Some of the recommendations and best practice are as below.
- The best practice is to have the layer 3 ports configured for "route-only" under interface config. This will drop the BPDU right when itingresses and does notegress out on default VLAN
- Enable RSTP on default VLAN to prevent loop if some of the ports are not configured as 'route-only'
- Add a global levelcommand "no dual-mode-default-vlan"