Firewall build (part 3) VLAN Security

Since I plan on using VLANs on the WiFi Access Points to separate guest vs friend vs trusted traffic, I need to make sure that I'm doing VLANs in a secure fashion and not leaving any large holes.

The primary recommendations from the listed sources are:

• Don't use VLAN 1 (the default VLAN) for anything
• Any ports that do VLAN trunking should use a dedicated VLAN ID
• Do explicit tagging of the native VLAN on trunking ports
• Set all end-user ports to non-trunking (a.k.a. "access ports"?)
• Disable unused ports and put them in a separate VLAN
• Disable Spanning Tree Protocol (STP) on end-user ports
• Use MD5 authentication for Virtual Trunking Protocol (VTP)
• Physically secure the switch and control access to the management functions

Reference Links:

1. Virtual LAN Security: weaknesses and countermeasures (SANS)
2. VLAN Hacking (InfoSec Institute)
3. VLAN Hopping (Wikipedia)