Layer2 attacks are difficult but the fix for them has existed for some years now: 802.1X. In a nutshell, it's asymmetric (certificate-based) authentication for all of your devices.
So even if an attacker plugs in to your network, each device is authenticated from the certificate that's been pre-applied to it. So if an attacker on the network plugs in a rogue device but does not have a certificate, the port will never become active to allow the rogue connection to start performing any Layer2+ attacks on your University network.
The limiting factors are the need for a PKI architecture and devices that accept x509 certificates and understand (and can use) 802.1X. If you don't already have a secure PKI architecture, this will be a rather monumental undertaking to do correctly.
Edit: To specifically address netcut, apparently there is a free tool that will work against it: https://arcai.com/netcut-defender/ -- I'm not making any claims on its effectiveness but if you don't want to fix the problem properly (802.1x), you're going to have to resort to something like this.