imagine we have 2 distribution switches A and B connected to an access switch C (double connection)
switch A is the root. blocked port is in switch C (uplink to B).
-1-i apply root guard to swA and B but not to swC
-2- i connect a swD to swC and swD has a best Bridg priority so that it could be the new root.
will this cause a problem for swC.
ok swA and B will ignore swD BPDU but what about the behavior of swC?
With root guard enabled on Switches A & B you don't need to worry about switch D coming online with a lower bridge priority. As the previous poster stated both switches A & B would disable the port to switch C once they receive a BPDU with a lower bridge priority.
To address the problem of switch C becoming a victim of this DOS attack you can configure 'bpdu guard' feature on all access ports. This way when switch D comes online and starts sending out BPDUs switch C would disable the port from which BPDUs were received.
Switch B will not only refuse the lower priority BPDU, but it will then block the port. Once the port is blocked, switch C is no longer part of that spanning-tree domain.
After that Switch C & D will negotiate that Switch D is now the root.
The end result? The network is then split into two spanning-tree domains: A&B as well as C&D. C&D cannot send data to A&B since the link between B&C is blocked!
Hope this helps!