After much research I have decided on the following configuration methodologies for various switchports and global entries:
no cdp enable
switchport mode access
switchport port-security aging time 1
!** Causes mac-address-table to age out mac entries port-security in one second. ie you can add another mac address to the port in 1 second and port security won't kick in, but if you get to 200 entries, it will block the port. This effectively prevents the CAM from being flooded, which turns the switch into a hub, which might be used by someone plugging into an available port to set up a situation where vlan bleeding can occur.
storm-control broadcast level 75.00 20.00
storm-control multicast level 80.00 20.00
storm-control action shutdown
spanning-tree bpduguard enable
errdisable recovery cause all
errdisable recovery interval 30
spanning-tree loopguard default
spanning-tree vlan 1 priority 61440 !*** I never want this switch to be root.
Never use BPDU filter. You want to be able to see another switch, should someone accidently plug one in.
Do not use bpduguard on your L2 uplinks.
Do not use switchport mode access on your L2uplinks.
Use switchport and switchport access vlan # on your L2 uplinks.