
METHODIST UNIVERSITY COLLEGE GHANA

Design and Implementation of an Appropriate VLAN to Assist in the Elimination of Local Area Network Flooding, Looping and Gratuitous Collision Domains for Efficient Routing and Packet Flow. Case Study of AAL COMPANY LTD.

Isaac Lamptey (BIT/EP/08/09/1216)
Samuel Otu Afotey (BIT/EP/08/09/1228)
Theophilus Nii Armah (BIT/EP/08/09/1191)

June 2012

Submitted in partial fulfillment of the requirements for the degree of BSc in Information Technology


DECLARATION

This is to declare that the research work underlying this dissertation has been carried out by the under-mentioned students under the supervision of the mentioned supervisor. Both the students and the supervisor certify that the work documented in this dissertation is the output of the research conducted by the students as part of their final year project work, in partial fulfillment of the Bachelor of Science in Information Technology.

STUDENTS: SAMUEL OTU AFOTEY, ISAAC LAMPTEY, THEOPHILUS NII ARMAH

SUPERVISOR: MR ISAAC BANSAH


I. ABSTRACT

Techniques and issues regarding the development of an appropriate virtual local area network (VLAN) are detailed. The aim of this project is to develop an efficient and effective VLAN which will do away with the ambiguous cost of network implementation. The objectives of this design are to outline the various effective planning stages and targets of deploying any network device, and its VLAN support benefit, before it is installed. This will also give most businesses and organizations the competitive advantages of technology. A careful study has been made on how businesses want to effectively manage space, time and power (energy), and its advantages and limitations. This will be followed by a brief review of the architecture of a VLAN network, which is made up of a router and switches (layer 3, layer 2, layer 1). This project will involve three phases: the development of detailed VLAN diagrams; the development of a method of device and configuration documentation (physical link and logical link); and the development of device running configuration documentation. The steps in the design and the protocols used to efficiently support the system are described. This will be demonstrated with three laptops, each connecting to a separate VLAN; a resource will be available on a desktop computer acting as a server for the laptops to access.

II. ACKNOWLEDGMENT

We would like to thank: our supervisor Mr Isaac Bansah, for his early help regarding the design of the VLAN and for teaching us in an innovative way; the Head of Department, Dr Ofori, for his support and inspiration, for his help in the formative stages of this project and for teaching us an alternative way of thinking during our BSc program (this applies also to all lecturers who taught us); and our friends and colleagues for their understanding and support when we most needed it. We also thank all participating panel members for every effort and time provided for us in numerous ways to aid our program. We are also grateful to our Heavenly Father who has supported us in all ways throughout our degree program.

III. SCOPE AND DEFINITION

In a traditional LAN, workstations are connected to each other by means of a hub or a repeater. These devices propagate any incoming data throughout the network. However, if two people attempt to send information at the same time, a collision will occur and all the transmitted data will be lost. Once the collision has occurred, it will continue to be propagated throughout the network by hubs and repeaters. The original information will therefore need to be resent after waiting for the collision to be resolved, thereby incurring a significant wastage of time and resources. To prevent collisions from traveling through all the workstations in the network, a bridge or a switch can be used. These devices will not forward collisions, but will allow broadcasts (to every user in the network) and multicasts (to a pre-specified group of users) to pass through. A router may be used to prevent broadcasts and multicasts from traveling through the network.

The workstations, hubs, and repeaters together form a LAN segment. A LAN segment is also known as a collision domain, since collisions remain within the segment. The area within which broadcasts and multicasts are confined is called a broadcast domain or LAN. Thus a LAN can consist of one or more LAN segments. Defining broadcast and collision domains in a LAN depends on how the
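To make the two definitions concrete, the following is an added example (not part of the original dissertation) that models a small constructed topology and counts its collision and broadcast domains using exactly the rules stated above: hubs and repeaters extend a collision domain, bridges and switches end collision domains but forward broadcasts, and routers end broadcast domains. The device names and the topology are assumptions, not AAL's network.

```python
"""Count collision and broadcast domains in a LAN topology (added example).

Rules taken from the text above:
  * hubs and repeaters propagate everything, so they extend a collision domain;
  * bridges and switches stop collisions but forward broadcasts/multicasts;
  * routers stop broadcasts as well.
A domain is modelled as a set of links; two links belong to the same domain
when they meet at a device that forwards that kind of traffic.
"""
from collections import defaultdict

COLLISION_FORWARDERS = {"hub", "repeater"}
BROADCAST_FORWARDERS = COLLISION_FORWARDERS | {"bridge", "switch"}


def _domains(devices, links, forwarders):
    """Group links into domains; returns a list of frozensets of link indices."""
    parent = list(range(len(links)))        # union-find over link indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    incident = defaultdict(list)             # device -> links attached to it
    for idx, (a, b) in enumerate(links):
        incident[a].append(idx)
        incident[b].append(idx)

    for device, idxs in incident.items():
        if devices[device] in forwarders:    # traffic crosses this device
            for other in idxs[1:]:
                union(idxs[0], other)

    groups = defaultdict(set)
    for idx in range(len(links)):
        groups[find(idx)].add(idx)
    return [frozenset(g) for g in groups.values()]


def count_domains(devices, links):
    """Return (number of collision domains, number of broadcast domains)."""
    return (len(_domains(devices, links, COLLISION_FORWARDERS)),
            len(_domains(devices, links, BROADCAST_FORWARDERS)))


# Constructed sample topology (an assumption): router R1 joins two switches;
# S1 feeds hub H1 (hosts A, B) and host C directly; S2 feeds hosts D and E.
DEVICES = {"R1": "router", "S1": "switch", "S2": "switch", "H1": "hub",
           "A": "host", "B": "host", "C": "host", "D": "host", "E": "host"}
LINKS = [("R1", "S1"), ("R1", "S2"), ("S1", "H1"), ("H1", "A"),
         ("H1", "B"), ("S1", "C"), ("S2", "D"), ("S2", "E")]

if __name__ == "__main__":
    print("switched topology:", count_domains(DEVICES, LINKS))
    # Swap S1 for a hub: collisions now spread across everything behind it.
    print("S1 as a hub:      ", count_domains(dict(DEVICES, S1="hub"), LINKS))
```

With the switch in place the hub segment (S1 to H1, A and B) is one collision domain and every other switch port is its own, giving six collision domains but only two broadcast domains, one per router port. Replacing S1 with a hub collapses its whole side into one collision domain; replacing R1 with a switch leaves the collision count alone but merges the two broadcast domains into one.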

TABLE OF CONTENTS

I. Abstract
II. Acknowledgement
III. Scope and Definition
LIST OF FIGURES
LIST OF TABLES

CHAPTER ONE: INTRODUCTION
1.1 General Overview
1.2 Plan of Project
1.3 Aims and Objectives
1.4 Client

CHAPTER TWO: LITERATURE REVIEW
2.1 TCP/IP Overview
2.2 TCP/IP Protocol Suites
2.3 SNMP and MIB
2.4 Network Management Overview
2.4.1 Client Server Paradigm
2.5 OSI Management Functions
2.5.1 Fault Management
2.5.2 Configuration Management
2.5.3 Performance Management
2.5.4 Security Management
2.5.5 Accounting Management
2.6 Routing and Routing Protocols
2.7 Unicast Routing
2.8 Multicast Routing
2.8.1 Routing Table Updates
2.8.2 LSP
2.9 Overview of VLANs
2.9.1 Benefits of VLANs

CHAPTER THREE: REQUIREMENTS ANALYSIS AND DESIGN
3.1 Background and Research Context
3.2 Review of Existing Infrastructure
3.3 Methodology
3.4 Requirements
3.5 Requirement Analysis and Specification
3.6 VLAN Design
3.7 Design Testing
3.8 Testing Problems

CHAPTER FOUR: IMPLEMENTATION, TESTING AND EVALUATION
4.1 Installation and Configuration of VLAN
4.2 Demonstrating Prototype Functionality with Simulators
4.3 Results
4.4 Effects of Load on Throughput and Latency
4.5 Bandwidth versus Throughput

CHAPTER FIVE: CONCLUSION AND RECOMMENDATION
5.1 Conclusion
5.2 Recommendation
5.3 Suggested Future Work
5.4 Project Difficulties

BIBLIOGRAPHY

APPENDICES
APPENDIX 1 — Questionnaire
APPENDIX 2 — Data Dictionary
APPENDIX 3 — Table Creation Configuration Script
APPENDIX 4 — Interface Configuration Script
APPENDIX 5 — Default Route
APPENDIX 6 — Port Groupings
APPENDIX 7 — Subnet Gateways

IV. LIST OF FIGURES
Figure 4.1 — Diagram of a well structured VLAN
Figure 4.2 — Internet Distribution on a VLAN
Figure 5.1 — Structured Systems Approach of a VLAN
Figure 5.2 — Research Findings: organization
Figure 5.3 — Research Findings: businesses and organization
Figure 6.1 — System Architecture
Figure 6.2 — Configuration Structure


CHAPTER ONE: INTRODUCTION

1.0 INTRODUCTION

A VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally it is a router that creates a broadcast domain; with VLANs, a switch can create the broadcast domain. A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical local area network (LAN), but it allows end stations to be grouped together even if they are not located on the same network switch. LAN membership can be configured through software instead of physically relocating devices or connections. To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and equipment which are kept separate from the primary network. However, unlike a physically separate network, VLANs must share bandwidth: two separate one-gigabit VLANs using a single one-gigabit interconnection can suffer both reduced throughput and congestion. A VLAN virtualizes LAN behaviours (configuring switch ports, tagging frames when entering a VLAN).

1.1 GENERAL OVERVIEW

The requirements of information security within an organization have undergone two major changes in the last decades. Before the widespread use of data processing equipment, the security of information felt to be valuable to an organization was provided primarily by physical and administrative means. An example of the former is the use of rugged filing cabinets with a combination lock for storing sensitive documents. An example of the latter is the personnel screening procedures used during the hiring process. With the introduction of the computer, the need for automated tools for protecting files and other information stored on the computer became evident. This is especially the case for a shared system, such as a time-sharing system, and the need is even more acute for systems that can be accessed over a public telephone network, data network, or the internet.

The generic name for the collection of tools designed to protect data and to thwart hackers is computer security.

The second major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer. Network security measures are needed to protect data during their transmission. In fact, the term network security is somewhat misleading, because virtually all business, government, and academic organizations interconnect their data processing equipment with a collection of interconnected networks. Such a collection is often referred to as an internet, and the term internet security is used.

There are no clear boundaries between these two forms of security. For example, one of the most publicized types of attack on information systems is the computer virus. A virus may be introduced into a system physically when it arrives on a diskette or optical disk and is subsequently loaded onto a computer. Viruses may also arrive over an internet. In either case, once the virus is resident on a computer system, internal computer security tools are needed to detect and recover from the virus.

This book focuses on internet security, which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information. That is a broad statement that covers a host of possibilities. To give you a feel for the areas covered in this book, consider the following examples of security violations:

1. User A transmits a file to user B. The file contains sensitive information (e.g., payroll records) that is to be protected from disclosure. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission.

2. A network manager, D, transmits a message to a computer, E, under its management. The message instructs computer E to update an authorization file to include the identities of a number of new users who are to be given access to that computer. User F intercepts the message, alters its contents to add or delete entries, and then forwards the message to E, which accepts the message as coming from manager D and updates its authorization file accordingly.

3. Rather than intercept a message, user F constructs its own message with the desired entries and transmits that message to E as if it had come from manager D. E accepts the message as coming from manager D and updates its authorization file accordingly.

4. An employee is fired without warning. The personnel manager sends a message to a server system to invalidate the employee's account. When the invalidation is accomplished, the server is to post a notice to the employee's file as confirmation of the action. The employee is able to intercept the message and delay it long enough to make a final access to the server to retrieve sensitive information. The message is then forwarded, the action taken, and the confirmation posted. The employee's action may go unnoticed for some considerable time.

5. A message is sent from a customer to a stockbroker with instructions for various transactions. Subsequently, the investments lose value and the customer denies sending the message.

Although this list by no means exhausts the possible types of security violations, it illustrates the range of concerns of network security.

Internetwork security is both fascinating and complex. Some of the reasons follow:

1. Security involving communications and networks is not as simple as it might first appear to the novice. The requirements seem to be straightforward; indeed, most of the requirements for security services can be given self-explanatory one-word labels: confidentiality, authentication, non-repudiation, integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning.

2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features. In many cases, successful attacks are designed by looking at the problem in a completely different way, therefore exploiting an unexpected weakness in the mechanism.

3. Because of point 2, the procedures used to provide particular services are often counterintuitive: it is not obvious from the statement of a particular requirement that such elaborate measures are needed. It is only when the various countermeasures are considered that the measures used make sense.

4. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement (for example, at what points in a network are certain security mechanisms needed) and in a logical sense (for example, at what layer or layers of an architecture such as TCP/IP (Transmission Control Protocol/Internet Protocol) should mechanisms be placed).

5. Security mechanisms usually involve more than a particular algorithm or protocol. They usually also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information. There is also a reliance on communications protocols whose behavior may complicate the task of developing the security mechanism. For example, if the proper functioning of the security mechanism requires setting time limits on the transit time of a message from sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such time limits meaningless.

Thus, there is much to consider. This chapter provides a general overview of the subject matter that structures the material in the remainder of the book. We begin with a general discussion of network security services and mechanisms and of the types of attacks they are designed for. Then we develop a general overall model within which the security services and mechanisms can be viewed.

1.0 SECURITY TRENDS

In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture" (RFC 1636). This report stated the general consensus that the Internet needs more and better security, and it identified key areas for security mechanisms. Among these were the need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.

These concerns are fully justified. As confirmation, consider the trends reported by the Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). Figure 1.1a shows the trend in Internet-related vulnerabilities reported to CERT over a 10-year period; these include security weaknesses in the operating systems of attached computers (e.g., Windows, Linux) as well as vulnerabilities in Internet routers and other network devices. Figure 1.1b shows the number of security-related incidents reported to CERT; these include denial of service attacks; IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on IP; and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents.

[Figure 1.1: CERT statistics]

Over time, the attacks on the Internet and Internet-attached systems have grown more sophisticated while the amount of skill and knowledge required to mount an attack has declined (Figure 1.2). Attacks have become more automated and can cause greater amounts of damage.

This increase in attacks coincides with an increased use of the Internet and with increases in the complexity of protocols, applications, and the Internet itself. Critical infrastructures increasingly rely on the Internet for operations. Individual users rely on the security of the Internet, email, the Web, and Web-based applications to a greater extent than ever. Thus, a wide range of technologies and tools are needed to counter the growing threat. At a basic level, cryptographic algorithms for confidentiality and authentication assume greater importance. As well, designers need to focus on Internet-based protocols and the vulnerabilities of attached operating systems and applications. This book surveys all of these technical areas.
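The "authentication" mechanism the IAB report calls for is the countermeasure to violations 2, 3 and 4 in the list of section 1.1. As an added example that is not code from the dissertation, the Python below has manager D attach an HMAC-SHA256 tag to each message for computer E over a canonical encoding that includes the sender, a sequence number and a timestamp; E then rejects messages that are modified (2), forged without the key (3), replayed or delayed beyond a freshness window (4). The pre-shared key, the 30-second window, the message format and the scenario data are all assumptions.

```python
"""Message authentication with replay and delay detection (added example).

Counters three of the violations listed in section 1.1:
  2. modification in transit   -> the HMAC tag no longer verifies
  3. forgery by a third party  -> no key, so no valid tag
  4. delay/replay of a message -> timestamp window and per-sender sequence numbers
It does not address violation 1 (eavesdropping needs encryption) and cannot
give non-repudiation (violation 5): E holds the same key as D, so E could have
produced any tag itself. Non-repudiation needs a signature with a private key.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional, Tuple

MAX_SKEW = 30                    # seconds a message may be in flight (assumption)
KEY = secrets.token_bytes(32)    # pre-shared between D and E (assumption)


def _canonical(header: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, sender: str, seq: int, body: dict,
         now: Optional[int] = None) -> dict:
    """Build an envelope: header plus HMAC-SHA256 tag over the whole header."""
    header = {"from": sender, "seq": seq, "body": body,
              "ts": int(time.time()) if now is None else now}
    tag = hmac.new(key, _canonical(header), hashlib.sha256).hexdigest()
    return {"header": header, "tag": tag}


class Receiver:
    """Computer E: checks tag, freshness and sequence before acting."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.last_seq: Dict[str, int] = {}

    def verify(self, envelope: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        header = envelope["header"]
        expected = hmac.new(self.key, _canonical(header), hashlib.sha256).hexdigest()
        # compare_digest does not leak where the tags first differ (timing).
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False, "bad tag: forged or modified"
        if abs(now - header["ts"]) > self.max_skew:
            return False, "stale: delayed beyond the freshness window"
        if header["seq"] <= self.last_seq.get(header["from"], 0):
            return False, "replay: sequence number already seen"
        self.last_seq[header["from"]] = header["seq"]   # accept, then act on body
        return True, "accepted"


def demo() -> List[str]:
    """Run the section 1.1 scenarios; returns E's verdicts in order."""
    e = Receiver(KEY)
    verdicts = []
    legit = seal(KEY, "D", 1, {"authorize": ["alice"]}, now=1000)
    verdicts.append(e.verify(legit, now=1003)[1])                # genuine
    tampered = json.loads(json.dumps(legit))                     # deep copy
    tampered["header"]["body"]["authorize"].append("mallory")    # violation 2
    verdicts.append(e.verify(tampered, now=1003)[1])
    forged = seal(secrets.token_bytes(32), "D", 2,
                  {"authorize": ["mallory"]}, now=1003)           # violation 3
    verdicts.append(e.verify(forged, now=1003)[1])
    verdicts.append(e.verify(legit, now=1004)[1])                # replay (4)
    delayed = seal(KEY, "D", 2, {"invalidate": "bob"}, now=1000)
    verdicts.append(e.verify(delayed, now=1000 + MAX_SKEW + 1)[1])   # delay (4)
    return verdicts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The window only bounds how long the fired employee of violation 4 can hold the message; a delay shorter than the window still succeeds, which is exactly the clock-dependence point 5 above warns about, so the window should be as small as the network's real latency allows and the sequence number, not the clock, is what stops the second delivery.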

1.1 THE OSI SECURITY ARCHITECTURE

[Figure: OSI model layer chart; the Network layer entry reads "Packets: path determination and IP (logical addressing)"]

To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. This is difficult enough in a centralized data processing environment; with the use of local area and wide area networks, the problems are compounded.

1.2 PLAN OF PROJECT

This thesis documents the development of a VLAN and has been structured to include discussion of the following areas.

1.3 AIMS AND OBJECTIVES

• Understand the AAL Company Limited network design
• Understand and implement VLAN technologies in a company network
• Plan, configure, and verify trunking and link aggregation with EtherChannel
• Understand Spanning Tree protocols
• Configure, verify and troubleshoot Basic, Rapid and Multiple Spanning Tree
• Private VLANs
• Configure inter-VLAN routing and DHCP in a multilayer switched environment
• Understand how to deploy CEF-based multilayer switching
• Understand and implement high availability
• Understand, configure and verify first hop redundancy protocols
• Understand, configure, and verify security in the campus infrastructure
• Monitor, analyze, and troubleshoot switch performance, connectivity and security issues
• Plan for wireless, voice and video applications in the company network
• Understand QoS
• Prepare the company infrastructure to support wireless, voice and video

VLANs allow a network manager to logically segment a LAN into different broadcast domains (see Figure 2). Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings, can now belong to the same LAN. VLANs also allow broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are to be included in the broadcast domain. Routers would only have to be used to communicate between two VLANs.

[Figure 1: Physical view of a VLAN (broadcast domain)]

[Figure 2: Physical and logical view of a VLAN]

3.1 VLAN BENEFITS

• Increased performance
• Improved manageability
• Network tuning and simplification of software configurations
• Physical topology independence
• Increased security options

INCREASED PERFORMANCE

Switched networks by nature will increase performance over the shared media devices in use today, primarily by reducing the size of collision domains. Grouping users into logical networks will also increase performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Additionally, less traffic will need to be routed, and the latency added by routers will be reduced.

IMPROVED MANAGEABILITY

VLANs provide an easy, flexible, less costly way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically diverse locations.

NETWORK TUNING AND SIMPLIFICATION OF SOFTWARE CONFIGURATIONS

VLANs allow LAN administrators to "fine tune" their networks by logically grouping users. Software configurations can be made uniform across machines with the consolidation of a department's resources into a single subnet. IP addresses, subnet masks, and local network protocols will be more consistent across the entire VLAN. Fewer implementations of local server resources such as BOOTP and DHCP will be needed in this environment. These services can be more effectively deployed when they can span buildings within a VLAN.

PHYSICAL TOPOLOGY INDEPENDENCE

VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain. If the physical infrastructure is already in place, it becomes a simple matter to add ports in new locations to existing VLANs if a department expands or relocates. These assignments can take place in advance of the move, and it is then a simple matter to move devices with their existing configurations from one location to another. The old ports can then be "decommissioned" for future use, or reused by the department for new users on the VLAN.

INCREASED SECURITY OPTIONS

VLANs have the ability to provide additional security not available in a shared media network environment. By nature, a switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community, regardless of physical location. In addition, monitoring of a port with a traffic analyzer will only view the traffic associated with that particular port, making discreet monitoring of network traffic more difficult. What this provides is additional safeguards against "casual" but unwelcome attempts to view network traffic. It should be noted that the enhanced security mentioned above is not to be considered an absolute safeguard against security infringements.
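The last sentence above deserves a concrete check. The following is an added example, not code from the dissertation or from AAL: it builds and parses Ethernet frames carrying 802.1Q VLAN tags and then simulates the native-VLAN behaviour that makes the "double tagging" VLAN hopping attack possible, in which a station on the trunk's native VLAN sends a frame with two tags, the first switch strips the outer (native) tag as the frame leaves on the trunk, and the next switch reads the inner tag and delivers the frame into a VLAN the sender is not a member of. The MAC addresses, VLAN numbers and the two-switch behaviour are constructed assumptions.

```python
"""802.1Q tag parsing and the double-tagging VLAN hopping case (added example)."""
import struct

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service (QinQ) tag; same 4-byte layout
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, vids, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags (outermost first)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        if not 0 <= vid <= 4094:
            raise ValueError("VID out of range")
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the header: destination, source, each VLAN tag, then the EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    offset, tags = 14, []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": mac_text(dst), "src": mac_text(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def trunk_egress(frame: bytes, native_vid: int) -> bytes:
    """A switch sending onto a trunk whose native VLAN is untagged removes the
    outer tag from frames that belong to the native VLAN."""
    parsed = parse_frame(frame)
    if parsed["tags"] and parsed["tags"][0]["vid"] == native_vid:
        return frame[:12] + frame[16:]      # drop the 4-byte outer tag
    return frame


def delivered_vid(frame: bytes, native_vid: int) -> int:
    """VLAN the receiving switch assigns: outer tag if present, else native."""
    parsed = parse_frame(frame)
    return parsed["tags"][0]["vid"] if parsed["tags"] else native_vid


def vlan_hop_demo() -> tuple:
    """Attacker in native VLAN 1 aims a frame at VLAN 20 behind the far switch.
    Returns (tags sent, tags on the trunk, VLAN the far switch delivers to)."""
    attack = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc",   # constructed
                         [1, 20], ETHERTYPE_ARP, b"\x00" * 28)
    on_trunk = trunk_egress(attack, native_vid=1)   # first switch strips VID 1
    return (len(parse_frame(attack)["tags"]),
            len(parse_frame(on_trunk)["tags"]),
            delivered_vid(on_trunk, native_vid=1))  # far switch reads VID 20


if __name__ == "__main__":
    print(vlan_hop_demo())
```

The hop works only because the native VLAN is carried untagged and the attacker sits in it, so the usual mitigations are to put no access ports in the native VLAN, move the native VLAN to an unused ID (`switchport trunk native vlan` on Cisco IOS) and tag it on trunks (`vlan dot1q tag native`), which makes `trunk_egress` leave the outer tag in place and the far switch then sees VID 1, not 20.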

1.4 CLIENT: AAL SYSTEMS LIMITED

CHAPTER TWO: LITERATURE REVIEW

A literature review is a body of text that aims to review the critical points of current knowledge, including substantive findings as well as theoretical and methodological contributions to a particular topic. Literature reviews are secondary sources and, as such, do not report any new or original experimental work. Most often associated with academic-oriented literature, such as a thesis, a literature review usually precedes a research proposal and results section. Its ultimate goal is to bring the reader up to date with current literature on a topic and forms the basis for another goal, such as future research that may be needed in the area. A well-structured literature review is characterized by a logical flow of ideas; current and relevant references with a consistent, appropriate referencing style; proper use of terminology; and an unbiased and comprehensive view of the previous research on the topic.

Network management refers to the activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of networked systems. Operation deals with keeping the network (and the services that the network provides) up and running smoothly. It includes monitoring the network to spot problems as soon as possible, ideally before users are affected. Administration deals with keeping track of resources in the network and how they are assigned. It includes all the "housekeeping" that is necessary to keep the network under control. Maintenance is concerned with performing repairs and upgrades: for example, when equipment must be replaced, when a router needs a patch for an operating system image, or when a new switch is added to a network. Maintenance also involves corrective and preventive measures to make the managed network run "better", such as adjusting device configuration parameters. Provisioning is concerned with configuring resources in the network to support a given service. For example, this might include setting

Performance management (PM) includes activities that ensure that goals are consistently being met in an effective and efficient manner. Performance management can focus on the performance of an organization, a department, an employee, or even the processes to build a product or service, as well as many other areas. Performance management does not alone guarantee improvement. Improvement comes through process redesign, innovation, and other forms of continuous improvement.

Performance management highlights how a range of activities needs to come together in a conscious, single process of reflection. There are various features of the organization (including resources, structure, systems, culture) and external factors (for example public engagement, partnerships) that need to be developed to create improvement.

2.1 TCP/IP NETWORK OVERVIEW

SharePoint is document management software that runs over a TCP/IP network. TCP/IP (Transmission Control Protocol/Internet Protocol), according to Held (1995), was an initiative of the Department of Defense of the United States of America through a research project in an attempt to bring together different network providers to form a network of networks. This is now known as the internet. It initially delivered basic services like file transfer, electronic mail and remote logon across a large network of client and server systems. At this early stage it had unnoticed problems and lapses due to the automatic recovery systems it employs.

[Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside the TCP/IP model (Application, Transport, Internet, Network Interface), with HTTP, FTP, Sockets, TCP and UDP at their layers. Source: Understanding TCP/IP]

The following are descriptions of the layers that form the OSI and TCP/IP models.

Network Interface
• Referencing the model above, the network interface layer is the equivalent of the physical and data link layers in the OSI model. This layer normally refers to the hardware and software components of the frame interchange between computers. It also indicates the link between the host and the network.

Internet Layer
The internet layer, or for that matter the network layer in the OSI model, employs a group of protocols for packet delivery, as listed and described below:
• Internet Protocol (IP): IP ensures that packets are addressed and routed to their correct destination between networks.
• Address Resolution Protocol (ARP): ARP ensures that every destination computer on the local network has its hardware (MAC) address matched to its IP address.
• Internet Control Message Protocol (ICMP): ICMP is used for testing TCP/IP networks and is responsible for reporting errors and status messages about the packets being delivered.

Transport Layer
• The transport layer ensures that communication between the source and the destination computer exists and converts all information from the application layer into packets.

Application Layer
• High-level TCP/IP services like FTP, HTTP and SMTP run at the application layer.

2.3 SNMP
• SNMP is a widely used protocol in networks for data collection and the configuration of network devices. It is a very flexible protocol that is employed for many network services.

• SNMP was designed to help manage TCP/IP networks centrally.
• SNMP performs its functions by the use of a master/client (manager/agent) concept, where the agent is located on the managed device and the master on the managing workstation.
• Most network management software employs SNMP, which helps transfer data from remote or client locations to a log on the central server.
• An SNMP managed network consists of three key components: managed devices, agents, and network management systems (NMSs).
• A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.
• An agent is a network management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
• An NMS executes applications that monitor and control managed devices.

2.4 NETWORK MANAGEMENT

Network management can be described as a list of activities performed on a network to ensure smooth and efficient running with minimal down time. The amount of down time experienced by a network determines the reliability of the network.

These activities include the OSI management functions listed below:
• Configuration Management
• Performance Management
• Accounting Management

2.4.1 CLIENT SERVER PARADIGM

The client/server paradigm is a form of computer network paradigm that involves the request and dispatch of information between a client and a server. Although there are several ways to achieve process-to-process communication, the most common one is through the client/server paradigm. A process on the local host, called a client, needs services from a process usually on the remote host, called a server. For example, to get the day and time from a remote machine, we need a Daytime client process running on the local host and a Daytime server process running on a remote machine. Both processes (client and server) have the same name. The initial contact is always from the client to the server, in the form of an information or service request. The server in this case has all the resources and, based on the kind of resource requested by the client, the server honors the request and executes it, as the client has not got the resources to do so. Lange and Oshima (1998) described the client as not intelligent enough to execute these requests, since the server has all the 'know-how', processor and resources. These highlight the limitations the paradigm offers when put to use, though it is still supported by a couple of technologies.
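SNMP in section 2.3 and the client/server paradigm in section 2.4.1 describe the same exchange from two angles: the manager (client) sends a request and the agent (server) answers. The added example below, which is not code from the dissertation, encodes an SNMPv2c GetRequest for sysDescr.0 in the ASN.1 BER form that actually goes on the wire and decodes it back; the community string "public" and request-id 1 are assumed values. Reading the decoder makes the security point that SNMPv1 and v2c carry the community string, their only credential, in clear text, so anyone who can capture the datagram (violation 1 in section 1.1) can reuse it; read-only communities, source address filtering on the agent and SNMPv3 authentication are the usual answers.

```python
"""Minimal BER encoder/decoder for an SNMPv2c GetRequest (added example).

Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data GetRequest }
GetRequest ::= [0] IMPLICIT SEQUENCE { request-id, error-status, error-index,
                                       SEQUENCE OF SEQUENCE { OID, NULL } }
"""
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0    # context-specific, constructed, number 0
SNMP_V2C = 1
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value; short length form below 128 bytes, long form above."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value


def encode_integer(v: int) -> bytes:
    """Non-negative INTEGER: minimal big-endian bytes, plus a leading zero
    when the top bit is set so the value is not read as negative."""
    if v < 0:
        raise ValueError("negative values not needed here")
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _tlv(TAG_INTEGER, raw)


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]            # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                            # base-128 with continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_get_request(community: str, request_id: int, oid: str) -> bytes:
    varbind = _tlv(TAG_SEQUENCE, encode_oid(oid) + _tlv(TAG_NULL, b""))
    pdu = (encode_integer(request_id) + encode_integer(0) + encode_integer(0)
           + _tlv(TAG_SEQUENCE, varbind))
    return _tlv(TAG_SEQUENCE, encode_integer(SNMP_V2C)
                + _tlv(TAG_OCTET_STRING, community.encode())
                + _tlv(TAG_GET_REQUEST, pdu))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); rejects truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_get_request(packet: bytes) -> dict:
    """Pull version, community (clear text on the wire), request-id and OIDs."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != TAG_GET_REQUEST:
        raise ValueError("not a GetRequest")
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)               # error-status
    _, _, p = _read_tlv(pdu, p)               # error-index
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid_raw, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(),
            "request_id": int.from_bytes(rid, "big"), "oids": oids}


if __name__ == "__main__":
    pkt = encode_get_request("public", 1, SYS_DESCR_0)   # assumed values
    print(pkt.hex())
    print(decode_get_request(pkt))
```

The 40-byte datagram the script prints is what the manager would send to UDP port 161; the bytes `04 06 70 75 62 6c 69 63` in the middle are the community string "public" as-is, which is why a port mirror or a hub segment (section III) is enough to harvest it.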