
METHODIST UNIVERSITY COLLEGE GHANA

Design and Implementation of Appropriate Vlan to Assist In the Elimination of Local Area Network Flooding, Looping and gratuitous Collision Domain for efficient routing and packet flow. Case study of AAL COMPANY LTD.

Isaac Lamptey----------------BIT/EP/08/09/1216 Samuel Otu Afotey---------BIT/EP/08/09/ 1228 Theophilus Nii Armah------BIT/EP/08/09/1191

June 2012. Submitted in partial fulfillment of the requirements for the degree of BSc in Information Technology.

DECLARATION

This is to declare that the research work underlying this dissertation has been carried out by the under-mentioned students under the supervision of the mentioned supervisor. Both the students and the supervisor certify that the work documented in this dissertation is the output of the research conducted by the students as part of their final year project work in partial fulfillment of the Bachelor of Science in Information Technology.

STUDENTS: SAMUEL OTU AFOTEY, ISAAC LAMPTEY, THEOPHILUS NII ARMAH

SUPERVISOR: MR ISAAC BANSAH

I. ABSTRACT

Techniques and issues regarding the development of an appropriate virtual local area network (VLAN) are detailed, together with the steps in the design and the protocols used to efficiently support the system. The objective of this design is to outline the effective planning stages and targets for deploying network devices, and the benefit of their VLAN support, before they are installed. This will also give most businesses and organizations the competitive advantage of the technology. A careful study has been made of how businesses want to effectively manage space, time and power (energy), and of the advantages and limitations of doing so. This is followed by a brief review of the architecture of a VLAN network, which is made up of a router and switches (layer 3, layer 2, layer 1). The aim of this project is to develop an efficient and effective VLAN which does away with the ambiguous cost of network implementation. The project involves three phases: the development of detailed VLAN diagrams, the development of a method of device and configuration documentation (physical link and logical link), and the development of device running-configuration documentation. This will be demonstrated with three laptops, each connecting to a separate VLAN; resources will be available on a desktop computer acting as a server for the laptops to access.
II. ACKNOWLEDGMENT

We would like to thank our supervisor, Mr Isaac Bansah, for his help in the formative stages of this project and for teaching us an alternative way of thinking, for his early help regarding the design of the VLAN and for teaching us in an innovative way during our BSc program (this applies also to all lecturers who taught us); the Head of Department, Dr Ofori, for his support and inspiration. We are also grateful to our Heavenly Father, who has supported us in all ways throughout our degree program. We also thank all participating panel members for every effort and the time provided for us in numerous ways to aid our program, and friends and colleagues for their understanding and support when we most needed it.

III. SCOPE AND DEFINITION

In a traditional LAN, workstations are connected to each other by means of a hub or a repeater. These devices propagate any incoming data throughout the network. However, if two stations attempt to send information at the same time, a collision will occur and all the transmitted data will be lost. Once the collision has occurred, it will continue to be propagated throughout the network by hubs and repeaters. The original information will therefore need to be resent after waiting for the collision to be resolved, thereby incurring a significant waste of time and resources. To prevent collisions from traveling through all the workstations in the network, a bridge or a switch can be used. These devices will not forward collisions, but will allow broadcasts (to every user in the network) and multicasts (to a pre-specified group of users) to pass through. A router may be used to prevent broadcasts and multicasts from traveling through the network. The workstations, hubs, and repeaters together form a LAN segment. A LAN segment is also known as a collision domain, since collisions remain within the segment. The area within which broadcasts and multicasts are confined is called a broadcast domain or LAN. Thus a LAN can consist of one or more LAN segments. Defining broadcast and collision domains in a LAN depends on how the

TABLE OF CONTENTS

I. Abstract
II. Acknowledgement
III. Scope and Definition
List of Figures
List of Tables

CHAPTER ONE: INTRODUCTION
1.1 General Overview
1.2 Plan of Project
1.3 Aims and Objectives
1.4 Client

CHAPTER TWO: LITERATURE REVIEW
2.1 TCP/IP Overview
2.2 TCP/IP Protocol Suites
2.3 SNMP and MIB
2.4 Network Management Overview
2.5 OSI Management Functions
2.5.1 Fault Management
2.5.2 Configuration Management
2.5.3 Performance Management
2.5.3 Accounting Management
2.5.4 Security Management
2.5 Client Server Paradigm
2.6 Routing and Routing Protocols
2.7 Unicast Routing
2.8 Multicast Routing
2.8.1 Routing Table Updates
2.8.2 LSP
2.9 Overview of VLANs
2.9.1 Benefits of VLANs

CHAPTER THREE: REQUIREMENTS ANALYSIS AND DESIGN
3.1 Background and Research Context
3.2 Review of Existing Infrastructure
3.3 Methodology
3.4 Requirements
3.5 Requirement Analysis and Specification
3.6 VLAN Design
3.7 Design Testing
3.8 Testing Problems

CHAPTER FOUR: IMPLEMENTATION, TESTING AND EVALUATION
4.1 Installation and Configuration of VLAN
4.2 Demonstrating Prototype Functionality with Simulators
4.3 Results
4.4 Effects of Load on Throughput and Latency
4.5 Bandwidth versus Throughput

CHAPTER FIVE: CONCLUSION AND RECOMMENDATION
5.1 Conclusion
5.2 Recommendation
5.3 Suggested Future Work
5.4 Project Difficulties

BIBLIOGRAPHY

APPENDICES
Appendix 1 Questionnaire
Appendix 2 Data Dictionary
Appendix 3 Table Creation Configuration Script
Appendix 4 Interface Configuration Script
Appendix 5 Default Route
Appendix 6 Port Groupings
Appendix 7 Subnet Gateways

IV. LIST OF FIGURES
Figure 4.4.1 Diagram of a well-structured VLAN
Figure 4.4.2 Internet Distribution on a VLAN
Figure 5.1.1 Structured Systems Approach of a VLAN
Figure 5.2.1 Research Findings - businesses and organizations
Figure 5.2.2 Research Findings - organization
Figure 6.1.1 System Architecture
Figure 6.3.1 Configuration Structure


1.0 INTRODUCTION

A VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches; normally it is a router that creates a broadcast domain, but with VLANs a switch can create the broadcast domain. A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical local area network (LAN), but it allows end stations to be grouped together even if they are not located on the same network switch. LAN membership can be configured through software instead of physically relocating devices or connections. To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and equipment kept separate from the primary network. However, unlike a physically separate network, VLANs must share bandwidth; two separate one-gigabit VLANs using a single one-gigabit interconnection can suffer both reduced throughput and congestion. It virtualizes VLAN behaviors (configuring switch ports, tagging frames when entering.

1.1 GENERAL OVERVIEW

The requirements of information security within an organization have undergone two major changes in the last decades. Before the widespread use of data processing equipment, the security of information felt to be valuable to an organization was provided primarily by physical and administrative means. An example of the former is the use of rugged filing cabinets with a combination lock for storing sensitive documents. An example of the latter is the personnel screening procedures used during the hiring process. With the introduction of the computer, the need for automated tools for protecting files and other information stored on the computer became evident. This is especially the case for a shared system, such as a time-sharing system, and the need is even more acute for systems that can be accessed over a public telephone network, data network, or the internet. The generic name for the collection of tools designed to protect data and to thwart hackers is computer security.


The second major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer. Network security measures are needed to protect data during their transmission. In fact, the term network security is somewhat misleading, because virtually all business, government, and academic organizations interconnect their data processing equipment with a collection of interconnected networks. Such a collection is often referred to as an internet, and the term internet security is used. There are no clear boundaries between these two forms of security. For example, one of the most publicized types of attack on information systems is the computer virus. A virus may be introduced into a system physically when it arrives on a diskette or optical disk and is subsequently loaded onto a computer. Viruses may also arrive over an internet. In either case, once the virus is resident on a computer system, internal computer security tools are needed to detect and recover from the virus. This book focuses on internet security, which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information. That is a broad statement that covers a host of possibilities. To give you a feel for the areas covered in this book, consider the following examples of security violations:

1. User A transmits a file to user B. The file contains sensitive information (e.g., payroll records) that is to be protected from disclosure. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission.
2. A network manager, D, transmits a message to a computer, E, under its management. The message instructs computer E to update an authorization file to include the identities of a number of new users who are to be given access to that computer. User F intercepts the message, alters its contents to add or delete entries, and then forwards the message to E, which accepts the message as coming from manager D and updates its authorization file accordingly.
3. Rather than intercepting a message, user F constructs its own message with the desired entries and transmits that message to E as if it had come from manager D. E accepts the message as coming from manager D and updates its authorization file accordingly.

4. An employee is fired without warning. The personnel manager sends a message to a server system to invalidate the employee's account. When the invalidation is accomplished, the server is to post a notice to the employee's file as confirmation of the action. The employee is able to intercept the message and delay it long enough to make a final access to the server to retrieve sensitive information. The message is then forwarded, the action taken, and the confirmation posted. The employee's action may go unnoticed for some considerable time.
5. A message is sent from a customer to a stockbroker with instructions for various transactions. Subsequently, the investments lose value and the customer denies sending the message.

Although this list by no means exhausts the possible types of security violations, it illustrates the range of concerns of network security. Internetwork security is both fascinating and complex. Some of the reasons follow:

1. Security involving communications and networks is not as simple as it might first appear to the novice. The requirement seems to be straightforward; indeed, most of the requirements for security services can be given self-explanatory one-word labels: confidentiality, authentication, non-repudiation, integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features. In many cases, successful attacks are designed by looking at the problem in a completely different way, therefore exploiting an unexpected weakness in the mechanism.
3. Because of point 2, the procedures used to provide particular services are often counterintuitive: it is not obvious from the statement of a particular requirement that such elaborate measures are needed. It is only when the various countermeasures are considered that the measures used make sense.
4. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement (e.g., at what points in a network certain security mechanisms are needed) and in a logical sense [e.g., at what

layer or layers of an architecture such as TCP/IP (Transmission Control Protocol/Internet Protocol) mechanisms should be placed].
5. Security mechanisms usually involve more than a particular algorithm or protocol. They usually also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information. There is also a reliance on communications protocols whose behavior may complicate the task of developing the security mechanism. For example, if the proper functioning of the security mechanism requires setting time limits on the transit time of a message from sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such time limits meaningless.

Thus, there is much to consider. This chapter provides a general overview of the subject matter that structures the material in the remainder of the book. We begin with a general discussion of network security services and mechanisms and of the types of attacks they are designed for. Then we develop a general overall model within which the security services and mechanisms can be viewed.

1.1.0 SECURITY TRENDS

In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture" (RFC 1636). This report stated the general consensus that the Internet needs more and better security, and it identified key areas for security mechanisms. Among these were the need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms. These concerns are fully justified. As confirmation, consider the trends reported by the Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). Figure 1 shows the trend in Internet-related vulnerabilities reported to CERT over a 10-year period; these include security weaknesses in the operating systems of attached computers (e.g.,

Windows, Linux) as well as vulnerabilities in Internet routers and other network devices. Figure 1.1b shows the number of security-related incidents reported to CERT; these include denial of service attacks; IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on IP; and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents. Over time, the attacks on the Internet and Internet-attached systems have grown more sophisticated while the amount of skill and knowledge required to mount an attack has declined (Figure 1.2). Attacks have become more automated and can cause greater amounts of damage.

Figure 1.1 CERT Statistics

This increase in attacks coincides with an increased use of the Internet and with increases in the complexity of protocols, applications, and the Internet itself. Critical infrastructures increasingly rely on the Internet for operations. Individual users rely on the security of the Internet, email, the Web, and Web-based applications to a greater extent than ever. Thus, a wide range of technologies and tools are needed to counter the growing threat. At a basic level, cryptographic algorithms for confidentiality and authentication assume greater importance. As well, designers need to focus on Internet-based protocols and the vulnerabilities of attached operating systems and applications. This book surveys all of these technical areas.

1.1.1 THE OSI SECURITY ARCHITECTURE

Figure: OSI model (Data Link layer; Network layer: packets, path determination and IP logical addressing).

To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements of security and characterizing the approaches to satisfying those requirements. This is difficult enough in a centralized data processing environment; with the use of local area and wide area networks, the problems are compounded.
1.1.2 Plan of Project

This thesis, which documents the development of a VLAN, has been structured to include discussion of the following areas.

1.1.3 AIMS AND OBJECTIVES

- Understand the AAL Company Limited network design
- Understand and implement VLAN technologies in a company network
- Plan, configure, and verify trunking, private VLANs and link aggregation with EtherChannel
- Understand Spanning Tree protocols
- Configure, verify and troubleshoot Basic, Rapid and Multiple Spanning Tree
- Configure inter-VLAN routing and DHCP in a multilayer switched environment
- Understand how to deploy CEF-based multilayer switching
- Understand and implement high availability
- Understand, configure and verify first hop redundancy protocols
- Understand, configure, and verify security in the campus infrastructure
- Monitor, analyze, and troubleshoot switch performance, connectivity and security issues
- Plan for wireless, voice and video applications in the company network
- Understand QoS
- Prepare the company infrastructure to support wireless, voice and video

Figure 1: Physical view of a VLAN.

VLANs allow a network manager to logically segment a LAN into different broadcast domains (see Figure 2). Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings, can now belong to the same LAN.

Figure 2: Physical and logical view of a VLAN (physical view; logical view).

VLANs also allow broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are to be included in the broadcast domain. Routers would only have to be used to communicate between two VLANs.

3.1 VLAN BENEFITS

- Increased performance
- Improved manageability
- Network tuning and simplification of software configurations
- Physical topology independence
- Increased security options

INCREASED PERFORMANCE

Switched networks by nature will increase performance over the shared media devices in use today, primarily by reducing the size of collision domains. Grouping users into logical networks will also increase performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Additionally, less traffic will need to be routed, and the latency added by routers will be reduced.

IMPROVED MANAGEABILITY

VLANs provide an easy, flexible, less costly way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically diverse locations.

NETWORK TUNING AND SIMPLIFICATION OF SOFTWARE CONFIGURATIONS

VLANs will allow LAN administrators to "fine tune" their networks by logically grouping users. Software configurations can be made uniform across machines with the consolidation of a department's resources into a single subnet. IP addresses, subnet masks, and local network protocols will be more consistent across the entire VLAN. Fewer implementations of local server resources such as BOOTP and DHCP will be needed in this environment. These services can be more effectively deployed when they can span buildings within a VLAN.
PHYSICAL TOPOLOGY INDEPENDENCE

VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain. If the physical infrastructure is already in place, it now becomes a simple matter to add ports in new locations to existing VLANs if a department expands or relocates. These assignments can take place in advance of the move, and it is then a simple matter to move devices with their existing configurations from one location to another. The old ports can then be "decommissioned" for future use, or reused by the department for new users on the VLAN.
INCREASED SECURITY OPTIONS

VLANs have the ability to provide additional security not available in a shared media network environment. By nature, a switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community regardless of physical location. In addition, monitoring of a port with a traffic analyzer will only view the traffic associated with that particular port, making discreet monitoring of network traffic more difficult. It should be noted that the enhanced security mentioned above is not to be considered an absolute safeguard against security infringements. What this provides is additional safeguards against "casual" but unwelcome attempts to view network traffic.
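The switching behaviour described in sections 1.0 and 3.1 (a broadcast domain per VLAN, tagged trunks, and frames never leaving their VLAN unless a router carries them across), as an added example that is not code from the dissertation or from AAL; the port names, VLAN numbers and MAC addresses are constructed for the demonstration.

```python
"""Toy 802.1Q switch: per-VLAN MAC learning, VLAN-confined flooding, access
ports (untagged) and a trunk port (tagged). Added example; port names, VLAN
numbers and MAC addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # VLAN ID from the 802.1Q tag; None = untagged
    payload: str = ""

@dataclass
class Port:
    name: str
    access_vlan: Optional[int] = None   # access port: one untagged VLAN
    trunk_vlans: Tuple[int, ...] = ()   # trunk port: VLANs carried tagged

class Switch:
    """Layer-2 switch whose forwarding table is keyed by (VLAN, MAC)."""

    def __init__(self, ports: List[Port]) -> None:
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[Tuple[int, str], str] = {}

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """VLAN an ingress frame belongs to, or None if it must be dropped."""
        if port.access_vlan is not None:
            # Simplification: an access port accepts untagged frames only.
            return port.access_vlan if frame.vlan is None else None
        # Trunk: the tag must name an allowed VLAN, otherwise drop.
        return frame.vlan if frame.vlan in port.trunk_vlans else None

    def egress(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Frame as sent on an output port, or None if the port is not in the VLAN."""
        if port.access_vlan == vlan:
            return Frame(frame.src, frame.dst, None, frame.payload)   # tag stripped
        if vlan in port.trunk_vlans:
            return Frame(frame.src, frame.dst, vlan, frame.payload)   # tag carried
        return None

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Process one ingress frame; return {output port: transmitted frame}."""
        vlan = self.classify(self.ports[in_port], frame)
        if vlan is None:
            return {}
        # Learn the source in this VLAN only: the same MAC in another VLAN is unrelated.
        self.mac_table[(vlan, frame.src)] = in_port
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            targets = [] if known == in_port else [known]       # known unicast
        else:
            targets = [n for n in self.ports if n != in_port]   # flood; egress() keeps it in the VLAN
        out: Dict[str, Frame] = {}
        for name in targets:
            sent = self.egress(self.ports[name], vlan, frame)
            if sent is not None:
                out[name] = sent
        return out

def build_switch() -> Switch:
    """Two VLAN 10 access ports, one VLAN 20 access port, one trunk carrying both."""
    return Switch([Port("Fa0/1", access_vlan=10), Port("Fa0/2", access_vlan=10),
                   Port("Fa0/3", access_vlan=20), Port("Gi0/1", trunk_vlans=(10, 20))])

def demo() -> Dict[str, List[str]]:
    """Three cases from the benefits section: confined flood, learned unicast, no cross-VLAN path."""
    sw = build_switch()
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    # 1. ARP-style broadcast from a VLAN 10 host reaches VLAN 10 ports and the trunk only.
    flood = sw.receive("Fa0/1", Frame(h1, BROADCAST, payload="who-has 10.0.10.2"))
    # 2. Reply from Fa0/2: h1 is already learned in VLAN 10, so delivery is to Fa0/1 alone.
    reply = sw.receive("Fa0/2", Frame(h2, h1, payload="10.0.10.2 is-at h2"))
    # 3. A VLAN 20 host addressing h1's MAC: no VLAN 20 entry exists for h1, the flood
    #    stays inside VLAN 20 (only the trunk, tagged 20) and VLAN 10 ports never see it.
    cross = sw.receive("Fa0/3", Frame(h3, h1, payload="hello h1"))
    return {"flood": sorted(flood), "reply": sorted(reply), "cross": sorted(cross)}
```

Running demo() shows that the VLAN 10 broadcast never reaches the VLAN 20 access port, and that a VLAN 20 sender cannot reach a VLAN 10 MAC address even though the switch has already learned that address in VLAN 10.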

CLIENT: AAL SYSTEMS LIMITED


CHAPTER TWO LITERATURE REVIEW

A literature review is a body of text that aims to review the critical points of current knowledge, including substantive findings as well as theoretical and methodological contributions to a particular topic. Literature reviews are secondary sources and, as such, do not report any new or original experimental work. Most often associated with academic-oriented literature, such as a thesis, a literature review usually precedes a research proposal and results section. Its ultimate goal is to bring the reader up to date with current literature on a topic, and it forms the basis for another goal, such as future research that may be needed in the area. A well-structured literature review is characterized by a logical flow of ideas; current and relevant references with a consistent, appropriate referencing style; proper use of terminology; and an unbiased and comprehensive view of the previous research on the topic.

Network management refers to the activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of networked systems. Operation deals with keeping the network (and the services that the network provides) up and running smoothly. It includes monitoring the network to spot problems as soon as possible, ideally before users are affected. Administration deals with keeping track of resources in the network and how they are assigned. It includes all the "housekeeping" that is necessary to keep the network under control. Maintenance is concerned with performing repairs and upgrades, for example when equipment must be replaced, when a router needs a patch for an operating system image, or when a new switch is added to a network. Maintenance also involves corrective and preventive measures to make the managed network run "better", such as adjusting device configuration parameters.

Provisioning is concerned with configuring resources in the network to support a given service. For example, this might include setting

Performance management (PM) includes activities that ensure that goals are consistently being met in an effective and efficient manner. Performance management can focus on the performance of an organization, a department, an employee, or even the processes to build a product or service, as well as many others. Performance management does not alone guarantee improvement. Improvement comes through process redesign, innovation, and other forms of continuous improvement. Performance management highlights how a range of activities needs to come together in a conscious, single process of reflection. There are various features of the organization (including resources, structure, systems, culture) and external factors (for example public engagement, partnerships) that need to be developed to create improvement.

2.1 TCP/IP Network Overview

SharePoint is document management software that runs over a TCP/IP network. The discovery of Transmission Control Protocol/Internet Protocol (TCP/IP), according to Held (1995), was an initiative of the Department of Defense of the United States of America through a research project in an attempt to bring together different network providers to form a network of networks. This is now known as the internet. It initially delivered basic services like file transfer, electronic mail and remote logon across a large network of client and server systems. At this early stage it had unnoticed problems and lapses due to the automatic recovery systems it employs.

Figure: OSI and TCP/IP model (OSI layers: Application, Presentation, Session, Transport, Network, Physical; TCP/IP layers: Application, Transport, Internet, Network Interface; examples: HTTP, FTP, Sockets, TCP, UDP). Source: Understanding TCP/IP

The following are descriptions of the layers that form the OSI and TCP/IP models.

Internet Layer

The internet layer (the network layer in the OSI model) employs a group of protocols for packet delivery, as listed and described below:

- Internet Protocol (IP): IP ensures that packets are addressed and routed to their correct destination between networks.
- Address Resolution Protocol (ARP): ARP ensures that all destination computers on the network have their hardware address matched to their IP address.
- Internet Control Message Protocol (ICMP): ICMP is also used for testing TCP/IP networks, alongside having the responsibility of reporting errors and messages about packets being delivered.

Transport Layer

The transport layer ensures that communication between the source and the destination computer exists and converts all information from the application layer into packets.

Application Layer

High-level TCP/IP services like FTP, HTTP and SMTP are often run at the application layer.

Network Interface

Referencing the model above, the network interface is the equivalent of the physical and data link layers in the OSI model. This section normally refers to the hardware and software components of the frame interchange between computers. It also indicates the link between the host and the network.

2.3 SNMP

SNMP is a widely used protocol in networks for data collection and the configuring of network devices. It is a very flexible protocol that is employed for many network services. SNMP was designed to help manage centralized TCP/IP networks. Most network management software employs SNMP, which helps transfer data from remote or client locations to a log on the central server. SNMP performs its functions by the use of a master/client (manager/agent) concept, where the agent is located on the managed device and the master on the managing workstation. An SNMP-managed network consists of three key components: managed devices, agents, and network-management systems (NMSs). A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers. An agent is a network management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. An NMS executes applications that monitor and control managed devices.
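The manager/agent exchange described above, as an added example that is not code from the dissertation: a minimal BER encoder for the SNMPv2c GetRequest an NMS sends, and the matching parser an agent runs on receipt. The OID is the standard MIB-II sysDescr.0; the community string and request-id are constructed values.

```python
"""Minimal SNMPv2c GetRequest encoder (what an NMS sends) and parser (what an
agent receives), using ASN.1 BER as SNMP does. Added example, not from the
dissertation; community string and request-id are constructed values."""
from typing import Dict, List, Tuple

# BER tags used by an SNMP GetRequest message (RFC 3416)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0
SNMP_V2C = 1                          # version field value for v2c
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"     # MIB-II sysDescr instance

def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def encode_int(v: int) -> bytes:
    """Two's-complement INTEGER in the fewest octets (non-negative values here)."""
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return tlv(OID, bytes(out))

def build_get_request(community: str, oids: List[str], request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version, community, GetRequest-PDU }."""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, varbinds)
    # The community string is the only credential in v1/v2c and travels in clear text
    # over UDP, which is why agents are normally limited to read-only communities plus
    # a source-address ACL, or moved to SNMPv3 with authentication.
    return tlv(SEQUENCE, encode_int(SNMP_V2C) + tlv(OCTET_STRING, community.encode())
               + tlv(GET_REQUEST, pdu))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_get_request(msg: bytes) -> Dict[str, object]:
    """Agent-side view: validate the framing and pull out what access control needs."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag != GET_REQUEST:
        raise ValueError("not a GetRequest PDU")
    _, rid, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)        # error-status (always 0 in a request)
    _, _, pos = read_tlv(pdu, pos)        # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}
```

build_get_request("public", [SYS_DESCR_0]) yields the 40-byte message that a packet capture on UDP port 161 would show for such a poll, with the community string readable in the clear.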

2.4 NETWORK MANAGEMENT

Network management can be described as a list of activities performed on a network to ensure smooth and efficient running with minimal downtime. The amount of downtime experienced by a network determines the reliability of the network. These activities include the OSI management functions listed below:

- Configuration Management
- Performance Management
- Accounting Management

2.4.1 CLIENT SERVER PARADIGM

The client/server paradigm is a form of computer network paradigm that involves the request and dispatch of information between the client and the server; the initial contact is always from the client to the server, in the form of an information or service request. The server in this case has all the resources, and based on the kind of resource requested by the clients, the server honors the request and executes it, as the client has not got the resources to do so. Lange and Oshima (1998) described the client as not intelligent enough to execute these requests, since the server has all the 'know-how', processors and resources. This highlights the limitations the paradigm offers when put to use, though it is still supported by a couple of technologies. Although there are several ways to achieve process-to-process communication, the most common one is through the client/server paradigm. A process on the local host, called a client, needs services from a process usually on the remote host, called a server. Both processes (client and server) have the same name. For example, to get the day and time from a remote machine, we need a Daytime client process running on the local host and a Daytime server process running on a remote machine.
