Specifications

ManualsBrandsEnterasys ManualsComputer equipment802.1Q

Authentication Overview

April 15, 2011 Page 11 of 36

• Value:Indicatesthetypeoftunnel.Avalueof0x0D(decimal13)indicatesthatthe tunneling

protocolisaVLAN.

Tunnel‐Medium‐Typeindicatesthetransportmediumtousewhencreatingatunnelforthe

tunnelingprotocol,determinedfromTunnel‐Typeattribute.SetTunnel‐Medium‐Typeattribute

parametersasfollows:

•Type:Set

to65forTunnel‐Medium‐TypeRADIUSattribute

•Length:Setto6forsix‐bytelengthofthisRADIUSattribute

•Tag:Providesameansofgroupingattributesinthesamepacketwhichrefertothesame

tunnel.Validvalueforthisfieldare0x01through0x1F,inclusive.Setto0if

unused.Unless

alternativetunneltypesareprovided,itisonlynecessaryfortunnelattributestospecifya

singletunnel.Asaresult,whereitisonlydesiredtospecifytheVLANID,thetagfieldshould

besettozero(0x00)inalltunnelattributes.

• Value:Indicatesthetypeoftunnel.A

valueof0x06indicatesthatthetunnelingmedium

pertainsto802media(includingEthernet)

Tunnel‐Private‐Group‐IDattributeindicatesthegroupIDforaparticulartunneledsession.Setthe

Tunnel‐Private‐Group‐IDattributeparametersasfollows:

•Type:Setto81forTunnel‐Private‐Group‐IDRADIUSattribute

•Length:Setto

avaluegreaterthanorequalto3.

•Tag:Providesameansofgroupingattributesinthesamepacketwhichrefertothesame

tunnel.Validvaluesforthisfieldarefrom0x01through0x1F,inclusive.Setto0ifunused.

Unlessalternativetunneltypesareprovided,itisonlynecessary

fortunnelattributesto

specifyasingletunnel.Asaresult,whereitisonlydesiredtospecifytheVLANID,the tag

fieldshouldbesettozero(0x00)inalltunnelattributes.

•String:Indicatesthegroup.FortheVLANIDintegervalue,itisencodedasastringusing

ASCII.

Forexample,theVLANIDintegervalue103wouldberepresentedas0x313033

VLAN Authorization Considerations

VLANAuthorizationposessomeoperationalandmanagementissuesonthenetwork.

•AVLANisnotasecuritycontainer.Itisabroadcastcontainerandusedtosegmentbroadcast

trafficonthenetwork.ACLsimplementedatthelayer3routedinterfaceforaVLANonly

provideaccesscontrolfortrafficintoand

outoftheVLAN.Noaccesscontrolmechanismfor

intra‐VLANcommunicationsexists,thereforeuserswithintheVLANarenotprotectedfrom

eachother.MalicioustrafficallowedontoaVLANcanpotentiallyinfectalltrafficonthe

VLAN.Suchaninfectioncanconsumevaluablehardwareresourcesontheinfra stru c ture, 

suchas

CPUcyclesandmemory.Infectionscanbetransmittedtootherhostswithinthe

VLANandtothelayer3routedboundary.Thisleadstothedirectcompetitionofmalicious

trafficwithbusinesscriticaltrafficonthenetwork.

•End‐To‐EndQoScannotbetrulyguaranteedifQoSisimplementedatthe

layer3routed

interfaceforanetworkwherebusinesscriticalapplicationsareclassifiedandprioritized.

•IfVLANsareimplementedtogrouptogetherusersthataremembersofthesame

organizationalgroup,thenaVLANmustbeconfiguredeverywhereinthenetworktopology

whereamemberofthatorganizationalunitmay

connecttothenetwork.Forexample,ifan

engineermayconnecttothenetworkfromanylocation,thentheEngineeringVLANmustbe

configuredonallaccesslayerdevicesinthenetwork.TheseVLAN configurationsleadto

over‐extendedbroadcastdomainsaswellasaddedconfiguration complexityinthenetwork

topology.