Guarding Against Rogue STP Root Bridges
How to configure root guard

Configuring Root Guard
Here are the commands to configure and to verify root guard.

To enable root guard on a Layer 2 access port (to force it to become a designated port), or to disable root guard, use this command:

Switch(config-if)#spanning-tree guard root

Verifying Root Guard
To verify root guard use the following commands:

Switch#show running-config interface fastethernet 5/8

Figure shows how to determine whether any ports are in a root-inconsistent state: