On the access ports connecting to end devices (Fa0/1, Fa0/2, etc.), you need to lock down the MAC addresses.
Disable DTP and set trunking manually.
interface g0/1 switchport trunk native vlan 999 Then, ensure VLAN 999 exists but is used nowhere else. No user devices, no DHCP, no routing. 14.9.11 packet tracer - layer 2 vlan security