VLAN best practices: Change native VLAN from 1 to unused VLAN, disable DTP (Dynamic Trunking Protocol) on access ports, manually configure trunks, prune unused VLANs from trunks, document VLAN purpose.
VLAN 1 is the default native VLAN; change it to prevent double-tagging attacks. DTP auto-negotiates trunking; disable it on all access ports to prevent unauthorized trunk establishment. The native VLAN must match on both ends of a trunk (a mismatched native VLAN results in a VLAN mismatch and connectivity issues).