Undergrad Thesis Htt Fixed

  • June 2020
  • PDF




  • Words: 11,213
  • Pages: 79
LIST OF ACRONYMS

ARPANET   Advanced Research Projects Agency Network
ACL       Access Control List
BID       Bridge ID
BPDU      Bridge Protocol Data Unit
CSMA-CD   Carrier Sense Multiple Access-Collision Detection
DNS       Domain Name Service
DHCP      Dynamic Host Configuration Protocol
FCS       Frame Check Sequence
FTP       File Transfer Protocol
HTTP      Hypertext Transfer Protocol
LAN       Local Area Network
RSTP      Rapid Spanning Tree Protocol
STP       Spanning Tree Protocol
STA       Spanning Tree Algorithm
TCP       Transmission Control Protocol
TPID      Trunking Protocol ID
UDP       User Data Protocol
VPN       Virtual Private Network
VLAN ID   VLAN Identification
VLAN      Virtual LAN
VTP       VLAN Trunking Protocol
WAN       Wide Area Network


TABLE OF CONTENTS

TABLE OF CONTENTS ...... ii
ACKNOWLEDGEMENTS ...... iv
LIST OF FIGURES ...... v
LIST OF TABLES ...... vii
ABSTRACT ...... 1
CHAPTER 1 LOCAL NETWORKS AND FUNDAMENTAL CONCEPTS ...... 2
1.1 COMPUTER NETWORK OVERVIEW ...... 2
1.1.1 What is a computer network? ...... 2
1.1.2 Classification of computer networks ...... 4
1.1.2.1 Scale ...... 4
1.1.2.2 Transmission medium ...... 4
1.1.2.3 Functional relationship ...... 5
1.1.2.4 Topology ...... 5
1.1.3 OSI Reference Model ...... 10
1.1.3.1 Application layer ...... 10
1.1.3.2 Presentation layer ...... 11
1.1.3.3 Session layer ...... 12
1.1.3.4 Transport layer ...... 12
1.1.3.5 Network layer ...... 13
1.1.3.6 Data link layer ...... 14
1.1.3.7 Physical layer ...... 14
1.2 INTRODUCING LOCAL NETWORK ...... 14
1.2.1 Local Area Network (LAN) ...... 14
1.2.2 Virtual LAN (VLAN) ...... 17
1.3 A BRIEF ON SIMULATION TOOLS AND OPNET ...... 19
1.4 CONCLUSIONS ...... 21
CHAPTER 2 VIRTUAL LOCAL AREA NETWORK (VLAN) ...... 23
2.1 DEFINITION OF VLAN ...... 23
2.2 VLAN ID RANGE ...... 24
2.3 OPERATION OF VLAN ...... 25
2.4 TYPES OF VLAN ...... 26
2.4.1 Data VLAN ...... 26
2.4.2 Default VLAN ...... 27
2.4.3 Native VLAN ...... 27
2.4.4 Management VLAN ...... 28
2.4.5 Voice VLAN ...... 28
2.5 THE STANDARDS AND PROTOCOLS USED IN VLAN ...... 30
2.5.1 VLAN Trunking ...... 30
2.5.1.1 Trunk's definition and its benefit ...... 30
2.5.1.2 IEEE 802.1q ...... 31
2.5.2 VLAN Trunking Protocol (VTP) ...... 33
2.5.2.1 What is VTP? ...... 33
2.5.2.2 VTP Pruning ...... 34
2.5.3 Spanning tree protocol (STP) ...... 35
2.5.3.1 The importance of redundancy in designing a network ...... 35
2.5.3.2 Redundancy and loop issues ...... 36
2.5.3.3 The Spanning tree protocol-STP ...... 39
2.5.4 Rapid spanning tree protocol (RSTP) ...... 39
2.5.4.1 The differences from STP ...... 39
2.5.4.2 RSTP operation ...... 39
2.6 CONCLUSIONS ...... 40
CHAPTER 3 BENEFITS OF VLAN IN NETWORK DESIGN ...... 41
3.1 MAIN BENEFITS OF VLAN ...... 41
3.1.1 VLAN and Quality of service (QoS) ...... 41
3.1.1.1 The Definition of QoS ...... 41
3.1.1.2 Queuing mechanisms ...... 42
3.1.2 VLAN and security ...... 43
3.1.2.1 Basic security: Handling physical accesses to network devices ...... 43
3.1.2.2 Tools and best practices in securing VLAN ...... 44
3.1.2.3 Improve network security using Access Control Lists ...... 45
3.2 SIMULATIONS AND RESULTS ...... 46
3.2.1 Objective ...... 46
3.2.2 NoVLAN network vs. VLAN network ...... 47
3.2.3 Restrict the accessibility ...... 57
3.2.4 The DDoS attack and defense simulation [7] ...... 59
3.3 CONCLUSIONS ...... 62
CONCLUSIONS ...... 63
REFERENCES ...... 64
APPENDIX 1 ...... 65


ACKNOWLEDGEMENTS

I wish to express my sincere gratitude to all who contributed their time and talent to the completion of this work, in particular to:

First of all, I would sincerely like to thank my scientific supervisor, Dr. Cuong Dinh The at the Le Quy Don Technical University, for his unlimited guidance, many discussion hours, valuable advice, as well as his precious encouragement.

I would also like to acknowledge Mr. Thanh Nguyen, Assistant Professor at the Faculty of Electrical Engineering, Le Quy Don Technical University, who helped me so much in using OPNET as well as gave me much advice in modeling. In spite of being busy, he still reserved some hours for my questions, and these hours helped me so much in modeling and driving my simulations in the right direction. Additionally, he also showed me how to write a thesis, especially in English. English is becoming the global language, and this is the reason I decided to write my thesis in this language.

I would like to acknowledge Van Thuy Vu, a zealous friend; each time I finished a part of this thesis, she helped me in fixing the grammar mistakes I had.

Last, I would also like to thank the Internet; without it, I couldn't find any documents to serve as references in my thesis.


LIST OF FIGURES

FIGURE 1.1 ARPANET ...... 3
FIGURE 1.2 A BUS NETWORK ...... 6
FIGURE 1.3 A STAR NETWORK ...... 7
FIGURE 1.4 A RING NETWORK ...... 8
FIGURE 1.5 MESH NETWORK ...... 9
FIGURE 1.6 OSI MODEL ...... 10
FIGURE 1.7 THE NETWORK DEVICES USED IN LAN ...... 15
FIGURE 1.8 HIERARCHICAL NETWORK ...... 16
FIGURE 1.9 THE SMALL UNIVERSITY WITH ITS LAN ...... 17
FIGURE 1.10 THE UNIVERSITY NETWORK AFTER SEVERAL YEARS WITH VLAN ...... 18
FIGURE 1.11 OPNET ITGURU ...... 21
FIGURE 2.12 THE DIFFERENT VLANS IN A NETWORK ...... 23
FIGURE 2.13 PORT-BASED VLAN ...... 24
FIGURE 2.14 BROADCAST TRAFFIC IN NORMAL LAN ...... 25
FIGURE 2.15 CONTROLLING BROADCAST DOMAIN WITH VLAN ...... 25
FIGURE 2.16 DATA VLANS ...... 27
FIGURE 2.17, FIGURE 2.18 MANAGEMENT VLAN ...... 28
FIGURE 2.19 VOICE VLAN ...... 29
FIGURE 2.20 VOICE TRAFFIC ...... 29
FIGURE 2.21 VLANS WITHOUT TRUNK ...... 30
FIGURE 2.22 VLAN WITH TRUNK ...... 31
FIGURE 2.23 IEEE 802.1Q ETHERNET TYPE ALLOCATIONS ...... 32
FIGURE 2.24 IEEE 802.1Q VLAN TAG FIELDS ...... 32
FIGURE 2.25 TCI FORMAT ...... 32


FIGURE 2.26 CONFIGURING A SMALL NETWORK WITH ONLY 3 SWITCHES ...... 34
FIGURE 2.27 A NETWORK WITH REDUNDANCY ...... 35
FIGURE 2.28 WHEN THE MAIN LINK FAILS ...... 36
FIGURE 2.29 LAYER 2 LOOP-1 ...... 36
FIGURE 2.30 LAYER 2 LOOP-2 ...... 37
FIGURE 2.31 LAYER 2 LOOP-3 ...... 38
FIGURE 3.32 A COMPANY'S NETWORK TOPOLOGY ...... 42
FIGURE 3.33 NOVLAN NETWORK ...... 48
FIGURE 3.34 VLAN NETWORK ...... 49
FIGURE 3.35 TRAFFIC DEMAND IN THE NETWORK WITHOUT VLAN ...... 51
FIGURE 3.36 ONLY ONE TRAFFIC DEMAND IS ALLOWED TO REACH ITS SERVER ...... 52
FIGURE 3.37 ONE OF THE TRAFFICS IS NOT ALLOWED BY THE SWITCH ...... 52
FIGURE 3.38 ETHERNET LOAD (BIT/S) ON SERVERMANAGER ...... 53
FIGURE 3.39 ETHERNET LOAD (BIT/S) ON SERVERTEACHER ...... 53
FIGURE 3.40 ETHERNET LOAD (BIT/S) ON SERVERS ...... 54
FIGURE 3.41 SERVER PERFORMANCE STATISTICS ...... 55
FIGURE 3.42 END-TO-END DELAY ...... 56
FIGURE 3.43 LINK UTILIZATION ...... 56
FIGURE 3.44 INTER-VLAN COMMUNICATION ...... 57
FIGURE 3.45 PING REPORT ...... 58
FIGURE 3.46 DDOS ATTACK ...... 59
FIGURE 3.47 THE RESULTS AFTER THE ATTACK ...... 61


LIST OF TABLES

TABLE 3.1 APPLICATIONS USED IN THE LAB ...... 50
TABLE 3.2 STATISTICS COLLECTED IN THE LAB ...... 50
TABLE 3.3 ACLS CONFIGURING ...... 58
TABLE 3.4 SEARCHING PROPERTIES ...... 65
TABLE 3.5 WEB BROWSING PROPERTIES ...... 66
TABLE 3.6 HTTP ATTACK PROPERTIES ...... 67


ABSTRACT

Derived from the need of sharing network resources between hosts and users, the computer network was born, and it plays a more and more important role in our life. Since it was born in the 1960s, the computer network has continuously grown. The more it grows, the more issues appear, such as network delay, performance, security, etc. In local networks, VLAN is a solution for these issues. Nowadays VLANs are extensively used in practice and represent a critical and time-consuming activity in both enterprise and campus network management. For this reason, I have chosen to research the topic "Study and designing virtual local area network-VLAN" for my graduation thesis.

This thesis intends to introduce VLAN and its benefits for campus networks and enterprise networks as well. It is organized into four parts, which are followed by a reference and an appendix part. The outline of the thesis is as follows:

- Part 1: Local networks and fundamental concepts. This part introduces the fundamental concepts of local computer networks, LAN and VLAN. Also in this part, a brief on simulation tools and OPNET is given.
- Part 2: Virtual local area networks (VLANs). This part introduces VLAN, its definitions and operations. The reason why we should use VLAN is also presented by introducing its benefits in performance, management, and security.
- Part 3: Benefits of VLAN in network design. In this part, I introduce the main benefits of VLAN implementation; measurements are then done to demonstrate the benefits of VLAN in comparison with a traditional LAN.
- Part 4: Conclusion. This part presents the results of my work.

CHAPTER 1
LOCAL NETWORKS AND FUNDAMENTAL CONCEPTS

1.1 Computer network overview

1.1.1 What is a computer network?

Recently, the branches of telecommunication in Vietnam in particular and in the world in general have evolved very quickly. In this evolution, there are contributions not only from the transmission, multiplexing and coding technologies and so forth, but also from computer networks, which contribute significantly. It can be said that computer networks make a great contribution not only to the development of telecommunication but also to almost all other branches. The 21st century is the era of information technology. We not only need a powerful computer but we also need a good computer network with high performance, reliability and security. To design an optimal computer network, first of all, we must have knowledge about a computer network: what is it? When did it appear? And why must we use it?

Derived from the need of sharing network resources between hosts and users, the computer network was born. The first one appeared in the late 1960s and early 1970s; it was the "Advanced Research Projects Agency Network" (ARPANET) (see Figure 1.1), which was designed for the United States Department of Defense by the Advanced Research Projects Agency (ARPA). Initially, the ARPANET was used for military purposes; it connected national defense units, the research departments of the government and some universities. The ARPANET kept getting bigger and became the predecessor of today's Internet.

Figure 1.1 ARPANET


Today, we can define a computer network as a group of computers (at least two) that are connected to each other by a physical or logical link. It allows us to share our resources with each other. Larger-scale networks such as WANs and the Internet also consist of small networks like that.

1.1.2 Classification of computer networks

There are four criteria used for classifying networks.

1.1.2.1 Scale

Computer networks can be classified based on their scale. We have the Local Area Network (LAN), Personal Area Network (PAN), Campus Area Network (CAN), Virtual Private Network (VPN), Metropolitan Area Network (MAN), and Wide Area Network (WAN).

1.1.2.2 Transmission medium

Based on the transmission medium, networks can be classified as follows:
• Fiber networks are those that use fiber (optical cable) to transmit data.
• Copper networks: the transmission medium is copper cable. Ethernet is a very popular copper network, which uses CSMA/CD as the medium access control.
• Wireless LANs or WLANs do not use cable to transmit data; they transmit through the air. Their medium access control is CSMA/CA.


1.1.2.3 Functional relationship

Computer networks may be classified according to the functional relationships which exist among the elements of the network.
• Peer-to-peer (P2P) networks are networks in which computers have the same role as each other in sharing network resources. Any user can request data from another and vice versa. Today, BitTorrent is the most common P2P application.
• Client-server networks are networks which have at least one server and one or more clients. Clients make requests to servers and servers fulfill these requests from the clients.

1.1.2.4 Topology

We can also classify networks based on their topology, such as bus, star, ring and mesh networks.
• A bus network uses only one common medium (called the bus) to transmit data among network nodes.


Figure 1.2 A Bus network

A bus network is the simplest way to make a computer network; it has some advantages such as:
• It is the cheapest way to establish a network.
• It is simple to understand and implement.
• Because network nodes operate independently, if a node is broken, the network still works properly.

However, bus networks have some disadvantages as follows:
• Due to the use of the common medium, the probability of collision is very high, so the number of stations is limited.
• The length of the bus is limited as well due to the attenuation of the signal when traveling on
• At a time, only one station has the right to transmit data, so the capacity of a bus network is low.

If a network is large-scale, these disadvantages make it unsuitable.

Figure 1.3 A Star network

Nowadays, a star network is one of the most popular networks. It consists of a central node, which is a hub, a switch, a router, or a computer with many NICs (network interface cards), and peripheral nodes. A star network has more advantages than a bus network. Its performance is higher because unnecessary traffic is eliminated. In a bus network, when a station sends a frame, this frame will be sent to all of the nodes attached to the bus. Meanwhile, in a star network, if the central node is a switch, the frame will only be sent to its destination. This also makes the probability of collision decrease. It is easy to upgrade the network by using a more powerful central node and adding more leaf nodes. The disadvantage of star networks is the dependence on the central node. If this one is broken, the whole network will be broken as well.


Figure 1.4 A Ring network (a, b)

A ring network is a network in which the nodes are connected in a closed-loop configuration. Each node only connects to its two neighbors. In a small computer network, every node is connected to a central node that is a token ring hub or switch, as in Figure 1.4. Token Ring is a widely implemented kind of ring network. In Token Ring networks, information is transmitted in one direction from the source to the destination. The token ring hub carries this out by receiving the frame and forwarding it out to the next port, and so on. There is a frame called the token which travels around the network. If a station wants to send its frames, it must wait for a "free" token, then it claims the token by removing it from the ring and begins transmitting its frames. Each station examines the destination address in each passing frame to see whether this address matches its own address. If not, the station forwards the frame to the next link after a short delay; if the frame is for this station, it is copied into the station's buffer, then the station sets some status bits of the frame and forwards it on the ring. When the frame gets back to the source again, the source removes it from the ring and gives the "free" token back to the ring.

Ring networks are orderly networks, where every node has the same chance to transmit data. They operate with higher performance than star and bus networks under heavy load. They do not require any server to control the network operation. A ring network has a high security level. If a node is broken, it will be cut out of the ring by short-circuiting it. However, ring networks also have some disadvantages. Token Ring network cards and MAUs (Multistation Access Units) are much more expensive than NICs and hubs or switches. Ring networks are not flexible in adding or dropping network elements. Ring networks have lower performance under low-load traffic conditions. Ring networks are suitable for networks that have heavy traffic, like backbone networks.

A mesh network is the most stable and reliable type of network topology, but also the most expensive one. In a mesh network, each node connects directly to the others, so a large number of cables and connections is required.

Figure 1.5 Mesh network

Normally, mesh networks are combined with other types of networks to make a suitable network topology.

1.1.3 OSI Reference Model

In order to decrease the complexity of designing and installing, almost all computer networks are designed in layers. The most common models are the OSI model and the TCP/IP model. Due to the similarity of these two models, the OSI model will be discussed in more detail. The OSI model was built in 1984 by the ISO organization. According to this model, the operation of a network is divided into 7 layers (see Figure 1.6).

Figure 1.6 OSI model

1.1.3.1 Application layer

The application layer is the top layer in the OSI model and also the closest to the end user. It is the source and destination of communications in the network. Applications, services and protocols of the application layer help the user interact effectively with the OSI model.
• Applications are computer programs which help the user interact with the OSI model.
• Services are background programs that provide the connection between the application layer and the lower ones in the OSI model.
• Protocols are the rules for communicating among network nodes.

There are some application layer protocols such as:
• DNS (Domain Name Service), used to map IP addresses to names that are easy to remember.
• DHCP (Dynamic Host Configuration Protocol), used to dynamically assign IP configuration to hosts. The configuration consists of the IP address, default gateway, and DNS server address.
• HTTP (Hypertext Transfer Protocol), which defines the commands, headers, and processes by which web servers and web browsers transfer files.
Etc.

1.1.3.2 Presentation layer

The Presentation layer has the following functions: (1) coding and converting data that come from the application layer to ensure that when these


data reach the destination, the corresponding applications at the destination node can understand them; (2) compressing and decompressing data to save bandwidth; (3) encrypting and decrypting data.

1.1.3.3 Session layer

The Session layer establishes and maintains the communication between source and destination nodes.

1.1.3.4 Transport layer

The Transport layer provides the two main network services, which are TCP and UDP. TCP is the reliable method of transmission. It is used in applications that require high reliability, like email, web, etc. To make a communication reliable, TCP uses the mechanism of the three-way handshake and flow control. In a TCP session, the source must ensure that a frame was delivered successfully to the destination; if not, it must retransmit the frame. UDP is the Transport layer protocol used in applications that need to deliver data across the network quickly but do not need high exactitude and reliability. UDP uses neither the "three-way handshake" mechanism, flow control, nor retransmission of broken frames. Consequently, it minimizes the size of the frame's header. In order to provide these two services, the Transport layer has the following functions:
• Tracking the individual communications between source and destination:


When accessing a network, users can use many applications simultaneously. The Transport layer must add more information about the type of application into the header of frames to deliver them exactly.
• Segmenting data into pieces, reassembling these pieces and managing them: In order to run many different applications on the same transmission medium simultaneously, the Transport layer segments frames into many pieces. And when these pieces (segments) reach the destination, they are reassembled into the original frame.
• To ensure reliability and improve network performance, the Transport layer has the functions of flow control and error checking.

1.1.3.5 Network layer

The Network layer has the responsibility of routing and forwarding packets to the right destination. To implement this, the Network layer must address a frame, and then encapsulate it into a packet. The packet header has fields that include the source and destination addresses of the packet. After encapsulating, the network layer must route the packet to its destination; this is done by intermediary devices called routers. When the packet reaches its destination, the network layer at the destination node must decapsulate this packet to take the data inside it and forward it to the upper layers.

1.1.3.6 Data link layer

After encapsulating a packet, the network layer sends it down to the data link layer (OSI layer 2). The data link layer plays the role of connecting the software (OSI layer 3) and the hardware (OSI layer 1) of the network. This layer consists of two sublayers, the MAC sublayer and the LLC sublayer. The MAC sublayer controls accessing and sharing the medium; some OSI layer 2 standards can be found in this thesis, such as Ethernet IEEE 802.3 (CSMA-CD), IEEE 802.5 (Token Ring), 802.11 (WLAN) and some other ones (optional). The LLC sublayer is considered the bridge between the MAC sublayer and the network layer. It allows the upper layers to access the medium by framing. When a packet which comes from the network layer is sent to the data link layer, it is encapsulated into a frame which consists of the source and destination MAC addresses, the protocol type, the FCS (Frame Check Sequence), and the network layer packet.

1.1.3.7 Physical layer

The Physical layer is the lowest layer in the OSI model. This layer's purpose is minimizing the effect of interference in the medium on the signal. So the physical layer has the responsibility of coding and converting the frames from the data link layer into signals, and then transmitting the signals onto the medium.
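The transport-layer functions listed in section 1.1.3.4 (segmenting data into pieces, reassembling them at the destination, and retransmitting what was lost, which TCP does and UDP does not) can be made concrete with a small model. The Python below is an added example written for this edit, not part of the thesis or of OPNET: the segment size, the sample message and the lossy network that drops chosen segments once are constructed for illustration, and it models only segmentation, reassembly and retransmission, not the three-way handshake or flow control.

```python
"""Toy model of transport-layer segmentation, reassembly and retransmission.

Constructed example: a fixed segment size, a sample message and a network
that drops selected segments exactly once on their first transmission.
"""

MSS = 8  # maximum segment size in bytes (constructed, far smaller than real TCP)


def segment(data, mss=MSS):
    """Split data into (sequence_number, chunk) pairs; seq = byte offset."""
    return [(seq, data[seq:seq + mss]) for seq in range(0, len(data), mss)]


class LossyNetwork:
    """Drops each listed sequence number once, then lets it through."""

    def __init__(self, drop_once):
        self.pending = set(drop_once)

    def drop(self, seq):
        if seq in self.pending:
            self.pending.discard(seq)
            return True
        return False


class ReliableReceiver:
    """Buffers out-of-order segments and answers with a cumulative ACK."""

    def __init__(self):
        self.buffer = {}      # seq -> chunk
        self.next_seq = 0     # first byte not yet received in order

    def receive(self, seq, chunk):
        self.buffer[seq] = chunk
        # advance the in-order pointer across every contiguous segment held
        while self.next_seq in self.buffer:
            self.next_seq += len(self.buffer[self.next_seq])
        return self.next_seq   # cumulative ACK: next byte expected

    def reassemble(self):
        return b"".join(self.buffer[s] for s in sorted(self.buffer))


def deliver_reliable(data, network, mss=MSS):
    """TCP-like: segments may arrive out of order or be lost; the sender
    retransmits from the cumulative ACK until everything is acknowledged.
    Returns (reassembled_bytes, segments_transmitted)."""
    rx = ReliableReceiver()
    segs = segment(data, mss)
    ack, transmitted = 0, 0
    # first pass, delivered in reverse order to exercise reassembly
    for seq, chunk in reversed(segs):
        transmitted += 1
        if not network.drop(seq):
            ack = rx.receive(seq, chunk)
    # retransmit whatever the cumulative ACK says is still missing
    while ack < len(data):
        seq, chunk = next(s for s in segs if s[0] == ack)
        transmitted += 1
        if not network.drop(seq):
            ack = rx.receive(seq, chunk)
    return rx.reassemble(), transmitted


def deliver_unreliable(data, network, mss=MSS):
    """UDP-like: no ACKs and no retransmission; lost segments leave a gap.
    Returns (bytes_that_arrived, segments_transmitted)."""
    segs = segment(data, mss)
    arrived = [chunk for seq, chunk in segs if not network.drop(seq)]
    return b"".join(arrived), len(segs)


if __name__ == "__main__":
    message = b"the quick brown fox jumps over the lazy dog"  # constructed
    got, n = deliver_reliable(message, LossyNetwork(drop_once={16}))
    print("reliable  :", got == message, "segments sent:", n)
    got, n = deliver_unreliable(message, LossyNetwork(drop_once={16}))
    print("unreliable:", got == message, "bytes lost:", len(message) - len(got))
```

With the constructed 43-byte message and segment 16 dropped once, the reliable path transmits seven segments (six plus one retransmission) and reassembles the message exactly, while the unreliable path transmits six and silently loses eight bytes; the receiver's cumulative ACK is what tells the sender where to resume.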
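The frame layout described in section 1.1.3.6 (destination and source MAC addresses, a protocol type, the network-layer packet, and an FCS) can be built and checked in a few lines. The Python below is an added example, not the thesis's own material: it builds an Ethernet II frame, computes the FCS as the CRC-32 that IEEE 802.3 specifies, and verifies it on receipt, which is how a station discards a frame damaged in transit. It goes slightly beyond this section by also recognising an optional IEEE 802.1Q VLAN tag (the TPID and VLAN ID of the acronym list), since that tag is what the rest of the thesis builds on. The MAC addresses and payload are constructed sample values.

```python
"""Build and verify Ethernet II frames with an FCS (CRC-32) and an optional
802.1Q VLAN tag. Added example with constructed sample values."""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100   # TPID that marks a VLAN-tagged frame
MIN_FRAME_NO_FCS = 60      # 64-byte minimum Ethernet frame minus 4-byte FCS


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fcs_of(body):
    """IEEE 802.3 FCS: CRC-32 over everything from destination MAC to the end
    of the payload, carried least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    body = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        # 802.1Q tag: TPID, then TCI = 3-bit priority, 1-bit DEI, 12-bit VID
        body += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    body += struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, MIN_FRAME_NO_FCS - len(body))  # pad short frames
    return body + fcs_of(body)


def fcs_valid(frame):
    """True when the trailing FCS matches the CRC-32 of the rest of the frame."""
    return len(frame) >= 64 and frame[-4:] == fcs_of(frame[:-4])


def parse_frame(frame):
    """Decode a frame; raises ValueError (as a NIC would drop it) on a bad FCS."""
    if not fcs_valid(frame):
        raise ValueError("FCS mismatch: frame corrupted in transit")
    body = frame[:-4]
    dst, src = mac_str(body[0:6]), mac_str(body[6:12])
    (ethertype,) = struct.unpack("!H", body[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", body[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": body[offset:]}


if __name__ == "__main__":
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                        ETHERTYPE_IPV4, b"hello", vlan_id=10)
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01               # flip one bit in the payload
    print("damaged frame accepted:", fcs_valid(bytes(damaged)))
```

Flipping a single bit anywhere in the frame changes the CRC-32, so the receiver rejects it; note that the FCS only detects transmission damage, it does not authenticate the frame, which is why the thesis later turns to VLANs and access control for security rather than to the data link layer's error check.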

1.2 Introducing Local network

1.2.1 Local Area Network (LAN)

Derived from the need of sharing information between the computers of users in the same organization, the first LANs were born in the 1970s to create high-rate connections between computers. Initially, a LAN was defined as a group of computers connected together and placed under the management of a common administrator. But along with the evolution of technologies, the meaning of the term "LAN" is getting larger. Nowadays, LAN also refers to a network that is much larger than home or small office networks. Almost all LANs are designed according to the hierarchical architecture with redundancy; twisted-pair cable is used as the transmission medium (normally Cat5E); depending on the NIC and the type of medium, the network speed is 10 Mbps, 100 Mbps, 1 Gbps, or even 10 Gbps. The network devices used in a LAN include routers, switches, DSL modems, IP phones, PCs, printers, and servers (Figure 1.7).

Figure 1.7 The network devices used in LAN


Figure 1.8 Hierarchical network

The Access layer is the lowest and closest to the end-user devices. The Access layer has the responsibility of providing the ability to connect to end-user devices. In addition, the Access layer can determine whether a device can connect to the network or not. The Distribution layer gathers all traffic which comes from the Access layer, and then, if possible, it distributes the traffic to the true destinations as long as the destinations belong to the same subnet as the traffic. If not, the Distribution layer sends the traffic to the Core layer for routing to its final destination. This layer controls the network flow and separates the VLANs that are defined at the access layer. Distribution layer devices are typically


high-performance switches that have high availability and redundancy to ensure reliability. The Core layer is the highest-rate layer in the hierarchical network model. Typically, the core layer devices are routers and switches that have high availability, rates, and redundancy. They can process the traffic properly under heavy load because they must receive and process almost all the traffic of the whole network. Their functions are connecting the local network with the outside network (for example, the Internet) and routing the traffic to its end points.

1.2.2 Virtual LAN (VLAN)

A LAN is a good choice for small networks in homes or small offices, because it is easy and cheap to install and QoS is not critical. For instance, suppose that initially a university has only one branch with one building. A computer room for students is on the fifth floor, and the other, for teachers and officers, is on the third floor. We can design and configure the university's network like the following figure:

Figure 1.9 The small university with its LAN

After several years, this university grows and has two more branches. Suppose that its network still remains as before.


Figure 1.10 The university network after several years with VLAN

The headmaster of the university wants to make only two subnets, one for students and the other for teachers and officers, and he wants all students to be able to share their resources, and likewise all the teachers and officers. Obviously, it is impossible to create a large LAN for the students as well as for the teachers. VLAN is the solution for this. A VLAN is simply a LAN in the logical sense. But in a VLAN, the network devices and users are not limited by geography but can be grouped based on their functions and purposes in using network resources. Using VLANs, we can handle the network traffic, prevent the network from what is called a "broadcast storm", improve the security level, and manage QoS policies. Thus, if a VLAN is designed and configured well, we will get much more benefit in comparison with using a normal LAN, such as improving the performance, increasing the security level, and advancing the capability of network management, etc. However, the IT engineers must have knowledge about VLANs and their configuration. In a big company or university that uses switches from many different vendors, it is complex to configure VLANs, and incorrect configurations may degrade the network performance or even make the network impossible to operate.
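The claim above, that VLANs contain broadcast traffic and keep groups of users apart, can be shown with a model of a switch that learns MAC addresses per VLAN and floods broadcast or unknown-destination frames only to ports of the same VLAN. The following Python is an added example, not code from the thesis or from OPNET: the six-port layout, the VLAN numbers (10 for students, 20 for teachers and officers) and the MAC addresses are constructed for illustration.

```python
"""Model of a port-based VLAN switch: per-VLAN MAC learning and flooding.

Added example with a constructed six-port switch; VLAN 10 = students,
VLAN 20 = teachers and officers, as in the university scenario above.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # access port -> VLAN id
        self.mac_table = {}                # (vlan, mac) -> port learned on

    def members(self, vlan, exclude=None):
        """Ports that belong to vlan, optionally leaving out the ingress port."""
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != exclude)

    def forward(self, in_port, src, dst):
        """Return the list of egress ports for a frame received on in_port.

        Learning and lookup are keyed by (vlan, mac), so a MAC learned in one
        VLAN is invisible to frames arriving from another VLAN."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port           # learn the source
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            return [] if known == in_port else [known]  # known unicast
        # broadcast or unknown unicast: flood, but only inside this VLAN
        return self.members(vlan, exclude=in_port)


def broadcast_reach(switch, in_port):
    """Number of ports a broadcast from in_port is flooded to."""
    return len(switch.forward(in_port, "00:00:00:00:00:01", BROADCAST))


def demo():
    """Compare one flat LAN with the same six ports split into two VLANs."""
    ports = range(1, 7)
    flat = Switch({p: 1 for p in ports})                  # one big LAN
    segmented = Switch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20, 6: 20})
    return broadcast_reach(flat, 1), broadcast_reach(segmented, 1)


if __name__ == "__main__":
    flat_reach, vlan_reach = demo()
    print(f"broadcast from port 1 reaches {flat_reach} ports in the flat LAN, "
          f"{vlan_reach} ports with VLANs")
```

In the flat LAN a broadcast from port 1 reaches all five other ports; with the two VLANs it reaches only the two other student ports, and a student frame addressed to a teacher's MAC is never delivered to a teacher port, because that MAC was learned in VLAN 20 and the lookup happens in VLAN 10. Traffic between the two groups therefore has to pass through a router, which is where the access control lists discussed later in the thesis can be applied.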

1.3 A brief on simulation tools and OPNET

In recent years, science and technology have developed very quickly, and it is extremely necessary to analyze and evaluate new technologies and protocols. But sometimes it is prohibitively expensive and too dangerous to test a real system. Telecommunication systems are really complex and expensive. In Vietnam, almost all universities do not have enough money to buy real-world systems for their laboratories. Fortunately, with the significant evolution of computer science, the term "simulation" was born. With a simulation tool, real-world systems can be simulated and then evaluated at a certain level, and the received results are widely accepted by the scientific community. Using simulation tools can make up for the shortage of capital investment, so it is the cost-effective choice for small universities and businesses. There are many networking simulation tools, such as OPNET, QuadNet, NS-2, OMNET++, Matlab, etc. Almost all of them are built in C or C++ and their simulation results are accepted by the scientific community. Among these tools, OPNET and NS-2 are preferred and are commonly used in education and research. NS-2 is a new open-source simulation tool for simulating wireless communication. There are many modules associated with it, and NS-2 also includes substantial contributions from researchers all over the world. But the biggest disadvantage of NS-2 is the difficulty for beginners in learning how to use and utilize it. OPNET seems to be the appropriate tool for students in study and research. OPNET stands for Optimized Network Engineering Tools.


Initially, OPNET was Alain Cohen's (co-founder and current CTO & President of OPNET Technology) graduate project when he was a networking student at MIT (Massachusetts Institute of Technology). The company's first product is OPNET Modeler, commercial software used for simulating and modeling communication networks, network devices and protocols. OPNET is a widely used Windows- and Linux-based simulator. It is built in C++ and provides a virtual environment for modeling, analyzing, and calculating network performance. This tool is often updated with new protocols and devices to keep up with fast-evolving network technology trends. OPNET is used by many commercial and government organizations and universities worldwide. With OPNET Modeler, basically, users can:
- Create and edit networks and nodes according to their purpose.
- Modify the operation inside network nodes.
- Analyze and evaluate their network by using the statistics collected after simulating.
However, it is very difficult for beginners to learn and make the most of OPNET Modeler in implementing a new protocol; they must be familiar with the object-oriented approach and the C++ language as well as telecommunication knowledge. Therefore, OPNET Technology Corporation developed the OPNET IT Guru version, which is free and is used for educational purposes.


Figure 1.11 OPNET IT Guru

This version is widely used either in universities, to simulate what they teach and study, or in small companies, for planning their networks. Many new network protocols and devices have been modeled in this version. This makes it much easier to build a network, and all beginners need is their knowledge of telecommunications and computers. Since OPNET IT Guru is a free version, it does not allow modifying a network node or viewing the architecture inside nodes.

1.4 Conclusions

In this chapter, we have seen that computer networks are crucial. This chapter also gives an overview of LAN and VLAN, so we can see the advantages of VLAN in comparison with a traditional LAN. Along with its own advantages, VLAN has become an indispensable tool for network administrators to segment the network, to increase bandwidth per user, to provide security, and to provision multimedia services [10].

This chapter also points out the role of simulation in designing a network. Along with the evolution of computer science, networking simulation tools help efficiently in network design. Among the various simulation tools, OPNET, which is made to answer the "what-if" question, is the suitable tool for students. So, in the next two parts of this thesis, the issues in designing a computer network, such as performance and security level, are discussed. The next part shows what a VLAN is and its characteristics. The VLAN's advantages are introduced in the last part, and then they are proved by performing some simulations.


CHAPTER 2

VIRTUAL LOCAL AREA NETWORK (VLAN)

2.1 Definition of VLAN

Essentially, a VLAN is also a local network. The difference is that in a LAN, network devices are restricted by their location and the distance between them, while in a VLAN, regardless of location, network devices are logically connected together.

Figure 2.12 The different VLANs in a network

According to figure 2.1, we can define a VLAN as a group of network devices that are logically connected, regardless of either location or physical link in the network. In order to make it easier to manage and configure the network, VLANs can be named based on their functions.

A VLAN is configured entirely in software on switches. Similar to a LAN, each VLAN is assigned a range of IP addresses and a number of switch ports. If a device wants to join a VLAN, it must be connected to a port that belongs to this VLAN and have an IP address that falls within this VLAN's IP address range (see figure 2.2).

Figure 2.13 Port-based VLAN

2.2 VLAN ID range

VLANs are numbered from 1 to 4096; these ordinal numbers are called VLAN IDs and are divided into a normal range and an extended range. The normal range consists of VLANs from 1 to 1005. Among these, VLANs from 1002 to 1005 are used for Token Ring and FDDI networks; the others are used for Ethernet networks. VLAN 1 is the default VLAN: initially, every switch port belongs to this VLAN, and it cannot be deleted or modified. The extended range consists of all the remaining VLANs. These VLANs support fewer VLAN features than normal-range VLANs, so they are not commonly used.


2.3 Operation of VLAN

In many ways, the operation of a VLAN is similar to that of a LAN. The only difference is that by using VLANs we can create a logical group of network devices that forms a separate broadcast domain, independent of their location. In a normal LAN, every device connected to a switch belongs to a common broadcast domain. When a user sends a broadcast message to his/her network, this message is sent to all users connected to this switch, whether they belong to the user's department or not.

Figure 2.14 Broadcast traffic in a normal LAN

In a VLAN, because the network devices of a department are logically grouped into a separate virtual LAN, the broadcast message only travels within this VLAN; users in other departments do not receive it.

Figure 2.15 Controlling the broadcast domain with VLAN

In order to distinguish among VLANs, each frame is tagged with an information field identifying the VLAN it belongs to. This field consists of 3 priority bits, 1 CFI bit that allows Token Ring frames to travel on the Ethernet transmission medium, and 12 VLAN ID bits to identify 4096 VLAN IDs (see figure 2.5).

Figure 2.5 Tagging information

If a local network has many VLANs, the VLANs can communicate by using OSI layer 3 devices such as routers or layer 3 switches.

2.4 Types of VLAN

Today, port-based VLAN is the main way to implement VLANs. In this approach, a set of switch ports is assigned to each VLAN; these ports are called access ports. If a device is connected to an access port, it belongs to the VLAN associated with that port. The term "VLAN type" refers to the type of data that the VLAN carries and the function of this VLAN. There are 5 types of VLAN.

2.4.1 Data VLAN

A data VLAN (also called a user VLAN) is configured to carry only user-generated traffic. However, users can also generate management traffic or voice traffic. This traffic does not belong to the data VLAN but to management VLANs and voice VLANs, which will be mentioned later.

Figure 2.16 Data VLANs

2.4.2 Default VLAN

The default VLAN is the VLAN that always exists in switches. When the switch is first configured, or each time it is reset to the manufacturer's default mode, all ports of the switch are members of this VLAN. Essentially, the default VLAN is similar to other VLANs, but it is impossible to rename or delete it. For Cisco switches, VLAN 1 is the default VLAN, and Layer 2 control traffic, such as CDP and STP traffic, always belongs to this VLAN.

2.4.3 Native VLAN

The native VLAN is a concept related to a port that is configured as a trunk port. An IEEE 802.1Q trunk port supports both tagged and untagged traffic. Tagged traffic is the traffic of a certain VLAN; untagged traffic is traffic that does not belong to any VLAN. Except for native VLAN and default VLAN frames, every frame passing through a trunk port is tagged with its VLAN information. The reason for using a native VLAN is that some devices from different vendors cannot understand, or are not compatible with, each other's IEEE 802.1Q or ISL tagging.

2.4.4 Management VLAN

The management VLAN is used to remotely manage switches. With a management VLAN, we can remotely access switches via Telnet, SSH, HTTP, etc., to manage and configure them. The management VLAN is assigned an IP address and a subnet mask. It is not recommended to use VLAN 1 as the management VLAN. It is a security best practice to define the management VLAN as a VLAN distinct from all other VLANs defined in the switched network.

Figure 2.17 Management VLAN

2.4.5 Voice VLAN

Today, the trend is toward a converged network where the VoIP service is more and more common. Voice VLANs are used for carrying voice traffic. In order to guarantee communication quality, voice VLANs must meet the following requirements: wide bandwidth, the highest priority level, the ability to be routed around congested areas of the network, and low delay.

Figure 2.19 Voice VLAN

Figure 2.20 Voice traffic


2.5 The standards and protocols used in VLAN

2.5.1 VLAN Trunking

2.5.1.1 Trunk's definition and its benefit

A trunk is an Ethernet point-to-point link between two VLAN-aware devices (switches and routers). A trunk can be thought of as a highway carrying many types of traffic flow. A trunk carries the traffic of multiple VLANs over a single link. Unless a trunk is used, we must use a number of switch interfaces equal to the number of VLANs, which makes the network more expensive.

Figure 2.21 VLANs without Trunk


With a trunk, we use only one switch port to carry the traffic of multiple VLANs.

Figure 2.22 VLAN with Trunk

2.5.1.2 IEEE 802.1Q

IEEE 802.1Q lets multiple LANs share a common link without leakage of information between them. It is the name of an encapsulation type over Ethernet networks. This protocol also defines the VLAN ID and allows individual VLANs to communicate with each other through a layer-3 switch or a router. When a frame coming from a VLAN-unaware device arrives at an access port, it is only an original Ethernet frame, i.e., it carries no information about the VLAN it belongs to. The switch inserts a VLAN tag field, which comprises the information about the VLAN the frame belongs to, into that frame. Here is the frame structure:

TPID Tag Protocol Identifier

The TPID includes the Ethernet type field, which is used to distinguish it from other protocols. Its value is set to 0x8100 to identify the frame as an IEEE 802.1Q-tagged frame.

Figure 2.23 IEEE 802.1q Ethernet Type allocations

Figure 2.24 IEEE 802.1Q VLAN Tag Fields

Figure 2.25 TCI format

Tag Control Information (TCI) (figure 2.14)

The TCI is two octets long, in which:
- 3 user priority bits are used to indicate the priority level of the data. IEEE 802.1p specifies 8 levels, from level 0 (lowest) to 7 (highest).
- 1 CFI bit (Canonical Format Indicator): if the value of CFI is 1, the MAC address is in non-canonical format; this enables Token Ring and FDDI frames to be transmitted on the Ethernet transmission medium. If the value is 0, the MAC address is in canonical format; this is the default value for Ethernet frames.
- 12 VLAN ID bits are used to indicate the VLAN to which the frame belongs; its decimal value ranges from 0 to 4095. If the received frame has a VLAN ID of 0, the frame does not belong to any VLAN, and the tag header contains only priority information. The VLAN ID value hex FFF is reserved for implementation use.

After tagging the frame, the switch recalculates the FCS value and then sends the tagged frame out of the trunk port.

2.5.2 VLAN Trunking Protocol (VTP)

2.5.2.1 What is VTP?

There would be nothing to say about VTP if the network were small. For instance, a small company in its early days has a small network. It is not too difficult for the administrator to configure the switches one by one. But when the network grows, the VLAN management challenge becomes clearer. Suppose that the company network has 10 switches; when they want to update or modify their network, the IT engineers have to configure each of the 10 switches. It is a repetitive and boring job, and it could lead the administrators to make mistakes in configuring VLANs. VTP is the solution for this problem.
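Returning to the 802.1Q tag layout of section 2.5.1.2, the following Python is an added example (not from the thesis and not OPNET code) that packs and unpacks the TPID/TCI fields, inserts the tag into an untagged access-port frame the way a switch does before sending it onto a trunk, and recomputes the FCS; the sample frame bytes are constructed for the demonstration.

```python
"""Build, parse and strip IEEE 802.1Q tags (TPID 0x8100, TCI = PRI:3 | CFI:1 | VID:12).

Added example, not part of the thesis or of OPNET. SAMPLE_FRAME is constructed.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100        # Tag Protocol Identifier of an 802.1Q-tagged frame
VID_PRIORITY_ONLY = 0x000  # VID 0: the tag carries priority information only
VID_RESERVED = 0xFFF       # VID 4095: reserved for implementation use


@dataclass(frozen=True)
class Tag:
    priority: int  # 3 user-priority bits (IEEE 802.1p: 0 lowest .. 7 highest)
    cfi: int       # 1 Canonical Format Indicator bit
    vid: int       # 12 VLAN ID bits (0 .. 4095)


def build_tci(priority: int, cfi: int, vid: int) -> int:
    """Pack the two-octet Tag Control Information; reject out-of-range fields."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    return (priority << 13) | (cfi << 12) | vid


def parse_tci(tci: int) -> Tag:
    """Split a 16-bit TCI back into its three fields."""
    return Tag(priority=(tci >> 13) & 0x7, cfi=(tci >> 12) & 0x1, vid=tci & 0xFFF)


def fcs(frame: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def tag_frame(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header after the destination and source MACs."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    header = struct.pack("!HH", TPID_8021Q, build_tci(priority, cfi, vid))
    return frame[:12] + header + frame[12:]


def untag_frame(frame: bytes) -> Tuple[Optional[Tag], bytes]:
    """Return (tag, original frame) for a tagged frame, or (None, frame) otherwise."""
    if len(frame) >= 16:
        tpid, tci = struct.unpack("!HH", frame[12:16])
        if tpid == TPID_8021Q:
            return parse_tci(tci), frame[:12] + frame[16:]
    return None, frame


def classify(tag: Optional[Tag]) -> str:
    """How a receiving trunk port treats the tag; VID 0 and 0xFFF are special cases."""
    if tag is None:
        return "untagged: handled as native VLAN traffic on a trunk"
    if tag.vid == VID_PRIORITY_ONLY:
        return "priority-tagged: no VLAN membership, priority %d only" % tag.priority
    if tag.vid == VID_RESERVED:
        return "reserved VID 0xFFF: must not be used as a VLAN"
    return "member of VLAN %d, priority %d" % (tag.vid, tag.priority)


# Constructed sample: broadcast dst MAC, src MAC, EtherType 0x0800 (IPv4), 4 payload bytes.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800" "deadbeef")

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vid=10, priority=5)
    print(tagged.hex())
    print(classify(untag_frame(tagged)[0]))
    # The FCS changes because the inserted tag is covered by the CRC.
    print(fcs(SAMPLE_FRAME).hex(), fcs(tagged).hex())
```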


Figure 2.26 Configuring a small network with only 3 switches

VTP is a Cisco proprietary protocol, comparable with GVRP from IEEE 802.1Q. By enabling VTP on all switches, the administrator only has to do the VLAN configuration, such as creating, adding, deleting, renaming, etc., on the server-mode switch, and then this switch propagates the VLAN information to the others in the network. This switch is called a VTP server. VTP lets the network update its own VLAN information: the administrator configures the VTP server, and the VTP server then advertises the VLAN information it has to the other VTP-enabled switches in the network. The VTP server stores the VLAN information in the vlan.dat file. VTP advertisements can only be exchanged over active trunks.

2.5.2.2 VTP Pruning

VTP pruning is a Cisco switch feature that increases the available network bandwidth. In a VLAN domain, when a station of a certain VLAN, say VLAN 10, generates broadcast traffic to the others in its VLAN, switches without VTP pruning enabled flood this traffic to the others in the network. If a switch has no VLAN 10 port, the traffic sent to this switch is unnecessary; it consumes the available bandwidth and processor time on this switch. VTP pruning increases the available bandwidth by pruning this unnecessary traffic.

2.5.3 Spanning Tree Protocol (STP)

2.5.3.1 The importance of redundancy in designing a network

As said before, a computer network plays an important role in a company or any organization. If a company's computer network is unstable, it may do a lot of damage to the company. To make a computer network stable, designers always use a hierarchical model, and some redundant links must be used. Suppose that a company has only one link to the internet, and the failure probability of this link is 10%. It means the link's availability is only 90%. If this company adds one more similar link to the internet, the failure probability of the connection to the internet becomes 1%, which means that the availability is 99%. Obviously, by using redundant links, the network is more stable.

Figure 2.27 A network with redundancy


Figure 2.28 When the main link fails

2.5.3.2 Redundancy and loop issues

Redundant links are important, but if we only add redundant links without using any protocol to handle the transmission, a layer 2 loop is sure to occur, which makes the network unavailable. For instance, consider a small network with only three switches, as shown in the figure below:

Figure 2.29 Layer 2 loop-1

At the beginning, the MAC address tables of the two switches S3 and S1 have no entry for PC1. When PC1 sends a broadcast message to switch S2, because this is a broadcast message, any switch receiving it must forward it out of all other ports. S2 forwards it out of all active ports except port F0/11, on which the message was received. When the other switches receive the broadcast message from S2, they add an entry for PC1 to their MAC address tables.

Figure 2.30 Layer 2 loop-2


Figure 2.31 Layer 2 loop-3

After learning the MAC address of PC1, S3 and S1 send the message out of their other ports. When S1 and S3 send the message to each other, they update the MAC address entry of PC1 again, and then they send the message out of their other ports, including the one that connects to S2 via the trunk link. Switch S2, after receiving the message from these two switches, updates its MAC table again and forwards the message repeatedly, and so on. That is a layer-2 loop, and it makes the network traffic heavier and heavier. When more than one device sends broadcast messages in a network like this one, a broadcast storm occurs, consuming all the available bandwidth. Therefore, the network becomes unavailable. So in order to solve this issue, it is necessary to find a way to handle transmission over redundant links.
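The loop just described, as an added Python simulation that is not part of the thesis: three switches in a triangle flood one broadcast from PC1 round by round, with MAC learning, once with all links forwarding and once with one end of the redundant S1-S3 link held in blocking state as STP would do. Switch names and port F0/11 follow the figures; the other port names and the PC1 MAC address are constructed.

```python
"""Broadcast flooding in a three-switch triangle, with and without a blocked link.

Added example, not from the thesis. Port names other than F0/11 and the MAC
address are constructed for the demonstration.
"""
from typing import Dict, List, Tuple


class Switch:
    def __init__(self, name: str) -> None:
        self.name = name
        self.ports: Dict[str, str] = {}      # port -> device attached to it
        self.mac_table: Dict[str, str] = {}  # learned MAC -> port
        self.blocked: set = set()            # ports in STP blocking state
        self.mac_flaps = 0                   # times a learned MAC moved to another port

    def receive(self, in_port: str, src_mac: str) -> List[str]:
        """Learn the source MAC, then return the ports a broadcast is flooded out of."""
        if in_port in self.blocked:          # a blocking port discards data frames
            return []
        if self.mac_table.get(src_mac, in_port) != in_port:
            self.mac_flaps += 1              # the "update MAC table again" of the text
        self.mac_table[src_mac] = in_port
        return [p for p in self.ports if p != in_port and p not in self.blocked]


# Inter-switch links as (switch, port, switch, port); PC1 hangs off S2 port F0/11.
LINKS = [("S2", "F0/1", "S1", "F0/1"),
         ("S2", "F0/2", "S3", "F0/2"),
         ("S1", "F0/3", "S3", "F0/3")]   # the redundant link


def build(block_redundant: bool) -> Tuple[Dict[str, Switch], Dict[Tuple[str, str], Tuple[str, str]]]:
    """Wire the topology; optionally block one end of the S1-S3 link (STP's job)."""
    switches = {n: Switch(n) for n in ("S1", "S2", "S3")}
    peer: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for a, pa, b, pb in LINKS:
        switches[a].ports[pa] = b
        switches[b].ports[pb] = a
        peer[(a, pa)] = (b, pb)
        peer[(b, pb)] = (a, pa)
    switches["S2"].ports["F0/11"] = "PC1"
    if block_redundant:
        switches["S3"].blocked.add("F0/3")
    return switches, peer


def flood(switches, peer, start: Tuple[str, str], src_mac: str, max_rounds: int) -> dict:
    """Deliver one broadcast round by round until nothing is in flight or max_rounds."""
    in_flight = [start]
    forwarded = host_copies = rounds = 0
    while in_flight and rounds < max_rounds:
        rounds += 1
        nxt = []
        for name, port in in_flight:
            for out in switches[name].receive(port, src_mac):
                forwarded += 1
                if (name, out) in peer:
                    nxt.append(peer[(name, out)])  # frame arrives at the neighbour switch
                else:
                    host_copies += 1               # frame reaches an end host (PC1)
        in_flight = nxt
    return {"rounds": rounds,
            "frames_forwarded": forwarded,
            "host_copies": host_copies,
            "converged": not in_flight,           # False means frames still circulate
            "mac_flaps": sum(s.mac_flaps for s in switches.values())}


def run(block_redundant: bool, max_rounds: int = 10) -> dict:
    """PC1 (constructed MAC) sends one broadcast into S2 on F0/11."""
    switches, peer = build(block_redundant)
    return flood(switches, peer, ("S2", "F0/11"), "00:11:22:33:44:55", max_rounds)


if __name__ == "__main__":
    print("no STP :", run(block_redundant=False))
    print("blocked:", run(block_redundant=True))
```

With every link forwarding, the frame count keeps growing with each round and PC1 receives copies of its own broadcast; with the one port blocked, the flood stops after three rounds and no MAC entry ever moves.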


2.5.3.3 The Spanning Tree Protocol (STP)

STP is a layer 2 protocol that helps solve the layer-2 loop issue. STP is based on the STA, an algorithm invented by Radia Perlman while working for Digital Equipment Corporation. STP is defined in the IEEE 802.1D standard. STP's function is to prevent OSI layer-2 loops in a redundant network. It ensures that there is only one logical path, the one with the lowest path cost, between all destinations on the network, by intentionally blocking redundant paths that could cause a loop. Network traffic cannot pass through a blocked port, but BPDUs can. If the best path fails, the STA recalculates the path cost and then enables the redundant path.

2.5.4 Rapid Spanning Tree Protocol (RSTP)

2.5.4.1 The differences from STP

STP is the original protocol for preventing layer 2 loops. Nowadays, STP is replaced by RSTP (Rapid Spanning Tree Protocol). RSTP was introduced in the IEEE 802.1w standard in 1998 by the IEEE as an evolution of STP. RSTP has only a few differences from STP, which make it converge much faster. Indeed, while STP can take from 30 to 50 seconds to respond to a topology change, RSTP is typically able to respond to changes within a second.

2.5.4.2 RSTP operation

RSTP operation is similar to STP operation, but RSTP convergence is much faster. In STP, in order to complete convergence, STP has to elect the root bridge, elect the root port, and elect designated and non-designated ports, and it takes two forward-delay periods in the election of the designated port. RSTP convergence is significantly faster. The RSTP proposal and agreement process is carried out link by link, and it does not rely on timers expiring before the port can transition. Both STP and RSTP determine port roles based on the BID and path cost, and they use the BID and path cost in the same way.

2.6 Conclusions

This chapter shows what a VLAN is and how it operates. From this we will see the benefits of using VLAN, such as improving performance, enhancing the security level, and making it easier to manage the network, which are introduced in the next chapter. Additionally, using VLAN also makes it flexible to manage and design a network. Assume that a company is reorganized and one employee is moved to another position; by reconfiguring switch ports, he does not need to change his location. Using VLAN also makes network design cheaper, because it makes full use of the switch ports in a room, and it is easy to add or remove users of the network. This chapter also talks a little about two issues in network design, in particular VLAN design, namely VTP and STP. VTP makes it easier to configure VLANs, and STP is a solution for the redundancy and layer 2 loop problems. Because of its substantial benefits, VLAN is used widely in network design; we will make this clearer in the next part.


CHAPTER 3

BENEFITS OF VLAN IN NETWORK DESIGN

3.1 Main benefits of VLAN

3.1.1 VLAN and Quality of Service (QoS)

3.1.1.1 The definition of QoS

QoS, which stands for Quality of Service, is an extremely important part of telecommunications. QoS is a wide-ranging concept; there are many ways to approach it. According to Microsoft, QoS is "the ability of the network to handle this traffic such that it meets the service needs of certain applications". According to Wikipedia, "QoS is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow". Every user generating traffic wants to transmit it at the expected rate. If network resources were infinite, this traffic would be transmitted without latency, jitter or loss. But in fact, network resources are finite, so the network administrator must determine which traffic is important and which is not. The common meaning of QoS is classifying traffic and handling it so that the network can meet all the traffic requirements of users. Using VLAN, the network operator can make use of the VLAN ID and User Priority bits in the VLAN tag field to prioritize packets. In order to see clearly the importance of QoS in networking, let's examine the following network:


Figure 3.32 A company's network topology

In figure 3.1, a company uses a frame relay link to connect its two buildings: the branch office and the server farm. In working hours, officers can access the database server to look for the data they need, or use email and the web service. In the rest of the time, they can relax by playing music or video, or even a computer game. But in business hours, especially at rush hours, some users may load illegal traffic such as music or video from the music-and-video server. This traffic consumes much more bandwidth than the rest, and therefore slows down the company network's performance. In order to improve network performance, QoS is applied to set the multimedia traffic priority to the lowest level, or even to block it, by using queuing mechanisms, ACLs, firewalls and the like.

3.1.1.2 Queuing mechanisms

In small LANs nowadays, the typical bandwidth is 100 Mbps, which can meet almost every kind of traffic demand, so QoS seems unnecessary. But, for instance, in figure 2-31 the link connecting the two buildings is only 512 Kbps, so at rush hours congestion may occur. On the other hand, if applications such as video conferencing and VoIP are used, the traffic generated by these applications is much heavier than the rest. The reality is that there are multiple users using multiple applications which require network resources at the same time; therefore, it is necessary to allocate network resources to application traffic so that the network can meet all service requirements. In order to apply QoS on a network, the following QoS parameters are usually used:
- Bandwidth: the rate at which an application's traffic must be carried by the network
- Latency (or delay): the delay that an application can tolerate in delivering a packet of data
- Jitter: the variation in latency
- Loss: the percentage of lost data
Among these parameters, bandwidth is the most interesting one. If an application has enough bandwidth, the other parameters (delay, loss, and jitter) can be acceptable. To increase the available bandwidth, one of several approaches is to classify traffic into QoS classes and then prioritize and queue it according to its importance. There are several QoS mechanisms, or queuing mechanisms, as follows: Priority Queuing (PQ), Custom Queuing (CQ), Weighted Fair Queuing (WFQ) with its distributed versions, IP RTP Prioritization, Modified Deficit Round Robin (MDRR), Class-based Weighted Fair Queuing (CB-WFQ) and Class-based Low-latency Queuing (CB-LLQ).

3.1.2 VLAN and security

3.1.2.1 Basic security: handling physical access to network devices

For a big company, the threat from malicious users will be very great if they gain access to a network device. For example, if they can access a switch and configure it, they can get other users' information and use it to their advantage, or, even if not, they can carry out attacks such as DDoS to bring down the network. Along with the evolution of computer science and information technology, threats can appear from everywhere, either inside or outside the network, with many types of attack, such as:
• MAC Flooding Attack
• 802.1Q and ISL Tagging Attack
• Double-Encapsulated 802.1Q/Nested VLAN Attack
• ARP Attacks
• Private VLAN Attack
• Multicast Brute Force Attack
• Spanning-Tree Attack
• Random Frame Stress Attack
• DDoS Attack, etc.
Even a normal user can make use of attack tools widely distributed on the internet to perform these attacks, or to propagate viruses, worms or spyware to victim PCs.

3.1.2.2 Tools and best practices in securing VLAN

First of all, the best practice for a network is physical security. It means not letting unauthorized users connect their computers to network devices and configure them. Even if they can connect to a switch, configuring all ports used at the access layer as access ports, and shutting down all unused ports, can improve the security level. In addition, the port-security configuration provided by Cisco can improve network security by using further security parameters such as MAC addresses and passwords. At a higher security level, ACLs and firewalls are used to protect the network from internal or external threats such as illegal traffic and harmful traffic such as viruses, Trojan horses or worms, etc. Additionally, antivirus software installed on each computer in the LAN plays an important role in detecting and removing harmful computer programs.

3.1.2.3 Improving network security using Access Control Lists

What is an Access Control List (ACL)?

The Access Control List is basic knowledge that every network administrator must master. ACLs (short for Access Control Lists) are used to restrict the access of users to different types of data in a local network by using basic IP filtering. In a network that has an ACL-configured router, this router not only carries out routing in the network but also operates as an IP filter. When a packet comes in or goes out of an interface to which an ACL rule is applied, the router analyzes it and then determines, based on the packet's header and the filter rules, whether the packet is permitted or denied. According to Cisco, ACLs are divided into two types: standard ACLs and extended ACLs. With standard ACLs, a router can only filter arriving packets based on the source IP address. Extended ACLs are further divided into static extended ACLs and complex extended ACLs. Using static extended ACLs, a router can filter packets more powerfully; it can make a decision based on source and destination IP address, source and destination TCP and UDP port, and protocol type (IP, ICMP, UDP, etc.). In order to make the rules more flexible and secure, complex extended ACLs are used.

ACL's function and its benefit

All an ACL has to do is filter the IP packets arriving at its interfaces and then determine whether to pass or discard them according to the rules given by the administrator. Consequently, an ACL can improve network performance by discarding illegal traffic such as the video traffic in the example in section 2.6.1. An ACL restricts access to selected users in a network; this is a basic level of security in networking. ACLs also give the network administrator some benefits and flexibility through complex extended ACLs. In Cisco routers, three categories of complex ACLs are supported, as follows:

Dynamic ACLs: a user who wants to access or traverse a router configured with a dynamic ACL must first be authenticated by connecting to this router using Telnet. Using dynamic ACLs can improve the security level of network access.

Reflexive ACLs: reflexive ACLs are used when the administrator wants to block all traffic originating from outside his network, while other traffic is allowed. Using this category of ACL can give the best security practice for closed networks, those which do not want to advertise their information; it helps to secure the network against hackers, especially DoS attacks.

Time-based ACLs: this category of ACL allows access control based on time. Applying time-based ACLs gives more flexibility.

3.2 Simulations and results

3.2.1 Objective

Optimization is always the major objective in designing a computer network. Companies always expect their computer network to operate with maximum performance, a high security level and, of course, an acceptable cost. The factors of interest in designing a computer network are price, reliability, security and performance. For the same price, the network designer can fully utilize the characteristics of the networking hardware to improve the remaining factors.

As has been said earlier, in order to understand and anticipate the benefits of new networking resources, it is prohibitively expensive to test a real system, because the networking hardware and software can be both complicated and expensive. Simulation and modeling are considered a fairly cheap approach to computer network design and testing. This chapter aims to investigate VLAN's operation and its advantages. In this chapter, I have done some simulations using OPNET IT Guru to demonstrate two objectives, as follows:
- The performance improvement from using VLAN.
- The improvement of the security level from using VLAN.
The first two scenarios are done to demonstrate the first objective, and the last two are done to prove the second objective.

3.2.2 NoVLAN network vs. VLAN network

In this simulation, I have created two scenarios using the same network topology, that of the Electronics and Telecommunications of a university.


Figure 3.33 NoVLAN network


Figure 3.34 VLAN network

For simplicity, we assume that the university does not have an internet connection yet. So, this is only a local network including 4 rooms, in which there are two laboratory rooms, one room for teachers, one for the manager, and the remaining one is the server farm. Normally, students go to the lab rooms to study or to load information from the server farm. Therefore, in this topology the following applications and profiles are used: file transfer, remote login, and database access. Teachers and the student manager always access their servers to download their documents, to prepare their lectures, etc. So, there are some applications configured for Student, Teacher and Student_manager.


Profile    Application        Load level
Student    Remote_login       High load
Student    File_transfer      High load
Student    Database_access    High load
Teacher    Remote_login       Medium load
Teacher    File_transfer      High load
Teacher    File_print         Medium load
Manager    Remote_login       Low load
Manager    File_print         Medium load
Manager    Database_access    Medium load

Table 3.1 Applications used in the lab

Therefore, to evaluate these scenarios, it is necessary to gather the following statistics:

Global statistic: Ethernet/Delay (s)
Server's statistics: Ethernet/Delay (s); Ethernet/Load (bit/s); Server performance Load (request/s); Server performance Load (task/s); Server performance Task processing time
Link's statistics: Utilization; Throughput (bit/s); Load (bit/s)

Table 3.2 Statistics collected in the lab

If VLAN is not applied on the network, every station can communicate with every other.


Figure 3.35 Traffic demand in the network without VLAN

As shown in figure 3-4, three traffic demands are created from the workstation student 14 to three nodes that belong to different VLANs, and all of them reach their destinations. But in the second scenario, only the traffic demand directed to the Server student reaches its destination. The others are blocked by the switch because they belong to other VLANs.


Figure 3.36 Only one traffic demand is allowed to reach its server.

Figure 3.37 One of the traffic flows is not allowed by the switch

By blocking all traffic that belongs to other VLANs, the network performance is improved: the Ethernet load and Ethernet delay become smaller.

Figure 3.38 Ethernet load (bit/s)on ServerManager

Figure 3.39 Ethernet load (bit/s) on ServerTeacher


c) Figure 3.40 Ethernet Load (bit/s) on servers

The figures above show that the network load decreases at all servers when using VLAN. In the first scenario, traffic generated by users, regardless of who they are, is sent to all servers. Thus, the network load is higher than usual, and the network delay increases along with it. The second scenario creates three separate VLANs that cannot communicate with each other, so a large amount of traffic cannot reach the two servers that are not in the same VLAN as its source. Consequently, the load at each server decreases significantly. Because the traffic at each server is lighter, the server can process it faster. We can examine the performance of the servers in these two scenarios by collecting the following statistics:


a)

b) Figure 3.41 Server performance statistics: a) Load (request/s); b) Task processing time (s)

Because it takes the servers less time to process the traffic they receive, the delay on each server, as well as the end-to-end delay, is smaller.


Figure 3.42 End-to-end delay

The last factor used to examine the network is link utilization. At the same request rate from the workstations, the network with the smaller link utilization is the better one. In the figure below, the network using VLAN consumes three times less bandwidth than the NoVLAN network.

Figure 3.43 Link utilization


3.2.3 Restrict the accessibility

The second scenario of the first simulation created three separate VLANs, but they cannot communicate. In practice, two or more VLANs must be able to communicate with each other to share information and network resources. In this instance, the student manager needs to share information with the teachers in order to build the student database. To make communication among VLANs possible, a layer 3 device such as a router or a layer-3 switch is used. In this case, a one-armed router is used to route between the VLAN Teacher and the VLAN Manager.

Figure 3.44 Inter-VLAN communication

Additionally, by applying ACLs to this router, the VLAN Teacher can be allowed to communicate with the VLAN Manager while the VLAN Student cannot.


List name    Action   Source           Destination
Incoming_3   Permit   Any              Any
Outgoing_3   Permit   192.168.2.254    Any
             Deny     192.168.2.0/24   192.168.3.0
             Permit   Any              Any
Incoming_4   Permit   Any              Any
Outgoing_4   Permit   192.168.2.254    Any
             Deny     192.168.2.0/24   192.168.3.0
             Permit   Any              Any

Table 3.3 ACL configuration

After adding the router with these ACLs to the network, no client belonging to the VLAN Student can ping a client that belongs to another VLAN, but both the teacher and the manager can ping the Server Student (see the ping report in Appendix 1). This means that they can access the Server Student to retrieve the information about their students, or to send them their own information.

Figure 3.45 Ping report
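To make the rule order in Table 3.3 checkable, here is an added example, not code from the thesis or from OPNET: a small Python ACL evaluator that reproduces the four lists with first-match semantics and the implicit deny that real router ACLs append, and that flags entries shadowed by an earlier, broader entry. It assumes that 192.168.2.0/24 is the student VLAN, 192.168.3.0/24 is the manager VLAN, 192.168.1.0/24 is the teacher VLAN, 192.168.2.254 is the router sub-interface in the student VLAN, and that the mask omitted for the destination 192.168.3.0 is /24; none of these is stated in the thesis.

```python
"""ACL evaluator for the inter-VLAN router of Section 3.2.3.

Added example; not code from the thesis or from OPNET. It reproduces the
entries of Table 3.3 and applies them with first-match semantics plus the
implicit deny that real router ACLs append. Assumptions are marked.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumptions (the thesis does not state them): 192.168.2.0/24 is the
# student VLAN, 192.168.3.0/24 is the manager VLAN, 192.168.2.254 is the
# router sub-interface in the student VLAN, and the mask omitted in the
# table's "192.168.3.0" destination is /24.
STUDENT_NET = "192.168.2.0/24"
MANAGER_NET = "192.168.3.0/24"
STUDENT_GATEWAY = "192.168.2.254"


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    source: str        # "any", a host address, or a CIDR prefix
    destination: str


def _net(spec: str) -> ipaddress.IPv4Network:
    """Translate an ACL address field into a network ("any" -> 0.0.0.0/0)."""
    if spec.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)  # bare host -> /32


# Table 3.3: the router applies Incoming_* on the ingress sub-interface and
# Outgoing_* on the egress sub-interface.
ACLS = {
    "Incoming_3": [AclEntry("permit", "any", "any")],
    "Outgoing_3": [
        AclEntry("permit", STUDENT_GATEWAY, "any"),
        AclEntry("deny", STUDENT_NET, MANAGER_NET),
        AclEntry("permit", "any", "any"),
    ],
    "Incoming_4": [AclEntry("permit", "any", "any")],
    "Outgoing_4": [
        AclEntry("permit", STUDENT_GATEWAY, "any"),
        AclEntry("deny", STUDENT_NET, MANAGER_NET),
        AclEntry("permit", "any", "any"),
    ],
}


def evaluate(entries: List[AclEntry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """The first matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(entries):
        if s in _net(e.source) and d in _net(e.destination):
            return e.action, i
    return "deny", None


def forwarded(inbound: str, outbound: str, src: str, dst: str) -> bool:
    """A packet crosses the router only if both lists on its path permit it."""
    return (evaluate(ACLS[inbound], src, dst)[0] == "permit"
            and evaluate(ACLS[outbound], src, dst)[0] == "permit")


def shadowed_entries(entries: List[AclEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry
    already covers every source/destination pair they describe. A deny
    placed after "permit any any" is dead and silently opens the path."""
    dead = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if (_net(later.source).subnet_of(_net(earlier.source))
                    and _net(later.destination).subnet_of(_net(earlier.destination))):
                dead.append(j)
                break
    return dead


if __name__ == "__main__":
    # Constructed hosts: a student PC, a teacher PC (assumed 192.168.1.0/24)
    # and the manager server.
    student, teacher, manager_srv = "192.168.2.10", "192.168.1.10", "192.168.3.1"
    print("student -> manager:", forwarded("Incoming_3", "Outgoing_3", student, manager_srv))
    print("teacher -> manager:", forwarded("Incoming_4", "Outgoing_4", teacher, manager_srv))
    misordered = [ACLS["Outgoing_3"][2], ACLS["Outgoing_3"][1]]  # permit any any moved first
    print("dead entries in misordered list:", shadowed_entries(misordered))
```

The shadowed_entries check is the part worth keeping around: with the permit for 192.168.2.254 first, the later deny still applies to every other student host, but if the final "permit any any" were moved ahead of the deny, the deny would never match and the student VLAN would reach the manager VLAN, which is the kind of misconfiguration the final conclusions warn about.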


3.2.4 The DDoS attack and defense simulation [7]

A Distributed Denial of Service (DDoS) attack is a type of network attack in which an attacker uses malicious code installed on many computers to attack a single target. If the hacker cannot access a victim target, he or she makes it unavailable to others by performing a DDoS attack. We assume that every computer in the network has been infected by malicious software. The hacker who created this software programmed it so that all computers request an HTTP service at the same time, whenever he wants.

Figure 3.46 DDoS attack

If the network does not use VLAN, all computers can send traffic to the server_teacher and overload it. It is easily seen that in a traditional LAN the hacker can attack any target he wants, and the whole network may collapse easily. The figure on the next page shows that when it is attacked, the CPU Utilization of the victim server reaches 100 percent, so it cannot serve any more requests.


If the network is divided into three VLANs, the number of clients sending the bogus requests is obviously much smaller. Even if the attack target is Server_student, only the VLAN Student collapses; the others still work properly.

Figure 3.47 The results after the attack: a) CPU Utilization of the victim server; b) Service load of the victim server; c) Link utilization between the victim server and the switch to which it is connected; d) Service response time of other clients.
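The paragraph above reasons about how many infected clients can reach the victim. The added example below, not code from the thesis or from OPNET, turns that into a small reachability model in Python: a constructed host inventory with VLAN membership, the "http attack" traffic parameters of Table 3.6, and functions that count the infected hosts reaching a given server and the load they offer, with and without VLANs. It goes one step beyond the text by also letting the inter-VLAN permissions of the router from Section 3.2.3 be supplied, which shows that permitted inter-VLAN paths widen the blast radius again for the targets they expose. The host counts, the server placement and the permission set are assumptions made for the example.

```python
"""Blast-radius model for the DDoS scenario of Section 3.2.4.

Added example; not code from the thesis or from OPNET. Every host is
treated as infected and running the "http attack" application of
Table 3.6 (mean page interarrival 10 s, ten 100000-byte objects per
page). The host inventory, VLAN membership and server placement below
are constructed for the example.
"""
from typing import Dict, List, Set, Tuple

# Constructed inventory of (hostname, VLAN); the thesis lists no hosts.
HOSTS: List[Tuple[str, str]] = (
    [(f"student{i}", "student") for i in range(1, 21)]
    + [(f"teacher{i}", "teacher") for i in range(1, 9)]
    + [(f"manager{i}", "manager") for i in range(1, 4)]
)

# Which VLAN each server lives in (assumption following the thesis' naming).
SERVERS: Dict[str, str] = {
    "server_student": "student",
    "server_teacher": "teacher",
    "server_manager": "manager",
}

PairSet = Set[Tuple[str, str]]

# Directed inter-VLAN permissions of the ACL router in Section 3.2.3:
# teacher and manager may talk to each other and reach the student VLAN,
# the student VLAN reaches no other VLAN. The DDoS simulation itself has
# no router, so an empty set models pure segmentation.
ROUTER_PERMITS: PairSet = {
    ("teacher", "manager"), ("manager", "teacher"),
    ("teacher", "student"), ("manager", "student"),
}

# Table 3.6 "http attack" traffic parameters.
MEAN_PAGE_INTERARRIVAL_S = 10.0   # Exponential(10): mean 10 s between pages
OBJECTS_PER_PAGE = 10             # Constant(10)
OBJECT_SIZE_BYTES = 100_000       # Constant (100000)


def can_reach(src_vlan: str, dst_vlan: str, vlans_enabled: bool,
              permits: PairSet = frozenset()) -> bool:
    """Without VLANs the LAN is one flat segment; with VLANs a host reaches
    only its own segment plus whatever the router explicitly permits."""
    if not vlans_enabled:
        return True
    return src_vlan == dst_vlan or (src_vlan, dst_vlan) in permits


def attackers_reaching(server: str, vlans_enabled: bool,
                       permits: PairSet = frozenset()) -> List[str]:
    """Infected hosts whose requests actually arrive at the victim server."""
    dst_vlan = SERVERS[server]
    return [host for host, vlan in HOSTS
            if can_reach(vlan, dst_vlan, vlans_enabled, permits)]


def blast_radius(server: str, vlans_enabled: bool,
                 permits: PairSet = frozenset()) -> Dict[str, int]:
    """Attacking hosts per source VLAN: which segments feed the attack."""
    reaching = set(attackers_reaching(server, vlans_enabled, permits))
    counts: Dict[str, int] = {}
    for host, vlan in HOSTS:
        if host in reaching:
            counts[vlan] = counts.get(vlan, 0) + 1
    return counts


def offered_load(server: str, vlans_enabled: bool,
                 permits: PairSet = frozenset()) -> Tuple[float, float]:
    """Aggregate attack load at the server as (requests/s, bytes/s): each
    host fetches OBJECTS_PER_PAGE objects every MEAN_PAGE_INTERARRIVAL_S
    seconds on average."""
    n = len(attackers_reaching(server, vlans_enabled, permits))
    req_per_s = n * OBJECTS_PER_PAGE / MEAN_PAGE_INTERARRIVAL_S
    return req_per_s, req_per_s * OBJECT_SIZE_BYTES


if __name__ == "__main__":
    for vlans in (False, True):
        req, byt = offered_load("server_teacher", vlans)
        print(f"VLANs={vlans}: {blast_radius('server_teacher', vlans)} "
              f"-> {req:.0f} req/s, {byt / 1e6:.1f} MB/s")
    # Caveat: inter-VLAN permits widen the radius for the permitted targets.
    print("server_student with router permits:",
          blast_radius("server_student", True, ROUTER_PERMITS))
```

With these constructed numbers the flat LAN delivers all 31 hosts' traffic to server_teacher, the segmented network only the 8 teacher hosts; but once the router permits of Section 3.2.3 are in place, server_student is again reachable from every VLAN, so the segmentation benefit for a given server is only as good as the inter-VLAN policy that points at it.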

3.3 Conclusions

These two simulations show the main benefits of VLAN. Using VLAN can improve network performance because it reduces the overall broadcast traffic, which can degrade network performance if not properly managed. Additionally, VLAN segments the broadcast domain into many smaller ones, so problems are confined to one segment. On the other hand, using VLAN makes it easier and more efficient to manage a big computer network: users can change their location easily without changing their IP address according to the network address or changing the router's configuration. The second simulation shows the high security level obtained when using VLAN. Normal LANs often have confidential, mission-critical data moving across them, but VLANs do not. Information belonging to different VLANs cannot cross between them without the permission of the administrator; for communication among VLANs, a router configured with ACLs is used to permit or deny traffic in the network. Although it is complex to configure VLAN on a network, with its many benefits VLAN plays a very important role in computer networks today, especially in big networks.


CONCLUSIONS

After a long time researching and working on the thesis, with the guidance of Doctor Cuong Dinh The, I have completed my thesis on time. The thesis introduces VLAN and its benefits. It compares two networks, one that does not use VLAN and one that does. In the second network, the performance is improved because the broadcast traffic is decreased. Using VLAN also makes it more flexible to allocate network devices: when a network device is moved to another position, it can keep its IP configuration, and the administrator does not need to re-configure the router of the network. Finally, the thesis shows the main advantage of VLAN, which is the security improvement. By using VLAN, the administrator can divide the network into subnets based on their functions and demands. Additionally, by using VLAN ACLs, it is possible to permit or deny specified traffic as well as to allow specified VLANs to communicate with each other. These advantages explain why VLAN is widely used in campus and enterprise networks. However, it is complex to configure VLAN for a network; administrators easily misconfigure it and unintentionally create weaknesses that a hacker can use to attack the network. To sum up, this thesis has presented useful information about the benefits of VLAN and how to configure VLAN for a campus or enterprise network. As future work, I will study OPNET Modeler further, since it is a powerful tool for simulating and modeling not only computer networks but also other communication networks.


REFERENCES

[1] Vũ Minh Tiến, Mạng máy tính, People's Army Publishing, 2002.
[2] Alberto Leon-Garcia & Indra Widjaja, Communication Networks: Fundamental Concepts and Key Architectures, McGraw-Hill, 2001.
[3] Cesc Canet & Juan Agustín Zaballos, Security Labs in OPNET IT Guru, OPNET.com.
[4] Chriss Hoffmann, VLAN Security in the LAN and MAN Environment, SANS Institute, 2003.
[5] Cisco Systems, Virtual LAN Security Best Practices.
[6] Emad Aboelela, Ph.D., Computer Networks: A Systems Approach, 3rd Edition, Network Simulation Experiments Manual, University of Massachusetts Dartmouth, Morgan Kaufmann Publishers, 2003.
[7] Mattias Björlin, A Study of Modeling and Simulation for Computer and Network Security, University of Stockholm / Royal Institute of Technology, June 2005.
[8] Saad Mohamed Abuguba, Performance Evaluation of Rapid Spanning Tree Protocol by Measurements and Simulation, Budapest University of Technology and Economics, Department of Telecommunications and Media Informatics, 2006.
[9] Securing Networks with Private VLANs and VLAN Access Control Lists, Cisco Systems.
[10] Virtual LAN: Application and Technology, a white paper, Micrel.
[11] Wayne Lewis, Ph.D., LAN Switching and Wireless, CCNA Exploration Companion Guide, Cisco Press, 2008.
[12] ANSI/IEEE Std 802.1D, 1998 Edition.
[13] http://en.wikipedia.org/wiki/Vlan
[14] http://en.wikipedia.org/wiki/STP

APPENDIX 1

List of applications used in this simulation

Searching
  HTTP Specification                  HTTP 1.1
  Page Interarrival time (seconds)    Exponential(10)
  Page properties
    Object Size (bytes)    Number of objects (object per page)    Location
    Constant (1000)        Constant(1)                            HTTP server
    Medium image           Constant(2)
  Server selection
    Initial Repeat Probability        Search
    Page per Server                   Exponential(2)
  RSVP Parameter                      None
  Type of Service                     Best effort (0)

Table 3.4 Searching properties


WebBrowsing (HTTP_heavy Browsing)
  HTTP Specification                  HTTP 1.1
  Page Interarrival time (seconds)    Exponential(60)
  Page properties
    Object Size (bytes)    Number of objects (object per page)    Location
    Constant (1000)        Constant(1)                            HTTP server
    Medium image           Constant(5)
  Server selection
    Initial Repeat Probability        Browse
    Page per Server                   Exponential(10)
  RSVP Parameter                      None
  Type of Service                     Best effort (0)

Table 3.5 WebBrowsing properties


http attack (HTTP_extreme heavy Browsing)
  HTTP Specification                  HTTP 1.1
  Page Interarrival time (seconds)    Exponential(10)
  Page properties
    Object Size (bytes)    Number of objects (object per page)    Location
    Constant (100000)      Constant(1)                            HTTP server
    Large Image            Constant(10)
  Server selection
    Initial Repeat Probability        Browse
    Page per Server                   Exponential(20)
  RSVP Parameter                      None
  Type of Service                     Best effort (0)

Table 3.6 http attack properties


Profiles: Teacher, Manager, High_loadAndimaging
  Operation mode    Simultaneous
  Start time        Uniform(100,110)
  Duration          End of simulation
  Repeatability     Once at start time

Application used in each profile:

Teacher:

Manager:

High_loadAndImagining:

Imaging
  HTTP Specification                  HTTP 1.1
  Page Interarrival time (seconds)    uniform(10,20)
  Page properties
    Object Size (bytes)    Number of objects (object per page)    Location
    Constant (1000)        Constant(1)                            HTTP server
    Large image            Constant(7)
  Server selection
    Initial Repeat Probability        Research
    Page per Server                   exponential(20)
  RSVP Parameter                      None
  Type of Service                     Best effort (0)


filetransfer_heavy:


DDoS attack: Profile in use: attacher

Profile: attacher
  Operation mode    Simultaneous
  Start time        Uniform(100,110)
  Duration          Constant(200)
  Repeatability
    Inter-repetition Time (s)    Constant(600)
    Number of repetitions        5
    Repetition pattern           serial

Application used in attacker profile

httpattack
  HTTP Specification                  HTTP 1.1
  Page Interarrival time (seconds)    uniform(10,20)
  Page properties
    Object Size (bytes)    Number of objects (object per page)    Location
    Constant (100000)      Constant(1)                            HTTP server
    Large image            Constant()
  Server selection
    Initial Repeat Probability        Research
    Page per Server                   exponential(20)
  RSVP Parameter                      None
  Type of Service                     Best effort (0)

