What protocol should be disabled to help mitigate VLAN attacks?

To help mitigate VLAN attacks, you should disable DTP (Dynamic Trunking Protocol). DTP can be used by an attacker to negotiate a trunk link with a switch, which can allow them to access all VLANs across that trunk. Disabling DTP on switch ports that do not need to form trunks is a best practice for VLAN security.

While STP (Spanning Tree Protocol) and CDP (Cisco Discovery Protocol) have their own associated security risks, they are not specifically used to mitigate VLAN attacks. ARP (Address Resolution Protocol) is unrelated to VLAN security specifically and is necessary for IPv4 communication within a network.