Question 1,004 of 2,015
Spanning Tree ProtocolhardMultiple ChoiceObjective-mapped

Quick Answer

The correct configuration is to set the spanning-tree priority to 61440 on the access switch and enable Root Guard on its uplink ports. Setting the priority to 61440, the highest possible value, ensures the switch will never become the root bridge for any VLAN, even if the current distribution-layer roots fail, because its bridge ID will always be inferior in the election process. Enabling Root Guard on the uplink ports prevents any unauthorized switch from becoming root by placing the port into a root-inconsistent state if a superior BPDU is received, thereby protecting the existing root bridge topology. On the ENCOR 350-401 exam, this question tests your understanding of STP manipulation and security mechanisms; a common trap is to assume that simply lowering the priority or using BPDU Guard alone is sufficient, but BPDU Guard only protects against unexpected BPDUs on access ports, not against a superior BPDU on a trunk. Remember the memory tip: “61440 keeps you low, Root Guard keeps you safe.”

CCNP Spanning Tree Protocol Practice Question

This 350-401 practice question tests your understanding of spanning tree protocol. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An engineer is configuring a new access switch that connects to two distribution switches via trunk links. The distribution switches are configured with Rapid PVST+ and are both running as root bridges for different VLANs. The engineer wants to ensure that the access switch does not become the root bridge for any VLAN, even if the distribution switches fail. The engineer also wants to prevent any unauthorized switch from becoming root. What configuration should the engineer apply on the access switch?

Question 1hardmultiple choice
Open the full VLAN trunking answer →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports.

Option A is correct because setting the spanning-tree priority to 61440 (the highest possible value) ensures the access switch will never become the root bridge, even if the current root bridges fail. Enabling Root Guard on the uplink ports prevents any unauthorized switch from becoming root by placing the port into a root-inconsistent state if a superior BPDU is received, thus protecting the root bridge election.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports.

    Why this is correct

    Correct because setting the priority to 61440 ensures the switch will not become root, and Root Guard on uplinks prevents any superior BPDUs from making the switch root.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Configure 'spanning-tree vlan 1-4094 priority 0' and enable BPDU Guard on the uplink ports.

    Why it's wrong here

    Incorrect because priority 0 makes the switch likely to become root, and BPDU Guard would disable the uplink ports if BPDUs are received, causing loss of connectivity.

  • Configure 'spanning-tree vlan 1-4094 priority 4096' and enable Loop Guard on the uplink ports.

    Why it's wrong here

    Incorrect because priority 4096 is low and could allow the switch to become root if distribution switches fail; Loop Guard does not prevent root bridge election.

  • Configure 'spanning-tree vlan 1-4094 priority 61440' and enable BPDU Guard on the uplink ports.

    Why it's wrong here

    Incorrect because BPDU Guard would disable the uplink ports upon receiving BPDUs, which is not desired on trunk links.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between Root Guard and BPDU Guard, where candidates mistakenly apply BPDU Guard (which shuts down ports receiving any BPDU) instead of Root Guard (which specifically protects the root bridge election) on trunk links.

Detailed technical explanation

How to think about this question

The spanning-tree bridge priority is a 4-bit value (0-61440 in increments of 4096) that determines root bridge election; the lowest priority wins. Root Guard works by monitoring incoming BPDUs on a port and if a superior BPDU (indicating a better root) is received, the port is moved to a root-inconsistent state (blocking) until the superior BPDUs stop, effectively enforcing the current root bridge. In a real-world scenario, an attacker could connect a switch with a lower priority to become root and disrupt traffic; Root Guard on uplinks to distribution switches mitigates this without requiring manual priority changes on every VLAN.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 350-401 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 350-401 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 350-401 question test?

Spanning Tree Protocol — This question tests Spanning Tree Protocol — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports. — Option A is correct because setting the spanning-tree priority to 61440 (the highest possible value) ensures the access switch will never become the root bridge, even if the current root bridges fail. Enabling Root Guard on the uplink ports prevents any unauthorized switch from becoming root by placing the port into a root-inconsistent state if a superior BPDU is received, thus protecting the root bridge election.

What should I do if I get this 350-401 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on 350-401

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A network engineer is configuring a new switch that will be used as an access layer switch. The switch connects to two distribution switches via trunk links. The engineer wants to ensure that the access switch does not become the root bridge for any VLAN. The engineer also wants to provide redundancy so that if one uplink fails, the other uplink takes over quickly. The engineer is using Rapid PVST+. What configuration should the engineer apply on the access switch?

easy
  • A.Configure 'spanning-tree vlan vlan-list priority 61440' on the access switch.
  • B.Configure 'spanning-tree vlan vlan-list priority 0' on the access switch.
  • C.Enable UplinkFast on the access switch to provide fast failover.
  • D.Enable PortFast on the trunk ports to speed up convergence.

Why A: Option A is correct because setting the spanning-tree priority to 61440 (which is 0xF000 in hex) makes the switch a very unlikely root bridge candidate. In Rapid PVST+, the bridge priority is a 4-bit value (0-15) multiplied by 4096, so 61440 corresponds to priority 15 — the highest possible value. This ensures the access switch will never become the root bridge for any VLAN, while Rapid PVST+ provides fast failover (sub-second convergence) via its alternate/backup port mechanism without needing UplinkFast.

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 350-401 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-401 exam.