The best answer is BPDU Guard on edge ports. CEH network defense material explains that BPDU Guard is used on access or edge ports where end-user devices are expected, not switches. If a device connected to such a port begins sending Bridge Protocol Data Units, the switch treats that as an abnormal condition and can shut the port down or place it in an error-disabled state. This prevents unauthorized or misconfigured devices from participating in spanning-tree and influencing root bridge election or topology decisions. That matches the scenario, where a newly connected device introduced a more favorable bridge priority and triggered spanning-tree recalculations. Root Guard is also related to protecting spanning-tree hierarchy, but it is typically applied where you want to prevent a downstream switch from becoming root while still allowing BPDU participation under controlled conditions. CEH exam framing usually expects BPDU Guard when the threat originates from an end-host-facing access port in a conference room or office edge location. Because the goal is to stop unauthorized edge-connected devices from affecting spanning-tree at all, enabling BPDU Guard on edge ports is the most appropriate control.