Advances in network technology and the spread of the Internet have produced a host of network technologies and applications, one of which is the Virtual Local Area Network (VLAN). In a legacy network, users were assigned to networks based on geography and were limited by physical topologies and distances. These networks were characterized by low speed, insecurity, and failure due to a lack of redundancy in the network. VLAN technology groups networks logically, so that a user's network membership is no longer tightly coupled to their physical location. Virtual Local Area Networks (VLANs) are extensively used in Ethernet networks and are widely deployed to reduce management complexity and to improve network performance and security in enterprise, campus and Data Center Networks (DCNs). In a bid to improve enterprise efficiency and drive down operational cost, enterprises have tapped into this technology. This project looks extensively at VLAN technology, identifying the components and features of the technology and its benefits. In this project the technology was used as a tool to upgrade an existing network in order to increase network performance, security and speed, and to make the network more efficient.
Most IP internetworks, as stated by Cormac L (2006), can be thought of as falling into one of two categories in relation to their design. There are the networks that have clearly been well designed, and there are those that have merely been pieced together over time. The perceptible difference between these two types of networks illustrates the importance of good design. A network that has been well designed is characterized by predictability and consistency in each of the following areas: performance, resilience, scalability, and running costs. A competent network design is the foundation upon which all successful network implementations are built. A well-designed network is a successful network.
In a traditional LAN (Local Area Network), workstations are connected to each other by means of a hub or a repeater. These devices propagate any incoming data throughout the network. However, if two stations attempt to send information at the same time, a collision will occur and all the transmitted data will be lost. Once the collision has occurred, it will continue to be propagated throughout the network by hubs and repeaters. The original information will therefore need to be resent after waiting for the collision to be resolved, thereby incurring a significant waste of time and resources, as Suba V (1997) notes. In a large production network with many users, this can slow the network down and reduce production efficiency. To prevent collisions from traveling through all the workstations in the network, managed switches can be used and the users in the network segmented into different broadcast domains using the concept known as VLANs (Virtual Local Area Networks). Within this project, extensive research into VLAN technology was carried out, and the various enterprise deployment options available, with their strengths and limitations, were highlighted.
1.1 BACKGROUND OF STUDY
For years, virtual LANs have played an important role in basic enterprise networking (Elaine J, 2011), enabling engineers to segment portions of their networks for security, management and scalability. The emergence of virtualization and cloud computing networks only makes understanding VLAN implementation more important. VLANs are key to providing management in a world of virtualization, even where virtual machines are constantly migrating, challenging the very basics of network management.
A VLAN is a separate IP sub-network which allows multiple networks and subnets to reside on the same switched network, a service that is typically provided by routers. A VLAN essentially becomes its own broadcast domain (Michael F, 2012), meaning that broadcast traffic generated within a particular domain stays in that domain without affecting devices in other domains, even though they are physically on the same switch. VLANs can be structured by department, function, or protocol, allowing for a finer level of granularity. VLANs are defined on the switch by individual ports; this allows VLANs to be placed on specific ports to restrict access. A VLAN cannot communicate directly with another VLAN, which is by design. If VLANs are required to communicate with one another, a router or Layer 3 switching is required. VLANs are capable of spanning multiple switches, and one can have more than one VLAN on multiple switches. For the most part VLANs are administered via Telnet and GUI interfaces, which are becoming increasingly popular.
VLANs can address many issues such as:
Security – Security is an important function of VLANs. A VLAN separates data that could be sensitive from the general network, so that sensitive or confidential data can traverse the network with a reduced chance that unauthorized users will gain access to data they are not authorized to see. Example: an HR Dept.’s computers/nodes can be placed in one VLAN and an Accounting Dept.’s in another, keeping the two departments’ traffic completely separate.
Cost – Cost savings can be seen by eliminating the need for additional expensive network equipment. VLANs will also allow the network to work more efficiently and command better use of bandwidth and resources.
Performance – Splitting up a switch into VLANs allows for multiple broadcast domains which reduces unnecessary traffic on the network and increases network performance.
Management – VLANs allow for flexibility with the current infrastructure and for simplified administration of multiple network segments within one switching environment.
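The following Python model is an added illustration, not code from the project, of the broadcast-domain behaviour described above: it parses Ethernet II frames with and without the 802.1Q tag that trunk links use, keeps a per-VLAN MAC table, and floods a broadcast only to ports that belong to the same VLAN. The port numbers, MAC addresses and the HR/Accounting VLAN ids are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100                       # EtherType that announces an 802.1Q tag
BROADCAST = bytes.fromhex("ffffffffffff")
ETH_ARP = 0x0806


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(raw):
    """Parse an Ethernet II frame that may carry one 802.1Q tag.
    Returns dst, src, vid (None when untagged), ethertype and payload."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid, offset = tci & 0x0FFF, 18    # low 12 bits of the TCI are the VLAN ID
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": raw[offset:]}


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame; giving a vid inserts the 4-byte 802.1Q tag after the source MAC."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


class VlanSwitch:
    """Toy model of a VLAN-aware switch: access ports carry one untagged VLAN,
    trunk ports carry several VLANs with tags, and MAC learning is per VLAN."""

    def __init__(self):
        self.access = {}      # port -> VLAN id
        self.trunks = {}      # port -> set of allowed VLAN ids
        self.mac_table = {}   # (vlan, mac) -> port

    def add_access_port(self, port, vlan):
        self.access[port] = vlan

    def add_trunk_port(self, port, allowed):
        self.trunks[port] = set(allowed)

    def _member(self, port, vlan):
        return self.access.get(port) == vlan or vlan in self.trunks.get(port, set())

    def _ingress_vlan(self, port, frame):
        """Classify an arriving frame into a VLAN, or None if it must be dropped."""
        if port in self.access:
            # access ports accept only untagged frames; a tagged frame here is dropped
            return self.access[port] if frame["vid"] is None else None
        if port in self.trunks and frame["vid"] in self.trunks[port]:
            return frame["vid"]
        return None

    def forward(self, ingress, raw):
        """Return {egress_port: frame_bytes}; an empty dict means the frame was dropped."""
        frame = parse_frame(raw)
        vlan = self._ingress_vlan(ingress, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame["src"])] = ingress
        known = self.mac_table.get((vlan, frame["dst"]))
        if frame["dst"] != BROADCAST and known is not None:
            targets = [] if known == ingress else [known]      # known unicast: one port
        else:
            targets = [p for p in list(self.access) + list(self.trunks)
                       if p != ingress and self._member(p, vlan)]  # flood inside the VLAN only
        out = {}
        for port in targets:
            tag = None if port in self.access else vlan         # trunks re-tag, access ports strip
            out[port] = build_frame(frame["dst"], frame["src"], frame["ethertype"],
                                    frame["payload"], vid=tag)
        return out


def broadcast_demo():
    """Constructed scenario: ports 1-2 in VLAN 10 (HR), port 3 in VLAN 20 (Accounting),
    port 5 a trunk carrying both. An ARP broadcast from port 1 must reach 2 and 5 only."""
    sw = VlanSwitch()
    sw.add_access_port(1, 10)
    sw.add_access_port(2, 10)
    sw.add_access_port(3, 20)
    sw.add_trunk_port(5, [10, 20])
    arp_request = build_frame(BROADCAST, mac("00:11:22:33:44:01"), ETH_ARP, b"\x00" * 28)
    return sw.forward(1, arp_request)


if __name__ == "__main__":
    for port, frame in sorted(broadcast_demo().items()):
        print(port, parse_frame(frame)["vid"])
```

Running the demo shows the Accounting port (3) never receives the HR broadcast, while the trunk copy carries tag 10 so the next switch can classify it into the same VLAN. The model also drops tagged frames arriving on an access port, which is the check that keeps a host from injecting its own VLAN tag to reach another broadcast domain.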
1.2 STATEMENT OF THE PROBLEM
JWD Hospital's network currently supports email, basic Internet access, and a few specialized medical software tools. Users have complained about occasional downtime and slow response times when accessing the network, especially at peak access times. The hospital network carries critical patient care data in real time from both a mainframe host and several servers to workstations in operating rooms, doctors’ offices, the billing office and teaching labs. Of course, all of the data transferred is highly confidential and must not be lost or accessed by unauthorized personnel. The current hardware used throughout the network was purchased over a long period of time and uses many different technologies. The new basic physical network architecture will require several upgrades in hardware to address these incompatibilities and older technologies. The result will be higher speeds, more reliability, and easier maintenance of network components. The upgraded hardware will use up-to-date, compatible technologies that will greatly facilitate troubleshooting and maintenance as well as resolve the slow access times that are currently being reported. In addition to updating the hardware, the solution outlines some changes in the network configuration whereby each of the departments in the hospital system will be grouped logically, based on its specific function, using VLANs. These changes, when implemented, will provide greater speed, reliability, efficiency and security for all users of the JWD network.
1.3 OBJECTIVES OF THE STUDY
The major aim of this project is to upgrade JWD Hospital’s network in order to:
- Provide more than adequate bandwidth to increase speed for smooth operation of the day-to-day activities of the hospital by using 50/125 micron multimode fiber optic cable for the network backbone and redundant connections.
- Provide adequate security for the network by using port security and access lists to filter traffic and deny unauthorized access to certain data and resources.
- Provide future expansion capability by using structured office cabling standard to upgrade the network.
- Improve the network’s fault tolerance by providing redundant links and switches at the distribution and core layers of the network.
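The security objective above names two controls, port security on the access switches and access lists at the point where VLANs are routed together. The Python below is an added model of both, not the project's own configuration; the departmental VLAN ids and 10.1.x.0/24 subnets are assumed values chosen to match the departments listed in the scope of work, and the rule set is a constructed illustration of the kind of filtering the objective describes.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed addressing plan: one subnet per department VLAN (assumed values, not from the report).
VLANS = {
    10: ("administration", ipaddress.ip_network("10.1.10.0/24")),
    20: ("accounting",     ipaddress.ip_network("10.1.20.0/24")),
    30: ("operating-room", ipaddress.ip_network("10.1.30.0/24")),
    40: ("medical-school", ipaddress.ip_network("10.1.40.0/24")),
    50: ("doctors-office", ipaddress.ip_network("10.1.50.0/24")),
    100: ("servers",       ipaddress.ip_network("10.1.100.0/24")),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def vlan_of(ip):
    """Map a host address to its VLAN by subnet membership (None if not in the plan)."""
    addr = ipaddress.ip_address(ip)
    for vid, (_, subnet) in VLANS.items():
        if addr in subnet:
            return vid
    return None


@dataclass
class AclRule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"                # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None       # destination port, None = any port

    def matches(self, src_ip, dst_ip, proto, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate_acl(rules, src_ip, dst_ip, proto, dport=None):
    """First matching rule wins; no match means the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"


# Applied on the router / Layer 3 switch, i.e. only to traffic that crosses a VLAN boundary.
INTER_VLAN_ACL = [
    AclRule("deny",   VLANS[40][1], VLANS[100][1]),               # teaching lab never reaches clinical servers
    AclRule("permit", VLANS[50][1], VLANS[100][1], "tcp", 443),   # doctors -> patient-record application
    AclRule("permit", VLANS[30][1], VLANS[100][1], "tcp", 443),   # operating rooms -> same application
    AclRule("permit", VLANS[20][1], VLANS[100][1], "tcp", 443),   # billing -> same application
    AclRule("permit", ANY,          VLANS[100][1], "udp", 53),    # everyone else may resolve names
    AclRule("permit", VLANS[10][1], ANY),                         # administrators reach all VLANs
]


@dataclass
class SecurePort:
    """Port security in 'shutdown' violation mode: learn up to max_macs source
    addresses, then err-disable the port on the first unknown one."""
    max_macs: int = 1
    learned: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0

    def ingress(self, src_mac):
        """True if the frame is accepted, False if dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)
            return True
        self.violations += 1
        self.err_disabled = True
        return False


def port_security_demo():
    """Constructed: a workstation port sees its own PC, then a second (unknown) MAC."""
    port = SecurePort(max_macs=1)
    results = [port.ingress("00:11:22:33:44:01"),  # learned
               port.ingress("00:11:22:33:44:01"),  # still accepted
               port.ingress("de:ad:be:ef:00:01"),  # violation -> port shuts down
               port.ingress("00:11:22:33:44:01")]  # the legitimate PC is cut off as well
    return results, port.err_disabled


if __name__ == "__main__":
    print(evaluate_acl(INTER_VLAN_ACL, "10.1.40.5", "10.1.100.10", "tcp", 443))  # deny
    print(port_security_demo())
```

Two points the model makes visible: rule order matters (the medical-school deny is placed first, so it also blocks that VLAN's DNS lookups even though a broader permit follows), and the access list only sees traffic that the router forwards between VLANs, so two hosts in the same department VLAN are never filtered by it. That is why the report pairs the access lists with port security on the access ports and with the VLAN separation itself.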
1.4 SIGNIFICANCE OF THE STUDY
Apart from using the structured office cabling standard (a structured office cabling system is a set of cabling and connectivity products that integrates the data, voice, video and building management systems of a building), which gives the upgraded network robustness and room for expansion, and separating the existing traffic into different broadcast domains using VLANs, this project also emphasizes that with VLANs one can control traffic patterns and react quickly to relocations, and that VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.
Another significance of this project is that partitioning a local network into several distinct segments, for example:
- Voice over IP
- network management
- storage area network (SAN)
- guest network
- demilitarized zone (DMZ)
over a common infrastructure shared across VLAN trunks can provide a very high level of security with great flexibility at a comparatively low cost.
1.5 SCOPE OF WORK
The project shall consider among other things the following issues:
- Provide an understanding about what VLANs technology is and how it works.
- Upgrade the WAN link: The upgrade of the WAN links is essential because, according to the company, the current bandwidth seems insufficient.
- Redesign JWD LAN by identifying single points of failure and provide redundant links.
- Isolate the administrative staff, accounting staff, operating room, medical school and doctors’ offices into different VLANs.
- Firewall: Provide a firewall at the router in order to prevent unauthorized access from outside JWD.
There are a few limitations to using VLANs, some of the more notable being:
- Broadcast limitations
- Management costs
In order to handle broadcast traffic in an ATM VLAN environment, it is necessary to have a special server that is an integrated part of the ATM infrastructure. This server has limitations in the number of broadcasts that may be forwarded. Some network protocols that will be running within individual VLANs, such as IPX and AppleTalk, make extensive use of broadcast traffic. This can push the switches or broadcast servers past their thresholds and may require special consideration when determining VLAN size and configuration.
In regard to management costs: A VLAN is a wide area network and typically requires additional security such as that provided by IPsec and PKI. The need to support geographically dispersed locations and extra security can increase overhead.
In regard to performance, local area networks typically operate at 100 Mbps with latencies of less than 5 ms. On the other hand, wide area networks typically connect at 1.5 Mbps or less with latencies averaging around 100 ms. So, a VLAN will not perform as well as a local network. This is generally not a problem, but it can be if applications are chatty (i.e., send a lot of small messages back and forth just to accomplish one task) or require a lot of bandwidth (e.g., video streaming). So, when designing a VLAN, one must take care to provide enough bandwidth to accommodate the applications being serviced (Mark T, 2002).
1.7 DEFINITION OF TERMS
ATM: Asynchronous Transfer Mode. International standard for cell relay in which multiple service types (such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. ATM is designed to take advantage of high-speed transmission media.
Bridge: A device that connects and passes packets between two network segments that use the same communications protocol. Bridges operate at the data link layer (Layer 2) of the OSI reference model. In general, a bridge will filter, forward, or flood an incoming frame based on the MAC address of that frame.
Broadcast Domain: The set of all devices that will receive broadcast frames originating from any device within the set.
Collision: In Ethernet, the result of two nodes that transmit simultaneously. The frames from each device impact and are damaged when they meet on the physical media.
Collision Domain: In Ethernet, the network areas within which frames that have collided are propagated. Repeaters and hubs propagate collisions; LAN switches, bridges and routers do not.
DHCP: Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
Edge Device: A physical device that is capable of forwarding packets between legacy interfaces (such as Ethernet and Token Ring) and ATM interfaces based on data-link and network layer information. An edge device does not participate in the running of any network layer routing protocol.
Ethernet: Baseband LAN specification invented by Xerox Corporation and developed jointly by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks use CSMA/CD and run over a variety of cable types ranging from 10 Mbps to gigabits. Ethernet is similar to the IEEE 802.3 series of standards.
Fast Ethernet: Any of a number of 100-Mbps Ethernet specifications, Fast Ethernet offers a speed increase ten times that of the 10BaseT Ethernet specification, while preserving such qualities as frame format, MAC mechanisms, and MTU. Fast Ethernet is based on an extension to the IEEE 802.3 specification.
Frame: The logical grouping of information sent as a data link layer unit over a transmission medium. Often refers to the header and trailer, used for synchronization and error control, which surround the user data contained in the unit.
Hub: Generally, a device that serves as the center of a star-topology shared network.
IEEE: Institute of Electrical and Electronics Engineers. The IEEE is a professional organization whose activities include the development of communications and network standards.
IP: Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, security, and fragmentation and reassembly.
Convergence: This is the time it takes for routers to arrive at a consistent understanding of the internetwork topology after a change takes place.
IP Address: 32-bit address assigned to hosts using TCP/IP. An IP address belongs to one of five classes (A, B, C, D, or E) and is written as four octets separated by periods (dotted decimal format). Each address consists of a network number, an optional subnetwork number, and a host number. The network and subnetwork numbers together are used for routing, while the host number is used to address an individual host within the network or sub network. A subnet mask is used to extract network and subnetwork information from the IP address.
LAN: Local-Area Network. High-speed, low-error data network covering a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area. LAN standards specify cabling and signaling at the physical and data link layers of the OSI model. Ethernet, FDDI, and Token Ring are widely used LAN technologies.
LANE: LAN emulation. Technology that allows an ATM network to function as a LAN backbone.
Latency: Delay between the times a device requests access to a network and the time it is granted permission to transmit.
Node: Endpoint of a network connection or a junction common to two or more lines in a network. Nodes can be processors, controllers, or workstations.
OSI Model: Open System Interconnection reference model. Network architectural model developed by ISO and ITU-T. The model consists of seven layers, each of which specifies particular network functions such as addressing, flow control, error control, encapsulation, and reliable message transfer. The lowest layer (the physical layer) is closest to the media technology. The lower two layers are implemented in hardware and software, while the upper five layers are implemented only in software. The highest layer (the application layer) is closest to the user. The OSI reference model is used universally as a method for teaching and understanding network functionality.
Packet: A logical grouping of information that includes a header containing control information and (usually) user data. The term is most often used to refer to network layer units of data.
Router: Network layer device that uses one or more metrics to determine the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on network layer information.
Subnet: In IP networks, a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by a network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks.
Subnet Mask: 32-bit address mask used in IP to indicate the bits of an IP address that are being used for the subnet address. The subnet mask is sometimes referred to simply as mask.
Switch: A network device that filters, forwards, and floods frames based on the destination address of each frame. The switch operates at the data link layer of the OSI model.
VLAN: Virtual LAN. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.