Hello,

Following are the modes in which we can configure BPDU Gaurd in switches

Interface mode:

spanning-tree bpduguard enable                       (Puts port in errdisable upon receiving any bpdu).

Global mode:

spanning-tree portfast bpduguard default           (It enables bpduguard on ports that have port-fast configuration, puts port in errdisable upon receiving a bpdu).

Once BPDU Guard is enabled it will keep an eye open for any BPDU's entering the access ports. The only devices which can reliably create and transmit BPDU's are switches.Our main aim to have a predictable topology and not allow other switches outside our control onto our network. If a rogue switch is introduced into our topology it will in most cases transmit a BPDU, if the rogue switch has "better" values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Your later note, about using switch-port security, is probably your best option (because unmanaged switches and hubs aren't really visible - also unmanaged switches won't generate BPDUs).