TABLE OF CONTENTS
ACKNOWLEDGEMENTS
LIST OF FIGURES
LIST OF TABLES
ABSTRACT
CHAPTER 1 LOCAL NETWORKS AND FUNDAMENTAL CONCEPTS
1.1 COMPUTER NETWORK OVERVIEW
1.1.1 What is a computer network?
1.1.2 Classification of computer networks
1.1.2.1 Scale
1.1.2.2 Transmission medium
1.1.2.3 Functional relationship
1.1.2.4 Topology
1.1.3 OSI Reference Model
1.1.3.1 Application layer
1.1.3.2 Presentation layer
1.1.3.3 Session layer
1.1.3.4 Transport layer
1.1.3.5 Network layer
1.1.3.6 Data link layer
1.1.3.7 Physical layer
1.2 INTRODUCING LOCAL NETWORK
1.2.1 Local Area Network (LAN)
1.2.2 Virtual LAN (VLAN)
1.3 A BRIEF ON SIMULATION TOOLS AND OPNET
1.4 CONCLUSIONS
CHAPTER 2 VIRTUAL LOCAL AREA NETWORK (VLAN)
2.1 DEFINITION OF VLAN
2.2 VLAN ID RANGE
2.3 OPERATION OF VLAN
2.4 TYPES OF VLAN
2.4.1 Data VLAN
2.4.2 Default VLAN
2.4.3 Native VLAN
2.4.4 Management VLAN
2.4.5 Voice VLAN
2.5 THE STANDARDS AND PROTOCOLS USED IN VLAN
2.5.1 VLAN Trunking
2.5.1.1 Trunk’s definition and its benefit
2.5.1.2 IEEE 802.1Q
2.5.2 VLAN Trunking Protocol (VTP)
2.5.2.1 What is VTP?
2.5.2.2 VTP Pruning
2.5.3 Spanning tree protocol (STP)
2.5.3.1 The importance of redundancy in designing a network
2.5.3.2 Redundancy and loop issues
2.5.3.3 The Spanning tree protocol-STP
2.5.4 Rapid spanning tree protocol (RSTP)
2.5.4.1 The differences from STP
2.5.4.2 RSTP operation
2.6 CONCLUSIONS
CHAPTER 3 BENEFITS OF VLAN IN NETWORK DESIGN
3.1 MAIN BENEFITS OF VLAN
3.1.1 VLAN and Quality of service (QoS)
3.1.1.1 The Definition of QoS
3.1.1.2 Queuing mechanisms
3.1.2 VLAN and security
3.1.2.1 Basic security: Handling physical accesses to network devices
3.1.2.2 Tools and best practices in securing VLAN
3.1.2.3 Improve network security using Access Control Lists
3.2 SIMULATIONS AND RESULTS
3.2.1 Objective
3.2.2 NoVLAN network vs. VLAN network
3.2.3 Restrict the accessibility
3.2.4 The DDoS attack and defense simulation [7]
3.3 CONCLUSIONS
CONCLUSIONS
REFERENCES
APPENDIX 1
ACKNOWLEDGEMENTS
LIST OF FIGURES
Figure 1.1 ARPANET
Figure 1.2 A Bus network
Figure 1.3 A Star network
Figure 1.4 A Ring network
Figure 1.5 Mesh network
Figure 1.6 OSI model
Figure 1.7 The network devices used in LAN
Figure 1.8 Hierarchical network
Figure 1.9 The small university with its LAN
Figure 1.10 The university network after several years with VLAN
Figure 1.11 OPNET IT Guru
Figure 2.1 The different VLANs in a network
Figure 2.2 Port-based VLAN
Figure 2.3 Broadcast traffic in normal LAN
Figure 2.4 Controlling broadcast domain with VLAN
Figure 2.5 Tagging information
Figure 2.6 Data VLANs
Figure 2.7
Figure 2.8 Management VLAN
Figure 2.9 Voice VLAN
Figure 2.10 Voice traffic
Figure 2.11 VLANs without Trunk
Figure 2.12 VLAN with Trunk
Figure 2.13 IEEE 802.1Q Ethernet Type allocations
Figure 2.14 IEEE 802.1Q VLAN Tag Fields
Figure 2.15 TCI format
Figure 2.16 Configuring a small network with only 3 switches
Figure 2.17 A network with redundancy
Figure 2.18 When the main link fails
Figure 2.19 Layer 2 loop-1
Figure 2.20 Layer 2 loop-2
Figure 2.21 Layer 2 loop-3
Figure 3.1 A company’s network topology
Figure 3.2 NoVLAN network
Figure 3.3 VLAN network
Figure 3.4 Traffic demand in the network without VLAN
Figure 3.5 Only one traffic demand is allowed to reach its server
Figure 3.6 One of the traffic flows is not allowed by the switch
Figure 3.7 Ethernet load (bit/s) on ServerManager
Figure 3.8 Ethernet load (bit/s) on ServerTeacher
Figure 3.9 Ethernet load (bit/s) on servers
Figure 3.10 Server performance statistics
Figure 3.11 End-to-end delay
Figure 3.12 Link utilization
Figure 3.13 Inter-VLAN communication
Figure 3.14 Ping report
Figure 3.15 DDoS attack
Figure 3.16 The results after the attack
LIST OF TABLES
Table 3.1 Applications used in the lab
Table 3.2 Statistics collected in the lab
Table 3.3 ACL configuration
Table 3.4 Searching properties
Table 3.5 WebBrowsing properties
Table 3.6 HTTP attack properties
ABSTRACT
Computer networks were born from the need to share network resources between hosts and users, and they play an ever more important role in our lives. Since their birth in the 1960s they have grown continuously, and the more they grow the more issues appear: network delay, performance, security and so on. In local networks, the VLAN is a solution to these issues. VLANs are now used extensively in practice, and their management represents a critical and time-consuming activity in both enterprise and campus networks.
For this reason, I have chosen to research the topic “Study and design of virtual local area networks (VLAN)” for my graduation thesis. This thesis introduces VLANs and their benefits for campus and enterprise networks. It is organized into four parts, followed by a reference list and an appendix. The outline of the thesis is as follows:
- Part 1: Local networks and fundamental concepts
This part introduces the fundamental concepts of local computer networks, LANs and VLANs. It also gives a brief overview of simulation tools and OPNET.
- Part 2: Virtual Local Area Networks (VLANs)
This part introduces VLANs, their definition and their operation. The reasons for using VLANs are presented through their benefits in performance, management and security.
- Part 3: Benefits of VLAN in network design
In this part I introduce the main benefits of VLAN implementation; measurements are then performed to demonstrate the benefits of VLAN in comparison with a traditional LAN.
- Part 4: Conclusion
This part presents the results of my work.
CHAPTER 1 LOCAL NETWORKS AND FUNDAMENTAL CONCEPTS

Figure 1.1 ARPANET
Today we can define a computer network as a group of at least two computers connected to each other by a physical or logical link so that they can share resources. Larger-scale networks such as WANs and the Internet are themselves built from small networks of this kind.
1.1.2.1 Scale
Computer networks are commonly classified by scale into Personal Area Network (PAN), Local Area Network (LAN), Campus Area Network (CAN), Metropolitan Area Network (MAN) and Wide Area Network (WAN). A Virtual Private Network (VPN) is often listed alongside them, although it is a logical overlay on another network rather than a physical scale.
Fiber networks are those that use optical fiber as the transmission medium.
Peer-to-peer (P2P) networks are networks in which all computers have the same role in sharing network resources: any user can request data from any other and vice versa. Today, BitTorrent is the most common P2P application.
Client–server networks have at least one server and one or more clients. Clients make requests to servers, and the servers fulfil those requests.
1.1.2.4 Topology
We can also classify networks by topology, such as bus, star, ring and mesh networks.
It is simple to understand and implement.
At any one time only one station has the right to transmit, so the capacity of a bus network is low.
On a large network these disadvantages make the bus topology unsuitable.
A star network has several advantages over a bus network. Its performance is higher because unnecessary traffic is eliminated: in a bus network a frame sent by one station reaches every node attached to the bus, whereas in a star network whose central node is a switch the frame is delivered only to its destination. This also lowers the probability of collisions. The network is easy to upgrade by installing a more powerful central node and adding leaf nodes.
The disadvantage of a star network is its dependence on the central node: if the central node fails, the whole network fails with it.
removing it from the ring and begins transmitting its frames. Each station examines the destination address of every passing frame to see whether it matches its own address. If not, the station forwards the frame onto the next link after a short delay; if the frame is addressed to the station, it is copied into the station's buffer, the station sets status bits in the frame and forwards it around the ring. When the frame returns to the source, the source removes it from the ring and releases the “free” token back onto the ring.
Ring networks are orderly: every node has the same chance to transmit, and no server is needed to control the network's operation. Under heavy load a ring performs better than a bus or a hub-based star network because there are no collisions. It is often described as offering a high security level, although every frame passes through every station on the ring. If a node fails, it is cut out of the ring by short-circuiting it.
However, ring networks also have disadvantages. Token Ring network cards and MAUs (Multistation Access Units) are much more expensive than Ethernet NICs and hubs or switches. Ring networks are inflexible when network elements are added or removed, and they perform worse than Ethernet under light load. Ring networks are therefore suited to networks with heavy traffic, such as backbone networks.
A mesh network is the most stable and reliable type of topology, but also the most expensive. In a full mesh each node connects directly to every other node, so a large number of cables and connections is required.
Figure 1.5 Mesh network
Figure 1.6 OSI model
Protocols are the rules by which network nodes communicate.
Some application layer protocols are:
flow control. In a TCP session the source must make sure that each segment is delivered successfully to the destination; if it is not, the source retransmits it.
UDP is the Transport layer protocol used by applications that need to deliver data across the network quickly but do not require reliable, in-order delivery. UDP uses neither the “three-way handshake”, nor flow control, nor retransmission of lost or corrupted segments; consequently its header is much smaller than TCP's.
To provide these two services, the Transport layer has the following functions:
1.1.3.5 Network layer
The Network layer is responsible for routing and forwarding packets to the right destination. To do this, it adds a header to the data received from the Transport layer, producing a packet; among other fields, the header contains the logical (IP) addresses of the source and the destination. The network layer then routes the packet towards its destination through intermediary devices called routers. When the packet reaches the destination node, the network layer there removes the header and passes the data up to the upper layers.
So the physical layer is responsible for encoding the frames received from the data link layer into signals and transmitting those signals onto the medium.
The Access layer is the lowest layer and the closest to end-user devices. It is responsible for connecting end-user devices to the network, and it can also determine whether a device is allowed to connect at all.
The Distribution layer aggregates the traffic coming from the Access layer. It forwards traffic directly to its destination when the source and destination belong to the same subnet; otherwise it hands the traffic to the Core layer for routing to its final destination. This layer controls the flow of traffic and separates the VLANs defined at the Access layer. Distribution layer devices are typically high-performance switches with high availability and redundancy to ensure reliability.
The Core layer is the highest-speed layer of the hierarchical network model. Core devices are routers and switches with high availability, high throughput and redundancy. They must handle heavy load properly, because almost all of the network's traffic passes through them. Their functions are to connect the local network to outside networks (for example the Internet) and to route traffic to its end points.
After several years the university grows and gains two more branches. Suppose that its network remains as before.
Figure 1.10 The university network after several years with VLAN
The headmaster of the university wants only two subnets, one for students and the other for teachers and officers, and he wants all students to be able to share resources with each other, and likewise all teachers and officers. Obviously it is impossible to build one large physical LAN for the students and another for the teachers across three sites. VLAN is the solution to this.
A VLAN is simply a LAN in the logical sense. In a VLAN, however, network devices and users are not constrained by geography but can be grouped by their function and by the way they use network resources. Using VLANs we can control network traffic, prevent so-called “broadcast storms”, improve the security level and manage QoS policies. Thus, if a VLAN is well designed and configured, we gain much more than with a normal LAN: better performance, a higher security level, easier network management and so on. However, the IT engineers must understand VLANs and their configuration. In a large company or university that uses switches from many different vendors, VLAN configuration is complex, and incorrect configuration may degrade network performance or even make the network inoperable.
There are many network simulation tools, such as OPNET, QualNet, NS-2, OMNeT++ and Matlab. Most of them are written in C or C++, and their simulation results are accepted by the scientific community. Among these tools, OPNET and NS-2 are preferred and commonly used in education and research. NS-2 is an open-source discrete-event simulator widely used for both wired and wireless networking research; many modules are available for it, and it includes substantial contributions from researchers all over the world. Its biggest disadvantage, however, is the difficulty beginners have in learning how to use it.
OPNET seems to be the appropriate tool for a student's study and research. OPNET stands for Optimized Network Engineering Tools.
OPNET began as the graduate project of Alain Cohen (co-founder and, at the time of writing, CTO and President of OPNET Technologies) when he was a networking student at MIT (Massachusetts Institute of Technology). The company's first product is OPNET Modeler, commercial software for simulating and modeling communication networks, network devices and protocols. OPNET is a widely used simulator for Windows and Linux. It is written in C++ and provides a virtual environment for modeling, analyzing and measuring network performance. The tool is regularly updated with new protocols and devices to keep up with fast-evolving networking technology.
OPNET is used by many commercial and government organizations and universities worldwide. With OPNET Modeler, users can basically:
- create and edit networks and nodes according to their purpose;
- modify the operation inside network nodes;
- analyze and evaluate their network using the statistics collected after simulation.
However, it is very difficult for beginners to learn OPNET Modeler well enough to implement a new protocol: they must be familiar with the object-oriented approach and the C++ language, as well as with telecommunications. OPNET Technologies therefore developed OPNET IT Guru, a free version used for educational purposes.
Figure 1.11 OPNET ITGuru.
1.4 Conclusions
In this chapter we have seen that computer networks are crucial. The chapter also gave an overview of LANs and VLANs, from which the advantages of VLANs over traditional LANs can be seen. With these advantages, VLANs have become an indispensable tool for network administrators to segment the network, increase the bandwidth per user, provide security and provision multimedia services [10].
This chapter also pointed out the role of simulation in network design. Along with the evolution of computer science, network simulation tools help greatly in designing networks. Among the various simulation tools, OPNET, which is built to answer “what-if” questions, is the suitable tool for a student's study.
So, in the next two parts of this thesis, the issues in designing a computer network, such as performance and security level, are discussed. The next part shows what a VLAN is and describes its characteristics. The advantages of VLANs are introduced in the last part and then demonstrated by simulations.
CHAPTER 2 VIRTUAL LOCAL AREA NETWORK (VLAN)
A VLAN is configured entirely in software on the switches. As with a LAN, each VLAN is normally mapped to an IP subnet and to a set of switch ports. For a device to join a VLAN it must be connected to a port assigned to that VLAN, and it must have an IP address within the VLAN's subnet (see figure 2.2).
2.3 Operation of VLAN
In many ways a VLAN operates like a LAN. The only difference is that with VLANs we can create a logical group of network devices that forms a separate broadcast domain regardless of where the devices are located. In a normal LAN, every device connected to a switch belongs to one common broadcast domain: when a user sends a broadcast message, it reaches every user connected to that switch, whether or not they belong to the sender's department.
To distinguish between VLANs, each frame carries a tag identifying the VLAN it belongs to. The tag consists of 3 priority bits, 1 CFI bit that allows Token Ring frames to travel over an Ethernet medium, and 12 VLAN ID bits, which give 4096 possible values (see figure 2.5). Two of these values, 0 and 4095, are reserved, so 4094 VLAN IDs are usable.
voice ones. This traffic does not belong to a data VLAN but to the management VLAN and the voice VLAN, which are described later.
VLAN is that some devices from different vendors cannot understand each other's tagging and are incompatible, in particular between IEEE 802.1Q and the Cisco-proprietary ISL.
priority level, the ability to be routed around congested areas of the network, and low delay.
2.5 The standards and protocols used in VLAN
With a trunk, a single switch port carries the traffic of multiple VLANs.
The TPID occupies the position of the EtherType field and so distinguishes tagged frames from other protocols: its value is set to 0x8100 to identify the frame as an IEEE 802.1Q-tagged frame.
- 1 CFI bit (Canonical Format Indicator): if CFI is 1, the MAC addresses are in non-canonical format, which allows Token Ring and FDDI frames to be carried over an Ethernet medium; if it is 0, the MAC addresses are in canonical format, the default for Ethernet frames.
- 12 VLAN ID bits indicate the VLAN to which the frame belongs; the decimal range is 0 to 4095. A received frame with VLAN ID 0 does not belong to any VLAN: its tag carries only priority information. VLAN ID 0xFFF (4095) is reserved for implementation use.
After tagging the frame, the switch recalculates the FCS and then sends the tagged frame out of the trunk port.
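The tag layout above, built and parsed in code. This is an added example written for this page, not code from the thesis or from OPNET; the helper names (build_tci, tag_frame, parse_frame) and the sample frame are constructed for illustration. It assumes a complete Ethernet II frame that ends in its FCS, and it uses zlib's CRC-32, which has the same polynomial, initial value and bit ordering as the IEEE 802.3 FCS, so a re-tagged frame gets the FCS the text says the switch must recompute.

```python
import struct
import zlib

TPID_8021Q = 0x8100        # EtherType value that marks an IEEE 802.1Q-tagged frame
VID_PRIORITY_ONLY = 0x000  # VID 0: frame carries priority only, belongs to no VLAN
VID_RESERVED = 0xFFF       # VID 4095: reserved for implementation use


def build_tci(pcp, cfi, vid):
    """Pack the 16-bit Tag Control Information: 3 PCP bits, 1 CFI bit, 12 VID bits."""
    if not (0 <= pcp <= 7 and cfi in (0, 1) and 0 <= vid <= 0xFFF):
        raise ValueError("TCI field out of range")
    return (pcp << 13) | (cfi << 12) | vid


def parse_tci(tci):
    """Split a 16-bit TCI back into its three fields."""
    return {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0xFFF}


def fcs(frame_body):
    """Ethernet FCS: CRC-32 over dst..payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def tag_frame(untagged, pcp, vid, cfi=0):
    """Insert a 4-byte 802.1Q tag after the source MAC and recompute the FCS.

    `untagged` is a complete frame: dst(6) src(6) ethertype(2) payload fcs(4).
    The old FCS is discarded because the tag changes the bytes it covered.
    """
    body = untagged[:-4]
    tag = struct.pack("!HH", TPID_8021Q, build_tci(pcp, cfi, vid))
    tagged_body = body[:12] + tag + body[12:]
    return tagged_body + fcs(tagged_body)


def parse_frame(frame):
    """Return (tag fields or None, inner EtherType, FCS valid?) for a frame."""
    body, trailer = frame[:-4], frame[-4:]
    fcs_ok = fcs(body) == trailer
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, fcs_ok          # untagged frame
    tci = parse_tci(struct.unpack("!H", body[14:16])[0])
    inner_ethertype = struct.unpack("!H", body[16:18])[0]
    if tci["vid"] == VID_PRIORITY_ONLY:
        tci["note"] = "priority-tagged: no VLAN membership"
    elif tci["vid"] == VID_RESERVED:
        tci["note"] = "reserved VID: must not be assigned to a VLAN"
    return tci, inner_ethertype, fcs_ok


# Constructed sample frame (not captured traffic): broadcast destination, an
# arbitrary source MAC, EtherType 0x0800 (IPv4) and a zero payload padded to 60 bytes.
UNTAGGED_BODY = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                 + b"\x08\x00" + b"\x00" * 46)
UNTAGGED = UNTAGGED_BODY + fcs(UNTAGGED_BODY)

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, pcp=5, vid=100)
    print(len(UNTAGGED), "->", len(tagged), "bytes")
    print(parse_frame(tagged))
```

parse_frame flags the two special VIDs the text describes (0 and 0xFFF) rather than treating them as ordinary VLAN numbers, and its third return value shows why a switch cannot forward the old FCS unchanged: flipping one payload byte of a tagged frame makes the check fail.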
Figure 2.16 Configuring a small network with only 3 switches
which are sent to this switch are unnecessary: they consume available bandwidth and processor time on the switch. VTP pruning increases the available bandwidth by pruning this unnecessary traffic.
Figure 2.18 When the main link fails
At the beginning, the MAC address tables of switches S3 and S1 have no entry for PC1. When PC1 sends a broadcast message to switch S2, every switch that receives it must forward it out of all other ports, because it is a broadcast. S2 forwards it out of all active ports except port F0/11, on which the message arrived. When the other switches receive the broadcast from S2, they add an entry for PC1 to their MAC address tables.
Figure 2.21 Layer 2 loop-3
After learning PC1's MAC address, S3 and S1 send the message out of their other ports. When S1 and S3 send the message to each other, they learn PC1's MAC address again, now on a different port, and then send the message out of their other ports, including the trunk link to S2. S2, on receiving the message from these two switches, updates its MAC table again and forwards the message again, and so on. This is a layer-2 loop, and it makes network traffic heavier and heavier.
When more than one device sends broadcast messages in a network like this, a broadcast storm occurs; it consumes all available bandwidth and the network becomes unavailable. To solve this problem we need a way to handle transmission over redundant links.
2.5.3.3 The Spanning tree protocol-STP
STP is a layer 2 protocol that solves the layer-2 loop problem. It is based on the spanning tree algorithm (STA), invented by Radia Perlman while she was working for Digital Equipment Corporation, and is defined in the IEEE 802.1D standard.
STP's function is to prevent OSI layer-2 loops in a redundant network. It ensures that there is only one logical, lowest-cost path between any two destinations on the network by deliberately blocking the redundant paths that could form a loop. Network traffic cannot pass through a blocked port, but BPDUs can. If the best path fails, the STA recalculates the path costs and enables a redundant path.
process is carried out link by link, and it does not rely on timers expiring before a port can transition.
Both STP and RSTP determine port roles from the bridge ID (BID) and the path cost, and they use the BID and path cost in the same way.
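The loop of Figures 2.19 to 2.21 and the STP fix, as an added simulation written for this page; it is not code from the thesis or from OPNET. The three-switch triangle, the bridge IDs and the link costs are constructed. flood_broadcast counts the frames one broadcast causes until a cap stands in for a saturated network; spanning_tree makes the decisions the text attributes to STP and RSTP: root by lowest BID, root ports by path cost, and the non-designated end of every remaining link blocked. It also shows the recalculation after a link failure, generalising from the single failure in Figure 2.18.

```python
import heapq
from collections import deque

# Constructed topology (not the thesis' OPNET model): three switches in a triangle,
# like Figures 2.19-2.21. A bridge ID (BID) is (priority, MAC); the lowest BID wins.
BIDS = {
    "S1": (32768, "00:00:00:00:00:01"),
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (32768, "00:00:00:00:00:03"),
}
# Links with IEEE 802.1D path costs (Fast Ethernet 19, Gigabit Ethernet 4).
LINKS = {
    frozenset(("S1", "S2")): 19,
    frozenset(("S2", "S3")): 19,
    frozenset(("S1", "S3")): 19,
}


def neighbors(sw, links):
    """Yield (neighbor, link, cost) for every link attached to switch `sw`."""
    for link, cost in links.items():
        if sw in link:
            (nbr,) = link - {sw}
            yield nbr, link, cost


def flood_broadcast(links, blocked_links=frozenset(), start="S2", max_frames=1000):
    """Flood one broadcast from a host on `start` and count frames the switches send.

    A switch forwards a broadcast out of every link except the one it arrived on and
    any link whose port STP has put into blocking (a blocked port carries no data
    frames in either direction, so the whole link is treated as blocked). With a
    loop the count never settles; the cap stands in for a saturated network.
    """
    queue = deque([(start, None)])  # (receiving switch, link the frame arrived on)
    sent = 0
    while queue and sent < max_frames:
        sw, in_link = queue.popleft()
        for nbr, link, _ in neighbors(sw, links):
            if link == in_link or link in blocked_links or sent >= max_frames:
                continue
            sent += 1
            queue.append((nbr, link))
    return sent


def spanning_tree(links):
    """Return (root, root_path_cost, blocked): the STA decisions for `links`.

    Root = lowest BID. Each other switch picks the root port on its lowest-cost path
    (tie: upstream switch with the lower BID). On every link left out of the tree,
    the end with the lower root path cost (tie: lower BID) is designated and the
    other end is blocked.
    """
    root = min(BIDS, key=BIDS.get)
    cost, upstream, root_port = {root: 0}, {}, {}
    heap = [(0, BIDS[root], root)]
    while heap:
        c, _, sw = heapq.heappop(heap)
        if c > cost[sw]:
            continue  # stale heap entry
        for nbr, link, link_cost in neighbors(sw, links):
            nc = c + link_cost
            better = nc < cost.get(nbr, float("inf")) or (
                nc == cost.get(nbr) and BIDS[sw] < BIDS[upstream[nbr]])
            if better:
                cost[nbr], upstream[nbr], root_port[nbr] = nc, sw, link
                heapq.heappush(heap, (nc, BIDS[sw], nbr))
    blocked = {}
    for link in links:
        if link in root_port.values():
            continue  # part of the tree
        a, b = sorted(link)
        designated = min((a, b), key=lambda s: (cost[s], BIDS[s]))
        blocked[link] = b if designated == a else a
    return root, cost, blocked


if __name__ == "__main__":
    print("frames with all links forwarding:", flood_broadcast(LINKS))
    root, cost, blocked = spanning_tree(LINKS)
    print("root:", root, "path costs:", cost, "blocked:", blocked)
    print("frames with STP blocking:", flood_broadcast(LINKS, set(blocked)))
    # Failover: the S1-S3 link goes down, the STA recalculates, nothing needs blocking.
    degraded = {l: c for l, c in LINKS.items() if l != frozenset(("S1", "S3"))}
    print("after S1-S3 fails:", spanning_tree(degraded))
```

With every link forwarding the frame count only stops at the cap; with S3's port on the S2-S3 link blocked the same broadcast costs two frames, and when the S1-S3 link is removed S3's root path cost rises from 19 to 38 through S2 and no port is blocked any more.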
2.6 Conclusions
This chapter has shown what a VLAN is and how it operates. From this we will see the benefits of using VLANs, such as improved performance, a higher security level and easier network management, which are introduced in the next chapter.
Additionally, VLANs make a network flexible to manage and design. Suppose a company is reorganized and an employee changes position: by reconfiguring switch ports, he does not need to change his physical location. VLANs also make network design cheaper, because the switch ports in a room are used more efficiently and users can easily be added to or removed from the network.
This chapter also touched on two issues in network design, and in VLAN design in particular: VTP and STP. VTP makes VLAN configuration easier, and STP is the solution to redundancy and layer-2 loop problems.
Because of these substantial benefits, VLANs are widely used in network design, as the next part makes clearer.
CHAPTER 3 BENEFITS OF VLAN IN NETWORK DESIGN

Figure 3.1 A company’s network topology
In figure 3.1, a company uses a Frame Relay link to connect its two buildings: the branch office and the server farm. During working hours the staff access the database server to look for the data they need or use the email and web services. In their free time they can relax by playing music or video or even a computer game. But during business hours, and especially at peak times, if some users download non-business traffic such as music or video from the Music-and-video server, that traffic consumes far more bandwidth than the rest and slows down the company network. To improve network performance, QoS is applied to give multimedia traffic the lowest priority, or even to block it, using queuing mechanisms, ACLs, firewalls and the like.
there are multiple users running multiple applications that require
network resources at the same time, so it is necessary to allocate network
resources to application traffic in such a way that the network can meet all
service requirements. The following QoS parameters are usually used to
describe those requirements:
Bandwidth - the rate at which an application's traffic must be carried by
the network
Latency (or delay) - the delay an application can tolerate in the delivery
of a packet
Jitter - the variation in latency
Loss - the percentage of packets lost
Of these parameters, bandwidth is the one of most interest here: if an
application is given enough bandwidth, the other parameters (delay, loss
and jitter) usually stay within acceptable bounds. Queuing does not create
bandwidth; it decides which traffic gets the available bandwidth first. One
of several approaches is therefore to classify traffic into QoS classes and
then prioritize and queue it according to its importance. Several queuing
mechanisms exist: Priority Queuing (PQ), Custom Queuing (CQ), Weighted
Fair Queuing (WFQ) and its distributed versions, IP RTP Prioritization,
Modified Deficit Round Robin (MDRR), Class-Based Weighted Fair Queuing
(CB-WFQ) and Class-Based Low-Latency Queuing (CB-LLQ).
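To make the queuing idea concrete, the following is an added example in Python; it is not part of the thesis and not any vendor's implementation. It models two of the mechanisms named above on a single overloaded link: strict Priority Queuing, and a class-based weighted share in the spirit of CB-WFQ. The two traffic classes (business traffic such as database, email and web, and multimedia traffic), their packet rates, the link rate and the queue depth are all constructed values chosen so that the offered load exceeds the link.

```python
"""Strict priority queuing vs. weighted (class-based) sharing on one link.

Added example, not from the thesis or from any vendor implementation.  The
traffic mix (business vs. multimedia), packet sizes, link rate and queue
depth are constructed values chosen to overload the link.
"""
from collections import deque


class ClassQueues:
    """One tail-drop FIFO per traffic class, drained by a pluggable policy."""

    def __init__(self, classes, link_bytes_per_tick, max_queue_pkts):
        self.order = list(classes)          # highest priority first
        self.link = link_bytes_per_tick
        self.cap = max_queue_pkts
        self.queues = {c: deque() for c in classes}
        self.stats = {c: {"offered": 0, "delivered": 0, "dropped": 0}
                      for c in classes}

    def enqueue(self, cls, size):
        """Admit a packet, or tail-drop it when the class queue is full."""
        self.stats[cls]["offered"] += size
        if len(self.queues[cls]) >= self.cap:
            self.stats[cls]["dropped"] += size
        else:
            self.queues[cls].append(size)

    def _serve(self, cls, budget):
        """Transmit whole packets from one class while the byte budget allows;
        return the unused part of the budget."""
        q = self.queues[cls]
        while q and q[0] <= budget:
            size = q.popleft()
            budget -= size
            self.stats[cls]["delivered"] += size
        return budget

    def tick_strict_priority(self):
        """PQ: the highest class takes all it needs; lower classes get the rest."""
        budget = self.link
        for cls in self.order:
            budget = self._serve(cls, budget)

    def tick_weighted(self, weights):
        """Class-based sharing: each class is guaranteed link*w/sum(w) bytes per
        tick; whatever a class leaves unused is handed out in priority order."""
        total = sum(weights.values())
        shares = {c: self.link * weights[c] // total for c in self.order}
        leftover = self.link - sum(shares.values())
        for cls in self.order:
            leftover += self._serve(cls, shares[cls])
        for cls in self.order:
            leftover = self._serve(cls, leftover)

    def queued_bytes(self):
        return {c: sum(q) for c, q in self.queues.items()}


def run(policy, weights=None, ticks=10):
    """Offer 700 B/tick of business traffic and 1000 B/tick of multimedia to a
    1000 B/tick link (constructed overload) and return per-class statistics
    plus the bytes still queued at the end."""
    sched = ClassQueues(["business", "multimedia"],
                        link_bytes_per_tick=1000, max_queue_pkts=20)
    for _ in range(ticks):
        for _ in range(7):        # database / email / web: 7 x 100 B
            sched.enqueue("business", 100)
        for _ in range(10):       # music / video: 10 x 100 B
            sched.enqueue("multimedia", 100)
        if policy == "pq":
            sched.tick_strict_priority()
        else:
            sched.tick_weighted(weights)
    return sched.stats, sched.queued_bytes()


if __name__ == "__main__":
    for name, args in (("strict priority", ("pq",)),
                       ("weighted 1:1", ("weighted", {"business": 1, "multimedia": 1}))):
        stats, queued = run(*args)
        print(name)
        for cls, s in stats.items():
            print(f"  {cls:11s} delivered={s['delivered']:5d} "
                  f"dropped={s['dropped']:5d} queued={queued[cls]}")
```

Strict priority keeps the business class loss-free while the multimedia class is starved and tail-dropped, which is exactly the effect wanted in the example above; it is also why PQ is risky when the high-priority class can itself saturate the link. The weighted policy caps what each class may take, so with a 1:1 weighting business traffic now queues and drops as well. CB-LLQ combines the two ideas: a strict-priority queue with a bandwidth cap for delay-sensitive traffic, and weighted sharing for everything else.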
DDoS to break the network. Along with the evolution of computer science
and information technology, threats can appear from everywhere, inside or
outside the network, and take many forms, such as:
• MAC flooding attack
• 802.1Q and ISL tagging attack
• Double-encapsulated 802.1Q / nested VLAN attack
• ARP attacks
• Private VLAN attack
• Multicast brute force attack
• Spanning-tree attack
• Random frame stress attack
• DDoS attack, etc.
Even an ordinary user can make use of attack tools that are widely
distributed on the internet to perform these attacks, or to spread viruses,
worms or spyware to victim PCs.
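The tagging attacks in the list above all revolve around how a switch reads 802.1Q headers. As an added example (not code from the thesis), the Python below parses the tag stack of an Ethernet frame and flags the double-encapsulated pattern: two stacked 0x8100 tags whose outer VLAN id equals the trunk's native VLAN. The frames are constructed in-line and the native VLAN id passed to the classifier is an assumption.

```python
"""Parse 802.1Q tags from an Ethernet frame and flag the double-encapsulated
(nested VLAN) pattern.  Added example, not code from the thesis; the frames
below are constructed in-line and the native VLAN id is an assumption."""
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (C-tag)
TPID_8021AD = 0x88A8  # provider/service tag (S-tag, 802.1ad QinQ)


def build_frame(tags, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed test frame: MACs, zero or more (tpid, vid) tags, type, payload."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst/src, the list of VLAN tags (outermost first) and the EtherType.
    Raises ValueError on runt or truncated frames instead of reading past them."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated before EtherType")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}


def classify(frame, native_vlan):
    """Label a frame seen on an access port.  Two stacked 0x8100 tags whose
    outer VID equals the trunk's native VLAN is the double-encapsulated
    attack pattern: the first switch strips the (untagged) native VLAN tag and
    the next switch delivers the frame into the inner VID."""
    tags = parse_frame(frame)["tags"]
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "tagged"
    if all(t["tpid"] == TPID_8021Q for t in tags) and tags[0]["vid"] == native_vlan:
        return "vlan-hop-suspect"
    return "double-tagged"


if __name__ == "__main__":
    samples = {
        "plain":  build_frame([]),
        "vlan10": build_frame([(TPID_8021Q, 10)]),
        "hop":    build_frame([(TPID_8021Q, 1), (TPID_8021Q, 20)]),
        "qinq":   build_frame([(TPID_8021AD, 100), (TPID_8021Q, 20)]),
    }
    for name, frame in samples.items():
        vids = [t["vid"] for t in parse_frame(frame)["tags"]]
        print(f"{name:7s} vids={vids} -> {classify(frame, native_vlan=1)}")
```

The attack only works when the attacker's access port sits in the same VLAN as the trunk's native VLAN, which is why the usual mitigations are to put trunks on a dedicated, otherwise unused native VLAN, to keep access ports out of it, and to tag the native VLAN on trunks (on Cisco IOS switches, `vlan dot1q tag native`). Stacked tags with an 0x88A8 outer TPID are legitimate 802.1ad provider tagging and are reported separately here rather than as an attack.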
antivirus software installed on each computer in the LAN plays an important
role in detecting and removing harmful programs.
video traffic in the example in section 2.6.1. An ACL restricts
accessibility to selected users in a network; this is a basic level of
security in networking.
ACLs also give the network administrator additional benefits and flexibility
through complex extended ACLs. Cisco routers support three categories of
complex ACLs:
Dynamic ACLs (lock-and-key): a user who wants to access or traverse a
router configured with a dynamic ACL must first authenticate by connecting
to the router with Telnet; only then is a temporary entry opened for that
user. Dynamic ACLs improve the security of network access.
Reflexive ACLs: used when the administrator wants to block all traffic
that originates outside the network while allowing the return traffic of
sessions initiated from inside. This category is a good practice for closed
networks, networks that do not want to advertise information about
themselves; it helps secure the network against intruders and in particular
against DoS attacks that rely on unsolicited inbound connections.
Time-based ACLs: this category allows access control based on the time
of day and day of the week, which makes the policy more flexible.
3.2.1 Objective
Optimization is always the major objective in designing a computer
network. Companies expect their network to operate at maximum
performance, with a high level of security and, of course, at an acceptable
cost. The factors of interest in designing a computer network are therefore
price, reliability, security and performance. At the same price, the network
designer can exploit the characteristics of the networking hardware to
improve the remaining factors.
As said earlier, in order to understand and anticipate the benefits of new
networking resources, it is often prohibitively expensive to test a real
system, because networking hardware and software can be both complicated
and expensive. Simulation and modeling are considered a comparatively
cheap approach to network design and testing.
This chapter aims to investigate the operation of VLANs and their
advantages. In this chapter, I have done some simulations with OPNET IT
Guru to show two things:
The performance improvement gained by using VLANs.
The improvement in security level gained by using VLANs.
The first two scenarios demonstrate the first objective, and the last two
prove the second.
Figure 3.34 VLAN network
Profile   Application       Load level
Student   Remote_login      High load
          File_transfer     High load
          Database_access   High load
Teacher   Remote_login      Medium load
          File_transfer     High load
          File_print        Medium load
Manager   Remote_login      Low load
          File_print        Medium load
          Database_access   Medium load
Table 3.1 Applications used in the lab
Figure 3.35 Traffic demand in the network without VLAN
As shown in figure 3-4, three traffic demands are created from the
workstation student 14 to three nodes that belong to different VLANs, and
all of them reach their destinations. In the second scenario, only the
traffic demand directed to the server Student reaches its destination; the
others are blocked by the switch because they belong to other VLANs.
Figure 3.36 Only one traffic demand is allowed to reach its server
Figure 3.37 One of the traffic demands is not allowed by the switch
Figure 3.38 Ethernet load (bit/s) on ServerManager
The figures above show that the network load decreases at all servers
when VLANs are used. In the first scenario, traffic generated by users,
regardless of who they are, is sent to all servers. This makes the network
load higher than necessary, and the network delay increases along with it.
The second scenario creates three separate VLANs that cannot communicate
with each other, so a large amount of traffic can no longer reach the two
servers that do not belong to the sender's VLAN. Consequently, the load at
each server decreases significantly.
Because the traffic at each server is lighter, the server can process it
faster. The performance of the servers in the two scenarios can be
examined by collecting the following statistics:
Because the servers need less time to process the traffic they receive, the
delay at each server, as well as the end-to-end delay, is smaller.
Figure 3.42 End-to-end Delay
The last factor used to examine the network is link utilization. At the
same request rate from the workstations, the network with the lower link
utilization is the better one. In the figure below, the network using
VLANs consumes about one third of the bandwidth of the NoVLAN network.
3.2.3 Restrict the accessibility
The second scenario of the first simulation created three separate
VLANs that cannot communicate. In practice, two or more VLANs must be
able to communicate with each other to share information and network
resources. In this instance, the student manager needs to share
information with the teachers in order to build the student database. To
make communication among VLANs possible, a layer 3 device such as a
router or a layer-3 switch is used. Here, a one-armed router (router-on-a-
stick: a single trunk interface carrying all VLANs) routes between the
VLAN teacher and the VLAN manager.
List name    Action   Source           Destination
Incoming_3   Permit   Any              Any
Outgoing_3   Permit   192.168.2.254    Any
             Deny     192.168.2.0/24   192.168.3.0
             Permit   Any              Any
Incoming_4   Permit   Any              Any
Outgoing_4   Permit   192.168.2.254    Any
             Deny     192.168.2.0/24   192.168.3.0
             Permit   Any              Any
Table 3.3 ACL configuration
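The lists in Table 3.3 are evaluated top-down, first match wins, and an IOS ACL that matches nothing ends in an implicit deny. The following Python is an added example (not the thesis' or Cisco's code) that applies those rules to the table, so the effect of rule order can be checked before the configuration goes on a router. Two assumptions are made: the destination "192.168.3.0" in the table stands for the 192.168.3.0/24 network, and 192.168.2.254 is the router's own address in the 192.168.2.0/24 subnet.

```python
"""First-match evaluation of the ACLs in Table 3.3.  Added example, not the
thesis' or Cisco's code.  Assumptions: "192.168.3.0" in the table means the
192.168.3.0/24 network, and 192.168.2.254 is the router's own address in the
192.168.2.0/24 subnet."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # "any", a host address, or a network in prefix notation
    dst: str


def _matches(spec, addr):
    if spec == "any":
        return True
    # a bare host address becomes a /32 network
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, src, dst):
    """Walk the list top-down; the first matching rule decides.  As on a Cisco
    router, a list that matches nothing ends in an implicit deny."""
    for rule in acl:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return "deny"


# Table 3.3, transcribed (destination prefix length is an assumption).
INCOMING_3 = [Rule("permit", "any", "any")]
OUTGOING_3 = [
    Rule("permit", "192.168.2.254", "any"),            # router's own address first
    Rule("deny", "192.168.2.0/24", "192.168.3.0/24"),  # block 2.0/24 -> 3.0/24
    Rule("permit", "any", "any"),                      # everything else allowed
]
INCOMING_4, OUTGOING_4 = INCOMING_3, OUTGOING_3

# The same rules with the first two swapped: order changes the outcome.
OUTGOING_3_MISORDERED = [OUTGOING_3[1], OUTGOING_3[0], OUTGOING_3[2]]


def decisions(acl, flows):
    """Evaluate a list of (src, dst) flows and return {flow: action}."""
    return {flow: evaluate(acl, *flow) for flow in flows}


if __name__ == "__main__":
    flows = [("192.168.2.254", "192.168.3.10"),   # router address -> 3.0/24 host
             ("192.168.2.10", "192.168.3.10"),    # 2.0/24 host -> 3.0/24 host
             ("192.168.2.10", "192.168.4.10")]    # 2.0/24 host -> elsewhere
    for name, acl in (("Outgoing_3", OUTGOING_3),
                      ("Outgoing_3 misordered", OUTGOING_3_MISORDERED)):
        print(name)
        for flow, action in decisions(acl, flows).items():
            print(f"  {flow[0]:>15s} -> {flow[1]:<15s} {action}")
```

Two points worth noting from the output. First, with the deny rule moved ahead of the host permit, the router's own address is blocked as well, so the table's ordering is not cosmetic. Second, because the lists end in an explicit "permit any any" they behave as blocklists; drop that last line and the implicit deny turns them into allowlists that block everything not named. Also remember that an ACL on the one-armed router only filters traffic that is routed between VLANs; hosts inside the same VLAN still talk directly through the switch.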
3.2.4 The DDoS attack and defense simulation [7]
A Distributed Denial of Service (DDoS) attack is a type of network attack
in which an attacker uses malicious code installed on many computers to
attack a single target. If the attacker cannot break into the victim, he or
she can still make it unavailable to others by performing a DDoS attack.
We assume that every computer in the network has been infected by
malicious software. The attacker who created this software programmed it
so that all computers request an HTTP service at the same moment, chosen
by the attacker.
If the network does not use VLANs, every computer can send traffic to
server_teacher and overload it. In a traditional LAN the attacker can thus
attack any target he wants, and the whole network may easily collapse. The
figure on the next page shows that while under attack the CPU utilization
of the victim server is at 100 percent, so it cannot serve any more
requests.
If the network is divided into 3 VLANs, the number of clients that can
send the fake requests to a given server is much smaller. Even if the attack
target is Server_student, only the VLAN student collapses; the others keep
working properly. This holds because, in this scenario, the three VLANs
have no inter-VLAN routing; once a router connects them, as in section
3.2.3, the attack traffic stays confined only if the router's ACLs block it.
a) CPU utilization of the victim server. b) Service load of the victim server
b) Link utilization between the victim server and the switch to which it is
connected. c) Service response time of the other clients
3.3 Conclusions
These two simulations show the main benefits of VLANs.
Using VLANs can improve network performance because they reduce the
overall broadcast traffic that degrades performance when not properly
managed. Dividing the broadcast domain into many smaller ones also
confines problems to the segment in which they occur.
In addition, VLANs make it easier and more efficient to manage a large
network. Users can change their location without changing their IP
address, and without changes to the router configuration.
The second simulation shows the improved security level obtained with
VLANs. In a flat LAN, confidential and mission-critical data crosses the
same broadcast domain as everything else; with VLANs, information
belonging to one VLAN cannot cross into another without the
administrator's permission. Where VLANs need to communicate, a router
configured with ACLs permits or denies the traffic. This separation holds
only as long as the switches are configured to resist the layer 2 attacks
listed earlier in this chapter, such as 802.1Q tagging and spanning-tree
attacks.
Although configuring VLANs on a network is complex, their many benefits
make VLANs a very important part of computer networks today, especially
large ones.
CONCLUSIONS
After a long time researching and working on the thesis, with the guidance
of Dr. Cuong Dinh The, I have completed my thesis on time.
The thesis introduces VLANs and their benefits. It compares two
networks, one without VLANs and one with them. In the second network,
performance is improved because broadcast traffic is reduced.
Using VLANs also gives more flexibility in placing network devices. When
a device is moved to another position, it can keep its IP configuration, and
the administrator does not need to reconfigure the network's router.
Finally, the thesis shows the main advantage of VLANs, which is improved
security. Using VLANs, the administrator can divide the network into
subnets based on function and demand. In addition, with VLAN ACLs it is
possible to permit or deny specified traffic and to allow specified VLANs to
communicate with each other.
These advantages explain why VLANs are widely used in campus and
enterprise networks alike. However, configuring VLANs for a network is
complex; administrators easily misconfigure them and, unintentionally,
create weaknesses that an attacker can exploit.
To sum up, this thesis has presented useful information about the benefits
of VLANs and how to configure VLANs for a campus or enterprise network.
For future work, I will study OPNET Modeler further; it is a powerful tool
for simulating and modeling not only computer networks but other
communication networks as well.
REFERENCES
[1] Vũ Minh Tiến, Mạng máy tính (Computer Networks), People's Army
Publishing House, 2002.
[2] Alberto Leon-Garcia & Indra Widjaja, Communication Networks:
Fundamental Concepts and Key Architectures, McGraw-Hill, 2001.
[3] Cesc Canet & Juan Agustín Zaballos, Security Labs in OPNET IT Guru,
OPNET.com.
[4] Chriss Hoffmann, VLAN Security in the LAN and MAN Environment,
SANS Institute, 2003.
[14] http://en.wikipedia.org/wiki/STP
APPENDIX 1
List of applications used in this simulation

Searching
HTTP Specification                                  HTTP 1.1
Page Interarrival time (seconds)                    Exponential(10)
Page properties    Object Size (bytes)              Constant (1000)   Medium image
                   Number of objects (per page)     Constant(1)       Constant(2)
Location                                            HTTP server
Server selection   Initial Repeat Probability       Search
                   Page per Server                  Exponential(2)
RSVP Parameter                                      None
Type of Service                                     Best effort (0)
Table 3.4 Searching properties
WebBrowsing (HTTP_heavy Browsing)
HTTP Specification                                  HTTP 1.1
Page Interarrival time (seconds)                    Exponential(60)
Page properties    Object Size (bytes)              Constant (1000)   Medium image
                   Number of objects (per page)     Constant(1)       Constant(5)
Location                                            HTTP server
Server selection   Initial Repeat Probability       Browse
                   Page per Server                  Exponential(10)
RSVP Parameter                                      None
Type of Service                                     Best effort (0)
Table 3.5 WebBrowsing properties
http attack (HTTP_extreme heavy Browsing)
HTTP Specification                                  HTTP 1.1
Page Interarrival time (seconds)                    Exponential(10)
Page properties    Object Size (bytes)              Constant (100000)   Large image
                   Number of objects (per page)     Constant(1)         Constant(10)
Location                                            HTTP server
Server selection   Initial Repeat Probability       Browse
                   Page per Server                  Exponential(20)
RSVP Parameter                                      None
Type of Service                                     Best effort (0)
Table 3.6 http attack properties
Profile                 Operation mode   Start time         Duration            Repeatability
Teacher                 Simultaneous     Uniform(100,110)   End of simulation   Once at start time
Manager                 Simultaneous     Uniform(100,110)   End of simulation   Once at start time
High_loadAndImagining   Simultaneous     Uniform(100,110)   End of simulation   Once at start time
Manager:
High_loadAndImagining:
1. Imaging
HTTP Specification                                  HTTP 1.1
Page Interarrival time (seconds)                    uniform(10,20)
Page properties    Object Size (bytes)              Constant (1000)   Large image
                   Number of objects (per page)     Constant(1)       Constant(7)
Location                                            HTTP server
Server selection   Initial Repeat Probability       Research
                   Page per Server                  exponential(20)
RSVP Parameter                                      None
Type of Service                                     Best effort (0)
2. filetransfer_heavy:
3. DDoS attack:
Profile in use: attacker
Profile      Operation mode   Start time   Duration   Repeatability
httpattack
HTTP Specification                                  HTTP 1.1
Page Interarrival time (seconds)                    uniform(10,20)
Page properties    Object Size (bytes)              Constant (100000)   Large image
                   Number of objects (per page)     Constant(1)         Constant()
Location                                            HTTP server
Server selection   Initial Repeat Probability       Research
                   Page per Server                  exponential(20)
RSVP Parameter                                      None
Type of Service                                     Best effort (0)