a) interfaces that are pointing towards other monitored nodes using LLDP
i.e. these (SWQL custom query resource):
SELECT n1.ipaddress, LocalPortNumber, RemoteSystemName, RemotePortDescription
FROM Orion.NodeLldpEntry NLE inner join orion.nodes N1
inner join orion.nodes N2
left outer join Orion.NPM.Interfaces i
on i.interfaceindex = nle.localportnumber and i.nodeid=nle.nodeid
where i.interfaceid is null
b) interfaces that are pointing towards the spanning-tree root
(I haven't figured out which interfaces these are in solarwinds, and I mostly don't care because LLDP provides the right information.)
c) all interfaces ON the spanning-tree root (because in my environment this is an aggregation switch and this should only be interfaces pointing towards edge switches or the routers.
d) Unfortunately we have many (probably over 5000) users who have connected their own switch, otherwise I'd suggest interfaces that have more than one MAC address in the bridge table, since that probably points to a switch that should be monitored, or a VM host, or a switch fabric inside a blade chassis.
I monitor uplink ports and any ports that have something worth monitoring connected such as servers etc.
All physical ports with all except uplinks set to unpluggable.
VLan ports because that's where our netflow is reporting from.
maybe I should monitor loopback since its the trap source but I did not find it likely that loopback would be explicitly shutdown, node still polling, but not sending traps.
Similar to superfly99, typically WAN ports, uplink/trunk ports, and ports connected to important servers/devices.