The following recipe contains one method to protect against the addition of unauthorized switches to a Cisco Catalyst. This refers to the 6500 series, but it may be available on other platforms as well.
Unauthorized switches can pose a significant problem for networks. Oddball switches can win a spanning-tree root election or can increase network diameter beyond accepted specifications.
One way to prevent the addition of an unauthorized switch is to enable BPDU Guard.
In global configuration mode, enter:spanning-tree portfast bpduguard default
This command enables the switch to disable a port that receives a BPDU (Bridge Protocol Data Unit).
Normally, a port configured for portfast will be connected to an end device, like a workstation, server, or printer. End devices do not send BPDUs, so this condition is not triggered. A switch, however, will normally send BPDUs on every port. When a switch is connected, the 6500 receives a BPDU and shuts down the offending port.
After 12.1, this configuration may be applied to interfaces. When configured in this manner, the 6500 will disable the port upon receipt of a BPDU, regardless of the portfast configuration.