I have been reading that the double-tagged VLAN hopping attack only works when the attackers VLAN is the same as the native vlan of the trunk. I don't see why this is necessary, can someone help me understand?
This is my current understanding of the attack:
Attacker------vlanx------SW1------trunk------SW2------vlan10------Victim
The Attacker sends double tagged packet with inner tag of 10 and outer tag of 20 (for example)
SW1 peels off 20 and sends the packet down any trunk link that allows vlan 10.
If the trunk between SW1 and SW2 allows vlan 10, then SW2 will receive the packet and forwrd it to all ports in vlan 10 including our victim.
Unfortunately I don't have a PC to send double-tagged packet so I cannot test.
Is my misunderstanding incorrect?
Thanks
