Quote from http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swstpopt.html#wp1046220
Understanding BPDU Guard
The BPDU guard feature can be globally enabled on the switch or can be
enabled per port, but the feature operates with some differences.
At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default
global configuration command. Spanning tree shuts down ports that are
in a Port Fast-operational state if any BPDU is received on them. In a
valid configuration, Port Fast-enabled ports do not receive BPDUs.
Receiving a BPDU on a Port Fast-enabled port means an invalid
configuration, such as the connection of an unauthorized device, and the
BPDU guard feature puts the port in the error-disabled state. When this
happens, the switch shuts down the entire port on which the violation
occurred.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.
The BPDU guard feature provides a secure response to invalid
configurations because you must manually put the interface back in
service. Use the BPDU guard feature in a service-provider network to
prevent an access port from participating in the spanning tree.
Understanding BPDU Filtering
The BPDU filtering feature can be globally enabled on the switch or can
be enabled per interface, but the feature operates with some
differences.
At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default
global configuration command. This command prevents interfaces that are
in a Port Fast-operational state from sending or receiving BPDUs. The
interfaces still send a few BPDUs at link-up before the switch begins to
filter outbound BPDUs. You should globally enable BPDU filtering on a
switch so that hosts connected to these interfaces do not receive BPDUs.
If a BPDU is received on a Port Fast-enabled interface, the interface
loses its Port Fast-operational status, and BPDU filtering is disabled.
At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.