1. Always use VLAN to create collision domain to limit broadcast traffic. Remember that VLAN1 is the admin VLAN which is used for administrative purposes and avoid using VLAN1 to prevent hackers from plugging into unused ports to communicate with the rest of the network.
2. Avoid using autotrunking mode. Dynamic Trunking Protocol allows VLAN-Hopping attacks where hackers are able to communicate in various VLANs. Assign trunk interface to the native VLAN other than VLAN 1
3. Make sure Spanning Tree Protocol is mitigated from attacks. Enable portfast, bpdufiler, bpduguard, and root guard on the switches.
4. Disable all unused ports on the switch to prevent hackers from plugging into unused ports to communicate with the rest of the network.
5. Turn off VLAN Trunking Protocol if not in used. If required, VTP should be used with passwords enabled.
6. Review the network or configuration to limit thresholds for multicast and broadcast traffic on switch ports.
The Hacka Man