Wednesday 5 November 2014

Protecting and Optimizing STP

PortFast Ports

An Edge port becomes forwarding immediately after coming up, does not generate topology change events, does not flush MAC addresses from the CAM table as a result of topology change handling, and is not influenced by the Sync step in the Proposal/Agreement procedure.

spanning-tree portfast (interface level), spanning-tree portfast default (global level)
spanning-tree portfast disable (interface level)
Both of these commands apply only to ports operating in access mode. Never activate PortFast on ports toward other switches.

Root Guard, BPDU Guard, and BPDU Filter: Protecting Access Ports

BPDU Guard and Root Guard can be enabled on these access ports to monitor for incoming BPDUs.

   - BPDU Guard: Enabled per port or globally per PortFast-enabled ports; error disables the port immediately upon receipt of any BPDU.
   - Root Guard: Enabled per port; ignores any received superior BPDUs to prevent this port from becoming the Root Port. Upon receipt of superior BPDUs, this switch puts the port in a root-inconsistent blocking state, ceasing forwarding and receiving data frames until the superior BPDUs cease.

BPDU Guard can be activated per port using the spanning-tree bpduguard enable interface command, or globally using the spanning-tree portfast bpduguard default command. The global command, however, activates BPDU Guard only on ports that operate as PortFast ports (regardless of how the port was configured for PortFast operation).
To deactivate it on a port, use the spanning-tree bpduguard disable interface command.

Root Guard can be activated only on a per-port basis using the spanning-tree guard root interface command. With Root Guard, the port recovers automatically when the undesired superior BPDUs are no longer received for the usual MaxAge-Message age in STP, or 3x Hello in RSTP (effectively, when they expire).

The BPDU Filter feature is concerned with stopping the transmission, and optionally the reception as well, of BPDUs on a port. Its behavior differs depending on how it is activated:
   - If configured globally using spanning-tree portfast bpdufilter default, it applies only to Edge ports (that is, to ports on which PortFast is active). The port will send only 11 BPDUs (one immediately after the port comes up, and then ten more during the ten Hello intervals) and then cease sending BPDUs. If a BPDU arrives at any time, during the first ten Hello intervals or anytime after, BPDU Filter will be operationally deactivated on that port, and the port will start sending and receiving BPDUs according to usual STP rules. You can exempt a port from the global setting using the spanning-tree bpdufilter disable interface command.
   - If configured locally on a port using the spanning-tree bpdufilter enable command, BPDU Filter will cause the port to unconditionally stop sending and receiving BPDUs altogether.

BPDU Filter configured directly on a port prevents STP from participating with any other switch on the port. If a port on which BPDU Filter is active because of global configuration (meaning that it must have been an Edge port) receives a BPDU, it will lose its Edge status, and because the global BPDU Filter configuration applies to Edge ports, BPDU Filter on this port will be deactivated.

It is possible to combine globally configured BPDU Filter with BPDU Guard (the BPDU Guard can be also configured globally or per-port in this case). Should a port protected both with global BPDU Filter and BPDU Guard receive a BPDU, it will be automatically err-disabled. On the other hand, it does not make sense to combine port-level BPDU Filter with BPDU Guard.
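As an added illustration (not code from the original post), the following Python model captures how an access port reacts to BPDUs under the interaction rules above: global BPDU Filter and global BPDU Guard apply only while the port is operationally Edge, any received BPDU strips Edge status, port-level BPDU Filter drops BPDUs unconditionally, and Root Guard blocks only on superior BPDUs and recovers when they age out. The class and method names are this example's own; the IOS commands quoted in the comments are those from the text.

```python
# Added example: a small model of Catalyst access-port BPDU protection.
# Names are hypothetical; the IOS commands in comments are from the text above.
from dataclasses import dataclass


@dataclass
class PortConfig:
    portfast: bool = False            # spanning-tree portfast
    bpduguard_port: bool = False      # spanning-tree bpduguard enable (interface)
    bpduguard_global: bool = False    # spanning-tree portfast bpduguard default
    bpdufilter_port: bool = False     # spanning-tree bpdufilter enable (interface)
    bpdufilter_global: bool = False   # spanning-tree portfast bpdufilter default
    rootguard: bool = False           # spanning-tree guard root (interface)


@dataclass
class Port:
    cfg: PortConfig
    edge: bool = False          # operational Edge (PortFast) status
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent
    bpdus_sent: int = 0

    def __post_init__(self):
        self.edge = self.cfg.portfast

    def filter_active(self) -> bool:
        """Port-level filter is unconditional; the global one applies only while Edge."""
        return self.cfg.bpdufilter_port or (self.cfg.bpdufilter_global and self.edge)

    def guard_active(self) -> bool:
        """Port-level guard is unconditional; the global one applies only while Edge."""
        return self.cfg.bpduguard_port or (self.cfg.bpduguard_global and self.edge)

    def hello_tick(self) -> bool:
        """Return True if the port transmits a BPDU on this Hello interval.

        The first tick stands for the BPDU sent immediately at link-up, so a
        globally filtered Edge port sends 1 + 10 = 11 BPDUs and then goes quiet.
        """
        if self.state != "forwarding":
            return False
        if self.cfg.bpdufilter_port:
            return False                      # never sends
        if self.cfg.bpdufilter_global and self.edge and self.bpdus_sent >= 11:
            return False                      # quota exhausted while still Edge
        self.bpdus_sent += 1
        return True

    def receive_bpdu(self, superior: bool) -> str:
        """Apply the reaction to one received BPDU and return what happened."""
        if self.cfg.bpdufilter_port:
            return "dropped"                  # no STP participation at all
        was_edge = self.edge
        self.edge = False                     # any BPDU removes Edge status
        if self.cfg.bpduguard_port or (self.cfg.bpduguard_global and was_edge):
            self.state = "err-disabled"
            return "err-disabled"
        if self.cfg.rootguard and superior:
            self.state = "root-inconsistent"  # superior BPDU ignored, port blocks
            return "root-inconsistent"
        return "processed"                    # normal STP processing

    def superior_bpdus_expired(self) -> str:
        """Root Guard recovers by itself once the superior BPDUs age out (MaxAge / 3x Hello)."""
        if self.state == "root-inconsistent":
            self.state = "forwarding"
        return self.state


if __name__ == "__main__":
    p = Port(PortConfig(portfast=True, bpdufilter_global=True))
    print("BPDUs sent over 20 Hellos:", sum(p.hello_tick() for _ in range(20)))
    print("BPDU arrives:", p.receive_bpdu(superior=False), "-> edge:", p.edge)
```

Running the block shows the 11-BPDU limit of the global filter and that a single received BPDU removes the Edge status, which in turn switches the global filter off and turns a global BPDU Guard into an err-disable.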

Protecting Against Unidirectional Link Issues

Unidirectional links are links for which one of the two transmission paths on the link has failed, but not both. Because STP monitors incoming BPDUs to know when to reconverge the network, adjacent switches on a unidirectional link could both become Forwarding, causing a loop.

On Catalyst switches, several mechanisms are available to detect and avoid issues caused by unidirectional links: UDLD, STP Loop Guard, Bridge Assurance, and the RSTP/MST Dispute mechanism.

Unidirectional Link Detection (UDLD), a Cisco-proprietary Layer 2 messaging protocol, serves as an echo mechanism between a pair of devices. Using UDLD messages, each switch advertises its identity and port identifier pair as the message originator, and a list of all neighboring switch/port pairs heard on the same segment.
A unidirectional link can be detected by looking for one of the following symptoms:
   - UDLD messages arriving from a neighbor do not contain the exact switch/port pair matching the receiving switch and its port in the list of detected neighbors.
   - UDLD messages arriving from a neighbor contain the same switch/port originator pair as used by the receiving switch. This suggests a self-looped port.
   - A switch has detected only a single neighbor, but that neighbor's UDLD messages contain more than one switch/port pair in the list of detected neighbors. This suggests a shared-media interconnection with an issue in its capability to provide full visibility between all connected devices.

If any of these symptoms are detected, UDLD will declare the link unidirectional and will err-disable the port.

UDLD has two modes of operation. In normal mode, if UDLD messages cease being received, the switch tries to reconnect with its neighbor (eight attempts); if that fails, UDLD takes no action and the port that stopped receiving UDLD messages remains up. In aggressive mode, UDLD err-disables the port instead. UDLD can be activated either globally or on a per-port basis, and must be activated on both interconnected devices. Global UDLD configuration applies only to fiber ports.

udld {enable | aggressive} //global level; enable refers to normal mode
udld port [aggressive] //interface level
show udld
show udld neighbors
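The three symptom checks and the normal/aggressive distinction above can be written out as a short Python function, added here as an example that is not part of the original post or of Cisco's UDLD implementation. The message layout (an originator switch/port pair plus the set of neighbor pairs heard) is this example's own simplification of the protocol, and the messages in the test are constructed; it also assumes the messages come from the steady state, after the neighbor has had a chance to hear this switch.

```python
# Added example: UDLD symptom detection and mode-dependent port action.
# Message structure and names are this example's own simplification.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SwitchPortPair = Tuple[str, str]   # (device id, port id)


@dataclass(frozen=True)
class UdldMessage:
    originator: SwitchPortPair              # who sent the message, from which port
    neighbors: FrozenSet[SwitchPortPair]    # switch/port pairs the sender has heard


def udld_symptom(local: SwitchPortPair, msgs: List[UdldMessage]) -> Optional[str]:
    """Return the detected symptom, or None when the link looks bidirectional.

    local: this switch's own (device id, port id) pair on the receiving port.
    msgs:  steady-state UDLD messages received on that port.
    """
    for m in msgs:
        # Symptom 2: our own originator pair comes back to us.
        if m.originator == local:
            return "self-looped port"
        # Symptom 1: the neighbor does not list us, so it cannot hear us.
        if local not in m.neighbors:
            return "neighbor does not see us"
    # Symptom 3: we hear exactly one neighbor, yet it hears more than one device,
    # so the segment does not give every device full visibility of the others.
    originators = {m.originator for m in msgs}
    if len(originators) == 1 and any(len(m.neighbors) > 1 for m in msgs):
        return "shared media visibility issue"
    return None


def udld_action(symptom: Optional[str], mode: str, messages_ceased: bool = False) -> str:
    """Decide the port action: 'err-disable' or 'no action'.

    A detected symptom err-disables the port in both modes. Mere silence (the
    neighbor stops sending and the eight reconnect attempts fail) err-disables
    the port only in aggressive mode; normal mode leaves the port up.
    """
    if mode not in ("normal", "aggressive"):
        raise ValueError("mode must be 'normal' or 'aggressive'")
    if symptom is not None:
        return "err-disable"
    if messages_ceased and mode == "aggressive":
        return "err-disable"
    return "no action"


if __name__ == "__main__":
    # Constructed sample: SW1 Gi1/0/1 hears SW2, but SW2's echo does not list SW1.
    local = ("SW1", "Gi1/0/1")
    one_way = [UdldMessage(("SW2", "Gi1/0/24"), frozenset())]
    s = udld_symptom(local, one_way)
    print(s, "->", udld_action(s, "normal"))
```

The action function makes the practical difference between the two modes explicit: only a positive symptom, not silence, errdisables a port in normal mode, which is why aggressive mode is the one that actually protects against a neighbor that simply stops talking.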

STP Loop Guard prevents Root and Alternate Ports from becoming Designated as a result of total loss of incoming BPDUs. If BPDUs cease being received on these ports and their stored BPDUs expire, Loop Guard will put them into a loop-inconsistent blocking state. They will be brought out of this state automatically after they start receiving BPDUs again. Loop Guard can be activated either globally or on a per-port basis, and is a local protection mechanism.

The global spanning-tree loopguard default command automatically protects all Root and Alternate Ports on STP point-to-point link types on the switch. Global Loop Guard does not protect ports on shared link types; those can be protected on a per-port basis using the spanning-tree guard loop interface command.

The Bridge Assurance, applicable only with RPVST+ and MST and only on point-to-point links, is a further extension of the idea used by Loop Guard. Bridge Assurance modifies the rules for sending BPDUs. With Bridge Assurance activated on a port, this port always sends BPDUs each Hello interval, whether it is Root, Designated, Alternate, or Backup. A Bridge Assurance–protected port is absolutely required to receive BPDUs. If no BPDUs are received, the port will be put into a BA-inconsistent blocking state until it starts receiving BPDUs again. The neighboring device must also be configured for Bridge Assurance.

In the Dispute mechanism, if a port receives an inferior BPDU from a port that claims to be Designated and Learning or Forwarding, it will itself move to the Discarding state. The Dispute mechanism is an integral part of RSTP/MST and requires no configuration.
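To make the difference between the three inter-switch protections concrete, here is an added Python model (not code from the original post) of a non-edge port: what happens when its stored BPDU expires with and without Loop Guard or Bridge Assurance, which roles send BPDUs under Bridge Assurance, how the global and per-port Loop Guard scopes differ on shared links, and how a Designated port reacts to a Dispute. Class and method names are this example's own, and Bridge Assurance is assumed to be configured on both ends of the link as the text requires.

```python
# Added example: Loop Guard, Bridge Assurance and Dispute on an inter-switch port.
# Names are hypothetical; the behaviour follows the rules described in the text.
from dataclasses import dataclass


def normal_state(role: str) -> str:
    """Steady-state port state per role (RSTP terminology)."""
    return "forwarding" if role in ("root", "designated") else "discarding"


@dataclass
class SwitchPort:
    role: str                          # root | alternate | designated | backup
    link_type: str = "point-to-point"  # or "shared"
    loop_guard_port: bool = False      # spanning-tree guard loop (interface)
    loop_guard_global: bool = False    # spanning-tree loopguard default (global)
    bridge_assurance: bool = False     # RPVST+/MST only; assumed enabled on both ends
    state: str = ""

    def __post_init__(self):
        self.state = normal_state(self.role)

    def loop_guard_active(self) -> bool:
        """Global Loop Guard covers only point-to-point links; per-port covers any link."""
        return self.loop_guard_port or (
            self.loop_guard_global and self.link_type == "point-to-point")

    def ba_active(self) -> bool:
        """Bridge Assurance works only on point-to-point links."""
        return self.bridge_assurance and self.link_type == "point-to-point"

    def sends_bpdu_each_hello(self) -> bool:
        """Normally only Designated ports originate BPDUs; with BA every role does."""
        return self.ba_active() or self.role == "designated"

    def stored_bpdu_expired(self) -> str:
        """No BPDU arrived and the stored one aged out (MaxAge / 3x Hello)."""
        if self.ba_active():
            self.state = "ba-inconsistent"
        elif self.loop_guard_active() and self.role in ("root", "alternate"):
            self.state = "loop-inconsistent"
        elif self.role in ("root", "alternate"):
            # Unprotected: the port assumes the segment went silent,
            # becomes Designated and starts forwarding (the loop scenario).
            self.role = "designated"
            self.state = "forwarding"
        return self.state

    def bpdu_received(self, inferior: bool = False,
                      sender_claims_designated_active: bool = False) -> str:
        """A BPDU arrives again.

        Inconsistent ports recover automatically. A Designated port that hears an
        inferior BPDU from a port claiming Designated + Learning/Forwarding moves
        to Discarding (the RSTP/MST Dispute mechanism).
        """
        if self.state in ("loop-inconsistent", "ba-inconsistent"):
            self.state = normal_state(self.role)
        if self.role == "designated" and inferior and sender_claims_designated_active:
            self.state = "discarding"
        return self.state


if __name__ == "__main__":
    unprotected = SwitchPort("alternate")
    guarded = SwitchPort("alternate", loop_guard_global=True)
    print("unprotected alternate after BPDU loss:", unprotected.stored_bpdu_expired(),
          "as", unprotected.role)
    print("loop-guarded alternate after BPDU loss:", guarded.stored_bpdu_expired())
```

The unprotected Alternate port in the usage shows the failure mode the section is about: with no BPDUs it promotes itself to Designated and forwards, whereas the same port under Loop Guard or Bridge Assurance is held in an inconsistent blocking state until BPDUs return.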
