I agree with the best practices as described by the previous post. That is very helpful... a few key points that I think should be added is:
1. Enable spanning-tree root guard
or Hard code the spanning-tree root bridge
2. BPDU-guard to avoid possible L2 loops if someone plugs in a brainless Netgear switch into two different VLANs.
3. Enable DHCP snooping (if using as access switch, if someone's workstation becomes a DHCP server... you will see lots of fun there if this isnt enabled).
4. VLAN Pruning and VTP domain passwords, so if another switch out-of-box is connected. Unable to join VTP or modify existin VLAN database automatically, etc.
5. Port-Security for max mac addresses recorded per port. It will help in preventing MAC flooding DoS and also prevent additional unauthorized switches to be inserted into the network without your knowledge.
