• Use one to three VLANs per access module, and limit those VLANs to a couple of access switches and the distribution switches.
• Avoid using VLAN 1 as the "blackhole" for all unused ports. Assign unused ports to a dedicated VLAN separate from VLAN 1, and keep them shut down until they are needed.
• Separate the voice VLANs, data VLANs, the management VLAN, the native VLAN, the blackhole VLAN, and the default VLAN (VLAN 1).
• Avoid VTP when using local VLANs (run it in transparent mode, or off where the platform supports it); configure the allowed VLANs on each trunk manually instead.
• For trunk ports, turn off Dynamic Trunking Protocol (DTP) and configure trunking statically. Use IEEE 802.1Q rather than ISL: it is the standard protocol and has better support for QoS.
• Manually configure every port that is not specifically intended for a trunk link as an access port, so it never negotiates a trunk.
• Keep all data traffic off VLAN 1; only control protocols should run on it (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, and so on).
• Avoid Telnet, which carries credentials and sessions in clear text; enable SSH for management access on the management VLAN.
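The items above describe one hardening procedure for a switch, and the usual way to enforce them is to audit the running configuration. The following is an added example (not code from the original document, and not any vendor's tool): a small checker that parses an IOS-style configuration and reports each port or global setting that breaks a checklist item (DTP left on, ISL instead of 802.1Q, native or allowed VLANs left at VLAN 1, access ports left in VLAN 1, VTP in server or client mode, Telnet on the vty lines). The configuration text, the interface names and the rule tags are constructed for illustration; the check that a missing `vtp mode` line means the default server mode reflects the Catalyst default.

```python
"""Audit an IOS-style switch config against the VLAN checklist above.  Added
example for this page (not the document's or any vendor's code); the sample
configuration is constructed for illustration."""
from collections import namedtuple

# Constructed sample: 'vtp mode server', Gi1/0/1, Gi1/0/2 and the vty line
# violate the checklist; Gi1/0/3 and Gi1/0/4 are a hardened trunk and a
# hardened blackhole port.
SAMPLE_CONFIG = """\
vtp mode server
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation isl
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 998
 shutdown
!
line vty 0 4
 transport input telnet ssh
"""

# where: "global", an interface name, or the vty line header; rule: checklist tag
Finding = namedtuple("Finding", "where rule detail")

def parse_sections(config):
    """(header, [indented children]) pairs; '!' or a blank line ends a section."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw[0] in " \t" and current is not None:
            current[1].append(raw.strip())
        elif raw[0] not in " \t":
            current = (raw.strip(), [])
            sections.append(current)
    return sections

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-3,10' (or 'all'/'none') into a set."""
    if spec in ("all", "none"):
        return set(range(1, 4095)) if spec == "all" else set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def _first(children, prefix):
    """Argument of the first child line equal to prefix or starting with it."""
    for line in children:
        if line == prefix or line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def audit_interface(name, children):
    """Per-port rules: DTP off, 802.1Q not ISL, trunk VLANs set by hand, no VLAN 1."""
    f, mode = [], _first(children, "switchport mode")
    if mode is None or mode.startswith("dynamic"):   # default mode negotiates
        f.append(Finding(name, "dtp", "DTP active; set mode access or trunk"))
    elif mode == "trunk" and _first(children, "switchport nonegotiate") is None:
        f.append(Finding(name, "dtp", "trunk still sends DTP; add nonegotiate"))
    if _first(children, "switchport trunk encapsulation") == "isl":
        f.append(Finding(name, "isl", "ISL trunk; use encapsulation dot1q"))
    if mode == "trunk":
        if _first(children, "switchport trunk native vlan") in (None, "1"):
            f.append(Finding(name, "native-vlan-1", "native VLAN is 1"))
        allowed = _first(children, "switchport trunk allowed vlan")
        if allowed is None or 1 in expand_vlans(allowed):
            f.append(Finding(name, "vlan1-on-trunk", "VLAN 1 carried on trunk"))
    if mode == "access" and _first(children, "switchport access vlan") in (None, "1"):
        f.append(Finding(name, "access-vlan-1", "access port left in VLAN 1"))
    return f

def audit(config):
    """Run every rule over a config; findings come back in config order."""
    f, saw_vtp = [], False
    for header, children in parse_sections(config):
        if header.startswith("vtp mode "):
            saw_vtp = True
            if header.split()[2] in ("server", "client"):
                f.append(Finding("global", "vtp", "VTP %s; use transparent or off" % header.split()[2]))
        elif header.startswith("interface "):
            f.extend(audit_interface(header.split()[1], children))
        elif header.startswith("line vty"):
            transport = _first(children, "transport input")
            if transport is None or transport == "all" or "telnet" in transport.split():
                f.append(Finding(header, "telnet", "Telnet reachable; use transport input ssh"))
    if not saw_vtp:   # absent from running-config because server is the default
        f.append(Finding("global", "vtp", "no vtp mode line; IOS defaults to server"))
    return f
```

Running `audit(SAMPLE_CONFIG)` reports five findings: the VTP server mode, DTP and ISL on Gi1/0/1, DTP on Gi1/0/2 (which also lands in VLAN 1 the moment it comes up as an access port), and Telnet on the vty line; the hardened trunk and the shut-down blackhole port produce none. The allowed-VLAN check expands ranges such as `1-4094` rather than string-matching, because a trunk that carries VLAN 1 in a range is just as much a violation of the "no data traffic on VLAN 1" item as one that lists it explicitly.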