
LIST OF ACRONYMS

ACL      Access Control List
ARPANET  Advanced Research Projects Agency Network
BID      Bridge ID
BPDU     Bridge Protocol Data Unit
CSMA-CD  Carrier Sense Multiple Access with Collision Detection
DNS      Domain Name Service
DHCP     Dynamic Host Configuration Protocol
FCS      Frame Check Sequence
FTP      File Transfer Protocol
HTTP     Hypertext Transfer Protocol
LAN      Local Area Network
RSTP     Rapid Spanning Tree Protocol
STP      Spanning Tree Protocol
STA      Spanning Tree Algorithm
TCP      Transmission Control Protocol
TPID     Tag Protocol Identifier
UDP      User Datagram Protocol
VPN      Virtual Private Network
VLAN ID  VLAN Identifier
VLAN     Virtual LAN
VTP      VLAN Trunking Protocol
WAN      Wide Area Network

TABLE OF CONTENT
TABLE OF CONTENT........................................................................II
ACKNOWLEDGEMENTS................................................................IV
LIST OF FIGURES..............................................................................V
LIST OF TABLES...............................................................................IX
ABSTRACT............................................................................................1
CHAPTER 1 LOCAL NETWORKS AND FUNDAMENTAL
CONCEPTS.................................................................................................2
1.1 COMPUTER NETWORK OVERVIEW...................................................2
1.1.1 What is a computer network?.................................................2
1.1.2 Classification of computer networks......................................4
1.1.2.1 Scale.................................................................................4
1.1.2.2 Transmission medium......................................................4
1.1.2.3 Functional relationship.....................................................4
1.1.2.4 Topology..........................................................................5
1.1.3 OSI Reference Model..............................................................9
1.1.3.1 Application layer............................................................10
1.1.3.2 Presentation layer...........................................................11
1.1.3.3 Session layer..................................................................11
1.1.3.4 Transport layer...............................................................11
1.1.3.5 Network layer.................................................................13
1.1.3.6 Data link layer...............................................................13
1.1.3.7 Physical layer.................................................................13
1.2 INTRODUCING LOCAL NETWORK..................................................14
1.2.1 Local Area Network (LAN)...................................................14
1.2.2 Virtual LAN (VLAN).............................................................16
1.3 A BRIEF ON SIMULATION TOOLS AND OPNET.............................18
1.4 CONCLUSIONS...............................................................................20
CHAPTER 2 VIRTUAL LOCAL AREA NETWORK (VLAN).....22
2.1 DEFINITION OF VLAN..................................................................22
2.2 VLAN ID RANGE.........................................................................23
2.3 OPERATION OF VLAN..................................................................24
2.4 TYPES OF VLAN..........................................................................25
2.4.1 Data VLAN............................................................................25
2.4.2 Default VLAN........................................................................26
2.4.3 Native VLAN.........................................................................26
2.4.4 Management VLAN...............................................................27
2.4.5 Voice VLAN..........................................................................27

2.5 THE STANDARDS AND PROTOCOLS USED IN VLAN.....................29
2.5.1 VLAN Trunking.....................................................................29
2.5.1.1 Trunk’s definition and its benefit...................................29
2.5.1.2 IEEE 802.1q...................................................................30
2.5.2 VLAN Trunking Protocol (VTP)...........................................32
2.5.2.1 What is VTP?.................................................................32
2.5.2.2 VTP Pruning..................................................................33
2.5.3 Spanning tree protocol (STP)...............................................34
2.5.3.1 The importance of redundancy in designing a network. 34
2.5.3.2 Redundancy and loop issues..........................................35
2.5.3.3 The Spanning tree protocol-STP....................................38
2.5.4 Rapid spanning tree protocol (RSTP)...................................38
2.5.4.1 The differences from STP..............................................38
2.5.4.2 RSTP operation..............................................................38
2.6 CONCLUSIONS...............................................................................39
CHAPTER 3 BENEFITS OF VLAN IN NETWORK DESIGN.....40
3.1 MAIN BENEFITS OF VLAN...........................................................40
3.1.1 VLAN and Quality of service (QoS)......................................40
3.1.1.1 The Definition of QoS....................................................40
3.1.1.2 Queuing mechanisms.....................................................41
3.1.2 VLAN and security................................................................42
3.1.2.1 Basic security: Handling physical accesses to network
devices ..........................................................................................42
3.1.2.2 Tools and best practices in securing VLAN..................43
3.1.2.3 Improve network security using Access Control Lists. .44
3.2 SIMULATIONS AND RESULTS.........................................................45
3.2.1 Objective...............................................................................45
3.2.2 NoVLAN network vs. VLAN network....................................46
3.2.3 Restrict the accessibility.......................................................55
3.2.4 The DDoS attack and defense simulation [7].........................57
3.3 CONCLUSIONS...............................................................................60
CONCLUSIONS..................................................................................61
REFERENCES.......................................................................................62
APPENDIX 1.........................................................................................63

ACKNOWLEDGEMENTS

I wish to express my sincere gratitude to all who contributed their time
and talent to the completion of this work, in particular to:
First of all, I would sincerely like to thank my scientific supervisor, Dr.
Cuong Dinh The at the Le Quy Don Technical University, for his unlimited
guidance, many discussion hours, valuable advice, as well as his precious
encouragement.
I would also like to acknowledge Mr. Thanh Nguyen, Assistant
Professor at the Faculty of Electrical Engineering, Le Quy Don Technical
University, who helped me so much in using OPNET and gave me
much advice in modeling. In spite of being busy, he still reserved some
hours for my questions, and these hours helped me so much in modeling
and driving my simulations in the right direction. Additionally, he also showed
me how to write a thesis, especially in English.
English is becoming the global language, and this is the reason I decided
to write my thesis in this language. I would like to acknowledge Van
Thuy Vu, a zealous friend; each time I finished a part of this thesis, she
helped me fix the grammar mistakes I had made.
Last, I would also like to thank the Internet; without it, I could not have found
any of the documents that serve as references in my thesis.

LIST OF FIGURES
Figure 1.1 ARPANET.................................................................................................3
Figure 1.2 A Bus network........................................................................5
Figure 1.3 A Star network........................................................................6
Figure 1.4 A Ring network......................................................................7
Figure 1.5 Mesh network.........................................................................9
Figure 1.6 OSI model............................................................................10
Figure 1.7 The network devices used in LAN.......................................14
Figure 1.8 Hierarchical network............................................................15
Figure 1.9 The small university with its LAN.......................................16
Figure 1.10 The university network after several years with VLAN.....17
Figure 1.11 OPNET ITGuru..................................................................20
Figure 2.1 The different VLANs in a network.......................................22
Figure 2.2 Port-based VLAN................................................................23
Figure 2.3 Broadcast traffic in normal LAN..........................................24
Figure 2.4 Controlling broadcast domain with VLAN..........................24
Figure 2.5 Tagging information.............................................................25
Figure 2.6 Data VLANs.........................................................................26
Figure 2.7Figure 2.8 Management VLAN.............................................27
Figure 2.9 Voice VLAN.........................................................................28
Figure 2.10 Voice traffic........................................................................28
Figure 2.11 VLANs without Trunk........................................................29
Figure 2.12 VLAN with Trunk..............................................................30
Figure 2.13 IEEE 802.1q Ethernet Type allocations..............................31
Figure 2.14 IEEE 802.1Q VLAN Tag Fields.........................................31
Figure 2.15 TCI format..........................................................................31
Figure 2.16 Configuring a small network with only 3 switches............33
Figure 2.17 A network with redundancy...............................................34

Figure 2.18 When the main link fails.....................................................35
Figure 2.19 layer 2 loop-1......................................................................35
Figure 2.20 Layer 2 loop-2....................................................................36
Figure 2.21 Layer 2 loop-3....................................................................37
Figure 3.1 A company’s network topology...........................................41
Figure 3.2 NoVLAN network................................................................46
Figure 3.3 VLAN network.....................................................................47
Figure 3.4 Traffic demand in the network without VLAN....................49
Figure 3.5 Only one traffic demand is allowed to reach its server........50
Figure 3.6 one of the traffics are not allowed by the switch..................50
Figure 3.7 Ethernet load (bit/s)on ServerManager.................................51
Figure 3.8 Ethernet load (bit/s) on ServerTeacher.................................51
Figure 3.9 Ethernet Load (bit/s) on servers:..........................................52
Figure 3.10 Server performance statistics:.............................................53
Figure 3.11 End-to-end Delay................................................................54
Figure 3.12 Link utilization...................................................................54
Figure 3.13 inter-VLAN communication...............................................55
Figure 3.14 Ping report..........................................................................56
Figure 3.15 DDoS attack........................................................................57
Figure 3.16 The results after the attack..................................................59

LIST OF TABLES
Table 3.1 Applications used in the lab...................................................48
Table 3.2 Statistic is collected in the lab................................................48
Table 3.3 ACLs configuring..................................................................56
Table 3.4 Searching properties...............................................................63
Table 3.5 WebBrowsing properties.......................................................64
Table 3.6 http attack properties..............................................................65

ABSTRACT
The computer network was born from the need to share network resources
between hosts and users, and it plays an increasingly important role in our
lives. Since its birth in the 1960s, the computer network has grown
continuously. The more it grows, the more issues appear, such as
network delay, performance, security, etc. In the local network, VLAN is a
solution for these issues. VLANs are now extensively used in practice
and represent a critical and time-consuming activity in both enterprise and
campus network management.
For this reason, I have chosen the topic “Study and
designing virtual local area network-VLAN” for my graduation thesis.
This thesis introduces VLAN and its benefits for campus networks
and enterprise networks as well. It is organized into four parts, followed
by a reference part and an appendix. The outline of the thesis is as follows:
- Part 1: Local networks and fundamental concepts
This part introduces the fundamental concepts of the local computer
network, LAN and VLAN.
Also in this part, a brief on simulation tools and OPNET is given.
- Part 2: VIRTUAL LOCAL AREA NETWORKS-VLANs
This part introduces VLAN, its definitions and operation. The
reason why we should use VLAN is also presented by introducing its
benefits in performance, management, and security.
- Part 3: Benefits of VLAN in network design
In this part, I introduce the main benefits of VLAN implementation;
measurements are then made to demonstrate the benefits of VLAN in
comparison with a traditional LAN.
- Part 4: Conclusion
This part presents the results of my work.

CHAPTER 1 LOCAL NETWORKS AND FUNDAMENTAL CONCEPTS

1.1 Computer network overview

1.1.1 What is a computer network?


Recently, the branches of telecommunication in Vietnam in particular and
in the world in general have evolved very quickly. This evolution owes not
only to transmission, multiplexing and coding technologies and so forth;
computer networks also contribute significantly to it. It can be said that
computer networks make a great contribution not only to the development
of telecommunication but also to almost all other branches. The 21st
century is the era of information technology. We need not only a powerful
computer but also a good computer network with high performance,
reliability and security. To design an optimal computer network, first of all
we must have knowledge about computer networks: what is a computer
network, when did it appear, and why must we use it?
The computer network was born from the need to share network
resources between hosts and users. The first one appeared in the late
1960s and early 1970s: the "Advanced Research Projects Agency
Network" (ARPANET) (see Figure 1.1), which was designed for the United
States Department of Defense by the Advanced Research Projects Agency
(ARPA). Initially, the ARPANET was used for military purposes; it
connected national defense units, government research departments
and some universities. The ARPANET kept growing and became the
predecessor of today's Internet.

Figure 1.1 ARPANET

Today, we can define a computer network as a group of computers (at
least two) connected to each other by a physical or logical link. It allows
us to share our resources with each other. Larger-scale networks such as
WANs and the Internet also consist of small networks like this.

1.1.2 Classification of computer networks


There are four criteria used for classifying networks.

1.1.2.1 Scale
Computer networks can be classified based on their scale. We have
Local Area Network (LAN), Personal Area Network (PAN), Campus Area
Network (CAN), Virtual Private Network (VPN), Metropolitan Area
Network (MAN), and Wide Area Network (WAN).

1.1.2.2 Transmission medium


Based on the transmission medium, networks can be classified as follows:

- Fiber networks are those that use fiber (optical cable) to transmit
data.
- Copper networks: the transmission medium is copper cable. Ethernet
is a very popular copper network, which uses CSMA/CD as the
medium access control.
- Wireless LANs (WLANs) do not use cable to transmit data; they
transmit over the air. Their medium access control is CSMA/CA.

1.1.2.3 Functional relationship


Computer networks may be classified according to the functional
relationships that exist among the elements of the network.

- Peer-to-peer (P2P) networks are networks in which computers have
the same role in sharing network resources. Any user can request
data from another and vice versa. Today, BitTorrent is the most
common P2P application.
- Client-server networks are networks that have at least one server
and one or more clients. Clients make requests to servers and servers
fulfill these requests.

1.1.2.4 Topology
We can also classify a network based on its topology, such as bus,
star, ring and mesh networks.

- A bus network uses only one common medium (called the bus) to
transmit data among network nodes.

Figure 1.2 A Bus network

A bus network is the simplest way to make a computer network; it has
some advantages, such as:

- It is the cheapest way to establish a network.
- It is simple to understand and implement.
- Because the network nodes operate independently, if a node is
broken, the network still works properly.

However, bus networks have some disadvantages, as follows:

- Due to the use of the common medium, the probability of
collision is very high, so the number of stations is limited.
- The length of the bus is limited as well, due to the attenuation of
the signal as it travels.
- At any time, only one station has the right to transmit data, so the
capacity of a bus network is low.

If a network is large-scale, these disadvantages make a bus unsuitable.

Figure 1.3 A Star network

Nowadays, the star network is one of the most popular networks. It
consists of a central node, which is a hub, a switch, a router, or a computer
with many NICs (network interface cards), and peripheral nodes.
A star network has more advantages than a bus network. Its
performance is higher because unnecessary traffic is eliminated. In a
bus network, when a station sends a frame, this frame is delivered to all
nodes attached to the bus. Meanwhile, in a star network, if the central node
is a switch, the frame is only sent to its destination. This also makes the
probability of collision decrease. It is easy to upgrade
the network by using a more powerful central node and adding more leaf
nodes.
The disadvantage of star networks is the dependence on the central
node. If this node fails, the whole network fails as well.

Figure 1.4 A Ring network (panels a and b)

A ring network is a network in which the nodes are connected in
a closed-loop configuration. Each node connects only to its two neighbors.
In a small computer network, every node is connected to a central node that
is a Token Ring hub or switch, as shown in Figure 1.4.
Token Ring is a widely implemented kind of ring network. In
Token Ring networks, information is transmitted in one direction from the
source to the destination. The Token Ring hub carries this out by receiving the
frame and forwarding it out to the next port, and so on. There is a frame called
the token which travels around the ring. If a station wants to send its
frames, it must wait for a “free” token, then it claims the token by
removing it from the ring and begins transmitting its frames. Each station
examines the destination address in each passing frame to see whether this
address matches its own address. If not, the station forwards it to the next
link after a short delay; if the frame is for this station, it is copied to the
station's buffer, then the station sets some status bits in the frame and
forwards it back onto the ring. When the frame gets back to the source, the
source removes it from the ring and releases the “free” token onto the ring.
Ring networks are orderly networks, where every node has the same
chance to transmit data. They operate with higher
performance than star and bus networks under heavy load. They do
not require any server to control the network operation. A ring network has a
high security level. If a node is broken, it is cut out of the ring
by short-circuiting it.
However, the ring network also has some disadvantages. Token Ring
network cards and MAUs (Multistation Access Units) are much more
expensive than ordinary NICs and hubs or switches. Ring networks are not flexible in
adding or dropping network elements. Ring networks have lower
performance under light traffic. Ring networks are suitable
for networks that carry heavy traffic, like backbone networks.
A mesh network is the most stable and reliable type of network
topology, but also the most expensive one. In a mesh network, each node
connects directly to the others, so a large number of cables and connections
is required.

Figure 1.5 Mesh network

Normally, mesh networks are combined with other types of networks to
make a suitable network topology.

1.1.3 OSI Reference Model


In order to decrease the complexity of design and installation, almost all
computer networks are designed in layers. The most common models are
the OSI model and the TCP/IP model. Because these two models are similar,
the OSI model will be discussed in more detail.
The OSI model was built in 1984 by the ISO. According to
this model, the operation of a network is divided into 7 layers (see Figure
1.6).

Figure 1.6 OSI model

1.1.3.1 Application layer


The application layer is the top layer in the OSI model and also the closest
to the end user. It is the source and destination of communications in the
network. Applications, services and protocols of the application layer help
the user interact effectively with the OSI model.

- Applications are computer programs that help the user interact with
the OSI model.
- Services are background programs that provide the connection between
the application layer and the lower layers of the OSI model.
- Protocols are the rules for communicating among network nodes.
There are some application layer protocols such as:
  - DNS (Domain Name Service), used to map IP addresses to
names that are easy to remember.
  - DHCP (Dynamic Host Configuration Protocol), used to
dynamically assign an IP configuration to hosts. The configuration
consists of the IP address, default gateway and DNS server address.
  - HTTP (Hypertext Transfer Protocol), which defines the commands,
headers, and processes by which web servers and web browsers
transfer files; etc.

1.1.3.2 Presentation layer


The Presentation layer has following functions: (1) Coding and
converting data that come from application layer to ensure that when these
data reach the destination, the corresponding applications at destination
node can understand them; (2) compressing and decompressing data to
save the bandwidth; (3) encrypting and decrypting data.

1.1.3.3 Session layer


The Session layer establishes and maintains the communication between
source and destination nodes.

1.1.3.4 Transport layer


The Transport layer provides the two main network services, TCP and UDP.
TCP is the reliable method of transmission. It is used in applications
that require high reliability, like email, web, etc. To make a
communication reliable, TCP uses a three-way handshake and
flow control. In a TCP session, the source must ensure that a frame was
delivered successfully to the destination; if not, it must retransmit the
frame.
UDP is the Transport layer protocol used in applications that need
to deliver data across the network quickly but do not need high exactness
or reliability. UDP uses neither the three-way handshake, flow control,
nor retransmission of broken frames.
Consequently, it minimizes the size of the frame header.
In order to provide these two services, the Transport layer has the
following functions:

- Tracking the individual communications between source and
destination: when accessing a network, users can use many applications
simultaneously. The Transport layer must add information
about the type of application into the header of frames to deliver
them to the right application.
- Segmenting data into pieces, reassembling these pieces and
managing them: in order to run many different applications on the
same transmission medium simultaneously, the Transport layer
segments frames into many pieces. When these pieces
reach the destination, they are reassembled into the original
frame.
- To ensure reliability and improve network performance, the
Transport layer provides flow control and error checking.

1.1.3.5 Network layer
The Network layer has responsibility of routing and forwarding packets
to the right destination. To implement this, the Network layer must address
a frame, and then encapsulates it into a packet. The packet header has fields
that include source and destination addresses of the packet. After
encapsulating, the network layer must route the packet to its destination,
this is done by intermediary devices called routers. When the packet
reaches its destination, the network layer at destination node must
decapsulate this packet to take the data inside it and forward to the upper
layers.

1.1.3.6 Data link layer


After encapsulating a packet, the network layer sends it down to the
data link layer (OSI layer 2). The data link layer plays the role of connecting
the software (OSI layer 3) and hardware (OSI layer 1) of the network. This
layer consists of two sublayers, the MAC sublayer and the LLC sublayer.
The MAC sublayer controls access to and sharing of the medium; some OSI
layer 2 standards discussed in this thesis are Ethernet IEEE 802.3
(CSMA-CD), IEEE 802.5 (Token Ring), 802.11 (WLAN) and some other
ones. The LLC sublayer is considered the bridge between the
MAC sublayer and the network layer. It allows the upper layers to access the
medium by framing. When a packet coming from the network layer is
sent to the data link layer, it is encapsulated into a frame consisting of
the source and destination MAC addresses, the protocol type, the FCS (Frame
Check Sequence), and the network layer packet.
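As an added illustration of the encapsulation just described (my own code, not from the thesis), the following builds an Ethernet II frame around a network-layer packet, appends the FCS, and shows how a receiver uses the FCS to discard a frame that was corrupted on the medium. It assumes standard Ethernet II values (14-byte header, 46-byte minimum payload, CRC-32 FCS sent least-significant byte first); the MAC addresses and packet bytes are constructed samples.

```python
import struct
import zlib

# Ethernet II framing constants (standard values, assumed here; not from the thesis)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
HEADER_LEN = 14      # 6-byte destination MAC + 6-byte source MAC + 2-byte type
MIN_PAYLOAD = 46     # short payloads are padded so the whole frame reaches 64 bytes
FCS_LEN = 4


def mac_to_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def compute_fcs(frame_without_fcs: bytes) -> bytes:
    # Ethernet's FCS is CRC-32 (same polynomial as zlib.crc32) over
    # header + payload, transmitted least-significant byte first.
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst_mac: str, src_mac: str, ethertype: int, packet: bytes) -> bytes:
    """Encapsulate a network-layer packet as the data link layer does:
    [dst MAC][src MAC][type][packet (+padding)][FCS]."""
    payload = packet + b"\x00" * max(0, MIN_PAYLOAD - len(packet))
    body = (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
            + struct.pack("!H", ethertype) + payload)
    return body + compute_fcs(body)


def fcs_is_valid(frame: bytes) -> bool:
    """True if the trailing FCS matches the rest of the frame."""
    if len(frame) < HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        return False                     # runt frame: always discarded
    return compute_fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def parse_frame(frame: bytes) -> dict:
    """Decapsulate a frame; a receiver drops any frame whose FCS does not verify."""
    if not fcs_is_valid(frame):
        raise ValueError("FCS mismatch or runt frame: frame discarded")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {
        "dst": bytes_to_mac(frame[0:6]),
        "src": bytes_to_mac(frame[6:12]),
        "ethertype": ethertype,
        "payload": frame[HEADER_LEN:-FCS_LEN],   # padding, if any, is still attached
    }


def corrupt_bit(frame: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Flip one bit to model a transmission error on the physical medium."""
    out = bytearray(frame)
    out[byte_index] ^= 1 << bit
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a 20-byte stand-in for a network-layer packet.
    packet = b"constructed-packet!!"
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_ARP, packet)
    print(len(frame), "bytes on the wire:", parse_frame(frame))
    print("damaged frame accepted?", fcs_is_valid(corrupt_bit(frame, 20)))
```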

1.1.3.7 Physical layer


The Physical layer is the lowest layer in the OSI model. This layer's
purpose is to minimize the effect of interference in the medium on the signal.
So the physical layer has the responsibility of coding and converting the frames
from the data link layer into signals, and then transmitting the signals over the
medium.

1.2 Introducing Local network

1.2.1 Local Area Network (LAN)


Driven by the need to share information between the computers of
users in the same organization, the first LANs were born in the 1970s to create
high-rate connections between computers. Initially, a LAN was defined as a
group of computers connected together and placed under the
management of a common administrator. But along with the evolution of
technology, the term “LAN” has grown broader. Nowadays, LAN also
refers to networks that are much larger than home or small office networks.
Almost all LANs are designed according to the hierarchical architecture
with redundancy; twisted pair cable is used as the transmission medium
(normally Cat5E), and depending on the NIC and type of medium, the network
speed is 10 Mbps, 100 Mbps, 1 Gbps, or even 10 Gbps.
The network devices used in a LAN include routers, switches, DSL
modems, IP phones, PCs, printers, and servers (Figure 1.7).

Figure 1.7 The network devices used in LAN


Figure 1.8 Hierarchical network

The Access layer is the lowest layer and the closest to the end user devices. The
Access layer is responsible for providing connectivity to end
user devices. In addition, the Access layer can determine whether a device
may connect to the network or not.
The Distribution layer gathers all traffic coming from the Access
layer and then, if possible, distributes the traffic to its true destination
as long as the destination belongs to the same subnet as the traffic. If not,
the Distribution layer sends the traffic to the Core layer for routing to its
final destination. This layer controls the network flow and separates the VLANs
that are defined at the Access layer. Distribution layer devices are typically
high-performance switches that have high availability and redundancy to
ensure reliability.
The Core layer is the highest-rate layer in the hierarchical network model.
Typically, the core layer devices are routers and switches that have high
availability, high rates, and redundancy. They must process traffic properly under
heavy load because they receive and process almost all the traffic of
the whole network. Their functions are connecting the local network with the
outside network (for example, the Internet) and routing the traffic to its end
points.

1.2.2 Virtual LAN (VLAN)


A LAN is a good choice for small networks in homes or small offices,
because it is easy and cheap to install and QoS is not critical. For
instance, suppose that initially a university has only one branch with one
building. A computer room for students is on the fifth floor, and another for
teachers and officers is on the third floor. We can design and configure the
university's network as in the following figure:

Figure 1.9 The small university with its LAN

After several years, this university grows and has two more branches.
Suppose that its network still remains as before.

Figure 1.10 The university network after several years with VLAN

The headmaster of the university wants to make only two subnets, one
for students and the other for teachers and officers, and he wants all students
to be able to share their resources, and likewise all the teachers and officers.
Obviously, it is impossible to create a large LAN for the students, and likewise
for the teachers. VLAN is the solution for this.
A VLAN is simply a LAN in the logical sense. But in a VLAN, the
network devices and users are not limited by geography; they can be
grouped based on their functions and purposes in using network resources.
Using VLANs, we can handle the network traffic, prevent the network
from what is called a “broadcast storm”, improve the security level, and manage
the QoS policies. Thus, if a VLAN is designed and configured well, we
get many more benefits in comparison with using a normal LAN, such
as improved performance, an increased security level, and advanced
network management capability, etc. However, the IT engineers must
have knowledge about VLANs and their configuration. In a big company or
university that uses switches from many different vendors, it is complex to
configure VLANs, and incorrect configurations may degrade the network
performance or even make the network impossible to operate.
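As an added illustration of the point above (my own model, not code from the thesis or from OPNET), a tiny learning-switch simulation shows why a VLAN limits broadcast reach and separates the student and teacher groups: broadcast and unknown-unicast frames are flooded only to ports in the same VLAN, and the MAC table is kept per VLAN, so a frame from a student port never reaches the teacher server's port without passing through a router. The six-port layout, the VLAN numbers and the MAC addresses are constructed for the example.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """A learning switch whose ports are each assigned to one VLAN (access ports).
    A plain LAN is the special case where every port sits in the same VLAN."""

    def __init__(self, port_vlan: dict):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN ID
        self.mac_table = {}                # (vlan, mac) -> port it was learned on
        self.flood_count = Counter()       # frames flooded, per VLAN

    def forward(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Return the list of ports the frame is sent out of.
        The switch learns the source MAC on the ingress (port, VLAN), then
        either forwards to the one known port or floods to every other port
        in the same VLAN only."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src_mac)] = in_port
        if dst_mac != BROADCAST and (vlan, dst_mac) in self.mac_table:
            out = self.mac_table[(vlan, dst_mac)]
            return [] if out == in_port else [out]      # same port: nothing to do
        self.flood_count[vlan] += 1
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)


def storm_deliveries(switch: Switch, in_port: int, src_mac: str, frames: int) -> int:
    """Total port deliveries caused by `frames` broadcast frames from one host,
    i.e. how much of the switch a broadcast storm from that host can load."""
    return sum(len(switch.forward(in_port, src_mac, BROADCAST)) for _ in range(frames))


def compare_flat_and_vlan() -> dict:
    """Constructed scenario: one six-port switch.
    Flat LAN: all ports in VLAN 1.
    Segmented: ports 1-3 = VLAN 10 (students), ports 4-6 = VLAN 20 (teachers)."""
    flat = Switch({p: 1 for p in range(1, 7)})
    seg = Switch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20, 6: 20})
    student = "00:00:00:00:00:01"        # host on port 1
    teacher_srv = "00:00:00:00:00:04"    # server on port 4
    # The teacher server speaks first, so both switches learn its port.
    for sw in (flat, seg):
        sw.forward(4, teacher_srv, BROADCAST)
    return {
        "flat_broadcast": flat.forward(1, student, BROADCAST),
        "vlan_broadcast": seg.forward(1, student, BROADCAST),
        "flat_student_to_server": flat.forward(1, student, teacher_srv),
        "vlan_student_to_server": seg.forward(1, student, teacher_srv),
        "flat_storm": storm_deliveries(flat, 1, student, 100),
        "vlan_storm": storm_deliveries(seg, 1, student, 100),
    }


if __name__ == "__main__":
    for name, value in compare_flat_and_vlan().items():
        print(f"{name:24s} {value}")
```

In the segmented switch the student's frame to the teacher server is flooded only to the other student ports, because the server's MAC was learned in VLAN 20 and is unknown in VLAN 10; reaching it requires inter-VLAN routing, which is where access control lists are applied later in the thesis.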

1.3 A Brief on simulation tools and OPNET


In recent years, science and technology have developed very quickly,
and it is extremely necessary to analyze and evaluate new technologies
and protocols. But sometimes it is prohibitively expensive or too
dangerous to test a real system. Telecommunication systems are really
complex and expensive. In Vietnam, almost all universities do not have enough
money to buy real-world systems for their laboratories. Fortunately, with
the significant evolution of computer science, the term “simulation” was
born. With a simulation tool, real-world systems can be simulated and
then evaluated to a certain level, and the results obtained are widely
accepted by the scientific community. Using simulation tools can make up for the
shortage of capital investment, so it is the cost-effective choice for small
universities and businesses.

There are many network simulation tools, such as OPNET, QuadNet,
NS-2, OMNET++, Matlab, etc. Most of them are built in C or C++ and
their simulation results are accepted by the scientific community. Among
these tools, OPNET and NS-2 are preferred and commonly used in
education and research. NS-2 is a new open-source simulation tool for
simulating wireless communication. There are many modules
associated with it, and NS-2 also includes substantial contributions from
researchers all over the world. But the biggest disadvantage of NS-2 is the
difficulty beginners have in learning how to use it.
OPNET seems to be the appropriate tool for students in study and
research. OPNET stands for Optimized Network Engineering Tools.

Initially, OPNET was Alain Cohen’s (co-founder and current CTO &
President of OPNET Technology) graduate project when he was a
networking student at MIT (Massachusetts Institute of Technology). The
company’s first product is OPNET Modeler, which is commercial software
used for simulating and modeling communication networks, network
devices and protocols. OPNET is a widely used Windows and Linux based
simulator. It is built in C++ and provides a virtual environment for modeling,
analyzing, and calculating network performance. This tool is frequently
updated with new protocols and devices to keep up with fast-evolving
network technology trends.
OPNET is used by many commercial and government organizations and
universities worldwide. With OPNET Modeler, users can basically:
- Create and edit networks and nodes according to their purpose.
- Modify the operation inside network nodes.
- Analyze and evaluate their network using the statistics collected
after simulation.
However, it is very difficult for beginners to learn and make the most
of OPNET Modeler in implementing a new protocol; they must be
familiar with the object-oriented approach and the C++ language as well as
have knowledge of telecommunications. Therefore, OPNET Technology
Corporation developed OPNET IT Guru, which is a free version
used for educational purposes.

Figure 1.11 OPNET ITGuru.

This version is widely used both in universities, to simulate what they
teach and study, and in small companies, to plan their networks.
Many new network protocols and devices have been modeled in this
version. This makes it much easier to build a network, and all that
beginners need is their knowledge of telecommunications and computers.
Since OPNET IT Guru is a free version, it does not allow modifying a
network node or viewing the architecture inside nodes.

1.4 Conclusions
In this chapter, we have seen that computer networks are crucial. This
chapter also gives an overview of LAN and VLAN, from which we can see the
advantages of VLAN in comparison with a traditional LAN. Thanks to these
advantages, VLAN has become an indispensable tool for network
administrators to segment the network, to increase bandwidth per user, to
provide security, and to provision multimedia services [10].

This chapter also points out the role of simulation in designing a
network. Along with the evolution of computer science, network simulation
tools help greatly in network design. Among the various simulation tools,
OPNET, which is made to answer “what-if” questions, is a suitable tool
for students.
So, in the next two parts of this thesis, the issues in designing a
computer network, such as performance and security level, are discussed. The
next part shows what a VLAN is and what its characteristics are. The VLAN’s
advantages are introduced in the last part, and they are then demonstrated by
performing some simulations.

CHAPTER 2 VIRTUAL LOCAL AREA NETWORK (VLAN)

2.1 Definition of VLAN


Essentially, a VLAN is also a local network. The difference is that in a
LAN, network devices are restricted by their location and the distance
between them, while in a VLAN, network devices are logically connected
together regardless of location.

Figure 2.12 The different VLANs in a network

According to figure 2.1, we can define a VLAN as a group of
network devices that are logically connected, regardless of location
or physical link in the network. To make the network easier to manage and
configure, VLANs can be named according to their functions.

A VLAN is configured entirely in software on switches. As with a LAN,
each VLAN is assigned a range of IP addresses and a number of switch
ports. If a device wants to join a VLAN, it must be connected to a port
that belongs to this VLAN and have an IP address that falls within this
VLAN’s IP address range (see figure 2.2).

Figure 2.13 Port-based VLAN

2.2 VLAN ID range


VLANs are numbered from 1 to 4096; these ordinal numbers are called
VLAN IDs and are divided into a normal range and an extended range.
The normal range consists of VLANs 1 to 1005. Among these,
VLANs 1002 to 1005 are used for Token Ring and FDDI networks, and
the others are used for Ethernet networks. VLAN 1 is the default
VLAN. Initially, every switch port belongs to this VLAN, and it cannot
be deleted or modified.
The extended range consists of all the remaining VLANs. These VLANs
support fewer VLAN features than normal-range VLANs, so they are not
used commonly.
2.3 Operation of VLAN
In many ways, the operation of a VLAN is similar to that of a LAN. The only
difference is that, using VLANs, we can create a logical group of
network devices forming a separate broadcast domain, independent of
their location. In a normal LAN, every device connected to
a switch belongs to a common broadcast domain. When a user sends a
broadcast message to his/her network, this message is sent to all users
connected to this switch, whether they belong to the user’s department or
not.

Figure 2.14 Broadcast traffic in normal LAN

In a VLAN, because the network devices of a department are logically
grouped into a separate virtual LAN, a broadcast message only travels
within this VLAN; users in other departments do not receive it.

Figure 2.15 Controlling broadcast domain with VLAN

In order to distinguish among VLANs, each frame is tagged with an
information field identifying the VLAN it belongs to. This field consists of 3
priority bits, 1 CFI bit that allows Token Ring frames to travel
over the Ethernet transmission medium, and 12 VLAN ID bits that identify
4096 VLAN IDs (see figure 2.5).

Figure 2.5 Tagging information

If a local network has many VLANs, the VLANs can communicate by
using OSI layer 3 devices such as routers or layer 3 switches.

2.4 Types of VLAN


Today, port-based VLAN is the main way to implement VLANs. In this
approach, a set of switch ports is assigned to each VLAN; these ports are
called access ports. If a device is connected to an access port, it belongs
to the VLAN associated with that port.
The term “VLAN type” refers to the type of data that the VLAN
carries and the function of the VLAN. There are five types of VLAN.

2.4.1 Data VLAN


A data VLAN (also called a user VLAN) is configured to carry only
user-generated traffic. However, users can also generate management or
voice traffic. Such traffic does not belong to the data VLAN but to the
management VLANs and voice VLANs described later.

Figure 2.16 Data VLANs

2.4.2 Default VLAN


The default VLAN is the VLAN that always exists on a switch. When the
switch is first configured, or each time it is reset to the factory default,
all ports of the switch are members of this VLAN. Essentially, the
default VLAN is similar to other VLANs, but it cannot be renamed or
deleted. On Cisco switches, VLAN 1 is the default VLAN, and Layer 2
control traffic, such as CDP and STP traffic, always belongs to this VLAN.

2.4.3 Native VLAN


The native VLAN is a concept related to ports configured as
trunk ports. An IEEE 802.1Q trunk port supports both tagged traffic and
untagged traffic. Tagged traffic is the traffic of a certain VLAN; untagged
traffic is traffic that does not belong to any VLAN. Except for native
VLAN and default VLAN frames, every frame passing through a trunk
port is tagged with its VLAN information. The reason for using a native
VLAN is that some devices from different vendors do not understand, or
are not compatible with, each other’s IEEE 802.1Q or ISL tagging
information.

2.4.4 Management VLAN


The management VLAN is used to manage switches remotely. With a
management VLAN, we can access switches remotely via Telnet, SSH,
HTTP, etc., to manage and configure them. The management VLAN is assigned an
IP address and a subnet mask. It is not recommended to use VLAN 1 as the
management VLAN. It is a security best practice to define the management
VLAN as a VLAN distinct from all other VLANs defined in the
switched network.

Figure 2.17 Management VLAN

2.4.5 Voice VLAN


Today, the trend is towards a converged network in which VoIP
service is increasingly common. Voice VLANs are used to carry
voice traffic. In order to guarantee communication quality, voice
VLANs must meet the following requirements: wide bandwidth, the highest
priority level, the ability to be routed around congested areas of the
network, and low delay.

Figure 2.19 Voice VLAN

Figure 2.20 Voice traffic

2.5 The standards and protocols used in VLAN

2.5.1 VLAN Trunking

2.5.1.1 Trunk’s definition and its benefit


A trunk is an Ethernet point-to-point link between two VLAN-aware
devices (switches and routers). A trunk can be considered similar to
a highway carrying many types of traffic. A trunk carries the
traffic of multiple VLANs over a single link.
Unless a trunk is used, we must use a number of switch interfaces
equal to the number of VLANs, which makes the network more
expensive.

Figure 2.21 VLANs without Trunk

With a trunk, we only use one switch port to carry the traffic of
multiple VLANs.

Figure 2.22 VLAN with Trunk

2.5.1.2 IEEE 802.1q


IEEE 802.1Q lets multiple LANs share a common link without
leakage of information between them. It is the name of an encapsulation
type over Ethernet networks.
This protocol also defines the VLAN ID and allows individual
VLANs to communicate with each other through a layer-3 switch or a
router.
When a frame coming from a VLAN-unaware device arrives at an
access port, it is only an original Ethernet frame, i.e. it does not contain any
information about the VLAN it belongs to. The switch inserts into that
frame a VLAN tag field which comprises the information about the VLAN the
frame belongs to. The frame structure is as follows:
TPID (Tag Protocol Identifier)

The TPID contains an Ethernet type field, which is used to distinguish it from
other protocols. Its value is set to 0x8100 in order to identify the frame as
an IEEE 802.1Q-tagged frame.

Figure 2.23 IEEE 802.1q Ethernet Type allocations

Figure 2.24 IEEE 802.1Q VLAN Tag Fields

Figure 2.25 TCI format

Tag Control Information (TCI) (figure 2.14)

TCI is two octets long, in which:
- 3 user priority bits indicate the priority level of the data. In
IEEE 802.1p, they specify 8 levels, from level 0 (lowest) to 7
(highest).
- 1 CFI bit (Canonical Format Indicator): if the value of CFI is 1, the
MAC address is in non-canonical format; this enables Token Ring
and FDDI frames to be transmitted over the Ethernet transmission
medium. If the value is 0, the MAC address is in canonical format,
which is the default for Ethernet frames.
- 12 VLAN ID bits indicate the VLAN to which the
frame belongs; in decimal the value ranges from 0 to 4095. If a received
frame has a VLAN ID of 0, the frame does not belong to any
VLAN, and the tag header contains only priority information. The
VLAN ID with the value hex FFF is reserved for implementation
use.
After tagging the frame, the switch recalculates the FCS value and then
sends the tagged frame out of the trunk port.
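As an added illustration of the tag format described above (the field list in section 2.3 and the TPID/TCI description here), not code from the thesis: a Python routine that builds the 4-byte 802.1Q tag, inserts it after the source MAC as the switch does at an access port, recomputes the FCS, and decodes a received frame. The sample frame, its addresses and its payload are constructed for this example.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # Ethertype value that marks an IEEE 802.1Q-tagged frame


def fcs(body):
    """Ethernet FCS: CRC-32 over the frame, transmitted least significant byte first."""
    return struct.pack("<I", zlib.crc32(body))


def build_tag(priority, cfi, vlan_id):
    """Build the 4-byte tag (TPID + TCI) from the three TCI fields of figure 2.14."""
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vlan_id <= 0xFFF):
        raise ValueError("priority is 3 bits, CFI 1 bit, VLAN ID 12 bits")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def vlan_id_range(vlan_id):
    """Classify a 12-bit VLAN ID the way section 2.2 and the TCI description do."""
    if vlan_id == 0:
        return "priority-tagged (no VLAN)"
    if vlan_id == 0xFFF:
        return "reserved"
    if vlan_id == 1:
        return "default VLAN"
    if 1002 <= vlan_id <= 1005:
        return "normal range (Token Ring/FDDI)"
    if vlan_id <= 1005:
        return "normal range (Ethernet)"
    return "extended range"


def make_untagged(dst, src, ethertype, payload):
    """Constructed untagged frame: dst MAC, src MAC, Ethertype, payload, FCS."""
    body = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    body += struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame, priority, cfi, vlan_id):
    """What the switch does at an access port: insert the tag after the source MAC
    and recompute the FCS, as the text describes. `frame` includes its FCS."""
    body, old_fcs = frame[:-4], frame[-4:]
    if old_fcs != fcs(body):
        raise ValueError("FCS mismatch on untagged frame")
    tagged = body[:12] + build_tag(priority, cfi, vlan_id) + body[12:]
    return tagged + fcs(tagged)


def parse_frame(frame):
    """Decode a frame (with FCS) into its fields; tag fields present only if tagged."""
    body, old_fcs = frame[:-4], frame[-4:]
    if old_fcs != fcs(body):
        raise ValueError("FCS mismatch")
    info = {"dst": body[:6].hex(":"), "src": body[6:12].hex(":"), "tagged": False}
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[14:16])[0]
        info.update(tagged=True, priority=tci >> 13, cfi=(tci >> 12) & 1,
                    vlan_id=tci & 0xFFF,
                    ethertype=struct.unpack("!H", body[16:18])[0], payload=body[18:])
    else:
        info.update(ethertype=ethertype, payload=body[14:])
    return info


# Constructed sample: a broadcast IPv4 frame from a VLAN-unaware host.
SAMPLE = make_untagged("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800,
                       b"constructed payload")

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE, 5, 0, 10)
    print(parse_frame(tagged))
```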

2.5.2 VLAN Trunking Protocol (VTP)

2.5.2.1 What is VTP?


There would be nothing to say about VTP if the network size were small.
For instance, a small company in its early days has a small network, and it
is not too difficult for the administrator to configure the switches one by one. But
as the network grows, the VLAN management challenge becomes
clearer. Suppose the company network has 10 switches; then whenever they
want to update or modify their VLANs, the IT engineers have to repeat the
configuration on each of the 10 switches. This is a repetitive and boring job, and it
can lead the administrators to make mistakes in configuring VLANs. VTP is the
solution to this problem.

Figure 2.26 Configuring a small network with only 3 switches

VTP is a Cisco proprietary protocol, comparable with GVRP from
IEEE 802.1Q. By enabling VTP on all switches, the administrator only has
to perform VLAN configurations such as creating, adding, deleting and
renaming on the server-mode switch, and this switch then propagates
the VLAN information to the others in the network. This switch is called a VTP
server. VTP allows the network to update its VLAN information by itself: the
administrator configures the VTP server, and the VTP server advertises the VLAN
information it has to the other VTP-enabled switches in the network. The VTP
server stores the VLAN information in the vlan.dat file. VTP advertisements
can only be exchanged over active trunks.

2.5.2.2 VTP Pruning


VTP pruning is a Cisco switch feature that increases the available
network bandwidth. In a VLAN domain, when a station of a certain VLAN,
say VLAN 10, generates broadcast traffic to the others in its VLAN, switches
on which VTP pruning is not enabled flood this traffic to the
others in the network. If a switch has no port in VLAN 10, the traffic
sent to this switch is unnecessary; it consumes the available
bandwidth and processor time on this switch. VTP pruning increases the
available bandwidth by pruning this unnecessary traffic.

2.5.3 Spanning tree protocol (STP)

2.5.3.1 The importance of redundancy in designing a network


As said before, a computer network plays an important role in a company
or any organization. If a company’s network is unstable, it may
do a lot of damage to the company. To make a computer network
stable, it is always designed in a hierarchical model, and some
redundant links must be used. Suppose a company has only one link to
the internet, and the failure probability of this link is 10%. This means the
link’s availability is only 90%. If this company adds one more
similar link to the internet, the failure probability of the connection to the
internet is now 1%, meaning an availability of 99%. Obviously, by
using redundant links, the network is more stable.

Figure 2.27 A network with redundancy

Figure 2.28 When the main link fails

2.5.3.2 Redundancy and loop issues


Redundant links are important, but if we only add redundant
links without using any protocol to handle forwarding, a layer 2 loop is
certain to occur, which makes the network unavailable.
For instance, consider a small network with only three switches, as shown in the
figure below:

Figure 2.29 layer 2 loop-1

At the beginning, the MAC address tables of two switches, S3 and S1,
have no entry for PC1. When PC1 sends a broadcast message to
switch S2, because it is a broadcast message, any switch receiving it
must forward it out all other ports. S2 forwards it to all active ports except
port F0/11, on which the message was received. When the other switches
receive the broadcast message from S2, they add an entry for PC1 to their
MAC address tables.

Figure 2.30 Layer 2 loop-2

Figure 2.31 Layer 2 loop-3

After learning the MAC address of PC1, S3 and S1 send the message out
their other ports. And when S1 and S3 send the message to each other, they
update the MAC address entry of PC1 again, and then they send the message out
their other ports, including the one that connects to S2 via the trunk link. Switch
S2, after receiving the message from these two switches, updates its
MAC table again and forwards the message once more, and so on. That is a
layer 2 loop, and it makes the network traffic heavier and heavier.
When more than one device sends broadcast messages in a network
like this one, a broadcast storm occurs, and it consumes all the available
bandwidth. Therefore, the network becomes unavailable. So, in order to solve this
issue, it is necessary to find a way to handle forwarding over
redundant links.

2.5.3.3 The Spanning tree protocol-STP
STP is a layer 2 protocol that solves the layer 2 loop
issue. STP is based on the STA, an algorithm invented by
Radia Perlman while working for Digital Equipment Corporation. STP
is defined in the IEEE 802.1D standard.
STP’s function is to prevent OSI layer 2 loops in a redundant
network. It ensures that there is only one logical path, the lowest-cost
path, between all destinations on the network by intentionally blocking
redundant paths that could cause a loop. Network traffic cannot pass
through a blocked port, but BPDUs can. If the best path fails, the
STA recalculates the path cost and then enables the redundant path.
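The loop of figures 2.29 to 2.31 and the blocking STP applies to it, as an added Python example that is not from the thesis: a toy model of three switches floods one broadcast and counts forwardings, first without STP (the count hits the cap, i.e. the loop never ends) and then after a simplified STA run (root by lowest BID, root ports by path cost, the non-designated end of the redundant link blocked). The switch names follow the figures; the port names, BIDs and link cost of 19 are assumptions.

```python
import heapq
from collections import deque


class Switch:
    def __init__(self, name, priority, mac):
        self.name = name
        self.bid = (priority, mac)  # bridge ID; the lowest BID wins the root election
        self.ports = {}             # port -> (neighbour switch, neighbour port, link cost)
        self.blocked = set()        # ports placed in blocking state by STP
        self.mac_table = {}         # learned source MAC -> port


def link(a, pa, b, pb, cost):
    """Connect two switches with a bidirectional link of the given path cost."""
    a.ports[pa] = (b, pb, cost)
    b.ports[pb] = (a, pa, cost)


def root_path_costs(by_name, root):
    """Dijkstra from the root bridge: lowest total link cost to every switch."""
    cost = {n: float("inf") for n in by_name}
    cost[root.name] = 0
    heap = [(0, root.name)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for nb, _, lc in by_name[n].ports.values():
            if c + lc < cost[nb.name]:
                cost[nb.name] = c + lc
                heapq.heappush(heap, (c + lc, nb.name))
    return cost


def run_stp(switches):
    """Assign port roles as the STA does: elect the root by lowest BID, choose each
    switch's root port by lowest path cost (tie: lower neighbour BID), and block
    the non-designated end of every remaining redundant link."""
    by_name = {s.name: s for s in switches}
    root = min(switches, key=lambda s: s.bid)
    cost = root_path_costs(by_name, root)
    root_port = {}
    for s in switches:
        s.blocked.clear()
        if s is root:
            continue  # the root bridge has no root port; all its ports are designated
        root_port[s.name] = min(
            s.ports, key=lambda p: (cost[s.ports[p][0].name] + s.ports[p][2], s.ports[p][0].bid))
    seen = set()
    for s in switches:
        for p, (nb, np_, _) in s.ports.items():
            key = frozenset([(s.name, p), (nb.name, np_)])
            if key in seen:
                continue
            seen.add(key)
            if root_port.get(s.name) == p or root_port.get(nb.name) == np_:
                continue  # root port on one end, designated on the other: both forward
            # neither end is a root port: the end with the worse (cost, BID) is blocked
            if (cost[s.name], s.bid) < (cost[nb.name], nb.bid):
                nb.blocked.add(np_)
            else:
                s.blocked.add(p)
    return root, root_port


def flood_broadcast(switches, start, ingress, src_mac, cap=1000):
    """Inject one broadcast frame into `start` on port `ingress` and count how many
    times switches forward it. Returns (transmissions, looped); looped is True
    when the cap is reached, i.e. the frame would circulate forever."""
    for s in switches:
        s.mac_table.clear()
    queue = deque([(start, ingress)])
    sent = 0
    while queue:
        sw, port_in = queue.popleft()
        sw.mac_table[src_mac] = port_in  # source learning, also on a looped copy
        for p, (nb, np_, _) in sw.ports.items():
            if p == port_in or p in sw.blocked:
                continue
            sent += 1
            if sent >= cap:
                return sent, True
            if np_ not in nb.blocked:  # a blocking port drops received data frames
                queue.append((nb, np_))
    return sent, False


def build_triangle():
    """Constructed topology after figure 2.29: three switches in a ring with equal
    link costs; PC1 hangs off S2 port F0/11 (port names and BIDs are assumptions)."""
    s1 = Switch("S1", 32768, "00:00:00:00:00:01")
    s2 = Switch("S2", 32768, "00:00:00:00:00:02")
    s3 = Switch("S3", 32768, "00:00:00:00:00:03")
    link(s1, "F0/1", s2, "F0/1", 19)
    link(s1, "F0/2", s3, "F0/1", 19)
    link(s2, "F0/2", s3, "F0/2", 19)
    return [s1, s2, s3]


if __name__ == "__main__":
    net = build_triangle()
    print("without STP:", flood_broadcast(net, net[1], "F0/11", "aa:bb:cc:dd:ee:01"))
    root, rp = run_stp(net)
    print("root:", root.name, "root ports:", rp, "blocked:", {s.name: s.blocked for s in net})
    print("with STP:", flood_broadcast(net, net[1], "F0/11", "aa:bb:cc:dd:ee:01"))
```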

2.5.4 Rapid spanning tree protocol (RSTP)

2.5.4.1 The differences from STP


STP is the original protocol for preventing layer 2 loops. Nowadays, STP is
replaced by RSTP (Rapid Spanning Tree Protocol). RSTP was introduced in
the IEEE 802.1w standard, in 1998, by the IEEE as an evolution of STP. RSTP has
only a few differences from STP, which make it converge much faster.
Indeed, while STP can take from 30 to 50 seconds to respond to a topology
change, RSTP is typically able to respond to changes within only a second.

2.5.4.2 RSTP operation


RSTP operation is similar to STP operation, but RSTP convergence is
much faster. To complete convergence, STP has to elect the
root bridge, elect root ports, and elect designated and non-designated ports,
and it takes two forward-delay times in the election of designated ports.
RSTP convergence is significantly faster: the RSTP proposal and agreement
process is carried out link by link, and it does not rely on timers expiring
before a port can transition.
Both STP and RSTP determine port roles based on the BID and path
cost, and they use the BID and path cost in the same way.

2.6 Conclusions
This chapter has shown what a VLAN is and how it operates. From this, we
can see the benefits of using VLANs, such as improving performance,
enhancing the security level, and making the network easier to manage, which
are introduced in the next chapter.
Additionally, using VLANs also makes it flexible to manage and design
a network. Assume that when a company is reorganized, a member of staff
changes position; by reconfiguring switch ports, he does not need to
change location. Using VLANs also makes network design cheaper
because it makes better use of the switch ports in a room, and it is easy
to add or remove users of the network.
This chapter also talks briefly about two issues in network design, in
particular VLAN design, namely VTP and STP. VTP makes it easier to
configure VLANs, and STP is a solution for the redundancy and layer 2
loop problems.
Due to its significant benefits, VLAN is used widely in network design; we
will make this clearer in the next part.

CHAPTER 3 BENEFITS OF VLAN IN NETWORK DESIGN

3.1 Main benefits of VLAN

3.1.1 VLAN and Quality of service (QoS)

3.1.1.1 The Definition of QoS


QoS, which stands for Quality of Service, is an extremely important part
of telecommunications. QoS is a broad concept; there are many ways
to approach it. According to Microsoft, QoS is “the ability of the network
to handle this traffic such that it meets the service needs of certain
applications”. According to Wikipedia, “QoS is the ability to provide
different priority to different applications, users, or data flows, or to
guarantee a certain level of performance to a data flow”.
Every user generating traffic wants to transmit it at the expected
rate. If network resources were infinite, this traffic would be transmitted
without latency, jitter or loss. But in fact, network resources are finite, so
the network administrator must determine which traffic is important and
which is not.
The common meaning of QoS is classifying traffic and handling it so
that the network can meet all the users’ traffic requirements.
Using VLANs, the network operator can make use of the VLAN ID and
user priority bits in the VLAN tag field to prioritize packets.
In order to see clearly the importance of QoS in networking, let’s
examine the following network:

Figure 3.32 A company’s network topology

In figure 3.1, a company uses a frame relay link to connect its two
buildings: the branch office and the server farm. In working hours, officers
access the database server to look for the data they need, or use email and web
services. In their rest time, they can relax by playing music or video or even
a computer game. But in business hours, especially rush hours, if some
users download unauthorized traffic such as music or video from the Music-and-video
server, this traffic consumes much more bandwidth than the rest and
therefore slows down the company network’s performance. In order to
improve network performance, QoS is applied to set the multimedia
traffic priority to the lowest level, or even to block it, using queuing
mechanisms, ACLs, firewalls and the like.

3.1.1.2 Queuing mechanisms


In small LANs, nowadays, the typical bandwidth is 100 Mbps, which can
meet almost every kind of traffic demand, so QoS seems to be unnecessary. But,
for instance, in figure 2-31 the link connecting the two buildings is only
512 Kbps, so at rush hours congestion may occur. On the other hand, if
applications such as video conferencing or VoIP are used, the traffic generated
by these applications is much heavier than the rest. The reality is that
there are multiple users using multiple applications that require
network resources at the same time; therefore, it is necessary to allocate
network resources to application traffic so that the network can meet all
service requirements. In order to apply QoS on a network, the following
QoS parameters are usually used:
- Bandwidth: the rate at which an application’s traffic must be carried by
the network
- Latency (or delay): the delay that an application can tolerate in
delivering a packet of data
- Jitter: the variation in latency
- Loss: the percentage of lost data
Of these parameters, bandwidth is the most interesting one. If an
application has wide enough bandwidth, the other parameters (delay, loss, and
jitter) can be acceptable. To increase the available bandwidth, one of
several approaches is to classify traffic into QoS classes and then prioritize
and queue it according to its importance. There are several QoS
mechanisms, or queuing mechanisms, as follows: Priority Queuing (PQ),
Custom Queuing (CQ), Weighted Fair Queuing (WFQ) with its distributed
versions, IP RTP Prioritization, Modified Deficit Round Robin (MDRR),
Class-based Weighted Fair Queuing (CB-WFQ) and Class-based Low-latency
Queuing (CB-LLQ).

3.1.2 VLAN and security

3.1.2.1 Basic security: Handling physical accesses to network devices


For a big company, the threat from malicious users is very great if they
gain access to a network device. For example, if they can access a switch
and configure it, they can obtain other users’ information and use it to
their advantage, or, even if not, they can carry out attacks such as
DDoS to break the network. Along with the evolution of computer science
and information technology, threats can appear from everywhere, either
inside or outside the network, with many types of attack such as:
• MAC Flooding Attack
• 802.1Q and ISL Tagging Attack
• Double-Encapsulated 802.1Q/Nested VLAN Attack
• ARP Attacks
• Private VLAN Attack
• Multicast Brute Force Attack
• Spanning-Tree Attack
• Random Frame Stress Attack
• DDoS Attack, etc.
Even a normal user can make use of attack tools distributed
widely on the internet to perform these attacks, or to propagate viruses,
worms, or spyware to victim PCs.

3.1.2.2 Tools and best practices in securing VLAN


First of all, the best practice for a network is physical security. This means
not letting unauthorized users connect their computers to network
devices and configure them. Even if they can connect to a switch,
configuring all ports used at the access layer as access ports and shutting
down all unused ports improves the security level. In addition, the port-security
configuration provided by Cisco can improve network
security by using additional security parameters such as MAC address and
password.
At a higher security level, ACLs and firewalls are used to protect the
network from internal or external threats such as illegal traffic, and
harmful traffic such as viruses, Trojan horses or worms, etc. Additionally,
antivirus software installed on each computer in the LAN plays an important
role in detecting and removing harmful computer programs.
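An added example, not from the thesis, of how the switch-side practices above can be checked: a Python audit of a constructed IOS-style switch configuration that reports a management address left on VLAN 1 (section 2.4.4), access-layer ports not forced to access mode or lacking port-security, and unused ports left enabled. The configuration text and the assumption that an interface with no configuration lines is unused are this example's own.

```python
# Constructed sample of a switch running-config in IOS-style syntax (not from
# the page). Vlan1 carries the management address, F0/1 is hardened, F0/2 is left
# in a negotiating mode, F0/3 has no configuration and F0/4 is shut down.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/1
 description student PC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 shutdown
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented lines under it]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return interfaces


def audit(config):
    """Check each interface against the practices in the text and return a sorted
    list of (interface, finding). An interface with no configuration at all is
    treated as unused (an assumption of this checker)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.startswith("Vlan"):
            if name == "Vlan1" and any(l.startswith("ip address") for l in lines):
                findings.append((name, "management address on default VLAN 1"))
            continue
        if "shutdown" in lines:
            continue  # unused port shut down: nothing to report
        if not lines:
            findings.append((name, "unused port left enabled"))
            continue
        if "switchport mode access" not in lines:
            findings.append((name, "not forced to access mode"))
        if "switchport port-security" not in lines:
            findings.append((name, "port-security not enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```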

3.1.2.3 Improve network security using Access Control Lists

What is Access Control List (ACL)?


Access Control Lists are basic knowledge that every network
administrator must master. ACLs (short for Access Control List) are
used to restrict users’ access to different types of data in a local
network by means of basic IP filtering.
In a network that has an ACL-configured router, this router not only carries
out routing in the network but also operates as an IP filter. When a packet
comes in or goes out through an interface to which an ACL is applied, the router
analyzes it and then determines, based on the packet’s header and the filter
rules, whether the packet is permitted or denied. According to
Cisco, ACLs are divided into two types: standard ACLs and extended ACLs.
With standard ACLs, a router can only filter arriving packets based on
the source IP address. Extended ACLs are further divided into static extended ACLs
and complex extended ACLs. Using static extended ACLs, a router can
filter packets more powerfully; it can make a decision based on source and
destination IP address, source and destination TCP and UDP port, and
protocol type (IP, ICMP, UDP, etc.). In order to make the rules more
flexible and secure, complex extended ACLs are used.

ACL’s function and its benefit


All an ACL has to do is filter the IP packets arriving at the router’s
interfaces and then determine whether to pass or discard the packets
according to the rules given by the administrator. Consequently, an ACL can
improve network performance by discarding illegal traffic such as the
video traffic in the example in section 2.6.1. An ACL restricts access
to selected users in a network, which is a basic level of security in
networking.
ACLs also give the network administrator some further benefits and flexibility
through complex extended ACLs. On Cisco routers, three categories of
complex ACLs are supported, as follows:
Dynamic ACLs: a user who wants to access or traverse a router configured
with a dynamic ACL must be authenticated by connecting to this router using
Telnet. Using dynamic ACLs can improve the security level of network
access.
Reflexive ACLs: reflexive ACLs are used when the administrator wants
to block all traffic originating from outside his network while other traffic is
allowed. Using this category of ACL gives the best security practice for
closed networks, the networks which do not want to advertise their
information; it helps to secure the network against hackers, and especially
against DoS attacks.
Time-based ACLs: this category of ACL allows access control based
on time. Applying time-based ACLs gives more flexibility.
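As an added Python example (not code from the thesis), the evaluation rules described above for standard and extended ACLs, plus a time-based entry, applied to the scenario of figure 3.1: entries are checked in order, the first match wins, and a packet matching no entry is dropped. All addresses, ports and the business-hours window are constructed.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed addressing for the scenario of figure 3.1 (not from the page):
# branch office 10.1.0.0/24, server farm 10.2.0.0/24, database server .10,
# music-and-video server .20.


def std_rule(action, src):
    """Standard ACL entry: matches on the source address only."""
    return (action, {"src": ip_network(src)})


def ext_rule(action, proto, src, dst, dport=None, active=None):
    """Extended entry: protocol, source and destination prefixes, an optional
    destination port and, for a time-based entry, an optional (start, end) window."""
    return (action, {"proto": proto, "src": ip_network(src), "dst": ip_network(dst),
                     "dport": dport, "active": active})


def matches(rule, pkt, now):
    _, m = rule
    if pkt["src"] not in m["src"]:
        return False
    if "dst" not in m:  # standard entry: nothing else to check
        return True
    if m["proto"] not in ("ip", pkt["proto"]) or pkt["dst"] not in m["dst"]:
        return False
    if m["dport"] is not None and pkt.get("dport") != m["dport"]:
        return False
    if m["active"] is not None and not (m["active"][0] <= now <= m["active"][1]):
        return False  # a time-based entry outside its window is inactive
    return True


def evaluate(acl, pkt, now):
    """Return 'permit' or 'deny' for one packet header; first match wins and an
    unmatched packet is denied (the implicit deny at the end of every ACL)."""
    for action, _ in filter(lambda r: matches(r, pkt, now), acl):
        return action
    return "deny"


def pkt(src, dst, proto="tcp", dport=None):
    """Constructed packet header: only the fields the ACL looks at."""
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": proto, "dport": dport}


BUSINESS_HOURS = (time(8, 0), time(17, 0))
WORK_TIME, EVENING = time(10, 0), time(20, 0)

# Standard ACL: only the branch office subnet may pass, whatever the destination.
STANDARD_ACL = [std_rule("permit", "10.1.0.0/24")]

# Extended ACL: block the music-and-video server during business hours, allow
# database (constructed port 1521) and web access from the branch office,
# deny everything else implicitly.
EXTENDED_ACL = [
    ext_rule("deny", "tcp", "10.1.0.0/24", "10.2.0.20/32", active=BUSINESS_HOURS),
    ext_rule("permit", "tcp", "10.1.0.0/24", "10.2.0.10/32", dport=1521),
    ext_rule("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", dport=80),
]

if __name__ == "__main__":
    for when in (WORK_TIME, EVENING):
        print(when, evaluate(EXTENDED_ACL, pkt("10.1.0.5", "10.2.0.20", dport=80), when))
```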

3.2 Simulations and results

3.2.1 Objective
Optimization is always the major objective in designing a computer
network. Companies always expect their computer network to operate with
maximum performance, a high security level and, of course, an
acceptable cost. The factors of interest in designing a computer
network are price, reliability, security and performance. For the same
price, the network designer can fully utilize the characteristics of
networking hardware to improve the remaining factors.

As has been said earlier, in order to understand the anticipated
benefits of new networking resources, it is prohibitively expensive to test a
real system because the networking hardware and software can be both
complicated and expensive. Simulation and modeling are considered a
fairly cheap approach to computer network design and testing.
This chapter aims to investigate the VLAN’s operation and its
advantages. In this chapter, I have done some simulations using OPNET
IT Guru to demonstrate the two objectives as follows:
- The performance improvement from using VLAN.
- The improvement in security level from using VLAN.
Of these, the first two scenarios are done to demonstrate the first
objective, and the last two are done to prove the second objective.

3.2.2 NoVLAN network vs. VLAN network


In this simulation, I have created two scenarios using the same network
topology of the Electronics and Telecommunications of a University.

Figure 3.33 NoVLAN network

Figure 3.34 VLAN network

For simplicity, we assume that the university has no internet
connection yet. So this is only a local network including 4 rooms, of
which two rooms are laboratories, one is for teachers, one is for the
manager, and the remaining one is the server farm.
Normally, students go to the lab rooms to study or to download
information from the server farm. Therefore, in this topology, the following
applications and profiles are used: file transfer, remote login, and database
access. Teachers and the student manager always access their servers to
download their documents, prepare their lectures, etc. So, some
applications are configured for Student, Teacher and Student_manager.

Profile   Application      Load level
Student   Remote_login     High load
          File_transfer    High load
          Database_access  High load
Teacher   Remote_login     Medium load
          File_transfer    High load
          File_print       Medium load
Manager   Remote_login     Low load
          File_print       Medium load
          Database_access  Medium load
Table 3.1 Applications used in the lab

Therefore, to evaluate these scenarios, it is necessary to gather the
following statistics:
Global statistic:      Ethernet/Delay (s)
Server’s statistics:   Ethernet/Delay (s)
                       Ethernet/Load (bit/s)
                       Server performance/Load (request/s)
                       Server performance/Load (task/s)
                       Server performance/Task processing time (s)
Link’s statistics:     Utilization
                       Throughput (bit/s)
                       Load (bit/s)
Table 3.2 Statistics collected in the lab

If VLAN is not applied on the network, every station can communicate
with every other.

Figure 3.35 Traffic demand in the network without VLAN

As shown in figure 3-4, three traffic demands are created from the
workstation student 14 to three nodes that belong to different VLANs, and
all of the traffic reaches its destination. But in the second scenario, only
the traffic demand directed to the Student server can reach its
destination. The others are blocked by the switch because they belong to
other VLANs.

Figure 3.36 Only one traffic demand is allowed to reach its server.

Figure 3.37 One of the traffic demands is not allowed by the switch

By blocking all traffic that belongs to other VLANs, the network performance is improved: the Ethernet load and Ethernet delay become smaller.

Figure 3.38 Ethernet load (bit/s) on ServerManager

Figure 3.39 Ethernet load (bit/s) on ServerTeacher

Figure 3.40 c) Ethernet Load (bit/s) on servers

The figures above show that the network load decreases at all servers when using VLAN. In the first scenario, traffic generated by users, regardless of who they are, is sent to all servers. This makes the network load higher than usual, and the network delay increases along with it. The second scenario creates three separated VLANs that cannot communicate, so a large amount of traffic cannot reach the two servers that do not belong to the same VLAN as its sender. Consequently, the load at each server decreases significantly.
Because the traffic at each server is lighter, the server can process it faster. We can examine the performance of the servers in these two scenarios by collecting the following statistics:

Figure 3.41 Server performance statistics: a) Load (request/s); b) Task processing time (s)

Because it takes the servers less time to process the traffic they receive, the delay on each server as well as the end-to-end delay is smaller.

Figure 3.42 End-to-end Delay

The last factor that helps to examine the network is link utilization. At the same request rate from the workstations, the network with the smaller link utilization is the better one. In the figure below, the network using VLAN consumes three times less bandwidth than the NoVLAN network.
Figure 3.43 Link utilization

3.2.3 Restrict the accessibility
The second scenario of the first simulation created three separated VLANs, but they cannot communicate. In fact, two or more VLANs must be able to communicate with each other to share information and network resources. In this instance, the student manager needs to share information with teachers in order to create the students' database. To make communication among VLANs possible, a layer 3 device such as a router or a layer-3 switch is used. In this case, a one-armed router is used to route between the VLAN teacher and the VLAN manager.

Figure 3.44 Inter-VLAN communication

Additionally, by applying ACLs to this router, it is possible to allow the VLAN Teacher to communicate with the VLAN manager while the VLAN Student cannot.

List name    Action   Source           Destination
Incoming_3   Permit   Any              Any
Outgoing_3   Permit   192.168.2.254    Any
             Deny     192.168.2.0/24   192.168.3.0
             Permit   Any              Any
Incoming_4   Permit   Any              Any
Outgoing_4   Permit   192.168.2.254    Any
             Deny     192.168.2.0/24   192.168.3.0
             Permit   Any              Any
Table 3.3 ACL configuration

After adding a router configured with these ACLs to the network, every client belonging to the VLAN student cannot ping the clients that belong to other VLANs, but both teacher and manager can ping the server Student (see the ping report in appendix 1). This means that they can access the Server student to take the information of their students, or to send them their information.
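The two forwarding rules described above (the switch never delivers a frame into another VLAN on its own; the one-armed router applies the ACLs of Table 3.3 first-match, top to bottom) as an added Python model, not code from the thesis or from OPNET. The mapping of subnets to the student/teacher/manager VLANs, the /24 mask on 192.168.3.0 and the reading of 192.168.2.254 as the router's own address are assumptions; the thesis lists the ACL entries without naming them.

```python
"""Added illustration: first-match evaluation of the router ACLs in Table 3.3,
combined with the switch rule that frames never cross VLANs by themselves."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")  # "Any" in the table, modelled as the whole IPv4 space

# Entries exactly as listed in Table 3.3: (action, source, destination).
# Evaluated top to bottom, first match wins (usual router ACL semantics).
ACLS = {
    "Incoming_3": [("permit", ANY, ANY)],
    "Outgoing_3": [
        ("permit", ip_network("192.168.2.254/32"), ANY),          # assumed: router's own address
        ("deny", ip_network("192.168.2.0/24"), ip_network("192.168.3.0/24")),  # /24 assumed
        ("permit", ANY, ANY),
    ],
    "Incoming_4": [("permit", ANY, ANY)],
    "Outgoing_4": [
        ("permit", ip_network("192.168.2.254/32"), ANY),
        ("deny", ip_network("192.168.2.0/24"), ip_network("192.168.3.0/24")),
        ("permit", ANY, ANY),
    ],
}

# Constructed VLAN-to-subnet mapping for this example (not given in the thesis).
VLAN_OF = {
    ip_network("192.168.2.0/24"): "student",
    ip_network("192.168.3.0/24"): "teacher",
    ip_network("192.168.4.0/24"): "manager",
}

def vlan_of(addr):
    """Name of the VLAN whose subnet contains addr."""
    a = ip_address(addr)
    for net, name in VLAN_OF.items():
        if a in net:
            return name
    raise ValueError(f"{addr} belongs to no known VLAN")

def acl_decision(acl_name, src, dst):
    """'permit' or 'deny' from the first matching entry; implicit deny if none matches."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in ACLS[acl_name]:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def reachable(src, dst, outgoing_acl="Outgoing_3"):
    """Scenario 2 forwarding: same VLAN -> the switch delivers directly;
    different VLANs -> only via the router, whose outgoing ACL decides."""
    if vlan_of(src) == vlan_of(dst):
        return True
    return acl_decision(outgoing_acl, src, dst) == "permit"
```

A stateless ACL like this filters the reply path as well as the request path, so a full reachability check evaluates both directions.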

Figure 3.45 Ping report

3.2.4 The DDoS attack and defense simulation [7]
The Distributed Denial of Service (DDoS) attack is a type of network attack in which an attacker uses malicious code installed on various computers to attack a single target. If the hacker cannot access a victim target, he/she makes it unavailable to others by performing a DDoS attack.
We assume that all computers in the network have been infected by malicious software. The hacker who created this software programmed it so that all computers request an HTTP service at the same time, whenever he wants.

Figure 3.46 DDoS attack

If the network does not use VLAN, all computers can send traffic to the server_teacher and overload it. It is easily seen that in a traditional LAN the hacker can attack any target he wants, and the whole network may collapse easily. The figure on the next page shows that when it is being attacked, the CPU Utilization of the victim server is equal to 100 percent, so it cannot serve any more requests.

If the network is divided into 3 VLANs, obviously, the number of clients that request fake services is much smaller. Even if the attack target is Server_student, only the VLAN student collapses; the others still work properly.
Figure 50 The results after the attack: a) CPU Utilization of the victim server; b) Service load of the victim server

Figure 3.47 The results after the attack: c) Link utilization between the victim server and the switch to which it is connected; d) Service response time of other clients

3.3 Conclusions
These two simulations show the main benefits of VLAN.
Using VLAN can improve network performance because it is possible to reduce overall broadcast traffic, which can degrade network performance if not properly managed. Additionally, using VLAN segments the broadcast domain into many smaller ones, so it confines problems to one segment.
On the other hand, using VLAN makes it easier and more efficient to manage a big computer network. Users can change their location easily without changing their IP address according to the network address and without changing the router's configuration.
The second simulation shows the higher security level obtained when using VLAN. Normal LANs often have confidential, mission-critical data moving across them, but VLANs do not. The information belonging to different VLANs cannot move across each other without the permission of the administrator. For communication among VLANs, an ACL-configured router is used to permit or deny traffic in the network.
Although it is complex to configure VLAN on a network, with its many benefits, VLAN plays a very important role in computer networks today, especially in big networks.

CONCLUSIONS

After a long time researching and doing the thesis, with the guidance of Dr. Cuong Dinh The, I have completed my thesis on time.
The thesis introduces VLAN and its benefits. It introduces the comparison between two networks, one of which does not use VLAN and the other does. In the second network, the performance is improved because the broadcast traffic is decreased.
Using VLAN also makes it more flexible to allocate network devices. When a network device is moved to another position, it can keep its IP configuration, and the administrator does not need to re-configure the router of the network.
Finally, the thesis shows the main advantage of VLAN, that is, security improvement. By using VLAN, the administrator can divide the network into subnets based on their functions and demands. Additionally, by using VLAN ACLs, it is possible to permit or deny specified traffic as well as to allow specified VLANs to communicate with each other.
These advantages explain why VLAN is used widely in campus and enterprise networks as well. However, it is complex to configure VLAN for a network; administrators easily misconfigure it and inadvertently create weaknesses for a hacker to attack the network.
To sum up, this thesis has presented useful information about the benefits of VLAN and how to configure VLAN for a campus or enterprise network.
As future work, I will study OPNET Modeler further; it is a powerful tool for simulating and modeling not only computer networks but also other communication networks.

REFERENCES
[1] Vũ Minh Tiến, Mạng máy tính, People's Army Publishing, 2002.
[2] Alberto Leon-Garcia & Indra Widjaja, Communication Networks: Fundamental Concepts and Key Architectures, McGraw-Hill, 2001.
[3] Cesc Canet & Juan Agustín Zaballos, Security Labs in OPNET IT Guru, OPNET.com.
[4] Chriss Hoffmann, VLAN Security in the LAN and MAN Environment, SANS Institute, 2003.
[5] Cisco Systems, Virtual LAN Security Best Practices.
[6] Emad Aboelela, Ph.D., Computer Networks: A Systems Approach, 3rd Edition, Network Simulation Experiments Manual, University of Massachusetts Dartmouth, Morgan Kaufmann Publishers, 2003.
[7] Mattias Björlin, A Study of Modeling and Simulation for Computer and Network Security, University of Stockholm / Royal Institute of Technology, June 2005.
[8] Saad Mohamed Abuguba, Performance Evaluation of Rapid Spanning Tree Protocol by Measurements and Simulation, Budapest University of Technology and Economics, Department of Telecommunications and Media Informatics, 2006.
[9] Securing Networks with Private VLANs and VLAN Access Control Lists, Cisco Systems.
[10] Virtual LAN: Application and Technology, a white paper, Micrel.
[11] Wayne Lewis, Ph.D., LAN Switching and Wireless, CCNA Exploration Companion Guide, Cisco Press, 2008.
[12] ANSI/IEEE Std 802.1D, 1998 Edition.
[13] http://en.wikipedia.org/wiki/Vlan
[14] http://en.wikipedia.org/wiki/STP

APPENDIX 1
List of applications used in this simulation

Searching
  HTTP Specification                     HTTP 1.1
  Page Interarrival time (seconds)       Exponential(10)
  Page properties
    Object Size (bytes)                  Constant (1000)   Medium image
    Number of objects (object per page)  Constant(1)       Constant(2)
    Location                             HTTP server
  Server selection
    Initial Repeat Probability           Search
    Page per Server                      Exponential(2)
  RSVP Parameter                         None
  Type of Service                        Best effort (0)
Table 3.4 Searching properties

WebBrowsing (HTTP_heavy Browsing)
  HTTP Specification                     HTTP 1.1
  Page Interarrival time (seconds)       Exponential(60)
  Page properties
    Object Size (bytes)                  Constant (1000)   Medium image
    Number of objects (object per page)  Constant(1)       Constant(5)
    Location                             HTTP server
  Server selection
    Initial Repeat Probability           Browse
    Page per Server                      Exponential(10)
  RSVP Parameter                         None
  Type of Service                        Best effort (0)
Table 3.5 WebBrowsing properties

http attack (HTTP_extreme heavy Browsing)
  HTTP Specification                     HTTP 1.1
  Page Interarrival time (seconds)       Exponential(10)
  Page properties
    Object Size (bytes)                  Constant (100000)   Large image
    Number of objects (object per page)  Constant(1)         Constant(10)
    Location                             HTTP server
  Server selection
    Initial Repeat Probability           Browse
    Page per Server                      Exponential(20)
  RSVP Parameter                         None
  Type of Service                        Best effort (0)
Table 3.6 http attack properties

Profile               Operation mode   Start time         Duration            Repeatability
Teacher               Simultaneous     Uniform(100,110)   End of simulation   Once at start time
Manager
High_loadAndimaging

Application used in each profile:

Teacher:

Manager:

High_loadAndImagining:
Imaging
  HTTP Specification                     HTTP 1.1
  Page Interarrival time (seconds)       uniform(10,20)
  Page properties
    Object Size (bytes)                  Constant (1000)   Large image
    Number of objects (object per page)  Constant(1)       Constant(7)
    Location                             HTTP server
  Server selection
    Initial Repeat Probability           Research
    Page per Server                      exponential(20)
  RSVP Parameter                         None
  Type of Service                        Best effort (0)
filetransfer_heavy:

DDoS attack:
Profile in use: attacher

Profile    Operation mode   Start time         Duration        Repeatability
attacher   Simultaneous     Uniform(100,110)   Constant(200)   Inter-repetition Time (s): Constant(600)
                                                               Number of repetitions: 5
                                                               Repetition pattern: serial

Application used in attacker profile:

httpattack
  HTTP Specification                     HTTP 1.1
  Page Interarrival time (seconds)       uniform(10,20)
  Page properties
    Object Size (bytes)                  Constant (100000)   Large image
    Number of objects (object per page)  Constant(1)         Constant()
    Location                             HTTP server
  Server selection
    Initial Repeat Probability           Research
    Page per Server                      exponential(20)
  RSVP Parameter                         None
  Type of Service                        Best effort (0)
