Difficulty: Easy
Correct Answer: BPDU Guard
Explanation:
Introduction / Context:
Cisco provides several Spanning Tree Protocol (STP) extensions that enhance stability and security in switched networks. One common security feature protects access-layer ports that are configured with PortFast and should never receive BPDUs, because only end hosts are expected behind them. If a BPDU appears on such a port, it may indicate that an unauthorized switch has been plugged in, that a loop has been created, or that someone is attempting to manipulate the STP topology. The extension that reacts by placing the port into an err-disabled state is the focus of this question, which matters both for certification exams and for real-world network hardening.
Given Data / Assumptions:
The question asks which Cisco STP extension err-disables a PortFast-enabled access port when a BPDU is received on it. The candidate extensions are BPDU Guard, BPDU Filter, Root Guard, Loop Guard, and UplinkFast.
Concept / Approach:
BPDU Guard is a Cisco enhancement that is normally paired with PortFast. When enabled on an interface, BPDU Guard monitors for incoming BPDUs. Under normal conditions, end hosts do not send BPDUs, so none should appear. If a BPDU is detected, BPDU Guard assumes that a switch or a loop has been connected where only an end host should be, and it immediately puts the port into an err-disabled state. This prevents a rogue switch from joining the STP topology or from becoming root, and it keeps an accidental loop from forming. Note the two ways of enabling it: per interface (spanning-tree bpduguard enable), which protects that port whether or not PortFast is configured, and globally (spanning-tree portfast bpduguard default), which protects every PortFast-enabled port. Other extensions such as BPDU Filter, Root Guard, and Loop Guard have different roles and do not err-disable an access port on BPDU reception in the same way.
Step-by-Step Solution:
1. Identify that the port is intended as a PortFast enabled access port that should connect only to end hosts.
2. Recognize that receiving a BPDU on such a port is considered an error and a security concern.
3. Recall that BPDU Guard is designed specifically to protect PortFast ports by shutting them down if a BPDU is received.
4. Understand that when BPDU Guard triggers, the port moves into an err-disabled state and stays there until an administrator bounces it (shutdown followed by no shutdown) or until err-disable recovery for the bpduguard cause brings it back after the configured interval.
5. Confirm that none of the other listed STP extensions exactly match this behavior.
Verification / Alternative check:
In practice, Cisco documentation and configuration examples show that spanning-tree bpduguard enable on an interface, or spanning-tree portfast bpduguard default globally, causes the protected (PortFast) interfaces to be err-disabled as soon as a BPDU arrives. Network engineers use this in access networks to protect against misconnected switches and malicious attempts to manipulate STP. When a port goes err-disabled because of BPDU Guard, show interfaces status lists the port as err-disabled, show interfaces status err-disabled shows the reason (bpduguard), and the switch logs a %SPANTREE-2-BLOCK_BPDUGUARD message naming the port, confirming that BPDU Guard is responsible.
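The following Cisco IOS configuration is an added example for this explanation, not taken from the original page or from Cisco documentation. It shows a PortFast access port protected by BPDU Guard, the equivalent global default, optional automatic recovery, and the show commands used to confirm the feature and to see why a port was err-disabled. The interface name, VLAN number, description and recovery interval are assumptions chosen for illustration.

```text
! --- Per-interface form: PortFast plus BPDU Guard on a user-facing access port ---
! (interface name, VLAN and description are assumed for this example)
interface GigabitEthernet1/0/5
 description user workstation (assumed)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Global form: every PortFast-enabled port is protected by BPDU Guard by default ---
! (on newer IOS releases the PortFast keyword is "spanning-tree portfast edge default")
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! --- Optional automatic recovery: re-enable err-disabled ports after 300 seconds ---
! Without this, the port stays down until an admin does "shutdown" / "no shutdown".
! Recovery is a convenience, not a fix: if the rogue switch is still attached the
! port will simply be err-disabled again when the next BPDU arrives.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification (privileged EXEC) ---
! Confirms "Bpdu guard is enabled" for the interface:
show spanning-tree interface GigabitEthernet1/0/5 detail
! Shows global PortFast / BPDU Guard / BPDU Filter defaults:
show spanning-tree summary
! Lists err-disabled ports with the reason column (expect "bpduguard"):
show interfaces status err-disabled
! Shows which err-disable causes have automatic recovery enabled:
show errdisable recovery
```

The per-interface command protects that port regardless of whether PortFast is configured on it; the global default only applies to ports that are PortFast-enabled, so a trunk or uplink that was never configured with PortFast is not affected by it.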
Why Other Options Are Wrong:
Option b: BPDU Filter suppresses the sending and processing of BPDUs rather than shutting the port down. Enabled on an interface, it effectively disables STP on that port and can hide a loop; enabled globally for PortFast ports, it stops sending BPDUs and, if one is received, simply removes the PortFast state. Neither form places the port into err-disabled on BPDU reception.
Option c: Root Guard is used on ports where you do not want a new root bridge to appear, and it places the port into a root inconsistent state if superior BPDUs are received, not an err-disabled state for simple BPDU reception on access ports.
Option d: Loop Guard is designed to prevent alternate or root ports from erroneously transitioning to forwarding state when BPDUs stop arriving, not for blocking access ports when BPDUs are received.
Option e: UplinkFast improves convergence for access layer switches that lose a root port link, but it does not protect PortFast access ports from BPDUs.
Common Pitfalls:
A common confusion is between BPDU Guard and BPDU Filter. Both concern BPDUs on access ports, but their behavior is different. BPDU Filter stops BPDUs from being sent or acted upon, which can be dangerous if misused because it can mask a loop or a rogue switch. BPDU Guard takes a protective action by shutting down the port when a BPDU appears. Remember that Guard protects the network by disabling the port, while Filter only controls BPDU traffic flow. A second pitfall is forgetting recovery: a BPDU Guard event leaves the port err-disabled until an administrator bounces it or err-disable recovery is configured, so plan for that before deploying it broadly. Keeping these roles clear helps avoid configuration mistakes that could weaken network stability or security.
Final Answer:
The Cisco STP extension that err-disables a PortFast port when a BPDU is received is BPDU Guard.