Undergrad Thesis Htt Fixed

Date post: 16-Nov-2014
Upload: hafthanhf

LIST OF ACRONYMS

ARPANET Advanced Research Projects Agency Network

ACL Access Control List

BID Bridge ID

BPDU Bridge Protocol Data Unit

CSMA-CD Carrier Sense Multiple Access-Collision Detection

DNS Domain Name Service

DHCP Dynamic Host Configuration Protocol

FCS Frame Check Sequence

FTP File Transfer Protocol

HTTP Hypertext Transfer Protocol

LAN Local Area Network

RSTP Rapid Spanning Tree Protocol

STP Spanning Tree Protocol

STA Spanning Tree Algorithm

TCP Transmission Control Protocol

TPID Trunking Protocol ID

UDP User Data Protocol

VPN Virtual Private Network

VLAN ID VLAN Identification

VLAN Virtual LAN

VTP VLAN Trunking Protocol

WAN Wide Area Network


TABLE OF CONTENTS

TABLE OF CONTENTS ..... II
ACKNOWLEDGEMENTS ..... IV
LIST OF FIGURES ..... V
LIST OF TABLES ..... IX
ABSTRACT ..... 1
CHAPTER 1 LOCAL NETWORKS AND FUNDAMENTAL CONCEPTS ..... 2
1.1 COMPUTER NETWORK OVERVIEW ..... 2
1.1.1 What is a computer network? ..... 2
1.1.2 Classification of computer networks ..... 4
1.1.2.1 Scale ..... 4
1.1.2.2 Transmission medium ..... 4
1.1.2.3 Functional relationship ..... 4
1.1.2.4 Topology ..... 5
1.1.3 OSI Reference Model ..... 9
1.1.3.1 Application layer ..... 10
1.1.3.2 Presentation layer ..... 11
1.1.3.3 Session layer ..... 11
1.1.3.4 Transport layer ..... 11
1.1.3.5 Network layer ..... 13
1.1.3.6 Data link layer ..... 13
1.1.3.7 Physical layer ..... 13
1.2 INTRODUCING LOCAL NETWORK ..... 14
1.2.1 Local Area Network (LAN) ..... 14
1.2.2 Virtual LAN (VLAN) ..... 16
1.3 A BRIEF ON SIMULATION TOOLS AND OPNET ..... 18
1.4 CONCLUSIONS ..... 20
CHAPTER 2 VIRTUAL LOCAL AREA NETWORK (VLAN) ..... 22
2.1 DEFINITION OF VLAN ..... 22
2.2 VLAN ID RANGE ..... 23
2.3 OPERATION OF VLAN ..... 24
2.4 TYPES OF VLAN ..... 25
2.4.1 Data VLAN ..... 25
2.4.2 Default VLAN ..... 26
2.4.3 Native VLAN ..... 26
2.4.4 Management VLAN ..... 27
2.4.5 Voice VLAN ..... 27
2.5 THE STANDARDS AND PROTOCOLS USED IN VLAN ..... 29
2.5.1 VLAN Trunking ..... 29
2.5.1.1 Trunk's definition and its benefit ..... 29
2.5.1.2 IEEE 802.1q ..... 30
2.5.2 VLAN Trunking Protocol (VTP) ..... 32
2.5.2.1 What is VTP? ..... 32
2.5.2.2 VTP Pruning ..... 33
2.5.3 Spanning tree protocol (STP) ..... 34
2.5.3.1 The importance of redundancy in designing a network ..... 34
2.5.3.2 Redundancy and loop issues ..... 35
2.5.3.3 The Spanning tree protocol-STP ..... 38
2.5.4 Rapid spanning tree protocol (RSTP) ..... 38
2.5.4.1 The differences from STP ..... 38
2.5.4.2 RSTP operation ..... 38
2.6 CONCLUSIONS ..... 39
CHAPTER 3 BENEFITS OF VLAN IN NETWORK DESIGN ..... 40
3.1 MAIN BENEFITS OF VLAN ..... 40
3.1.1 VLAN and Quality of service (QoS) ..... 40
3.1.1.1 The Definition of QoS ..... 40
3.1.1.2 Queuing mechanisms ..... 41
3.1.2 VLAN and security ..... 42
3.1.2.1 Basic security: Handling physical accesses to network devices ..... 42
3.1.2.2 Tools and best practices in securing VLAN ..... 43
3.1.2.3 Improve network security using Access Control Lists ..... 44
3.2 SIMULATIONS AND RESULTS ..... 45
3.2.1 Objective ..... 45
3.2.2 NoVLAN network vs. VLAN network ..... 46
3.2.3 Restrict the accessibility ..... 55
3.2.4 The DDoS attack and defense simulation [7] ..... 57
3.3 CONCLUSIONS ..... 60
CONCLUSIONS ..... 61
REFERENCES ..... 62
APPENDIX 1 ..... 63

ACKNOWLEDGEMENTS

I wish to express my sincere gratitude to all who contributed their time and talent to the completion of this work, in particular to:

First of all, I would sincerely like to thank my scientific supervisor, Dr. Cuong Dinh The at the Le Quy Don Technical University, for his unlimited guidance, many hours of discussion, valuable advice, as well as his precious encouragement.

I would also like to acknowledge Mr. Thanh Nguyen, Assistant Professor at the Faculty of Electrical Engineering, Le Quy Don Technical University, who helped me so much in using OPNET and gave me much advice on modeling. In spite of being busy, he still reserved some hours for my questions, and these hours helped me so much in modeling and driving my simulations in the right direction. Additionally, he also showed me how to write a thesis, especially in English.

English is becoming the global language, and this is the reason I decided to write my thesis in this language. I would like to acknowledge Van Thuy Vu, a zealous friend; each time I finished a part of this thesis, she helped me fix the grammar mistakes I had made.

Last, I would also like to thank the Internet; without it, I could not have found any of the documents that serve as references in my thesis.

LIST OF FIGURES

Figure 1.1 ARPANET.................................................................................................3

Figure 1.2 A Bus network........................................................................5

Figure 1.3 A Star network........................................................................6

Figure 1.4 A Ring network......................................................................7

Figure 1.5 Mesh network.........................................................................9

Figure 1.6 OSI model............................................................................10

Figure 1.7 The network devices used in LAN.......................................14

Figure 1.8 Hierarchical network............................................................15

Figure 1.9 The small university with its LAN.......................................16

Figure 1.10 The university network after several years with VLAN.....17

Figure 1.11 OPNET ITGuru..................................................................20

Figure 2.1 The different VLANs in a network.......................................22

Figure 2.2 Port-based VLAN................................................................23

Figure 2.3 Broadcast traffic in normal LAN..........................................24

Figure 2.4 Controlling broadcast domain with VLAN..........................24

Figure 2.5 Tagging information.............................................................25

Figure 2.6 Data VLANs.........................................................................26

Figure 2.7

Figure 2.8 Management VLAN.............................................27

Figure 2.9 Voice VLAN.........................................................................28

Figure 2.10 Voice traffic........................................................................28

Figure 2.11 VLANs without Trunk........................................................29

Figure 2.12 VLAN with Trunk..............................................................30

Figure 2.13 IEEE 802.1q Ethernet Type allocations..............................31

Figure 2.14 IEEE 802.1Q VLAN Tag Fields.........................................31

Figure 2.15 TCI format..........................................................................31

Figure 2.16 Configuring a small network with only 3 switches............33

Figure 2.17 A network with redundancy...............................................34


Figure 2.18 When the main link fails.....................................................35

Figure 2.19 layer 2 loop-1......................................................................35

Figure 2.20 Layer 2 loop-2....................................................................36

Figure 2.21 Layer 2 loop-3....................................................................37

Figure 3.1 A company’s network topology...........................................41

Figure 3.2 NoVLAN network................................................................46

Figure 3.3 VLAN network.....................................................................47

Figure 3.4 Traffic demand in the network without VLAN....................49

Figure 3.5 Only one traffic demand is allowed to reach its server........50

Figure 3.6 One of the traffic demands is not allowed by the switch..................50

Figure 3.7 Ethernet load (bit/s) on ServerManager.................................51

Figure 3.8 Ethernet load (bit/s) on ServerTeacher.................................51

Figure 3.9 Ethernet Load (bit/s) on servers..........................................52

Figure 3.10 Server performance statistics.............................................53

Figure 3.11 End-to-end Delay................................................................54

Figure 3.12 Link utilization...................................................................54

Figure 3.13 inter-VLAN communication...............................................55

Figure 3.14 Ping report..........................................................................56

Figure 3.15 DDoS attack........................................................................57

Figure 3.16 The results after the attack..................................................59


LIST OF TABLES

Table 3.1 Applications used in the lab...................................................48

Table 3.2 Statistics collected in the lab................................................48

Table 3.3 ACLs configuring..................................................................56

Table 3.4 Searching properties...............................................................63

Table 3.5 WebBrowsing properties.......................................................64

Table 3.6 http attack properties..............................................................65


ABSTRACT

Derived from the need to share network resources between hosts and users, the computer network was born, and it plays a more and more important role in our lives. Since its birth in the 1960s, the computer network has continuously grown. The more it grows, the more issues appear, such as network delay, performance, security, etc. In the local network, VLAN is a solution for these issues. VLANs are now extensively used in practice and represent a critical and time-consuming activity in both enterprise and campus network management.

For this reason, I have chosen to research the topic "Study and designing virtual local area network-VLAN" for my graduation thesis. This thesis intends to introduce VLAN and its benefits for campus networks and enterprise networks as well. It is organized into four parts, followed by a references part and an appendix. The outline of the thesis is as follows:

- Part 1: Local networks and fundamental concepts

This part introduces the fundamental concepts of the local computer network, LAN and VLAN. Also in this part, a brief on simulation tools and OPNET is given.

- Part 2: Virtual Local Area Networks-VLANs

This part introduces VLAN, its definitions and operations. The reason why we should use VLAN is also presented by introducing its benefits in performance, management, and security.

- Part 3: Benefits of VLAN in network design

In this part, I introduce the main benefits of VLAN implementation; measurements are then done to demonstrate the benefits of VLAN in comparison with a traditional LAN.

- Part 4: Conclusion

This part presents the results of my work.


CHAPTER 1 LOCAL NETWORKS AND FUNDAMENTAL CONCEPTS

1.1 Computer network overview

1.1.1 What is a computer network?

Recently, the telecommunication industry in Vietnam in particular, and in the world in general, has evolved very quickly. This evolution is driven not only by transmission, multiplexing and coding technologies and so forth, but also, to a significant degree, by computer networks. It can be said that computer networks make a great contribution not only to the development of telecommunication but to almost every other branch as well. The 21st century is the era of information technology. We need not only a powerful computer but also a good computer network with high performance, reliability and security. To design an optimal computer network, we must first have knowledge about computer networks: what they are, when they appeared, and why we must use them.

Derived from the need to share network resources between hosts and users, the computer network was born. The first one appeared in the late 1960s and early 1970s: the Advanced Research Projects Agency Network (ARPANET) (see Figure 1.1), which was designed for the United States Department of Defense by the Advanced Research Projects Agency (ARPA). Initially, the ARPANET was used for military purposes; it connected national defense units, the government's research department and some universities. The ARPANET grew larger and became the predecessor of today's Internet.


Figure 1.1 ARPANET


Today, we can define a computer network as a group of computers (at least two) connected to each other by a physical or logical link. It allows us to share our resources with each other. Larger-scale networks such as WANs and the Internet also consist of small networks like this.

1.1.2 Classification of computer networks

There are four criteria used for classifying networks.

1.1.2.1 Scale

Computer networks can be classified based on their scale: Local Area Network (LAN), Personal Area Network (PAN), Campus Area Network (CAN), Virtual Private Network (VPN), Metropolitan Area Network (MAN), and Wide Area Network (WAN).

1.1.2.2 Transmission medium

Based on the transmission medium, networks can be classified as follows:

- Fiber networks are those that use fiber (optical cable) to transmit data.

- Copper networks: the transmission medium is copper cable. Ethernet is a very popular copper network; it uses CSMA/CD as its medium access control.

- Wireless LANs (WLANs) do not use cable to transmit data; they transmit over the air. Their medium access control is CSMA/CA.

1.1.2.3 Functional relationship

Computer networks may be classified according to the functional relationships which exist among the elements of the network.

- Peer-to-peer (P2P) networks are networks in which the computers have the same role in sharing network resources. Any user can request data from another and vice versa. Today, BitTorrent is the most common P2P application.

- Client-server networks are networks which have at least one server and one or more clients. Clients make requests to servers and servers fulfill these requests from the clients.

1.1.2.4 Topology

We can also classify networks based on topology, such as bus, star, ring and mesh networks.

A bus network uses only one common medium (called the bus) to transmit data among network nodes.

Figure 1.2 A Bus network

A bus network is the simplest way to make a computer network; it has some advantages:

- It is the cheapest way to establish a network.

- It is simple to understand and implement.

- Because network nodes operate independently, if a node is broken, the network still works properly.

However, bus networks have some disadvantages as follows:

- Due to the use of the common medium, the probability of collision is very high, so the number of stations is limited.

- The length of the bus is limited as well, due to the attenuation of the signal when traveling on

- At any time, only one station has the right to transmit data, so the capacity of a bus network is low.

If a network is large-scale, these disadvantages make a bus unsuitable.

Figure 1.3 A Star network

Nowadays, the star network is one of the most popular networks. It consists of a central node, which is a hub, a switch, a router, or a computer with many NICs (Network Interface Cards), and peripheral nodes.


A star network has more advantages than a bus network. Its performance is higher because unnecessary traffic is eliminated. In a bus network, when a station sends a frame, the frame is sent to all nodes attached to the bus, whereas in a star network, if the central node is a switch, the frame is only sent to its destination. This also lowers the probability of collision. It is easy to upgrade the network by using a more powerful central node and adding more leaf nodes.

The disadvantage of star networks is the dependence on the central node. If this node is broken, the whole network is broken as well.

Figure 1.4 A Ring network (panels a and b)

A ring network is a network in which the nodes are connected in a closed-loop configuration. Each node connects only to its two neighbors. In a small computer network, every node is connected to a central node that is a token ring hub or switch, as in Figure 1.4.

Token Ring is a widely implemented kind of ring network. In Token Ring networks, information is transmitted in one direction from the source to the destination. The token ring hub carries this out by receiving the frame and forwarding it out to the next port, and so on. A special frame called the token travels around the network. If a station wants to send its frames, it must wait for a "free" token; it then claims the token by removing it from the ring and begins transmitting its frames. Each station examines the destination address in each passing frame to see whether this address matches its own. If not, the station forwards the frame to the next link after a short delay; if the frame is for this station, it is copied to the station's buffer, then the station sets some status bits of the frame and forwards it on the ring. When the frame gets back to the source, the source removes it from the ring and gives the "free" token back to the ring.
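The token-passing sequence just described, written out as a small simulation. This is an added illustrative example, not code from the thesis; the station names, the ring order and the two status bits (A for address recognized, C for frame copied, the names used in IEEE 802.5's frame status field) are constructed for the demonstration:

```python
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str
    dst: str
    payload: str
    addr_recognized: bool = False   # 'A' status bit, set by the destination
    frame_copied: bool = False      # 'C' status bit, set by the destination


@dataclass
class Station:
    name: str
    outbox: list = field(default_factory=list)   # frames waiting for a free token
    inbox: list = field(default_factory=list)    # frames copied into this station's buffer


class Ring:
    """Unidirectional ring: the hub forwards each frame port by port."""

    def __init__(self, stations):
        self.stations = stations
        self.log = []

    def _downstream(self, start):
        # stations in ring order, starting after `start` and ending at `start`
        n = len(self.stations)
        i = self.stations.index(start)
        for k in range(1, n + 1):
            yield self.stations[(i + k) % n]

    def transmit(self, src):
        """src holds the free token: claim it, send one frame, remove it on return."""
        frame = src.outbox.pop(0)
        self.log.append(f"{src.name}: claims token, transmits frame for {frame.dst}")
        for station in self._downstream(src):
            if station is src:
                # frame has travelled the whole ring: remove it, release a free token
                self.log.append(f"{src.name}: removes frame, releases free token")
                return frame
            if station.name == frame.dst:
                station.inbox.append(frame)          # copy into the station buffer
                frame.addr_recognized = True
                frame.frame_copied = True
                self.log.append(f"{station.name}: copies frame, sets A and C bits")
            else:
                self.log.append(f"{station.name}: not mine, forwards frame")
        return frame

    def run(self):
        """Pass the token around until no station has anything left to send."""
        done = []
        while any(s.outbox for s in self.stations):
            for station in self.stations:        # the token visits stations in ring order
                if station.outbox:
                    done.append(self.transmit(station))
        return done


def demo():
    # constructed ring of four stations; Z is deliberately absent so the last
    # frame comes back with both status bits clear (nobody copied it)
    a, b, c, d = (Station(n) for n in "ABCD")
    ring = Ring([a, b, c, d])
    a.outbox.append(Frame("A", "C", "hello C"))
    c.outbox.append(Frame("C", "A", "hello A"))
    a.outbox.append(Frame("A", "Z", "nobody home"))
    return ring, ring.run()


if __name__ == "__main__":
    ring, frames = demo()
    print("\n".join(ring.log))
    for f in frames:
        print(f"{f.src}->{f.dst}: A={f.addr_recognized} C={f.frame_copied}")
```

The returned status bits are what lets the source tell a delivered frame from one that circulated without being picked up; a frame for a station that is not on the ring comes back with both bits clear.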

Ring networks are orderly networks, where every node has the same chance to transmit data. They operate with higher performance than star and bus networks under heavy load. They do not require any server to control network operation. A ring network has a high security level. If a node is broken, it is cut out of the ring by short-circuiting it.

However, the ring network also has some disadvantages. Token ring network cards and MAUs (Multistation Access Units) are much more expensive than NICs and hubs or switches. Ring networks are not flexible in adding or dropping network elements. Ring networks have lower performance under low traffic load. Ring networks are suitable for networks that carry heavy traffic, like backbone networks.

A mesh network is the most stable and reliable type of network topology, but also the most expensive one. In a mesh network, each node connects directly to the others, so a large number of cables and connections is required.


Figure 1.5 Mesh network

Normally, mesh networks are combined with other types of networks to make a suitable network topology.

1.1.3 OSI Reference Model

In order to decrease the complexity of design and installation, almost all computer networks are designed in layers. The most common models are the OSI model and the TCP/IP model. Because these two models are similar, the OSI model will be discussed in more detail.

The OSI model was built in 1984 by the ISO. According to this model, the operation of the network is divided into 7 layers (see Figure 1.6).


Figure 1.6 OSI model

1.1.3.1 Application layer

The application layer is the top layer in the OSI model and also the closest to the end user. It is the source and destination of communications in the network. The applications, services and protocols of the application layer help the user interact effectively with the OSI model.

- Applications are computer programs which help the user interact with the OSI model.

- Services are background programs that provide the connection between the application layer and the lower layers of the OSI model.


- Protocols are the rules for communicating among network nodes. Some application layer protocols are:

  - DNS (Domain Name Service), used to map IP addresses to names that are easy to remember.

  - DHCP (Dynamic Host Configuration Protocol), used to dynamically assign IP configuration to hosts. The configuration consists of the IP address, default gateway and DNS server address.

  - HTTP (Hypertext Transfer Protocol), which defines the commands, headers, and processes by which web servers and web browsers transfer files; etc.

1.1.3.2 Presentation layer

The Presentation layer has the following functions: (1) coding and converting data that come from the application layer to ensure that when the data reach the destination, the corresponding applications at the destination node can understand them; (2) compressing and decompressing data to save bandwidth; (3) encrypting and decrypting data.

1.1.3.3 Session layer

The Session layer establishes and maintains the communication between source and destination nodes.

1.1.3.4 Transport layer

The Transport layer provides the two main network services, TCP and UDP.

TCP is the reliable method of transmission. It is used by applications that require high reliability, like email, web, etc. To make a communication reliable, TCP uses the three-way handshake mechanism and flow control. In a TCP session, the source must ensure that a frame was delivered successfully to the destination; if not, it must retransmit the frame.

UDP is the Transport layer protocol used by applications that need to deliver data across the network quickly but do not need high exactitude and reliability. UDP uses neither the three-way handshake mechanism, flow control, nor retransmission of broken frames. Consequently, it minimizes the size of the frame header.

In order to provide these two services, the Transport layer has the following functions:

- Tracking the individual communications between source and destination: when accessing a network, users can use many applications simultaneously. The Transport layer must add information about the type of application into the header of frames to deliver them to the right one.

- Segmenting data into pieces, reassembling these pieces and managing them: in order to run many different applications on the same transmission medium simultaneously, the Transport layer segments frames into many pieces. When these segments reach the destination, they are reassembled into the original frame.

- To ensure reliability and improve network performance, the Transport layer has the functions of flow control and error checking.


1.1.3.5 Network layer

The Network layer has the responsibility of routing and forwarding packets to the right destination. To implement this, the Network layer must address a frame and then encapsulate it into a packet. The packet header has fields that include the source and destination addresses of the packet. After encapsulation, the network layer must route the packet to its destination; this is done by intermediary devices called routers. When the packet reaches its destination, the network layer at the destination node must decapsulate the packet to take out the data inside it and forward it to the upper layers.

1.1.3.6 Data link layer

After encapsulating a packet, the network layer sends it down to the data link layer (OSI layer 2). The data link layer plays the role of connecting the software (OSI layer 3) and the hardware (OSI layer 1) of the network. This layer consists of two sublayers: the MAC sublayer and the LLC sublayer. The MAC sublayer controls access to and sharing of the medium; some OSI layer 2 standards that can be found in this thesis are Ethernet IEEE 802.3 (CSMA-CD), IEEE 802.5 (Token Ring), 802.11 (WLAN) and some others (optional). The LLC sublayer is considered the bridge between the MAC sublayer and the network layer. It allows the upper layers to access the medium by framing. When a packet coming from the network layer is sent to the data link layer, it is encapsulated into a frame which consists of source and destination MAC addresses, the protocol type, the FCS (Frame Check Sequence), and the network layer packet.
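To make the encapsulation concrete, here is an added example (not code from the thesis) that builds an Ethernet frame with the fields listed above, computes and verifies the FCS with CRC-32, and decapsulates it again. It goes one step beyond this section by also recognising the IEEE 802.1Q VLAN tag (TPID 0x8100 followed by the TCI) that Chapter 2 describes, since that tag sits between the addresses and the protocol type; the MAC addresses and payload are constructed:

```python
import struct
import zlib

TPID_8021Q = 0x8100       # EtherType value that announces an IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs(body: bytes) -> bytes:
    # Ethernet FCS: CRC-32 over destination address .. payload,
    # transmitted least-significant byte first
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Encapsulate a payload: addresses, optional 802.1Q tag, type, payload, FCS."""
    body = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 0 < vlan_id < 4095:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id          # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        body += struct.pack("!HH", TPID_8021Q, tci)
    body += struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def fcs_valid(frame: bytes) -> bool:
    # a frame damaged on the medium fails this check and is discarded
    return len(frame) >= 18 and fcs(frame[:-4]) == frame[-4:]


def parse_frame(frame: bytes) -> dict:
    """Decapsulate a frame: verify the FCS, split the header, detect a VLAN tag."""
    if not fcs_valid(frame):
        raise ValueError("FCS mismatch: frame corrupted or truncated")
    body = frame[:-4]
    dst, src = mac_str(body[0:6]), mac_str(body[6:12])
    off = 12
    (ethertype,) = struct.unpack_from("!H", body, off)
    vlan_id = pcp = None
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", body, off + 2)
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        off += 4
        (ethertype,) = struct.unpack_from("!H", body, off)
    off += 2
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": body[off:]}


def demo():
    # constructed addresses and payload, not captured traffic
    dst, src = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    tagged = build_frame(dst, src, ETHERTYPE_IPV4, b"constructed IPv4 packet",
                         vlan_id=10, pcp=5)
    plain = build_frame(dst, src, ETHERTYPE_IPV4, b"constructed IPv4 packet")
    # flip one payload bit of the tagged frame: the FCS check must reject it
    corrupted = bytearray(tagged)
    corrupted[20] ^= 0x01
    return tagged, plain, bytes(corrupted)


if __name__ == "__main__":
    tagged, plain, corrupted = demo()
    print(parse_frame(tagged))
    print(parse_frame(plain))
    print("corrupted frame passes FCS:", fcs_valid(corrupted))
```

The tagged frame is exactly four bytes longer than the untagged one, which is the 802.1Q tag; a receiver that does not check the TPID would misread the tag's first two bytes as the protocol type.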

1.1.3.7 Physical layer

The Physical layer is the lowest layer in the OSI model. This layer's purpose is to minimize the effect of interference in the medium on the signal. So the physical layer has the responsibility of coding and converting the frames from the data link layer into signals, and then transmitting the signals onto the medium.

1.2 Introducing Local network

1.2.1 Local Area Network (LAN)

Derived from the need to share information between the computers of users in the same organization, the first LANs were born in the 1970s to create high-rate connections between computers. Initially, a LAN was defined as a group of computers connected together and placed under the management of a common administrator. But along with the evolution of technologies, the term "LAN" has grown larger. Nowadays, LAN also refers to networks much larger than home or small office networks.

Almost all LANs are designed according to the hierarchical architecture with redundancy; twisted pair cable is used as the transmission medium (normally Cat5E), and depending on the NIC and type of medium, the network speed is 10 Mbps, 100 Mbps, 1 Gbps, or even 10 Gbps.

The network devices used in a LAN include routers, switches, DSL modems, IP phones, PCs, printers, and servers (Figure 1.7).

Figure 1.7 The network devices used in LAN


Figure 1.8 Hierarchical network

The Access layer is the lowest and closest to the end user devices. The Access layer has the responsibility of providing connectivity to end user devices. In addition, the Access layer can determine whether a device may connect to the network or not.

The Distribution layer gathers all traffic which comes from the Access layer, and then, if possible, distributes the traffic to its true destinations as long as the destinations belong to the same subnet as the traffic. If not, the Distribution layer sends the traffic to the Core layer for routing to its final destination. This layer controls the network flow and separates the VLANs that are defined at the access layer. Distribution layer devices are typically high-performance switches that have high availability and redundancy to ensure reliability.

The Core layer is the highest-rate layer in the hierarchical network model. Typically, the core layer devices are routers and switches that have high availability, rates, and redundancy. They can properly process the traffic under heavy load because they must receive and process almost all traffic of the whole network. Their functions are connecting the local network with the outside network (for example, the Internet) and routing the traffic to its end points.

1.2.2 Virtual LAN (VLAN)

A LAN is a good choice for small networks in homes or small offices, because it is easy and cheap to install and the QoS is not critical. For instance, suppose that initially a university has only one branch with one building. A computer room for students is on the fifth floor, and another for teachers and officers is on the third floor. We can design and configure the university's network as in the following figure:

Figure 1.9 The small university with its LAN

After several years, this university grows and has two more branches. Suppose that its network still remains as before.

Figure 1.10 The university network after several years with VLAN

The headmaster of the university wants to have only two subnets, one for students and the other for teachers and officers, and he wants all students to be able to share their resources, and likewise all teachers and officers. Obviously, it is impossible to create such a large LAN for the students, or for the teachers. VLAN is the solution for this.

A VLAN is simply a LAN in the logical sense. But in a VLAN, the network devices and users are not limited by geography; they can be grouped based on their functions and purposes in using network resources. Using VLANs, we can handle the network traffic, protect the network from what is called a "broadcast storm", improve the security level, and manage the QoS policies. Thus, if a VLAN is designed and configured well, we get much more benefit than with a normal LAN, such as improved performance, an increased security level, and better network management capability. However, the IT engineers must have knowledge of VLANs and their configuration. In a big company or university that uses switches from many different vendors, configuring VLANs is complex, and incorrect configurations may degrade the network performance or even make the network impossible to operate.

1.3 A Brief on simulation tools and OPNET

In recent years, science and technology have developed very quickly, and it is extremely necessary to analyze and evaluate new technologies and protocols. But sometimes it is prohibitively expensive, and too dangerous, to test a real system. Telecommunication systems are really complex and expensive. In Vietnam, most universities do not have enough money to buy real-world systems for their laboratories. Fortunately, with the significant evolution of computer science, the term "simulation" was born. With simulation tools, real-world systems can be simulated and then evaluated to a certain level, and the results obtained are widely accepted by the scientific community. Using simulation tools can make up for the shortage of capital investment, so it is the cost-effective choice for small universities and businesses.

There are many networking simulation tools, such as OPNET, QuadNet, NS-2, OMNET++, Matlab, etc. Most of them are built in C or C++, and their simulation results are accepted by the scientific community. Among these tools, OPNET and NS-2 are preferred and are commonly used in education and research. NS-2 is a new open-source simulation tool for simulating wireless communication. There are many modules associated with it, and NS-2 also includes substantial contributions from researchers all over the world. But the biggest disadvantage of NS-2 is the difficulty beginners have in learning how to use and utilize it.

OPNET seems to be the appropriate tool for students in study and research. OPNET stands for Optimized Network Engineering Tools. Initially, OPNET was the graduate project of Alain Cohen (co-founder and current CTO & President of OPNET Technology) when he was a networking student at MIT (Massachusetts Institute of Technology). The company's first product is OPNET Modeler, which is commercial software used for simulating and modeling communication networks, network devices, and protocols. OPNET is a widely used Windows- and Linux-based simulator. It is built in C++ and provides a virtual environment for modeling, analyzing, and calculating network performance. This tool is often updated with new protocols and devices to catch up with the fast-evolving network technology trends.

OPNET is used by many commercial and government organizations and universities worldwide. With OPNET Modeler, basically, users can:

• Create and edit networks and nodes according to their purpose.

• Modify the operation inside network nodes.

• Analyze and evaluate their network by using the statistics that are collected after simulating.

However, it is very difficult for beginners to learn and make the most of OPNET Modeler in implementing a new protocol; they must be familiar with the object-oriented approach and the C++ language, as well as having knowledge of telecommunications. Therefore, OPNET Technology Corporation developed the OPNET IT Guru version, which is a free version used for educational purposes.


Figure 1.11 OPNET ITGuru.

This version is widely used either by universities, to simulate what they teach and study, or by small companies in planning their networks. Many new network protocols and devices have been modeled in this version. This makes it much easier to build a network, and all that beginners need is their knowledge of telecommunications and computers. Since OPNET IT Guru is a free version, it does not allow modifying a network node or viewing the architecture inside nodes.

1.4 Conclusions

In this chapter, we have seen that computer networks are crucial. This chapter also gives an overview of LAN and VLAN, from which we can see the advantages of VLAN in comparison with a traditional LAN. Along with its advantages, VLAN has become an indispensable tool for network administration: to segment the network, to increase bandwidth per user, to provide security, and to provision multimedia services [10].

This chapter also points out the role of simulation in designing a network. Along with the evolution of computer science, networking simulation tools help greatly in network design. Among the various simulation tools, OPNET, which is made to answer "what-if" questions, is the suitable tool for students in their study.

So, in the next two parts of this thesis, the issues in designing a computer network, such as performance and security level, are discussed. The next part shows what a VLAN is and its characteristics. The VLAN's advantages are introduced in the last part, and then they are proved by performing some simulations.


CHAPTER 2 VIRTUAL LOCAL AREA NETWORK (VLAN)

2.1 Definition of VLAN

Essentially, a VLAN is also a local network. The difference is that in a LAN, network devices are restricted by location and the distance between them, while in a VLAN, regardless of location, network devices are logically connected together.

Figure 2.12 The different VLANs in a network

According to figure 2.1, we can define a VLAN as a group of network devices that are logically connected, regardless of either their location or their physical link in the network. In order to make it easier to manage and configure the network, VLANs can be named based on their functions.


A VLAN is fully configured by software on switches. Similar to a LAN, each VLAN is assigned a range of IP addresses and a number of switch ports. If a device wants to join a VLAN, it must be connected to a port that belongs to this VLAN and have an IP address that falls within this VLAN's IP address range (see figure 2.2).

Figure 2.13 Port-based VLAN

2.2 VLAN ID range

VLANs are numbered from 1 to 4096; these ordinal numbers are called VLAN IDs and are divided into a normal range and an extended range.

The normal range consists of VLANs from 1 to 1005. Among these, VLANs from 1002 to 1005 are used for Token Ring and FDDI networks; the others are used for Ethernet networks. VLAN 1 is the default VLAN: initially, every switch port belongs to this VLAN, and it cannot be deleted or modified.

The extended range consists of all the remaining VLANs. These VLANs support fewer VLAN features than normal-range VLANs, so they are not commonly used.


2.3 Operation of VLAN

In many ways, the operation of a VLAN is similar to that of a LAN. The only difference is that by using VLANs we can create a logical group of network devices that forms a separate broadcast domain, independent of their location. In a normal LAN, every device connected to a switch belongs to a common broadcast domain. When a user sends a broadcast message to his/her network, this message is sent to all users connected to this switch, whether they belong to the user's department or not.

Figure 2.14 Broadcast traffic in normal LAN

In a VLAN, because the network devices of a department are logically grouped into a separate virtual LAN, the broadcast message only travels within this VLAN; users in other departments do not receive it.

Figure 2.15 Controlling broadcast domain with VLAN


In order to distinguish among VLANs, each frame is tagged with an information field identifying the VLAN it belongs to. This field consists of 3 priority bits, 1 CFI bit that is used to allow Token Ring frames to travel on the Ethernet transmission medium, and 12 VLAN ID bits to identify 4096 VLAN IDs (see figure 2.5).

Figure 2.5 Tagging information

If a local network has many VLANs, the VLANs can communicate by using OSI layer 3 devices such as routers or layer 3 switches.

2.4 Types of VLAN

Today, port-based VLAN is the main way to implement VLANs. In this approach, a set of switch ports is assigned to each VLAN; these ports are called access ports. If a device is connected to an access port, it belongs to the VLAN associated with that port.

The term "VLAN type" refers to the type of data that the VLAN carries and the function of this VLAN. There are 5 types of VLAN.

2.4.1 Data VLAN

A data VLAN (also called a user VLAN) is configured to carry only user-generated traffic. However, users can also generate management traffic or voice traffic. This traffic does not belong to the data VLAN; it belongs to the management VLANs and voice VLANs, which are described later.

Figure 2.16 Data VLANs

2.4.2 Default VLAN

The default VLAN is the VLAN that always exists in switches. When the switch is first configured, or each time it is reset to the manufacturer's default mode, all ports of the switch are members of this VLAN. Essentially, the default VLAN is similar to other VLANs, but it is impossible to rename or delete it. For Cisco switches, VLAN 1 is the default VLAN, and Layer 2 control traffic, such as CDP and STP traffic, always belongs to this VLAN.

2.4.3 Native VLAN

The native VLAN is a concept related to ports that are configured as trunk ports. An IEEE 802.1Q trunk port supports both tagged traffic and untagged traffic. Tagged traffic is the traffic of a certain VLAN; untagged traffic is traffic that does not belong to any VLAN. Except for native VLAN and default VLAN frames, every frame passing through a trunk port is tagged with its VLAN information. The reason for using a native VLAN is that some devices from different vendors cannot understand, and are not compatible with, each other's IEEE 802.1Q or ISL tagging.

2.4.4 Management VLAN

The management VLAN is used to remotely manage switches. With a management VLAN, we can remotely access switches via Telnet, SSH, HTTP, etc., to manage and configure them. The management VLAN is assigned an IP address and a subnet mask. It is not recommended to use VLAN 1 as the management VLAN. It is a security best practice to define the management VLAN as a VLAN distinct from all other VLANs defined in the switched network.

Figure 2.17 Management VLAN

2.4.5 Voice VLAN

Today, the trend is toward a converged network where the VoIP service is more and more familiar. Voice VLANs are used for carrying voice traffic. In order to guarantee communication quality, voice VLANs must meet the following requirements: wide bandwidth, the highest priority level, the ability to be routed around congested areas of the network, and low delay.

Figure 2.19 Voice VLAN

Figure 2.20 Voice traffic


2.5 The standards and protocols used in VLAN

2.5.1 VLAN Trunking

2.5.1.1 Trunk’s definition and its benefit

A trunk is an Ethernet point-to-point link between two VLAN-aware devices (switches and routers). A trunk can be thought of as a highway carrying many types of traffic flow. A trunk carries the traffic of multiple VLANs over a single link.

Unless a trunk is used, we must use a number of switch interfaces equal to the number of VLANs, which makes the network more expensive.

Figure 2.21 VLANs without Trunk


With a trunk, we only use one switch port for carrying the traffic of multiple VLANs.

Figure 2.22 VLAN with Trunk

2.5.1.2 IEEE 802.1q

IEEE 802.1q lets multiple LANs share a common link without leakage of information between them. It is the name of an encapsulation type over Ethernet networks.

This protocol also defines the VLAN ID and allows individual VLANs to communicate with each other by using a layer-3 switch or a router.

When a frame coming from a VLAN-unaware device arrives at an access port, it is only an original Ethernet frame, i.e., it does not contain any information about the VLAN it belongs to. The switch inserts into that frame a VLAN tag field, which comprises the information about the VLAN the frame belongs to. Here is the frame structure:

TPID (Tag Protocol Identifier)


The TPID is an Ethernet type field value, used to distinguish the tagged frame from other protocols. Its value is set to 0x8100 in order to identify the frame as an IEEE 802.1Q-tagged frame.

Figure 2.23 IEEE 802.1q Ethernet Type allocations

Figure 2.24 IEEE 802.1Q VLAN Tag Fields

Figure 2.25 TCI format

Tag Control Information (TCI) (figure 2.14)

The TCI is two octets long, in which:

- 3 user priority bits are used to indicate the priority level of the data. In IEEE 802.1p, they specify 8 levels, from level 0 (lowest) to 7 (highest).

- 1 CFI bit (Canonical Format Indicator): if the value of CFI is 1, the MAC address is in non-canonical format; this enables Token Ring and FDDI frames to be transmitted on the Ethernet transmission medium. If the value is 0, the MAC address is in canonical format; this is the default value for Ethernet frames.

- 12 VLAN ID bits are used to indicate the VLAN to which the frame belongs; in decimal the value ranges from 0 to 4095. If a received frame has a VLAN ID with the value 0, the frame does not belong to any VLAN, and the tag header contains only priority information. The VLAN ID value hex FFF is reserved for implementation use.

After tagging the frame, the switch recalculates the FCS value and then sends the tagged frame out of the trunk port.
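The tag layout described here (and the summary of it in section 2.3) can be exercised in code. The following Python example is added for illustration; it is not code from the thesis. It packs the TPID 0x8100 and the three TCI fields, inserts the tag into a constructed untagged Ethernet frame after the source MAC, recomputes the FCS (modelled as CRC-32, which is the Ethernet FCS polynomial), parses tagged and untagged frames back, verifies the FCS, and classifies VLAN IDs into the ranges given in section 2.2. The MAC addresses, EtherType and payload are constructed sample values.

```python
import struct
import zlib

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q-tagged frame
VID_PRIORITY_TAGGED = 0x000  # VID 0: the tag carries only priority information
VID_RESERVED = 0xFFF         # VID 4095: reserved for implementation use


def build_tci(priority: int, cfi: int, vid: int) -> int:
    """Pack the 16-bit Tag Control Information: 3 priority bits, 1 CFI bit, 12 VID bits."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7 (IEEE 802.1p)")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VLAN ID must fit in 12 bits (0..4095)")
    return (priority << 13) | (cfi << 12) | vid


def parse_tci(tci: int) -> dict:
    """Unpack a TCI value into its three fields."""
    return {"priority": (tci >> 13) & 0x7, "cfi": (tci >> 12) & 0x1, "vid": tci & 0xFFF}


def classify_vid(vid: int) -> str:
    """Map a VID to the ranges described in section 2.2 and in the TCI field list above."""
    if vid == VID_PRIORITY_TAGGED:
        return "priority-tagged (no VLAN)"
    if vid == VID_RESERVED:
        return "reserved"
    if 1002 <= vid <= 1005:
        return "normal range (Token Ring/FDDI)"
    if vid <= 1005:
        return "normal range (Ethernet)"
    return "extended range"


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything before the FCS, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def make_untagged_frame() -> bytes:
    """Constructed sample frame: broadcast dst, sample src, IPv4 EtherType, 46-byte payload, FCS."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    body = dst + src + struct.pack("!H", 0x0800) + bytes(46)
    return body + fcs(body)


def tag_frame(untagged: bytes, priority: int, vid: int, cfi: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC and recompute the FCS, as the switch does."""
    if len(untagged) < 18:  # 6 dst + 6 src + 2 type + 4 FCS at minimum
        raise ValueError("frame too short")
    body = untagged[:-4]    # the old FCS covered the untagged bytes and is discarded
    tag = struct.pack("!HH", TPID_8021Q, build_tci(priority, cfi, vid))
    tagged = body[:12] + tag + body[12:]
    return tagged + fcs(tagged)


def parse_frame(frame: bytes) -> dict:
    """Return addresses, the tag (if any), the real EtherType and whether the FCS verifies."""
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tag": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        info["tag"] = parse_tci(struct.unpack("!H", frame[14:16])[0])
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - offset - 4
    info["fcs_ok"] = fcs(frame[:-4]) == frame[-4:]
    return info


if __name__ == "__main__":
    tagged = tag_frame(make_untagged_frame(), priority=5, vid=10)
    print(parse_frame(tagged))
```

A receiver that checks `fcs_ok` rejects a frame whose tag or payload was altered in transit, which is why the switch must recompute the FCS after inserting the tag rather than forwarding the original one.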

2.5.2 VLAN Trunking Protocol (VTP)

2.5.2.1 What is VTP?

There would be nothing to say about VTP if the network size were small. For instance, a small company in its early days has a small network, and it is not too difficult for the administrator to configure the switches one by one. But when the network grows, the VLAN management challenge becomes clearer. Suppose that the company network has 10 switches; when they want to update or modify their network, the IT engineers have to repeat the configuration 10 times, once on each switch. It is a repetitive and boring job, and it may lead the administrators to make mistakes in configuring VLANs. VTP is the solution for this problem.

32

Page 40: Undergrad Thesis Htt Fixed

Figure 2.26 Configuring a small network with only 3 switches

VTP is a Cisco proprietary protocol, comparable with GVRP from IEEE 802.1q. By enabling VTP on all switches, the administrator only has to perform VLAN configurations such as creating, adding, deleting, renaming, etc., on the server-mode switch, and then this switch propagates the VLAN information to the others in the network. This switch is called the VTP server. VTP allows the network to update its VLAN information itself: the administrator configures the VTP server, and then the VTP server advertises the VLAN information it has to the other VTP-enabled switches in the network. The VTP server stores the VLAN information in the vlan.dat file. VTP advertisements can only be exchanged over active trunks.

2.5.2.2 VTP Pruning

VTP pruning is a Cisco switch feature that increases the available network bandwidth. In a VLAN domain, when a station of a certain VLAN, say VLAN 10, generates broadcast traffic to the others in its VLAN, switches without VTP pruning enabled flood this traffic to the others in the network. If a switch has no port in VLAN 10, the traffic sent to this switch is unnecessary; it consumes the available bandwidth and processor time on this switch. VTP pruning increases the available bandwidth by pruning this unnecessary traffic.

2.5.3 Spanning tree protocol (STP)

2.5.3.1 The importance of redundancy in designing a network

As said before, the computer network plays an important role in a company or any organization. If a company's computer network is unstable, it may do a lot of damage to the company. To make a computer network stable, it is always designed in the hierarchical model, and some redundant links must be used. Suppose that a company has only one link to the Internet, and the failure probability of this link is 10%. It means the link's availability is only 90%. If this company adds one more similar link to the Internet, the failure probability of the link to the Internet is now 1%, which means that the availability is 99%. Obviously, by using redundant links, the network is more stable.

Figure 2.27 A network with redundancy


Figure 2.28 When the main link fails

2.5.3.2 Redundancy and loop issues

Redundant links are important, but if we only add redundant links without using any protocol to handle the transmission, a layer 2 loop is sure to occur, which makes the network unavailable. For instance, consider a small network with only three switches, as shown in the figure below:

Figure 2.29 layer 2 loop-1


At the beginning, the MAC address tables of the two switches S3 and S1 have no entry for PC1. When PC1 sends a broadcast message to switch S2, since it is a broadcast message, any switch receiving it must forward it to all other ports. S2 forwards it to all active ports except port F0/11, on which the message was received. When the other switches receive the broadcast message from S2, they add an entry for PC1 to their MAC address tables.

Figure 2.30 Layer 2 loop-2


Figure 2.31 Layer 2 loop-3

After updating the MAC address of PC1, S3 and S1 send the message out of their other ports. When S1 and S3 send the message to each other, they update the MAC address of PC1 again, and then they send the message out of their other ports, including the one that connects to S2 via the trunk link. Switch S2, after receiving the message from these two switches, updates its MAC table again and forwards the message again, and so on. That is a layer-2 loop, and it makes the network traffic heavier and heavier.

When more than one device sends broadcast messages in a network like this one, a broadcast storm occurs, and it consumes all the available bandwidth. Therefore, the network becomes unavailable. So, in order to solve this issue, it is necessary to find a way to handle the transmission over redundant links.


2.5.3.3 The Spanning tree protocol-STP

STP is a layer 2 protocol that solves the layer 2 loop issue. STP is based on the STA, an algorithm invented by Radia Perlman while working for Digital Equipment Corporation. STP is defined in the IEEE standard 802.1D.

STP's function is to prevent OSI layer 2 loops in a redundant network. It ensures that there is only one logical path, the lowest-cost path, between all destinations on the network by intentionally blocking redundant paths that could cause a loop. Network traffic cannot pass through a blocked port, but BPDUs can. If the best path fails, the STA recalculates the path costs and then enables the redundant path.

2.5.4 Rapid spanning tree protocol (RSTP)

2.5.4.1 The differences from STP

STP is the original protocol for preventing layer 2 loops. Nowadays, STP is replaced by RSTP (Rapid Spanning Tree Protocol). RSTP was introduced in the IEEE 802.1w standard, in 1998, by IEEE as an evolution of STP. RSTP has only a few differences from STP, which make it converge much faster. Indeed, while STP can take from 30 to 50 seconds to respond to a topology change, RSTP is typically able to respond to changes within only a second.

2.5.4.2 RSTP operation

RSTP operation is similar to STP operation, but RSTP convergence is much faster. In STP, in order to complete convergence, STP has to elect the root bridge, elect the root ports, and elect the designated and non-designated ports, and it takes two forward-delay periods in the election of a designated port. RSTP convergence is significantly faster: the RSTP proposal and agreement process is carried out link by link, and it does not rely on timers expiring before a port can transition.

Both STP and RSTP determine the port roles based on the BID and path cost, and the ways they use the BID and path cost are the same.
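To make the port-role computation shared by STP and RSTP concrete, here is an added Python example of the Spanning Tree Algorithm's outcome (it is not the thesis's code and it does not model the BPDU exchange or timers): the root bridge is the lowest BID, each other bridge gets one root port on its cheapest path to the root, each link gets one designated port at the end advertising the lower root path cost (tie broken by BID), and every remaining port is blocked. The topology is the three-switch loop from the figures above; the bridge IDs (priority 32768 with constructed MAC addresses), port names and link cost 19 (the original 802.1D cost for a 100 Mbps link) are assumptions. The second computation removes the S1 to S3 link to show the recalculation after the best path fails.

```python
import heapq

# Constructed bridges: BID = (priority, MAC); the lowest BID wins the root election.
BRIDGES = {
    "S1": (32768, "00:00:00:00:00:01"),
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (32768, "00:00:00:00:00:03"),
}
# Constructed links: (bridge_a, port_a, bridge_b, port_b, cost) forming a triangle.
LINKS = [
    ("S1", "F0/1", "S2", "F0/1", 19),
    ("S2", "F0/2", "S3", "F0/1", 19),
    ("S1", "F0/2", "S3", "F0/2", 19),
]


def elect_root(bridges):
    return min(bridges, key=lambda b: bridges[b])


def root_path_costs(root, links):
    """Lowest total link cost from every bridge to the root (Dijkstra)."""
    adj = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (dist[v], v))
    return dist


def assign_port_roles(bridges, links):
    """Return (root, root path costs, {(bridge, port): role}) for the given topology."""
    root = elect_root(bridges)
    cost = root_path_costs(root, links)
    roles = {}
    # Root port: on each non-root bridge, the port whose neighbour offers the cheapest path
    # to the root; ties fall to the neighbour with the lower BID, then the lower port name.
    best = {}
    for a, pa, b, pb, c in links:
        for me, myport, nb, nbport in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            key = (cost[nb] + c, bridges[nb], nbport)
            if me not in best or key < best[me][0]:
                best[me] = (key, myport)
    for b, (_, p) in best.items():
        roles[(b, p)] = "root"
    # Designated port: on each link, the end with the lower (root path cost, BID);
    # the root bridge's ports are therefore always designated. The other end, unless it
    # is that bridge's root port, is blocked, which is what breaks the loop.
    for a, pa, b, pb, _ in links:
        a_end, b_end = (a, pa), (b, pb)
        designated = a_end if (cost[a], bridges[a]) < (cost[b], bridges[b]) else b_end
        other = b_end if designated == a_end else a_end
        roles.setdefault(designated, "designated")
        roles.setdefault(other, "blocking")
    return root, cost, roles


def forwarding_links(roles, links):
    """Links with no blocked end: the active tree that user traffic may use."""
    return [l for l in links
            if roles[(l[0], l[1])] != "blocking" and roles[(l[2], l[3])] != "blocking"]


if __name__ == "__main__":
    root, cost, roles = assign_port_roles(BRIDGES, LINKS)
    print("root:", root, "costs:", cost)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
```

With all three links up, exactly one port is blocked and two links forward, so the triangle becomes a tree. After the S1 to S3 link fails, S3 reaches the root through S2 at cost 38 and nothing is blocked: the redundant path has been enabled, which is the recalculation described at the end of section 2.5.3.3.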

2.6 Conclusions

This chapter shows what a VLAN is and how a VLAN operates. From this, we will see the benefits of using VLANs, such as improving performance, enhancing the security level, and making the network easier to manage, which are introduced in the next chapter.

Additionally, using VLANs also makes it more flexible to manage and design a network. Assume that a company is reorganized and one person changes position: by configuring the switch ports, he does not need to change his location. Using VLANs also makes network design cheaper, because it makes use of the number of switch ports in a room, and it is easy to add or remove users of the network.

This chapter also discusses briefly two issues in network design, in particular VLAN design, namely VTP and STP. VTP makes it easier to configure VLANs, and STP is a solution for the redundancy and layer 2 loop problems.

Due to its substantial benefits, VLAN is widely used in network design; we will make this clearer in the next part.


CHAPTER 3 BENEFITS OF VLAN IN NETWORK DESIGN

3.1 Main benefits of VLAN

3.1.1 VLAN and Quality of service (QoS)

3.1.1.1 The Definition of QoS

QoS, which stands for Quality of Service, is an extremely important part of telecommunications. QoS is a wide-ranging concept; there are many ways to approach it. According to Microsoft, QoS is "the ability of the network to handle this traffic such that it meets the service needs of certain applications". According to Wikipedia, "QoS is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow".

Every user generating traffic wants to transmit it at the expected rate. If network resources were infinite, this traffic would be transmitted without latency, jitter, or loss. But in fact, network resources are finite, so the network administrator must determine which traffic is important and which is not.

The common meaning of QoS is classifying traffic and handling it so that the network can meet all the users' traffic requirements.

Using VLANs, the network operator can make use of the VLAN ID and the User Priority bits in the VLAN tag field to prioritize packets.

In order to see clearly the importance of QoS in networking, let's examine the following network:

Figure 3.32 A company's network topology

In figure 3.1, a company uses a frame relay link to connect its two buildings: the branch office and the server farm. In working hours, officers can access the database server to look for the data they need, or use the email and web services. In their rest time, they can relax by playing music or video, or even a computer game. But in business hours, and especially at rush hours, some users may load illegitimate traffic such as music or video from the music-and-video server. This traffic consumes much more bandwidth than the other traffic, and therefore slows down the performance of the company network. In order to improve the network performance, QoS is applied to set the multimedia traffic priority to the lowest level, or even to block it by using queuing mechanisms, ACLs, firewalls, and the like.

3.1.1.2 Queuing mechanisms

In small LANs nowadays, the typical bandwidth is 100 Mbps, which can meet almost every kind of traffic demand, so QoS seems to be unnecessary. But, for instance, in figure 2-31 the link connecting the two buildings is only 512 Kbps, so at rush hours congestion may occur. On the other hand, if applications such as video conferencing and VoIP are used, the traffic generated by these applications is much heavier than the others. The reality is that multiple users use multiple applications that require network resources at the same time; therefore, it is necessary to allocate network resources to application traffic so that the network can meet all service requirements. In order to apply QoS on a network, the following QoS parameters are usually used:

Bandwidth - the rate at which an application's traffic must be carried by the network

Latency (or delay) - the delay that an application can tolerate in delivering a packet of data

Jitter - the variation in latency

Loss - the percentage of lost data

Among the above parameters, bandwidth is the most interesting one. If an application has wide enough bandwidth, the other parameters (delay, loss, and jitter) can be acceptable. To increase the available bandwidth, one of several approaches is to classify traffic into QoS classes and then prioritize and queue it according to its importance. There are several QoS mechanisms, or queuing mechanisms, as follows: Priority Queuing (PQ), Custom Queuing (CQ), Weighted Fair Queuing (WFQ) with its distributed versions, IP RTP Prioritization, Modified Deficit Round Robin (MDRR), Class-based Weighted Fair Queuing (CB-WFQ), and Class-based Low-latency Queuing (CB-LLQ).
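The effect of classifying and queuing traffic by importance, the first of the mechanisms listed above (PQ), can be seen in a small event-driven simulation. The Python example below is added for illustration and is not part of the thesis or of any OPNET model. It serves a constructed backlog over a 512 Kbps link (the inter-building link of the example) twice: once first-in first-out, and once with strict priority queuing keyed on an assumed mapping of applications to 802.1p user-priority values (voice 5, database 3, media 1). The packet sizes and arrival times are constructed.

```python
LINK_KBPS = 512  # the 512 Kbps inter-building link from the example above

# Assumed 802.1p user-priority value per traffic class (not from the thesis).
PRIORITY = {"voice": 5, "database": 3, "media": 1}


def make_packets():
    """Constructed backlog: a burst of 8 video frames plus a trickle of voice and database packets."""
    pkts = []

    def add(app, arrival_ms, size_bytes):
        pkts.append({"seq": len(pkts), "app": app,
                     "arrival_ms": arrival_ms, "size_bytes": size_bytes})

    for _ in range(8):
        add("media", 0, 1500)       # a bulk video download starts at t = 0
    add("voice", 0, 200)
    add("database", 10, 500)
    add("voice", 20, 200)
    add("database", 30, 500)
    for t in (40, 60, 80):
        add("voice", t, 200)
    return pkts


def tx_time_ms(size_bytes):
    """Serialization time on the link: bits divided by kbit/s gives milliseconds."""
    return size_bytes * 8 / LINK_KBPS


def simulate(packets, pick):
    """Serve one packet at a time; `pick` is the key that chooses the next queued packet.
    Returns the mean queuing delay in ms per application."""
    pending = sorted(packets, key=lambda p: (p["arrival_ms"], p["seq"]))
    backlog, delays, now, i = [], {}, 0.0, 0
    while i < len(pending) or backlog:
        while i < len(pending) and pending[i]["arrival_ms"] <= now:
            backlog.append(pending[i])          # admit everything that has arrived
            i += 1
        if not backlog:
            now = pending[i]["arrival_ms"]      # link idle: jump to the next arrival
            continue
        nxt = min(backlog, key=pick)
        backlog.remove(nxt)
        delays.setdefault(nxt["app"], []).append(now - nxt["arrival_ms"])
        now += tx_time_ms(nxt["size_bytes"])
    return {app: sum(d) / len(d) for app, d in delays.items()}


def fifo_key(p):
    return (p["arrival_ms"], p["seq"])


def priority_key(p):
    """Strict priority queuing: highest class first, then arrival order."""
    return (-PRIORITY[p["app"]], p["arrival_ms"], p["seq"])


def compare():
    pkts = make_packets()
    return {"fifo": simulate(pkts, fifo_key), "pq": simulate(pkts, priority_key)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, {app: round(ms, 2) for app, ms in result.items()})
```

With FIFO, every voice packet waits behind the whole video burst (mean queuing delay above 160 ms), while strict PQ keeps the voice mean under 10 ms at the price of a longer wait for the video frames. Strict PQ can starve the lowest class entirely under sustained high-priority load, which is the reason the weighted and class-based mechanisms in the list above exist.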

3.1.2 VLAN and security

3.1.2.1 Basic security: Handling physical accesses to network devices

For a big company, the threat from a malicious user is very great if they gain access to a network device. For example, if they can access a switch and configure it, they can obtain other users' information and use it to their advantage, or, even if not, they can carry out attacks such as DDoS to break the network. Along with the evolution of computer science and information technology, threats can appear from everywhere, either inside or outside the network, with many types of attack, such as:

• MAC Flooding Attack

• 802.1Q and ISL Tagging Attack

• Double-Encapsulated 802.1Q/Nested VLAN Attack

• ARP Attacks

• Private VLAN Attack

• Multicast Brute Force Attack

• Spanning-Tree Attack

• Random Frame Stress Attack

• DDoS Attack, etc

Even a normal user can make use of attack tools popularly distributed on the Internet to perform these attacks, or to propagate viruses, worms, or spyware to victim PCs.

3.1.2.2 Tools and best practices in securing VLAN

First of all, the best practice for a network is physical security. It means not letting unauthorized users connect their computers to network devices and configure them. Even if they can connect to a switch, configuring all ports used at the access layer as access ports and shutting down all unused ports improves the security level. In addition, the port-security configuration provided by Cisco can improve network security by using more security parameters, such as MAC address and password.

At a higher security level, ACLs and firewalls are used to protect the network from internal or external threats such as illegitimate traffic and harmful traffic such as viruses, Trojan horses, worms, etc. Additionally, antivirus software installed on each computer in the LAN plays an important role in detecting and removing harmful computer programs.
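The port-security practice mentioned above limits how many source MAC addresses a switch accepts on an access port, which is the countermeasure to the MAC flooding attack listed in section 3.1.2.1. The following Python model is an added example, not the thesis's code and not vendor code: it keeps a MAC address table of limited capacity, lets a port be secured with a maximum number of addresses and one of the three violation modes Cisco IOS offers (protect, restrict, shutdown), and shows what happens on a secured port and on an unsecured one when more addresses than expected appear. The table size, port names and MAC addresses are constructed.

```python
class Switch:
    """Constructed model of a switch MAC table with per-port port security."""

    def __init__(self, cam_capacity=8192):
        self.cam_capacity = cam_capacity
        self.cam = {}               # MAC -> port (the MAC address / CAM table)
        self.policy = {}            # port -> {"max": n, "violation": mode}
        self.secure_macs = {}       # port -> MACs accepted so far on a secured port
        self.err_disabled = set()   # ports shut down by a "shutdown" violation
        self.violations = {}        # port -> violation counter
        self.log = []               # syslog-style records for "restrict" and "shutdown"

    def enable_port_security(self, port, max_addresses=1, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.policy[port] = {"max": max_addresses, "violation": violation}
        self.secure_macs[port] = set()
        self.violations[port] = 0

    def learn(self, port, src_mac):
        """Handle the source MAC of a frame received on `port`; return what the switch did."""
        if port in self.err_disabled:
            return "err-disabled"      # the port stays down until an administrator re-enables it
        policy = self.policy.get(port)
        if policy is None:
            # Unsecured port: learn until the table is full. Once full, new addresses cannot
            # be learned, so traffic to them is flooded out of every port in the VLAN, which
            # is the condition a MAC flooding attack tries to create.
            if src_mac in self.cam:
                return "known"
            if len(self.cam) >= self.cam_capacity:
                return "cam-full"
            self.cam[src_mac] = port
            return "learned"
        secure = self.secure_macs[port]
        if src_mac in secure:
            return "known"
        if len(secure) < policy["max"]:
            secure.add(src_mac)
            self.cam[src_mac] = port
            return "learned"
        # An address beyond the configured maximum is a security violation.
        mode = policy["violation"]
        if mode == "protect":
            return "dropped"           # silently dropped, no counter, no log
        self.violations[port] += 1
        self.log.append(f"port-security violation on {port} by {src_mac} ({mode})")
        if mode == "shutdown":
            self.err_disabled.add(port)
            return "err-disabled"
        return "dropped"               # restrict: dropped, counted and logged; port stays up


if __name__ == "__main__":
    sw = Switch(cam_capacity=4)
    sw.enable_port_security("F0/1", max_addresses=2, violation="shutdown")
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"):
        print("F0/1", mac, "->", sw.learn("F0/1", mac))
    print(sw.log)
```

The "restrict" and "shutdown" records in `log` are the detection signal: a port that suddenly reports violations is either mis-cabled (a hub or an unmanaged switch behind it) or the target of address flooding, and either way warrants a look before the port is re-enabled.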

3.1.2.3 Improve network security using Access Control Lists

What is Access Control List (ACL)?

The Access Control List is basic knowledge that every network administrator must master. ACLs (short for Access Control Lists) are used to restrict users' access to different types of data in a local network by using basic IP filtering.

In a network that has an ACL-configured router, this router not only carries out the routing in the network, but also operates as an IP filter. When a packet comes in or goes out through an interface to which an ACL rule is applied, the router analyzes it and then determines, based on the packet's header and the filter rules, whether the packet is permitted or denied. According to Cisco, ACLs are divided into two types, standard ACLs and extended ACLs. With standard ACLs, a router can only filter arriving packets based on the source IP address. Extended ACLs are further divided into static extended ACLs and complex extended ACLs. Using static extended ACLs, a router can filter packets more powerfully; it can make a decision based on source and destination IP address, source and destination TCP and UDP port, and protocol type (IP, ICMP, UDP, etc.). In order to make the rules more flexible and secure, complex extended ACLs are used.

ACL’s function and its benefit

All that an ACL has to do is filter the IP packets arriving at its interfaces and then determine whether to pass or discard the packets according to the rules given by the administrator. Consequently, an ACL can improve the network performance by discarding illegitimate traffic, such as the video traffic in the example in section 2.6.1. An ACL restricts access to selected users in a network; this is a basic level of security in networking.

ACLs also give the network administrator some benefits and flexibility through complex extended ACLs. In Cisco routers, three categories of complex ACLs are supported, as follows:

Dynamic ACLs: a user who wants to access or traverse a router configured with dynamic ACLs must be authenticated by connecting to this router using Telnet. Using dynamic ACLs can improve the security level for network access.

Reflexive ACLs: reflexive ACLs are used when the administrator wants to block all traffic originating from outside his network while other traffic is allowed. Using this category of ACLs gives the best security practice for closed networks, the networks that do not want to advertise their information; it helps to secure the network against hackers, and especially against DoS attacks.

Time-based ACLs: this category of ACL allows access control based on time. Applying time-based ACLs is more flexible.
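The difference between a standard ACL (source address only) and a static extended ACL (addresses, protocol and ports), together with top-down first-match evaluation and the implicit deny at the end, can be made concrete with a small filter. The Python example below is added for illustration; it is not the thesis's code and it is not Cisco IOS syntax: CIDR prefixes stand in for wildcard masks, and the addressing (branch office 10.1.0.0/24, server farm 10.2.0.0/24, music-and-video server 10.2.0.50, management subnet 10.0.9.0/24) and the database port 1521 are constructed assumptions modelled on the company example of section 3.1.1.1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"             # "tcp", "udp", "icmp" or plain "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # CIDR prefix or "any" (stands in for Cisco's wildcard mask)
    dst: str = "any"              # ignored by a standard ACL
    proto: str = "ip"             # "ip" matches every protocol
    dport: Optional[int] = None   # destination port to match; None means any port


def in_network(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet, extended: bool) -> bool:
    if not in_network(pkt.src, rule.src):
        return False
    if not extended:
        return True               # standard ACL: the source address is the only criterion
    if not in_network(pkt.dst, rule.dst):
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, extended: bool = True) -> str:
    """Walk the list top-down; the first matching rule decides. Every ACL ends in an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt, extended):
            return rule.action
    return "deny"


# Constructed static extended ACL for the branch office side of the frame relay link.
EXTENDED_ACL = [
    Rule("deny", "10.1.0.0/24", "10.2.0.50/32"),               # media server: blocked outright
    Rule("permit", "10.1.0.0/24", "10.2.0.0/24", "tcp", 80),    # web service
    Rule("permit", "10.1.0.0/24", "10.2.0.0/24", "tcp", 1521),  # database (assumed port)
    Rule("permit", "10.1.0.0/24", "any", "icmp"),               # troubleshooting pings
]                                                               # anything else: implicit deny

# Constructed standard ACL: only the management subnet may reach the switches' management VLAN.
STANDARD_ACL = [
    Rule("permit", "10.0.9.0/24"),
]


if __name__ == "__main__":
    for pkt in (Packet("10.1.0.7", "10.2.0.50", "tcp", 51000, 80),
                Packet("10.1.0.7", "10.2.0.10", "tcp", 51000, 80),
                Packet("10.3.0.7", "10.2.0.10", "tcp", 51000, 80)):
        print(pkt, "->", evaluate(EXTENDED_ACL, pkt))
```

Rule order matters: because the deny for the media server sits above the permit for the server farm, a web request to 10.2.0.50 is dropped even though it would match the second rule. Putting the permit first would silently open the hole, which is the usual ACL review mistake.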

3.2 Simulations and results

3.2.1 Objective

Optimization is always the major objective in designing a computer network. Companies always expect their computer network to operate with maximum performance, a high security level and, of course, an acceptable cost. The factors of interest in designing a computer network are price, reliability, security, and performance. For the same price, the network designer can fully utilize the characteristics of the networking hardware to improve the remaining factors.

As said earlier, testing a real system in order to understand and anticipate the benefits of new networking resources is prohibitively expensive, because networking hardware and software are both complicated and costly. Simulation and modeling are a comparatively cheap approach to designing and testing a computer network.

This chapter investigates the operation of VLANs and their advantages. The simulations, done with OPNET IT Guru, have two objectives:

The performance improvement obtained by using VLANs.

The improvement in security level obtained by using VLANs.

The first two scenarios demonstrate the first objective and the last two the second.

3.2.2 NoVLAN network vs. VLAN network

In this simulation, two scenarios were created on the same network topology, that of the Electronics and Telecommunications department of a university.

Figure 3.33 NoVLAN network


Figure 3.34 VLAN network

For simplicity, we assume that the university has no Internet connection yet, so this is a purely local network made up of the following areas: two laboratory rooms, a teachers' room, a manager's room and a server farm.

Students usually go to the lab rooms to study or to download material from the server farm, so the applications used in this topology are file transfer, remote login and database access. Teachers and the student manager access their servers to download documents, prepare lectures and so on. The applications configured for the Student, Teacher and Manager profiles are listed in Table 3.1.


Profile    Application        Load level
Student    Remote_login       High load
           File_transfer      High load
           Database_access    High load
Teacher    Remote_login       Medium load
           File_transfer      High load
           File_print         Medium load
Manager    Remote_login       Low load
           File_print         Medium load
           Database_access    Medium load

Table 3.1 Applications used in the lab

To evaluate the two scenarios, the following statistics are collected:

Global statistic      Ethernet delay (s)
Server statistics     Ethernet delay (s)
                      Ethernet load (bit/s)
                      Server performance: load (request/s)
                      Server performance: load (task/s)
                      Server performance: task processing time (s)
Link statistics       Utilization
                      Throughput (bit/s)
                      Load (bit/s)

Table 3.2 Statistics collected in the lab

If VLANs are not applied to the network, every station can communicate with every other station.

Figure 3.35 Traffic demand in the network without VLAN

As shown in Figure 3.35, three traffic demands are created from the workstation student14 to three nodes that, in the second scenario, belong to different VLANs, and all of them reach their destinations. In the second scenario only the demand directed to Server_student reaches its destination; the other two are blocked by the switch because their destinations belong to other VLANs.


Figure 3.36 Only one traffic demand is allowed to reach its server

Figure 3.37 Traffic to the other VLANs is not allowed by the switch

By blocking all traffic destined for other VLANs, the switch improves network performance: the Ethernet load and the Ethernet delay become smaller.
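To make the switch behaviour behind these results concrete, here is a small model of a VLAN-aware learning switch, added as an illustration; it is not the thesis's OPNET model, and the port numbers, MAC addresses and host-to-VLAN assignment are constructed for the example. It replays the student14 experiment, a unicast towards each server and one broadcast, first with every port in the default VLAN and then with the three VLANs.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology for this example (not the thesis's OPNET model):
# switch port -> (host name, VLAN the port is assigned to). Three VLANs, each
# with one server and one or two stations, following the thesis's three groups.
HOSTS = {
    1: ("ServerStudent", "student"),
    2: ("student14", "student"),
    3: ("student15", "student"),
    4: ("ServerTeacher", "teacher"),
    5: ("teacher1", "teacher"),
    6: ("ServerManager", "manager"),
    7: ("manager1", "manager"),
}


def mac(port):
    """Locally administered MAC address derived from the port number (constructed)."""
    return f"02:00:00:00:00:{port:02x}"


def port_of(name):
    return next(p for p, (host, _) in HOSTS.items() if host == name)


@dataclass
class Frame:
    src: str
    dst: str  # BROADCAST for a broadcast frame


@dataclass
class Switch:
    """Minimal VLAN-aware learning switch with access ports only."""
    port_vlan: dict                                # port -> VLAN id
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port

    def forward(self, in_port, frame):
        """Return the set of ports the frame is delivered to.

        The source MAC is learned per VLAN; a known unicast goes to one port,
        an unknown unicast or a broadcast is flooded, but only to ports of the
        ingress VLAN. A frame never crosses a VLAN boundary inside the switch.
        """
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, frame.src)] = in_port
        same_vlan = {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}
        if frame.dst == BROADCAST:
            return same_vlan
        out = self.mac_table.get((vlan, frame.dst))
        return same_vlan if out is None else {out}


def build_switch(with_vlans):
    """NoVLAN scenario: every port sits in the same default VLAN (one broadcast domain)."""
    return Switch({p: (vlan if with_vlans else "default") for p, (_, vlan) in HOSTS.items()})


def reachable_servers(with_vlans, src="student14"):
    """Names of the servers a unicast from src is delivered to, once each server
    has announced itself with a broadcast (as a gratuitous ARP would)."""
    sw = build_switch(with_vlans)
    servers = [p for p, (host, _) in HOSTS.items() if host.startswith("Server")]
    for p in servers:
        sw.forward(p, Frame(mac(p), BROADCAST))
    src_port = port_of(src)
    return {HOSTS[p][0] for p in servers
            if p in sw.forward(src_port, Frame(mac(src_port), mac(p)))}


def broadcast_receivers(with_vlans, src="student14"):
    """Number of stations that receive one broadcast from src: the size of src's
    broadcast domain minus the sender itself."""
    sw = build_switch(with_vlans)
    src_port = port_of(src)
    return len(sw.forward(src_port, Frame(mac(src_port), BROADCAST)))


if __name__ == "__main__":
    for with_vlans in (False, True):
        label = "VLAN" if with_vlans else "NoVLAN"
        print(f"{label}: student14 reaches {sorted(reachable_servers(with_vlans))}, "
              f"its broadcast is received by {broadcast_receivers(with_vlans)} stations")
```

Without VLANs the station reaches all three servers and its broadcast is delivered to every other port; with VLANs only the server of its own VLAN is reachable and the broadcast stays among the student ports. The model has access ports only; trunks, 802.1Q tags and inter-VLAN routing are outside it, which is exactly why the student's frames to the other servers are dropped rather than routed.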


Figure 3.38 Ethernet load (bit/s) on ServerManager

Figure 3.39 Ethernet load (bit/s) on ServerTeacher

Figure 3.40 c) Ethernet load (bit/s) on servers

The figures above show that the load decreases at every server when VLANs are used. In the first scenario the traffic generated by users, whoever they are, is sent to all servers, which raises the network load above normal and the network delay with it. The second scenario creates three separate VLANs that cannot communicate, so a large amount of traffic can no longer reach the two servers outside the sender's VLAN, and the load at each server drops significantly. Note that part of this reduction is simply demand that is no longer delivered; the benefit of VLANs that holds independently of this traffic pattern is that broadcasts and flooded frames are confined to the smaller domain.

Because the traffic at each server is lighter, the server processes it faster. The server performance in the two scenarios can be examined with the following statistics:


Figure 3.41 Server performance statistics: a) Load (request/s); b) Task processing time (s)

Because the servers need less time to process the traffic they receive, the delay at each server, and with it the end-to-end delay, is smaller.


Figure 3.42 End-to-end Delay

The last factor used to examine the network is link utilization. At the same request rate from the workstations, the network with the lower link utilization is the better one. In the figure below, the VLAN network consumes about one third of the bandwidth of the NoVLAN network.

Figure 3.43 Link utilization


3.2.3 Restricting accessibility

The second scenario of the first simulation created three separate VLANs that cannot communicate at all. In practice, two or more VLANs must be able to exchange information and share network resources; here, the student manager needs to share information with the teachers in order to build the student database. Communication between VLANs requires a layer-3 device such as a router or a layer-3 switch. In this case a one-armed router (router-on-a-stick) routes between the Teacher VLAN and the Manager VLAN.

Figure 3.44 Inter-VLAN communication

In addition, by applying ACLs on this router, the Teacher VLAN can be allowed to communicate with the Manager VLAN while the Student VLAN is not.


List name    Action   Source           Destination
Incoming_3   Permit   Any              Any
Outgoing_3   Permit   192.168.2.254    Any
             Deny     192.168.2.0/24   192.168.3.0
             Permit   Any              Any
Incoming_4   Permit   Any              Any
Outgoing_4   Permit   192.168.2.254    Any
             Deny     192.168.2.0/24   192.168.3.0
             Permit   Any              Any

Table 3.3 ACL configuration

After the router with its ACLs is added to the network, no client in the Student VLAN can ping a client in another VLAN, but both teachers and the manager can ping Server_student (see the ping report in Appendix 1). They can therefore reach Server_student to read information about their students or to send information to them.
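The following added example is not part of the thesis; it models how a Cisco-style ACL decides a packet and applies that model to the Outgoing_3 list of Table 3.3, which also makes concrete the distinction between standard and extended ACLs described earlier in this chapter. Reading the table together with the text, 192.168.2.0/24 is taken as the student VLAN and 192.168.2.254 as its server; the table gives the denied destination as 192.168.3.0 without a mask, and a /24 is assumed. The addresses used as test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(text):
    """'any', a bare host address (treated as /32) or CIDR -> IPv4Network."""
    return ANY if text == "any" else ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class Entry:
    action: str                          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = ANY     # a standard ACL entry has no destination


def evaluate(acl, src_ip, dst_ip):
    """Decide a packet the way IOS does: test entries top-down, let the first
    match decide, and drop anything that matches no entry (the implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


def wildcard(network):
    """IOS writes masks as wildcard (inverse) masks: 192.168.2.0/24 -> 0.0.0.255."""
    return str(network.hostmask)


def ios_operand(network):
    if network == ANY:
        return "any"
    if network.prefixlen == 32:
        return f"host {network.network_address}"
    return f"{network.network_address} {wildcard(network)}"


def render_ios(name, acl):
    """Render the list in IOS named extended ACL syntax (for reading; nothing is configured)."""
    return [f"ip access-list extended {name}"] + [
        f" {e.action} ip {ios_operand(e.src)} {ios_operand(e.dst)}" for e in acl
    ]


# Outgoing_3 from Table 3.3. 192.168.2.0/24 is read as the student VLAN and
# 192.168.2.254 as its server; the denied destination 192.168.3.0 has no mask in
# the table, and a /24 is assumed here.
OUTGOING_3 = [
    Entry("permit", net("192.168.2.254")),
    Entry("deny", net("192.168.2.0/24"), net("192.168.3.0/24")),
    Entry("permit", net("any")),
]

# The same entries in the wrong order: "permit any any" now shadows the deny,
# which can never match.
SHADOWED = [OUTGOING_3[2], OUTGOING_3[1], OUTGOING_3[0]]


if __name__ == "__main__":
    print("\n".join(render_ios("Outgoing_3", OUTGOING_3)))
    for src, dst in [("192.168.2.10", "192.168.3.5"),     # student host -> other VLAN
                     ("192.168.2.254", "192.168.3.5"),    # Server_student -> other VLAN
                     ("192.168.3.7", "192.168.2.254")]:   # other VLAN -> Server_student
        print(f"{src} -> {dst}: {evaluate(OUTGOING_3, src, dst)} "
              f"(shadowed order: {evaluate(SHADOWED, src, dst)})")
```

Two properties matter in practice and are exercised above: the order of entries decides the result (with the permit-any entry first, the deny never matches), and an unmatched packet is dropped by the implicit deny, so a list that only permits traffic from 192.168.3.0/24 silently drops everything else. Because the entries match on both source and destination, Table 3.3 describes extended rather than standard lists; and because a classic ACL is stateless, the direction in which a list is applied (the thesis's Incoming/Outgoing naming) determines which half of an exchange it sees.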

Figure 3.45 Ping report


3.2.4 The DDoS attack and defense simulation [7]

A Distributed Denial of Service (DDoS) attack is a network attack in which the attacker uses malicious code installed on many computers to attack a single target. An attacker who cannot break into a target can still make it unavailable to everyone else by launching a DDoS attack against it.

We assume that every computer in the network has been infected by malicious software, programmed by the attacker so that all of the computers request an HTTP service at the same moment of the attacker's choosing.

Figure 3.46 DDoS attack

If the network does not use VLANs, every computer can send traffic to Server_teacher and overload it. In a traditional flat LAN the attacker can therefore attack any target, and the whole network can easily collapse. The figure on the next page shows that, under attack, the CPU utilization of the victim server reaches 100 percent, so it can no longer serve any request.


If the network is divided into three VLANs, the number of clients whose fake requests reach the server is much smaller. Even when the target is Server_student, only the student VLAN collapses; the other VLANs keep working.
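The attack pattern described above, every infected host requesting the same HTTP object at the same instant, leaves a recognisable trace on the victim. The example below is added here and is not part of the thesis or its OPNET configuration: it runs a per-second flood detector over constructed web-server access-log lines and groups the flagged sources by VLAN subnet. 192.168.2.0/24 for the student VLAN follows Table 3.3; the teacher and manager subnets, the host addresses and the log lines are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed VLAN subnets for this example: 192.168.2.0/24 (student) follows Table 3.3,
# the other two are chosen here and are not taken from the thesis.
VLANS = {
    "student": ip_network("192.168.2.0/24"),
    "teacher": ip_network("192.168.3.0/24"),
    "manager": ip_network("192.168.4.0/24"),
}

# Infected hosts, five per VLAN (constructed). In the flat LAN all fifteen reach the
# victim; with the victim inside the student VLAN, only the five student hosts do.
FLAT_ATTACKERS = [f"192.168.{third}.{host}" for third in (2, 3, 4) for host in range(11, 16)]
SEGMENTED_ATTACKERS = [ip for ip in FLAT_ATTACKERS if ip_address(ip) in VLANS["student"]]


def make_log(attackers, when="01/Jan/2009:10:01:40 +0000"):
    """Constructed common-log-format lines: light background traffic, then every
    attacker fetching the same 100 kB object in the same second."""
    background = [
        '192.168.2.11 - - [01/Jan/2009:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1000',
        '192.168.3.21 - - [01/Jan/2009:10:00:07 +0000] "GET /lecture.pdf HTTP/1.1" 200 1000',
        '192.168.4.31 - - [01/Jan/2009:10:00:09 +0000] "GET /db/report HTTP/1.1" 200 1000',
    ]
    attack = [f'{ip} - - [{when}] "GET /large.jpg HTTP/1.1" 200 100000' for ip in attackers]
    return "\n".join(background + attack)


LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse(line):
    """One log line -> {'ip', 'second', 'bytes'}, or None for a malformed line."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "second": int(ts.timestamp()), "bytes": int(m["bytes"])}


def detect_floods(log_text, min_requests=5, min_sources=5):
    """Flag every second in which both the request count and the number of distinct
    sources reach their thresholds. Returns {epoch second: sorted source IPs}."""
    per_second = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            per_second[rec["second"]].append(rec["ip"])
    return {
        sec: sorted(set(ips))
        for sec, ips in per_second.items()
        if len(ips) >= min_requests and len(set(ips)) >= min_sources
    }


def sources_by_vlan(ips):
    """Count flagged sources per VLAN subnet; an address outside every subnet is 'other'."""
    counts = Counter()
    for ip in ips:
        name = next((n for n, subnet in VLANS.items() if ip_address(ip) in subnet), "other")
        counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, attackers in (("flat LAN", FLAT_ATTACKERS), ("VLAN", SEGMENTED_ATTACKERS)):
        for sec, ips in detect_floods(make_log(attackers)).items():
            print(f"{label}: flood at {sec}, {len(ips)} sources {sources_by_vlan(ips)}")
```

With a flat LAN the flagged second carries sources from all three subnets; with the victim inside the student VLAN only student addresses can appear, which is the containment the simulation shows. The detector keys on a single second and on the number of distinct sources, so it catches the synchronised start of this attack; a slower flood in which each host waits 10 to 20 s between pages, as in the attack profile of Appendix 1, needs a wider window.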

Figure 3.47 The results after the attack: a) CPU utilization of the victim server; b) service load of the victim server; c) link utilization between the victim server and the switch to which it is connected; d) service response time of the other clients

3.3 Conclusions

These two simulations show the main benefits of VLANs.

Using VLANs improves network performance because they reduce the broadcast traffic that degrades the network when it is not properly managed: VLANs split one broadcast domain into several smaller ones, so a problem in one segment stays in that segment.

VLANs also make a large network easier and more efficient to manage. A user can move to another location without changing IP address to match a new network address, and without any change to the router configuration.

The second simulation shows the higher security level obtained with VLANs. On a flat LAN, confidential and mission-critical data cross the same broadcast domain as every other station; in a VLAN-segmented network, traffic of one VLAN cannot reach another without the administrator's permission, and inter-VLAN traffic passes through a router whose ACLs permit or deny it.

Although configuring VLANs on a network is complex, their many benefits give VLANs a very important role in computer networks today, especially in large ones.


CONCLUSIONS

After a long time researching and writing the thesis, with the guidance of Dr. Cuong Dinh The, I have completed my thesis on time.

The thesis introduces VLANs and their benefits. It compares two networks, one without VLANs and one with them; in the second network, performance improves because broadcast traffic decreases.

VLANs also make the placement of network devices more flexible. When a device is moved to another position it can keep its IP configuration, and the administrator does not need to reconfigure the network's router.

Finally, the thesis shows the main advantage of VLANs, the security improvement. With VLANs the administrator can divide the network into subnets according to their functions and requirements, and with VLAN ACLs it is possible to permit or deny specific traffic and to allow only selected VLANs to communicate with each other.

These advantages explain why VLANs are widely used in campus and enterprise networks. However, configuring VLANs is complex; administrators can easily misconfigure them and, unintentionally, create weaknesses that an attacker can use against the network.

To sum up, this thesis has presented useful information about the benefits of VLANs and how to configure them for a campus or enterprise network.

For future work, I will study OPNET Modeler further; it is a powerful tool for simulating and modeling not only computer networks but also other communication networks.


REFERENCES

[1] Vũ Minh Tiến, Mạng máy tính (Computer Networks), People's Army Publishing House, 2002.

[2] Alberto Leon-Garcia and Indra Widjaja, Communication Networks: Fundamental Concepts and Key Architectures, McGraw-Hill, 2001.

[3] Cesc Canet and Juan Agustín Zaballos, Security Labs in OPNET IT Guru, OPNET.com.

[4] Chriss Hoffmann, VLAN Security in the LAN and MAN Environment, SANS Institute, 2003.

[5] Cisco Systems, Virtual LAN Security Best Practices.

[6] Emad Aboelela, Computer Networks: A Systems Approach, 3rd Edition, Network Simulation Experiments Manual, University of Massachusetts Dartmouth, Morgan Kaufmann Publishers, 2003.

[7] Mattias Björlin, A Study of Modeling and Simulation for Computer and Network Security, University of Stockholm / Royal Institute of Technology, June 2005.

[8] Saad Mohamed Abuguba, Performance Evaluation of Rapid Spanning Tree Protocol by Measurements and Simulation, Budapest University of Technology and Economics, Department of Telecommunications and Media Informatics, 2006.

[9] Cisco Systems, Securing Networks with Private VLANs and VLAN Access Control Lists.

[10] Micrel, Virtual LAN: Application and Technology, white paper.

[11] Wayne Lewis, LAN Switching and Wireless: CCNA Exploration Companion Guide, Cisco Press, 2008.

[12] ANSI/IEEE Std 802.1D, 1998 Edition.

[13] http://en.wikipedia.org/wiki/Vlan

[14] http://en.wikipedia.org/wiki/STP


APPENDIX 1

List of applications used in this simulation

Searching

HTTP Specification                         HTTP 1.1
Page Interarrival Time (seconds)           Exponential(10)
Page Properties                            Object 1          Object 2
  Object Size (bytes)                      Constant(1000)    Medium image
  Number of Objects (objects per page)     Constant(1)       Constant(2)
  Location                                 HTTP server
Server Selection
  Initial Repeat Probability               Search
  Pages per Server                         Exponential(2)
RSVP Parameters                            None
Type of Service                            Best effort (0)

Table 3.4 Searching properties


WebBrowsing (HTTP heavy browsing)

HTTP Specification                         HTTP 1.1
Page Interarrival Time (seconds)           Exponential(60)
Page Properties                            Object 1          Object 2
  Object Size (bytes)                      Constant(1000)    Medium image
  Number of Objects (objects per page)     Constant(1)       Constant(5)
  Location                                 HTTP server
Server Selection
  Initial Repeat Probability               Browse
  Pages per Server                         Exponential(10)
RSVP Parameters                            None
Type of Service                            Best effort (0)

Table 3.5 WebBrowsing properties


http attack (HTTP extreme heavy browsing)

HTTP Specification                         HTTP 1.1
Page Interarrival Time (seconds)           Exponential(10)
Page Properties                            Object 1          Object 2
  Object Size (bytes)                      Constant(100000)  Large image
  Number of Objects (objects per page)     Constant(1)       Constant(10)
  Location                                 HTTP server
Server Selection
  Initial Repeat Probability               Browse
  Pages per Server                         Exponential(20)
RSVP Parameters                            None
Type of Service                            Best effort (0)

Table 3.6 http attack properties


Applications used in each profile:

Teacher:

Manager:

High_loadAndImaging:

Profile               Operation mode   Start time         Duration            Repeatability
Teacher               Simultaneous     Uniform(100,110)   End of simulation   Once at start time
Manager
High_loadAndImaging

Imaging

HTTP Specification                         HTTP 1.1
Page Interarrival Time (seconds)           uniform(10,20)
Page Properties                            Object 1          Object 2
  Object Size (bytes)                      Constant(1000)    Large image
  Number of Objects (objects per page)     Constant(1)       Constant(7)
  Location                                 HTTP server
Server Selection
  Initial Repeat Probability               Research
  Pages per Server                         exponential(20)
RSVP Parameters                            None
Type of Service                            Best effort (0)

filetransfer_heavy:

DDoS attack: profile in use: attacker

Application used in the attacker profile:

Profile    Operation mode   Start time         Duration        Repeatability
attacker   Simultaneous     Uniform(100,110)   Constant(200)   Inter-repetition Time (s): Constant(600); Number of Repetitions: 5; Repetition Pattern: serial

httpattack

HTTP Specification                         HTTP 1.1
Page Interarrival Time (seconds)           uniform(10,20)
Page Properties                            Object 1          Object 2
  Object Size (bytes)                      Constant(100000)  Large image
  Number of Objects (objects per page)     Constant(1)       Constant()
  Location                                 HTTP server
Server Selection
  Initial Repeat Probability               Research
  Pages per Server                         exponential(20)
RSVP Parameters                            None
Type of Service                            Best effort (0)
