
Saturday, July 14, 2018

According to the Cisco SAFE blueprint, the following points should be considered to maintain a secure Layer 2 infrastructure.

01. Disable dynamic discovery and negotiation protocols such as CDP and DTP on user/access ports, so an attacker cannot learn the topology or negotiate a trunk from an access port.
02. Enable BPDU Guard on access ports and Root Guard on ports that must never lead towards the root bridge, to prevent STP manipulation (rogue root bridge) attacks.
03. Use Dynamic ARP Inspection (DAI) to block ARP spoofing, or Private VLANs to isolate hosts from each other, so traffic cannot be redirected and sniffed.
04. Enable port security, at a minimum to limit the number of MAC addresses allowed per port (this also blunts CAM table flooding).
05. Use DHCP Snooping (with per-port rate limiting) and IP Source Guard to prevent rogue DHCP servers, DHCP starvation/DoS and IP-spoofing based MITM attacks.
06. Disable VTP (transparent or off mode) or, if it is used, configure a VTP password on every switch in the domain.
07. Shut down unused switch ports and assign them to an unused VLAN.
08. Avoid using VLAN 1 for user or management traffic.
09. Do not carry user traffic on the native VLAN of trunks; set the native VLAN to an otherwise unused VLAN ID and tag it where the platform supports it.
10. Configure storm control to rate-limit broadcast, multicast and unknown-unicast traffic on access ports.
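The checklist above names the features but not the commands. The following Cisco IOS (Catalyst) configuration is an added example written for this post; it is not taken from the Cisco SAFE document. Interface numbers, VLAN IDs (10 and 20 for users, 998 for the native VLAN, 999 for parked ports), the VTP password and the storm-control thresholds are assumptions and must be adapted to your environment. Private VLANs (the alternative in item 03) are left out because DAI is shown instead.

```cisco
! ===== Global hardening (items 01, 02, 03, 05, 06, 08, 09) =====
no cdp run                                  ! 01: CDP off globally (re-enable per uplink if needed)
vtp mode transparent                        ! 06: switch neither advertises nor learns VLANs via VTP
vtp domain EXAMPLE-DOMAIN                   !     assumed domain name
vtp password S3cureVtpP@ss                  !     assumed password; only matters if VTP is left on
spanning-tree portfast bpduguard default    ! 02: BPDU Guard on every PortFast (access) port
ip dhcp snooping                            ! 05: build the DHCP binding table
ip dhcp snooping vlan 10,20                 !     assumed user VLANs
ip arp inspection vlan 10,20                ! 03: DAI validates ARP against the snooping table
ip arp inspection validate src-mac dst-mac ip
vlan dot1q tag native                       ! 09: tag native VLAN frames on trunks (where supported)
!
vlan 10
 name USERS
vlan 20
 name PRINTERS
vlan 998
 name TRUNK-NATIVE-UNUSED                   ! 09: native VLAN carries no user traffic
vlan 999
 name PARKING                               ! 07: home for shut-down ports
! VLAN 1 is intentionally not assigned to any port (item 08)
!
! ===== User / access ports (items 01, 02, 03, 04, 05, 10) =====
interface range GigabitEthernet1/0/1 - 24   ! assumed port range
 description USER-ACCESS
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate                     ! 01: DTP off; port cannot be talked into trunking
 no cdp enable                              ! 01: belt-and-braces per port
 spanning-tree portfast
 spanning-tree bpduguard enable             ! 02: err-disable on any received BPDU
 switchport port-security                   ! 04: limit MAC addresses
 switchport port-security maximum 2         !     e.g. phone + PC; assumed value
 switchport port-security violation restrict
 switchport port-security aging time 10
 ip dhcp snooping limit rate 15             ! 05: throttle DHCP requests (starvation/DoS)
 ip verify source                           ! 05: IP Source Guard, needs DHCP snooping binding
 ip arp inspection limit rate 15            ! 03: throttle ARP on untrusted ports
 storm-control broadcast level 1.00         ! 10: percent of bandwidth; assumed thresholds
 storm-control multicast level 1.00
 storm-control unicast level 5.00
 storm-control action trap
!
! ===== Unused ports (item 07) =====
interface range GigabitEthernet1/0/25 - 46
 description UNUSED-PARKED
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! ===== Downlink to another access switch (item 02, Root Guard) =====
interface GigabitEthernet1/0/47
 description DOWNLINK-TO-ACCESS-SW2
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 spanning-tree guard root                   ! 02: this port must never become the root port
!
! ===== Uplink trunk towards distribution (items 01, 05, 09) =====
interface GigabitEthernet1/0/48
 description UPLINK-DIST
 switchport mode trunk                      ! add "switchport trunk encapsulation dot1q" first on
 switchport trunk native vlan 998           !   platforms that also support ISL
 switchport trunk allowed vlan 10,20        ! 09: explicit allow list, native VLAN not included
 switchport nonegotiate                     ! 01: static trunk, no DTP
 ip dhcp snooping trust                     ! 05: only the uplink may source DHCP offers
 ip arp inspection trust                    ! 03: ARP from the distribution layer is trusted
```

Verify the result with `show ip dhcp snooping`, `show ip arp inspection vlan 10`, `show port-security`, `show storm-control` and `show spanning-tree summary`; BPDU Guard and port-security violations show up as err-disabled ports in `show interfaces status err-disabled`. Note that IP Source Guard and DAI both depend on a populated DHCP snooping binding table, so statically addressed hosts need `ip source binding` entries or ARP ACLs before those two features are turned on, otherwise they are cut off.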

Reference: Cisco SAFE Blueprint