<P> 2 . Ensure that ports that are not meant to be trunks are explicitly configured as access ports </P> <P> In a double tagging attack, an attacking host connected on a 802.1 q interface prepends two VLAN tags to packets that it transmits . The packet (which corresponds to the VLAN that the attacker is really a member of) is forwarded without the first tag, because it is the native VLAN . The second (false) tag is then visible to the second switch that the packet encounters . This false VLAN tag indicates that the packet is destined for a target host on a second switch . The packet is then sent to the target host as though it originated on the target VLAN bypassing the network mechanisms that logically isolate VLANs from one another . However, possible answers are not forwarded to the attacking host . </P> <P> Double Tagging can only be exploited when switches use "Native VLANs". Ports with a specific access VLAN (the native VLAN) don't apply a VLAN tag when sending frames, allowing the attacker's fake VLAN tag to be read by the next switch . </P> <P> Double Tagging can be mitigated by either one of the following actions (Incl . IOS example): </P>

Which type of attack can be mitigated by configuring the default native vlan to be unused