
Final Report

report

Uploaded by

Chiranjivi Patil

CHAPTER 1

INTRODUCTION

1.1 MOTIVATION
A computer network, also known as a data network, is a telecommunications
network that permits computers to exchange data. In computer networks,
networked computing devices pass data to each other along data connections
over the available links. Transmission is done in the form of packets. Cable
media or wireless media carry these packets between nodes. The best-known
computer network is the Internet. Network nodes are devices that originate,
route and terminate the data. Nodes can be anything such as personal computers,
phones, servers as well as networking hardware. Two or more devices are said to
be able to communicate with each other when they can transfer data even though
they are not directly connected.

Computer networks differ in the transmission media used to carry their signals,
the communications protocols used to organize network traffic, the network's
size, topology and organizational intent. In most scenarios, communications
protocols are layered on other more specific or more general communications
protocols.

A network switch is a device that forwards and filters OSI layer two datagrams
between ports based on the MAC addresses in the packets. A switch is distinct
from a hub in that it only forwards the frames to the physical ports involved
in the communication. If a frame is addressed to an unknown destination, the
switch broadcasts to all ports but the source. Switches normally have numerous
ports, facilitating a star topology for devices, and cascading additional
switches. Multi-layer switches are capable of routing based on layer three
addressing or additional logical levels. The term switch is often used loosely
to include devices such as routers and bridges, as well as devices that may
distribute traffic based on load or based on application content.

1.2 VLAN CONCEPTS

A local area network is a network that connects computers and devices in a
limited geographical area such as a home, school, office building or closely
positioned group of buildings. Each computer or device on the network is a
node. Wired LANs are most likely based on Ethernet technology. Newer standards
such as ITU-T G.hn also provide a way to create a wired LAN using existing
wiring, such as coaxial cables, telephone lines, and power lines. All
interconnected devices use network layer three to handle multiple subnets.
Those inside the library have 10/100 Mbit/s Ethernet connections to the user
device and a Gigabit Ethernet connection to the central router. They could be
called Layer three switches, because they only have Ethernet interfaces and
support the Internet Protocol.

The defining characteristics of a LAN, in contrast to a wide area network,
include higher data transfer rates, limited geographic range, and lack of
reliance on leased lines to provide connectivity. Current Ethernet or other
IEEE 802.3 LAN technologies run at data transfer rates up to 10 Gbit/s. A VLAN
is a group of end stations with a common set of requirements, independent of
physical location. VLANs have the same attributes as a physical LAN but allow
you to group end stations even if they are not located physically on the same
LAN segment. VLANs are usually associated with IP subnetworks. For example, all
the end stations in a particular IP subnet belong to the same VLAN. Traffic
between VLANs must be routed. LAN port VLAN membership is assigned manually on
a port-by-port basis.

VLANs allow network administrators to partition their networks physically and
logically without having to run new cables or make major changes in their
current network infrastructure. A switch that supports VLANs allows the
administrator to select which ports will participate in the VLAN. These ports
are then grouped to become one VLAN, and any broadcasts or information passed
among these ports will not be seen by the remaining ports on the switch.

There are only two types of VLAN possible today, cell-based VLANs and
frame-based VLANs.

i. Cell-based VLANs are used in switched networks with LAN Emulation. LANE
allows hosts on traditional LAN segments to communicate using ATM networks
without having to use special hardware or software modification.
ii. Frame-based VLANs are used in Ethernet networks with frame tagging. The two
primary types of frame tagging are IEEE 802.10 and ISL. Keep in mind that the
802.10 standard makes it possible to deploy VLANs with 802.3, 802.5, and
FDDI, but Ethernet is most common.

1.3 ISSUES

At Layer two, network devices on a VLAN share the same broadcast domain and
communicate directly with each other. For security purposes, there are network
deployments where direct communication between network devices on the same
VLAN needs to be restricted. These are normally networks where a heterogeneous
pool of users shares the same network infrastructure and a certain level of
device isolation and control over network connectivity should be enforced. Some
of the use case deployment scenarios which need this kind of isolation are
discussed below:

i. In hotels where each room has internet access, direct communication between
end users in each room may not be desired. All traffic would be routed through
the site's firewall or gateway before any communication can be established.
This could be for various reasons like security, policy enforcement, billing
or audit.

ii. In enterprise networks where multiple end user systems are on the same LAN,
if one end user system is infected with a worm, it might try to form
connections with other machines in the same broadcast domain and try to
proliferate or attempt Denial of Service attacks on the broadcast domain.
However, if these end user systems were kept isolated, the possibility of this
proliferation and network attack can be greatly reduced.

iii. An ISP could have a server farm that offers web-hosting functionality for a
number of customers. Co-locating servers in a server farm offers ease of
management but at the same time may raise security concerns. Like in the
corporate networks use case discussed earlier, if all the servers were in one
VLAN and an attacker gets access to one of the servers, the compromised server
can be used to launch an attack on other servers in the server farm. To prevent
such forms of malicious attack, ISP customers would want their servers to be
isolated from other machines in the same server farm.

The traditional solution to the problem of layer two isolation has been to put
each user in a separate VLAN. This means that in the hotel scenario, the link
from each room to the access switch has to be on a dedicated VLAN. While this
will prevent any direct layer two communication between end users, it has the
following disadvantages:

i. Assigning a unique VLAN per user is a significant administrative overhead.
ii. The hard limit on the number of VLANs that can be supported (4095) limits
the scalability of this solution.
iii. Each VLAN would have to be on its own IP subnet, resulting in a
significant increase in the number of subnets to manage and requiring careful
allocation of subnets to minimize wastage of IP address space.

Applying port filters to include/exclude ports from directly talking to each
other could be an alternative solution.

The Private VLANs feature described here provides a tool for dividing a VLAN
into smaller sub domains to achieve traffic isolation without the
administration overhead and scalability constraints associated with the
traditional 'One VLAN per user' solution.

1.4 ISSUES SOLUTION

The Private VLAN feature divides a VLAN by grouping sets of ports that should
have traffic isolation from one another into independent broadcast sub domains.
The VLAN that is being divided is referred to as the Primary VLAN and the sub
domains carved out of this primary VLAN are referred to as Secondary VLANs. The
Secondary VLANs are also regular VLANs, created from a subset of ports of the
original VLAN, and they have a unique VLAN ID, which has to be set for the
particular VLAN type and has a type such as Integer, Octet String etc. However,
they are generally local to the switch whose Primary VLAN is being partitioned
and are limited to the downstream layers. Upstream switches do not have to be
aware of these Secondary VLAN IDs. Depending on the level of isolation
provided, Secondary VLANs can be further classified into Isolated and
Community VLANs.

i. Isolated VLAN

An Isolated VLAN is created from the set of ports that require layer two
isolation, that is, traffic exchange among member ports is not permitted. Ports
that require complete isolation are referred to as isolated ports; they are
untagged members of the Isolated VLAN, and traffic coming in on an isolated
port can only go out an uplink to a router or a firewall, which in turn decides
the forwarding path for this traffic. The uplink connectivity for Isolated VLAN
ports is provided via a designated port of the Primary VLAN, referred to as the
Promiscuous port, that connects the switch to a router or a firewall. The
Promiscuous port carries traffic of Isolated VLAN ports up to the
router/firewall and carries upstream traffic back to these Isolated VLAN ports.

Isolated ports are untagged members of the Isolated VLAN ID while the
Promiscuous ports are untagged members of the Primary VLAN ID. These ports do
not belong to any other VLAN in the system either. Downstream traffic coming in
on the Isolated VLAN ID is pushed out of the Promiscuous port untagged and the
upstream assigns Isolated VLAN traffic to the Primary VLAN ID. Similarly, the
upstream traffic coming in on Promiscuous ports on the Primary VLAN ID is
pushed out untagged on the isolated ports to end hosts that are typically VLAN
unaware. Even if they are, they would associate these packets with the
Secondary VLAN ID as the isolated link is a Secondary VLAN link.

Fig. 1.1 Isolated VLAN and Promiscuous Ports

ii. Community VLAN

Where a set of ports belongs to one function/group and must exchange traffic
directly with one another but not beyond their group, such a set of ports is
gathered into a Community VLAN. Several Community VLANs can be carved out of
the original VLAN, depending on the number of such port sets needing isolation
from one another. These ports are referred to as Community ports, and hosts
connected to ports of the same Community VLAN can communicate directly with
each other. Hosts in one Community VLAN cannot talk to hosts on another
Community or to hosts elsewhere in the network; if they want to communicate,
Community port traffic has to go out the uplink to a router or a firewall,
which will pick the forwarding path for this traffic.

Uplink connectivity to the router/firewall for the Community VLANs is again
provided through the Promiscuous port, which carries traffic of all Community
VLAN ports to the upstream and also carries traffic sourced in the upstream
back to the Community VLAN ports. Community ports are untagged members of the
Community VLAN ID. Downstream traffic coming in on the Community VLAN ID is
pushed out of the Promiscuous port untagged and the upstream sees this traffic
as belonging to the Primary VLAN ID. In the same way, the upstream traffic
coming in on Promiscuous ports on the Primary VLAN ID is pushed out untagged on
the Community ports to end hosts that are typically VLAN unaware.

Fig. 1.2 Community VLAN and Promiscuous Ports

iii. Traffic and VLAN boundaries

Downstream traffic coming in on isolated ports belongs to the Isolated VLAN ID
while downstream traffic coming in on Community ports belongs to the Community
VLAN ID. Upstream traffic coming in on Promiscuous ports is associated with the
Primary VLAN ID.

Promiscuous ports carry the downstream Secondary VLAN traffic while Isolated
and Community ports carry upstream Primary VLAN traffic in the direction of
hosts.

While this may look like traffic crossing VLAN boundaries at Layer two, note
that Secondary VLANs are actually nothing but stub VLANs and all Secondary VLAN
ports are actually virtual members of the Primary VLAN.

iv. Interswitch links

Consider a network in which Secondary VLANs have been configured on a set of
access switches but only one of those switches has uplink connectivity. This
means that the Secondary VLAN traffic on switches on which an uplink is not
configured has to go through several switching hops to the device which has an
uplink connection. Private VLAN traffic forwarding rules have to be preserved
on all access switches in the path that are configured for Private VLANs, as
Secondary VLAN traffic crosses Interswitch links.

For example, traffic originating on an Isolated VLAN on a switch that does not
have a Promiscuous port would get forwarded out the Interswitch link to the
next access switch and so on, and ultimately be forwarded to the switch which
has a Promiscuous port configuration. The switches in the path must not know
that the traffic belongs to an Isolated VLAN so it should not forward to any of
its local Isolated/Community ports. In the same way, the switch on which the
uplink is enabled needs to forward the Isolated VLAN traffic out the uplink
only and not to its local Isolated ports.

This means that the VLAN information has to be preserved as traffic crosses
Interswitch links, and this can be achieved by having Secondary VLAN
information be explicitly carried in the frame, that is, in VLAN tags.

1.5 PRIVATE VLAN

Private VLAN, also known as port isolation, is a technique in computer
networking where a VLAN contains switch ports that are restricted such that
they can only communicate with a given "uplink". Private VLAN has two types
named as Primary VLAN and Secondary VLAN. Secondary VLAN again has two
sub-types, Isolated VLAN and Community VLAN. A Secondary VLAN should be
associated with the Primary VLAN. It also has Promiscuous ports, which help
VLANs transfer packets between them. The Private VLAN feature adds more
security features, the lack of which was a drawback of the existing VLAN
feature.

CHAPTER 2

LITERATURE SURVEY

Routing implementation techniques using VLAN technology for topologies that
include loops have been developed [1], [2]. The VLAN technology was not
intended for increasing network throughput, but for partitioning hosts into
multiple groups, and it has been used in intranets and in the Internet backbone
for Quality of Service control.

Multiple paths between hosts can be obtained by using VLANs as follows:
multiple VLANs, each having a different tree of the physical network, are
assigned to a physical network with loops. Each host is configured as a member
of each VLAN, i.e., it has a virtual network interface to a VLAN. In this way,
all pairs of hosts can communicate with each other via any VLAN tree topology,
and there are multiple paths that consist of different link sets between each
pair of hosts.

Since each path is assigned to a single VLAN, each source host selects a path
by specifying a virtual interface that corresponds to the appropriate VLAN.
Each tagged frame is transferred by the usual layer two Ethernet mechanism
within its VLAN topology. Although each VLAN topology is logically a tree, the
physical topologies of layer two Ethernet are free from tree structures.

The Simple Network Management Protocol [1] allows for management data to be
collected from remote devices, for devices to be configured remotely, and it
supports the dissemination of event notifications. Since its first publication
in August 1988, it has been widely used to manage and monitor networks.

The first version of SNMP did not provide cryptographic security and hence it
was open to many simple attacks. The efforts in the early 1990s to add strong
security to SNMP failed since the engineered solution turned out to be too
complex to be used in practice. As a result, the security mechanisms were
removed and the remaining protocol improvements were published as SNMP version
2c, which is as insecure as SNMPv1.

A WDM-based switched Ethernet network architecture to provide Virtual Private
LAN Services is proposed. It is shown how an effective VLAN separation method
based on traffic matrix analysis affects the working channel needs of the
optical layer, how the application of the VLAN-sensitive and differentiated
optical protection solution affects the protection channel needs of the optical
layer, and so how it enables scalable SLA definition and reduces the total
network cost.

Customers like Ethernet because it is able to match their requirements easily
and carriers like Ethernet because it is able to meet their business needs.
This intersection of customer requirements and carrier business needs is
reflected in the expected growth for Ethernet services. New services based on
Ethernet, particularly within the metropolitan area, are expected to grow
significantly over the next few years. These new services include metro
transport, LAN-LAN interconnection and Internet access.

Virtual Private LAN Service is one of the emerging solutions for providing
Ethernet services. VPLS allows customer networks at geographically diverse
locations to communicate with each other as if they were directly attached to
each other, i.e., the WAN becomes transparent to all customer locations. This
is achieved by a Layer two VPN solution. VPLS combines the cost effectiveness
and high bandwidth of Ethernet with the scalability and resiliency of the
underlying adaptation and transport layers and allows service providers to
address the needs of their customers while achieving the goals of their
business.

CHAPTER 3

DETAILED DESIGN OF THE PROJECT

3.1 PRIVATE VLAN

The Private VLANs technology partitions a larger VLAN broadcast domain into
smaller sub-domains. So far, two kinds of special sub-domains specific to the
private VLAN technology have been defined: an isolated sub-domain and a
community sub-domain. Each sub-domain is defined by assigning a proper
designation to a group of switch ports. Within a private VLAN domain, a port
designation exists. A port designation has its own set of rules which regulate
an associated endpoint's ability to communicate with other connected endpoints
within the same private VLAN domain. The port designation is promiscuous. An
endpoint connected to a promiscuous port has the ability to communicate with
any endpoint within the private VLAN. Multiple promiscuous ports may be defined
within a single private VLAN domain. In most networks, layer two default
gateways or network management stations are commonly connected to promiscuous
ports. An endpoint connected to an isolated port will only retain the ability
to communicate with those endpoints connected to promiscuous ports.

Fig. 3.1 below illustrates the private VLAN model from a switch port classification
perspective.

Fig. 3.1 Private VLAN classification of Switch Ports

A, B – Isolated Devices

C, D – Community Devices

R – Router

p1 – Promiscuous switch port

t1 – Inter-switch link port

Promiscuous port

As the name suggests, a promiscuous port can talk to all other types of ports.
A promiscuous port can talk to isolated ports as well as promiscuous ports and
vice versa. Layer three gateways, DHCP servers and other trusted devices that
need to communicate with the customer endpoints are typically connected via
promiscuous ports. An inter-switch link port is basically a regular port that
connects two switches.

3.2 A PRIVATE VLAN DOMAIN WITH ONE OR MORE VLAN ID PAIRS

In general, layer two communication constraints can be enforced by creating
sub-domains within the same VLAN domain. However, a sub-domain within a VLAN
domain cannot be easily implemented with only one VLAN ID. Instead, a mechanism
of pairing VLAN IDs can be used to achieve this notion. A private VLAN domain
is built with at least one pair of VLAN IDs: one primary VLAN ID plus one or
more secondary VLAN IDs. Secondary VLANs can be of two types: Isolated VLANs
and Community VLANs.

A primary VLAN is the unique and common VLAN identifier of the whole
private VLAN domain and of all its VLAN ID pairs.

An isolated VLAN is a secondary VLAN whose distinctive characteristic is that
all hosts connected to its ports are isolated at Layer two. Therefore, its
primary quality is that it allows a design based on private VLANs to use a
total of only two VLAN identifiers.

A community VLAN is a secondary VLAN that is associated to a group of ports
that connect to a certain community of end devices with mutual trust
relationships. While only one isolated VLAN is allowed in a private VLAN
domain, there can be multiple distinct community VLANs. All traffic transported
within primary and secondary VLANs should be tagged according to the IEEE
802.1Q standard, with at most a single standard VLAN tag. No special
double-tagging is necessary due to the 1:1 correspondence between a secondary
VLAN and its associated primary VLAN. The ports in a private VLAN domain derive
their special characteristics from the VLAN pairings they are configured with.
In particular, a promiscuous port is a port that can communicate with all other
private VLAN port types via the primary VLAN and associated secondary VLANs.

3.3 EXTENDING PRIVATE VLANs ACROSS SWITCHES

Some switch vendors have attempted to provide a port isolation feature within a
VLAN by implementing special logic at the port level. However, the isolation
behaviour is restricted to a single switch when implemented at the port level.
When a VLAN spans multiple switches, there is no standard mechanism to
propagate port-level isolation information to other switches and, consequently,
the isolation behaviour fails in other switches. In this document, the proposal
is to implement the port isolation information implicitly at the VLAN level. A
particular VLAN ID can be configured to be the isolated VLAN. All switches in
the network would give special "isolated VLAN" treatment to frames tagged with
this particular VLAN ID. Thereby, the isolated VLAN behaviour can be maintained
consistently across all switches in a Layer two network. In general, isolated,
community and primary VLANs can all span multiple switches, just like regular
VLANs.

Inter-switch link ports need not be aware of the special VLAN type and will
carry frames tagged with these VLANs just like they do any other frames. One of
the objectives of the private VLANs architecture is to ensure that traffic from
an isolated port in one switch does not reach another isolated or community
port in a different switch even after traversing an inter-switch link. By
implicitly embedding the isolation information at the VLAN level and by
transporting it along with the packet, it is possible to maintain a consistent
behaviour throughout the network. Therefore, the mechanism discussed earlier,
which will restrict Layer two communication between two isolated ports in the
same switch, will also restrict Layer two communication between two isolated
ports in two different switches.

3.4 PRIVATE VLAN ARCHITECTURE

Private VLAN divides a VLAN into sub-VLANs while keeping the existing IP subnet
and layer three configuration. A regular VLAN is a single broadcast domain,
while private VLAN partitions one broadcast domain into multiple smaller
broadcast subdomains.

i. Primary VLAN

Simply the original VLAN. This type of VLAN is used to forward frames
downstream to all Secondary VLANs.

ii. Secondary VLAN

Secondary VLAN is configured with one of the following types:

a. Isolated

Any switch ports associated with an Isolated VLAN can reach the primary
VLAN, but not any other Secondary VLAN. In addition, hosts associated with the same
Isolated VLAN cannot reach each other. There can be multiple Isolated VLANs in one
Private VLAN domain; the ports remain isolated from each other within each VLAN.

b. Community

Any switch ports associated with a common community VLAN can communicate with
each other and with the primary VLAN but not with any other secondary VLAN.
There can be several distinct community VLANs within one Private VLAN domain.

Fig. 3.2 Private VLAN Architecture

There is a type of port in a Private VLAN: Promiscuous port.

i. Promiscuous port

The switch port connects to a router, firewall or other common gateway device.
This port can communicate with anything else connected to the primary or any
secondary VLAN. In other words, it is a type of port that is allowed to send
and receive frames from any other port on the VLAN.

Fig. 3.3 Promiscuous Port Concept

Example scenario

A switch with VLAN 100, converted into a Private VLAN with one P-Port, two
I-Ports in Isolated VLAN 101 and two community VLANs 102 and 103, with two
ports in each. The switch has one uplink port, connected to another switch. The
diagram illustrates this configuration explicitly.
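
The forwarding rules of sections 3.3 and 3.4 applied to the example scenario above, as an added example that is not part of the original report. The port names, the `Port` and `flood` helpers and the second switch `SW2` are assumptions made for illustration; `SW2` goes beyond the scenario to show how the 802.1Q tag keeps the isolation intact across the inter-switch link.

```python
# Added example: model of private VLAN forwarding for primary VLAN 100,
# isolated VLAN 101 and community VLANs 102 and 103.
from dataclasses import dataclass
from typing import Optional

PRIMARY = 100
SECONDARY = {101: "isolated", 102: "community", 103: "community"}


@dataclass(frozen=True)
class Port:
    name: str
    role: str                    # promiscuous | isolated | community | trunk
    vlan: Optional[int] = None   # secondary VLAN ID (host ports only)


def ingress_vlan(port, tag=None):
    """VLAN a frame is classified into when it enters `port`."""
    if port.role == "trunk":
        # Inter-switch links carry the 802.1Q tag unchanged.
        if tag != PRIMARY and tag not in SECONDARY:
            raise ValueError(f"VLAN {tag} is outside this private VLAN domain")
        return tag
    if port.role == "promiscuous":
        return PRIMARY
    if SECONDARY.get(port.vlan) != port.role:
        raise ValueError(f"{port.name}: role does not match VLAN {port.vlan}")
    return port.vlan


def may_egress(vlan, port):
    """Per-VLAN forwarding rule; the decision depends only on the VLAN type."""
    if port.role in ("promiscuous", "trunk"):
        return True              # uplink and inter-switch ports carry all PVLAN traffic
    if vlan == PRIMARY:
        return True              # primary VLAN reaches every secondary port
    if SECONDARY[vlan] == "community":
        return port.role == "community" and port.vlan == vlan
    return False                 # isolated VLAN: never delivered to host ports


def flood(ports, ingress_name, tag=None):
    """Names of the ports a frame entering `ingress_name` may leave from."""
    ingress = next(p for p in ports if p.name == ingress_name)
    vlan = ingress_vlan(ingress, tag)
    return {p.name for p in ports
            if p.name != ingress_name and may_egress(vlan, p)}


# The switch from the example scenario: one P-port, two I-ports in VLAN 101,
# two ports in each of community VLANs 102 and 103, one uplink (T1).
SW1 = [Port("P1", "promiscuous"),
       Port("I1", "isolated", 101), Port("I2", "isolated", 101),
       Port("C1", "community", 102), Port("C2", "community", 102),
       Port("D1", "community", 103), Port("D2", "community", 103),
       Port("T1", "trunk")]

# Assumed neighbouring switch without a promiscuous port.
SW2 = [Port("T2", "trunk"),
       Port("I3", "isolated", 101), Port("C3", "community", 102)]

if __name__ == "__main__":
    for src in ("I1", "C1", "D1", "P1"):
        print(f"SW1 {src} ->", sorted(flood(SW1, src)))
    for tag in (100, 101, 102):
        print(f"SW2 T2 tag {tag} ->", sorted(flood(SW2, "T2", tag=tag)))
```

A frame from I1 leaves SW1 only through P1 and T1; when it arrives on SW2 tagged 101, no host port receives it, which is the cross-switch behaviour section 3.3 describes.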

3.5 PRIVATE VLAN TRAFFIC FLOW

Fig. 3.4 Private VLAN Traffic Flow

3.6 USE CASES

3.6.1 Network Segregation

Private VLANs are used for network segregation when

i. Moving from a flat network to an isolated network without changing the IP
addressing of the hosts. A firewall can replace a router, and then hosts can
be slowly moved to their secondary VLAN assignment without changing their IP
addresses.
ii. There is a need for a firewall with many tens, hundreds or even thousands
of interfaces. Using Private VLANs the firewall can have only one interface for
all the isolated networks.
iii. There is a need to preserve IP addressing. With Private VLANs, all
Secondary VLANs can use the same IP subnet.
iv. Overcoming license fees for the number of supported VLANs per firewall.
v. There is a need for more than 4095 segregated networks. With Isolated VLAN,
there can be an endless number of segregated networks.

3.6.2 Secure Hosting

Private VLANs in hosting operation allow isolation between customers with the
following benefits:

i. No need for a separate IP subnet for each customer.
ii. Using Isolated VLAN, there is no limit on the number of customers.
iii. No need to change the firewall's interface configuration to extend the
number of configured VLANs.

3.6.3 Secure VDI

An Isolated VLAN can be used to isolate VDI desktops from each other, allowing
filtering and inspection of desktop to desktop communication. Using a firewall
will require a VLAN and a subnet per VDI desktop.

3.6.4 Backup Network

On a backup network, there is no need for hosts to reach each other. Hosts
should only reach their backup destination. Backup clients can be placed in one
Isolated VLAN and the backup servers can be placed as promiscuous on the
Primary VLAN; this will allow hosts to communicate only with the backup
servers.

3.7 SIMPLE NETWORK MANAGEMENT PROTOCOL

Simple Network Management Protocol is an "Internet-standard protocol for
managing devices on IP networks". Devices that typically support SNMP include
routers, switches, servers, workstations, printers, modem racks and more. SNMP
is used mostly in network management systems to monitor network-attached
devices for conditions that warrant administrative attention. SNMP is a
component of the Internet Protocol Suite as defined by the Internet Engineering
Task Force. It consists of a set of standards for network management, including
an application layer protocol, a database schema, and a set of data objects.
SNMP exposes management data in the form of variables on the managed systems,
which describe the system configuration. These variables can then be queried by
managing applications.

In typical uses of SNMP, one or more administrative computers, called managers,
have the task of monitoring or managing a group of hosts or devices on a
computer network. Each managed system executes, at all times, a software
component called an agent which reports information via SNMP to the manager.
SNMP agents expose management data on the managed systems as variables. The
protocol also permits active management tasks, such as modifying and applying a
new configuration through remote modification of these variables. The variables
accessible via SNMP are organized in hierarchies. These hierarchies, and other
metadata, are described by Management Information Bases.

An SNMP-managed network consists of three key components:

i. Managed device
ii. Agent: software which runs on managed devices
iii. Network management station: software which runs on the manager

i. A managed device is a network node that implements an SNMP interface that
allows unidirectional or bidirectional access to node-specific information.
Managed devices exchange node-specific information with the NMSs. Sometimes
called network elements, the managed devices can be any type of device,
including, but not limited to, routers, access servers, switches, bridges,
hubs, IP telephones, IP video cameras, computer hosts, and printers. An agent
is a network-management software module that resides on a managed device. An
agent has local knowledge of management information and translates that
information to or from an SNMP-specific form.
ii. A network management station executes applications that monitor and control
managed devices. NMSs provide the bulk of the processing and memory resources
required for network management. One or more NMSs may exist on any managed
network. SNMP enables network administrators to manage network performance,
find and solve network problems, and plan for network growth. Managing computer
networks involves an approach that simplifies the potentially complex problems
of communication and coordination. The dominant methodology, which has been
adopted by SNMP, is to view the network as a collection of cooperative,
communicating entities. There are two basic types of entities: management
processes and managed processes.

Fig. 3.5 SNMP Architecture

3.7.1 Key Elements of SNMP Model

i. Network Management Station

In terms of the network management model, a network management station is one
that implements network management applications that monitor and control
network elements such as hosts, gateways and terminal servers. These network
elements use a management agent to perform the network management functions
requested by the network management stations. The Simple Network Management
Protocol is used to communicate management information between the network
management stations and the agents in the network elements. NMS is described in
RFC 1157 "A Simple Network Management Protocol". An NMS provides FCAPS
functionality for the whole network. FCAPS (Fault, Configuration, Accounting,
Performance, Security) are the categories defined by the ISO model. In
non-billing organizations accounting is sometimes replaced with administration.

ii. Network Elements

A network element is usually defined as a manageable logical entity uniting one
or more physical devices. This allows distributed devices to be managed in a
unified way using one management system. According to the Telecommunications
Act of 1996, the term 'network element' means a facility or equipment used in
the provision of a telecommunications service. Such term also includes
features, functions, and capabilities that are provided by means of such
facility or equipment, including subscriber numbers, databases, signaling
systems, and information sufficient for billing and collection or used in the
transmission, routing, or other provision of a telecommunications service.

iii. Agent

An SNMP agent is any computer or other network device that monitors and
responds to queries from SNMP managers. The agent can also send a trap message to
the manager when specified events, such as a system reboot or illegal access, occur. An
agent is a network management software module that resides in a managed
device. An agent has local knowledge of management information. It translates
information from local/internal form to SNMP-compatible form and vice versa. On
input/trigger from the NMS, it performs operations on behalf of the NMS.

iv. Management Information Base

The MIB is a database of managed objects accessed by network management protocols.
An SNMP MIB is a set of parameters which an SNMP management station can query or set
in the SNMP agent of a network device.

3.7.2 SNMP Operations

i. The get-operation

Fig. 3.6 Get-command is useful for retrieving value of 1 or more MIB objects at a
time

ii. The set-operation

Fig. 3.7 To assign a value to an existing object instance and to create new instances

iii. Trap

Fig. 3.8 To signal an event

iv. Inform

Fig. 3.9 Confirmed trap, PDU similar to GET/SET PDU format and to inform a
high level manager

3.7.3 SNMP Types

i. SNMPv1

SNMP version one is the initial implementation of the SNMP protocol. SNMPv1
operates over protocols such as User Datagram Protocol, Internet Protocol, OSI
Connectionless Network Service, AppleTalk Datagram-Delivery Protocol, and Novell
Internet Packet Exchange. SNMPv1 is widely used and is the de facto
network-management protocol in the Internet community. Version 1 has been criticized
for its poor security. Authentication of clients is performed only by a "community
string", in effect a type of password, which is transmitted in clear text. The '80s
design of SNMPv1 was done by a group of collaborators who viewed the officially
sponsored OSI/IETF/NSF effort as both unimplementable on the computing platforms of
the time and potentially unworkable. SNMP was approved based on a belief that it
was an interim protocol needed for taking steps towards large-scale deployment of the
Internet and its commercialization. In that time period, Internet-standard
authentication/security was both a dream and discouraged by focused protocol design
groups.

ii. SNMPv2

SNMPv2 revises version one and includes improvements in the areas of
performance, security, confidentiality, and manager-to-manager communications. It
introduced GetBulkRequest, an alternative to iterative GetNextRequests for retrieving
large amounts of management data in a single request. However, the new party-based
security system in SNMPv2, viewed by many as overly complex, was not widely
accepted. This version of SNMP reached the Proposed Standard level of maturity, but
was deemed obsoleted by later versions. SNMPv2c comprises SNMPv2 without the
controversial new SNMPv2 security model, using instead the simple community-based
security scheme of SNMPv1. This version is one of relatively few standards to meet the
IETF's Draft Standard maturity level, and was widely considered the de facto SNMPv2
standard. It too was later obsoleted, by SNMPv3. This is a compromise that attempts to
offer greater security than SNMPv1, but without incurring the high complexity of
SNMPv2. A variant of this was commercialized as SNMP v2*, and the mechanism was
eventually adopted as one of two security frameworks in SNMPv3.

iii. SNMPv3

SNMPv3 primarily added security and remote configuration enhancements to
SNMP. Due to the lack of security in earlier versions of SNMP, network administrators
were using other means, such as telnet, for configuration, accounting, and fault
management. SNMPv3 addresses issues related to the large-scale deployment of SNMP,
accounting, and fault management. Currently, SNMP is predominantly used for
monitoring and performance management. SNMPv3 defines a secure version of SNMP and
also facilitates remote configuration of the SNMP entities. SNMPv3 focuses on two main
aspects, namely security and administration. The security aspect is addressed by offering
both strong authentication and data encryption for privacy. The administration aspect is
focused on two parts, namely notification originators and proxy forwarders. SNMPv3
defines a number of security-related capabilities. The initial specifications defined the
USM and VACM, which were later followed by a transport security model that provided
support for SNMPv3 over SSH and SNMPv3 over TLS and DTLS.

a. USM (User-based Security Model) provides authentication and privacy functions
and operates at the message level.
b. VACM (View-based Access Control Model) determines whether a given
principal is allowed access to a particular MIB object to perform specific
functions and operates at the PDU level.
c. TSM (Transport Security Model) provides a method for authenticating and
encrypting messages over external security channels. Two transports, SSH and
TLS/DTLS, have been defined that make use of the TSM specification.

SNMPv3 provides important security features:

i. Confidentiality - Encryption of packets to prevent snooping by an unauthorized
source.
ii. Integrity - Message integrity to ensure that a packet has not been tampered with
while in transit, including an optional packet replay protection mechanism.
iii. Authentication - To verify that the message is from a valid source.
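
The difference between the community-based versions and SNMPv3 shows up in the first few octets of a message. The following C code is an added example, not code from this report: it decodes the outer BER header of an SNMP message and reports whether a community string is carried in clear text, which is a check an operator can run over captured management traffic. The function names and both sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct snmp_hdr {
    long version;        /* 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3 */
    char community[65];  /* NUL-terminated; filled only for v1/v2c */
};

/* Constructed sample: SNMPv1 GetRequest for sysDescr.0, community "public". */
static const unsigned char sample_v1[] = {
    0x30, 0x26,                                 /* SEQUENCE, 38 octets */
    0x02, 0x01, 0x00,                           /* version = 0 (v1) */
    0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',   /* community, in clear */
    0xa0, 0x19,                                 /* GetRequest PDU */
    0x02, 0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00,
    0x30, 0x0e, 0x30, 0x0c,
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00,
    0x05, 0x00
};

/* Constructed sample: only the start of an SNMPv3 message (version = 3,
 * empty header SEQUENCE); enough to show there is no community field. */
static const unsigned char sample_v3[] = { 0x30, 0x05, 0x02, 0x01, 0x03, 0x30, 0x00 };

/* Read one BER tag and length; returns 0 on success, -1 if malformed. */
static int ber_header(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned char *tag, size_t *vlen)
{
    unsigned char b;
    size_t n;

    if (*pos > len || len - *pos < 2) return -1;
    *tag = buf[(*pos)++];
    b = buf[(*pos)++];
    if (b < 0x80) {
        *vlen = b;                              /* short form */
    } else {
        n = b & 0x7f;                           /* long form: n length octets */
        if (n == 0 || n > sizeof(size_t) || n > len - *pos) return -1;
        for (*vlen = 0; n > 0; n--) *vlen = (*vlen << 8) | buf[(*pos)++];
    }
    return (*vlen > len - *pos) ? -1 : 0;       /* value must fit the buffer */
}

/* Returns 1 if a cleartext community was extracted (v1/v2c), 0 for any other
 * version (such as v3), -1 if the buffer is not a well-formed SNMP header. */
int snmp_inspect(const unsigned char *buf, size_t len, struct snmp_hdr *out)
{
    size_t pos = 0, vlen;
    unsigned char tag;

    memset(out, 0, sizeof *out);
    out->version = -1;
    if (ber_header(buf, len, &pos, &tag, &vlen) || tag != 0x30) return -1;
    len = pos + vlen;                           /* stay inside the SEQUENCE */
    if (ber_header(buf, len, &pos, &tag, &vlen) || tag != 0x02) return -1;
    if (vlen == 0 || vlen > 4) return -1;
    for (out->version = 0; vlen > 0; vlen--)
        out->version = (out->version << 8) | buf[pos++];
    if (out->version != 0 && out->version != 1) return 0;
    if (ber_header(buf, len, &pos, &tag, &vlen) || tag != 0x04) return -1;
    if (vlen >= sizeof out->community) return -1;
    memcpy(out->community, buf + pos, vlen);
    return 1;
}

int main(void)
{
    struct snmp_hdr h;
    int r = snmp_inspect(sample_v1, sizeof sample_v1, &h);
    printf("v1 sample: result=%d version=%ld community=\"%s\"\n", r, h.version, h.community);
    r = snmp_inspect(sample_v3, sizeof sample_v3, &h);
    printf("v3 sample: result=%d version=%ld\n", r, h.version);
    return 0;
}
```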

3.8 MANAGEMENT INFORMATION BASE

A management information base is a database used for managing the entities in a
communications network. Most often associated with the Simple Network Management
Protocol, the term is also used more generically in contexts such as the OSI/ISO Network
management model. While intended to refer to the complete collection of management
information available on an entity, it is often used to refer to a particular subset, more
correctly referred to as a MIB module. Objects in the MIB are defined using a subset of
Abstract Syntax Notation One called "Structure of Management Information Version
two". The software that performs the parsing is a MIB compiler.

3.8.1 MIB Syntax

Every object within an SNMP MIB is defined in a formal way: the definition
specifies the data type of the object, its allowable forms and value ranges, and its
relationship to other objects within the MIB. To define the objects themselves, ASN.1
notation is used. The basic building block of an ASN.1 specification is the module.

Modules have the basic form

<modulereference> DEFINITIONS ::= BEGIN
    EXPORTS
    IMPORTS
    AssignmentList
END

The “modulereference” is a module name followed optionally by an object
identifier to identify the module.

The EXPORTS construct indicates which definitions in this module other
modules may import.

The IMPORTS construct indicates which type and value definitions from other
modules are to be imported into this module.

The assignment list consists of type assignments, value assignments, and macro
definitions. Type and value assignments have the form

<name> ::= <description>

Object Reading in a MIB

<name> OBJECT-TYPE
    SYNTAX <data type>
    ACCESS <ro, rw, wo, na>
    STATUS <mandatory, optional, obsolete>
    DESCRIPTION
        “Textual description describing this particular managed object”
    ::= { <unique OID that defines this object> }

3.8.2 MIB Objects

Generally, SNMP leaf objects can be partitioned into two similar but slightly
different types that reflect the organization of the tree structure:

i. Discrete/Scalar MIB Objects. Discrete SNMP objects contain one precise piece
of management data. These objects are often distinguished from “Table” items
by adding a “.0” extension to their names.
ii. Table MIB Objects. Table SNMP objects contain multiple pieces of management
data. These objects are distinguished from “Discrete” items by requiring a “.”
extension to their names that uniquely distinguishes the particular value being
referenced.

3.9 MODULE DESCRIPTIONS OF THE PROPOSED SYSTEM WITH DESIGN

Fig. 3.10 Proposed System Module

i. CLI

A command-line interface, also known as command-line user interface, console
user interface and character user interface, is a means of interacting with a computer
program where the user issues commands to the program in the form of successive lines
of text. An application program may support none, any, or all of these three major types
of command line interface mechanisms:

a. Parameters: Most operating systems support a means to pass additional
information to a program when it is launched. When a program is
launched from an OS command line shell, additional text provided along
with the program name is passed to the launched program.
b. Interactive command line sessions: After launch, a program may
provide an operator with an independent means to enter commands in the
form of text.
c. OS inter-process communication: Most operating systems support
means of inter-process communication. Command lines from client
processes may be redirected to a CLI program by one of these methods.

ii. SNMP

Simple Network Management Protocol is an "Internet-standard protocol for
managing devices on IP networks". Devices that typically support SNMP include
routers, switches, servers, workstations, printers, modem racks and more. SNMP is used
mostly in network management systems to monitor network-attached devices for
conditions that warrant administrative attention. SNMP is a component of the Internet
Protocol Suite as defined by the Internet Engineering Task Force. It consists of a set
of standards for network management, including an application layer protocol, a
database schema, and a set of data objects. An SNMP-managed network consists of
three key components:

a. Managed device
b. Agent: software which runs on managed devices
c. Network management station: software which runs on the manager

iii. MIB

A management information base is a database used for managing the entities in a
communications network. Most often associated with the Simple Network Management
Protocol, the term is also used more generically in contexts such as the OSI/ISO Network
management model. While intended to refer to the complete collection of management
information available on an entity, it is often used to refer to a particular subset, more
correctly referred to as a MIB module.

Objects in the MIB are defined using a subset of Abstract Syntax Notation One
called "Structure of Management Information Version 2" (RFC 2578). The software that
performs the parsing is a MIB compiler.

iv. Configuration

This is a database which keeps the configuration records. The Private VLAN
feature takes its configuration records from this configuration database. The values
set by the commands developed for a feature are read by that feature from the
configuration records.

3.10 REQUIREMENTS SPECIFICATION

3.10.1 Software Requirements

i. Software : VNC, PuTTY
ii. Software version : INTEGRITY v5.0.11
iii. Tools : MULTI debugger by Green Hills
iv. Compiler : ccintppc (ppc 8540)
v. Development environment : Linux (Real Time Operating System)
vi. Code version : Git

3.10.2 Hardware Requirements

ProCurve Switch

i. Differentiator
a. 12-slot modular switch chassis with 4 open module slots
b. ships with 92 10/100/1000 PoE+ and 2 SFP+ 10-GbE ports
c. management, fabric and support modules and 2 PoE+ power supplies
already installed
d. Premium switch software included
ii. Ports
a. 92 RJ-45 autosensing 10/100/1000 PoE+ ports
b. 2 SFP+ 10GbE ports
iii. open module slots

a. Supports a maximum of 288 autosensing 10/100/1000 ports or 96 10GbE
ports or 288 mini-GBICs, or a combination
b. Included
iv. Memory and processor
a. Freescale PowerPC 8540 @ 666 MHz
v. MB flash
a. 128 MB compact flash
b. 256 MB DDR SDRAM
vi. Latency
a. 1000 Mb Latency: < 3.7 µs
b. 10 Gbps Latency: < 2.1 µs
vii. Throughput
a. 739 Mpps
viii. Routing/switching capacity
a. 993.6 Gbps
ix. Switch fabric speed

a. Tbps
x. Management features
a. IMC - Intelligent Management Center
b. command-line interface
c. Web browser
d. configuration menu
e. out-of-band management (serial RS-232C)

xi. Power and operating requirements


a. Power supply name
x J9306A

xii. Dimensions and weight

a. Dimensions (W x D x H)
b. 17.5 x 18.7 x 15.6 in (44.45 x 47.5 x 39.62 cm)
c. Weight
d. 102.76 lb (46.61 kg)

CHAPTER 4

IMPLEMENTATION OF SYSTEM

4.1 DESIGN OF MIB TABLES

i. Private VLAN Configuration Table

PrivateVlanConfigTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PrivateVlanConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "A proprietary extension to dot1qVlanStaticTable
                 to configure a Private VLAN."
    ::= { PrivateVlanConfig 1 }

-- One row per VLAN; the row shares its index with dot1qVlanStaticEntry.
PrivateVlanConfigEntry OBJECT-TYPE
    SYNTAX      PrivateVlanConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "An entry in the specific extension to the
                 dot1qVlanStaticTable table to configure a Private VLAN."
    AUGMENTS    { dot1qVlanStaticEntry }
    ::= { PrivateVlanConfigTable 1 }

PrivateVlanConfigEntry ::=
    SEQUENCE {
        PrivateVlanType PVLANType
    }

PrivateVlanType OBJECT-TYPE
    SYNTAX      PVLANType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "This object refers to the type of a Private VLAN,
                 which can be a primary, isolated or a community VLAN."
    DEFVAL      { notAPrivateVLan }
    ::= { PrivateVlanConfigEntry 1 }

ii. Primary to Secondary VLAN Mapping Table

PrivateVlanMappingTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PrivateVlanMappingEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "A table containing the mapping of a primary to
                 secondary VLANs."
    ::= { PrivateVlanConfig 3 }

-- One row per primary VLAN, indexed by the primary VLAN ID.
PrivateVlanMappingEntry OBJECT-TYPE
    SYNTAX      PrivateVlanMappingEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "An entry containing the configuration of Primary
                 to Secondary VLAN."
    INDEX       { PrivateVlanPrimary }
    ::= { PrivateVlanMappingTable 1 }

-- Member names match the column objects defined below.
PrivateVlanMappingEntry ::= SEQUENCE {
    PrivateVlanPrimary           VlanId,
    PrivateVlanIsolated          VlanId,
    PrivateVlanCommunity         VidList,
    PrivateVlanPromiscuousPorts  PortList,
    PrivateVlanMappingRowStatus  RowStatus
}

PrivateVlanPrimary OBJECT-TYPE
    SYNTAX      VlanId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "This is the Primary VLAN."
    ::= { PrivateVlanMappingEntry 1 }

PrivateVlanIsolated OBJECT-TYPE
    SYNTAX      VlanId
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "Isolated VLAN associated to a primary
                 VLAN."
    ::= { PrivateVlanMappingEntry 2 }

PrivateVlanCommunity OBJECT-TYPE
    SYNTAX      VidList
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "List of community VLANs which are associated to a
                 primary VLAN."
    ::= { PrivateVlanMappingEntry 3 }

PrivateVlanPromiscuousPorts OBJECT-TYPE
    SYNTAX      PortList
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "This object refers to the list of promiscuous ports
                 of the primary VLAN."
    ::= { PrivateVlanMappingEntry 4 }

PrivateVlanMappingRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "The Row status for the Primary to Secondary VLAN
                 entry."
    ::= { PrivateVlanMappingEntry 5 }

In the Private VLAN configuration table, there is a configuration entry. The VLAN ID
gives identity to a particular Private VLAN. dot1qVlanStaticEntry is augmented in the
Private VLAN configuration table.

In the Primary to Secondary VLAN mapping table, there is
PrivateVlanMappingEntry, which has object types such as PrivateVlanPrimary,
PrivateVlanIsolated, PrivateVlanCommunity, PrivateVlanPromiscuousPorts and
PrivateVlanMappingRowStatus.

PrivateVlanPrimary gives the existence of the Primary VLAN in a Private VLAN.

PrivateVlanIsolated gives the existence of the Isolated VLAN which is associated
with the Primary VLAN.

PrivateVlanCommunity gives the list of Community VLANs which are
associated with the Primary VLAN.

PrivateVlanPromiscuousPorts gives the list of the ports associated with a
particular VLAN.

For one Primary VLAN, there is only one Isolated VLAN, and for that one
Isolated VLAN, a maximum of 8 Secondary VLANs can be mapped.

4.2 MIB COMPILATION STEPS

Before compiling the MIB, we should create our .mib file in the mib.ss directory.
After that, compilation should be done. The steps are as follows.

i. We should be in the mib.ss directory.

ii. First run mosy:
    /ws/<username>/<workspace>/tools/bin-x86-linux/mosy newfile.mib

iii. Now create the config.cnf file with the MODULE-IDENTITY of the MIB file being
modified. For example:
    config PrivateVlan MIB
    all 0 1 2

iv. Do the build (btm, sbm, etc., whichever is required).

v. Run mosy again. This will create a .def file named newfile.mib.def.

vi. Go to the directory code/build/btm/obj/mib.ss and execute the command:
    cat *.def > netswitch.def

vii. Run postmosy:
    /ws/<username>/<workspace>/tools/bin-x86-linux/postmosy -f config.cnf -agent \
        -classic_v -row_status -storage_type -snmpmibh newfile.mib.def \
        /ws/<username>/<workspace>/code/build/btm/obj/mib.ss/netswitch.def

4.3 K AND V ROUTINES

Implementation starts with compilation of MIB tables. K-routines and V-routines
are generated after the compilation of MIB tables.

K-routines contain
i. k_get
ii. k_test
iii. k_ready
iv. k_set
v. k_undo

V-routines contain
i. v_get
ii. v_test
iii. v_set

V-routines are system independent routines.
K-routines contain system dependent code.

GET requests:

Agent
|-- v_get
    |-- k_get

SET requests:

Agent
|-- v_test
    |-- k_test
    |-- k_ready
Agent
|-- v_set
    |-- k_set

The Agent calls the v_set routine only after all variable bindings pass the v_test
routine. k_set_defaults is called before k_test in the case of new row creation.

Agent
|-- v_test
    |-- k_get fails -> k_set_defaults
    |-- k_test
    |-- k_ready
Agent
|-- v_set
    |-- k_set

i. Setting values in k_routine

In the k_set routine, values have to be set in a configuration record.

For example:

#ifdef I_PrivateVlanMappingEntry
    /* Write the value only if the manager supplied this column. */
    if (VALID(I_PrivateVlanMappingEntry, data->valid)) {
        if (!cfg_tree_set_num(PVLANr, Private_Vlan_Types, Rec_Index,
                              data->PrivateVlanMappingEntry)) {
            /* The configuration record could not be written. */
            ASSERT(0);
            return GEN_ERROR;
        }
    }
#endif /* I_PrivateVlanMappingEntry */

ii. Getting values from k-routines

#ifdef I_PrivateVlanMappingEntry
    /* Read the value from the configuration record; fail the GET if absent. */
    if (!cfg_tree_get_num(PVLANr, Private_Vlan_Types, Rec_Index,
                          data->PrivateVlanMappingEntry))
        return (NULL);
    /* Mark the column as present in the returned row. */
    SET_VALID(I_PrivateVlanMappingEntry, data->valid);
#endif /* I_PrivateVlanMappingEntry */

4.4 PRIVATE VLAN COMMANDS

i. system (config)# vlan 10
In this command, we are simply creating a normal VLAN and assigning
it VLAN ID 10.
ii. system (vlan-10)# private-vlan primary
After creation of VLAN ID 10, we are making VLAN 10 a Primary
VLAN which is part of a Private VLAN.
iii. system (vlan-10)# private-vlan isolated 11
In this command, we are making VLAN 11 an Isolated VLAN in the
VLAN ID 10 context, which is part of a Private VLAN, and which will get
associated to Primary VLAN ID 10.
iv. system (vlan-10)# private-vlan community 15-20
In this command, we are making VLAN IDs 15 to 20 Community
VLANs which are part of a Private VLAN, and which will get associated to Primary
VLAN ID 10.
v. system (vlan-10)# private-vlan promiscuous ports A1-A5
In this command, we are assigning ports A1 to A5 as Promiscuous
ports which will get associated to Primary VLAN ID 10.
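
One way the consistency checks behind k_test could look for a PrivateVlanMappingEntry row, using the values from the commands above (added example, not the report's switch code). The struct, the function names, the VidList bitmap layout (modelled on the Q-BRIDGE-MIB PortList convention) and the rule that the primary VLAN may not also be a secondary are assumptions; the limit of 8 is the secondary-VLAN limit from section 4.1, applied here to the community list.

```c
#include <stdio.h>
#include <string.h>

#define VLAN_MIN 1
#define VLAN_MAX 4094        /* usable IEEE 802.1Q VLAN IDs */
#define MAX_COMMUNITY 8      /* secondary-VLAN limit from section 4.1 */
#define VIDLIST_OCTETS 512   /* assumed: one bit per VLAN ID */

enum pvlan_err { PVLAN_OK = 0, PVLAN_BAD_VID, PVLAN_TOO_MANY, PVLAN_OVERLAP };

/* Hypothetical in-memory form of one PrivateVlanMappingEntry row. */
struct pvlan_row {
    unsigned primary;                         /* PrivateVlanPrimary (index) */
    unsigned isolated;                        /* PrivateVlanIsolated, 0 = unset */
    unsigned char community[VIDLIST_OCTETS];  /* PrivateVlanCommunity bitmap */
};

static int vid_valid(unsigned v) { return v >= VLAN_MIN && v <= VLAN_MAX; }

/* Assumed bitmap layout, as for Q-BRIDGE-MIB PortList: the most significant
 * bit of the first octet stands for ID 1, the next bit for ID 2, and so on. */
int vidlist_set(unsigned char *list, unsigned vid)
{
    if (!vid_valid(vid)) return -1;
    list[(vid - 1) / 8] |= (unsigned char)(0x80 >> ((vid - 1) % 8));
    return 0;
}

int vidlist_test(const unsigned char *list, unsigned vid)
{
    return vid_valid(vid) && (list[(vid - 1) / 8] & (0x80 >> ((vid - 1) % 8))) != 0;
}

unsigned vidlist_count(const unsigned char *list)
{
    unsigned v, n = 0;
    for (v = VLAN_MIN; v <= VLAN_MAX; v++) n += (unsigned)vidlist_test(list, v);
    return n;
}

/* k_test-style check: every rule is evaluated before anything is stored. */
enum pvlan_err pvlan_row_test(const struct pvlan_row *r)
{
    if (!vid_valid(r->primary)) return PVLAN_BAD_VID;
    if (r->isolated != 0 && !vid_valid(r->isolated)) return PVLAN_BAD_VID;
    if (r->isolated == r->primary) return PVLAN_OVERLAP;          /* assumed rule */
    if (vidlist_test(r->community, r->primary)) return PVLAN_OVERLAP;
    if (vidlist_count(r->community) > MAX_COMMUNITY) return PVLAN_TOO_MANY;
    return PVLAN_OK;
}

/* Test-then-set, mirroring v_test/k_test before v_set/k_set: the stored row
 * changes only when the candidate passes, so a rejected SET leaves no trace. */
enum pvlan_err pvlan_row_commit(struct pvlan_row *stored, const struct pvlan_row *cand)
{
    enum pvlan_err e = pvlan_row_test(cand);
    if (e == PVLAN_OK) *stored = *cand;
    return e;
}

/* Row for "vlan 10 / private-vlan primary / isolated 11 / community lo-hi". */
struct pvlan_row pvlan_example_row(unsigned lo, unsigned hi)
{
    struct pvlan_row r;
    unsigned v;
    memset(&r, 0, sizeof r);
    r.primary = 10;
    r.isolated = 11;
    for (v = lo; v <= hi; v++) vidlist_set(r.community, v);
    return r;
}

int main(void)
{
    struct pvlan_row stored, ok = pvlan_example_row(15, 20), big = pvlan_example_row(15, 23);
    memset(&stored, 0, sizeof stored);
    printf("community 15-20: %d\n", pvlan_row_commit(&stored, &ok));   /* accepted */
    printf("community 15-23: %d\n", pvlan_row_commit(&stored, &big));  /* rejected */
    printf("stored community VLANs: %u\n", vidlist_count(stored.community));
    return 0;
}
```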

CHAPTER 5

RESULTS AND DISCUSSION

Fig. 5.1 Setting Row Status and Primary VLAN ID.

Here, with the help of the command, RowStatus and Primary VLAN ID are set
to 4 and 3 respectively.

Fig. 5.2 Setting up Isolated VLAN ID.

Here, with the help of the command, the Isolated VLAN ID is set to 5.

Fig. 5.3 Setting up Community VLAN IDs

Here, with the help of the command, the Community VLAN IDs are set to 5, 6,
9, 10, 2056, 2057, 2058 and 2064 respectively.

Fig. 5.4 Shows the Values of Community VLAN IDs

Here, we can see the values that we set for the Community VLAN IDs.

Fig. 5.5 Setting up Promiscuous Ports

Here, we can set the values for the Promiscuous Ports which are associated to the
Private VLAN.

Fig. 5.6 Shows the Value of Row Status

Fig. 5.7 Shows the Value of Isolated VLAN.

Fig. 5.8 Shows the Values of Community VLANs

Fig. 5.9 Shows the Values of Promiscuous Ports

Fig. 5.10 Walkmib Operation

Fig. 5.11 Shows the Values of Promiscuous Ports and RowStatus

Fig. 5.12 Displays the PVLAN Record

Fig. 5.13 Displays the Default VLAN Record

Fig. 5.14 Displays the VLAN Record

Fig. 5.15 Displays the VLAN Record

Fig. 5.16 Displays the VLAN Record

Fig. 5.17 Displays the VLAN Record

Fig. 5.18 Displays the Internally Created VLANs

The above six figures display the VLAN records and show the VLANs created
internally, whatever was created by us.

CHAPTER 6

CONCLUSION AND FUTURE WORK

6.1 CONCLUSION

Development of Private VLAN adds more parameters to the existing VLAN
feature, of which security is one of the most important. Private VLANs are used for
network segregation when moving from a flat network to a segregated network without
changing the IP addressing of the hosts. A firewall can replace a router, and then hosts
can be slowly moved to their secondary VLAN assignment without changing their IP
addresses. There is a need to preserve IP addressing.

With Private VLANs, all Secondary VLANs can share the same IP subnet. With
Isolated VLAN, there can be an endless number of segregated networks. Private VLANs in
a hosting operation allow segregation between customers with the following benefits:
there is no need for a separate IP subnet for each customer; using Isolated VLAN, there
is no limit on the number of customers; and there is no need to change the firewall's
interface configuration to extend the number of configured VLANs. Isolated VLAN can be
used to segregate VDI desktops from one another, allowing filtering and inspection of
desktop-to-desktop communication. Using a firewall will require a VLAN and a subnet
per VDI desktop.

6.2 FUTURE WORK

In practice, SNMP implementations often support multiple versions: typically SNMPv1,
SNMPv2c, and SNMPv3. In future, among SNMPv1, SNMPv2c, and SNMPv3, we can use
SNMPv3 to implement the Private VLAN feature. SNMPv3 primarily added security
and remote configuration enhancements to SNMP. Due to the lack of security in earlier
versions of SNMP, network administrators were using other means, such as telnet, for
configuration, accounting, and fault management. SNMPv3 addresses issues related to
the large-scale deployment of SNMP, accounting, and fault management.

REFERENCES

[1]. T. Kudoh, H. Tezuka, M. Matsuda, Y. Kodama, O. Tatebe, and S.
Sekiguchi, “VLAN-Based Routing: Multi-Path L2 Ethernet Network for
HPC Clusters,” Proc. IEEE Int'l Conf. Cluster Computing (Cluster), Sept.
2004.

[2]. S. Sharma, K. Gopalan, S. Nanda, and T. Chiueh, “Viking: A
Multi-Spanning-Tree Ethernet Architecture for Metropolitan Area and Cluster
Networks,” Proc. IEEE INFOCOM, pp. 2283-2294, Mar. 2004.

[3]. Virtual Bridged Local Area Networks, IEEE Std 802.1Q™, 2005.

[4]. W. Stallings, SNMP, SNMPv2 and RMON, 2nd ed. Reading, MA:
Addison-Wesley, 1996.

[5]. D. Harrington, R. Presuhn, and B. Wijnen, “An Architecture for
Describing SNMP Management Frameworks,” RFC 2271, Jan. 1998.

[6]. F. Daitx, R. P. Esteves, and L. Z. Granville, “On the Use of
SNMP as a Management Interface for Virtual Networks,” Proc. of
the IFIP/IEEE Intl. Symp. on Integrated Network Management (IM’11), pp.
177–184, May 2011.

[7]. P. Goncalves, J. Oliveira, and R. Aguiar, “An evaluation of network
management protocols,” Proc. of the IFIP/IEEE International
Symposium on Integrated Network Management (IM’09), pp. 537–544,
Jun. 2009.

[8]. J. Case, M. Fedor, M. Schoffstall, and J. Davin, “A Simple Network Management
Protocol (SNMP),” RFC 1157, 1990.

[9]. Mengjun Wu, Developing Network Management Software Based on
SNMP in Visual C++, Beijing: People Post & Telecom Press, 2007.

[10]. P. Garimella et al., “Characterizing VLAN Usage in an
Operational Network,” Proc. Wksp. Internet Network Mgmt., Aug. 2007.
