A Bridge Protocol Data Unit (BPDU) Guard Violation occurs when BPDUs are being received on an ONT port that was not intended to be receiving BPDU frames.
Typically, ONT ports are expected to be attached to end stations. This Access Violation is designed to prevent ports not a part of the core infrastructure from participating in RSTP and becoming the root bridge of the STP topology. The BPDU Guard alarm occurs when the "BPDU Guard Violation" is enabled on the RSTP profile and BPDU frames are seen from that port. The Auto Port disable will be triggered, and the port is disabled.
BPDU Guard is configured in the RSTP profile of the Ethernet port. It can be found in the RSTP profile. Profiles icon->RSTP Tab>Edit icon->Edit Ethernet Port RSTP Profiles.
If a BPDU Guard violation is detected, it will be alarmed via the Access Violation alarm and Additional Text will indicate "BPDU Guard".
Trouble Clearing
Configuring the "BPDU Guard" feature on the access-ports enables the spanning-tree protocol to shut the port down in the event that it receives a BPDU. As a rule of thumb, BPDU's are really only expected across trunk links.
If a rogue switch is plugged into a port configured for BPDU Guard, the port will disable as soon as the first BPDU is received. By shutting the port down we prevent the rogue switch from affecting our spanning-tree topology. Remove the switch from the nework.
If auto-disable is enabled, the port will be disabled for a programmed amount of time before coming back online. The default time is normally set to 5 minutes.
Should the port remain disabled by BDPU Guard, you will need to identify and remove the offending device to re-enable the ONT port.
If it is determined that the attached device is valid and should be permitted on the network with RSTP enabled, then enable RSTP on the port using a profile which has the BPDU Guard unchecked. This will allow BPDUs to flow on that port and the alarm will clear.
icon->RSTP Tab>Edit 
icon->Edit Ethernet Port RSTP Profiles.