Here is one way to combat unauthorized switches being connected by end users, which is typically done to increase the number of ports available at a location.
Enable port security:
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#end
The configuration above enables port security on FastEthernet0/1, a port that would go out to an end-user workstation. If someone placed a small switch or hub at the end of the connection in order to connect a second device (a network printer, another workstation, etc.), a second MAC address would be detected. This triggers the access switch to shut down the port (and send an SNMP trap), effectively cutting off all connectivity to the network.
The global configuration command shown above, errdisable recovery cause psecure-violation, brings the port out of the err-disabled state automatically after the default timer expires. The errdisable recovery timer can be changed from the default of 300 seconds with the errdisable recovery interval command.
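To check that every access port actually carries the settings above, here is an added Python audit script (not part of the original post and not a Cisco tool) that parses a saved running-config and flags access ports with port security missing, a MAC limit above one, or a violation mode other than shutdown. The sample config embedded in it is constructed; the function names are my own.

```python
import re
# Constructed sample running-config: fa0/1 matches the recommended settings,
# fa0/2 allows two MACs and only 'restrict', fa0/3 has no port-security at all.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport mode access
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in stanzas}

def setting(cmds, prefix, default):
    """Last word of the first sub-command starting with prefix, else default."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), default)

def audit(config, max_macs=1):
    """Return {interface: [findings]} for access ports that deviate from the
    one-MAC, shutdown-on-violation policy. IOS defaults fill in absent lines."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and routed ports are out of scope here
        problems = []
        if "switchport port-security" not in cmds:
            problems.append("port-security not enabled")
        else:
            maximum = int(setting(cmds, "switchport port-security maximum ", 1))
            if maximum > max_macs:
                problems.append(f"maximum {maximum} exceeds {max_macs}")
            mode = setting(cmds, "switchport port-security violation ", "shutdown")
            if mode != "shutdown":
                problems.append(f"violation mode '{mode}' is not shutdown")
        if problems:
            findings[name] = problems
    return findings
```

Running audit(SAMPLE_CONFIG) reports FastEthernet0/2 and FastEthernet0/3 and stays silent on FastEthernet0/1; feed it the output of show running-config to check a real switch.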