Turn off DTP.

Use port security

Assign it to an unused VLAN.

Assign the same VLAN number as the management VLAN.

all end-user ports

only ports that attach to a neighboring switch

all trunk ports that are not root ports

only ports that are elected as designated ports

shutdown

ip dhcp snooping

switchport port-security mac-address sticky

switchport port-security violation shutdown

switchport port-security mac-address sticky mac-address

port security

extended ACL

DHCP snooping

DHCP server failover

strong password on DHCP servers

Disable STP on all nontrunk ports.

Use ISL encapsulation on all trunk links.

Use VLAN 1 as the native VLAN on trunk ports.

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

Enable port security globally.

Enable DHCP snooping on selected VLANs.

Enable DAI on the management VLAN.

Enable IP Source Guard on trusted ports.

unknown port

untrusted port

unauthorized port

trusted DHCP port

authorized DHCP port