Hello,

I wanted to ask some advice on a concept that has bothered me for a while.

I have been deploying cisco SG300 series switches in our network infrastructures that we build out for a while now, but i would like to make some adjustments in regards to security.  Here is the general idea of our existing network layouts:

Core switch:

Management VLAN: 1
1 trunk port going to our router
   -native VLAN 1
   -tagged vlans 999-1500
trunk ports going to other switches in the network
   -native VLAN 1
   -tagged vlans 999-1500

Edge switches:

Management VLAN 1
1 trunk port going back to core switch
   -native VLAN 1
   -tagged vlans 999-1500
Remainder of ports are trunk ports which connect wireless access points
   -native VLAN 1
   -tagged vlans 999-1500
   -wireless users may be on any VLAN between 999-1500 (assigned dynamically by radius server)

My goal is to tighten up security in order to prevent VLAN hopping.

I am thinking of the following changes specifically:

-change switch management VLAN to 99
-change access point ports to have native VLAN of 99
-change interswitch uplink ports native VLAN to something else (10)

My questions are:

Should I change the switch management VLAN to 10 instead?  or 99?
Will this prevent VLAN hopping as intended?
Should i configuring the ports to send default-vlan traffic as tagged instead of untagged (switchport default-vlan tagged)?
Am I misunderstanding something?

thanks in advance for any help/suggestions!