Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the
spanning-tree topology of a network?
A. BPDU guard can guarantee proper selection of the root bridge.
B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected
to the port.
C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly
altering the root bridge election.
D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.
Explanation:
As long as a port participates in STP, some device can assume the root bridge function and affect
active STP topology. To assume the root bridge function, the device would be attached to the port
and would run STP with a lower bridge priority than that of the current root bridge. If another
device assumes the root bridge function in this way, it renders the network suboptimal. This is a
simple form of a denial of service (DoS) attack on the network. The temporary introduction and
subsequent removal of STP devices with low (0) bridge priority cause a permanent STP
recalculation.
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP
domain borders and keep the active topology predictable. The devices behind the ports that have
STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the
BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions
the port into errdisable state, and a message appears on the console.
Reference: Spanning Tree PortFast BPDU Guard Enhancement
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
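The behaviour described in the explanation, as an added example that is not taken from the Cisco tech note: a simplified Python model of one access switch receiving a BPDU that advertises a superior (lower) bridge ID on a PortFast port, with and without BPDU guard. The class names, port name, bridge IDs and log strings are constructed for illustration, and the model compares bridge IDs only (path cost and timers are ignored).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int  # compared first; lower value wins the election
    mac: str       # tie-breaker; fixed-width lowercase hex, lower wins

@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    state: str = "forwarding"

@dataclass
class Switch:
    bridge_id: BridgeID
    ports: dict
    root_id: BridgeID = None
    log: list = field(default_factory=list)

    def __post_init__(self):
        # A switch that knows of no better bridge considers itself root.
        self.root_id = self.root_id or self.bridge_id

    def receive_bpdu(self, port_name, advertised_root):
        """Return True if the BPDU changed this switch's view of the root."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return False  # port is down; nothing is processed
        if port.portfast and port.bpdu_guard:
            # Any BPDU on a guarded PortFast port disables the port
            # before the BPDU can take part in the election.
            port.state = "err-disabled"
            self.log.append(f"model: {port_name} err-disabled by BPDU guard")
            return False
        if advertised_root < self.root_id:
            self.root_id = advertised_root  # superior BPDU accepted
            self.log.append(f"model: root changed via {port_name}")
            return True
        return False

def demo(guarded):
    current_root = BridgeID(4096, "0000.0c00.0001")  # constructed values
    access = Switch(BridgeID(32768, "0000.0c00.00aa"),
                    {"Gi0/1": Port("Gi0/1", portfast=True, bpdu_guard=guarded)},
                    root_id=current_root)
    unexpected = BridgeID(0, "0000.0c00.0bad")  # priority 0, as in the text
    changed = access.receive_bpdu("Gi0/1", unexpected)
    return changed, access.root_id, access.ports["Gi0/1"].state

if __name__ == "__main__":
    print("without BPDU guard:", demo(False))
    print("with BPDU guard:   ", demo(True))
```

Without the guard the access switch adopts the priority-0 bridge as root; with it, the root is unchanged and the port ends up err-disabled.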