergence.

C

BPDU Guard is used to protect against unauthorized switches by disabling a port if a BPDU is received, but it does not fix the root bridge election issue. The port is blocking due to STP, not due to BPDU violations.

D

Both PVST+ and Rapid PVST+ use the same bridge ID election process. Changing the mode would not resolve the priority misconfiguration; the root bridge election is based on bridge priority and MAC address, not the STP variant.

30
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a Cisco switch interface, then recover from a BPDU guard violation.

Why this order

The correct configuration sequence applies PortFast and BPDU Guard directly in interface configuration mode with 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After a BPDU guard violation disables the port, manual recovery requires re-enabling the interface with 'shutdown' followed by 'no shutdown' (or configuring errdisable recovery). The other options incorrectly use global defaults, Root Guard, or false automatic recovery intervals.

Exam trap

Do not confuse BPDU Guard with Root Guard. BPDU Guard errdisables the port upon receiving any BPDU; Root Guard only prevents the port from becoming a root port. Also, remember that errdisable recovery is not automatic by default; you must configure it if you want automatic recovery.

31
Matching · medium

Drag and drop the PortFast and BPDU protection commands on the left to the correct descriptions on the right.

Matches

Immediately transitions port to forwarding state

Err-disables port upon receiving a BPDU

Prevents port from becoming root port

Prevents port from becoming designated if BPDUs stop arriving

Drops all BPDUs sent and received on the port

Reverts port to normal STP listening/learning

Why these pairings

These commands are used to configure PortFast and BPDU protection on Cisco switches.

Exam trap

Be careful to distinguish between interface-level and global commands. The 'default' keyword applies globally, not per interface.

32
MCQ · hard

A network administrator recently configured BPDU Guard on all access ports of a switch to protect against rogue switches. After the change, users in VLAN 10 report intermittent connectivity issues and frequent link flaps. The administrator checks the switch and notices that several ports are in an err-disabled state. What is the most likely cause of the problem?

A. Root Guard is preventing the port from becoming a root port.
B. BPDU Guard is enabled on access ports that are receiving BPDUs, causing the ports to go into err-disabled state.
C. Loop Guard has detected a unidirectional link and placed the port into err-disabled state.
D. BPDU Guard is globally enabled but not configured on the interface, so the port is err-disabled due to a BPDU received.
Answer: B

BPDU Guard is designed to work with PortFast; if enabled on non-PortFast ports, any BPDU received will err-disable the port.

Why this answer

BPDU Guard is configured to protect against rogue switches by placing a port into an err-disabled state upon receiving a BPDU. In this scenario, BPDU Guard is enabled on access ports that are receiving BPDUs (possibly from a rogue switch or misconfiguration), causing the ports to err-disable and flap. PortFast is not required for BPDU Guard to function; the issue is that BPDUs are being received on ports that are not expected to receive them.

The intermittent connectivity occurs as ports cycle into err-disabled and are re-enabled.

Exam trap

A common mistake is believing BPDU Guard requires PortFast to function; in reality, BPDU Guard can be enabled per-interface without PortFast and will err-disable the port when a BPDU is received.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port by placing it in a root-inconsistent state, not err-disabled. It does not cause link flaps or err-disable ports.

C

Loop Guard prevents alternate or root ports from becoming designated in the absence of BPDUs, but it does not err-disable ports. It places ports in a loop-inconsistent state, which is not err-disabled.

D

The global 'spanning-tree portfast bpduguard default' command only applies BPDU Guard to PortFast-enabled ports. If a port receives a BPDU and is not PortFast, it will not be err-disabled by this global command. The scenario states BPDU Guard was configured on all access ports, implying interface-level configuration.

33
MCQ · hard

An engineer lowers the spanning-tree path cost on one uplink of a nonroot switch. What is the expected result if all else stays equal?

A. The switch becomes the root bridge immediately.
B. That uplink becomes more likely to be the root port.
C. All designated ports on downstream switches immediately recalculate their port roles.
D. The switch will stop transmitting BPDUs on that port until convergence is complete.
Answer: B

Correct. Lower root-path cost is preferred.

Why this answer

Lowering the path cost on a nonroot switch's uplink makes that link more attractive to the root bridge, increasing its likelihood of being selected as the root port. Option A is wrong because root bridge election depends on bridge priority and MAC address, not local path cost changes. Option C is false because designated ports on downstream switches are determined by their own topology and are unaffected by cost changes on an upstream nonroot switch's uplink.

Option D is incorrect because BPDU transmission is governed by STP timers and port roles, not by adjusting path cost.

Exam trap

Remember, path cost adjustments influence root port selection, not root bridge election or port blocking.

Why the other options are wrong

A

Reducing path cost on a nonroot switch does not affect the root bridge election, which is determined by lowest bridge ID.

C

Changing cost on one uplink of a nonroot switch does not force all designated ports on downstream switches into blocking; only a topology change might trigger recalculations.

D

Path cost adjustment does not stop BPDUs; BPDUs continue to be sent from all ports in the spanning tree.

34
Multi-Select · medium

Which three of the following are true regarding the operation of Rapid Spanning Tree Protocol (RSTP) compared to classic STP (802.1D)? (Choose three.)

Select 3 answers
  • RSTP uses proposal/agreement to achieve faster convergence.
  • RSTP reduces the number of port states from five to three.
  • RSTP introduces the concept of alternate and backup ports.
  • RSTP requires the use of the UplinkFast feature to speed up convergence.
  • RSTP uses timer-based convergence identical to 802.1D.
  • RSTP eliminates the blocking state entirely.

Why this answer

RSTP (802.1w) uses a proposal/agreement handshake process to rapidly transition ports to the forwarding state without relying on timers, achieving convergence in under a second in most switched networks. This is a fundamental improvement over classic STP (802.1D), which depends on slow timer-based convergence. Additionally, RSTP reduces the classic five port states (blocking, listening, learning, forwarding, disabled) to three (discarding, learning, forwarding) and introduces new port roles—alternate and backup—to provide faster failover by maintaining a ready alternative path to the root.

Exam trap

Cisco often tests the misconception that RSTP eliminates the blocking state entirely, when in fact it renames it to discarding and still uses it for alternate and backup ports.

35
MCQ · hard

In a network running STP, SW2 became the root bridge for VLAN 10. Both SW1 and SW2 have the same bridge priority. Why did SW2 become the root?

A. Because SW2 has the lower bridge ID due to the lower MAC address.
B. Because SW2 has the higher VLAN number configured.
C. Because SW2 has more trunk ports than SW1.
D. Because SW2 has the highest bridge priority.
Answer: A

This is correct because the priorities are equal, so the lower MAC address wins the root election.

Why this answer

SW2 became the root bridge because its bridge ID is lower. In practical terms, spanning tree elects the root bridge by comparing bridge IDs, which are based on priority plus MAC address. The device with the lowest bridge ID wins. In the exhibit, both switches use the same priority, so the tie is broken by the lower MAC address.

This is a classic STP interpretation question. Many learners focus only on priority, but if priorities match, the MAC address becomes decisive.

Exam trap

Remember, in STP, lower values are preferred. If priorities match, the MAC address decides the root bridge.

Why the other options are wrong

B

The VLAN number is not a factor in the STP root bridge election. The election is based solely on bridge ID, which consists of bridge priority and MAC address.

C

The number of trunk ports does not affect the root bridge election. STP uses bridge ID (priority and MAC address) to determine the root bridge, not port count or type.

D

The root bridge is elected based on the lowest bridge ID, not the highest. A higher bridge priority (numerically larger) makes a switch less likely to become root.

36
MCQ · medium

A user reports that their desk port stopped working immediately after they connected a small switch. The interface shows err-disabled, and the log mentions BPDU Guard. What most likely happened?

A. The port received a BPDU and BPDU Guard shut it down.
B. DHCP snooping blocked the user's ARP requests.
C. Port security moved the port to protect mode.
D. The trunk native VLAN matched incorrectly.
Answer: A

This matches the symptom and the log message.

Why this answer

BPDU Guard is commonly enabled on PortFast access ports to protect the topology. If the port receives a BPDU, the switch assumes another switch may have been connected and places the port into err-disabled state. That is exactly the protective behavior you want at the edge.

Exam trap

A frequent exam trap is mistaking BPDU Guard triggers for issues caused by DHCP snooping or port security. Candidates may incorrectly assume that DHCP snooping blocking ARP or port security violations cause the err-disabled state when the log explicitly mentions BPDU Guard. Another pitfall is confusing native VLAN mismatches on trunks as the cause, but these do not generate BPDU Guard errors.

The key is to recognize that BPDU Guard specifically responds to receiving BPDUs on PortFast-enabled ports, which signals an unexpected switch connection and leads to err-disable. Misreading the log or symptoms can lead to selecting incorrect answers that do not align with BPDU Guard’s function.

Why the other options are wrong

B

Incorrect. DHCP snooping blocks unauthorized DHCP messages but does not cause BPDU Guard to err-disable a port. The log specifically mentions BPDU Guard, so DHCP snooping is unrelated here.

C

Incorrect. Port security violations cause err-disable states but are triggered by MAC address violations, not by receiving BPDUs. The log message points to BPDU Guard, not port security.

D

Incorrect. A trunk native VLAN mismatch causes VLAN tagging issues but does not trigger BPDU Guard or err-disable a port due to BPDU reception. This option does not explain the BPDU Guard log message.

37
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, including recovery steps when a port enters err-disabled.


Why this order

Root Guard must be applied first on designated ports to prevent unwanted root bridge changes, then Loop Guard on non-designated ports to prevent loops, followed by BPDU Guard on PortFast ports. Recovery steps are last because they apply after a violation occurs.

Exam trap

The trap is that candidates may confuse the order of applying STP protections. Remember: Root Guard first (designated ports), then Loop Guard (non-designated), then BPDU Guard (PortFast), and recovery last. Do not place recovery first or mix up the sequence.

38
PBQ · hard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on the designated port facing a downstream switch to prevent a rogue switch from becoming root. Also, enable Loop Guard on the uplink port to prevent STP loops, and configure BPDU Guard on a PortFast-enabled access port. Ensure that if a superior BPDU is received on the Root Guard port, it is blocked, and if a BPDU is received on the BPDU Guard port, it goes err-disabled.

Network Topology
[Topology diagram: devices R1, R2, SW2, PC; labels G0/0 10.0.0.1/30, G0/0 10.0.0.2/30, trunk, G0/1 192.168.10.1/24, access vlan 10]

Hints

  • Root Guard is applied on designated ports to block superior BPDUs.
  • Loop Guard is applied on root or alternate ports to prevent loops if BPDUs stop.
  • BPDU Guard with PortFast err-disables the port upon receiving any BPDU.
A. The configuration is correct; no changes are needed.
B. Root Guard should be applied on G0/0 instead of G0/1, and Loop Guard on G0/1 instead of G0/0.
C. BPDU Guard should be configured on G0/1 instead of G0/2, and Loop Guard should be removed from G0/0.
D. Root Guard should be applied on G0/2 instead of G0/1, and BPDU Guard should be removed from G0/2.
Answer: A
solution
! R1

Why this answer

R1 is the STP root for VLAN 10. The downstream port (G0/1) is a designated port, so Root Guard is correctly applied to prevent a superior BPDU from being accepted. The uplink port (G0/0) is a root port, so Loop Guard should be applied there to prevent an STP loop if BPDUs stop arriving.

The access port (G0/2) has PortFast and BPDU Guard enabled, which will err-disable the port if a BPDU is received. The current configuration is correct; no changes are needed. If a superior BPDU arrives on G0/1, Root Guard will block the port.

If a BPDU arrives on G0/2, BPDU Guard will err-disable it.

Exam trap

The trap is that candidates may think changes are needed because they misapply STP protections to the wrong port types. Remember: Root Guard on designated ports, Loop Guard on root/alternate ports, BPDU Guard on PortFast access ports.

Why the other options are wrong

B

Root Guard is only effective on designated ports; applying it to a root port would not prevent a rogue switch from becoming root. Loop Guard on a designated port is unnecessary and could cause false positives.

C

BPDU Guard on a trunk port would err-disable it upon receiving a BPDU, which is normal for trunk ports. Loop Guard on the root port is essential for loop prevention; removing it would leave the network vulnerable.

D

Root Guard on an access port would block the port if a superior BPDU is received, but access ports should not receive BPDUs if PortFast is enabled. BPDU Guard already handles that by err-disabling the port.

39
MCQ · hard

A network engineer receives a call that users in VLAN 10 on Switch B cannot ping the default gateway, which is a router on a stick connected to Switch A. The engineer checks the Spanning Tree Protocol state on the interface connecting Switch A to Switch B (GigabitEthernet0/1) and finds it is in a root-inconsistent state. Which command output best explains the cause of the issue?

A. The interface is in err-disable state due to BPDU guard.
B. Root guard is enabled and the port received a superior BPDU, causing it to become root-inconsistent.
C. Loop guard is enabled and the port is in a blocking state due to missing BPDUs.
D. The port is in a forwarding state but the VLAN is misconfigured.
Answer: B

Root guard on the interface caused the port to be placed in root-inconsistent state when a superior BPDU was received, blocking the port.

Why this answer

Root guard, when enabled on a port, places that port into a root-inconsistent blocking state if it receives a superior BPDU, preventing the switch from becoming the root bridge. This root-inconsistent state stops forwarding traffic, which explains why users in VLAN 10 cannot reach the default gateway. The port remains physically up but is blocked by spanning tree, so normal interface status would not show a down state, making the root-inconsistent state the key indicator.

Exam trap

Candidates often confuse root guard with BPDU guard: BPDU guard err-disables a port upon receiving any BPDU on a PortFast port, while root guard responds to superior BPDUs by placing the port in root-inconsistent state, not err-disable.

Why the other options are wrong

A

BPDU guard causes an err-disable state, which would show the interface as down or err-disabled, not as root-inconsistent.

C

Loop guard places a port into loop-inconsistent blocking state when BPDUs stop being received, not when a superior BPDU is received.

D

A forwarding state would allow traffic; the problem here is that the port is in a blocked state due to root guard, not a misconfigured VLAN.

40
MCQ · hard

A network administrator is troubleshooting connectivity loss in a switched network. All switches run Rapid PVST+. A host connected to an access port on SwitchC can no longer reach the default gateway. The access port is configured with PortFast and BPDU Guard. The administrator checks the interface status and finds it in an err-disabled state. What is the most likely cause of this issue?

A. The root bridge election failed, causing a loop.
B. BPDU Guard detected a BPDU on a PortFast-enabled port and disabled it.
C. Rapid PVST+ is not compatible with PortFast.
D. The port is configured as a trunk but should be an access port.
Answer: B

BPDU Guard is enabled on Gi0/1, and a BPDU was received, causing the port to go err-disabled.

Why this answer

B is correct because BPDU Guard is designed to protect the spanning-tree topology by disabling a PortFast-enabled port if it receives a BPDU, placing the port in err-disabled state. Option A is incorrect: a root bridge election failure would not cause a port to err-disable; loops do not directly trigger this state without BPDU Guard. Option C is incorrect because PortFast and BPDU Guard work with all spanning-tree variants including Rapid PVST+.

Option D is incorrect: a trunk misconfiguration alone would not cause err-disable unless BPDU Guard detects a BPDU on a PortFast port.

Exam trap

Cisco often tests the misconception that PortFast and BPDU Guard are incompatible with Rapid PVST+, but in reality, PortFast is a port-level feature that works identically across all spanning-tree variants, and BPDU Guard is the mechanism that causes the err-disabled state when a BPDU is received.

Why the other options are wrong

A

A root bridge election failure would not place the port in err-disabled state; it would cause loops but not trigger BPDU Guard directly.

C

PortFast and BPDU Guard are fully compatible with Rapid PVST+; this option implies incompatibility, which is incorrect.

D

A trunk misconfiguration alone would not cause the port to go err-disable unless a BPDU is received on a PortFast-enabled port, and BPDU Guard is the specific mechanism for that.

41
Multi-Select · medium

Which three statements accurately describe the operation of the Spanning Tree Protocol (STP) root bridge election? (Choose three.)

Select 3 answers
  • The switch with the lowest bridge ID (priority + MAC address) becomes the root bridge.
  • If two switches have the same priority, the one with the lowest MAC address is chosen.
  • All ports on the root bridge are placed in the designated role.
  • The root bridge is always the switch with the highest MAC address.
  • The root bridge priority can be modified using the 'spanning-tree vlan vlan-id root secondary' command to force it to become root.
  • The root bridge election occurs every 30 seconds by default.

Why this answer

The Spanning Tree Protocol (STP) root bridge election is based on the bridge ID, which combines a configurable priority (default 32768) and the switch's MAC address. The switch with the lowest bridge ID wins the election, making option 1 correct. If priorities are equal, the MAC address serves as the tiebreaker, so the switch with the lowest MAC address is chosen, confirming option 2.

Once elected, all ports on the root bridge become designated ports (forwarding), as they are the most efficient paths to the root, making option 3 correct.

Exam trap

Cisco often tests the misconception that the root bridge is elected periodically (e.g., every 30 seconds) or that the 'root secondary' command forces a switch to become root, when in fact the election is event-driven and the command only sets a specific priority for backup purposes.

42
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Rapid PVST+ with a designated root bridge, PortFast, and BPDU Guard on access ports.


Why this order

1. Set the spanning-tree mode to Rapid PVST+: This enables Rapid PVST+ globally, a prerequisite for the root primary command to function correctly.
2. Configure the switch as the root bridge for VLAN 1: Lowers the bridge priority to guarantee this switch becomes the root, defining the STP topology.
3. Enter interface configuration mode for the access ports: Prepares the specific ports where PortFast and BPDU Guard are applied.
4. Enable PortFast on the interfaces: Allows immediate transition to forwarding state, bypassing listening/learning phases.
5. Enable BPDU Guard on the interfaces: Protects the network by err-disabling the port if a BPDU is received, which should occur only after PortFast is enabled on access ports.

43
PBQ · hard

You are connected to SW1. The network has experienced a spanning-tree topology change, and the new root bridge is not the intended core switch. Configure SW1 with a root primary priority, enable PortFast and BPDU Guard on interface GigabitEthernet0/3 (an edge port connected to a server), and verify that a specific port in the topology is blocking. Then, after a BPDU violation occurs on G0/3, recover the interface from err-disable state without reloading the switch.

Network Topology
[Topology diagram: devices SW1, SW2, SW3, SW4, Server; interface labels G0/0, G0/0, G0/1, G0/0, G0/2, G0/0, G0/3]

Hints

  • Use 'spanning-tree vlan 1 root primary' to set priority to 24576.
  • PortFast and BPDU Guard are configured under the interface.
  • To recover from err-disable, you can use 'shutdown' and 'no shutdown' on the interface.
A. spanning-tree vlan 1 root primary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; shutdown; no shutdown
B. spanning-tree vlan 1 priority 4096; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; errdisable recovery cause bpduguard
C. spanning-tree vlan 1 root secondary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; no shutdown
D. spanning-tree vlan 1 root primary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpdufilter enable; interface GigabitEthernet0/3; shutdown; no shutdown
Answer: A
solution
! SW1
configure terminal
spanning-tree vlan 1 root primary
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable
end
configure terminal
interface GigabitEthernet0/3
shutdown
no shutdown
end

Why this answer

The current root bridge has priority 32769, but the intended root should be SW1 with a lower priority. First, configure SW1 as root primary using 'spanning-tree vlan 1 root primary' or manually set priority to 24576. For edge port Gi0/3, enable PortFast with 'spanning-tree portfast' and BPDU Guard with 'spanning-tree bpduguard enable'.

After the BPDU violation, the port is err-disabled. To recover, first shut down and then no shut the interface, or use 'errdisable recovery cause bpduguard' and wait for the recovery interval, but the most direct method is to manually bounce the interface.

Exam trap

Watch out for confusing root primary vs root secondary, BPDU Guard vs BPDU filter, and the correct method to recover an err-disabled port. Manual shutdown/no shutdown is immediate, while errdisable recovery relies on a timer.

Why the other options are wrong

B

The priority value 4096 is not used by the root primary command; it sets priority to 24576. Additionally, errdisable recovery does not immediately recover the port; it requires a timer.

C

Root secondary makes the switch a secondary root, not primary. An err-disabled port requires a shutdown before no shutdown to clear the error state.

D

BPDU filter does not trigger err-disable on BPDU reception; it silently drops BPDUs. BPDU Guard is needed to protect edge ports.

44
Matching · medium

Match each wireless or edge-switch concept on the left to the description on the right that best fits it. Not all descriptions will be used.

Concepts:
  • SSID
  • CAPWAP
  • Voice VLAN
  • PortFast

Descriptions:
A. Name of the wireless LAN shown to clients
B. Communication relationship between lightweight APs and controller
C. Separates phone traffic from ordinary data on an edge port
D. Allows an endpoint-facing switchport to move quickly toward forwarding
E. Delivers power to devices over Ethernet (PoE)
F. Authenticates users before granting network access (802.1X)
G. Aggregates multiple physical links for increased bandwidth (LACP/EtherChannel)


Why these pairings

SSID is the service set identifier, the human-readable name broadcast by access points so clients can identify the WLAN. CAPWAP (Control and Provisioning of Wireless Access Points) defines the split-MAC architecture and communication between lightweight APs and a wireless LAN controller. Voice VLAN is an access port feature that dynamically assigns IP phone traffic to a separate VLAN, isolating it from data traffic.

PortFast is a spanning-tree enhancement that bypasses listening and learning states on access ports to allow immediate forwarding, preventing connectivity delays for endpoints. Distractor E refers to Power over Ethernet, not a wireless or edge-switch naming concept; F describes 802.1X authentication, not a WLAN name or AP-controller protocol; G refers to link aggregation, not a VLAN or spanning-tree feature.

Exam trap

Do not confuse Voice VLAN with a trunk port that carries multiple VLANs — Voice VLAN actually uses the access port in conjunction with a voice VLAN ID, and PortFast is often mistaken for disabling spanning tree entirely rather than accelerating convergence.

45
Multi-Select · medium

Which TWO statements correctly describe the configuration and effect of Root Guard and BPDU Guard on a Cisco switch?

Select 2 answers
A. Root Guard is configured on a per-port basis and causes the port to become root-inconsistent if a superior BPDU is received.
B. BPDU Guard prevents loops by disabling a trunk port that receives a BPDU from an unauthorized switch.
C. Root Guard places a port in errdisable state when a superior BPDU is received.
D. BPDU Guard is commonly enabled on ports where PortFast is configured to prevent unexpected BPDUs from causing a bridging loop.
E. Both Root Guard and BPDU Guard filter BPDUs to prevent them from being processed by the switch CPU.
Answers: A, D

Root Guard is applied to a port (usually a designated port) and if a better BPDU arrives, the port enters a root-inconsistent state, blocking traffic and preventing the switch from becoming root.

Why this answer

Option A is correct because Root Guard is configured per interface using the 'spanning-tree guard root' command. When a port with Root Guard enabled receives a superior BPDU (one that would cause the switch to become a non-root bridge), the port is placed into a root-inconsistent state, effectively blocking traffic on that port and preventing the switch from accepting a new root bridge from that direction. This protects the spanning-tree topology from unauthorized or misconfigured switches attempting to become the root bridge.

Option D is correct because BPDU Guard is commonly enabled on ports with PortFast (typically access ports connected to end devices). When a BPDU is received on such a port, BPDU Guard places the port into errdisable state, preventing potential bridging loops that could result from an unauthorized switch connecting to the network. Option B is incorrect because BPDU Guard does not prevent loops by disabling a trunk port; it is typically used on access ports (often with PortFast) and disables the port upon receiving any BPDU, not just on trunk ports.

Option C is incorrect because Root Guard places the port into root-inconsistent state (not errdisable) when a superior BPDU is received; BPDU Guard uses errdisable. Option E is incorrect because neither Root Guard nor BPDU Guard filters BPDUs; Root Guard reacts to superior BPDUs by blocking the port, and BPDU Guard reacts to any BPDU by disabling the port. Both features allow BPDUs to be processed but then take action based on the received BPDUs.

Exam trap

Cisco often tests the distinction between the states triggered by Root Guard (root-inconsistent) versus BPDU Guard (errdisable), and candidates frequently confuse the two, assuming both place the port into errdisable or that Root Guard uses errdisable.

Why the other options are wrong

B

BPDU Guard does not prevent loops by disabling a trunk port; it is typically used on access ports with PortFast and disables the port upon receiving any BPDU.

C

Root Guard places the port into root-inconsistent state, not errdisable; errdisable is the state used by BPDU Guard.

E

Neither Root Guard nor BPDU Guard filters BPDUs; they both process received BPDUs and then take action (root-inconsistent for Root Guard, errdisable for BPDU Guard).

46
MCQ · hard

Refer to the exhibit. A network engineer expects SW1 to be the root bridge for VLAN 1, but the show spanning-tree vlan 1 output on SW2 shows that SW2 is the root. What is the most likely cause of this issue?

A. SW1 is configured with a priority of 32769 but has a higher MAC address than SW2.
B. Spanning tree is disabled on SW1 for VLAN 1.
C. SW1 has a bridge priority of 4096, but BPDU guard is configured on SW2's port to SW1, causing the port to be err-disabled.
D. The trunk link between SW1 and SW2 is down.
Answer: D

The missing root port and the fact that SW2 sees itself as root confirm that SW2 is not receiving any BPDUs from SW1. This is exactly the behavior when the inter-switch trunk is physically down, breaking the spanning-tree topology.

Why this answer

SW2 shows itself as the root (Root ID and Bridge ID are identical, and the text 'This bridge is the root'), and there is no root port listed. In a stable spanning-tree topology, a non-root switch must have a root port to reach the root. The absence of any root port indicates that SW2 is not receiving superior BPDUs from SW1.

The most likely cause is that the trunk link between SW1 and SW2 is down, preventing BPDU exchange.

Exam trap

Many candidates select option A because they notice both priority values are 32769 and assume a MAC-address tiebreaker makes SW2 root, but they fail to see that SW2 has no root port, which would exist if the link to SW1 were operational.

Why the other options are wrong

A

Candidates focus on the matching priority numbers and overlook the missing root port that indicates a complete loss of BPDUs.

B

Candidates may assume no BPDUs means STP is off, but the intended root designation suggests STP is on and a physical disconnect is the primary suspect.

C

Candidates recall that BPDU guard can block ports, but they fail to differentiate between a missing port due to err-disable and a missing port due to a physically down link, which looks identical in this output.

47
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, including the recovery steps when a port enters err-disabled.


Why this order

The correct order is Option A because: 1) Root Guard is applied to designated ports to protect the root bridge election; 2) Loop Guard is applied to non-designated ports to prevent loops caused by unidirectional links; 3) BPDU Guard is applied to PortFast-enabled ports to shut down ports that receive BPDUs unexpectedly. Options B, C, and D incorrectly assign these guards to the wrong port roles (e.g., Option B places BPDU Guard on designated ports and Root Guard on non-designated ports, which violates the intended protection). Steps 4 and 5 apply only to BPDU Guard, as it transitions the port to err-disabled state upon BPDU reception; Root Guard and Loop Guard cause blocking states (root-inconsistent or loop-inconsistent), not err-disabled.

Therefore, the recovery steps (errdisable recovery and manual re-enable) are only relevant for ports configured with BPDU Guard.

Exam trap

Do not confuse the port roles: Root Guard is for designated ports, Loop Guard for non-designated, and BPDU Guard for PortFast. Also remember that errdisable recovery requires both global configuration and manual interface re-enablement.

48
MCQ · hard

A switch receives BPDUs on a user-facing port configured as an edge port, but instead of just blocking the port role it fully error-disables it. Which protection feature most likely explains that behavior?

Answer: A

This is correct because BPDU Guard typically error-disables an edge port that receives BPDUs.

Why this answer

BPDU Guard most likely explains that behavior. In practical terms, BPDU Guard is used to protect ports that are expected to face ordinary endpoints, not other switches. If BPDUs appear on such a port, the device treats that as a serious topology-policy violation and shuts the port down.

This is different from features that merely influence spanning-tree role choice without fully error-disabling the interface.

Exam trap

Be careful not to confuse BPDU Guard with other spanning tree protection features that do not disable ports upon receiving BPDUs.

Why the other options are wrong

B

Root guard does not error-disable a port; instead, it places the port into a root-inconsistent state if a superior BPDU is received, preventing the port from becoming a root port. It is used to enforce the root bridge location, not to disable ports upon BPDU reception.

C

Port security restricts the number of MAC addresses learned on a port and can error-disable the port if a violation occurs (e.g., too many MAC addresses). It does not react to BPDUs; its focus is on MAC address learning, not spanning-tree BPDUs.

D

DHCP snooping is a security feature that filters DHCP messages and can error-disable a port if a DHCP violation occurs (e.g., rogue DHCP server). It does not inspect or react to BPDUs, which are layer 2 spanning-tree frames.

49
MCQ · hard

A network administrator has configured Rapid PVST+ on all switches and globally enabled BPDU Guard. After connecting a new access switch to an existing distribution switch, the distribution switch interface goes into err-disabled state. The new switch is configured with PortFast on its uplink port. What is the most likely cause of the err-disabled state?

A. Disable Root Guard on the distribution switch interface
B. Disable BPDU Guard on the distribution switch interface
C. Remove PortFast from the new access switch uplink interface
D. Configure the interface as an access port instead of trunk
Answer: B

BPDU Guard err-disables a PortFast-enabled port upon receiving any BPDU. Since this is a trunk port expecting BPDUs, BPDU Guard should not be enabled. Removing it allows the port to stay up while Root Guard still protects against an unwanted root bridge.

Why this answer

The distribution switch interface entered err-disabled because it received a BPDU while BPDU Guard was enabled. BPDU Guard is not automatically enabled with PortFast; it must be explicitly turned on, and the scenario assumes it is active. When a BPDU arrives on a BPDU Guard–enabled port, the switch err-disables it to prevent loops.

Disabling BPDU Guard on that interface resolves the condition. Disabling Root Guard (option A) would not stop the BPDU Guard trigger; removing PortFast (option C) would not disable the already-enabled BPDU Guard; and changing the port to access mode (option D) is irrelevant to BPDU Guard behavior.

Exam trap

Many learners incorrectly assume BPDU Guard is enabled by default on PortFast ports; in reality, it requires explicit configuration, so the exam may present a scenario where BPDU Guard is already enabled to test this distinction.

Why the other options are wrong

A

Root Guard does not cause err-disable; it only prevents the port from becoming a root port. The err-disabled state is triggered by BPDU Guard, not Root Guard.

C

PortFast on the access switch's uplink does not cause err-disable on the distribution switch. PortFast only affects the access switch's port state, not the distribution switch's interface.

D

The err-disable is caused by BPDU Guard, not by trunking misconfiguration. Changing the port mode to access would not resolve the BPDU Guard issue and could disrupt connectivity.

50
PBQeasy

You are connected to SW1 via the console. SW1 is a Layer 2 switch with an access port G0/1 connected to a server. The network administrator has noticed that the server is sending BPDUs, which could cause network instability. You need to configure PortFast and BPDU Guard on port G0/1 to prevent BPDU-related issues and ensure the port transitions to forwarding state immediately.

Network Topology
[Topology diagram: SW1 port G0/1 connected to Server]

Hints

  • PortFast enables immediate transition from blocking to forwarding state.
  • BPDU Guard disables the port if a BPDU is received.
  • These features are typically applied to access ports connected to end devices.
A.interface G0/1; spanning-tree portfast; spanning-tree bpduguard enable
B.interface G0/1; spanning-tree portfast; spanning-tree guard root
C.interface G0/1; spanning-tree portfast; spanning-tree bpdufilter enable
D.interface G0/1; spanning-tree portfast; spanning-tree bpduguard default
Answer: A
solution
! SW1
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable

Why this answer

PortFast allows an access port to bypass STP listening/learning states, providing immediate connectivity. BPDU Guard protects the network by shutting down the port if a BPDU is received, preventing potential loops from unauthorized switches.

Exam trap

Cisco exams often test the exact syntax for STP features. Remember that BPDU Guard and BPDU Filter both use 'enable' at the interface level ('spanning-tree bpduguard enable', 'spanning-tree bpdufilter enable'), while Root Guard uses 'guard root'.

Do not confuse these or use global commands on interfaces.

Why the other options are wrong

B

The specific factual error is confusing Root Guard with BPDU Guard. Root Guard is used to enforce the root bridge position, not to protect against BPDUs.

C

The specific factual error is that BPDU Filter silently drops BPDUs instead of taking action, which can allow loops to form if an unauthorized switch is connected.

D

The specific factual error is using the global configuration command on an interface. The global command enables BPDU Guard on all PortFast-enabled ports, but the question asks to configure it on a specific port.

51
MCQmedium

Why is BPDU Guard commonly enabled on PortFast-enabled access ports?

A.To make STP root election happen faster
B.To disable STP permanently on access ports
C.To err-disable a port if it receives unexpected BPDUs
D.To allow only one MAC address on the access port
Answer: C

That is the core purpose of BPDU Guard.

Why this answer

PortFast ports are meant for end devices, not for switches. BPDU Guard protects the LAN by shutting down a PortFast port that unexpectedly starts receiving BPDUs, which usually means an unauthorized switch was connected.

Exam trap

Don't confuse BPDU Guard with PortFast or BPDU filtering; each has distinct roles.

Why the other options are wrong

A

BPDU Guard is a security feature that err-disables a port upon receiving BPDUs; it does not accelerate root election. Root election speed is influenced by STP timers and bridge priorities, not BPDU Guard.

B

BPDU Guard does not disable STP permanently; it only reacts to BPDU reception by err-disabling the port. STP remains active on other ports, and the port can be re-enabled after the violation is resolved.

D

Limiting MAC addresses on a port is the function of port security, not BPDU Guard. BPDU Guard specifically monitors for BPDU frames and takes action if any are received.

52
MCQmedium

A switch administrator enters the following commands on interface GigabitEthernet1/0/10:

interface g1/0/10
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable

A user connects a small managed switch to this port, and the access port immediately changes to an err-disabled state. Which feature caused the port to shut down?

C.Access VLAN 30 assignment
D.The interface being in access mode
Answer: B

Correct. BPDU Guard is correct because it is specifically designed to shut down an edge port that should not receive BPDUs. In plain terms, the switch sees evidence that another switch was attached and decides to protect the topology by disabling the port instead of allowing a possible loop or unexpected spanning-tree participation.

Why this answer

BPDU Guard is the feature that caused the shutdown. This question is really about separating two features that are often configured together on user-facing ports: PortFast and BPDU Guard. PortFast helps an edge port come up quickly, which is useful for PCs and phones.

BPDU Guard adds protection by watching for BPDUs on that same port. If a switch is connected where only an end device should exist, the newly connected switch may send BPDUs. The local switch interprets that as a topology risk and disables the port to protect the Layer 2 network.

The clues are the err-disabled state and the fact that another switch was connected. VLAN assignment and access mode are normal here and do not explain the shutdown.

Exam trap

Remember that BPDU Guard, not PortFast, causes a port to shut down when BPDUs are received. PortFast only affects port transition speed.

Why the other options are wrong

A

PortFast is a feature that allows a port to transition immediately to the forwarding state, bypassing the usual spanning-tree listening and learning phases. It does not cause a port to shut down or enter an err-disabled state; it only speeds up convergence for end-user devices.

C

Assigning an access VLAN (VLAN 30) simply places the port into a specific broadcast domain for user traffic. It has no mechanism to detect or react to BPDUs, and it does not cause a port to enter an err-disabled state. The port would remain operational regardless of the VLAN assignment.

D

Configuring a port as an access port is a standard practice for connecting end devices. It does not inherently cause any shutdown or err-disabled condition. The port remains up and forwarding traffic unless another feature, such as BPDU Guard, triggers a protective action.

53
MCQhard

A network engineer connects a new switch to an existing Rapid PVST+ campus network. The new switch is intended to serve as an additional access-layer switch, but after connecting its uplinks, the engineer discovers that the root bridge for VLAN 10 has changed to this new switch, and several access ports on other switches with PortFast and BPDU Guard enabled are now in err-disabled state. Some users report intermittent connectivity loss.

A.The new switch was connected to a port configured as a trunk with a native VLAN mismatch.
B.The new switch’s bridge priority is lower than the existing root bridge, and it was connected to a port with BPDU Guard enabled.
C.The new switch has PortFast enabled on its uplinks.
D.The BPDU Guard feature was globally enabled on all ports, including trunk ports.
Answer: B

A lower bridge priority causes the new switch to become the root for VLAN 10. Plugging it into a BPDU Guard-enabled port (which is normally an edge port with PortFast) results in the port receiving BPDUs and going err-disabled. This perfectly explains both symptoms.

Why this answer

The new switch's bridge priority is lower (numerically smaller) than the existing root bridge, so it becomes the new root for VLAN 10. When it sends superior BPDUs out its uplinks, the neighboring switch's access ports with PortFast and BPDU Guard enabled receive these BPDUs, triggering err-disable state on those ports, causing connectivity loss.

Exam trap

Cisco often tests the misconception that BPDU Guard only applies to access ports or that it prevents root bridge changes, when in fact it reacts to any BPDU received on a PortFast port, regardless of the BPDU's source or priority.

Why the other options are wrong

A

Attributing the issue to a native VLAN mismatch overlooks the root election change and the BPDU Guard-triggered err-disable state.

C

This answer ignores the root election shift and the BPDU Guard events; PortFast misconfiguration alone would not cause these symptoms.

D

This fails to account for the selective err-disable of only access ports and the concurrent root bridge change, which points to a targeted misconfiguration rather than a blanket global setting.

54
MCQhard

A network administrator is troubleshooting connectivity issues in a switched network. Users on VLAN 10 report intermittent connectivity to the server farm. The network uses Rapid PVST+ as the spanning-tree protocol. The administrator examines the switch that is the root bridge for VLAN 10 and notices that one of the uplink interfaces to an access switch is in a blocking state. What is the most likely cause of this issue?

A.Change the port type of Gi0/3 to trunk to allow multiple VLANs.
B.Configure spanning-tree portfast on Gi0/3 to speed up convergence.
C.Check the spanning-tree priority on other switches to ensure the intended root bridge has the lowest priority for VLAN 10.
D.Enable BPDU guard on Gi0/3 to prevent unauthorized switches from affecting the network.
Answer: C

The root bridge is elected based on the lowest bridge priority. If another switch has a lower priority, it becomes the root, causing ports on the current root to block. Verifying and adjusting priorities will ensure the correct root bridge election.

Why this answer

In Rapid PVST+, the root bridge for a VLAN should have all its ports in a forwarding state. If an uplink interface on the root bridge is blocking, it indicates that another switch is being elected as the root bridge for VLAN 10, likely because it has a lower spanning-tree priority. By checking and adjusting the priority on other switches, the administrator can ensure the intended switch becomes the root bridge, resolving the intermittent connectivity caused by suboptimal path selection.

Exam trap

Cisco often tests the misconception that a blocking port on a root bridge indicates a physical or configuration issue with that specific port, when in fact it signals that the switch is not the root bridge due to a lower priority on another switch.

Why the other options are wrong

A

Changing the port type to trunk does not affect spanning-tree root bridge election or port roles. The blocking state is determined by spanning-tree topology, not by trunk configuration.

B

Portfast is intended for access ports connected to end devices to bypass listening/learning states; it is not used on uplinks and does not resolve a blocking state caused by spanning-tree topology.

D

BPDU guard is used on access ports to protect against rogue switches by disabling the port if a BPDU is received. It does not affect root bridge election or port roles on uplinks.

55
MCQeasy

What problem does Spanning Tree Protocol solve in a switched network?

A.IP address exhaustion
B.Layer 2 switching loops
C.Slow DNS lookups
D.Weak wireless encryption
Answer: B

Correct. Loop prevention is the core purpose of STP.

Why this answer

STP prevents Layer 2 loops by blocking redundant paths when necessary, which avoids broadcast storms and MAC table instability.

Exam trap

Avoid confusing STP with technologies like EtherChannel, IPsec, or QoS, which address different network concerns.

Why the other options are wrong

A

Spanning Tree Protocol (STP) operates at Layer 2 and has no mechanism to manage or allocate IP addresses; IP address exhaustion is addressed by protocols like DHCP or IPv6 transition technologies.

C

DNS lookups are application-layer processes that rely on IP connectivity and name resolution servers; STP does not influence DNS performance or resolution speed.

D

Wireless encryption is a security feature implemented at the data link layer (e.g., WPA2/3) and is unrelated to STP, which deals with physical topology loop prevention.

56
MCQmedium

SW1 is the root bridge for VLAN 10. A user switch receives a BPDU on an access port connected to a desk-side unmanaged switch. What should happen if BPDU Guard is enabled on that port?

A.The port transitions to forwarding more quickly
B.The port is moved to err-disabled state
C.The switch elects a new root bridge
D.The port becomes a trunk automatically
Answer: B

BPDU Guard shuts the port down when a BPDU is seen on an edge port.

Why this answer

BPDU Guard is designed to protect edge ports. If a BPDU is received on a PortFast access port, the switch places the interface into the err-disabled state to stop a potential Layer 2 loop or rogue switch.

Exam trap

Remember that BPDU Guard actively disables ports, it doesn't just log or ignore BPDUs.

Why the other options are wrong

A

PortFast allows a port to transition to forwarding immediately upon link up, but it does not react to BPDU reception. BPDU Guard is a separate feature that disables the port upon receiving a BPDU; it does not accelerate forwarding.

C

Receiving a BPDU on a single edge port does not trigger a root bridge election. Root bridge election is based on bridge ID comparison across the entire spanning-tree domain, not on a single BPDU on a port.

D

BPDU Guard does not change the port mode; it only reacts to BPDU reception by disabling the port. Port mode (access or trunk) is configured separately and is not affected by STP protection features.

57
MCQhard

SW2 receives the following STP details for VLAN 10: The root bridge ID is 32768:0001.0001.0001 (SW1), and SW2's bridge ID is 32768:0002.0002.0002. Its interface Gi0/1 has a path cost of 4 to the root, while Gi0/2 has a path cost of 19. Based on this information, which statement is correct?

A.SW2 is the root bridge for VLAN 10.
B.Gi0/1 on SW2 is the root port.
C.All SW2 ports in VLAN 10 must be designated ports.
D.STP is disabled because the priorities are equal.
Answer: B

The output states that the root is reached through Port 1, which maps to Gi0/1.

Why this answer

The root bridge has the lowest bridge ID. SW1 is the root because its bridge ID is lower than SW2's local bridge ID. On a non-root switch, the port with the best path toward the root becomes the root port, so Gi0/1 is the root port here.

Exam trap

A common exam trap is to incorrectly conclude that STP is disabled when bridge priorities are equal. Candidates may mistakenly believe that equal priorities cause STP to fail or not elect a root bridge. However, STP always elects a root bridge by comparing the MAC addresses as a tiebreaker when priorities match.

Another trap is assuming all ports on a non-root switch must be designated ports, ignoring the existence of a root port that leads toward the root bridge. Misreading the root port can lead to incorrect answers about port roles and network topology.

Why the other options are wrong

A

This option is incorrect because the root bridge ID shown in the STP details differs from SW2's local bridge ID, indicating SW2 is not the root bridge for VLAN 10.

C

This option is wrong since a non-root switch does not have all ports as designated ports; it must have one root port and may have other ports as designated or blocked.

D

This is incorrect because equal priorities do not disable STP; the protocol uses the MAC address portion of the bridge ID to break ties and continue operation.

58
PBQhard

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to two other switches (SW2 and SW3) via redundant links. All switches run IEEE 802.1D Spanning Tree Protocol. The network administrator wants SW1 to become the root bridge for VLAN 1. Currently, the root bridge is SW2. Configure SW1 to achieve this and ensure that port G0/1, which connects to an end device, immediately transitions to forwarding state upon link up and is protected from BPDU attacks.

Network Topology
[Topology diagram: SW1, SW2, SW3; SW1 G0/1 to PC]

Hints

  • The 'root primary' macro sets the priority lower than any other switch.
  • PortFast allows a port to skip listening/learning states.
  • BPDU Guard err-disables the port if a BPDU is received.
A.Configure 'spanning-tree vlan 1 root primary' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.
B.Configure 'spanning-tree vlan 1 priority 4096' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree guard root'.
C.Configure 'spanning-tree vlan 1 root secondary' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.
D.Configure 'spanning-tree vlan 1 priority 32768' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpdufilter enable'.
Answer: A
solution
! SW1
spanning-tree vlan 1 root primary
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable

Why this answer

The 'spanning-tree vlan 1 root primary' command reduces the bridge priority to 24576 (or lower) to ensure SW1 becomes root for VLAN 1. PortFast on G0/1 speeds up access port convergence, and BPDU Guard protects against rogue switches by disabling the port upon BPDU reception.

Exam trap

Do not confuse 'root primary' with 'root secondary' or manual priority settings. Also, remember that BPDU Guard is for access port security, while Root Guard protects the root bridge position. BPDU Filter suppresses BPDUs and is not a security feature.

Why the other options are wrong

B

The specific factual error: 'spanning-tree guard root' is a root guard feature, not BPDU guard. Also, manually setting priority to 4096 may not guarantee root if another switch has lower priority.

C

The specific factual error: 'root secondary' is for backup root, not primary. It sets priority to 28672, which is higher than the default priority of 32768 but not low enough to become root if another switch has a lower priority.

D

The specific factual error: priority 32768 is default and does not change root status. BPDU filter is not a security feature against BPDU attacks; it suppresses BPDUs entirely.

59
MCQhard

A switch receives superior BPDUs on a port where the design requires that no downstream device ever become the root path for that segment. Which feature is the best fit for that requirement?

Answer: A

This is correct because root guard prevents the port from becoming a root path when superior BPDUs appear.

Why this answer

Root guard is the best fit because it is designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. In practical terms, it protects the intended STP topology by keeping that port from taking on a root-related forwarding role when the design says it should not.

This is different from BPDU Guard, which is more commonly used on edge ports to disable them entirely if BPDUs appear. Root guard is about protecting topology roles, not just edge-port assumptions.

Exam trap

A common exam trap is selecting BPDU guard instead of root guard because both involve BPDU handling. BPDU guard disables a port immediately upon receiving any BPDU, which is suitable for edge ports but not for ports where topology control is required. Root guard, on the other hand, only blocks ports that receive superior BPDUs, allowing normal BPDUs from the current root bridge.

Confusing these features can lead to incorrect answers, as BPDU guard does not protect the root path role but rather protects against unauthorized devices on edge ports.

Why the other options are wrong

B

BPDU guard is incorrect because it disables a port upon receiving any BPDU, which is suitable for edge ports but does not control root path roles or topology changes.

C

Port security is unrelated to STP root path control; it manages MAC address access on a port and does not affect BPDU processing or root bridge election.

D

DHCP snooping protects against rogue DHCP servers by filtering DHCP messages and does not interact with STP or root bridge election mechanisms.

60
PBQmedium

You are connected to SW1 via console. SW1 is a Layer 2 switch connected to two other switches (SW2 and SW3) via trunk links. The network administrator wants to ensure that SW1 becomes the root bridge for VLAN 10 and VLAN 20. Currently, SW2 is the root for both VLANs. Configure SW1 to become the root bridge for these VLANs using the Cisco-recommended macro STP commands.

Network Topology
[Topology diagram: SW1 connected to SW2 and SW3 by trunk links]

Hints

  • Use the 'root primary' macro to set the bridge priority to 24576.
  • Ensure VLANs 10 and 20 exist on SW1.
A.spanning-tree vlan 10 root primary; spanning-tree vlan 20 root primary
B.spanning-tree vlan 10 root secondary; spanning-tree vlan 20 root secondary
C.spanning-tree vlan 10 priority 4096; spanning-tree vlan 20 priority 4096
D.spanning-tree vlan 10 root; spanning-tree vlan 20 root
Answer: A
solution
! SW1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary

Why this answer

The 'spanning-tree vlan <vlan> root primary' command is the Cisco-recommended macro that sets the bridge priority to 24576, which is lower than the default 32768, making SW1 the root bridge for those VLANs. Option A correctly uses this macro. Option C, while it could achieve the same goal by setting priority to 4096, is not the macro command and would be considered a static configuration; the question specifically asks for the appropriate macro commands.

Option B sets priority to 28672 as a secondary root, and Option D is invalid syntax.

Exam trap

Do not confuse 'root primary' with 'root secondary'. 'root primary' sets priority to 24576 to become root; 'root secondary' sets priority to 28672 to act as backup. Also, remember that the 'root' keyword must be followed by 'primary' or 'secondary'.

Why the other options are wrong

B

Option B uses 'root secondary', which sets the priority to 28672, making SW1 a backup root, not the primary root bridge.

C

Option C uses a static priority assignment of 4096, which would also make SW1 root, but the question expects the Cisco-recommended macro command 'root primary'.

D

Option D uses incomplete syntax 'spanning-tree vlan 10 root' without 'primary' or 'secondary', which is invalid.

61
PBQhard

You are connected to a multilayer switch MLS1. Configure Root Guard on switchport GigabitEthernet 0/1 (connected to an unauthorized switch) so that if a superior BPDU is received, the port is blocked instead of causing a topology change. Also enable Loop Guard on uplink GigabitEthernet 0/2 (connected to the root bridge) to prevent unidirectional link issues. Finally, enable BPDU Guard on PortFast-enabled access port GigabitEthernet 0/3 (connected to a host) so that if a BPDU is received, the port goes err-disabled. After configuration, a superior BPDU is received on G0/1 and the port is blocked; a BPDU is received on G0/3 and the port goes err-disabled. Verify these protections are active.

Hints

  • Root Guard is configured per interface under interface configuration mode using 'spanning-tree guard root'.
  • Loop Guard is configured per interface using 'spanning-tree guard loop'.
  • BPDU Guard is enabled on PortFast ports with 'spanning-tree bpduguard enable'.
A.Root Guard on G0/1, Loop Guard on G0/2, BPDU Guard on G0/3
B.Root Guard on G0/1, UplinkFast on G0/2, BPDU Guard on G0/3
C.BPDU Guard on G0/1, Loop Guard on G0/2, Root Guard on G0/3
D.Root Guard on G0/1, Loop Guard on G0/2, PortFast on G0/3
Answer: A
solution
! MLS1
interface GigabitEthernet0/1
 spanning-tree guard root
interface GigabitEthernet0/2
 spanning-tree guard loop
interface GigabitEthernet0/3
 spanning-tree portfast
 spanning-tree bpduguard enable

Why this answer

Root Guard was correctly configured on G0/1, so when a superior BPDU arrived, the port entered the root-inconsistent state instead of becoming the root port. Loop Guard on G0/2 prevents the alternate port from becoming root if BPDUs stop. BPDU Guard on G0/3 correctly triggered err-disable upon receiving a BPDU on a PortFast port.

To restore G0/3, use 'shutdown' then 'no shutdown' after removing the BPDU source. Verification commands confirm the protections are working.

Exam trap

Trap: Mixing up which protection goes where. Root Guard is for ports that should never become root (e.g., facing unauthorized switches). Loop Guard is for ports that are alternate or root ports (uplinks).

BPDU Guard is for PortFast-enabled access ports. Also, remember that BPDU Guard triggers err-disable, while Root Guard triggers root-inconsistent (blocking) state.

Why the other options are wrong

B

UplinkFast is not designed to detect or prevent unidirectional links; it only accelerates failover.

C

The protections are applied to the wrong ports: BPDU Guard should be on access ports, Root Guard on ports facing potential rogue switches, and Loop Guard on uplinks.

D

PortFast does not prevent BPDU reception; it only skips the listening and learning states. Without BPDU Guard, the port would still process BPDUs and could become a root port.

62
MCQhard

Exhibit: SW2 receives superior BPDUs on both uplinks. One uplink becomes the root port and the other becomes alternate. Which factor is considered first when SW2 chooses the root port?

A.Lowest local interface MAC address
B.Lowest root path cost
C.Highest duplex setting
D.Lowest configured VLAN number
Answer: B

That is the first major comparison.

Why this answer

STP chooses the best path to the root bridge based first on the lowest root path cost. If the cost ties, it then checks the sender bridge ID and sender port ID as tie-breakers.

Exam trap

Remember that STP prioritizes root path cost first, not bridge or port IDs. Misunderstanding the order of evaluation can lead to incorrect answers.

Why the other options are wrong

A

This option is wrong because the selection of the root port is based on the lowest root path cost, not the local interface MAC address. The MAC address is not a factor in determining the root port in the Spanning Tree Protocol (STP) process.

C

This option is wrong because the selection of the root port in Spanning Tree Protocol (STP) is based on the lowest root path cost, not the duplex settings of the interfaces. Duplex settings do not influence the port selection process in STP.

D

The lowest configured VLAN number is not a factor in determining the root port in Spanning Tree Protocol (STP). The selection process prioritizes path cost, not VLAN configuration.
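
The comparison order from this answer, together with the bridge ID tie-break from question 57, as an added example that is not part of the original question bank. The bridge IDs and the costs 4 and 19 come from question 57; the sender bridge and port IDs, and all names in the code, are assumptions made for illustration.

```python
"""Root bridge election and root port choice, in the order the answers describe."""
from dataclasses import dataclass


def parse_bridge_id(text):
    """'32768:0001.0001.0001' -> (32768, 0x000100010001); the lower tuple wins."""
    priority, mac = text.split(":")
    return int(priority), int(mac.replace(".", ""), 16)


def elect_root(bridge_ids):
    """Lowest priority wins; equal priorities fall through to the MAC address."""
    return min(bridge_ids, key=parse_bridge_id)


@dataclass(frozen=True)
class PortView:
    """What one local port knows about its path to the root bridge."""
    name: str
    root_path_cost: int    # total cost to the root through this port
    sender_bridge_id: str  # bridge ID of the neighbour that sent the BPDU
    sender_port_id: tuple  # (port priority, port number) on that neighbour


# Comparison steps, in the order they are applied.
STEPS = ("root path cost", "sender bridge ID", "sender port ID")


def _key(port):
    return (
        port.root_path_cost,
        parse_bridge_id(port.sender_bridge_id),
        port.sender_port_id,
    )


def choose_root_port(ports):
    """Return (root port name, name of the comparison step that decided it)."""
    ranked = sorted(ports, key=_key)
    best = ranked[0]
    if len(ranked) == 1:
        return best.name, "only candidate"
    # Find the first step at which the winner differs from the runner-up.
    for step, a, b in zip(STEPS, _key(best), _key(ranked[1])):
        if a != b:
            return best.name, step
    return best.name, "full tie"


# Question 57 as data. Sender IDs are assumed: both uplinks are taken to
# face SW1 directly, on neighbour ports 1 and 2 with port priority 128.
Q57_BRIDGES = ["32768:0002.0002.0002", "32768:0001.0001.0001"]
Q57_PORTS = [
    PortView("Gi0/1", 4, "32768:0001.0001.0001", (128, 1)),
    PortView("Gi0/2", 19, "32768:0001.0001.0001", (128, 2)),
]

if __name__ == "__main__":
    print("root bridge:", elect_root(Q57_BRIDGES))
    print("root port:  ", choose_root_port(Q57_PORTS))
```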

63
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure and recover from a BPDU guard violation on a PortFast-enabled access port.

Why this order

PortFast and BPDU guard are configured first; violation is induced; recovery requires an interface shutdown/no shutdown; verification confirms the fix.

Exam trap

The trap is that candidates may confuse the order of configuration, violation, recovery, and verification. Remember that configuration always comes first, then the event, then recovery, then verification.

64
MCQmedium

Which spanning-tree port role receives the best BPDU toward the root bridge on a nonroot switch?

A.Designated port
B.Alternate port
C.Root port
D.Disabled port
Answer: C

Correct. The root port points toward the root bridge.

Why this answer

The root port is the port on a nonroot switch with the lowest path cost to the root bridge.

Exam trap

Be careful not to confuse port roles. Remember, the root port is specifically for receiving the best BPDU toward the root bridge, not for forwarding or redundancy.

Why the other options are wrong

A

The designated port is responsible for forwarding traffic to and from a network segment and does not receive the best BPDU toward the root bridge; instead, it sends BPDUs to other ports. Therefore, it cannot be the correct answer for identifying the port role that receives the best BPDU on a nonroot switch.

B

The alternate port does not receive the best BPDU toward the root bridge; instead, it serves as a backup path to the root bridge when the primary path fails. It is in a blocking state and does not forward traffic.

D

A Disabled port does not participate in the Spanning Tree Protocol (STP) and does not receive any BPDUs, making it incapable of receiving the best BPDU toward the root bridge.

65
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure spanning-tree protection features including BPDU Guard, Root Guard, and Loop Guard on a Cisco switch.

Why this order

The correct order is:

  1. Identify edge ports connected to end devices.
  2. Configure spanning-tree portfast on those interfaces.
  3. Enable BPDU Guard using the spanning-tree portfast bpduguard default global command.
  4. Identify ports connected to other switches that should never become the root bridge.
  5. Enable Root Guard on those interfaces with spanning-tree guard root.
  6. Identify point-to-point non-edge ports susceptible to unidirectional link failures.
  7. Enable Loop Guard on those interfaces with spanning-tree guard loop.

This sequence first secures edge ports with PortFast and BPDU Guard to prevent accidental network loops and BPDU-based attacks, then applies Root Guard on ports where a superior BPDU should never be received to protect the root bridge placement, and finally implements Loop Guard on non-edge point-to-point links to guard against unidirectional link failures that could cause bridging loops. Identifying the ports before applying configurations ensures proper placement of each protection mechanism.
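
A configuration audit for the edge-port part of this ordering, as an added example that is not part of the original question bank. It flags PortFast ports without BPDU Guard, BPDU Filter on an edge port, and BPDU Guard set on a trunk (the err-disable case from the distribution-switch question). The sample configuration is constructed, the finding names are hypothetical, and the parser assumes interface sub-commands are indented as in `show running-config` output.

```python
"""Audit a Cisco IOS configuration for the edge-port STP protections above."""

GLOBAL_BPDUGUARD = "spanning-tree portfast bpduguard default"

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree bpduguard enable
!
"""


def parse_interfaces(config):
    """Return (set of global commands, {interface name: set of sub-commands})."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank line or IOS comment/separator
        if not raw[0].isspace():          # unindented: a top-level command
            if line.lower().startswith("interface "):
                current = line.split(None, 1)[1]
                interfaces[current] = set()
            else:
                current = None
                global_cmds.add(line)
        elif current is not None:         # indented: belongs to the interface
            interfaces[current].add(line)
    return global_cmds, interfaces


def audit(config):
    """Return a list of (interface, finding) tuples in configuration order."""
    global_cmds, interfaces = parse_interfaces(config)
    guard_by_default = GLOBAL_BPDUGUARD in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        edge = "spanning-tree portfast" in cmds
        explicit_guard = "spanning-tree bpduguard enable" in cmds
        # The global default applies BPDU Guard to PortFast-enabled ports.
        guarded = explicit_guard or (edge and guard_by_default)
        if edge and not guarded:
            findings.append((name, "portfast-no-bpduguard"))
        if edge and "spanning-tree bpdufilter enable" in cmds:
            # BPDU Filter drops BPDUs silently instead of disabling the port.
            findings.append((name, "bpdufilter-on-edge"))
        if explicit_guard and "switchport mode trunk" in cmds:
            # A trunk to another switch expects BPDUs and would err-disable.
            findings.append((name, "bpduguard-on-trunk"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Root Guard and Loop Guard placement is not checked, because which ports face other switches cannot be read from the configuration text alone.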

66
Multi-Selectmedium

Which TWO of the following statements accurately describe the configuration and behavior of Root Guard, Loop Guard, and BPDU Guard in Rapid PVST+ environments?

Select 2 answers
A.Root Guard, when enabled on a port, prevents that port from becoming the root port by placing it in a root-inconsistent state if a superior BPDU is received.
B.Root Guard automatically shuts down the port when a superior BPDU is received, similar to BPDU Guard.
C.Loop Guard, when enabled, disables a port if BPDUs are no longer received on it, preventing a unidirectional link failure.
D.BPDU Guard, when enabled, puts the port in an errdisable state if a BPDU is received, which is typically used on access ports to prevent unauthorized switches from connecting.
E.BPDU Guard places the port in a blocking state (loop-inconsistent) when a BPDU is received, similar to Loop Guard.
Answers: A, D

Root Guard ensures the designated port does not become a root port. Upon receiving a superior BPDU, the port enters a root-inconsistent state, blocking traffic until the superior BPDUs stop.

Why this answer

Option A is correct because Root Guard prevents a port from becoming a root port by placing it in a root-inconsistent (blocking) state upon receiving a superior BPDU, protecting the root bridge placement. Option D is correct because BPDU Guard errdisables a port upon receiving a BPDU, a feature typically applied to access ports to block unauthorized switches. Option B is wrong: Root Guard does not shut down the port; it places it in a blocked state, unlike BPDU Guard's errdisable action.

Option C is wrong: Loop Guard does not disable a port when BPDUs stop being received; instead, it moves the port to a loop-inconsistent (blocking) state to guard against unidirectional link failures. Option E is wrong: BPDU Guard errdisables ports, whereas the loop-inconsistent blocking state is used by Loop Guard or Root Guard, not BPDU Guard.

Exam trap

Cisco often tests the distinction between 'shutdown' (errdisable) and 'blocking' (inconsistent state) — candidates confuse BPDU Guard's errdisable behavior with Root Guard's or Loop Guard's blocking behavior, leading them to incorrectly select Option B.

Why the other options are wrong

B

Root Guard does not shut down the port; it places the port in a root-inconsistent state, which effectively blocks traffic but does not disable the port. BPDU Guard, on the other hand, errdisables the port.

C

Loop Guard does not disable the port; it places the port into a loop-inconsistent state, blocking traffic on that port until BPDUs are received again. The port remains administratively up.

E

BPDU Guard errdisables the port, not just blocks it. Loop Guard uses a loop-inconsistent state, which is different from errdisable. BPDU Guard is a more severe reaction.

67
PBQ · hard

You are connected to a multilayer switch MLS1. The network has two other switches: SW2 and SW3. The interface GigabitEthernet0/1 already has PortFast and BPDU Guard enabled. Configure MLS1 as the root bridge for VLAN 10 and VLAN 20 using the root primary command. After configuration, verify that the interface is not in err-disabled state and that the root bridge role is correctly assigned.

Network Topology
[Topology diagram: MLS1 (multilayer switch), PC, SW2, SW3; interface labels Gi0/1, Gi0/2, Gi0/3]

Hints

  • Use 'spanning-tree vlan <vlan> root primary' to set the switch as root for specified VLANs.
  • Verify with 'show spanning-tree vlan <vlan>' to confirm root bridge priority is 24576.
  • Check interface status with 'show interfaces gigabitethernet 0/1 status' to ensure it is not err-disabled.
A. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
B. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root secondary' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
C. Configure 'spanning-tree vlan 10 priority 4096' and 'spanning-tree vlan 20 priority 4096' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
D. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' on MLS1. Then configure 'spanning-tree portfast default' and 'spanning-tree bpduguard default' globally. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
Answer: A
Solution
! MLS1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary

Why this answer

The interface Gi0/1 already has PortFast and BPDU Guard configured, so no additional configuration is needed for that step. Using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' sets the priority to 24576, ensuring MLS1 becomes root for both VLANs. Verify with 'show spanning-tree vlan 10' to see the priority changed and 'show interfaces gigabitEthernet0/1 status' to confirm the port is not err-disabled.

Exam trap

Do not confuse 'root primary' with 'root secondary' or manual priority settings. The 'root primary' command automatically sets the priority to 24576, which is the recommended value. Also, avoid adding unnecessary global commands when the interface already has the required features configured.

Why the other options are wrong

B

Using 'root secondary' for VLAN 20 sets priority to 28672, leaving MLS1 as backup root, not the primary root.

C

Manually setting priority to 4096 is valid but not the recommended method; 'root primary' is simpler and ensures proper value.

D

Global portfast and bpduguard are not required because the interface is already configured with those features; this adds unnecessary commands.

68
PBQ · hard

You are connected to R1, a multilayer switch with three directly connected switches. Configure Root Guard on the designated port to prevent an unauthorized switch from becoming root. Configure Loop Guard on the uplink to protect against unidirectional links. Configure BPDU Guard on all PortFast-enabled ports. Troubleshoot the scenario where a port receives a superior BPDU and is blocked by Root Guard, and another port goes err-disabled after BPDU Guard triggers.

Network Topology
[Topology diagram: R1, R2, SwitchA, SwitchB, SwitchC; labels Gi0/0, 10.0.0.0/30, Gi0/1, Gi0/2, Gi0/3]

Hints

  • Root Guard is configured per interface with 'spanning-tree guard root'.
  • Loop Guard is configured per interface with 'spanning-tree guard loop'.
  • BPDU Guard can be enabled per PortFast port with 'spanning-tree bpduguard enable'.
A. Configure Root Guard on Gi0/2, Loop Guard on Gi0/2, and BPDU Guard on Gi0/1 and Gi0/3.
B. Configure Root Guard on Gi0/1 and Gi0/3, Loop Guard on Gi0/2, and BPDU Guard on Gi0/2.
C. Configure Root Guard on Gi0/1, Loop Guard on Gi0/3, and BPDU Guard on Gi0/2.
D. Configure Root Guard on Gi0/3, Loop Guard on Gi0/1, and BPDU Guard on Gi0/2.
Answer: A
Solution
! R1
interface GigabitEthernet0/2
 spanning-tree guard root
 spanning-tree guard loop
 exit
interface GigabitEthernet0/1
 spanning-tree bpduguard enable
 exit
interface GigabitEthernet0/3
 spanning-tree bpduguard enable
 exit

Why this answer

The scenario requires three STP protection features. Root Guard should be applied on designated port Gi0/2 (uplink) to prevent an external switch from becoming root if it sends superior BPDUs. Loop Guard should be applied on the same uplink to protect against unidirectional link failure.

BPDU Guard must be enabled on all PortFast ports (Gi0/1 and Gi0/3) to immediately err-disable them if a BPDU is received. After configuration, if a superior BPDU arrives on Gi0/2, Root Guard will block it (root-inconsistent state). If a BPDU arrives on Gi0/1 or Gi0/3, BPDU Guard will put the port in err-disable state, requiring manual or automatic recovery.

Exam trap

Candidates often confuse where to apply each STP feature. Remember: Root Guard on designated ports (uplinks), Loop Guard on root or alternate ports (uplinks), BPDU Guard on PortFast ports (access ports). Also, Root Guard and Loop Guard can be applied on the same port, but BPDU Guard is exclusive to PortFast.

Why the other options are wrong

B

Root Guard is only effective on designated ports; applying it to access ports does not prevent an external switch from becoming root via the uplink. BPDU Guard on an uplink would err-disable it unnecessarily.

C

Root Guard on an access port does not protect against superior BPDUs from an external switch on the uplink. Loop Guard on an access port is unnecessary as unidirectional links typically affect trunk links.

D

Root Guard on an access port does not prevent an external switch from becoming root via the uplink. Loop Guard on an access port is not standard practice. BPDU Guard on the uplink would cause unnecessary err-disable.

69
PBQ · hard

You are connected to a multilayer switch MLS1. Configure Root Guard on the designated port facing another switch SW2 to prevent it from becoming root, configure Loop Guard on the uplink port to the core, and configure BPDU Guard on a PortFast-enabled access port. After configuration, a superior BPDU arrives on the designated port—confirm it is blocked by Root Guard. Then, simulate a BPDU on the access port to verify it goes err-disabled due to BPDU Guard.

Hints

  • Root Guard is configured per interface under the interface configuration mode.
  • Loop Guard uses the same command but with 'loop' keyword.
  • BPDU Guard on PortFast ports can be enabled globally or per interface; use per-interface for this task.
A. Root Guard on Gi0/2, Loop Guard on Gi0/1, BPDU Guard on Gi0/0
B. Root Guard on Gi0/1, Loop Guard on Gi0/2, BPDU Guard on Gi0/0
C. Root Guard on Gi0/0, Loop Guard on Gi0/1, BPDU Guard on Gi0/2
D. Root Guard on Gi0/2, Loop Guard on Gi0/0, BPDU Guard on Gi0/1
Answer: A
Solution
! MLS1
interface GigabitEthernet0/2
 spanning-tree guard root
 exit
interface GigabitEthernet0/1
 spanning-tree guard loop
 exit
interface GigabitEthernet0/0
 spanning-tree bpduguard enable
 exit

Why this answer

First, Root Guard was applied on Gi0/2 (the designated port) with 'spanning-tree guard root' to prevent SW2 from becoming root. Second, Loop Guard was applied on the uplink Gi0/1 with 'spanning-tree guard loop' to protect against unidirectional links. Third, BPDU Guard was applied on the PortFast-enabled access port Gi0/0 with 'spanning-tree bpduguard enable'.

When a superior BPDU arrives on Gi0/2, Root Guard transitions it to a root-inconsistent (blocked) state. If a BPDU is received on Gi0/0, BPDU Guard err-disables the port. Verification shows the blocked state on Gi0/2 and err-disabled on Gi0/0.

Exam trap

Do not confuse the purposes of Root Guard, Loop Guard, and BPDU Guard. Root Guard blocks superior BPDUs on designated ports; Loop Guard prevents loops on root/alternate ports; BPDU Guard err-disables PortFast ports upon BPDU reception. Pay attention to port roles: designated, root, and access.

Why the other options are wrong

B

Root Guard is intended for ports that should not become root; applying it on the uplink would block legitimate superior BPDUs from the core. Loop Guard on the designated port would not protect against unidirectional links on the uplink.

C

Root Guard on an access port is unnecessary and would not prevent the switch from becoming root via other ports. BPDU Guard on the designated port would disable it instead of blocking the BPDU.

D

Loop Guard on an access port does not protect against unidirectional links on the uplink. BPDU Guard on the uplink would err-disable the core connection if a BPDU is received, which is undesirable.

70
PBQ · hard

You are connected to switch SW1. The network uses Rapid-PVST+ and SW1 has been accidentally configured with a low spanning-tree priority, causing it to become the root bridge for VLAN 10 even though it should not be. Additionally, an edge port connected to a server is repeatedly receiving BPDUs, causing it to go into err-disabled state. Configure SW1 so that it is never the root bridge for VLAN 10, and configure the edge port so that it automatically recovers from err-disabled state after 300 seconds. Finally, verify that SW1 is not the root bridge for VLAN 10.

Network Topology
[Topology diagram: SW1, SW2, Server; interface labels Gi0/0, Gi0/0, Gi0/1]

Hints

  • To prevent a switch from becoming root, set its priority to a value higher than the current root's priority (e.g., 32768).
  • The errdisable recovery cause command enables automatic recovery; the interval command sets the timeout.
  • After configuration, verify with 'show spanning-tree vlan 10' that the bridge ID priority is not the lowest.
A. spanning-tree vlan 10 priority 36864; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
B. spanning-tree vlan 10 priority 4096; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
C. spanning-tree vlan 10 root secondary; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
D. spanning-tree vlan 10 priority 32768; errdisable recovery cause all; errdisable recovery interval 300; show spanning-tree vlan 10
Answer: A
Solution
! SW1
no spanning-tree vlan 10 priority 4096
spanning-tree vlan 10 priority 32768
errdisable recovery cause bpduguard
errdisable recovery interval 300

Why this answer

The issue is that SW1 has the spanning-tree priority for VLAN 10 set to 4096, which makes it the root bridge. To prevent this, you must set the priority higher than the current root bridge's priority (e.g., 32768 or higher). Additionally, the edge port (G0/1) is in err-disabled state because it received a BPDU while PortFast was enabled (BPDU Guard triggered).

To automatically recover from err-disabled, you need to configure errdisable recovery cause bpduguard and set the interval to 300 seconds. After configuration, verify with 'show spanning-tree vlan 10' that SW1 is no longer the root and 'show errdisable recovery' to confirm the recovery settings.

Exam trap

Students often confuse the priority values: lower priority is better to become root. To prevent a switch from becoming root, set its priority higher than the current root's. Also, remember that 'root secondary' sets a low priority (28672) and does not prevent root election.

For errdisable recovery, use the specific cause (bpduguard) rather than 'all'.

Why the other options are wrong

B

The priority 4096 is too low and would still result in SW1 being the root bridge.

C

The 'root secondary' command does not prevent the switch from becoming root; it only makes it the backup root.

D

Using 'cause all' is not the best practice; the requirement is to recover from bpduguard specifically.

71
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a Cisco switch interface, then recover after a BPDU violation.

Why this order

First enable PortFast to allow immediate transition to forwarding, then enable BPDU Guard to protect against BPDU reception. Recovery steps are configured last to automatically restore the port after a violation.

Exam trap

Do not confuse the order: PortFast must come before BPDU Guard. Also, recovery is configured last, not first. Remember that BPDU Guard requires PortFast to be enabled on the interface.

72
MCQ · hard

A switch should disable an edge port immediately if a BPDU is received on it. Which feature is intended for that specific behavior?

Answer: A

This is correct because BPDU Guard disables the edge port when a BPDU is received.

Why this answer

The feature is BPDU Guard. In plain language, the administrator is treating the port as an end-device-only edge interface and wants the switch to react aggressively if it ever sees spanning-tree control traffic there. BPDU Guard does exactly that: if a BPDU appears on a protected edge port, the switch places the interface into an err-disabled state to help prevent accidental loops or rogue switch connections.

This is different from root guard and loop guard, which solve other spanning-tree control problems. BPDU Guard is the specific answer when the requirement is “if you ever hear a BPDU here, shut the port down quickly.”

Exam trap

A common exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Candidates may incorrectly select Root Guard because it also deals with BPDUs, but Root Guard only blocks ports from becoming root ports and does not disable the port immediately. Loop Guard protects against unidirectional link failures and does not shut down ports upon BPDU receipt.

Another mistake is thinking UDLD handles BPDU protection; however, UDLD only detects unidirectional physical link failures and is unrelated to STP BPDU processing. Understanding that BPDU Guard uniquely disables edge ports upon BPDU detection is critical to avoid this trap.

Why the other options are wrong

B

Loop Guard is incorrect because it protects against unidirectional link failures by preventing a port from transitioning to forwarding when BPDUs stop, but it does not disable a port upon BPDU receipt.

C

Root Guard is incorrect because it prevents a port from becoming a root port by blocking superior BPDUs but does not disable the port immediately when a BPDU is received on an edge port.

D

UDLD is incorrect because it detects unidirectional physical link failures and does not interact with BPDU processing or disable ports based on BPDU reception.

73
PBQ · hard

You are connected to switch SW1. Configure Rapid-PVST+ so that SW1 becomes the root bridge for VLAN 10 and VLAN 20. On interface GigabitEthernet0/2, enable PortFast and BPDUGuard. Then, a BPDU is received on that port, causing err-disable. Diagnose the issue and recover the interface without rebooting the switch.

Hints

  • Use 'spanning-tree vlan <vlan> root primary' to set priority to 24576 or 24596.
  • BPDUGuard will err-disable the port if a BPDU is received; use 'errdisable recovery cause bpduguard' to auto-recover.
  • After recovery, the port may need a manual shutdown/no shutdown to clear the err-disable state.
A. Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'errdisable recovery cause bpduguard' to enable automatic recovery, or manually do 'shutdown' followed by 'no shutdown' on the interface.
B. Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'clear spanning-tree detected-protocols' on the interface.
C. Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'no spanning-tree bpduguard enable' on the interface, then re-enable it.
D. Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'reload' on the switch to reset all interfaces.
Answer: A
Solution
! SW1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary
interface GigabitEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
errdisable recovery cause bpduguard
interface GigabitEthernet0/2
 shutdown
 no shutdown

Why this answer

First, configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. Then, on interface Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard defaults to shutting down a port when a BPDU is received.

To recover, use 'errdisable recovery cause bpduguard' to allow automatic recovery or 'shutdown' followed by 'no shutdown' on the interface. The blocking port is Gi0/2 in VLAN 20 because the current root has a higher priority than SW1's configured priority, but since SW1 becomes root, all ports are designated.

Exam trap

The exam trap is that candidates may confuse the recovery method for BPDUGuard err-disable with other STP commands. Remember: BPDUGuard err-disables the port; to recover, use 'errdisable recovery cause bpduguard' or manual shutdown/no shutdown. Do not use 'clear spanning-tree detected-protocols' or remove BPDUGuard alone.

Why the other options are wrong

B

The specific factual error is that 'clear spanning-tree detected-protocols' does not recover err-disabled ports; it only re-initiates STP negotiations.

C

The specific factual error is that disabling BPDUGuard does not automatically bring the port back up; the err-disable state must be cleared separately.

D

The specific factual error is that reloading is overkill and not the recommended recovery method; it disrupts all traffic unnecessarily.

74
PBQ · hard

You are connected to a multilayer switch MLS1. The network has two other switches SW1 and SW2 forming a triangle topology. Currently, SW1 is the root bridge but it should be SW2. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/2 of MLS1, which connects to a host. Simulate a BPDU violation on that port and then recover the port from err-disabled state.

Network Topology
[Topology diagram: MLS1 (multilayer switch), SW1, SW2, Host; interface labels Gi0/0, Gi0/0, Gi0/1, Gi0/1, Gi0/2, Gi0/2, Gi0/2]

Hints

  • Check which switch is currently root and change the priority on MLS1 to allow SW2 to become root.
  • The err-disabled port needs to be re-enabled with 'no shutdown' after the cause is removed.
  • Ensure PortFast and BPDU Guard are configured on the edge port.
A. On MLS1, remove 'spanning-tree vlan 1 root primary' and set priority to 4096; on SW2, set priority to 0. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover with 'shutdown' then 'no shutdown'.
B. On MLS1, set priority to 0 to make it root; on SW2, set priority to 4096. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover by removing BPDU Guard.
C. On MLS1, remove 'spanning-tree vlan 1 root primary' and set priority to 4096; on SW2, set priority to 0. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover by reloading MLS1.
D. On MLS1, set priority to 0; on SW2, set priority to 4096. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover with 'no shutdown'.
Answer: A
Solution
! MLS1
configure terminal
no spanning-tree vlan 1 root primary
spanning-tree vlan 1 priority 4096
interface gigabitEthernet 0/2
 no shutdown

Why this answer

Currently, SW1 is the root bridge per the topology, but the goal is to make SW2 the root. On MLS1, removing the 'spanning-tree vlan 1 root primary' command and setting a higher priority (4096) ensures it does not interfere. On SW2, set priority to 0 to make it root.

On MLS1 Gi0/2, configure PortFast and BPDU Guard. If a BPDU is received, the port goes err-disabled; to recover, issue 'shutdown' then 'no shutdown' after resolving the BPDU source.

Exam trap

Trap: Candidates may forget that the root bridge is determined by lowest priority. They might set the wrong switch to lower priority or use incorrect recovery methods like reloading or removing BPDU Guard.

Why the other options are wrong

B

The specific factual error: Setting MLS1 priority to 0 makes it root, opposite of the requirement. Removing BPDU Guard does not recover the port; 'no shutdown' is needed.

C

The specific factual error: Reloading the switch is not the standard recovery for an err-disabled port; 'no shutdown' is the proper command.

D

The specific factual error: MLS1 should have a higher priority (e.g., 4096) and SW2 a lower priority (e.g., 0) to make SW2 root. The option does the opposite.

75
MCQ · hard

A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?

A. Alternate port
B. Root port
C. Designated port
D. Disabled port
Answer: B

Correct. Lowest-cost path to the root becomes the root port.

Why this answer

On a non-root switch, the port with the lowest path cost toward the root bridge becomes the root port. The higher-cost uplink would become an alternate (blocked) port. A designated port is found on the upstream switch toward this switch, not on the non-root switch itself.

A disabled port is administratively shut down, which does not apply here.

Exam trap

Remember, the root port is determined by the lowest path cost to the root bridge, not by any other criteria.

Why the other options are wrong

A

The higher-cost uplink becomes an alternate (blocked) port, not the lower-cost one.

C

A designated port exists on the upstream switch toward this switch, not on the non-root switch.

D

A disabled port is administratively shut down, not a port with a lower STP cost.
