Enhancement of LAN Infrastructure Performance for Data Center in Presence of Network Security Bhargavi Goswami and Seyed Saleh Asadollahi

Abstract Policy-based LAN infrastructure implementation has always been a challenge for corporate bodies that have diverse networking situations to handle with limited resources, especially in the presence of servers protected by firewalls. This paper provides solutions to many problems that corporate organizations have so far tolerated even though up-to-date technology is available. We improve the performance of an existing LAN infrastructure by modifying specific parts of the networking scenario with security considerations in mind, and we implement AAA with RADIUS to close the remaining loopholes of the system. The proposed approach to network implementation produced reports showing an overwhelming boost in network performance. Researchers, field engineers at networking sites and everyone else who is part of the networking world should read this article before starting the implementation of any networking scenario, to learn the do's and don'ts before the implementation phase begins.

Keywords RADIUS · CAT-6 · MD5 · ACL · Distribution list · DMZ · LAN · AAA

1 Introduction

In accordance with the specification of the research project, the first author has been appointed Project Coordinator of a team of research fellows forming the networking group of a large data center company, 'BG Networking Solutions', with three network managers assigned to the coordinator. The particulars of the allocated task were provided as follows. The registered headquarters of the corporation is in Bangalore, and the group also has divisional offices in Hong Kong and Sydney. Our main responsibility is to design, implement and test a new LAN infrastructure for all of the subdivisions. We must also put new protection measures into practice for the group's diverse subdivisions, and permit remote access for employees who have to complete definite tasks on time while operating away from the offices. The major troubles in the existing network are:

• Managers of every section need access to additional restricted resources which ordinary staff are not permitted to use.
• The group has recently hired a number of new IT support personnel, but the IT support department is full, so they have been seated in the HR section. These IT support personnel need access to technical resources, which they are not given; because they connect through the 'HR' switch, the only resources they can reach are the HR department's.
• A few workers need access to the network while operating away from the workplace.
• The network is sluggish because the group is growing and the number of employees and customers keeps rising.
• The managing director wants to add a new Marketing section to the corporation, for which all spare equipment must be made ready.

The group provided Table 1, which outlines how its employees are divided across levels and sites and which safety measures and policies must apply to them. The group has stated clearly how the clustered policies are to be put into action:

• Only HR division employees can access the HR division network, and no one else.
• Other than HR division employees, two senior managers are given rights to access the Finance division, and no one else.
• A division's manager is not allowed to access the network of another division but can access the HR division.

B. Goswami, MCA Department, Sunshine Group of Institutions, Rajkot, Gujarat, India, e-mail: [email protected]
S.S. Asadollahi, MSc. IT and CA Department, Saurashtra University, Rajkot, Gujarat, India, e-mail: [email protected]
© Springer Nature Singapore Pte Ltd. 2018. D.K. Lobiyal et al. (eds.), Next-Generation Networks, Advances in Intelligent Systems and Computing 638, https://doi.org/10.1007/978-981-10-6005-2_44

Table 1 Branch-wise and department-wise head count, and whether remote access is required

Department       Bangalore   Hong Kong   Sydney   Remote access
Human Resource   3           3           1        No
Finance          4           2           1        No
Managers         3           2           3        Yes
Electrical       2           3           1        No
Mechanical       2           2           3        No
IT support       6           3           2        Yes


• Electrical engineers are given access rights only to their own departmental subdivision network.
• Mechanical engineers can access only their own departmental subdivision network.
• IT support employees are given access to each and every network, but with no more than administrative and technical rights; they are not privileged to read or modify the files and folders of other sections' employees.

We now want to construct a trustworthy and proficient LAN infrastructure for the specified circumstances in a model-based simulated environment before the network is actually put into operation. All the simulations developed are provided in this article. Section 2 analyses LAN implementation, and Sect. 3 describes the design of the LAN with its improvements. Section 4 covers the implementation of the newly proposed design, Sect. 5 presents the results obtained and their analysis, Sect. 6 concludes and Sect. 7 discusses future scope.

2 Analysis of LAN

We first take a helicopter view of the available options for implementing a LAN infrastructure. We then discuss high-performance service provision given the concentration of traffic during office hours, and close with the performance, reliability and security measures to be considered while designing the LAN.

2.1 Assessment of Available LAN Technologies

Selecting the technology to build the LAN infrastructure on is a cardinal decision: it affects not only the working group's capital but, to a great extent, the performance. The most widely used LAN technologies are Ethernet, Fast Ethernet, Gigabit Ethernet and their fibre-optic variants. The research project placed no limitation on the type of media, guided or unguided, so considering maturity, features and expenditure we prefer a wired network. The available options are as follows.

Ethernet was first published by DEC, Intel and Xerox in 1980 and standardized by the IEEE as 802.3 in 1983. It uses CSMA/CD for medium access and collision detection. Classic 10 Mbps Ethernet ran over thick (10BASE5) or thin (10BASE2) coaxial bus cabling and later, as 10BASE-T with Manchester encoding, over Cat-3 or better UTP in a star topology through hubs and switches. Its major disadvantage is the shared collision domain: every station on a hub or coaxial segment contends for the same medium. Despite this limitation, about 80% of the world's LANs are Ethernet in one of its forms.

In 1995 the data rate was raised tenfold to 100 Mbps and standardized as Fast Ethernet (IEEE 802.3u). The two most popular variants are 100BASE-TX over UTP and 100BASE-FX over fibre; the only difference between them is the medium. The parameter that decides between them is the distance between the end hosts: fibre is preferred for long runs and unshielded twisted pair for short ones.

Within three years Gigabit Ethernet followed, raising the data rate to 1000 Mbps: 1000BASE-X over fibre (IEEE 802.3z, 1998) and 1000BASE-T over four pairs of Cat-5e or better UTP (IEEE 802.3ab, 1999), so Cat-6 cabling carries it comfortably. Ethernet has not stopped evolving: 10 Gigabit Ethernet came next, again over both copper and fibre. Ethernet has the longest lifespan of any communication technology and is still moving ahead with the support of researchers like us. If the reader asks why Ethernet is selected, the feature with which it wins over every other available technology is reliable data delivery at nominal expenditure.

2.2 Performance Analysis of Traffic Intensive Networks

As mentioned in Sect. 1, our network suffers from delayed delivery and behaves sluggishly because of the growing number of employees and customers of the BG Networking Group. During office hours in particular, throughput is drained, delay is high, the high delay drives up the drop rate, and the resulting retransmissions feed the congestion further. We propose Fast Ethernet and Gigabit Ethernet in place of classic Ethernet as the solution, addressing delay, throughput, drop rate and congestion together.

2.3 Performance and Security Concerns

Network Security: Two mechanisms secure access to the BG networking group's network, and they complement each other rather than being alternatives: EAPOL, the IEEE 802.1X transport between a supplicant and the switch or access server it connects to, and RADIUS between that device and the authentication server [1, 2]. Where remote access is provided, port-based EAPOL authentication is the minimum, and it should be backed by a RADIUS server, which brings AAA: authentication, authorization and accounting. RADIUS relies on MD5 for two things, hiding the User-Password attribute and computing the Response Authenticator that binds a reply to its request; that is what defends against masquerading and assures the reply's integrity. MD5 is no longer a strong hash (collisions are practical), and in RADIUS it is keyed only by the shared secret, so the protection actually rests on a long, random shared secret and on keeping NAS-to-server traffic away from untrusted paths. Distribution of data over the large distances between cities and branches is therefore achieved through a secure tunnel between the RADIUS servers, which also carries the remote-access sessions. To keep intruders from eavesdropping on or gaining unauthorized access to the internal networks, the servers are placed in a demilitarized zone (DMZ).

Reliability: Reliability is directly proportional to the robustness of the network, and robustness means that the network keeps running whatever adversity it meets, so that it is available round the clock. To provide this we invest in a backup data center alongside the main one. An EtherChannel forms the backbone between the two busiest, most heavily loaded routers at the distribution layer. EtherChannel gives link aggregation (several physical links act as one logical link) and fault tolerance (if one member link fails, traffic continues over the remaining ones), and it relieves congestion on the backbone; that fault tolerance is what delivers reliability.

Performance: An EtherChannel on the backbone links boosts performance to almost double what was obtained before, with two member links. Where the requirement exists, we use fibre without hesitation. Reliable LAN technologies such as Gigabit Ethernet and Fast Ethernet at the end hosts assure the reliability of the network, and the EtherChannel raises the data rate on the traffic-laden routers. Congestion is brought under control, drops fall and retransmissions with them, so a packet transmitted once is delivered on the first attempt at the desired rate, giving the expected network throughput.
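The RADIUS exchange described above, as an added worked example in Python; it is not code from the paper or from the Cisco guides it cites. A NAS builds an Access-Request with the password hidden under the Request Authenticator, the server recovers and checks the password and signs its reply with the Response Authenticator, and the NAS verifies that reply. Every one of these steps is keyed only by the shared secret, so the last function shows the offline guessing attack that a captured request/response pair allows, which is why a long random secret and a protected NAS-to-server path are the real safeguards. The user name, password, shared secret and candidate list are constructed for the example.

```python
"""RADIUS PAP exchange (RFC 2865) between a NAS and a server, showing where MD5 is used
and why the shared secret, not MD5, carries the security. Added example; the user,
password and secret values are constructed."""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
USERS = {b"it-support-1": b"Tr0ub4dor&3"}   # constructed server-side user store


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                       # at least one 16-octet block is required
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server needs the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type(1) Length(1, includes header) Value, concatenated."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def nas_access_request(user, password, secret, ident=42, request_auth=None):
    """NAS side: fresh random 16-byte Request Authenticator, password hidden under it."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(packet, secret):
    """Server side: recover the password, check it, sign the reply with the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    name, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    if name is None or hidden is None or len(hidden) % 16:
        raise ValueError("missing or malformed User-Name/User-Password")
    stored = USERS.get(name)
    ok = stored is not None and secrets.compare_digest(stored, reveal_password(hidden, secret, request_auth))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, request_auth, [], secret), [])


def nas_verify_response(response, request_auth, secret):
    """NAS side: trust a reply only if its authenticator verifies under the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = decode_attrs(response[20:length])
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return secrets.compare_digest(expected, response[4:20]), code


def crack_secret(request, response, candidates):
    """Offline attack on a captured request/response pair: the only work factor is the secret's entropy."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = decode_attrs(response[20:length])
    for cand in candidates:
        if response_authenticator(code, ident, request[4:20], attrs, cand) == response[4:20]:
            return cand
    return None
```

To use this against a real server, replace the in-memory `USERS` table with the server's database and carry the packets over UDP port 1812; the framing is unchanged. `reveal_password` strips trailing NUL bytes, so a PAP password cannot end in NUL, which matches RFC 2865. The `crack_secret` loop is exactly what an attacker on the NAS-to-server path runs, which is why the paper's tunnel between branches and a long random secret matter more than the choice of hash.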

3 Designing of LAN

This section describes the design requirements taken into consideration for the LAN infrastructure of the BG networking group's data center networks, and evaluates how critical and how suitable the planned design and its components are for the task. Table 2 shows how the network will run across the three branches and manage the departments of those branches. It gives the number of users and the network assigned to each department, which Fig. 1 also shows, and it records the access rights and policy, in particular which users are not permitted to reach the servers remotely. The design uses a few laptops and desktops, some routers and switches, and dedicated servers behind firewalls. Two cardinal, directly linked routers at the distribution layer distribute traffic between the branches and are the most crowded and congested points of the network. The link between these two routers is built as an EtherChannel so that, once implemented, congestion and jitter are avoided on these high-delay links.

Table 2 Assigned network, remote-access provision and number of users per department

Department               Assigned network   Remote access?   # Users
Remote access to staff   172.24.0.0         Yes              N
Server zone (DMZ)        192.168.0.0        Yes              N + 47
HR                       172.16.0.0         No               4
Manager's                172.20.0.0         Yes              8
Finance                  172.22.0.0         No               7
IT support               172.21.0.0         Yes              6
Mechanical               172.19.0.0         Yes              6
Electrical               172.18.0.0         Yes              4
Marketing                172.17.0.0         Yes              N

Fig. 1 BG networking group's infrastructure planning and development

For the access layer there were two options, switches or routers. Considering cost-effectiveness, future growth and the flexibility needed in the number of users, we opt for Layer 3 switches. RADIUS servers provide authentication, authorization and accounting on top of EAPOL (802.1X) port authentication, giving strong protection against intruders and adversaries. The MD5-based authenticator that RADIUS applies to its messages is a further safeguard, especially for the remote servers, but it is only as strong as the shared secret behind it, so that secret must be long and random.

Network load is distributed between departments so that routing activity in one does not interfere with the operational independence of another. Each department is allotted its own network (Table 2), subnetted with a 255.255.255.0 mask, so that access can be controlled per department. Each server is likewise given a separate network address and range so that unauthorized access is not permitted. For fault tolerance and uninterrupted availability, the data center networks are provided with backup servers [3]. To put company policy into effect we use access lists in addition to distribute lists. To keep control of and monitor the smooth running of the network, Kiwi Syslog Server logs the events of the servers, the backup servers and the routers connected to them [4].

The BG networking group has accumulated the following problems over the years; we suggest solutions that need little modification during the implementation stage.

(a) The network has become too slow as the number of users and staff grew. We recommend an EtherChannel between the backbone distribution-layer routers, with Layer 3 switches at the access layer to support more end hosts with all the features of a router at a high data rate.
(b) Managers generally demand more resources than other staff, which was not permitted before. Access lists give control over each resource and solve this without compromising access rights.
(c) The group hired several IT support staff before their department had space for them, so they were placed temporarily in the HR department's area, although their switch is different. An access list lets the IT department employees work comfortably from the HR area through the same router.
(d) A new Marketing department is required, privileged with more resources than the existing departments. We recommend Layer 3 switches with Fast Ethernet cabling, with company policy defined as distribute lists on those switches.
(e) Some staff members must be given access to the network when they cannot be at the place of work. The solution is remote access in secure mode [3]: a tunnel for server access over the remote connection, with access lists and distribute lists enforcing company policy.

4 Implementation of LAN

The network simulator GNS3 0.8.6, released under the GPL v2 licence [5], has been used to implement the design model for the assigned task. For policy-based routing over remote access and the other specified requirements we use EIGRP [6, 7], which is widely deployed to meet enterprise requirements. For tracking user activity, further monitoring and in-depth management of log information, Kiwi Syslog Server [4] is chosen. To provide round-the-clock availability, both the primary and the backup server are built on RADIUS [1]. In this section the design specification is implemented by configuring the LAN of the BG networking group's data center to the stated requirements, the security measures are then applied to the infrastructure, and finally the LAN is critically evaluated and tested. A few loopbacks per network and subnet were created to examine the effectiveness of the policy implementation. Each department has its own router, and all three branches are connected through a single router.

(a) Other than HR staff and managers, nobody may access the HR department. This is achieved with an EIGRP distribute list that references an access list, alongside the RADIUS server configuration. A distribute list filters which routes a router advertises or accepts, so the HR prefix never appears in the routing tables of the other departments; it is not a packet filter, which is why Sect. 3 pairs it with interface access lists. Testing confirmed the policy: the Marketing (172.17.10.1), Electrical (172.18.10.1) and Mechanical (172.19.10.1) departments could not ping the HR department (172.16.0.0), whereas the Manager's department (172.20.10.1) can reach HR.
(b) Each manager controls only the network of their own department plus the HR department. Figure 5 shows the ping tests from the Manager's department against the other departments, revealing access to its own department only, besides HR. Remote access is provided securely through 172.24.10.1 in tunnel mode.
(c) The only department with access to every other department is IT support, and only for technical assistance. To enforce that the IT team can provide technical solutions but cannot modify files and folders, the RADIUS servers' authorization grants it administrative and technical rights only. Resources are accessible to the technical team, but just for maintenance (Fig. 2).
(d) All major financial transactions and decisions of the Finance department are handled by HR staff and the senior managers of the Management department, so access to Finance is critically restricted to HR personnel and those managers. Figure 4 depicts the tests on the Manager's department loopback 172.20.10.1 over remote login from the Electrical and Mechanical departments.
(e) Figure 7 shows how mechanical engineers are denied access to other departments and confined to their own using a distribute list; remote access is again available to them through 172.24.10.1.
(f) Similarly, Fig. 6 shows that electrical engineers have access only to their own department. Electrical department employees may work from home, so remote access is provisioned to their department only: Electrical (172.18.10.1) can connect remotely through 172.24.10.1 but cannot reach the Marketing department (172.17.10.1) (Figs. 3, 4, 5, 6 and 7).
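The ping tests above check the policy by hand once the routers are configured. The following Python script is an added example, not part of the paper or of its GNS3 configuration, that does the same check offline before an access list goes onto a router: it parses a Cisco-style extended ACL and evaluates sample flows against it with first-match, implicit-deny semantics, then compares every verdict with the department policy stated in Sect. 1. The ACL text, the two senior-manager hosts 172.20.10.2 and 172.20.10.3, and the flows are constructed; the department networks and the .10.1 loopbacks follow Table 2 and Sect. 4. The "leaky" variant shows the classic ordering mistake, a troubleshooting `permit ip any any` left near the top, which the check catches.

```python
"""Offline check of a Cisco-style extended ACL against the department access policy.
Added example: the ACL text, the senior-manager hosts and the test flows are constructed."""
import ipaddress

DEPT_POLICY = """
ip access-list extended DEPT-POLICY
 remark IT support reaches every department (technical assistance only)
 permit ip 172.21.0.0 0.0.255.255 any
 remark HR network: HR staff and managers only
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 172.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.0.255.255
 remark Finance: HR staff, the two senior managers (constructed hosts) and Finance itself
 permit ip 172.16.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 permit ip host 172.20.10.2 172.22.0.0 0.0.255.255
 permit ip host 172.20.10.3 172.22.0.0 0.0.255.255
 permit ip 172.22.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 deny   ip any 172.22.0.0 0.0.255.255
 remark every other department talks only to itself
 permit ip 172.20.0.0 0.0.255.255 172.20.0.0 0.0.255.255
 permit ip 172.19.0.0 0.0.255.255 172.19.0.0 0.0.255.255
 permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
 permit ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
 deny   ip any any
"""

# A troubleshooting entry left near the top silently voids every deny below it.
LEAKY_POLICY = DEPT_POLICY.replace(
    " permit ip 172.21.0.0 0.0.255.255 any\n",
    " permit ip 172.21.0.0 0.0.255.255 any\n permit ip any any\n", 1)

# (source host, destination host, verdict the Sect. 1 policy requires); constructed flows
EXPECTED = [
    ("172.17.10.1", "172.16.10.1", "deny"),    # Marketing -> HR
    ("172.18.10.1", "172.16.10.1", "deny"),    # Electrical -> HR
    ("172.20.10.1", "172.16.10.1", "permit"),  # Manager -> HR
    ("172.21.10.1", "172.22.10.1", "permit"),  # IT support -> Finance
    ("172.20.10.1", "172.22.10.1", "deny"),    # ordinary manager -> Finance
    ("172.20.10.2", "172.22.10.1", "permit"),  # senior manager -> Finance
    ("172.16.10.1", "172.22.10.1", "permit"),  # HR -> Finance
    ("172.19.10.1", "172.18.10.1", "deny"),    # Mechanical -> Electrical
    ("172.19.10.1", "172.19.10.5", "permit"),  # Mechanical -> Mechanical
    ("172.18.10.1", "172.17.10.1", "deny"),    # Electrical -> Marketing
]


def _ip(text):
    """Dotted quad to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _take_addr(tok, i):
    """Parse one address spec: any | host A.B.C.D | A.B.C.D WILDCARD -> (net, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acl(text):
    """Return [(action, src_net, src_wc, dst_net, dst_wc)] in configured order; 'ip' entries only."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark", "!"):
            continue
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line.strip()}")
        src, swc, i = _take_addr(tok, 2)
        dst, dwc, _ = _take_addr(tok, i)
        rules.append((action, src, swc, dst, dwc))
    return rules


def _match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, net, swc, dnet, dwc in rules:
        if _match(s, net, swc) and _match(d, dnet, dwc):
            return action
    return "deny"


def check_policy(rules, expectations):
    """Return the flows whose verdict differs from the policy: (src, dst, wanted, got)."""
    mismatches = []
    for src, dst, want in expectations:
        got = evaluate(rules, src, dst)
        if got != want:
            mismatches.append((src, dst, want, got))
    return mismatches
```

`check_policy(parse_acl(DEPT_POLICY), EXPECTED)` returns an empty list, while the leaky variant reports every flow that should have been denied. The same table of expected flows is worth keeping next to the router configuration, because every later edit to the ACL can be re-checked against it in seconds instead of re-running ping tests from each department.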


Fig. 2 Subnetting and implementing policy-based routing over the network of BG Networking Group

Fig. 3 Policy implementation and testing of access rights of HR Department


Fig. 4 Policy implementation and testing of access rights of Finance Department

Fig. 5 Policy implementation and testing of access rights of Manager’s Department


Fig. 6 Policy implementation and testing of access rights of Electrical Department

Fig. 7 Policy implementation and testing of access rights of Mechanical Department

5 Result Analysis of LAN

This section describes the support provided for monitoring and managing the system once the implementation phase is over, so that post-implementation issues are caught, and then evaluates the performance of the LAN infrastructure developed by checking its security and reliability.


For maintaining logs, analysing reports and taking the necessary actions we use Syslog, a standardized logging system that not only records events but labels each message with a severity, from informational and notice through warning and error to critical, alert and, at the highest priority, emergency, so that an operator can tell a routine notice from something that needs immediate attention. The Syslog server sits on 192.168.0.0. The RADIUS server provides AAA, which underpins both security and reliability [1]. Users are maintained group-wise per department; the group carries the users' access privileges and puts business policy into operation alongside access rights. An employee's rights are the same whether working inside the organization or over remote access. Primary and backup servers support the data center networks, providing availability and tolerance to faults and hence reliability.

Performance was evaluated by generating consecutive pings to multiple hosts in different networks from different networks, probing for remaining loopholes in the system. The EtherChannel has overcome the network's sluggish behaviour. Fast and Gigabit Ethernet on Layer 3 switches have controlled congestion and raised the data rate to a great extent, reducing the network administrators' maintenance work even as the number of users and customers grew. The following graphs compare the network as it is now with its earlier state. Graph 1 shows the throughput of the LAN before the new approach was implemented and after it; the red line gives the values obtained after the modifications. The graph shows a 31% rise in the overall throughput of the LAN infrastructure, a remarkable enhancement of performance.

Graph 1 Throughput analysis of network in office hours (y-axis: Throughput, 0 to 50; x-axis: Time; series: New Throughput, Old Throughput)

Graph 2 shows the delay observed in packet delivery; the red line is the delay after the proposed solution was implemented to resolve the issues of delayed and unstable network behaviour. A 26% improvement over the earlier delay was observed, and the curve is stable where the earlier behaviour was unpredictable and unstable.

Graph 2 Delay analysis of network in office hours (y-axis: Delay, 0 to 35; x-axis: Time; series: Old Delay, New Delay)

This small recommendation brings a remarkable boost in network performance, which was the researchers' aim and was achieved successfully.
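The Syslog severity labels described at the start of this section are only useful if something acts on them. The following Python script is an added example, not part of the paper's Kiwi Syslog Server setup, of the triage a collector should do on Cisco IOS-style syslog lines: decode the RFC 3164 priority into facility and severity, count messages per severity, raise everything at or above a threshold together with configuration changes, cross-check the priority against the severity digit in the IOS mnemonic, and pull source and destination out of ACL deny logs so violations of the department policy tested in Sect. 4 become visible. The sample lines are constructed; their message formats are modelled on IOS and the addresses follow Table 2, but none of them comes from the paper.

```python
"""Parse IOS-style syslog lines and triage them by severity.
Added example with constructed input; message formats are modelled on Cisco IOS."""
import re
from collections import Counter

SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]

# Constructed sample lines (not from the paper). PRI = facility * 8 + severity; local7 = 23.
SAMPLE_LOG = """\
<189>45: *Mar  1 00:12:07.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (172.21.10.1)
<190>46: *Mar  1 00:12:35.002: %SEC-6-IPACCESSLOGP: list DEPT-POLICY denied tcp 172.17.10.1(51324) -> 172.16.10.1(445), 1 packet
<188>47: *Mar  1 00:13:10.500: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.10:1812,1813 is not responding.
<190>48: *Mar  1 00:14:02.771: %SEC-6-IPACCESSLOGP: list DEPT-POLICY denied tcp 172.18.10.1(40211) -> 172.17.10.1(80), 1 packet
"""

_PRI = re.compile(r"^<(\d{1,3})>")
_MSG = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")
_ACL_DENY = re.compile(
    r"list (\S+) denied (\w+) (\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")


def parse_line(line):
    """Return facility/severity from the PRI field plus the IOS facility-severity-mnemonic triple."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"bad PRI: {line[:12]!r}")
    facility, severity = divmod(int(m.group(1)), 8)
    mm = _MSG.search(line)
    if not mm:
        raise ValueError("no IOS %FACILITY-SEVERITY-MNEMONIC in line")
    return {"facility": facility, "severity": severity, "source": mm.group(1),
            "msg_severity": int(mm.group(2)), "mnemonic": mm.group(3), "text": mm.group(4)}


def triage(log_text, threshold="warning"):
    """Count messages per severity, list alerts at or above the threshold, extract ACL denies."""
    limit = SEVERITY.index(threshold)
    counts, alerts, denies = Counter(), [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        counts[SEVERITY[entry["severity"]]] += 1
        tag = f'{entry["source"]}-{entry["mnemonic"]}'
        # Lower number = more severe. Configuration changes are reviewed regardless of level.
        if entry["severity"] <= limit or entry["mnemonic"] == "CONFIG_I":
            alerts.append(tag)
        # PRI severity and the mnemonic's severity digit must agree; a mismatch points at
        # a misconfigured relay or a hand-crafted message.
        if entry["severity"] != entry["msg_severity"]:
            alerts.append(f"severity-mismatch:{tag}")
        hit = _ACL_DENY.search(entry["text"])
        if hit:
            denies.append((hit.group(1), hit.group(3), hit.group(5), int(hit.group(6))))
    return counts, alerts, denies
```

`triage(SAMPLE_LOG)` returns one notice, two informational and one warning message; the alert list contains the configuration change and the dead RADIUS server, and the deny list shows Marketing reaching for HR on port 445 and Electrical reaching for Marketing on port 80, both of which the Sect. 4 policy forbids. Point it at the file Kiwi writes for the DMZ routers and the same three outputs become a daily report.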

6 Conclusion

The research project successfully reduced congestion, increased the reliability of the network's behaviour, enhanced security and improved the network's sluggish behaviour to a great extent. The objectives set out in Sect. 1 have been achieved completely, and company policies have been implemented without adding to the complexity of handling data, with minimal redundancy and better than expected performance. Throughput improved by 31% and end-to-end delay by 26%, a notable improvement in the performance of the network. The biggest advantage of this project is that everything defined in the objectives was achieved within the grant allocated to it. Prospective customers and additional users were also taken into account at design time, which was the main reason for selecting Layer 3 switches instead of routers.

7 Future Scope

The research assignment did not clearly define the number of staff and users of the Marketing department who are to be given access from the office and remotely; this can be developed in future.


References

1. Cisco: Configuring RADIUS and TACACS+ Servers (Chapter 13). http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4_10b_JA/configuration/guide/scg12410b/scg12410b-chap13-radius-tacacs.html. Last accessed 20 Oct 2014 (August 2015)
2. Cisco: Implementation of RADIUS. http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html (September 2015)
3. GNS3: Network Simulator GNS3 v2. http://www.gns3.com/. Last accessed 20 Oct 2014 (2014)
4. Cisco: EIGRP Commands. http://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfeigrp.html. Last accessed 20 Oct 2014 (June 2015)
5. Cisco: Cisco Nexus 5000 Series NX-OS Software Configuration Guide. http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_syslog.html. Last accessed 20 Oct 2014 (last updated January 2012)
6. Hucaby, D.: Designing campus network. In: Keith Cline CCNP Switch 642-813, pp. 100–280. Cisco Press, Indianapolis, USA (February 2013)
7. Odom, W.: Path control. In: Plumbs, M., Swan, J. (eds.) CCNP Route 642-902, pp. 289–387. Cisco Press, Indianapolis, USA (January 2010)
