@JQueiroz wrote: If you have full confidence that this will never occur, then you can just ignore these options, set up your switches and be happy.
The OP should not have such level of confidence, in any case (I mean: no matter neither the confidence level it is believed to have nor the contrary).
If I were the OP I would act at two levels:
- at Core level (Where STP Root should be placed)
- at Distribution/Access levels
At Core level: at least enforce the planned STP Topology by protecting the STP Root position through root-guard feature applied on each port used as downlink to any downstream Distribution/Access Switches.
The purpose is nicely summarized here:
"Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to 0 in an effort to secure the root bridge position. The root guard feature provides a way to enforce the root bridge placement in the network. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state and no traffic can be forwarded across this port while it is in this state. To enforce the position of the root bridge it is imperative that root guard is enabled on all ports where the root bridge should never appear."
At Distribution/Access levels (where it is supposed edge devices are/will be connected): some STP releated featurs such as bpdu-protection, admin-edge-port, point-to-point-mac and loop-protect can be used as protection mechanisms based on switch port type and purpose (as example, interfaces used for uplinks to Core would be set with point-to-point-mac true...instead loop-protect, bpdu-protection and admin-edge-port would be used and enabled on every port that as an end device connected).
Edit: what is reported above is referred to (HP ProVision of ProCurve line) ArubaOS-Switch based switches.