Why is BPDU guard an effective way to prevent an unauthorized rogue switch from altering the spanning-tree topology of a network?

A. BPDU guard can guarantee proper selection of the root bridge.

B. BPDU guard can be utilized along with PortFast to shut down ports when a switch is connected to the port.

C. BPDU guard can be utilized to prevent the switch from transmitting BPDUs and incorrectly altering the root bridge election.

D. BPDU guard can be used to prevent invalid BPDUs from propagating throughout the network.

Explanation:
As long as a port participates in STP, some device can assume the root bridge function and affect active STP topology. To assume the root bridge function, the device would be attached to the port and would run STP with a lower bridge priority than that of the current root bridge. If another device assumes the root bridge function in this way, it renders the network suboptimal. This is a simple form of a denial of service (DoS) attack on the network. The temporary introduction and subsequent removal of STP devices with low (0) bridge priority cause a permanent STP recalculation.

The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.
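
An added example, not part of the original page or of Cisco's documentation: a small Python audit that reads an IOS-style running configuration and lists the interfaces where PortFast is set but BPDU guard would not act. The sample configuration and interface names are constructed; the script assumes the standard IOS commands `spanning-tree bpduguard enable|disable` and `spanning-tree portfast [edge] bpduguard default`, and it checks only PortFast configured per interface.

```python
import re

# Constructed sample running-config, not taken from the page.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 spanning-tree portfast edge
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

GLOBAL_GUARD = re.compile(r"spanning-tree portfast (edge )?bpduguard default$")
PORTFAST = re.compile(r"spanning-tree portfast( edge)?$")


def unguarded_portfast_ports(config):
    """Return interfaces with PortFast set where BPDU guard would not act."""
    global_guard, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ports[current] = []
        elif raw[:1].isspace() and current:
            ports[current].append(line)   # sub-command of the current interface
        else:
            current = None                # "!" or a global command ends the block
            global_guard = global_guard or bool(GLOBAL_GUARD.fullmatch(line))
    findings = []
    for name, cmds in ports.items():
        if not any(PORTFAST.fullmatch(c) for c in cmds):
            continue                      # PortFast not set on this interface
        if "spanning-tree bpduguard disable" in cmds:
            findings.append(name)         # interface command overrides the global default
        elif "spanning-tree bpduguard enable" not in cmds and not global_guard:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(unguarded_portfast_ports(SAMPLE_CONFIG))
```
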
Reference:
Spanning Tree PortFast BPDU Guard Enhancement
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
