So if I disable all Port It Will remain Always default for other traffic as stp or vtp. But if I Will change native VLAN in VLAN2 without 99 It Is good. VLAN99 or 44 are used so for convenience only. 

Yes it will still be used for certain traffic ie. some control protocols. 

You can use any number you want for native vlan, it makes no difference which number you use. 

Jon

It Is clear that changing native VLAN hacker cannot Attack. What Is not clear i why VLAN 1. I could set VLAN1 as VLAN native on trunk but simultaneously I move all ports in other vlans removing all access Port F01 f02 etc..... So  In this case:

TRUNK LINK: VLAN 1 NATIVE VLAN

VLAN1: NO ACCESS PORT 

VLAN 2: PORTS FOR F01 TO F12 

VLAN3: PORTS FOR F13 TO F24 

In this case how spese the hacker do the Attack?

We suppose that hacker Is located and connect Port fa0/8 of the VLAN 2 and wanted attaché VLAN3.

He should add both VLAN2  AND VLAN3 in the frame ethernet 

On trunk Is VLAN1 native.

When switch 1 (where Is connect hacker) see the frame, It see First tag so VLAN2 and not VLAN3.

I might be wrong ( correct me of I'm wrong) but hacker Is limited to comunicate VLAN 2 only.

I could think only best practice change VLAN1 in VLAN99 because VLAN1 Is default (as all you said), and then if there are free ports on switch with VLAN1 native, un attacker connect One Port and Attack 

Correct me of I wrong

Double Tag Attack, 

you admin and you are separate the Server from the Host by using VLAN, 

VLAN 100 for Server

VLAN 1 for Host 

the attacker which can access to VLAN 1 easily BUT to access to Server it must pass through Router L3 or FW... Here the attacker couldn't attack Server.

So attacker use the limitation of SW to see only one tag of VLAN. 

How attacker Work ?

SW1-SW2 in-between there is trunk with VLAN 1 as native, 

attacker connect to SW1, 

attacker send double tag packet 

outer is native VLAN "VLAN1"

inner is VLAN 100 "VLAN 100 for Server ??"

SW1 receive this packet It see Native VLAN 1 it will flood to all port include trunk between the two SW, 

SW1 will remove the outer tag "VLAN1 " and here is limitation of SW" and flood it through trunk

SW2 receive the frame with inner tag VLAN 100!!!

SW2 will flood it through all port of VLAN 100 include the port for Server 

here the attacker can attack the Server even if it not in same VLAN, i.e. it pass R/FW.

after ALL 

do you see how the attacker is start attack?

by native VLAN, if we can broke this series by change native VLAN with value not predict by attacker what will happened?

let see again but this time we change the native VLAN from VLAN 1 to VLAN 99 "as your example"

attacker connect to SW1, 

attacker send double tag packet 

outer is native VLAN "VLAN1"

inner is VLAN 100 "VLAN 100 for Server ??"

SW1 receive this packet It see OUTER VLAN 1 it will flood to all port NOT include trunk between the two SW, 

WoW and attacker stop here..

So that is why we change the native VLAN to not predict VLAN. 

and this is why make default native VLAN 1 without ports.

UPDATE REPLY.

Ok let's see if I understand. Only if DTP is enabled on a switch A (default is enabled), an attacker can also connect with his pc makes switch A believe that his PC is a switch B and since by default the dtp service enables the vlan as native vlan 1, the attacker automatically makes a vlan hopping attack. Then the problem would be solved by disabling the DTP service and setting the trunk manually. But maybe since a company would like to adopt a solution with DTP for convenience, it is always useful to set a different native vlan which can also be vlan 2 but since usually vlan 2-3-4 etc are used for convenience it is used as native vlan a vlan example 99 or 120 that is it doesn't make sense.Correct?

That is (I know that in reality it will never happen but it is to better understand) if I have switch A and switch B on both switches I disable the DTP, I move all the ports from VLAN1 to VLAN 2 - 3 - 4 for example I leave on the trunk switch A and switch B vlan native VLAN 1, would you attacker be able to do a hopping and double tagging? There is no auto-negotiation between A and B, the ports have not been assigned to VLAN 1 at this point unless there is another service that would allow an attacker to make another type of attack, I don't see how it can succeed to make an attack with a VLAN 1 as native. Obviously mine is a consideration based on theoretical concepts if I miss something correct me

OK, how many native VLAN in SW ?
there is only one, so when you config native VLAN 1 between two SW, that meaning that both SW use native VLAN 1 for all trunk port.
attacker as I explain above will form trunk to one of SW, using DTP and native VLAN 1, the victim SW will make port trunk with attacker "SW don't know this is attacker or other SW".
this make Attacker now allow to use all VLAN, and hence VLAN hopping happened.

So 

VLAN1: all Port moved for example VLAN2 

DTP: Disable 

Native VLAN : VLAN1 

If hacker not find access Port in VLAN 1 and sto Disable hacker can still Attack 

sorry what is sto ?