Aruba Central 6300M Spanning-Tree vs loop-protect

  • 1.  Aruba Central 6300M Spanning-Tree vs loop-protect

    Posted Oct 16, 2023 07:27 PM

    So I have 6300M switches in Aruba Central and I configure them via multi-edit.  I want to enable spanning-tree on all the ports except, I believe, the trunk ports?  Is that correct?  What I don't understand is that if I did not enable STP on trunk ports, that would include lots of ports, since all my desktop/phone ports are configured as trunks:

        description Desktop & Phone
        no shutdown
        no routing
        vlan trunk native 205
        vlan trunk allowed 205-206

    vlan 205 being my data port and 206 being my voice port

    I also have a trunk for my Aruba AP ports:

        description **Aruba535-BackHall-2**
        no shutdown
        no routing
        vlan trunk native 206
        vlan trunk allowed 205-206,999

    Next question.  Can I do the commands:

    spanning-tree vlan 205

    spanning-tree vlan 206

    Would that put spanning tree on all ports with those VLANs?

    Also, when would I use STP vs the loop-protect command?  What is the difference?

    Last question: should I put bpdu guard or bpdu filter on each port, or only on desktop/voice ports?  Which one should I use?



  • 2.  RE: Aruba Central 6300M Spanning-Tree vs loop-protect

    Posted Oct 17, 2023 04:28 PM

    Hi there dklein@mahealthcare.com,

    Spanning Tree's main function is to avoid loops inside the network. Now, I have seen several clients that just leave STP enabled and nothing else. That is incorrect, because STP should only be enabled on my upstream ports (interconnection ports between switches); on the rest of the user ports, certain STP security features must be enabled, which tell the switch that those ports go directly to the forwarding state without going through any previous STP state, and if for some reason one of the user ports receives a BPDU packet, that port will be blocked by the security features I mention. Here are the two commands:

    interface 1/1/13
        no shutdown
        no routing
        vlan trunk native 205
        vlan trunk allowed 205-206
        spanning-tree bpdu-guard              (BPDU guard)
        spanning-tree port-type admin-edge    (in Aruba it is known as admin-edge; in Cisco it is called PortFast)


    Now, to answer your questions: the user and AP ports can be left enabled with the STP security features as indicated (spanning-tree bpdu-guard and spanning-tree port-type admin-edge).

    My recommendation is to enable MSTP, as it is an enhancement of the STP protocol. Here is the command to configure it via the CLI.

    switch(config)# spanning-tree mode mstp

    Regarding the difference between loop-protect and spanning tree, I invite you to read this page published by the manufacturer, which will completely clarify your doubts:

    https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/l2_bridging_4100i-6000-6100-6200/Content/Chp_loop_pro/int-wit-oth-pro.htm

    Greetings 




  • 3.  RE: Aruba Central 6300M Spanning-Tree vs loop-protect

    Posted Oct 18, 2023 10:32 AM

    Desktop/Phone:
        no shutdown
        no routing
        vlan trunk native 205
        vlan trunk allowed 205-206
        spanning-tree bpdu-guard
        spanning-tree port-type admin-edge

    AP Port:
        description **Aruba 535 BackHall-VC**
        no shutdown
        no routing
        vlan trunk native 206
        vlan trunk allowed 205-206,999
        spanning-tree bpdu-guard
        spanning-tree port-type admin-edge

    I put in the command spanning-tree mode mstp to also globally put STP on the switch? Correct?
    No need to do loop-protect on any ports?


    I have a trunk port which goes from our switch to a Palo Alto firewall, currently configured like this:

    interface 1/1/48
        description **Trunk from Aruba 6300 to PA440**
        no shutdown
        no routing
        vlan trunk native 1
        vlan trunk allowed 205-206,999


    Do you recommend bpdu guard and portfast on this port like desktop/phone, or what do you recommend?

    You mentioned:
    That is incorrect, because STP should only be enabled on my upstream ports (interconnection ports between switches); on the rest of the user ports, certain STP security features must be enabled, which tell the switch that those ports go directly to the forwarding state without going through any previous STP state, and if for some reason one of the user ports receives a BPDU packet, that port will be blocked by the security features I mention.


    When you say upstream ports or interconnection ports between switches, are you referring to ports with DAC cable connections in a stack and also LAG ports (port-channel)?
    What do you recommend adding on those ports?
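Added example, not code from the thread, from Aruba or from Aruba Central: a small Python audit that checks an AOS-CX running-config against the layout the second reply recommends (user and AP ports get `spanning-tree port-type admin-edge` plus `spanning-tree bpdu-guard`, inter-switch ports get neither, MSTP is the global mode) and that the third post's interface configs follow. Assumptions: the config text is constructed from the fragments posted in the thread, with an invented `lag 1` and uplink `1/1/47` added to exercise the inter-switch checks; which interfaces are edge and which are inter-switch is a mapping the operator supplies, so the firewall trunk `1/1/48`, which the thread does not settle, is reported as unclassified rather than judged; and the global `spanning-tree` line is treated as the AOS-CX command that enables the protocol, with `spanning-tree mode mstp` only selecting the flavour.

```python
import re

# Per-port hardening the reply recommends for user/AP (edge) ports.
EDGE_REQUIRED = ("spanning-tree port-type admin-edge",
                 "spanning-tree bpdu-guard")
# bpdu-filter stops the port sending and processing BPDUs, so a loop through
# it is invisible to STP; the reply recommends bpdu-guard instead.
EDGE_FORBIDDEN = ("spanning-tree bpdu-filter",)
# Inter-switch ports (uplinks, LAGs) must take part in STP normally.
UPLINK_FORBIDDEN = ("spanning-tree port-type admin-edge",
                    "spanning-tree bpdu-guard",
                    "spanning-tree bpdu-filter")
# Assumption (see lead-in): 'spanning-tree' enables STP globally on AOS-CX,
# 'spanning-tree mode mstp' only selects the mode.
GLOBAL_REQUIRED = ("spanning-tree", "spanning-tree mode mstp")

# Constructed sample config. 1/1/13, the AP port and 1/1/48 come from the
# thread; 'lag 1' and 1/1/47 are invented to exercise the inter-switch rules.
SAMPLE_CONFIG = """\
spanning-tree
spanning-tree mode mstp
interface lag 1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
interface 1/1/13
    description Desktop & Phone
    no shutdown
    no routing
    vlan trunk native 205
    vlan trunk allowed 205-206
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
interface 1/1/20
    description Aruba535-BackHall-2
    no shutdown
    no routing
    vlan trunk native 206
    vlan trunk allowed 205-206,999
    spanning-tree port-type admin-edge
interface 1/1/47
    description uplink to core (invented for the example)
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
interface 1/1/48
    description **Trunk from Aruba 6300 to PA440**
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 205-206,999
"""

# Operator-supplied role mapping (assumption); 1/1/48 is deliberately absent.
EDGE = {"1/1/13", "1/1/20"}
UPLINKS = {"lag 1", "1/1/47"}


def parse_config(text):
    """Split an AOS-CX running-config into column-0 global lines and a dict of
    interface name -> list of its indented command lines."""
    global_lines, ifaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():            # indented: belongs to the open block
            if current is not None:
                ifaces[current].append(raw.strip())
            continue
        line = raw.strip()
        m = re.match(r"^interface (.+)$", line)
        if m:                           # 'interface 1/1/13', 'interface lag 1'
            current = m.group(1)
            ifaces[current] = []
        else:                           # any other column-0 line ends a block
            current = None
            global_lines.append(line)
    return global_lines, ifaces


def audit(text, edge, uplinks):
    """Return sorted (scope, finding) tuples; an empty list means the config
    matches the recommended layout for every classified interface."""
    global_lines, ifaces = parse_config(text)
    findings = []
    for cmd in GLOBAL_REQUIRED:
        if cmd not in global_lines:
            findings.append(("global", f"missing '{cmd}'"))
    for name, cmds in ifaces.items():
        if name.startswith("vlan "):    # SVIs carry no STP port settings
            continue
        if name in edge:
            for cmd in EDGE_REQUIRED:
                if cmd not in cmds:
                    findings.append((name, f"edge port missing '{cmd}'"))
            for cmd in EDGE_FORBIDDEN:
                if cmd in cmds:
                    findings.append((name, f"edge port has '{cmd}'"))
        elif name in uplinks:
            for cmd in UPLINK_FORBIDDEN:
                if cmd in cmds:
                    findings.append((name, f"inter-switch port has '{cmd}'"))
        else:
            findings.append((name, "unclassified: decide edge vs inter-switch"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG, EDGE, UPLINKS):
        print(f"{scope:8} {finding}")
```

Run against the sample it reports the AP port missing bpdu-guard, the invented uplink carrying edge-only settings, and the firewall trunk as needing a decision, while `1/1/13` and `lag 1` pass. Feeding it a `show running-config` capture from a real 6300M, with the edge and uplink sets filled from the descriptions, gives a quick way to confirm that a multi-edit push landed the intended lines on every port.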