After configuring the desired VLANs and assigning the interfaces to them, you have to decide what to do with the interfaces that are not in use. A common recommendation is for all unused switch ports to be assigned to a black hole VLAN and administratively shut down (both interfaces and the VLAN).
A black hole VLAN is a VLAN that is not operational, meaning one that is not associated with a subnet and does not have a default gateway configured. This way, when somebody connects to an interface that belongs to such a VLAN, no harm is possible to the network.
The configuration example below shows how to create a black hole VLAN and assign all unused ports to it. When you shut down a VLAN, all traffic on that VLAN stops.
Another very important thing you should pay attention to is the range of VLAN that will be allowed on the trunk links. By default, a trunk port allows all VLANs available in the VLAN database. However, when this is not desired, and only a few VLANs should be allowed, you should explicitly permit only those that will deny packets to the rest by default.
Lastly, besides changing the default native VLAN on the trunk ports, you can also tag the native VLAN. Tagging the native VLAN improves security on the trunk links. To tag the native VLAN, you must enter the switchport trunk native vlan tag command in the configuration mode of the trunk interface.