nerdexam
Cisco

352-001 · Question #472

In Layer 2 access campus design, which mechanism should be enabled on access ports to protect the campus network from undesired access switches and looped ports?

The correct answer is C. BPDU guard. BPDU guard protects access ports by err-disabling them upon receiving any BPDU, preventing rogue switches and accidental loops from affecting the campus network.

Layer 2 Control Plane

Question

In Layer 2 access campus design, which mechanism should be enabled on access ports to protect the campus network from undesired access switches and looped ports?

Options

  • Aroot guard
  • BEtherChannel guard
  • CBPDU guard
  • Dloop guard

How the community answered

(46 responses)
  • A
    2% (1)
  • B
    4% (2)
  • C
    91% (42)
  • D
    2% (1)

Why each option

BPDU guard protects access ports by err-disabling them upon receiving any BPDU, preventing rogue switches and accidental loops from affecting the campus network.

Aroot guard

Root guard prevents a designated port from accepting a superior BPDU and becoming a root port, protecting root bridge placement rather than blocking unauthorized switch connections on access ports.

BEtherChannel guard

EtherChannel guard detects and responds to misconfigured EtherChannel bundles between switches and does not prevent rogue switch connections on individual access ports.

CBPDU guardCorrect

BPDU guard, when enabled on an access port, immediately transitions the port to err-disabled state if any BPDU is received, preventing unauthorized switches from connecting and triggering unwanted spanning-tree topology changes. This is the recommended STP edge-port protection mechanism for ports that should never receive BPDUs, such as end-user-facing access ports in a campus LAN design. It directly addresses both rogue switch attachment and accidental loop creation on access-layer ports.

Dloop guard

Loop guard prevents an alternate or root port from transitioning to a forwarding state when BPDUs stop arriving due to a unidirectional link failure, which is unrelated to blocking unauthorized switch connections.

Concept tested: STP BPDU guard on access ports

Source: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10586-65.html

Topics

#BPDU guard#STP security#access ports#campus design

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice