LMS3.2/UT: Bad entries in Switch port report Reclaim UP

Hi,
Customer has bad entries when he works with Switch port report Reclaim UP:
If it takes entries older than 5 days, he gets many records: most of them (about 15500 !!!) are from 2010/11/8, some from 2010/11/9 (about 60) and some from 2010/11/10 (about 300).
If it takes entries older than 30 days, the report is empty.
Inventory jobs are scheduled each day at 6:00 am.
UT keeps history for 90 days.
We can see records for ports which have never been connected, but we should not find entries for ports that have never been connected.
In the Campus guide I saw this:
Reclaim Unused Up Ports Report
Campus Manager queries both link and access ports to generate the Unused Up report. It uses ports:
-That are administratively up
and
-That were previously connected to an endhost or a device but are unconnected at least a day.
You can generate reports on ports that have been in Unused Up state for a specified interval of time.
We have 2 issues:
- ports which have never been connected.
- ports which have a bad last seen date
You will find the result of this command:
ut -cli -switchPortReclaimReport type up days 5 -devices all -export c:\up_5j.txt -u user -p password
Many thanks for your help,
Elisabeth
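The report definition quoted above (administratively up, previously connected, unconnected for at least the chosen interval) can be expressed as a small filter, and the two bad-entry classes in the question (never-connected ports, wrong last-seen dates) can be checked against an inventory. The following is an added example, not code from the original post or from LMS/UT; the inventory, the report date and the field names are constructed assumptions, and whether "older than N days" is inclusive is assumed here to mean "last seen at least N days ago".

```python
from datetime import date, timedelta

# Constructed inventory (not the customer's UT data). last_seen is the last day
# an endhost or device was observed on the port; None means never connected.
INVENTORY = [
    {"device": "sw1", "port": "Fa0/1", "admin_up": True,  "connected": False, "last_seen": date(2010, 11, 8)},
    {"device": "sw1", "port": "Fa0/2", "admin_up": True,  "connected": False, "last_seen": date(2010, 11, 10)},
    {"device": "sw1", "port": "Fa0/3", "admin_up": True,  "connected": True,  "last_seen": date(2010, 11, 14)},
    {"device": "sw1", "port": "Fa0/4", "admin_up": False, "connected": False, "last_seen": date(2010, 10, 1)},
    {"device": "sw1", "port": "Fa0/5", "admin_up": True,  "connected": False, "last_seen": None},
    {"device": "sw2", "port": "Gi0/1", "admin_up": True,  "connected": False, "last_seen": date(2010, 9, 20)},
]
TODAY = date(2010, 11, 14)   # assumed report date for the constructed data


def reclaim_unused_up(inventory, today, days):
    """Rows for the Unused Up report: admin up, previously connected,
    currently unconnected, and last seen at least `days` days ago.
    Rows are (device, port, last_seen ISO string)."""
    cutoff = today - timedelta(days=days)
    rows = []
    for p in inventory:
        if not p["admin_up"] or p["connected"]:
            continue
        if p["last_seen"] is None:          # never connected: excluded by definition
            continue
        if p["last_seen"] <= cutoff:
            rows.append((p["device"], p["port"], p["last_seen"].isoformat()))
    return rows


def audit_report(rows, inventory, today):
    """Cross-check exported report rows against the inventory and return the
    two kinds of bad entry described in the question: never-connected ports
    that appear anyway, and rows whose last-seen date cannot be right."""
    by_key = {(p["device"], p["port"]): p for p in inventory}
    problems = []
    for device, port, last_seen in rows:
        seen = date.fromisoformat(last_seen)
        p = by_key.get((device, port))
        if p is None or p["last_seen"] is None:
            problems.append((device, port, "never connected"))
        elif seen > today:
            problems.append((device, port, "last seen in the future"))
        elif seen != p["last_seen"]:
            problems.append((device, port, "last seen disagrees with inventory"))
    return problems


if __name__ == "__main__":
    for days in (5, 30):
        print(f"older than {days} days:", reclaim_unused_up(INVENTORY, TODAY, days))
    # A constructed bad row for a never-connected port, mixed with good rows.
    exported = [("sw1", "Fa0/5", "2010-11-08")] + reclaim_unused_up(INVENTORY, TODAY, 5)
    print("audit:", audit_report(exported, INVENTORY, TODAY))
```

Running `audit_report` over the rows exported by `ut -cli -switchPortReclaimReport ... -export` (after parsing the export into the same tuple shape) is a quick way to count how many of the 15500 entries belong to ports with no history at all before opening a case.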

This sounds like a problem with Object Grouping Services where Campus OGS is not able to communicate with CMF OGS.
The shortest solution might be to just restart LMS, wait 15 minutes and then check again.
If that does not help,
1) Enable OGS debugging for both Campus and CMF
NMSROOT = C:\progra~1\CSCOpx or /opt/CSCOpx (unix)
NMSROOT/MDC/tomcat/webapps/cwhp/WEB-INF/classes/log4j-ogs.properties
NMSROOT/MDC/tomcat/webapps/campus/WEB-INF/classes/log4j-ogs.properties
Change ALL instances of FATAL, ERROR, WARN, and INFO to DEBUG.
(might want to back these files up first, you will want to change them back when finished)
2) Restart LMS (wait 5 mins between stop/start)
windows
> net stop crmdmgtd
> net start crmdmgtd
unix
# /etc/init.d/dmgtd stop
# /etc/init.d/dmgtd start
3) Reproduce the problem
4) Collect Log files in
C:\progra~1\CSCOpx\log or /var/adm/CSCOpx/log (unix)
CampusOGSClient.log
CampusOGSServer.log
CMFOGSClient.log
CMFOGSServer.log  
5) Open a case with TAC
Good luck
Tom

Similar Messages

  • Time Capsule, NAS and Switch port issues

    I purchased a Time Capsule yesterday I can get the wifi to work but I am having some other issues.
    I need to be able to attach an existing Western Digital NAS drive to the TC through ethernet. When I connect it, it shows up in the finder but will not connect.
    I also need to be able to connect a Switch port into the TC as well. The switch runs ethernet throughout the building to wall jacks as well as running a dedicated PC server.
    When I plug both these devices into the ISP modem/router they work but the TC won't recognize them.
    Am I missing some settings or steps that I need to take to make this work?

    Did you put the TC into bridge mode.. ??
    If it is a router.. all kinds of bad things can happen.. like dhcp server is working and double NAT preventing access.. much like you describe.
    Setup the TC in isolation from the network. before you plug it in.
    Bridge in v5 utility.. (if you run lion it is easy to download and install is still preferred).
    Bridge in v6 utility go to the Network tab and change it from DHCP and NAT to off bridge mode.
    Picture pending if you need it.

  • Jabber and Media Interface Service - Switch port

    Hi All,
    here is from Cisco:
    Before Cisco Jabber for Windows sends audio media or video media, it checks for Cisco Media Services Interface.
    • If the service exists on the computer, Cisco Jabber for Windows provides flow information to Cisco Media Services Interface. The service then signals the network so that routers classify the flow and provide priority to the Cisco Jabber for Windows traffic.
    • If the service does not exist, Cisco Jabber for Windows does not use it and sends audio media and video media as normal.
    My question is: what does "normal" mean?
    1- We can identify ports for Jabber in CUCM, then create an ACL and apply QoS. In that case what does "Normal Traffic" mean?
    2- For MSI, do we need to configure anything on the switch port for it to work properly?
    3- How does the switch know which QoS to apply based on what MSI is saying? Does it still need an ACL? If yes, what's the point of using MSI for QoS?
    Thanks,
    Hamed

    This would be EF for voice, AF41 for video/voice, and CS3 for SIP signal. Two things typically cause this to get treated as best effort:
    The Windows PC is not allowing the application to set DSCP markings. Group or local security policy can be used to allow this
    The switch is not trusting the data VLAN. Most SRND material suggests using a policer to limit the amount of EF/AF41/CS3 traffic from the data VLAN and to remark the violation traffic to best effort.
    You'll want to start with the MediaNet Deployment Guide. There is a lot going on to make this work.
    The MSI tells the switch what application and ports are being used. The switch then sets the DSCP marking on that traffic.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Two VLANs on one switch port?

    Currently we have the following
    Cat 4003 with VLAN trunking turned on to multiple switches. Each port in those exterior switches is assigned to a vlan(we have about 60 different vlans).
    What I would like to do is on those exterior switches have two vlans assigned to it.
    We'd like to create a single IP Phone VLAN(let's call it 999) that can span our entire enterprise and would have dhcp deployed on it.
    Each port is connected to an IP phone which has a 2 port switch in them. One port to the wall, one to the pc.
    The switch ports on those phones support vlan tagging
    How would I set up an exterior switch to access 2 vlans that connect to the 2 port switch on an IP phone?

    To facilitate ease of deployment, use VTP so that you can centrally create the vlans and propagate them to each exterior switch. Now I believe you already do have a layer 3 engine or router that does routing between all these vlans. What switches are used on the exterior? This is to find out if voice vlan support is available.
    In cat switches, voice vlan is created using command,
    set port auxiliaryvlan vlan
    In IOS based switches,
    int fa0/1
    switchport mode trunk
    switchport trunk encap dot1q
    switchport trunk native vlan
    switchport voice vlan
    switchport priority cos extend 0
    or
    int fa0/1
    switchport mode access
    switchport access vlan
    switchport voice vlan
    I am not sure about support of voice/aux vlan in 4003. We will have check your other switch models/ software versions to determine support for this command.

  • Failed while creating virtual Ethernet switch. Failed to connect Ethernet switch port

    Hello Folks
    I am completely stuck with the configuration of my virtual networks. I have one logical switch left to add to one of my Hyper-V 2012 R2 hosts when I started getting the error below when I try to add logical switches to either Hyper-V Host. I have been using
    the document. 'Hybrid Cloud with NVGRE (Cloud OS)' to implement the virtual networking. Basically using the exact configuration that is in the document. I have added the PA Logical Network and the Network adapters and added the logical switch for it to my
    hyper-v 2012 R2 host and everything was fine. I am now trying to add my ISCSI Logical Switch to the host and this is the error I get. My other Hyper-V host I get this error for any logical switch I am trying to add. Can someone help me with this error. I haven't
    been able to find any information about it.
    Also some quick info on tracing an error like this so I can figure out what is causing it.
    This is my configuration so far.
    So as far as I know everything is peachy until the error below. Dead stop now.
    Error (12700)
    VMM cannot complete the host operation on the 08-NY-VHOST01.accounts.ccac-ont.ca server because of the error: Failed while creating virtual Ethernet switch.
    Failed to connect Ethernet switch port (switch name = '******', port name = '88C16766-ED02-4AC0-8CD7-660AC9D424DD', adapter GUID = '{FAF431D8-0124-4E40-BB3B-9234BAA02973}'): The system cannot find the file specified. (0x80070002).
    Unknown error (0x800b)
    Thank you for your time
    Christopher
    Christopher Scannell

    Notice your GUID? You may want to consider ensuring that is the same GUID associated in your database. Sometimes during data corruption there's a smidge of a chance your sql database kind of either pulls old guids esp if this was reverted to snapshot
    without it being powered off etc.
    I would try that first. Then I would consider if you get to configure that with your current license associated with the host. I would need way more info to help any further.

  • How to get Networking Switch Port Configuration (I guess SNMP4j will help)

    Greetings :)
    We have extreme Summit 450e switches installed in our organization. approximately 2000 desktops are connected to these switches.
    Now, I want to make a utility to get info from these switches, for example, which IP, MAC etc is running on a particular switch port. I want to extract these kind of info from all switches and export it into a database.
    Any help, how to start this work.
    Thanks...

    > Any help, how to start this work.
    First research what programmable interfaces it supports.  That includes any management API including SNMP, TCP and HTTP.
    And then from that figure out what you want to do with it.
    After you do both of the above then you start looking to java to program the solution.

  • Can't get switch ports to work

    Okay so I have a basic home lab, 2600 router x2 and 2900 XL switch x 2. I've connected each router together (they "see" each other in cdp), and each router to one switch. My problem is that the interfaces that the router connects to the switch won't accept an ip address, (it says unrecognized command) and the switch lights are off). A "show status" says only the trunk port (22 on each switch) are connected. I've checked the cabling, it works, and the cables are out of the box. What am I missing/forgetting?
    Sorry if i newb :\ I'm Looking forward to going over static routes xD
    Thanks,
    Devlin
    (I looked through the documentation, maybe I missed it? I did a config reset on the switches. I bought these used, I hope they aren't broken :\)

    No, they don't work, POST is fine (The switches boot normally), CABLING IS FINE, they are NOT admin down
    Switch1#sho run
    Building configuration...
    Current configuration:
    version 12.0
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname Switch1
    ip subnet-zero
    !!!!! Omitted fa ports 1-24
    interface VLAN1
    no ip directed-broadcast
    no ip route-cache
    line con 0
    transport input none
    stopbits 1
    line vty 5 15
    end
    Switch1#sho int status
    Says every port except the ports trunking between the two switches is "not connected"
    !!!!!HERES AN EXAMPLE OF ON OF THE DOWN SWITCHPORTS!!!!!
    Switch1#sho int fa0/1
    FastEthernet0/1 is down, line protocol is down
    Hardware is Fast Ethernet, address is 00b0.647f.6681 (bia 00b0.647f.6681)
    MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive not set
    Auto-duplex , Auto Speed , 100BaseTX/FX
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output 1d23h, output hang never
    Last clearing of "show interface" counters never
    Queueing strategy: fifo
    Output queue 0/40, 0 drops; input queue 0/75, 0 drops
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    1 packets input, 64 bytes
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast
    0 input packets with dribble condition detected
    2 packets output, 424 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier
    0 output buffer failures, 0 output buffers swapped out
    Switch1# sh version
    Cisco Internetwork Operating System Software
    IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC8, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 19-Jun-03 13:09 by antonino
    Image text-base: 0x00003000, data-base: 0x0034E2F4
    ROM: Bootstrap program is C2900XL boot loader
    Switch1 uptime is 1 day, 23 hours, 31 minutes
    System returned to ROM by power-on
    System image file is "flash:c2900xl-c3h2s-mz.120-5.WC8.bin"
    cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
    Processor board ID FAA0402G17B, with hardware revision 0x03
    Last reset from power-on
    Processor is running Enterprise Edition Software
    Cluster command switch capable
    Cluster member switch capable
    24 FastEthernet/IEEE 802.3 interface(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:B0:64:7F:66:80
    Motherboard assembly number: 73-3425-10
    Power supply part number: 34-0920-01
    Motherboard serial number: FAA04019FEM
    Power supply serial number: NONE
    Model revision number: A0
    Model number: WS-C2924M-XL-EN
    System serial number: FAA0402G17B
    Configuration register is 0xF
    I'm really desperate here I have no idea what the problem is, and I cannot prepare for the exam without being able to assign ip addresses to the switch ports. If anyone can help me I would be EXTREMELY grateful.
    Thanks
    Devlin

  • Enumerate switch ports

    I need a way to list out the last mac address known to port-security per port in IOS, and EEM may be my answer.  
    The command  "show port-security address" gets me close - it shows current mac on all up ports, like: 
    > AS5#show port-security address
    >         Secure Mac Address Table
    > ------------------------------------------------------------------------
    > Vlan   Mac Address       Type                     Ports   Remaining Age
    >                                                             (mins)  
    > ----   -----------       ----                     -----   -------------
    >   6   001d.e5ea.a1d5   SecureDynamic           Gi1/0/26   < 1
    >   6   0007.7d43.638b   SecureDynamic           Gi1/0/31   < 1
    >   6   0050.6003.76ce   SecureDynamic           Gi1/0/40   < 1
    >   1   0050.b607.c3a3   SecureDynamic           Gi1/0/43   < 1
    >   1   c42c.030c.05d4   SecureDynamic           Gi1/0/44   < 1
    >   1   0023.5e20.a48e   SecureDynamic           Gi1/0/45   < 1
    > ------------------------------------------------------------------------
    however, I also need the last mac known to the port. For example "show port-security int g7/11" has the info I need:
    > DEVON-3RDFL-138-4#sh port-security int gi 7/11              
    > Port Security             : Enabled
    > Port Status               : Secure-down
    > Violation Mode             : Restrict
    > Aging Time                 : 1 mins
    > Aging Type                 : Absolute
    > Maximum MAC Addresses     : 1
    > Total MAC Addresses       : 0
    > Configured MAC Addresses   : 0
    > Sticky MAC Addresses       : 0
    > Last Source Address       : d4be.d995.8159 <-- We are looking for > this, but we may not know which port it was last connected to...
    > Last Source Address VlanId : 455
    > Security Violation Count   : 0
    However, enumerating all ports on a switch to find which one has a specific mac address is painful.
    So, my intent is to write an EEM script that will enumerate all ports on a switch and hold them in an array that I can then sequentially run commands against.
    Surely someone has already written a script to enumerate all switch interfaces.   Anyone know where to find it?
    Thanks,
    Neville

    Thanks Joseph! 
    With your code I got my script working! I'm attaching it here.
    Some notes of mine.
    1) I sure like PERL *a lot* more than TCL. I find TCL weird where I don't do a ; at the end of lines, don't declare my variables with $ and not having a concept of an @array is killing me!
    2) I changed the 1st part of the script from port-security ports to all Ethernet interfaces. If a port is down it does not show in "show port-security addresses", whereas it will show with "show interface summary | inc Ethernet".
    3) Catalyst switches output port-security info two ways: either "Last Source Address : aa.bb.cc.dd.ee.ff" (older code) or "Last Source Address:Vlan : aa.bb.cc.dd.ee.ff:1" (newer code). I added logic to deal with either output.
    4) The script seems to run pretty slow. It takes ~15 seconds for a switch with 24 interfaces on it.  In a stack I'd run into MAXRUN time issues for sure.
    Again thanks Joseph! - Finished Script below:
    ::cisco::eem::event_register_none
    # Written 2012 by Neville Aga ([email protected])
    # Make an alias to trigger this script, such as
    # "alias exec show-last-macs event manager run show_last_macs.tcl"
    namespace import ::cisco::eem::*
    namespace import ::cisco::lib::*
    # Open the CLI
    if [catch {cli_open} result] {
        error $result $errorInfo
    } else {
        array set cli1 $result
    }
    # Go into enable mode
    if [catch {cli_exec $cli1(fd) "en"} result] {
        error $result $errorInfo
    }
    # Enumerate switch ethernet interfaces and put them into an array..
    # er, list. TCL doesn't do arrays the way Perl does.
    # A leading "*" marks up interfaces in "show interfaces summary"; strip it,
    # collapse whitespace and keep the first field (the interface name).
    set output [cli_run [list "show interfaces summary | inc Ethernet"]]
    set ports [list]
    foreach line [split $output "\n"] {
        regsub {\*} $line "" line
        set line [string trim $line]
        regsub -all {\s+} $line " " line
        #puts "line is $line\n"
        lappend ports [lindex $line 0]
    }
    puts "Last MAC associated with all port-security switch ports:"
    puts "by Neville Aga ([email protected]). Follow me on twitter @nevilleaga"
    foreach port $ports {
        set output [cli_run [list "sh port-security int $port"]]
        if { [regexp {Port Security\s+:\s(Enabled)} $output -> enabled] } {
            if { [regexp {Port Status\s+:\s+(\S+)} $output -> portstatus] } {}
            # This will get output returned like "Last Source Address  :  aa.bb.cc.dd.ee.ff" - 6500 typical
            if { [regexp {Last Source Address\s+:\s+([a-fA-F0-9\.]+)} $output -> mac] } {
                puts "Last MAC for $port is $mac -- $portstatus "
            }
            # This will get output returned like "Last Source Address:Vlan :  aa.bb.cc.dd.ee.ff:1" - 3560 12.2.53
            if { [regexp {Last Source Address:Vlan\s+:\s+([a-fA-F0-9\.]+)} $output -> mac] } {
                puts "Last MAC for $port is $mac -- $portstatus"
            }
        }
    }
    # Close the CLI
    if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
        error $result $errorInfo
    }
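The same parsing can be done offline over captured output, which is useful when the EEM MAXRUN limit mentioned above bites on large stacks, or when you want to answer "which port last saw this MAC" across many switches from a central box. The following is an added example and not the thread's script or any Cisco tool; the `show` outputs are constructed samples in the two "Last Source Address" formats the post describes, and the treatment of an all-zero address as "nothing learned yet" is an assumption.

```python
import re

# Constructed "show interfaces summary | inc Ethernet" output (not from a real
# switch). A leading "*" marks interfaces that are up.
SHOW_INT_SUMMARY = """\
* GigabitEthernet1/0/1      0     0     0     0     0     0     0     0     0
  GigabitEthernet1/0/2      0     0     0     0     0     0     0     0     0
* GigabitEthernet1/0/3      0     0     0     0     0     0     0     0     0
"""

# Constructed "show port-security interface <port>" outputs in the two
# formats the thread describes (older single field, newer Address:Vlan).
PORT_SEC = {
    "GigabitEthernet1/0/1": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Last Source Address        : d4be.d995.8159
Last Source Address VlanId : 455
""",
    "GigabitEthernet1/0/2": """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Restrict
Last Source Address:Vlan   : 001d.e5ea.a1d5:6
""",
    "GigabitEthernet1/0/3": """\
Port Security              : Disabled
Port Status                : Secure-down
""",
}

ENABLED  = re.compile(r"Port Security\s+:\s+Enabled")
STATUS   = re.compile(r"Port Status\s+:\s+(\S+)")
LAST_OLD = re.compile(r"Last Source Address\s+:\s+([0-9a-fA-F.]+)")
OLD_VLAN = re.compile(r"Last Source Address VlanId\s+:\s+(\d+)")
LAST_NEW = re.compile(r"Last Source Address:Vlan\s+:\s+([0-9a-fA-F.]+):(\d+)")


def normalize_mac(mac):
    """Canonical Cisco dotted form so 'D4:BE:D9:95:81:59' and 'd4be.d995.8159' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def list_ethernet_ports(summary):
    """Interface names from the summary, mirroring the script's strip-'*' logic."""
    ports = []
    for line in summary.splitlines():
        line = line.replace("*", "").strip()
        if line:
            ports.append(line.split()[0])
    return ports


def parse_port_security(text):
    """Return {'status', 'mac', 'vlan'} for a port-security-enabled port with a
    last-seen address, or None when port security is off or nothing was seen."""
    if not ENABLED.search(text):
        return None
    status = STATUS.search(text)
    m = LAST_NEW.search(text)
    if m:
        mac, vlan = m.group(1), int(m.group(2))
    else:
        m = LAST_OLD.search(text)
        if not m:
            return None
        v = OLD_VLAN.search(text)
        mac, vlan = m.group(1), (int(v.group(1)) if v else None)
    mac = normalize_mac(mac)
    if mac == "0000.0000.0000":       # assumption: all-zero means nothing learned yet
        return None
    return {"status": status.group(1) if status else None, "mac": mac, "vlan": vlan}


def last_macs(summary, outputs):
    """Map port -> last-seen record over all Ethernet ports, skipping ports
    without port security or without a recorded address."""
    table = {}
    for port in list_ethernet_ports(summary):
        rec = parse_port_security(outputs.get(port, ""))
        if rec:
            table[port] = rec
    return table


def find_port_for_mac(table, mac):
    """Ports that last saw this MAC (the lookup the original poster wanted)."""
    wanted = normalize_mac(mac)
    return [port for port, rec in table.items() if rec["mac"] == wanted]


if __name__ == "__main__":
    table = last_macs(SHOW_INT_SUMMARY, PORT_SEC)
    for port, rec in table.items():
        print(f"Last MAC for {port} is {rec['mac']} -- {rec['status']} (vlan {rec['vlan']})")
    print("d4be.d995.8159 was last on:", find_port_for_mac(table, "D4:BE:D9:95:81:59"))
```

Feeding real captures into `PORT_SEC` is a matter of keying each `show port-security interface` output by interface name; the regexes are the same ones the Tcl script uses, so both paths agree on which line is the address.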

  • Cisco Prime Infrastructure 2.0 Alarms (switch port down)

    We have a cisco Prime Infrastructure 2.0 managing switches, routers and AP.
    By default, when a port of a switch goes down, the cisco Prime Infrastructure generates a Critical Alarm for that. (This is a problem, because every phone or laptop disconnection will generate a critical alarm for me.)
    I found out that if we go to Administration --> Alarm Severity --> Link down, I can change the Alarm from Critical to another type of alarm.(ex: warning)
    The problem is that I want to keep the Critical Alarm for my Uplinks ports and for some important switch ports, and I would like to make the alarm as warning for the normal user ports.
    I know that I can create Port Grouping and add ports to each group and apply monitoring templates on those groups. But this couldn't help me solve my alarm problem.
    So I just need to know how to manage the alarms severity for each group of ports.
    Thank you

    Hi,
    Same problem here.
    I am using Cisco Prime Infrastructure 2.0 (evaluation version for 60 days). I want to deploy port monitoring for my trunk ports between switches and some other important ports e.g. servers. Basically I want to get alarms when these ports are down, there are errors on ports and etc.
    So in Design>Port Grouping I created User Defined group with important ports. In Deploy>Monitoring Deployment I selected Interface Health (default)>Deploy selected Port Groups and when selected port group I created.
    Now the rule shows Deployed: Yes and Status: Active. After that I just pulled out one port which was in the monitored group, waited 5min as it is set in the Interface Health (default) template, and nothing happened, and worse, alarms started to show up for other ports where regular users are connected (computers were turned off), which I do not want to see at all. I tried to redeploy the template, I even created my own template but still no desired result.
    Any suggestions how to make port monitoring work?

  • LMS 4.2 - How do I find switch ports that are configured as trunks.

    I've been tasked with finding all switch ports that are configured as Trunks. We plan to use LMS 4.2 to push (via Netconfig) new interface level commands to all user (non-trunked) ports. From my experience, this poses a problem because we do not know which ports are configured as trunks -vs- user ports.
    Using Netconfig is not going to be easy since there is no way to script this. It would be great if I could run a show command on a switch and then have CWSI perform a change based upon the output.
    In other words, we need a way to run a job based upon the output of a command.
    Is there a section of LMS that I could use for help with this?
    Thanks,

    You need to go to Monitoring>Dashboard. Here just click the switch in the listed devices and then click the interface; you will find all the down and up interfaces with the type of configuration (i.e. Trunk or Access).

  • Switch port in dot1x multi-auth mode stops passing traffic

    Dear All,
    I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
    interface GigabitEthernet2/34
    switchport mode access
    ip arp inspection limit rate 30
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 6
    spanning-tree portfast
    ip verify source vlan dhcp-snooping
    end
    It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
    Did anyone experience a similar problem? Any advice?
    Thanks.
    Mirek

    We have the same issue on 3750E switch running 12.2.(58)SE

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about the MAC Move and MAC Replace features but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    My configuration we have on the switch ports look as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • Lwapp capwap AP to act as a supplicant on a 802.1x enabled switch port

    Hi
    All our switchports are configured to validate the connected device with 802.1x.
    However, when a wireless access point that is running FlexConnect is connected, I have to make a "mac bypass" on the AP mac address and add the multihost command to the port config.
    I would really like to move away from the mac bypass, but keep the multihost command, and install a certificate on the AP. Has anyone any ideas about how to get the AP itself to auth?

    Hi,
    The AP can act as 802.1x supplicant if it is connected to a 802.1x enabled switch port.
    Cisco unified APs however support only EAP-FAST as the EAP method.
    Here is a config example, hope it'll be useful.
    http://goo.gl/HMbiHL
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Switch port configuration for 3500i AP

    Hi,
    We are due to install a brand new enterprise WLAN based on the WiSM2 platform, 3502i AP and WCS. The APs will be plugged into the 2960S-24TPS-L.
    I have scanned over all documentation and cannot for the life of me find a recommended switch port configuration for connecting the AP to the switch in terms of speed / duplex etc. For example, should I just configure the port to auto detect, or is forcing the speed / duplex the way to go. I could also do with knowing other best practice configurations for AP connectivity.
    Any help would be greatly appreciated.
    Chris.

    The AP comes online with just auto detect, but I want to know if there are any benefits to forcing this to 1Gbps / Full duplex, or even if this is the right way to go. I suspect auto detect is the best method.

  • Template(best practice) for Switch ports

    Hi,
    Looking for best practice advice on switchport config for client facing ports.
    We recently had an incident where an access port turned into a trunk(trunk mode desirable), which we obviously do not want to happen again!
    For Access Ports(First two should stop DTP I'm hoping?):
    switchport mode access
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree guard root
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 10
    And for trunk ports to clients:
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan xxx,xxx
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree bpdufilter enable
    spanning-tree guard root
    Thanks in advance.

    Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
    That's Cisco's branch design doc from Design Zone.
    For those that want a fast answer:
    For VoIP phones and PC:
    interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
    description phone with PC connected to phone
    switchport access vlan 102
    switchport mode access
    switchport voice vlan 101
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    mls qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    For data only:
    interface GigabitEthernet1/0/24- interface GigabitEthernet1/0/28
    description DATA only ports
    switchport access vlan 102
    switchport mode access
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    That's Cisco's recommendation.
    And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs in a switch into your environment, shut the port down. . .that makes it hard for them to do anything malicious.
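The incident that started this thread (an access port negotiating itself into a trunk) is the kind of drift a config audit catches before it bites. The following is an added example, not code from the thread or from Cisco: it parses interface stanzas out of a running-config and flags user ports that deviate from the hardening points discussed above (access mode, `switchport nonegotiate`, port security, and BPDU guard rather than BPDU filter on portfast ports). The running-config excerpt is a constructed sample, and which items count as findings is this example's choice, based on the two templates quoted in the thread.

```python
import re

# Constructed running-config excerpt (not the poster's real config): one
# hardened user port, one user port with DTP still enabled, one uplink.
RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/5
 description user port, hardened
 switchport access vlan 102
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
 description user port, DTP left on
 switchport access vlan 102
 switchport mode dynamic desirable
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/48
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from IOS-style text."""
    ifaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None          # "!" or any top-level line ends the stanza
    return ifaces


def audit_access_port(lines):
    """Findings for one stanza that is meant to be a user-facing access port."""
    findings = []
    present = set(lines)
    if "switchport mode access" not in present:
        findings.append("mode is not access (DTP can negotiate a trunk)")
    if "switchport nonegotiate" not in present:
        findings.append("switchport nonegotiate missing")
    if "spanning-tree portfast" in present and "spanning-tree bpduguard enable" not in present:
        findings.append("portfast without bpduguard")
    if "spanning-tree bpdufilter enable" in present:
        findings.append("bpdufilter hides BPDUs instead of err-disabling the port")
    if not any(l.startswith("switchport port-security") for l in lines):
        findings.append("port-security not enabled")
    return findings


def audit_config(config, uplinks=()):
    """Audit every non-trunk interface; returns {name: findings} for ports with issues.
    `uplinks` lets you exempt known trunk ports by name."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if name in uplinks or "switchport mode trunk" in lines:
            continue                # trunk ports have their own template
        findings = audit_access_port(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(RUNNING_CONFIG).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against `show running-config` output collected by LMS/Netconfig or any other archive, the report gives the list of ports still in `dynamic desirable` or `dynamic auto` mode, which is exactly the set that can turn into a trunk again.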
