CCNA STP Questions

76
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure BPDU Guard, Loop Guard, and Root Guard on a Cisco switch.

Why this order

The correct order starts by entering global configuration mode, then globally enabling PortFast on all access ports to allow immediate transition to forwarding state. BPDU Guard is then enabled globally on all PortFast-enabled ports to protect against unauthorized switches. Next, Loop Guard is enabled globally to prevent loops from unidirectional links.

Afterwards, the specific uplink interface is selected and Root Guard is applied to prevent a rogue switch from becoming the root bridge. This sequence follows Cisco best practices: apply fast convergence first, then protect the edge with BPDU Guard, apply loop prevention globally, and finally secure core links with Root Guard.

77
MCQ · hard

A switch port connected to an end host is configured with both PortFast and BPDU Guard. What is the most likely outcome if a small switch is connected there and starts sending BPDUs?

A. The port is error-disabled by BPDU Guard.
B. The port automatically becomes the root port.
C. The port converts into a trunk for the attached switch.
D. The port ignores the BPDU because PortFast disables STP entirely.
Answer: A

This is correct because BPDU Guard disables the edge port when a BPDU is received.

Why this answer

BPDU Guard places the port into an error-disabled state upon receiving a BPDU, because PortFast defines the port as an edge port that should never receive BPDUs. Option B is incorrect because receiving a BPDU does not automatically make a port a root port; root port selection depends on bridge ID and path cost, and BPDU Guard prevents further STP processing by disabling the port. Option C is incorrect because a port cannot convert to a trunk solely by receiving a BPDU; trunking requires manual configuration or Dynamic Trunking Protocol (DTP).

Option D is incorrect because PortFast does not disable STP entirely; it only speeds up initial convergence, and BPDU Guard actively responds to BPDUs by error-disabling the port.

Exam trap

Remember, BPDU Guard is about protection, not ignoring or processing BPDUs. It disables the port to prevent loops.

Why the other options are wrong

B

This option is wrong because a port configured with PortFast and BPDU Guard will not automatically become the root port when it receives BPDUs; instead, it will be error-disabled due to BPDU Guard's protective mechanism.

C

This option is incorrect because a port configured with PortFast and BPDU Guard does not convert to a trunk when receiving BPDUs; instead, BPDU Guard will disable the port to prevent potential loops.

D

This option is incorrect because PortFast does not disable Spanning Tree Protocol (STP) entirely; it only allows the port to transition to the forwarding state immediately without waiting for STP convergence. BPDU Guard will still take effect if BPDUs are received on a PortFast-enabled port.

78
Multi-Select · medium

Which three of the following are functions of the Spanning Tree Protocol (STP) in a switched network? (Choose three.)

A. STP prevents loops by placing redundant ports into a blocking state, leaving only one active path between any two network segments.
B. STP elects a root bridge based on the lowest bridge ID (priority + MAC address).
C. STP ensures that all ports on a non-root bridge eventually become root ports.
D. STP uses BPDUs to exchange topology information between switches.
E. STP automatically load-balances traffic across all redundant links equally.
F. STP transitions a port from blocking to forwarding immediately after the Max Age timer expires.

Why this answer

STP prevents loops by placing redundant ports into a blocking state, ensuring only one active logical path exists between any two network segments (option A). It elects a root bridge based on the lowest bridge ID (priority + MAC address) to serve as the reference for all path calculations (option B). STP uses Bridge Protocol Data Units (BPDUs) to exchange topology information between switches (option D).

Option C is false because only one port per non-root bridge becomes the root port; the others are designated or alternate/blocking ports. Option E is false because STP does not load-balance; it blocks redundant links to prevent loops, and load-balancing requires techniques like EtherChannel or Multiple Spanning Tree. Option F is false because after Max Age expires, a port transitions from blocking to listening, then learning, and finally forwarding (each with its own timer); it does not transition immediately to forwarding.

Exam trap

Cisco often tests the misconception that STP makes all ports on a non-root bridge become root ports, when in fact only one port per bridge is elected as the root port, and the rest become designated or alternate/blocking ports.

79
MCQ · hard

A network engineer notices that an uplink port on a distribution switch has moved to a root-inconsistent state and is blocking traffic. The port is configured with Root Guard and is connected to a new access switch. The new access switch has a lower bridge priority than the current root bridge. What is the most likely cause?

A. BPDU Guard has errdisabled the port because a BPDU was received on an access port.
B. BPDU Filter is blocking inbound BPDUs, causing the switch to fail to detect the topology change and isolate the port.
C. Root Guard has placed the port into root-inconsistent state because the new switch advertised a superior BPDU.
D. Loop Guard has detected a unidirectional link and placed the port in a blocking state to prevent a loop.
Answer: C

Root Guard is designed to prevent the port from becoming a root port. Upon receiving a superior BPDU (lower bridge ID), it places the port in root-inconsistent state, effectively blocking traffic. This directly matches the symptom described.

Why this answer

The port moved to root-inconsistent because Root Guard is enabled. Root Guard detects superior BPDUs (lower bridge ID) and immediately places the port in a broken state (root-inconsistent) to prevent the new switch from becoming the root bridge, thereby blocking traffic. This matches the symptom perfectly.

Other features would manifest differently.

Exam trap

Option A (BPDU Guard) is the most common trap because both BPDU Guard and Root Guard react to BPDUs, but BPDU Guard errdisables the port when any BPDU is received, not specifically causing a root-inconsistent state. Candidates often confuse these two features.

Why the other options are wrong

A

Candidates mistakenly equate BPDU Guard with any BPDU-induced blocking, but the state 'root-inconsistent' is specific to Root Guard.

B

Candidates may think that filtering BPDUs leads to port isolation, but BPDU Filter would not trigger a protective state like root-inconsistent.

D

Candidates often confuse Loop Guard and Root Guard because both can cause inconsistent states, but Loop Guard triggers loop-inconsistent, not root-inconsistent, and is triggered by BPDU loss, not receipt of superior BPDUs.

80
MCQ · hard

After connecting a new switch to interface GigabitEthernet1/0/1 on a distribution switch, a network engineer notices that the interface is in err-disable state. The engineer checks the configuration and finds that 'spanning-tree portfast' and 'spanning-tree bpduguard enable' are applied to the interface. What is the most likely cause of the err-disable state?

A. BPDU Guard was incorrectly enabled on a port that should be a trunk link.
B. The connected switch is sending BPDUs with a lower bridge priority.
C. Spanning-tree PortFast is enabled on a port that connects to another switch.
D. The port is configured as an access port, but should be a trunk.
Answer: C

PortFast skips the listening and learning STP states and is designed for end hosts. When combined with BPDU Guard, the switch was instructed to disable the port upon receiving any BPDU. The downstream switch naturally sends BPDUs, causing BPDU Guard to react and place the port in err-disable. Removing PortFast (and leaving BPDU Guard alone, or disabling BPDU Guard on that link) would resolve the issue.

Why this answer

Option C is correct because PortFast is designed for end-host ports that should not receive BPDUs. When PortFast is enabled on a port connecting to another switch, the switch will immediately transition the port to forwarding state, but if it then receives a BPDU from the connected switch, BPDU Guard will error-disable the port. This is the most common cause of err-disable state when both PortFast and BPDU Guard are configured on an inter-switch link.

Exam trap

Cisco often tests the misconception that BPDU Guard alone causes err-disable, but the trap here is that PortFast must be enabled for BPDU Guard to trigger err-disable on a port receiving BPDUs from another switch.

Why the other options are wrong

A

Candidates often associate BPDU Guard exclusively with access ports and assume configuring it on a trunk is itself a misconfiguration, overlooking that PortFast is the real culprit.

B

Students may confuse root bridge placement with BPDU Guard operation, thinking that a BPDU from a superior switch might cause a port to be disabled, when in fact BPDU Guard is content-agnostic.

D

Candidates may think that because a link between switches should be a trunk, the access mode misconfiguration is the root cause. However, they miss the fact that BPDU Guard acts on the BPDU regardless of the port mode, and the real misconfiguration is PortFast.

81
MCQ · hard

A switch should automatically disable any access port that receives a BPDU from an attached device. Which feature directly provides that behavior?

Answer: C

BPDU Guard disables an edge port if it receives a BPDU.

Why this answer

BPDU Guard is designed for edge ports that should never see BPDUs. If a BPDU arrives, the port is placed into an err-disabled state to protect the topology. Root Guard and Loop Guard solve different STP problems.

Exam trap

A common exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Candidates may incorrectly select Root Guard because it involves BPDUs and port blocking, but Root Guard only prevents a port from becoming a root port and does not err-disable the port. Loop Guard is often mistaken as it protects against unidirectional link failures but does not disable ports on BPDU receipt.

The key distinction is that BPDU Guard immediately disables the port upon receiving any BPDU, which is the behavior the question describes. Misunderstanding these differences can lead to incorrect answers.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port if superior BPDUs are received, maintaining the root bridge position, but it does not err-disable the port upon BPDU receipt. Therefore, it does not fulfill the requirement to disable access ports that receive BPDUs.

B

Loop Guard protects against unidirectional link failures by preventing a port from transitioning to forwarding state if BPDUs stop arriving on non-designated ports. It does not disable ports upon receiving BPDUs, so it does not meet the behavior described in the question.

D

PortFast is a feature that allows ports to transition quickly to forwarding state, bypassing the usual STP listening and learning states. It does not disable ports upon receiving BPDUs and therefore does not provide the behavior described.

82
PBQ · hard

You are connected to SW1. The network has three switches (SW1, SW2, SW3) running Rapid-PVST+. SW1 should be the root bridge for VLAN 10. PortFast and BPDU Guard must be enabled on all edge ports connected to end hosts. An err-disabled port (G0/1) has occurred due to a BPDU violation on an edge port. Recover the port and ensure it is configured correctly to prevent recurrence.

Network Topology
[Topology diagram: SW1, SW2, SW3 and Host; interface labels Gi0/0, Gi0/1, Gi0/2]

Hints

  • The port is in err-disabled state. You need to manually recover it by cycling the interface.
  • After recovery, verify the port is forwarding and still has PortFast and BPDU Guard enabled.
  • If the err-disabled condition recurs, the connected device may be sending BPDUs; consider removing BPDU Guard from that port if it is not truly an edge port.
A. Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree bpduguard disable' on the interface.
B. Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable' on the interface.
C. Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree guard root' on the interface.
D. Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then verify that the connected device is not a switch or remove it from the network.
Answer: D
Solution
! SW1
configure terminal
interface gigabitEthernet 0/1
shutdown
no shutdown
end

Why this answer

The port Gi0/1 is in err-disabled state because BPDU Guard disabled it after receiving a BPDU on a PortFast edge port. First, shut down the interface and then re-enable it with 'no shutdown' to recover from err-disabled. However, to prevent recurrence, the root cause must be addressed: the connected device (likely another switch) should not be sending BPDUs on an edge port.

BPDU Guard could be removed from that port with 'spanning-tree bpduguard disable' if it is not truly an edge port, but the task requires PortFast and BPDU Guard on edge ports. The correct fix is therefore to ensure that the downstream device sends no BPDUs: recover the port, then verify that the connected device is not a switch (or remove it from the topology).

Exam trap

The exam trap is that candidates may focus on recovering the port (shutdown/no shutdown) but forget to address why the BPDU was received. Simply re-enabling BPDU Guard or reapplying PortFast will not prevent recurrence. The key is to ensure the connected device is not sending BPDUs, either by removing it or reclassifying the port.

Why the other options are wrong

A

The specific factual error is that BPDU Guard should not be disabled on a port that is supposed to be an edge port with BPDU Guard enabled.

B

The specific factual error is that simply re-enabling the same features does not prevent recurrence; the source of BPDUs must be removed or the port must be reconfigured as a non-edge port.

C

The specific factual error is that Root Guard and BPDU Guard serve different purposes; Root Guard does not stop BPDU Guard from disabling the port.

83
PBQ · hard

You are connected to SW1 via the console. The network has three switches connected in a triangle: SW1 (G0/1 to SW2 G0/1), SW1 (G0/2 to SW3 G0/1), and SW2 (G0/2 to SW3 G0/2). SW1 is the root bridge. A PC is connected to SW3's G0/3 port, which should be an edge port. However, the PC has been sending BPDUs, causing the port to go err-disabled. Configure SW3 to prevent this in the future: enable PortFast and BPDU Guard on G0/3. Then, verify that the port recovers from err-disabled state and that a specific blocked port on SW2 is identified. Use the provided show output to determine the current state and necessary commands.

Network Topology
[Topology diagram: SW1, SW2, SW3 and a PC; link labels: G0/1 to SW2 G0/1, G0/2 to SW3 G0/2, G0/3 to PC]

Hints

  • The err-disabled port must be manually recovered with shutdown/no shutdown.
  • PortFast is configured at the interface level.
  • BPDU Guard is also configured at the interface level using 'spanning-tree bpduguard enable'.
A. interface g0/3; spanning-tree portfast; spanning-tree bpduguard enable; shutdown; no shutdown
B. interface g0/3; spanning-tree portfast; spanning-tree bpduguard enable; no shutdown
C. interface g0/3; spanning-tree portfast; spanning-tree bpduguard enable; end; copy running-config startup-config
D. interface g0/3; spanning-tree portfast; spanning-tree bpduguard enable; shutdown
Answer: A
Solution
! SW3
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable
shutdown
no shutdown

Why this answer

The PC connected to SW3's G0/3 was sending BPDUs, causing the port to go err-disabled due to BPDU Guard. To prevent this, enable PortFast and BPDU Guard on that interface. First, move to interface configuration mode for G0/3, then issue 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.

After configuration, the port will remain err-disabled until manually recovered by issuing 'shutdown' followed by 'no shutdown'. The blocked port on SW2 is G0/2, as shown by the 'Altn BLK' role/status in its spanning-tree output.

Exam trap

A common trap is forgetting that err-disabled ports require a manual shutdown/no shutdown cycle to recover. Simply enabling BPDU Guard or saving the configuration does not restore the port. Always remember to reset the interface after correcting the cause.

Why the other options are wrong

B

The err-disabled state requires a manual interface reset (shutdown followed by no shutdown) to recover; a single 'no shutdown' command is insufficient.

C

Saving the configuration preserves the settings but does not affect the current operational state of the interface; the port stays err-disabled.

D

The shutdown command disables the interface but does not automatically re-enable it; the err-disabled state is cleared only after a shutdown/no shutdown cycle.

84
PBQ · hard

You are connected to a multilayer switch MLSW1. PortFast and BPDU Guard have already been enabled on interface GigabitEthernet0/1, which connects to an end device, and a BPDU received on that interface placed it in the err-disabled state. Configure Rapid PVST+ so that MLSW1 becomes the root bridge for VLAN 10 with a priority of 4096. Recover the interface by re-enabling it. Finally, verify which port is blocking on VLAN 10 by connecting to MLSW2 and executing the appropriate show command.

Network Topology
[Topology diagram: MLSW1, MLSW2, MLSW3 and a PC; link labels: G0/1 to PC, G0/2 to MLSW3 G0/1, G0/2 to MLSW1 G0/3]

Hints

  • Check the current root priority and adjust with 'spanning-tree vlan <vlan> priority <value>'.
  • An err-disabled interface can be recovered by administrative shutdown and no shutdown.
  • Look at the spanning-tree topology to find which port is blocking; it will be in 'ALT' role with 'BLK' state.
A. spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; shutdown; no shutdown; show spanning-tree vlan 10
B. spanning-tree vlan 10 root primary; interface GigabitEthernet0/1; no shutdown; show spanning-tree vlan 10
C. spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; no shutdown; show interfaces status
D. spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; shutdown; no shutdown; show running-config
Answer: A
Solution
! MLSW1
spanning-tree vlan 10 priority 4096
interface gigabitEthernet 0/1
shutdown
no shutdown

Why this answer

The correct solution sets the spanning-tree priority for VLAN 10 to 4096 on MLSW1, ensuring it becomes the root bridge. PortFast and BPDU Guard are already configured on G0/1, which caused the interface to go err-disabled when a BPDU was received. To recover, you must issue the 'shutdown' followed by 'no shutdown' commands on the interface.

Because MLSW1 is the root bridge, it has no blocking ports; the blocking port (alternate) will be seen on a downstream switch like MLSW2. Therefore, verification must be done on MLSW2 using 'show spanning-tree vlan 10' to view the alternate blocking port. Option A correctly includes all required steps.

Option B uses 'root primary' (priority 24576) instead of the specified 4096, lacks the recovery commands, and verifies on the wrong device. Option C omits the err-disabled recovery and uses the wrong verification command. Option D also verifies with 'show running-config', which does not display STP port roles.

Exam trap

Remember that 'spanning-tree vlan <vlan> root primary' sets priority to 24576, not a custom value. Also, err-disabled recovery requires a shutdown followed by no shutdown. Always use 'show spanning-tree vlan <vlan>' to verify port roles, not 'show interfaces status' or 'show running-config'.

Why the other options are wrong

B

The specific factual error: 'root primary' sets priority to 24576, not 4096. Also, err-disabled recovery requires a shutdown followed by no shutdown.

C

The specific factual error: err-disabled recovery requires a shutdown before no shutdown. 'show interfaces status' does not display STP port roles.

D

The specific factual error: 'show running-config' does not display STP port roles or blocking status.

85
MCQ · medium

Why is PortFast typically enabled on switch ports connected to end devices?

A. To let end-device ports reach forwarding state more quickly
B. To make access ports participate in OSPF
C. To convert all access ports into trunks
D. To disable Ethernet addressing on PCs
Answer: A

This is correct because PortFast speeds transition to forwarding on suitable edge ports.

Why this answer

PortFast is enabled so access ports connected to end devices can move to forwarding more quickly instead of waiting through the normal spanning-tree listening and learning transitions. In plain language, it helps a user’s PC, printer, or similar endpoint start communicating sooner after the link comes up. That can reduce delays at startup and prevent certain device timeout problems.

PortFast is not intended as a loop-prevention mechanism by itself, and it should not normally be used carelessly on links to other switches. That is why it is commonly paired with BPDU Guard on edge ports. The correct answer is the one focused on faster transition for end-device access links rather than on unrelated routing or VLAN functions.

Exam trap

Do not confuse PortFast with disabling spanning-tree or improving routing; it specifically speeds up access port transitions.

Why the other options are wrong

B

This option is incorrect because PortFast does not enable access ports to participate in OSPF; OSPF is a routing protocol that requires Layer 3 interfaces, while PortFast is a feature for Layer 2 switch ports.

C

This option is wrong because PortFast does not convert access ports into trunk ports; it is designed to bypass the Spanning Tree Protocol (STP) listening and learning states to allow end devices to connect more quickly.

D

Disabling Ethernet addressing on PCs is not related to the function of PortFast, which is designed to expedite the transition of switch ports to the forwarding state. PortFast does not alter how Ethernet addressing operates on connected devices.

86
PBQ · hard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on port GigabitEthernet0/1 (designated port) to protect against superior BPDUs from an unauthorized switch, Loop Guard on uplink GigabitEthernet0/2 to prevent forwarding loops on unidirectional links, and BPDU Guard on PortFast-enabled GigabitEthernet0/3 to shut down the port if a BPDU is received. After configuration, troubleshoot the scenario: a superior BPDU is received on G0/1, causing it to be blocked by Root Guard, and an unauthorized switch sends a BPDU to G0/3, placing it in err-disable state. Verify the final configuration and state.

Network Topology
[Topology diagram: R1, AccessSwitch, CoreSwitch and Server; interface labels G0/1, G0/2, G0/3]

Hints

  • Root Guard is configured with 'spanning-tree guard root' on the interface that should never become a non-designated port. It will block the port if a superior BPDU is received.
  • Loop Guard is enabled with 'spanning-tree guard loop' on interfaces where BPDU loss could cause a loop. It prevents the port from transitioning to forwarding if BPDUs stop.
  • BPDU Guard is configured with 'spanning-tree bpduguard enable' on PortFast ports. Any BPDU received will error-disable the port, requiring manual recovery with 'shutdown' followed by 'no shutdown'.
A. [CORRECT] Root Guard on G0/1 is correctly configured; when a superior BPDU is received, the port is placed into a root-inconsistent state (BKN* in show spanning-tree) to prevent the switch from becoming root. Loop Guard on G0/2 prevents loops if BPDUs stop arriving due to a unidirectional link. BPDU Guard on G0/3, combined with PortFast, err-disables the port upon receiving any BPDU, as shown by the err-disabled status. To recover, the administrator must manually re-enable the interface after removing the offending device. No additional configuration is required; the existing commands are correct and produce the expected behavior.
B. Root Guard on G0/1 is incorrectly configured; it should be configured on the root port, not the designated port. Loop Guard on G0/2 is correctly configured. BPDU Guard on G0/3 is correctly configured, but the port should automatically recover from err-disable state after a timeout.
C. Root Guard on G0/1 is correctly configured. Loop Guard on G0/2 is incorrectly configured because Loop Guard should be applied to root ports, not uplink ports. BPDU Guard on G0/3 is correctly configured, but the port should be in a blocking state, not err-disabled.
D. Root Guard on G0/1 is correctly configured. Loop Guard on G0/2 is correctly configured. BPDU Guard on G0/3 is incorrectly configured because BPDU Guard should be applied to trunk ports, not access ports, and the port should be placed in a root-inconsistent state.
Answer: A
Solution
! R1
interface GigabitEthernet0/1
spanning-tree guard root
interface GigabitEthernet0/2
spanning-tree guard loop
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

The scenario demonstrates three STP protection mechanisms. Root Guard on G0/1 is correctly configured; when a superior BPDU is received, the port is placed into a root-inconsistent state (BKN* in show spanning-tree) to prevent the switch from becoming root. Loop Guard on G0/2 prevents loops if BPDUs stop arriving due to a unidirectional link.

BPDU Guard on G0/3, combined with PortFast, err-disables the port upon receiving any BPDU, as shown by the err-disabled status. To recover, the administrator must manually re-enable the interface after removing the offending device. No additional configuration is required; the existing commands are correct and produce the expected behavior.

Exam trap

Watch out for confusion between Root Guard and BPDU Guard states: Root Guard causes root-inconsistent (BKN*), while BPDU Guard causes err-disable. Also, remember Root Guard is for designated ports, not root ports. Loop Guard can be applied to any port expecting BPDUs, not just root ports.

Why the other options are wrong

B

The specific factual error: Root Guard is applied to designated ports, not root ports. BPDU Guard does not auto-recover by default.

C

The specific factual error: Loop Guard is not restricted to root ports; it can be used on any port where BPDUs are expected. BPDU Guard results in err-disable, not blocking.

D

The specific factual error: BPDU Guard is not limited to access ports; it works on any PortFast-enabled port. The state is err-disable, not root-inconsistent.
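
A configuration audit for the protections configured above, as an added example (not from the original page or from Cisco): it reads an indented running-config, resolves interface commands against the global defaults, and reports PortFast ports left without BPDU Guard. The sample configuration is constructed, and judging a port's mode from its static 'switchport mode' line is a simplifying assumption.

```python
import re

# Constructed sample running-config (not from the page); interface numbers are illustrative.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree loopguard default
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree guard root
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
"""


def parse_config(text):
    """Split an indented IOS-style config into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip().replace("portfast edge", "portfast")  # newer spelling
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():  # indented: belongs to the open interface block
            if current is not None:
                interfaces[current].append(line)
            continue
        match = re.match(r"interface\s+(\S+)", line)
        current = match.group(1) if match else None
        if match:
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def effective_state(global_lines, lines):
    """Resolve PortFast, BPDU Guard and guard mode for one interface,
    letting interface-level commands override the global defaults."""
    trunk = "switchport mode trunk" in lines  # assumption: static mode only
    if "spanning-tree portfast disable" in lines:
        portfast = False
    elif "spanning-tree portfast trunk" in lines:
        portfast = True
    elif "spanning-tree portfast" in lines:
        portfast = not trunk
    else:
        portfast = not trunk and "spanning-tree portfast default" in global_lines

    if "spanning-tree bpduguard enable" in lines:
        bpduguard = True
    elif "spanning-tree bpduguard disable" in lines:
        bpduguard = False
    else:  # the global default only covers ports operating as PortFast ports
        bpduguard = portfast and "spanning-tree portfast bpduguard default" in global_lines

    guard = "loop" if "spanning-tree loopguard default" in global_lines else "none"
    for line in lines:
        match = re.fullmatch(r"spanning-tree guard (root|loop|none)", line)
        if match:
            guard = match.group(1)
    return {"portfast": portfast, "bpduguard": bpduguard, "guard": guard}


def audit(text):
    """Return (interface, finding) pairs for edge ports left without BPDU Guard."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for name, lines in interfaces.items():
        state = effective_state(global_lines, lines)
        if state["portfast"] and not state["bpduguard"]:
            reason = ("BPDU Guard explicitly disabled"
                      if "spanning-tree bpduguard disable" in lines
                      else "PortFast without BPDU Guard")
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

Adding the global command 'spanning-tree portfast bpduguard default' clears the finding on GigabitEthernet0/4 but not on GigabitEthernet0/5, where the interface-level 'spanning-tree bpduguard disable' overrides the default.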

87
PBQ · hard

You are connected to R1, a Catalyst 3650 multilayer switch running IOS-XE. Configure Root Guard on all designated ports, Loop Guard on uplink interfaces, and BPDU Guard on all PortFast-enabled ports. Troubleshoot the current issue: one port is receiving a superior BPDU and is being blocked by Root Guard, and a different PortFast port has gone err-disabled after BPDU Guard triggered. Verify that Root Guard is active on port Gi1/0/1, Loop Guard is active on Gi1/0/2, and BPDU Guard is enabled on Gi1/0/3.

Network Topology
[Topology diagram: R1, R2, Core Switch and Host; interface labels Gi1/0/1, Gi1/0/2, Gi1/0/3]

Hints

  • Root Guard should be on the port that is designated, not receiving superior BPDUs.
  • Loop Guard should be on the port that is a root port or alternate root port.
  • An err-disabled port must be manually recovered with shutdown/no shutdown.
A. Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, BPDU Guard on Gi1/0/3.
B. Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, BPDU Guard on Gi1/0/3.
C. Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/1, Loop Guard on Gi1/0/2, BPDU Guard on Gi1/0/3.
D. Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/2, BPDU Guard on Gi1/0/3.
Answer: A
Solution
! R1
interface GigabitEthernet1/0/1
no spanning-tree guard root
spanning-tree guard loop
interface GigabitEthernet1/0/2
no spanning-tree guard loop
spanning-tree guard root
interface GigabitEthernet1/0/3
shutdown
no shutdown

Why this answer

The network requires Root Guard on designated ports, Loop Guard on uplink (root/alternate) ports, and BPDU Guard on PortFast ports. Gi1/0/1 is receiving a superior BPDU and being blocked by Root Guard, indicating Root Guard is misapplied to a non-designated port; it should be moved to the designated port Gi1/0/2. Loop Guard belongs on the uplink port Gi1/0/1, not Gi1/0/2, so the configuration is swapped.

The PortFast port Gi1/0/3 experienced a BPDU Guard violation and is err-disabled; recovering it requires a shutdown followed by a no shutdown command, not just no shutdown. Finally, verification must confirm the correct new placement: Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, and BPDU Guard on Gi1/0/3.

Exam trap

Be careful not to confuse the purpose of Root Guard and Loop Guard. Root Guard is for designated ports, Loop Guard is for root/alternate ports. Also, remember that an err-disabled port requires a shutdown/no shutdown sequence to recover, not just no shutdown.

Why the other options are wrong

B

Issuing only 'no shutdown' will not recover an interface from the err-disabled state caused by BPDU Guard; it must be administratively shut down first with 'shutdown', then re-enabled with 'no shutdown'.

C

The verification step checks Root Guard on Gi1/0/1 and Loop Guard on Gi1/0/2, which is the original incorrect configuration before the swap; after the fix, Root Guard should be on Gi1/0/2 and Loop Guard on Gi1/0/1.

D

The verification step incorrectly states that Loop Guard is active on Gi1/0/2. After swapping the configurations, Loop Guard is now on Gi1/0/1, not Gi1/0/2, so this option validates the wrong port.

88
MCQ · hard

A network engineer notices that a new switch, SW3, was connected to port GigabitEthernet0/1 on SW1, but the port immediately went into an err-disabled state. The network uses Rapid PVST+ with BPDU Guard enabled globally on all access ports. The engineer checks the logs and sees 'bpduguard error detected' messages. What is the most likely cause of the err-disabled state?

A. The port is configured as an access port, but BPDU Guard should be disabled on all access ports.
B. A BPDU was received on port GigabitEthernet0/1, triggering BPDU Guard.
C. Configure Root Guard on the interface to prevent the err-disabled state.
D. Enable Loop Guard on the interface to prevent the err-disabled state.
Answer: B

BPDU Guard err-disables a port immediately when a BPDU is received on an access port where it is enabled, which is exactly the scenario described.

Why this answer

The err-disabled state is caused by BPDU Guard triggering when a BPDU is received on an access port. Option A is incorrect because BPDU Guard is intentionally enabled on access ports to prevent unauthorized switches from joining the network. Option C is wrong because Root Guard prevents a port from becoming the root, not from receiving BPDUs.

Option D is wrong because Loop Guard prevents loops on blocked ports in case of unidirectional links, not relevant to BPDU reception.

Exam trap

Cisco often tests the confusion between BPDU Guard, Root Guard, and Loop Guard; candidates may incorrectly attribute the err-disable to Root Guard or Loop Guard, but the true cause is receiving a BPDU on a BPDU-Guard-enabled port.

Why the other options are wrong

A

BPDU Guard is designed to be enabled on access ports to protect against unauthorized switches, so disabling it on all access ports would defeat its purpose.

C

Root Guard prevents a port from becoming the root bridge, but does not block BPDU reception that causes err-disable with BPDU Guard.

D

Loop Guard detects and prevents loops on blocked ports due to unidirectional links, not related to the BPDU Guard err-disable mechanism.

89
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and to recover a port that enters err-disabled due to a BPDU guard violation.


Why this order

Configure Root Guard on designated ports, Loop Guard on non-designated ports, then BPDU Guard on PortFast ports; recovering after a violation requires resetting the interface.

Exam trap

Candidates often confuse the port roles for Root Guard and Loop Guard, or think that disabling the protection feature will recover an err-disabled port. Remember: Root Guard is for designated ports, Loop Guard for non-designated, and BPDU Guard for PortFast. Err-disabled recovery requires manual reset or global errdisable recovery configuration.

90
MCQhard

A port connected to an end host is configured with PortFast and BPDU Guard. What is the most likely result if a small unmanaged switch is connected and starts sending BPDUs?

A.The port is error-disabled by BPDU Guard.
B.The port automatically becomes the root port.
C.The port is converted into a trunk.
D.The port ignores the BPDU because PortFast disables STP entirely.
AnswerA

This is correct because BPDU Guard disables an edge port when it receives a BPDU.

Why this answer

The most likely result is that the port is placed into an err-disabled state by BPDU Guard. In practical terms, PortFast tells the switch to treat the interface like an edge port for a normal endpoint, which is why it starts forwarding quickly. BPDU Guard protects that assumption. If the port suddenly receives a spanning-tree BPDU, the switch treats that as a sign that the port is no longer connected to a simple end device.

This combination is common in enterprise access-layer design because it improves user startup time while still protecting the topology. The correct answer is the one that describes the port being shut down automatically when BPDUs appear unexpectedly.

Exam trap

Remember: BPDU Guard disables the port; it doesn't use spanning-tree states like blocking or learning.

Why the other options are wrong

B

This option is wrong because a port configured with PortFast and BPDU Guard will not automatically become the root port when it receives BPDUs; instead, it will be error-disabled due to BPDU Guard's protection mechanism.

C

This option is wrong because a port configured with PortFast does not automatically convert to a trunk port when it receives BPDUs; instead, it remains in access mode. BPDU Guard will cause the port to be error-disabled upon receiving BPDUs, preventing any trunking behavior.

D

This option is wrong because PortFast does not disable Spanning Tree Protocol (STP) entirely; it merely allows the port to transition to the forwarding state immediately without participating in STP calculations. BPDUs are still processed, and BPDU Guard will take action if they are received.

91
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure Root Guard on a designated port, Loop Guard on a non-designated port, and BPDU Guard on a PortFast port, along with the recovery steps when a port enters err-disabled state.


Why this order

The order follows the logical sequence: enter config mode, then configure each guard feature on its respective port, and finally set the errdisable recovery to automatically re-enable ports after a BPDU Guard violation.

Exam trap

The trap is that candidates may think the order of configuring the guards is arbitrary, but the question explicitly requires a specific sequence. Pay close attention to the order in which features are listed in the stem.

92
MCQmedium

An engineer wants users to get fast link-up on access ports but also wants the switch to disable a port if another switch is connected and sends BPDUs. Which combination of features best meets that requirement?

C.Root Guard and VTP pruning
D.Port security and CDP
AnswerA

Correct. PortFast provides fast host connectivity, and BPDU Guard protects the port by shutting it down if BPDUs are received from a connected switch.

Why this answer

PortFast and BPDU Guard are the classic edge-port combination for this requirement. PortFast helps a user-facing interface begin forwarding quickly so a PC or phone does not wait through the normal spanning-tree transition delay. BPDU Guard adds protection by monitoring that same port for BPDUs.

If a switch is accidentally or intentionally connected and starts participating in spanning tree, BPDU Guard reacts by disabling the port to protect the Layer 2 topology. In plain language, users get quick connectivity when the port is used correctly, but the network still protects itself against someone plugging in a switch where only an endpoint should exist. That is exactly what the requirement asks for.

Exam trap

Avoid confusing BPDU Guard with other guard features like Root Guard or Loop Guard, which serve different purposes.

Why the other options are wrong

B

DHCP snooping and DAI (Dynamic ARP Inspection) do not address the requirement of disabling a port upon receiving BPDUs; they focus on protecting against rogue DHCP servers and ARP spoofing, respectively.

C

Root Guard and VTP pruning do not address the requirement of quickly enabling access ports and disabling them upon receiving BPDUs. Root Guard is used to prevent a port from becoming a root port, while VTP pruning optimizes VLAN traffic, neither of which directly manage port states based on BPDU reception.

D

Port security and CDP do not provide the necessary functionality to disable a port when BPDUs are received. Port security can limit the number of MAC addresses but does not specifically address BPDU handling.

93
MCQhard

A network engineer notices that after adding a new switch to the network, a different switch unexpectedly becomes the STP root bridge, disrupting all VLANs. The new switch has the default priority (32768) but has a lower MAC address than all existing switches. What is the most likely cause?

A.The new switch is running PVST+ while the existing switches use Rapid PVST+
B.Root Guard is enabled on the new switch’s uplink ports facing the existing root
C.The existing root bridge has a bridge priority lower than the default value of 32768
D.The new switch was added with a bridge priority of 4096
AnswerC

If the existing root bridge’s priority is less than 32768 (e.g., 4096 or 0), its Bridge ID is lower than the new switch’s default 32768 + lower MAC. STP always elects the switch with the lowest Bridge ID as the root bridge. Thus, despite the new switch’s lower MAC, the manually lowered priority keeps the existing switch as root.

Why this answer

In STP, bridge priority is the primary parameter for root election. If the existing root bridge has a bridge priority lower than the default 32768, it will have a lower Bridge ID regardless of its MAC address, so it remains the root. The new switch’s lower MAC would only win if all bridge priorities are equal (default).

This explains why a different switch becomes root even though the new one has a lower MAC.

Exam trap

Many candidates focus solely on the MAC address tie-breaker and forget that bridge priority is compared first. They may also confuse root guard functionality—root guard prevents a port from becoming a root port, but does not cause another switch to become the root.

Why the other options are wrong

A

Candidates may think that STP version incompatibility disrupts root election, but both versions use the same BPDU format and root election rules.

B

Candidates often associate Root Guard with preventing a switch from becoming the root. However, it does not cause another switch to become root; it just protects the network from unexpected superior BPDUs.

D

Candidates may confuse the symptom and think that a low priority on the new switch causes the problem, but this would make the new switch the root, not another switch.

94
PBQeasy

You are connected to SW1, a Layer 2 switch. The network administrator wants to prevent unauthorized switches from being connected to access ports. Port G0/1 is an access port in VLAN 10. You need to configure BPDU Guard on this port to protect against STP loops caused by rogue switches. Additionally, enable PortFast for immediate transition to forwarding.

Hints

  • PortFast should be applied to access ports to reduce STP convergence time.
  • BPDU Guard disables the port if a BPDU is received.
  • Both commands are under the interface configuration.
A.SW1(config-if)# spanning-tree portfast SW1(config-if)# spanning-tree bpduguard enable
B.SW1(config)# spanning-tree portfast default SW1(config)# spanning-tree bpduguard default
C.SW1(config-if)# spanning-tree portfast SW1(config-if)# spanning-tree guard root
D.SW1(config-if)# spanning-tree portfast SW1(config-if)# spanning-tree bpduguard disable
AnswerA
solution
! SW1
interface GigabitEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

PortFast allows an access port to skip STP listening/learning and transition immediately to forwarding. BPDU Guard protects against STP loops by error-disabling the port if a BPDU is received, which would indicate an unauthorized switch connection.

Exam trap

Be careful to distinguish between interface-level and global commands for PortFast and BPDU Guard. Also, remember that BPDU Guard uses 'bpduguard enable' (not 'disable') and is different from Root Guard ('guard root').

Why the other options are wrong

B

The specific factual error is that global commands affect all ports, not a single interface.

C

The specific factual error is confusing Root Guard with BPDU Guard; they serve different purposes.

D

The specific factual error is using the 'disable' keyword instead of 'enable' to activate BPDU Guard.

95
MCQeasy

Which STP port state on a classic 802.1D switch listens for BPDUs and prepares to participate in the topology, but does not yet learn MAC addresses?

A.Listening
B.Learning
C.Forwarding
D.Disabled
AnswerA

Listening comes before learning and does not yet learn MACs.

Why this answer

In classic STP, the listening state processes BPDUs and waits before learning begins. The learning state is when the switch starts populating the MAC table.

Exam trap

Do not confuse the listening state with the learning state; remember that listening involves BPDU processing without MAC address learning.

How to eliminate wrong answers

Eliminate 'Learning' because it involves MAC address table updates. 'Blocking' can be ruled out as it does not prepare to forward traffic. 'Forwarding' is incorrect because it involves active data transmission and MAC learning. 'Listening' is correct as it processes BPDUs without learning MAC addresses.

96
PBQhard

You are connected to the multilayer switch SW1. Configure Root Guard on the designated port towards the access switch SW2, Loop Guard on the uplink port towards the distribution switch SW3, and BPDU Guard on the PortFast-enabled port connected to a workstation. After configuration, a superior BPDU is received on the designated port, causing it to be blocked by Root Guard. Later, a BPDU is received on the PortFast port, triggering err-disable state. Identify and resolve these issues.

Network Topology
Devices: SW1, SW2, SW3, Workstation
Link labels: Gi0/0 192.168.1.1/24, Gi0/0 192.168.1.2/24; Gi0/1 10.10.10.1/30, Gi0/1 10.10.10.2/30; Gi0/2 172.16.1.1/24

Hints

  • Root Guard should only be placed on ports that are not expected to receive superior BPDUs — check if Gi0/0 is a designated port.
  • A port err-disabled by BPDU Guard requires manual intervention: shutdown/no shutdown.
  • Loop Guard is correctly applied to the trunk uplink; no changes needed there.
A.Remove Root Guard from interface Gi0/0 and re-enable interface Gi0/2 with a shutdown/no shutdown sequence.
B.Disable BPDU Guard on interface Gi0/2 and increase the root bridge priority on SW1 to prevent superior BPDUs.
C.Apply Root Guard to interface Gi0/2 instead of Gi0/0 and configure Loop Guard on Gi0/0.
D.Remove Loop Guard from interface Gi0/1 and configure it on Gi0/0 instead, then re-enable Gi0/2 using the 'errdisable recovery cause bpduguard' command.
AnswerA
solution
! SW1
interface GigabitEthernet0/0
no spanning-tree guard root
end
configure terminal
interface GigabitEthernet0/2
shutdown
no shutdown
end

Why this answer

The issue is that Root Guard was incorrectly applied to the designated port (Gi0/0) which should normally be the root port if a superior BPDU is received. Root Guard blocks the port when a superior BPDU arrives, but this is expected on a designated port; instead, Root Guard should be applied to ports that should never become root ports. In this scenario, the superior BPDU is legitimate (from a root bridge with lower priority), so Root Guard should be removed from Gi0/0.

For the PortFast port (Gi0/2), BPDU Guard correctly err-disabled the port upon receiving a BPDU, indicating an unauthorized switch connection. To restore the port, you must shut/no shut the interface and then investigate why a BPDU was received. The solution involves removing Root Guard from Gi0/0 and re-enabling Gi0/2 after verifying the connecting device.

Exam trap

Do not confuse the purpose of Root Guard (to prevent a port from becoming root port) with BPDU Guard (to protect PortFast ports). Root Guard should be applied to ports that should never be root ports, not to designated ports that may legitimately receive superior BPDUs. Also, remember that err-disable ports require manual intervention or errdisable recovery configuration.

Why the other options are wrong

B

The specific factual error is that BPDU Guard should remain enabled on PortFast ports, and changing root bridge priority does not address the Root Guard misapplication.

C

The specific factual error is that Root Guard is not appropriate for PortFast ports, and Loop Guard is already correctly placed on the uplink port.

D

The specific factual error is that Loop Guard is already correctly placed, and automatic recovery does not replace the need to investigate the unauthorized BPDU on Gi0/2.

97
MCQhard

Refer to the exhibit. An engineer configured PortFast on interface GigabitEthernet0/1, which connects to a server that does not participate in spanning tree. However, the port remains in the listening state for the full forward delay period before transitioning to forwarding. The engineer issues the show spanning-tree vlan 10 detail command. Based on the output, what is the most likely cause?

A.The port is configured as a trunk, so PortFast is not active.
B.BPDU Guard is enabled on the port, causing it to block.
C.The forward delay timer is set too high, and PortFast cannot override it.
D.The server is sending BPDUs, causing the port to lose its PortFast state.
AnswerA

PortFast is only effective on access ports. The exhibit shows ‘Edge port: no (default) portfast: no (default)’ despite the engineer enabling PortFast, indicating the port is operating as a trunk (or not an access port). Therefore, PortFast has no effect and the normal STP listening/learning states apply.

Why this answer

The exhibit shows that GigabitEthernet0/1 is in ‘listening’ state with a forward delay timer of 12 seconds, and the lines ‘Edge port: no (default) portfast: no (default)’ indicate that PortFast is disabled. PortFast only takes effect on access ports; since the port is configured as a trunk (implied by PortFast showing as disabled despite the engineer’s configuration), it does not skip listening/learning. The port is not in err-disabled state (no BPDU Guard block), and no BPDUs have been received (BPDU: received 0), ruling out other options.

Exam trap

Candidates often assume that the forward delay timer always causes slow convergence, but PortFast bypasses that timer entirely on access ports. Here, PortFast is disabled, so the timer runs normally, but the root cause is that PortFast is not active due to the port being a trunk.

Why the other options are wrong

B

The port is not in an err-disabled state; BPDU Guard causes the port to be shut down, not to stay in listening.

C

Misunderstanding that PortFast bypasses timers completely on access ports; the high forward delay is irrelevant if PortFast were active.

D

The assumption that the server is sending BPDUs is contradicted by the output showing zero BPDUs received.

98
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure and recover from a BPDU guard violation on a PortFast-enabled access port in RSTP.


Why this order

Configure PortFast and BPDU guard on the access port. Then trigger a violation by connecting an unauthorized switch, which causes the port to error-disable. Diagnose by checking the error-disabled status.

To recover, first remove the offending device, then cycle the port with shutdown and no shutdown; otherwise the port will immediately go error-disabled again.

Exam trap

Do not confuse the order: configuration must precede the violation. Also, recovery requires removing the rogue switch before bouncing the interface; failing to do so will cause the port to trip again.

99
MCQeasy

Which STP role identifies the port on a non-root switch that has the best path back to the root bridge?

A.Designated port
B.Root port
C.Alternate port
D.Disabled port
AnswerB

That is the correct STP role.

Why this answer

The root port is the single port on a non-root switch that provides the lowest-cost path toward the root bridge. Designated ports forward away from the root for a segment, and alternate ports are backup paths.

Exam trap

A frequent exam trap is mistaking the designated port for the root port. While both forward traffic, the designated port is selected per LAN segment to forward frames away from the root bridge, not necessarily providing the best path back to the root. Another trap is confusing the alternate port with the root port; alternate ports are backup paths kept in blocking state and do not forward traffic unless the root port fails.

Candidates often overlook that the root port is unique per non-root switch and always represents the lowest-cost path to the root bridge, which is the key to answering this question correctly.

Why the other options are wrong

A

Designated ports are selected for each LAN segment to forward traffic away from the root bridge, but they do not represent the best path back to the root bridge on a non-root switch. Therefore, this option is incorrect.

C

Alternate ports serve as backup paths and remain in a blocking state unless the root port fails. They do not identify the best path back to the root bridge, so this option is incorrect.

D

Disabled ports do not participate in STP forwarding or path selection and are not related to identifying the best path back to the root bridge, making this option incorrect.

100
PBQhard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on port GigabitEthernet0/1 (designated port) to protect against superior BPDUs from an unauthorized switch, Loop Guard on uplink GigabitEthernet0/2 to prevent loops, and BPDU Guard on PortFast-enabled GigabitEthernet0/3. After configuration, a superior BPDU arrives on G0/1, blocking the port; verify the Root Guard state and ensure BPDU Guard triggers err-disable on G0/3.

Network Topology
Devices: R1, Access Switch, Core Switch, End Device
Port labels: G0/1: designated port; G0/2: uplink; G0/3: PortFast

Hints

  • Root Guard is applied on ports that should never become root; use 'spanning-tree guard root'.
  • Loop Guard prevents alternate or root ports from becoming designated when BPDUs stop; use 'spanning-tree guard loop' on uplinks.
  • BPDU Guard combined with PortFast err-disables a port upon BPDU reception; enable with 'spanning-tree bpduguard enable' under the interface.
A.G0/1 is in root-inconsistent state; G0/3 is in err-disabled state.
B.G0/1 is in blocking state; G0/3 is in err-disabled state.
C.G0/1 is in root-inconsistent state; G0/3 is in blocking state.
D.G0/1 is in err-disabled state; G0/3 is in root-inconsistent state.
AnswerA
solution
! R1
interface GigabitEthernet0/1
spanning-tree guard root
interface GigabitEthernet0/2
spanning-tree guard loop
interface GigabitEthernet0/3
spanning-tree bpduguard enable

Why this answer

Root Guard is needed on the designated port (G0/1) to prevent an unauthorized switch from becoming root by sending superior BPDUs. Loop Guard on the uplink (G0/2) prevents loops if BPDUs stop arriving. BPDU Guard on PortFast ports (G0/3) immediately err-disables them upon BPDU reception.

The configuration uses 'spanning-tree guard root' on G0/1, 'spanning-tree guard loop' on G0/2, and 'spanning-tree bpduguard enable' on G0/3. Verification shows G0/1 blocked by root-inconsistent state and G0/3 in err-disabled state.

Exam trap

Do not confuse the states caused by Root Guard (root-inconsistent) and BPDU Guard (err-disable). Also, remember that Root Guard is applied to designated ports, not root or alternate ports.

Why the other options are wrong

B

Root Guard uses a specific 'root-inconsistent' state, not the generic 'blocking' state.

C

BPDU Guard triggers err-disable, not blocking. Blocking is an STP state, not an error state.

D

Root Guard and BPDU Guard have different effects: root-inconsistent vs. err-disable. Mixing them up is a common error.

101
PBQhard

You are connected to switch SW1 via console. The network uses Rapid-PVST+ and you need to ensure that SW1 becomes the root bridge for VLANs 10 and 20. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/2, which connects to an end host. Finally, diagnose why interface GigabitEthernet0/3 is in err-disabled state and bring it back operational.

Hints

  • PortFast and BPDU Guard are configured under the interface.
  • Err-disabled recovery often requires a manual shutdown/no shutdown.
  • Check the errdisable cause with 'show interfaces Gi0/3' to understand the specific issue.
A.Configure SW1 with spanning-tree vlan 10,20 priority 4096, enable PortFast and BPDU Guard on Gi0/2, and recover Gi0/3 by identifying the cause and using shutdown/no shutdown.
B.Set SW1's priority to 0 for VLANs 10 and 20, enable PortFast on Gi0/2, and recover Gi0/3 by reloading the switch.
C.Configure SW1 with spanning-tree vlan 10,20 root primary, enable PortFast and BPDU Guard globally, and recover Gi0/3 by using the 'errdisable recovery cause all' command.
D.Set SW1's priority to 8192 for VLANs 10 and 20, enable PortFast on Gi0/2, and recover Gi0/3 by removing and reinserting the cable.
AnswerA
solution
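! SW1
! Root bridge for VLANs 10 and 20 (global configuration mode)
spanning-tree vlan 10,20 priority 4096
! Edge port to the end host
interface GigabitEthernet0/2
spanning-tree portfast
spanning-tree bpduguard enable
exit
! Bounce the err-disabled port once the cause has been identified
interface GigabitEthernet0/3
shutdown
no shutdown
exit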

Why this answer

To make SW1 the root bridge for VLANs 10 and 20, configure 'spanning-tree vlan 10,20 priority 4096' (a valid multiple of 4096). Interface Gi0/2 connects to an end host, so enable PortFast with 'spanning-tree portfast' and BPDU Guard with 'spanning-tree bpduguard enable' under the interface to protect against accidental BPDU reception. Gi0/3 is in err-disabled state.

Common causes include a port-security violation, UDLD misconfiguration, or a loopback detection. To recover, identify the cause with 'show interfaces status err-disabled', then administratively shut and no shut the interface. Option A correctly accomplishes these tasks.

Option B uses an invalid priority value (0) and reloading the switch is unnecessary. Option C configures 'root primary', which sets priority to 24576 but not 4096, and globally enabling PortFast and BPDU Guard is not recommended; also 'errdisable recovery cause all' might recover the port automatically but does not address the root cause. Option D uses priority 8192 (too high) and physical cable manipulation is not a valid recovery method.

Exam trap

Watch out for common mistakes: using invalid priority values (like 0), relying on 'root primary' which dynamically adjusts priority, forgetting BPDU Guard on edge ports, and attempting physical recovery instead of CLI commands. Always verify priority is a multiple of 4096 and that err-disable recovery uses administrative actions.

Why the other options are wrong

B

The specific factual error: Priority 0 is not a valid STP priority value; valid values are 0-61440 in increments of 4096, but 0 is reserved and not used in Cisco IOS. Also, reloading is not the recommended recovery for err-disable.

C

The specific factual error: 'root primary' does not set a fixed priority; it adjusts dynamically. Global PortFast and BPDU Guard can cause issues on trunk ports. 'errdisable recovery cause all' only enables automatic recovery after a timeout, not immediate recovery.

D

The specific factual error: Priority 8192 does not guarantee root bridge status if another switch has a lower priority. BPDU Guard is required on edge ports. Cable reseating does not clear err-disable state.

102
MCQhard

A Layer 2 switch port connected to an end host should move to forwarding quickly but also shut down if a BPDU is received. Which pair of features best supports that design?

AnswerA

This is correct because PortFast speeds edge-port forwarding and BPDU Guard disables the port if a BPDU is received.

Why this answer

PortFast and BPDU Guard are the right pair. In plain language, PortFast makes an edge port usable quickly for a real end device, while BPDU Guard protects that same port by shutting it down if spanning-tree control traffic appears unexpectedly.

This is a classic access-layer design. PortFast improves usability, and BPDU Guard improves safety. The best answer combines both functions.

Exam trap

Be careful not to confuse BPDU Guard with Root Guard or Loop Guard, as they serve different purposes in spanning tree protection.

Why the other options are wrong

B

Root Guard and UDLD do not directly address the requirement for a port to quickly transition to forwarding while shutting down upon receiving a BPDU. Root Guard is used to prevent a port from becoming a root port, while UDLD is for detecting unidirectional links.

C

Loop Guard and native VLAN do not directly address the requirement for a port to quickly transition to forwarding while shutting down upon receiving a BPDU. Loop Guard is designed to prevent loops by keeping a port in a loop-inconsistent state, and native VLAN is related to VLAN tagging, not port state management.

D

Port security and EtherChannel do not directly address the need for a switch port to quickly transition to forwarding mode while also shutting down upon receiving a BPDU. Port security focuses on limiting MAC addresses and EtherChannel is used for link aggregation, neither of which fulfill the specific requirements of this question.

103
MCQmedium

Exhibit: A user reports intermittent connectivity after a new switch was connected to an access port. Which feature would have prevented this by immediately disabling the port when a BPDU was received?

AnswerC

BPDU Guard is the standard protection for PortFast access ports.

Why this answer

BPDU Guard is the correct answer because it protects PortFast-enabled edge ports by immediately disabling the port upon receiving a BPDU, preventing accidental loops. Root Guard prevents the port from becoming a root port, not from BPDU reception. Loop Guard prevents alternate or root ports from becoming designated due to BPDU loss, unrelated to BPDU reception disabling.

UDLD detects unidirectional links but does not disable ports upon BPDU reception.

Exam trap

Be cautious not to confuse BPDU Guard with other guard features like Root Guard or Loop Guard, which serve different purposes.

Why the other options are wrong

A

Root Guard prevents a port from being elected as root port, not from receiving BPDUs on an access port.

B

Loop Guard prevents loops caused by BPDU loss on blocked ports, not from BPDU reception on access ports.

D

UDLD detects unidirectional links but does not disable a port when a BPDU is received.

104
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a switch interface, then verify and recover after a BPDU guard error-disable event.


Why this order

The order is global config, interface, PortFast, BPDU Guard, then verification; recovery after a BPDU guard event requires clearing the error-disable state by cycling the interface.

Exam trap

Candidates often confuse the order of PortFast and BPDU Guard, or use incorrect verification commands like 'show running-config'. Remember: PortFast first, then BPDU Guard. Verification is 'show spanning-tree interface <int> detail'.

Recovery is interface cycle, not global commands or reload.
