
http://www.iaeme.com/IJEET/index.asp 372

International Journal of Electrical Engineering and Technology (IJEET)

Volume 11, Issue 3, May 2020, pp. 372-383, Article ID: IJEET_11_03_040

Available online at http://www.iaeme.com/IJEET/issues.asp?JType=IJEET&VType=11&IType=3

ISSN Print: 0976-6545 and ISSN Online: 0976-6553

Journal Impact Factor (2020): 10.1935 (Calculated by GISI) www.jifactor.com

© IAEME Publication

INVESTIGATION OF INTER VLAN ROUTING

AND DEPLOYING ACCESS CONTROL LIST

FOR CORPORATE NETWORK

Goli Swapan Mohit, Jayakrishna P, Sai Bhararth C

B. Tech, ECE, VIT University, Vellore, India

Ravi Kumar CV and Venugopal P

Sr. Asst. Professor, SENSE, VIT University, Vellore, India

ABSTRACT

This article presents an IPv4 and IPv6 logical addressing scheme for an organization network. The configurations performed in this system are: Access Control Lists (ACLs) on an Internet Service Provider (ISP) router connected to the edge router of the organization network, to block a few services from our network to the outside web that is connected to the ISP router; Network Address Translation (NAT) on the edge router of the organization; and Virtual LANs (VLANs) 15, 25, 35 and 88 on each switch of the organization. The time delay has been determined for pings within the same VLAN, between different VLANs, and between IPv4 and IPv6 systems using Cisco Packet Tracer 7.

Key words: Access Control List (ACL), Network Address Translation (NAT), Virtual LAN (VLAN), IPv4, IPv6, Cisco Packet Tracer (CPT).

Cite this Article: Goli Swapan Mohit, Jayakrishna P, Sai Bhararth C, Ravi Kumar CV and Venugopal P, Investigation of Inter vlan Routing and Deploying Access Control List for corporate Network, International Journal of Electrical Engineering and Technology, 11(3), 2020, pp. 372-383. http://www.iaeme.com/IJEET/issues.asp?JType=IJEET&VType=11&IType=3

1. INTRODUCTION

Cisco Packet Tracer (CPT) is multi-tasking network simulation software used to perform and analyse various network activities such as the implementation of different topologies, selection of the optimum path based on various routing algorithms, creation of DNS and DHCP servers, subnetting, and analysis of various network configuration and troubleshooting commands. In order to start communication between end-user devices and to design a network, we need to select appropriate networking devices [3] such as routers, switches and hubs from the component list of Packet Tracer. Networking devices are costly, so it is better to work first in Packet Tracer to understand the concept and behaviour of networking


IP Address: An IP address identifies a specific device in a particular network and is used for communication between two different networks. There are two versions of IP address.

IP version 4 (32 bit): An IPv4 address consists of four octets of 8 bits each. Each octet can be assigned to the network or the host portion based on the address class (A, B, C, D). In binary (mask) notation the network portion bits are denoted by "1" and the host portion bits by "0".

IP version 6 (128 bit): An IPv6 address is represented in hexadecimal format as eight fields of 16 bits each. The first four fields are the 64-bit global prefix, similar to the network portion in IPv4, and the last four fields are the 64-bit interface ID.
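The octet/field arithmetic described above, as an added Python example that is not part of the paper: it splits an IPv4 address into network and host portions under a dotted mask, derives the classful category from the leading bits, checks that a host and its gateway share a network portion (the Step 1 host settings reuse the paper's addresses), and splits an IPv6 address into its 64-bit global prefix and 64-bit interface ID. The IPv6 address is a constructed value from the documentation prefix, not one from the paper's topology.

```python
import ipaddress

def ipv4_class(addr: str) -> str:
    """Classful category (A-D as in the text; E is the remaining reserved block),
    determined by the leading bits of the first octet."""
    first = int(addr.split(".")[0])
    for limit, cls in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return cls
    return "E"

def ipv4_split(addr: str, mask: str) -> dict:
    """Network and host portions of an IPv4 address under a dotted mask.
    The mask has 1 bits over the network portion and 0 bits over the host
    portion, so AND-ing with it selects the network and its complement the host."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return {
        "network": str(net),                                  # e.g. 192.168.35.0/24
        "host_portion": a & ~m & 0xFFFFFFFF,                  # host number inside it
        "mask_binary": ".".join(f"{(m >> s) & 0xFF:08b}" for s in (24, 16, 8, 0)),
        "usable_hosts": net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses,
    }

def same_subnet(host: str, mask: str, gateway: str) -> bool:
    """A host only reaches its default gateway if both share the network portion;
    a gateway on another subnet is a common misconfiguration."""
    return ipv4_split(host, mask)["network"] == ipv4_split(gateway, mask)["network"]

def ipv6_split(addr: str) -> dict:
    """Eight 16-bit fields: the first four form the 64-bit global prefix,
    the last four the 64-bit interface ID."""
    value = int(ipaddress.IPv6Address(addr))
    fields = [f"{(value >> (16 * (7 - i))) & 0xFFFF:04x}" for i in range(8)]
    return {
        "fields": fields,
        "global_prefix": ":".join(fields[:4]) + "::/64",
        "interface_id": ":".join(fields[4:]),
    }

if __name__ == "__main__":
    # Web server from Step 1 and a constructed IPv6 address (documentation prefix)
    print(ipv4_class("192.168.35.252"), ipv4_split("192.168.35.252", "255.255.255.0"))
    print(same_subnet("192.168.88.10", "255.255.255.0", "192.168.88.1"))
    print(ipv6_split("2001:db8:acad:1::10"))
```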

2. ACCESS CONTROL LISTS (ACLs)

An ACL is a set of rules that allows or denies the traffic moving through a router; it controls the flow of traffic from one network to another via the router. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs may be subject to security regulations and standards. Types of ACLs:

2.1. Standard ACLs

They can be named or numbered; the number range is 1-99 (or 1300-1699). A standard ACL can block a network, host or subnet but cannot block selected services (e.g. FTP, HTTP). Filtering is done by source IP address only.

2.2. Extended ACLs

They can be named or numbered; the number range is 100-199 (or 2000-2699). An extended ACL can block a network, host or subnet and can also block selected services. Filtering is done based on source IP, destination IP, protocol and port number.

3. NETWORK ADDRESS TRANSLATION SYSTEM MODEL

NAT is not only used for networks that connect to the Internet. You can use NAT even between private networks, as we will see in the pages to follow, but because most networks use it for their Internet connection, we are focusing on that. The NAT concept is simple: it allows a single device to act as an Internet gateway for internal LAN clients by translating the clients' internal network IP addresses into the IP address on the NAT-enabled gateway device. NAT is transparent to your network, meaning that internal network devices are not required to be reconfigured in order to access the Internet. All that is required is to let your network devices know that the NAT device is the default gateway to the Internet.

3.1. Static NAT

A one-to-one mapping configured manually. Every private address needs one registered public IP address.

3.2. Dynamic NAT

A one-to-one mapping made automatically by the NAT device; for every private IP address one registered IP address is used. Port Address Translation (dynamic NAT overload): thousands of private users share a single public address, and the port number is used to differentiate between users.


Figure 1 NAT System Model

4. VIRTUAL LOCAL AREA NETWORKS

One of the main problems of a poorly designed network is excessive flooding to every departmental port. One way to separate every department's broadcast traffic is to place each department on a separate physical switch, but switches are expensive to buy, so network engineers came up with the idea of separating the departments' broadcast traffic using a logical method. The logical method allows the physical switch to be divided into logical segments. Each logical segment is called a virtual LAN, or VLAN for short. The objective of the VLAN is to separate each department's broadcast traffic. The VLAN gives us the ability to segment our switch into logical divisions, and when dividing the switch into logical partitions we have the flexibility to group the appropriate users into the same VLANs. Although the objective of the VLAN is to separate each department's broadcast traffic, the division is so complete that all traffic, be it unicast or broadcast, is isolated within each VLAN, and we consider this full isolation a security advantage. In order to carry VLAN traffic between switches, the ports that carry VLAN traffic need to be configured as trunk ports, so that hosts in the same VLAN on different switches can communicate.

4.1. Inter-VLAN Routing using a Subinterface

When we want communication between different VLANs we need a device that can do routing. We could use an external router, but it is also possible to use a multilayer switch (also known as a layer 3 switch).

Figure 2 Router on Stick with different VLANs


4.2. Subinterface

We need subinterfaces when we have more VLANs than physical links. We have to set up a trunk port between the switch and the router, then configure the physical interface and the subinterfaces on the router.

Figure 3 Router with subinterfaces

5. OSPF (OPEN SHORTEST PATH FIRST)

OSPF is a link-state protocol. It uses the Shortest Path First (Dijkstra's) algorithm and has an unlimited hop count. Its metric is a cost of 10^8/bandwidth, with an administrative distance of 110. It is a classless routing protocol (it carries subnet mask information and supports VLSM) and it supports equal-cost load balancing. An area is a logical grouping of routers, all of which maintain the same database within the area; any change impacts all routers within the same area. The concept of areas minimizes the size of the database and also restricts any change to that area (it is not flooded outside the area). Routers within the same area participate in the algorithm.
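The cost formula and the Shortest Path First computation described above, as an added Python example that is not the paper's own code: interface cost is reference bandwidth divided by link bandwidth (floored, minimum 1), and Dijkstra is run over a constructed single-area topology, keeping every next hop that reaches a destination at the same total cost, which is the input to equal-cost load balancing. The topology, the 1.544 Mbit/s serial and 1 Gbit/s link speeds, and the router names are assumptions; the paper's Figure 5 topology is not reproduced.

```python
import heapq

REFERENCE_BANDWIDTH = 10**8   # bit/s; the 10^8 in the text's cost formula

def ospf_cost(bandwidth_bps: int) -> int:
    """Interface cost = reference bandwidth / interface bandwidth, truncated to an
    integer and never below 1, so 100 Mbit/s and faster links all cost 1."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)

def shortest_paths(links, source):
    """Dijkstra (OSPF's Shortest Path First) over one area's link-state database.

    links: iterable of (router_a, router_b, bandwidth_bps) point-to-point links.
    Returns {router: (total_cost, sorted next-hop list)}.  Several next hops with
    the same total cost are all kept; that set is what equal-cost load balancing uses."""
    adj = {}
    for a, b, bw in links:
        cost = ospf_cost(bw)
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {source: 0}
    next_hops = {source: set()}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                          # stale queue entry
        for v, cost in adj.get(u, []):
            nd = d + cost
            via = {v} if u == source else next_hops[u]
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                next_hops[v] = set(via)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                next_hops[v] |= via           # equal-cost alternative path
    return {r: (dist[r], sorted(next_hops[r])) for r in dist}

# Constructed single-area topology (assumed, not the paper's Figure 5): two T1
# serial paths R1-R2-R4 and R1-R3-R4 of equal cost, plus a Gigabit link R2-R3.
LINKS = [
    ("R1", "R2", 1_544_000),
    ("R1", "R3", 1_544_000),
    ("R2", "R3", 1_000_000_000),
    ("R2", "R4", 1_544_000),
    ("R3", "R4", 1_544_000),
]

if __name__ == "__main__":
    for router, (cost, hops) in sorted(shortest_paths(LINKS, "R1").items()):
        print(f"R1 -> {router}: cost {cost} via {hops}")
```

A T1 link costs 10^8 / 1 544 000 = 64, so R1 reaches R4 at cost 128 over both R2 and R3 and installs both next hops; the direct T1 to R3 (64) beats the path through R2 and the Gigabit link (65), so only one route is kept there.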

Figure 4 OSPF with single area


Figure 5 Network Diagram System Model

Table 1 Device Parameters

Name of device    Specifications
Generic Router    2 serial ports, 2 Gig ports
Generic Switch    9 Fast Ethernet ports
Generic Server    1 Fast Ethernet port
End Devices       PCs
Connections       Serial DCE, Copper Straight-Through and Copper Cross-Over cable

5.1. Steps to configure the System Model

Step 1:

Using the address information in the topology diagram configure:

- Web Server:
  ip address - 192.168.35.252
  subnet mask - 255.255.255.0
  gateway - 192.168.35.1
  DNS server - 192.168.35.253
- DNS Server:
  ip address - 192.168.35.253
  subnet mask - 255.255.255.0
  gateway - 192.168.35.1
  DNS server - 127.0.0.1
- PC-Admin:
  ip address - 192.168.88.10
  subnet mask - 255.255.255.0
  gateway - 192.168.88.1
  DNS server - 192.168.35.253

Step 2:

Using the information in the topology diagram configure S1, S2, S3 with the following initial settings:

1. hostname
2. VLANs and VLAN names
3. trunks (allowed VLANs, and native VLAN) - S1, S2, S3 VLANs allowed: 15, 25, 35, 88, 98; native: 98
4. access switchports with VLANs
5. shutdown unused switchports
6. management interface VLAN 88 with an IP address
7. use the planned R1 address 192.168.88.1 as the default gateway
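The trunk, native-VLAN and access-port behaviour that Step 2 configures (and that section 4 describes) can be made concrete with an added Python model; it is not the paper's configuration. It parses the optional 802.1Q tag in a raw Ethernet frame, classifies ingress on access and trunk ports (tagged frames dropped on access ports, untagged frames on a trunk assigned to the native VLAN, disallowed VLAN IDs dropped, shut-down ports dropping everything) and re-tags on egress. The trunk uses the Step 2 allowed list 15, 25, 35, 88, 98 with native 98; the port names, MAC addresses and payload are constructed.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100     # EtherType value announcing an 802.1Q tag
ETH_IPV4 = 0x0800

@dataclass
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlan: int = 1                      # access VLAN (access ports)
    allowed: frozenset = frozenset()   # VLANs allowed across the trunk
    native: int = 1                    # native VLAN: sent and received untagged
    enabled: bool = True               # False models "shutdown"

def parse_frame(frame: bytes):
    """Return (dst, src, vid, ethertype, payload); vid is None for untagged frames."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]   # low 12 TCI bits = VLAN ID
    return dst, src, None, ethertype, frame[14:]

def build_frame(dst, src, ethertype, payload, vid=None):
    """Assemble a frame, inserting an 802.1Q tag (priority 0) when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def classify_ingress(port: Port, frame: bytes):
    """VLAN a received frame is assigned to; None means the switch discards it."""
    if not port.enabled:
        return None
    vid = parse_frame(frame)[2]
    if port.mode == "access":
        return port.vlan if vid is None else None   # tagged frames on access ports are dropped
    if vid is None:
        vid = port.native                            # untagged on a trunk = native VLAN
    return vid if vid in port.allowed else None

def encapsulate_egress(port: Port, vlan: int, frame: bytes):
    """Frame as transmitted out of `port` for `vlan`, or None if it must not leave there."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    if not port.enabled:
        return None
    if port.mode == "access":
        return build_frame(dst, src, ethertype, payload) if vlan == port.vlan else None
    if vlan not in port.allowed:
        return None
    return build_frame(dst, src, ethertype, payload, None if vlan == port.native else vlan)

# Constructed ports following Step 2: trunk allowing 15,25,35,88,98 with native 98,
# one access port in VLAN 15, and one unused port left shut down.
TRUNK = Port("g0/1", "trunk", allowed=frozenset({15, 25, 35, 88, 98}), native=98)
ACCESS_15 = Port("f0/1", "access", vlan=15)
UNUSED = Port("f0/9", "access", vlan=1, enabled=False)

# Constructed broadcast destination, locally administered source MAC, dummy payload
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("020000000015")
PAYLOAD = b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    untagged = build_frame(DST_MAC, SRC_MAC, ETH_IPV4, PAYLOAD)
    print(classify_ingress(ACCESS_15, untagged), classify_ingress(TRUNK, untagged))
    print(parse_frame(encapsulate_egress(TRUNK, 15, untagged))[2])
```

The same tag handling is what a router-on-a-stick subinterface with 802.1Q encapsulation performs on its end of the trunk (section 4.2, Step 3).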

Step 3:

Using the address information in the topology diagram configure R1, R2, R3 with the following initial settings:

1. hostname
2. interface addresses and subnet masks on R1, R2, R3
3. R1 g0/0 & R3 g0/0 - sub-interface addressing and 802.1Q encapsulation
4. enable IPv6 routing on R2 and R3
5. R2 s0/1/1, s0/0/0, s0/0/1, g0/0 - IPv6 addressing (see topology diagram)
   R3 g0/0, g0/1, s0/0/0 - IPv6 addressing (see topology diagram)

Step 4:

Configure single area OSPFv2 on R1, R2, R3:

R1
- ospf process id 1
- router-id 1.1.1.1
- networks: all (area 0)
- do not send router advertisements out of any LAN interface

R2
- first create a default route on R2 out of s0/1/0
- ospf process id 1
- router-id 2.2.2.2
- networks 192.168.5.0 and 192.168.5.4 (area 0)
- do not send router advertisements out of the s0/1/0 interface
- advertise the default route to the other OSPF routers

R3
- ospf process id 1
- router-id 3.3.3.3
- networks: all (area 0)
- do not send router advertisements out of any LAN interface

R4
- ospf process id 1
- router-id 5.5.5.5
- networks: all (area 0)
- do not send router advertisements out of any LAN interface

Step 5:

Configure OSPFv3 on R2 and R3:

R3
- ipv6 ospf process id 10
- router-id 3.3.3.3
- passive-interfaces on g0/0 and g0/1
- configure s0/0/0 and g0/1 with ipv6 ospf 10 area 0

R2
- ipv6 ospf process id 10
- router-id 2.2.2.2
- passive-interface on s0/0/0
- configure s0/0/1 and g0/0 with ipv6 ospf 10 area 0

Step 6:

Configure static and dynamic NAT on R2.

1. Configure a static NAT rule translating global 209.165.201.65 to the local web server at 192.168.35.252
2. Configure int s0/1/0 as the outside NAT interface
3. Configure int s0/0/0 and s0/0/1 as the inside NAT interfaces
4. Configure a NAT pool named R2NATPOOL for 209.165.201.66 through 209.165.201.69; make the netmask as close as possible to masking just those addresses
5. Configure access-list 15 to permit the 192.168.15.0/24 network
6. Configure access-list 25 to permit the 192.168.25.0/24 network
7. Create two separate dynamic NAT rules:
   - "ip nat inside" that maps access-list 15 to the NAT pool with overload
   - "ip nat inside" that maps access-list 25 to the NAT pool with overload
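The static, dynamic and overload (PAT) translations described in section 3 and configured in Step 6, as an added Python model that is not the paper's router configuration. It uses the Step 6 addresses (static 209.165.201.65 for the web server, pool 209.165.201.66-69, inside networks 192.168.15.0/24 and 192.168.25.0/24), computes the tightest pool netmask, and shows the security consequence of PAT: an inbound packet is only untranslated if an inside host created the binding, so unsolicited outside traffic to a pool address is dropped. Port numbering from 1024 and the round-robin pool choice are simplifications of this model, not IOS behaviour.

```python
import ipaddress

def smallest_pool_netmask(first: str, last: str):
    """Longest prefix (smallest block) that still covers every pool address, i.e.
    the 'netmask as close as possible' that Step 6 asks for."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for plen in range(32, -1, -1):
        net = ipaddress.IPv4Network(f"{lo}/{plen}", strict=False)
        if hi in net:
            return str(net.netmask), plen

class NatRouter:
    """Edge-router NAT as in section 3 and Step 6: one static 1:1 rule, a pool
    shared with overload (PAT) and an inside ACL naming the private networks
    that may be translated.  Bindings are keyed on (address, port); for ICMP
    the identifier field plays the role of the port."""

    def __init__(self, static: dict, pool: list, inside_networks: list):
        self.static = dict(static)                         # inside local -> inside global
        self.static_rev = {g: l for l, g in static.items()}
        self.pool = list(pool)
        self.inside = [ipaddress.ip_network(n) for n in inside_networks]
        self.table = {}      # (local ip, local port) -> (global ip, global port)
        self.reverse = {}    # (global ip, global port) -> (local ip, local port)
        self.next_port = 1024

    def outbound(self, src: str, sport: int):
        """Translate a packet leaving via the outside interface.
        Returns (inside global address, port) or None when no rule applies."""
        if src in self.static:
            return self.static[src], sport                 # static NAT keeps the port
        if not any(ipaddress.ip_address(src) in n for n in self.inside):
            return None                                    # not permitted by ACL 15 / 25
        key = (src, sport)
        if key not in self.table:
            # overload: many inside hosts share one pool address, told apart by port
            gaddr = self.pool[len(self.table) % len(self.pool)]
            gport, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = (gaddr, gport)
            self.reverse[(gaddr, gport)] = key
        return self.table[key]

    def inbound(self, dst: str, dport: int):
        """Untranslate a packet arriving from the outside.  A static mapping is
        always reachable; a PAT binding exists only if an inside host created it,
        so unsolicited traffic returns None and is dropped."""
        if dst in self.static_rev:
            return self.static_rev[dst], dport
        return self.reverse.get((dst, dport))

if __name__ == "__main__":
    # Constructed instance with the Step 6 addresses
    r2 = NatRouter(
        static={"192.168.35.252": "209.165.201.65"},
        pool=["209.165.201.66", "209.165.201.67", "209.165.201.68", "209.165.201.69"],
        inside_networks=["192.168.15.0/24", "192.168.25.0/24"],
    )
    print(smallest_pool_netmask("209.165.201.66", "209.165.201.69"))
    print(r2.outbound("192.168.15.10", 40000), r2.outbound("192.168.88.10", 5000))
    print(r2.inbound("209.165.201.66", 1024), r2.inbound("209.165.201.66", 9999))
```

Two points the model makes visible: the pool 209.165.201.66-69 cannot be covered by anything tighter than a /29 (255.255.255.248), and a host in the management VLAN 88 gets no translation at all because only access-lists 15 and 25 feed the NAT rules.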

Step 7:

Configure access lists on R4 to limit outside access into the network.

1. Configure an extended access-list 100 to achieve the following goals (3 lines only):
   - from the outside, permit port 80 access to the web server
   - from the outside, permit pings that were initiated from within the network only
   - permit "established" web page requests generated from within the network only (you will need to use the established keyword at the end of the line)
   - deny all other kinds of communication from outside the network
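The standard-versus-extended distinction of section 2 and the three-line ACL 100 of Step 7, as an added Python evaluator that is not the paper's configuration: entries are matched in order with Cisco wildcard masks, the first match wins and an implicit deny closes every list. A standard entry (ACL 15 from Step 6) sees only the source address; the extended entries check protocol, destination, port, ICMP type and the `established` condition (TCP ACK or RST set). Because R4 sits outside R2's NAT, the web server entry uses its static-NAT global address 209.165.201.65 from Step 6; the outside source address 203.0.113.5 is a constructed test value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY, ANY_WC = "0.0.0.0", "255.255.255.255"   # 'any' in IOS wildcard notation
HOST_WC = "0.0.0.0"                          # wildcard that matches one host

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard masks are inverted: a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # destination port (tcp/udp)
    icmp_type: Optional[str] = None   # "echo" or "echo-reply"
    ack_or_rst: bool = False          # TCP ACK or RST set: what 'established' tests

@dataclass
class Ace:
    """One access control entry.  proto=None models a standard ACL entry, which
    looks at the source address only; anything else is an extended entry."""
    action: str
    src: str = ANY
    src_wc: str = ANY_WC
    proto: Optional[str] = None
    dst: str = ANY
    dst_wc: str = ANY_WC
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if self.proto is None:                      # standard ACL: source decides
            return True
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.established and not p.ack_or_rst:
            return False
        return True

def evaluate(acl, packet: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for ace in acl:
        if ace.matches(packet):
            return ace.action
    return "deny"

# Standard ACL 15 from Step 6: source network only, no notion of service.
ACL_15 = [Ace("permit", "192.168.15.0", "0.0.0.255")]

# Extended ACL 100 from Step 7, applied on R4 toward the inside.  The web server is
# reached by its static-NAT global address 209.165.201.65, since R4 is outside R2's NAT.
ACL_100 = [
    Ace("permit", proto="tcp", dst="209.165.201.65", dst_wc=HOST_WC, dport=80),
    Ace("permit", proto="icmp", icmp_type="echo-reply"),   # replies to inside-originated pings
    Ace("permit", proto="tcp", established=True),          # returning web traffic
]

if __name__ == "__main__":
    outside = "203.0.113.5"   # constructed outside host
    print(evaluate(ACL_100, Packet(outside, "209.165.201.65", "tcp", dport=80)))
    print(evaluate(ACL_100, Packet(outside, "209.165.201.66", "icmp", icmp_type="echo")))
```

The `established` entry is why an outside host cannot open a connection to a pool address even though returning web traffic passes: a fresh SYN carries neither ACK nor RST, so only the implicit deny matches it.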

Step 8:

Configure the following on R3:

- password min length 10 characters
- encrypt all passwords
- banner motd "No unauthorized access allowed!"
- administrative user account: username admin, secret pass 12345
- enable secret: class12345
- named access-list ADMIN-MGT: permit only host PC-Admin remote Telnet access
- console 0 and vty 0 4: use local database for logins, timeout after 5 min, apply ADMIN-MGT access-list to vty
- save running-config to startup-config
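The Step 8 hardening items can be checked mechanically against a router's running configuration. The following added Python audit is not part of the paper; it parses an IOS-style config into top-level commands and their indented sub-commands and verifies the minimum password length, password encryption, the MOTD banner, cleartext secret lengths, local login with a bounded exec-timeout on console and vty, and that the vty access-class references a standard ACL permitting only specific hosts. The sample configuration is constructed from the Step 8 and Step 1 values (PC-Admin is 192.168.88.10) and deliberately keeps the page's five-character admin secret so the length check has a finding to report.

```python
import re

# Constructed running-config excerpt following Step 8 (not the paper's own output).
SAMPLE_R3_CONFIG = """\
hostname R3
security passwords min-length 10
service password-encryption
banner motd ^CNo unauthorized access allowed!^C
username admin secret 12345
enable secret class12345
ip access-list standard ADMIN-MGT
 permit host 192.168.88.10
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 access-class ADMIN-MGT in
 transport input telnet
"""

def parse_sections(config: str) -> dict:
    """Group an IOS-style config into {top-level command: [indented sub-commands]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def _timeout_ok(body) -> bool:
    """exec-timeout present, not disabled ('0 0' means never) and at most 5 minutes."""
    for cmd in body:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return 0 < total <= 300
    return False

def _secret_too_short(value: str, minlen: int) -> bool:
    """A stored secret like '5 $1$...' or '9 $9$...' is already hashed and cannot be
    length-checked; only a cleartext value still in the config is compared."""
    return not re.match(r"\d \S", value) and len(value) < minlen

def audit_r3(config: str) -> list:
    s = parse_sections(config)
    top = list(s)
    findings = []
    minlen = 0
    for h in top:
        m = re.fullmatch(r"security passwords min-length (\d+)", h)
        if m:
            minlen = int(m.group(1))
    if minlen < 10:
        findings.append("password min-length below 10")
    if "service password-encryption" not in top:
        findings.append("service password-encryption missing")
    if not any(h.startswith("banner motd") for h in top):
        findings.append("banner motd missing")
    for h in top:
        m = re.fullmatch(r"username (\S+) secret (.+)", h)
        if m and _secret_too_short(m.group(2), minlen):
            findings.append(f"secret for user {m.group(1)} shorter than min-length {minlen}")
        m = re.fullmatch(r"enable secret (.+)", h)
        if m and _secret_too_short(m.group(1), minlen):
            findings.append(f"enable secret shorter than min-length {minlen}")
    acls = {h.split()[-1]: s[h] for h in top if h.startswith("ip access-list standard ")}
    for line in ("line con 0", "line vty 0 4"):
        body = s.get(line, [])
        if "login local" not in body:
            findings.append(f"{line}: login local missing")
        if not _timeout_ok(body):
            findings.append(f"{line}: exec-timeout missing, disabled or longer than 5 min")
    vty = s.get("line vty 0 4", [])
    ac = next((c.split()[1] for c in vty if c.startswith("access-class ") and c.endswith(" in")), None)
    if ac is None:
        findings.append("line vty 0 4: no inbound access-class")
    elif ac not in acls:
        findings.append(f"access-class {ac} references an undefined ACL")
    elif not all(re.fullmatch(r"permit host \d+\.\d+\.\d+\.\d+", e) for e in acls[ac]):
        findings.append(f"ACL {ac} permits more than specific admin hosts")
    return findings

if __name__ == "__main__":
    for f in audit_r3(SAMPLE_R3_CONFIG):
        print("FINDING:", f)
```

On the sample the only finding is the admin secret: with `security passwords min-length 10` in force, a five-character secret does not meet the policy the same step sets. Telnet, which Step 8 permits for PC-Admin, carries credentials in cleartext; the access-class limits who can reach the vty lines but does not protect the session itself.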

6. CONFIGURATION

Switch Configuration (S1)

Similarly configure S2 and S3.

Router configuration (R2, edge router: NAT config)

Router configuration (R4, ISP router: ACL config)

Go to the particular interface and apply the ACL in the outbound direction so that the ACL is enforced on that interface.

OSPF configuration

OSPFv3 extra configurations

Go to interface g0/0 below to complete the IPv6 configuration.

7. EXAMINING THE CONFIGURATION

Verification of ACL configurations:

Ping from our network to the internet:


Ping from the internet to our network:

Web service request from the internet to our web server:

Verification of NAT

Static NAT:

Resolves 209.165.201.65 to 192.168.35.252

Port Address Translation:

Resolves our network PCs' IP addresses to 209.165.201.66 - 209.165.201.69 and pings the outside internet

OSPFv3 ping verification from the test network to the IPv6 server


Time delay calculations

1) For the same VLAN 15
2) For VLAN 15 to VLAN 25
3) For VLAN 15 to VLAN 35

8. CONCLUSION

From all the results above we can say that all of the above configurations were verified successfully. The ACLs used in the above network act as a firewall between our network and the internet. NAT is used to translate private IP addresses to public IP addresses when connecting to the internet, as private IP addresses are not routable on the internet. VLANs provide layer 2 security, as they do not allow different VLANs to communicate until specific configurations are done. OSPF is a dynamic routing protocol, used in order to share network information between routers through router advertisements. When communicating within the same VLAN the round trip delay is 1 msec, but if the workstations are communicating in different VLANs the round trip delay is approximately 25 msec.


REFERENCES

[1] Weinstein, S. B. and Ebert, P. M. (1971), 'Data transmission by frequency-division multiplexing using the discrete Fourier transform', IEEE Transactions on Communications, Vol. 19 No. 5, pp. 628–634.

[2] Fettweis, G., Bahai, A. S. and Anvari, K. (1994), 'On multi-carrier code division multiple access (MC-CDMA) modem design', in VTC 1994: Proceedings of IEEE Vehicular Technology Conference, Stockholm, pp. 1670–1674.

[3] Hanzo, L. and Keller, T. (2006), OFDM and MC-CDMA: A Primer, John Wiley, West Sussex.

[4] Yee, N. and Linnartz, J. P. (1993), 'Multicarrier CDMA in indoor wireless radio networks', in PIMRC 1993: Proceedings of PIMRC, Yokohama, pp. 109–113.

[5] Proakis, J. G. (1995), Digital Communications, McGraw-Hill, New York.

[6] Steele, R. and Hanzo, L. (1999), Mobile Radio Communications, John Wiley and IEEE Press, New York.

[7] Verdu, S. (1998), Multiuser Detection, Cambridge University Press, Cambridge.

[8] Bhaskar, V. and Pai, L. S. (2013), 'Performance analysis of MC-CDMA systems under Nakagami Hoyt fading', Wireless Personal Communications, Vol. 69 No. 4, pp. 1885–1898.

[9] Silva, A., Teodoro, S., Dinis, R. and Gameiro, A. (2014), 'Iterative frequency-domain detection for IA-precoded MC-CDMA system', IEEE Transactions on Communications, Vol. 62 No. 4, pp. 1240–1248.

[10] Yan, Y. and Ma, M. (2015), 'Novel frequency-domain oversampling receiver for CP MC-CDMA systems', IEEE Communications Letters, Vol. 19 No. 4, pp. 661–664.

[11] Sung, W. L., Chang, Y. K., Ueng, F. B. and Shen, Y. S. (2015), 'A New SAGE-Based Receiver for MC-CDMA Communication Systems', Wireless Personal Communications, Vol. 85 No. 3, pp. 1617–1634.

[12] Hornik, K. (1989), 'Multilayer feedforward networks are universal approximators', Neural Networks, Vol. 2 No. 5, pp. 359–366.

[13] Hornik, K. (1991), 'Approximation capabilities of multilayer feedforward networks', Neural Networks, Vol. 4 No. 2, pp. 251–257.

[14] Haykin, S. (1999), Neural Networks, Pearson Education, Singapore.

[15] Taspinar, N. and Cicek, M. (2013), 'Neural Network Based Receiver for Multiuser Detection in MC-CDMA Systems', Wireless Personal Communications, Vol. 68 No. 2, pp. 463–472.

[16] Patra, J. C., Pal, R. N., Baliarsingh, R. and Panda, G. (1999), 'Nonlinear Channel Equalization for QAM Signal Constellation Using Artificial Neural Networks', IEEE Transactions on Systems, Man, and Cybernetics, Vol. 29 No. 2, pp. 262–271.

[17] Ravikumar, C. V. and Bagadi, K. (2016), 'Robust Neural Network based multiuser detector in MC-CDMA for multiple access mitigation', Indian Journal of Science & Technology, Vol. 9 No. 30.

[18] Ravikumar, C. V. and Bagadi, K. (2016), 'Performance analysis of HSRP in provisioning layer-3 gateway redundancy for corporate networks', Indian Journal of Science & Technology, Vol. 9 No. 20.

[19] Bagadi, K. and Ravikumar, C. V. (2016), 'Performance analysis of IPv4 to IPv6 transition methods', Indian Journal of Science & Technology, Vol. 9 No. 20.

[20] Mishra, A. K. and Sahoo, A. (2007), 'S-OSPF: A Traffic Engineering Solution for OSPF Based on Best Effort Network', IEEE Globecom, pp. 1845–1849.

[21] Srisuresh, P. and Egevang, K. (2001), 'Traditional IP Network Address Translator (Traditional NAT)', Internet Engineering Task Force, RFC 3022, January 2001. Available at http://www.faqs.org/rfcs/rfc3022.html