BPDU Guard is a feature of STP that shuts down a port configured with PortFast in the event that a BPDU is detected. This protects against employees bringing in their own switches, connecting them to their network jacks in their offices, possibly causing their “rogue” switches to become a root bridge. Only hosts should be connected to PortFast ports, and this mechanism protects against such situations.

For additional STP fine tuning features, take a look at STP fine tuning the spanning tree protocol.