as already said - this can be covered with adequate processes and management (even so far as, not doing your job right? time for HR...). however, there are many ways to ensure that random ports aren't doing anything other than what they should be doing - most of these are L2 security features - port-security, BPDU Guard, default vlan pruning, along with other protections such as DHCP snooping etc. however, if it's the network team doing this - then they could just turn those things off anyway - so you need to also ensure all managed switch configs have their configs audited and checked - grabbed by SNMP and checked/audited against known template etc etc. if a switch cannot be audited then disconnect its uplink... but then your end users/customers no longer have connections - which is why it's really down to management processes. WHY are they doing this? there could be other reasons why due process isn't being followed other than e.g. incompetence, malice, laziness etc

alan
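
A sketch of the template audit described in the post above, added here as an example and not part of the original post. It assumes Cisco IOS-style configuration syntax and that the config text has already been collected from the switch; the sample config, the required-line lists and the function names are constructed for illustration.

```python
import re

# Constructed sample config (Cisco IOS-style syntax is an assumption).
SAMPLE_CONFIG = """\
hostname access-sw-01
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

# The "known template": lines that must be present (illustrative choice).
REQUIRED_ACCESS_LINES = ("switchport port-security", "spanning-tree bpduguard enable")
REQUIRED_GLOBAL_LINES = ("ip dhcp snooping",)

def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
    return interfaces

def audit(config):
    """Return a sorted list of (scope, missing template line) findings."""
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = [("global", r) for r in REQUIRED_GLOBAL_LINES if r not in global_lines]
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines:  # trunks/uplinks are skipped here
            findings += [(name, r) for r in REQUIRED_ACCESS_LINES if r not in lines]
    return sorted(findings)

if __name__ == "__main__":
    for scope, missing in audit(SAMPLE_CONFIG):
        print(f"{scope}: missing '{missing}'")
```

An empty result means the config matches the template; any finding names the port (or `global`) and the protection that has been removed or was never applied.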