400-007 Question #37: Real Exam Question with Answer & Explanation
The correct answer is A. BPDU guard on access ports and E. edge port on access ports.
Question
Exhibit
Options
- A. BPDU guard on access ports
- B. BPDU guard on the aggregation switch downlinks toward access switches
- C. root guard on the aggregation switch downlinks toward access switches
- D. root guard on access ports
- E. edge port on access ports
- F. access switch pairs explicitly determined to be root and backup root bridges
Explanation
In this data center design - VLANs spanning multiple access switches with HSRP and Layer 3 SVIs on aggregation switches - the aggregation switches are the natural STP root bridges, and access ports connect only to end hosts or servers.

Choice A (BPDU guard on access ports) is correct because access ports should never receive BPDUs from legitimate end devices. BPDU guard immediately err-disables any access port that receives a BPDU, protecting the STP topology from rogue or unauthorized switches plugged into host ports.

Choice E (edge port / PortFast on access ports) is correct because configuring access ports as edge ports allows them to skip the STP listening and learning states, transitioning immediately to forwarding. This eliminates unnecessary Topology Change Notifications (TCNs) every time a server or host connects or disconnects, which is a major source of STP instability. These two features are complementary and should always be deployed together on host-facing ports.

Choice B is incorrect - enabling BPDU guard on aggregation downlinks would err-disable those ports the moment a legitimate access switch BPDU arrives. Choice C (root guard on aggregation downlinks) would be valid for protecting root placement but is not among the correct answers here. Choice D is incorrect - root guard on access ports is redundant given BPDU guard is already there. Choice F is not a Cisco STP stability feature.
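One way to check that choices A and E are actually deployed together on host-facing ports is to audit the switch configuration. The script below is an added example, not part of the original page; the sample configuration and interface names are constructed, and it assumes Cisco IOS-style per-interface syntax only (global defaults such as `spanning-tree portfast bpduguard default` are not evaluated).

```python
import re

# Constructed IOS-style access-switch config for illustration (not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface TenGigabitEthernet1/1/1
 description uplink-to-aggregation
 switchport mode trunk
!
"""

# Edge port is "spanning-tree portfast" on older IOS, "... portfast edge" on newer.
EDGE = re.compile(r"^spanning-tree portfast( edge)?$")
BPDUGUARD = "spanning-tree bpduguard enable"


def audit_access_ports(config):
    """Return {interface: [missing features]} for access ports that lack
    edge port and/or BPDU guard in their own interface stanza."""
    findings = {}
    # A stanza is the "interface" line plus the indented lines that follow it.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        name = m.group(1)
        lines = [l.strip() for l in m.group(2).splitlines()]
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks legitimately exchange BPDUs
        missing = []
        if not any(EDGE.match(l) for l in lines):
            missing.append("edge port")
        if BPDUGUARD not in lines:
            missing.append("BPDU guard")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit_access_ports(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Ports that show edge port without BPDU guard deserve attention first: they forward immediately and would still accept BPDUs from an unexpected switch.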
