- A
Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports.
Correct because setting the priority to 61440 ensures the switch will not become root, and Root Guard on uplinks prevents any superior BPDUs from making the switch root.
- B
Configure 'spanning-tree vlan 1-4094 priority 0' and enable BPDU Guard on the uplink ports.
Why wrong: Incorrect because priority 0 makes the switch likely to become root, and BPDU Guard would disable the uplink ports if BPDUs are received, causing loss of connectivity.
- C
Configure 'spanning-tree vlan 1-4094 priority 4096' and enable Loop Guard on the uplink ports.
Why wrong: Incorrect because priority 4096 is low and could allow the switch to become root if distribution switches fail; Loop Guard does not prevent root bridge election.
- D
Configure 'spanning-tree vlan 1-4094 priority 61440' and enable BPDU Guard on the uplink ports.
Why wrong: Incorrect because BPDU Guard would disable the uplink ports upon receiving BPDUs, which is not desired on trunk links.
Quick Answer
The correct configuration is to set the spanning-tree priority to 61440 on the access switch and enable Root Guard on its uplink ports. Setting the priority to 61440, the highest possible value, ensures the switch will never become the root bridge for any VLAN, even if the current distribution-layer roots fail, because its bridge ID will always be inferior in the election process. Enabling Root Guard on the uplink ports prevents any unauthorized switch from becoming root by placing the port into a root-inconsistent state if a superior BPDU is received, thereby protecting the existing root bridge topology. On the ENCOR 350-401 exam, this question tests your understanding of STP manipulation and security mechanisms; a common trap is to assume that simply lowering the priority or using BPDU Guard alone is sufficient, but BPDU Guard only protects against unexpected BPDUs on access ports, not against a superior BPDU on a trunk. Remember the memory tip: “61440 keeps you low, Root Guard keeps you safe.”
CCNP Spanning Tree Protocol Practice Question
This 350-401 practice question tests your understanding of spanning tree protocol. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
An engineer is configuring a new access switch that connects to two distribution switches via trunk links. The distribution switches are configured with Rapid PVST+ and are both running as root bridges for different VLANs. The engineer wants to ensure that the access switch does not become the root bridge for any VLAN, even if the distribution switches fail. The engineer also wants to prevent any unauthorized switch from becoming root. What configuration should the engineer apply on the access switch?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports.
Option A is correct because setting the spanning-tree priority to 61440 (the highest possible value) ensures the access switch will never become the root bridge, even if the current root bridges fail. Enabling Root Guard on the uplink ports prevents any unauthorized switch from becoming root by placing the port into a root-inconsistent state if a superior BPDU is received, thus protecting the root bridge election.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports.
Why this is correct
Correct because setting the priority to 61440 ensures the switch will not become root, and Root Guard on uplinks prevents any superior BPDUs from making the switch root.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Configure 'spanning-tree vlan 1-4094 priority 0' and enable BPDU Guard on the uplink ports.
Why it's wrong here
Incorrect because priority 0 makes the switch likely to become root, and BPDU Guard would disable the uplink ports if BPDUs are received, causing loss of connectivity.
- ✗
Configure 'spanning-tree vlan 1-4094 priority 4096' and enable Loop Guard on the uplink ports.
Why it's wrong here
Incorrect because priority 4096 is low and could allow the switch to become root if distribution switches fail; Loop Guard does not prevent root bridge election.
- ✗
Configure 'spanning-tree vlan 1-4094 priority 61440' and enable BPDU Guard on the uplink ports.
Why it's wrong here
Incorrect because BPDU Guard would disable the uplink ports upon receiving BPDUs, which is not desired on trunk links.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the distinction between Root Guard and BPDU Guard, where candidates mistakenly apply BPDU Guard (which shuts down ports receiving any BPDU) instead of Root Guard (which specifically protects the root bridge election) on trunk links.
Detailed technical explanation
How to think about this question
The spanning-tree bridge priority is a 4-bit value (0-61440 in increments of 4096) that determines root bridge election; the lowest priority wins. Root Guard works by monitoring incoming BPDUs on a port and if a superior BPDU (indicating a better root) is received, the port is moved to a root-inconsistent state (blocking) until the superior BPDUs stop, effectively enforcing the current root bridge. In a real-world scenario, an attacker could connect a switch with a lower priority to become root and disrupt traffic; Root Guard on uplinks to distribution switches mitigates this without requiring manual priority changes on every VLAN.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Spanning Tree Protocol — study guide chapter
Learn the concepts, then practise the questions
- →
Spanning Tree Protocol practice questions
Targeted practice on this topic area only
- →
All 350-401 questions
2,015 questions across all exam domains
- →
ENCOR 350-401 study guide
Full concept coverage aligned to exam objectives
- →
350-401 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related 350-401 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Architecture practice questions
Practise 350-401 questions linked to Architecture.
Enterprise Network Design practice questions
Practise 350-401 questions linked to Enterprise Network Design.
SD-Access Architecture practice questions
Practise 350-401 questions linked to SD-Access Architecture.
SD-WAN Architecture practice questions
Practise 350-401 questions linked to SD-WAN Architecture.
QoS Architecture practice questions
Practise 350-401 questions linked to QoS Architecture.
Virtualization practice questions
Practise 350-401 questions linked to Virtualization.
Network Function Virtualization practice questions
Practise 350-401 questions linked to Network Function Virtualization.
Virtual Machines and Hypervisors practice questions
Practise 350-401 questions linked to Virtual Machines and Hypervisors.
VRF and Path Isolation practice questions
Practise 350-401 questions linked to VRF and Path Isolation.
Infrastructure practice questions
Practise 350-401 questions linked to Infrastructure.
OSPF practice questions
Practise 350-401 questions linked to OSPF.
BGP practice questions
Practise 350-401 questions linked to BGP.
Practice this exam
Start a free 350-401 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this 350-401 question test?
Spanning Tree Protocol — This question tests Spanning Tree Protocol — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports. — Option A is correct because setting the spanning-tree priority to 61440 (the highest possible value) ensures the access switch will never become the root bridge, even if the current root bridges fail. Enabling Root Guard on the uplink ports prevents any unauthorized switch from becoming root by placing the port into a root-inconsistent state if a superior BPDU is received, thus protecting the root bridge election.
What should I do if I get this 350-401 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
1 more ways this is tested on 350-401
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A network engineer is configuring a new switch that will be used as an access layer switch. The switch connects to two distribution switches via trunk links. The engineer wants to ensure that the access switch does not become the root bridge for any VLAN. The engineer also wants to provide redundancy so that if one uplink fails, the other uplink takes over quickly. The engineer is using Rapid PVST+. What configuration should the engineer apply on the access switch?
easy- ✓ A.Configure 'spanning-tree vlan vlan-list priority 61440' on the access switch.
- B.Configure 'spanning-tree vlan vlan-list priority 0' on the access switch.
- C.Enable UplinkFast on the access switch to provide fast failover.
- D.Enable PortFast on the trunk ports to speed up convergence.
Why A: Option A is correct because setting the spanning-tree priority to 61440 (which is 0xF000 in hex) makes the switch a very unlikely root bridge candidate. In Rapid PVST+, the bridge priority is a 4-bit value (0-15) multiplied by 4096, so 61440 corresponds to priority 15 — the highest possible value. This ensures the access switch will never become the root bridge for any VLAN, while Rapid PVST+ provides fast failover (sub-second convergence) via its alternate/backup port mechanism without needing UplinkFast.
Last reviewed: Jun 24, 2026
This 350-401 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-401 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.