http://www.iaeme.com/IJEET/index.asp 372 [email protected]
International Journal of Electrical Engineering and Technology (IJEET)
Volume 11, Issue 3, May 2020, pp. 372-383, Article ID: IJEET_11_03_040
Available online at http://www.iaeme.com/IJEET/issues.asp?JType=IJEET&VType=11&IType=3
ISSN Print: 0976-6545 and ISSN Online: 0976-6553
Journal Impact Factor (2020): 10.1935 (Calculated by GISI) www.jifactor.com
© IAEME Publication
INVESTIGATION OF INTER VLAN ROUTING
AND DEPLOYING ACCESS CONTROL LIST
FOR CORPORATE NETWORK
Goli Swapan Mohit, Jayakrishna P, Sai Bhararth C
B. Tech, ECE, VIT University, Vellore, India
Ravi Kumar CV and Venugopal P
Sr. Asst. Professor, SENSE, VIT University, Vellore, India
ABSTRACT
This article presents IPv4 and IPv6 logical addressing for an organization network. The configurations applied in this system are: Access Control Lists (ACLs) on the Internet Service Provider (ISP) router that connects to the organization's edge router, to block selected services between our network and the outside internet; Network Address Translation (NAT) on the organization's edge router; and VLANs 15, 25, 35 and 88 on every switch of the organization. Round-trip delay was measured for pings within the same VLAN, between different VLANs, and between the IPv4 and IPv6 networks, using Cisco Packet Tracer 7.
Key words: Access Control List (ACL), Network Address Translation (NAT), Virtual LAN (VLAN), IPv4, IPv6, Cisco Packet Tracer (CPT).
Cite this Article: Goli Swapan Mohit, Jayakrishna P, Sai Bhararth C, Ravi Kumar CV
and Venugopal P, Investigation of Inter vlan Routing and Deploying Access Control
List for corporate Network, International Journal of Electrical Engineering and
Technology, 11(3), 2020, pp. 372-383.
http://www.iaeme.com/IJEET/issues.asp?JType=IJEET&VType=11&IType=3
1. INTRODUCTION
Cisco Packet Tracer (CPT) is multi-tasking network simulation software used to perform and analyse various network activities: implementing different topologies, selecting the optimum path under various routing algorithms, creating DNS and DHCP servers, subnetting, and analysing network configuration and troubleshooting commands. To design a network and start communication between end-user devices, we select the appropriate networking devices [3] such as routers, switches and hubs from the component list of Packet Tracer. Networking devices are costly, so it is better to build the design first in Packet Tracer to understand the concept and behaviour of the network.
IP Address: An IP address identifies a specific device within a particular network and is used for communication between different networks. There are two versions of IP address.
IP version 4 (32 bit): IPv4 addresses consist of 4 octets of 8 bits each, written in dotted-decimal notation. The boundary between the network and host portions was originally fixed by the address class (A, B or C; class D is reserved for multicast) and today is given by the subnet mask, in which network bits are written as 1 and host bits as 0 in binary notation.
IP version 6 (128 bit): IPv6 addresses are written in hexadecimal as 8 fields of 16 bits each. In the usual /64 layout the first 4 fields form the 64-bit global routing prefix (comparable to the network portion of IPv4) and the last 4 fields form the 64-bit interface ID.
2. ACCESS CONTROL LISTS (ACLs)
An ACL is an ordered set of rules that permit or deny traffic passing through a router. Each packet is compared against the rules from top to bottom and the first match decides; a packet that matches no rule is dropped by the implicit "deny any" at the end of every list. ACLs can be applied to inbound or outbound traffic on an interface, and in this role they resemble a packet-filtering firewall (a stateless one: the router keeps no connection table). Like firewalls, ACLs may be subject to security regulations and standards. There are two types of ACL.
2.1. Standard ACLs
Named or numbered (number ranges 1-99 and 1300-1999). They filter on the source IP address only, so they can block a host, subnet or network but not a selected service (FTP, HTTP, etc.). Because they cannot see the destination, they are normally placed as close to the destination as possible.
2.2. Extended ACLs
Named or numbered (number ranges 100-199 and 2000-2699). They filter on source IP address, destination IP address, protocol and port number, so they can block selected services as well as hosts, subnets or networks. They are normally placed as close to the source as possible.
3. NETWORK ADDRESS TRANSLATION SYSTEM MODEL
NAT is not used only for networks that connect to the Internet; it can also be used between private networks, but because most networks use it for their Internet connection, that is the case considered here. The NAT concept is simple: it allows a single device to act as the Internet gateway for the internal LAN clients by translating the clients' internal (private) IP addresses into the public IP address(es) held by the NAT-enabled gateway device. NAT is transparent to the network: internal devices need no reconfiguration to access the Internet. All that is required is that the network devices use the NAT device as their default gateway to the Internet. Note that NAT hides internal addresses but is not an access-control mechanism; the ACL on the ISP router (Step 7 in Section 5.1) is what actually restricts inbound traffic.
3.1. Static NAT
One-to-one mapping configured manually; every private address needs its own registered public IP address. A static mapping is permanent, so the mapped inside host is reachable from outside at any time unless an ACL restricts it.
3.2. Dynamic NAT
One-to-one mapping assigned automatically by the NAT device from a pool of registered addresses; each active private address still consumes one registered address.
Port Address Translation (dynamic NAT overload): thousands of private users share a single public address; the translated source port number distinguishes the users' sessions.
Figure 1 NAT System Model
4. VIRTUAL LOCAL AREA NETWORKS
One of the main problems of a poorly designed network is excessive flooding of broadcast traffic to every departmental port. One way to separate each department's broadcasts is to put the departments on separate physical switches, but switches are expensive, so network engineers devised a logical method: the physical switch is divided into logical segments, each called a virtual LAN, or VLAN for short. The objective of the VLAN is to separate each department's broadcast traffic, and dividing the switch into logical partitions gives us the flexibility to group the appropriate users into the same VLAN. The division is so complete that all traffic, unicast as well as broadcast, is isolated within each VLAN, and we consider this full isolation a security advantage. The isolation holds only at layer 2, and only as long as trunk ports are configured explicitly and unused ports are shut down or placed in an unused VLAN; otherwise a host may negotiate a trunk (DTP) or abuse the native VLAN to inject frames into other VLANs (VLAN hopping). To carry VLAN traffic between switches, or between a switch and the router, the connecting ports are configured as trunk ports, which tag each frame (802.1Q) with its VLAN so that members of the same VLAN on different switches can communicate.
4.1. Inter-VLAN Routing using Subinterfaces
When we want communication between different VLANs we need a device that can route. We can use an external router (the "router on a stick" of Figure 2) or a multilayer switch (a layer 3 switch).
Figure 2 Router on Stick with different VLANs
4.2. Subinterfaces
We need subinterfaces when we have more VLANs than physical links. A trunk is set up between the switch and the router, and the router's physical interface is divided into one subinterface per VLAN, each with 802.1Q encapsulation for its VLAN ID and the IP address that serves as that VLAN's default gateway.
Figure 3 Router with subinterfaces
5. OSPF (OPEN SHORTEST PATH FIRST)
OSPF is a link-state protocol. It uses the Shortest Path First (Dijkstra) algorithm and has no hop-count limit. Its metric is cost = 10^8 / interface bandwidth (bits per second), with an administrative distance of 110. It is a classless routing protocol (updates carry the subnet mask and support VLSM) and it supports equal-cost load balancing. An area is a logical grouping of routers that all maintain the same link-state database; a topology change affects every router in the same area. The concept of areas limits the size of the database and confines the flooding of changes to the area in which they occur (they are not flooded outside the area). Routers within the same area run the SPF algorithm over the shared database.
Figure 4 OSPF with single area
Figure 5 Network Diagram System Model
Table 1 Device Parameters

Name of device     Specifications
Generic Router     2 serial ports, 2 Gigabit Ethernet ports
Generic Switch     9 Fast Ethernet ports
Generic Server     1 Fast Ethernet port
End devices        PCs
Connections        Serial DCE, copper straight-through and copper cross-over cable
5.1. Steps to configure System Model
Step 1:
Using the address information in the topology diagram configure:
- Web Server:
ip address - 192.168.35.252
subnet mask - 255.255.255.0
gateway - 192.168.35.1
DNS server - 192.168.35.253
- DNS Server:
ip address - 192.168.35.253
subnet mask - 255.255.255.0
gateway - 192.168.35.1
DNS server - 127.0.0.1
- PC-Admin:
ip address - 192.168.88.10
subnet mask - 255.255.255.0
gateway - 192.168.88.1
DNS server - 192.168.35.253
Step 2:
Using the information in the topology diagram, configure S1, S2, S3 with the following initial settings:
1. hostname
2. VLANs and VLAN names
3. trunks (allowed VLANs and native VLAN) - S1, S2, S3 VLANs allowed: 15, 25, 35, 88, 98; native: 98
4. access switchports with their VLANs
5. shut down unused switchports
6. management interface VLAN 88 with an IP address
7. use the planned R1 address 192.168.88.1 as the default gateway
Step 3:
Using the address information in the topology diagram configure
R1, R2, R3 with the following initial settings:
1. hostname,
2. interface addresses and subnet masks R1, R2, R3
3. R1 g0/0 & R3 g0/0
- sub-interface addressing and 802.1q encapsulation
4. Enable IPv6 routing on R2 and R3
5. R2 s0/1/1, s0/0/0, s0/0/1, g0/0 - IPv6 addressing (see topology diagram)
R3 g0/0 , g0/1 s0/0/0 - IPv6 addressing (see topology diagram)
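Steps 2 and 3 above, together with Sections 4.1 and 4.2, describe the switch and router-on-a-stick setup. The following configuration is an added worked example of those steps, not the article's own configuration (the article's screenshots are not reproduced here). It uses the addresses the article states (R1 gateways 192.168.35.1 and 192.168.88.1, VLANs 15, 25, 35, 88, native VLAN 98) and assumes everything else: the VLAN names, the S1 management address 192.168.88.2, the R1 gateways 192.168.15.1 and 192.168.25.1, the port numbering (Fa0/1-Fa0/2 as trunks, Fa0/3 and Fa0/4 as access ports, Fa0/5-Fa0/9 unused) and R1's uplink. Only S1 and R1 are shown; S2, S3 and R3 follow the same pattern.

```cisco
! ---- S1 (Step 2). Port numbers and VLAN names are assumed; adjust to the model in use. ----
hostname S1
!
vlan 15
 name USERS-15
vlan 25
 name USERS-25
vlan 35
 name SERVERS
vlan 88
 name MGMT
vlan 98
 name NATIVE
!
! Trunks toward the router and the next switch: mode forced (no DTP),
! untagged (native) VLAN moved off VLAN 1, allowed list pruned to what is needed.
interface range FastEthernet0/1 - 2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 98
 switchport trunk allowed vlan 15,25,35,88,98
!
! Access ports: forced to access mode so a host cannot negotiate itself a trunk.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 15
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 35
!
! Step 2.5: unused ports shut down (assumed range).
interface range FastEthernet0/5 - 9
 shutdown
!
! Step 2.6 / 2.7: management SVI in VLAN 88; gateway is R1's VLAN 88 address.
interface Vlan88
 ip address 192.168.88.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.88.1
!
! ---- R1 (Step 3.3): router on a stick, one 802.1Q subinterface per VLAN ----
hostname R1
!
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
interface GigabitEthernet0/0.25
 encapsulation dot1Q 25
 ip address 192.168.25.1 255.255.255.0
interface GigabitEthernet0/0.35
 encapsulation dot1Q 35
 ip address 192.168.35.1 255.255.255.0
interface GigabitEthernet0/0.88
 encapsulation dot1Q 88
 ip address 192.168.88.1 255.255.255.0
! Native VLAN must match the trunk on S1. It carries no address, so untagged
! frames that reach the router have nothing routable to land on.
interface GigabitEthernet0/0.98
 encapsulation dot1Q 98 native
```

Check the result with show vlan brief and show interfaces trunk on S1 and show ip interface brief on R1. The two settings that carry the isolation claimed in Section 4 are switchport mode access plus switchport nonegotiate (no port can be talked into becoming a trunk) and a native VLAN that is an otherwise unused VLAN with no routed address.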
Step 4:
Configure single-area OSPFv2 on R1, R2, R3 (and R4):
R1
ospf process id 1
router-id 1.1.1.1
networks: all (area 0)
do not send OSPF hellos out of any LAN interface (make them passive)
R2
first create a default route on R2 out of s0/1/0
ospf process id 1
router-id 2.2.2.2
networks 192.168.5.0 and 192.168.5.4 (area 0)
do not send OSPF hellos out of the s0/1/0 interface (make it passive)
advertise the default route to the other OSPF routers
R3
ospf process id 1
router-id 3.3.3.3
networks: all (area 0)
do not send OSPF hellos out of any LAN interface (make them passive)
R4
ospf process id 1
router-id 5.5.5.5
networks: all (area 0)
do not send OSPF hellos out of any LAN interface (make them passive)
Step 5:
Configure OSPFv3 on R2 and R3:
R3
ipv6 ospf process id 10
router-id 3.3.3.3
passive interfaces: g0/0 and g0/1
configure s0/0/0 and g0/1 with ipv6 ospf 10 area 0
R2
ipv6 ospf process id 10
router-id 2.2.2.2
passive interface: s0/0/0
configure s0/0/1 and g0/0 with ipv6 ospf 10 area 0
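Steps 4 and 5 (and the OSPF description in Section 5) in command form, as an added example rather than the article's own screenshots. The name of R1's and R3's uplink interface (Serial0/0/0) and the use of a single 192.168.0.0/16 network statement to express "networks all" are assumptions; R4 is omitted because it follows the R1 pattern.

```cisco
! ---- R1 (Step 4): OSPFv2, every LAN subinterface passive ----
router ospf 1
 router-id 1.1.1.1
 network 192.168.0.0 0.0.255.255 area 0
 passive-interface default
 no passive-interface Serial0/0/0
!
! ---- R2 (Step 4): default route toward the ISP, advertised into area 0 ----
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
router ospf 1
 router-id 2.2.2.2
 network 192.168.5.0 0.0.0.3 area 0
 network 192.168.5.4 0.0.0.3 area 0
 passive-interface Serial0/1/0
 default-information originate
!
! ---- R3 (Step 5): OSPFv3 process 10 ----
ipv6 unicast-routing
ipv6 router ospf 10
 router-id 3.3.3.3
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/1
interface Serial0/0/0
 ipv6 ospf 10 area 0
interface GigabitEthernet0/1
 ipv6 ospf 10 area 0
!
! ---- R2 (Step 5): OSPFv3 process 10 ----
ipv6 unicast-routing
ipv6 router ospf 10
 router-id 2.2.2.2
 passive-interface Serial0/0/0
interface Serial0/0/1
 ipv6 ospf 10 area 0
interface GigabitEthernet0/0
 ipv6 ospf 10 area 0
```

Verify with show ip ospf neighbor, show ip route ospf (R1 and R3 should learn an O*E2 0.0.0.0/0 from R2) and show ipv6 ospf neighbor. Nothing in the steps authenticates OSPF; on a real network add ip ospf authentication message-digest and an ip ospf message-digest-key on the serial links, otherwise any device attached to a link can inject routes, including a default route that diverts all outbound traffic.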
Step 6:
Configure static and dynamic NAT on R2:
1. Configure a static NAT rule translating the global address 209.165.201.65 to the local web server at 192.168.35.252
2. Configure int s0/1/0 as the outside NAT interface
3. Configure int s0/0/0 and s0/0/1 as the inside NAT interfaces
4. Configure a NAT pool named R2NATPOOL for 209.165.201.66 through 209.165.201.69, with the netmask as close as possible to masking just those addresses (255.255.255.248, i.e. /29, is the tightest mask that covers .66-.69)
5. Configure access-list 15 to permit the 192.168.15.0/24 network
6. Configure access-list 25 to permit the 192.168.25.0/24 network
7. Create two separate dynamic NAT rules:
- "ip nat inside" that maps access-list 15 to the nat pool with overload
- "ip nat inside" that maps access-list 25 to the nat pool with overload
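Section 3 and Step 6 in command form, as an added example rather than the article's own R2 configuration. The interface names and addresses are the ones the steps give; nothing else is assumed.

```cisco
! ---- R2 (Step 6): static NAT for the web server, PAT for VLANs 15 and 25 ----
! 6.1 one-to-one and permanent: the server is reachable from outside on .65
ip nat inside source static 192.168.35.252 209.165.201.65
!
! 6.2 / 6.3 the direction of translation is defined per interface
interface Serial0/1/0
 ip nat outside
interface Serial0/0/0
 ip nat inside
interface Serial0/0/1
 ip nat inside
!
! 6.4 pool .66-.69; the tightest mask covering them is /29 (.64-.71)
ip nat pool R2NATPOOL 209.165.201.66 209.165.201.69 netmask 255.255.255.248
!
! 6.5 / 6.6 standard ACLs used as match lists (which inside sources may be
! translated), not as traffic filters. VLAN 35 and VLAN 88 are deliberately
! absent, so the management VLAN never gets a public address.
access-list 15 permit 192.168.15.0 0.0.0.255
access-list 25 permit 192.168.25.0 0.0.0.255
!
! 6.7 overload = PAT: many inside hosts share the pool, told apart by port
ip nat inside source list 15 pool R2NATPOOL overload
ip nat inside source list 25 pool R2NATPOOL overload
!
! Verification (exec mode) for Section 7
! show ip nat translations
! show ip nat statistics
! clear ip nat translation *
```

show ip nat translations lists the static entry permanently and the PAT entries only while flows are active; show ip nat statistics shows the pool's four addresses and the hit counts. Two consequences worth keeping in view: the static entry makes every port of 192.168.35.252 reachable at 209.165.201.65, so the filtering rests entirely on ACL 100 on R4 (Step 7); and a host in VLAN 35 or 88 is never translated, so a ping from PC-Admin to the internet leaves with a private source address and gets no reply.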
Step 7:
Configure access lists on R4 to limit outside access into the network:
1. Configure an extended access-list 100 to achieve the following goals (3 lines only):
- from the outside, permit port 80 access to the web server (at its global address 209.165.201.65)
- from the outside, permit only pings that were initiated from within the network (echo replies)
- permit "established" web page requests generated from within the network only (use the established keyword at the end of the line; it matches TCP segments with the ACK or RST bit set and is stateless)
- deny all other kinds of communication from outside the network (the implicit deny at the end of the list; no fourth line is needed)
2. Apply the list outbound on R4's interface toward the edge router (R2).
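Section 2 and Step 7 in command form, as an added example (not the article's R4 screenshot). The web server's global address 209.165.201.65 comes from Step 6; the name of R4's interface toward R2, Serial0/0/0, is an assumption.

```cisco
! ---- R4 (Step 7): outside-to-inside filter, applied outbound toward R2 ----
! Lines are evaluated top-down and the first match wins; anything not matched
! hits the implicit "deny ip any any" at the end of the list.
! R4's interface toward R2 is assumed to be Serial0/0/0.
!
! 1. Outside may open HTTP to the web server's global (pre-static-NAT) address
access-list 100 permit tcp any host 209.165.201.65 eq www
! 2. Only replies to pings that started inside come back (echo-reply, never echo)
access-list 100 permit icmp any any echo-reply
! 3. "established" matches TCP segments with ACK or RST set, i.e. replies to
!    connections opened from inside. It is stateless: any segment with ACK set
!    passes, so this is weaker than a stateful firewall.
access-list 100 permit tcp any any established
!
interface Serial0/0/0
 description toward R2 (corporate edge)
 ip access-group 100 out
!
! Verification: hit counters show which line each Section 7 test matched
! show access-lists 100
! show ip interface Serial0/0/0 | include access list
```

After running the three tests of Section 7, show access-lists 100 shows a hit count on each line, which is the quickest way to confirm that a test matched the line intended rather than slipping through another. The established line is the weak point: it admits any TCP segment with ACK set, so it lets ACK scans through and never verifies that a connection exists; a stateful firewall (for example the IOS zone-based firewall) would be needed for that.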
Step 8:
Configure the following on R3:
- password minimum length 10 characters
- encrypt all passwords (service password-encryption; this is reversible type 7 obfuscation of plain-text passwords, whereas "secret" entries are hashed)
- banner motd "No unauthorized access allowed!"
- administrative user account:
  username: admin
  secret password: 12345 (note: real IOS enforces the 10-character minimum on username secrets as well, so a 5-character secret is rejected once the minimum length is set; use one of at least 10 characters)
- enable secret: class12345
- named standard access-list ADMIN-MGT permitting only host PC-Admin (192.168.88.10) remote Telnet access (Telnet is clear text; SSH is preferable on a real device)
- console 0 and vty 0 4: use the local database for logins, timeout after 5 minutes, apply ADMIN-MGT to the vty lines (access-class ... in)
- save running-config to startup-config
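Step 8 in command form, as an added example (not the article's R3 screenshot). The admin secret is a placeholder of more than 10 characters (assumed), because the 5-character value in the step would be rejected by the minimum-length setting; the other values are those the step gives.

```cisco
! ---- R3 (Step 8): management-plane hardening ----
hostname R3
!
! Minimum length is enforced on enable secrets, username secrets and line
! passwords, so "12345" from the step would fail here; a 10+ character
! placeholder is used instead (assumed value, not the article's).
security passwords min-length 10
!
! Type 7 encryption of plain "password" entries: obfuscation only, reversible.
! Real protection comes from "secret" entries, which are stored as hashes.
service password-encryption
!
banner motd #No unauthorized access allowed!#
!
username admin secret Adm1nPassw0rd!
enable secret class12345
!
! Named standard ACL (Section 2.1): source-only filter with the implicit deny
! at the end, so only PC-Admin may open a remote session.
ip access-list standard ADMIN-MGT
 permit host 192.168.88.10
!
line console 0
 login local
 exec-timeout 5 0
line vty 0 4
 login local
 exec-timeout 5 0
 access-class ADMIN-MGT in
 transport input telnet
!
end
! exec mode: persist the configuration
copy running-config startup-config
```

On real IOS prefer transport input ssh (after ip domain-name and crypto key generate rsa), since Telnet sends the admin credentials in clear text across VLAN 88; and on IOS 15.3 and later enable algorithm-type scrypt secret ... and username ... algorithm-type scrypt secret ... store type 9 hashes instead of the default MD5-based type 5.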
6. CONFIGURATION
(The configuration screenshots of the original article are not reproduced in this transcript; only their captions survive.)
Switch configuration (S1); S2 and S3 are configured similarly.
Router configuration (R2, edge router: NAT configuration).
Router configuration (R4, ISP router: ACL configuration). The ACL is applied outbound on the interface toward R2 (ip access-group 100 out) so that it takes effect on that interface.
OSPF configuration.
OSPFv3 extra configuration: the IPv6 configuration is completed on interface g0/0.
7. EXAMINING THE CONFIGURATION
Verification of the ACL configuration:
Ping from our network to the internet (expected to succeed: the echo reply matches the echo-reply line of ACL 100).
Ping from the internet to our network (expected to be blocked: echo requests fall to the implicit deny).
Web service request from the internet to our web server (expected to succeed on port 80 to 209.165.201.65).
Verification of NAT:
Static NAT: resolves 209.165.201.65 to 192.168.35.252.
Port Address Translation: translates our network PCs' addresses to 209.165.201.66-209.165.201.69 and pings the outside internet.
OSPFv3 ping verification from the test network to the IPv6 server.
Time delay calculations
1)For same VLAN 15
2)For VLAN15 to VLAN 25
3)For VLAN 15 to VLAN 35
8. CONCLUSION
From the above results we can say that all the above configurations were verified successfully. The ACLs used in this network act as a (stateless) packet filter between our network and the internet. NAT translates private IP addresses to public ones when connecting to the internet, because private addresses are not routable on the internet. VLANs provide layer 2 segmentation: hosts in different VLANs cannot communicate until inter-VLAN routing is specifically configured. OSPF, a dynamic routing protocol, is used to share network information between the routers. When workstations in the same VLAN communicate the round-trip delay is 1 ms, but when they communicate across different VLANs the round-trip delay is approximately 25 ms.
REFERENCES
[1] Weinstein, S. B. and Ebert, P. M. (1971) 'Data transmission by frequency-division multiplexing using the discrete Fourier transform', IEEE Transactions on Communications, Vol. 19, No. 5, pp. 628–634.
[2] Fettweis, G., Bahai, A. S. and Anvari, K. (1994) 'On multi-carrier code division multiple access (MC-CDMA) modem design', in VTC 1994: Proceedings of the IEEE Vehicular Technology Conference, Stockholm, pp. 1670–1674.
[3] Hanzo, L. and Keller, T. (2006) OFDM and MC-CDMA: A Primer, John Wiley, West Sussex.
[4] Yee, N. and Linnartz, J. P. (1993) 'Multicarrier CDMA in indoor wireless radio networks', in PIMRC 1993: Proceedings of PIMRC, Yokohama, pp. 109–113.
[5] Proakis, J. G. (1995) Digital Communications, McGraw-Hill, New York.
[6] Steele, R. and Hanzo, L. (1999) Mobile Radio Communications, John Wiley and IEEE Press, New York.
[7] Verdu, S. (1998) Multiuser Detection, Cambridge University Press, Cambridge.
[8] Bhaskar, V. and Pai, L. S. (2013) 'Performance analysis of MC-CDMA systems under Nakagami-Hoyt fading', Wireless Personal Communications, Vol. 69, No. 4, pp. 1885–1898.
[9] Silva, A., Teodoro, S., Dinis, R. and Gameiro, A. (2014) 'Iterative frequency-domain detection for IA-precoded MC-CDMA system', IEEE Transactions on Communications, Vol. 62, No. 4, pp. 1240–1248.
[10] Yan, Y. and Ma, M. (2015) 'Novel frequency-domain oversampling receiver for CP MC-CDMA systems', IEEE Communications Letters, Vol. 19, No. 4, pp. 661–664.
[11] Sung, W. L., Chang, Y. K., Ueng, F. B. and Shen, Y. S. (2015) 'A new SAGE-based receiver for MC-CDMA communication systems', Wireless Personal Communications, Vol. 85, No. 3, pp. 1617–1634.
[12] Hornik, K. (1989) 'Multilayer feedforward networks are universal approximators', Neural Networks, Vol. 2, No. 5, pp. 359–366.
[13] Hornik, K. (1991) 'Approximation capabilities of multilayer feedforward networks', Neural Networks, Vol. 4, No. 2, pp. 251–257.
[14] Haykin, S. (1999) Neural Networks, Pearson Education, Singapore.
[15] Taspinar, N. and Cicek, M. (2013) 'Neural network based receiver for multiuser detection in MC-CDMA systems', Wireless Personal Communications, Vol. 68, No. 2, pp. 463–472.
[16] Patra, J. C., Pal, R. N., Baliarsingh, R. and Panda, G. (1999) 'Nonlinear channel equalization for QAM signal constellation using artificial neural networks', IEEE Transactions on Systems, Man, and Cybernetics, Vol. 29, No. 2, pp. 262–271.
[17] Ravikumar, C. V. and Bagadi, K. (2016) 'Robust neural network based multiuser detector in MC-CDMA for multiple access mitigation', Indian Journal of Science & Technology, Vol. 9, No. 30.
[18] Ravikumar, C. V. and Bagadi, K. (2016) 'Performance analysis of HSRP in provisioning layer-3 gateway redundancy for corporate networks', Indian Journal of Science & Technology, Vol. 9, No. 20.
[19] Bagadi, K. and Ravikumar, C. V. (2016) 'Performance analysis of IPv4 to IPv6 transition methods', Indian Journal of Science & Technology, Vol. 9, No. 20.
[20] Mishra, A. K. and Sahoo, A. (2007) 'S-OSPF: A traffic engineering solution for OSPF based on best effort network', IEEE Globecom, pp. 1845–1849.
[21] Srisuresh, P. and Egevang, K. (2001) 'Traditional IP Network Address Translator (Traditional NAT)', RFC 3022, Internet Engineering Task Force, January 2001. Available at http://www.faqs.org/rfcs/rfc3022.html