Why would you configure root protection?
A.
You want to protect the root bridge from receiving BPDUs on unauthorized interfaces.
B.
You want to protect your network from unwanted topology changes from a rogue switch attempting to become the root bridge.
C.
You want to avoid a broadcast storm that originates on the root bridge.
D.
You want to prevent unwanted user authentication to the root bridge by defining an acceptable source-address list for authorized access.
Explanation:
Root Protection for Spanning-Tree Instance Interfaces OverviewRoot protect helps to enforce the root bridge placement in a Layer2 switched network. Enable root protect on interfaces that should not receive superior bridge protocol data units (BPDUs) from the root bridge. Typically, these ports are Spanning-Tree-Protocol-designated ports on an administrative boundary. Enabling root protect ensures the port remains a spanning-tree designated port.
If the bridge receives superior BPDUs on a port that has root protect enabled, that port transitions to a root-prevented STP state and the interface is blocked. This prevents a bridge that should not be the root bridge from being elected the root bridge.
After the bridge stops receiving superior BPDUs on the port with root protect enabled and the received BPDUs time out, that port transitions back to the STP-designated port state.