Yaan,
Per the user guide:
Rootguard provides a way to enforce the root bridge placement in the network. The rootguard feature guarantees that a port will not be selected as Root Port for the CIST or any MSTI. If a bridge receives superior spanning tree BPDUs on a rootguard-enabled port, the port is selected as an Alternate Port instead of Root Port and no traffic is forwarded across this port.
By selecting the port as an Alternate Port, the rootguard configuration prevents bridges, external to the region, from becoming the root bridge and influencing the active spanning tree topology.
So yes traffic is allowed into the port but we still process the BPDUs to ensure that the 3rd party connected switch cannot either maliciously or accidentally start being recognized as the root bridge. If we do start seeing superior BPDUs from that port, we will stop forwarding traffic through that port.
(S35-TST-SW-01) #show spanning-tree
MST 0
Root ID Address: 0019.0655.3a80, Priority: 4097
Regional Root ID Address: 000b.866c.3200, Priority: 16384
Bridge ID Address: 000b.866c.3200, Priority: 16384
External root path cost 40000, Internal root path cost 0
Interface Role State Port Id Cost Type
--------- ---- ----- ------- ---- ----
GE0/0/1 Altn(Root-Inc) BLK 128.22 20000 P2p
GE0/0/2 Desg FWD 128.301 20000 P2p
GE0/0/22 Root FWD 128.23 20000 P2p