From: "Congdon, Paul T (ProCurve)" <paul.congdon@hp.com>
To: <radiusext@ops.ietf.org>
Subject: FW: Vlan draft - relationship of tunnel attributes and egress-xxx
attributes
Date: Thu, 27 Apr 2006 21:12:57 -0700

Somehow the list got dropped... Comments welcome.
________________________________
From: Congdon, Paul T (ProCurve)
Sent: Thursday, April 27, 2006 8:05 PM
To: Sanchez, Mauricio (ProCurve)
Subject: RE: Vlan draft - relationship of tunnel attributes and
egress-xxx attributes

Ooops... Here are the suggested changes I was going to make. Wordsmithing
expected... Replace the two paragraphs suggested with the
following.

"The tunnel attributes used for VLAN assignment described in [RFC3580]
configure both the ingress VLAN ID for untagged packets, also known as
the PVID, and the egress VLAN ID for untagged packets on that same VLAN.
The Egress-VLANID configures only the egress VLAN ID for either tagged
or untagged packets. It is not necessary to use the Egress-VLANID
attribute to configure the same untagged VLANID that the tunnel
attributes of [RFC3580] configure. These attributes can be used
concurrently and MAY appear in the same RADIUS message. To configure an
untagged VLAN for both ingress and egress the tunnel attributes of
[RFC3580] MUST be used."

Paul
________________________________
From: owner-radiusext@ops.ietf.org
[mailto:owner-radiusext@ops.ietf.org] On Behalf Of Sanchez, Mauricio
(ProCurve)
Sent: Thursday, April 27, 2006 5:44 PM
To: radiusext@ops.ietf.org
Subject: Vlan draft - relationship of tunnel attributes and
egress-xxx attributes

Relationship of tunnel attributes and egress-xxx attributes
address: mauricio.sanchez@hp.com
Date first submitted: 4/27/06
Reference: none
Document: draft-ietf-radext-vlan-04.txt
Comment type: T
Priority: S
Section: 2.1, 2.3
Rationale/Explanation of issue:
While the introduction acknowledges tunnel attributes from
rfc2868 and rfc3580, there is no guidance on their use with the
egress-vlanid and egress-vlan-name attributes. I suggest formalizing
the fact that they can be used concurrently and providing guidance on
their interaction/relationship.
Requested change:
1) To section 2.1 add the following paragraph between the second
and third paragraphs of the description section for egress-vlanid:
"Tunnel attributes, as described in [RFC2868] and [RFC3580], and
Egress-VLANID both can be used to configure the egress VLAN for
untagged packets. These attributes can be used concurrently and MAY
appear in the same RADIUS message. When they do appear concurrently,
the list of allowed VLANs consists of the concatenation of all
Egress-VLANID attributes and the Tunnel-Private-Group-ID(81) attribute.
Egress-VLANID does not alter the ingress VLAN for untagged traffic
on a port, also known as the PVID. The tunnel attributes from [RFC2868]
and [RFC3580] should be relied upon instead to set the PVID."
2) To section 2.3 add the following paragraph between the first
and second paragraphs of the description section for egress-vlan-name:
"Tunnel attributes, as described in [RFC2868] and [RFC3580], and
Egress-VLAN-Name both can be used to configure the egress VLAN for
untagged packets. These attributes can be used concurrently and MAY
appear in the same RADIUS message. When they do appear concurrently,
the list of allowed VLANs consists of the concatenation of all
Egress-VLAN-Name attributes and the Tunnel-Private-Group-ID(81)
attribute.
Egress-VLAN-Name does not alter the ingress VLAN for untagged
traffic on a port, also known as the PVID. The tunnel attributes from
[RFC2868] and [RFC3580] should be relied upon instead to set the PVID."
--------------------------------------------
Mauricio Sanchez, CISSP
Network Security Architect
ProCurve Networking Business
Hewlett Packard
8000 Foothills Boulevard, ms 5557
Roseville CA, 95747-5557
916.785.1910 Tel
916.785.1815 Fax
mauricio.sanchez@hp.com
--------------------------------------------
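
The interaction discussed in this thread, as an added example that is not part of either message or of the draft: a sketch of how a switch-side consumer could derive the PVID and the egress VLAN list from one Access-Accept. The attribute numbers and the Egress-VLANID layout (type 56, Tag Indication 0x31 tagged / 0x32 untagged, 12-bit VLAN ID) are taken from RFC 4675 as later published and are assumptions relative to draft -04; `port_vlans`, `attr` and `SAMPLE` are hypothetical names and the sample bytes are constructed.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID, EGRESS_VLANID = 64, 65, 81, 56
TAGGED, UNTAGGED = 0x31, 0x32      # Tag Indication octet (assumed per RFC 4675)

def parse_attrs(buf):
    """Split a RADIUS attribute region into (type, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def port_vlans(buf):
    """Return (pvid, {vlan_id: 'tagged' | 'untagged'}) for one message."""
    ttype = medium = pgid = pvid = None
    egress = {}
    for t, v in parse_attrs(buf):
        if t == TUNNEL_TYPE and len(v) == 4:
            ttype = int.from_bytes(v[1:], "big")      # v[0] is the tag octet
        elif t == TUNNEL_MEDIUM and len(v) == 4:
            medium = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PGID and v:
            pgid = (v[1:] if v[0] <= 0x1F else v).decode("ascii")
        elif t == EGRESS_VLANID:
            if len(v) != 4 or v[0] not in (TAGGED, UNTAGGED):
                raise ValueError("bad Egress-VLANID value")
            vid = int.from_bytes(v[1:], "big") & 0xFFF  # low 12 bits
            egress[vid] = "tagged" if v[0] == TAGGED else "untagged"
    # RFC 3580 triplet: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6).
    if ttype == 13 and medium == 6 and pgid and pgid.isdigit():
        if not 1 <= int(pgid) <= 4094:
            raise ValueError("VLAN ID out of range")
        pvid = int(pgid)
        egress[pvid] = "untagged"   # tunnel attrs set PVID and untagged egress
    return pvid, egress

def attr(t, v):
    """Encode one attribute (helper for the constructed sample)."""
    return bytes([t, len(v) + 2]) + v

# Constructed sample: tunnel VLAN 10, plus egress VLAN 20 tagged, 30 untagged.
SAMPLE = (attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")
          + attr(81, b"\x0010") + attr(56, b"\x31\x00\x00\x14")
          + attr(56, b"\x32\x00\x00\x1e"))

if __name__ == "__main__":
    print(port_vlans(SAMPLE))
```

With only Egress-VLANID attributes present the returned PVID is `None`, which is the case the proposed text addresses: the port's ingress VLAN for untagged traffic is left unchanged unless the tunnel attributes are sent.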