During STP troubleshooting , you determined that the problem is caused by a user connecting a rogue switch to an access port, and that rogue switch becoming the Root Bridge. What can you do to prevent that kind of situation from happening in the future?

A.
Lower the bridge priority on the desired Root Bridge

B.
enable VACL to filter the traffic

C.
enable IP Source Guard on the portfast access ports

D.
enable BPDU Guard on the portfast access ports

E.
Lower the port priority on the portfast access ports

Explanation:
Answer A is wrong because
VACL is an acronym for VLAN Access Control Lists where VLAN stands for Virtual Local Area Network. Specifically created to filter and move VLAN traffic. May be used like a SPAN port or network tap it is a way to replicate computer network data that is coming and going from a computer or a network of computers. This is useful if you want to monitor that traffic to determine the health of the application(s) running on those computer(s) or health of the network itself. VACL or VACL Ports can be much more discriminating of the traffic they forward than a standard SPAN port. They may be set to only forward specific types or specific VLANS to the monitoring port. However, they forward all traffic that matches the criteria as they do not have the functionality to select from ingress or egress traffic like SPAN ports.

Spanning-Tree Protocol is a link management protocol that provides path redundancy while preventing undesirable loops in the network. For an Ethernet network to function properly, only one active path can exist between two stations.
Election of the Root Switch
All switches in an extended LAN participating in Spanning-Tree Protocol gather information on other switches in the network through an exchange of data messages. These messages are bridge protocol data units (BPDUs). This exchange of messages results in the following:
The election of a unique root switch for the stable spanning-tree network topology. The election of a designated switch for every switched LAN segment. The removal of loops in the switched network by placing redundant switch ports in a backup state.

The Spanning-Tree Protocol root switch is the logical center of the spanning-tree topology in a switched network. All paths that are not needed to reach the root switch from anywhere in the switched network are placed in Spanning-Tree Protocol backup mode. Table C-1 describes the root switch variables, that affect the entire spanning-tree performance.
Table C-1: Root Switch Variables Affecting STP

BPDUs contain information about the transmitting switch and its ports, including switch and port Media Access Control (MAC) addresses, switch priority, port priority, and port cost. The Spanning- Tree Protocol uses this information to elect the root switch and root port for the switched network, as well as the root port and designated port for each switched segment.

B is correct because
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.

C is wrong because
IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
You can enable IP source guard when DHCP snooping is enabled on an untrusted interface. After IP source guard is enabled on an interface, the switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.
IP source guard is supported only on Layer 2 ports, including access and trunk ports.You can configure IP source guard with source IP address filtering or with source IP and MAC address filtering.

D & E are wrong because neither is a perminate solution to the problem