On which of the following layers of the hierarchical network design model should you implement PortFast,
BPDU guard, and root guard? (Select the best answer.)
A. only on core layer ports
B. only on distribution layer ports
C. only on access layer ports
D. only on core and distribution layer ports
E. on core, distribution, and access layer ports
Explanation:
You should implement PortFast, BPDU guard, and root guard only on access layer ports. PortFast, BPDU
guard, and root guard are enhancements to Spanning Tree Protocol (STP). The access layer is the network
hierarchical layer where end-user devices connect to the network. The distribution layer is used to connect the
devices at the access layer to those in the core layer. The core layer, which is also referred to as the backbone,
is used to provide connectivity to devices connected through the distribution layer.
PortFast reduces convergence time by immediately placing user access ports into a forwarding state.
PortFast is recommended only for ports that connect to end-user devices, such as desktop computers.
Therefore, you would not enable PortFast on ports that connect to other switches, including distribution layer
ports and core layer ports. To enable PortFast, issue the spanning-tree portfast command from interface
configuration mode.
BPDU guard disables ports that erroneously receive bridge protocol data units (BPDUs). User access ports
should never receive BPDUs, because user access ports should be connected only to end-user devices, not to
other switches. When BPDU guard is applied, the receipt of a BPDU on a port with BPDU guard enabled will
result in the port being placed into a disabled state, which prevents loops from occurring. To enable BPDU
guard, issue the spanning-tree bpduguard enable command from interface configuration mode.
Root guard is used to prevent newly introduced switches from being elected as the root. The device with the
lowest bridge priority is elected the root. If an additional device is added to the network with a lower priority than
the current root, it will become the new root. However, this could cause the network to reconfigure in
unintended ways, particularly if an access layer switch were to become the root. To prevent this, root guard can
be applied to ports that connect to other switches in order to maintain control over which switch is the root. Root
guard is applied on a per-port basis with the spanning-tree guard root command.
Cisco: Campus Network for High Availability Design Guide: Spanning Tree Protocol Versions
Cisco: Campus Network for High Availability Design Guide: Best Practices for Optimal Convergence
Category: Security Concepts