Malek Report

This document is an end-of-study project report submitted by Ounis Malek and Ghabi Imen for their Bachelor's degree in Information and Communication Technologies, focusing on the implementation of a secure LAN architecture. It includes dedications, acknowledgments, and a comprehensive outline of the project, including its presentation, state of the art, design, implementation, and network monitoring. The project was publicly defended on May 24, 2024, in front of a jury at the University of Carthage.


Republic of Tunisia

The Ministry of Higher Education and Scientific Research
The University of Carthage
The Higher Institute of Information and
Communication Technologies

END-OF-STUDY PROJECT REPORT


Submitted in Partial Fulfillment of the Requirements for the Bachelor’s degree in Information and Communication Technologies
Field of Study: Telecommunication

Implementation of a secure LAN architecture

By
Ounis Malek and Ghabi Imen

Conducted within Prologic

Publicly defended on May 24, 2024 in front of the jury members:

Chairman: Ms. Ons Khaled, Professor, ISTIC
Reporter: Ms. Rim Guedria, Professor, ISTIC
Professional Supervisor: Ms. Aaza Ben Chaieb, Engineer, Prologic
Academic Supervisor: Ms. Rym Ouartani, Professor, ISTIC

Academic Year: 2023-2024


Republic of Tunisia
The Ministry of Higher Education
and Scientific Research
The University of Carthage
The Higher Institute of Information and
Communication Technologies

END-OF-STUDY PROJECT REPORT


Submitted in Partial Fulfillment of the Requirements for the Bachelor’s degree in Information and Communication Technologies
Field of Study: Telecommunications

Implementation of a secure LAN architecture

By
Ghabi Imen and Ounis Malek

Conducted within Prologic

Authorization of graduation project report submission:

Professional Supervisor: Ms. Aaza Ben Chaieb
Issued on:
Signature:

Academic Supervisor: Ms. Rym Ouartani
Issued on:
Signature:
Dedication

I humbly dedicate this work to those who are precious to me


To my parents,
who have made countless sacrifices for me, for their unconditional support, which has
been a source of strength and happiness. Your support has empowered me to break the
barriers and fight for my way; without your guidance and inspiration, I wouldn’t be the
person I am today.
To my brother,
I am overwhelmed with gratitude for the bond we share. Your unsparing devotion has
been a constant source of encouragement throughout my journey. Your unshakeable
confidence in me has been .
I’m also honored to dedicate this work to myself, as it shows my hard work, dedication
and passion.

Ounis Malek

Dedication

I dedicate this modest work to my dear mother "Nadia" and my dear father "Ali" for
their patience, sacrifice and support.

No homage could be equal to the love with which they never cease to shower me. May
God grant them health and long life.

I dedicate this work to my brothers and sisters, for always being by my side during
my years of study.

I dedicate this work to my dear fiancé. May this day be filled with joy and shared
love. You are the greatest blessing in my life, a priceless treasure that I cherish every day.

Thank you for being there for me, supporting me and encouraging me. Your presence
by my side fills me with happiness and gratitude.

May our family ties remain strong forever and may our love flourish. You are my
strength, my inspiration and my greatest comfort.

I love you from the bottom of my heart.

Ghabi Imen

Acknowledgements

We are honored to express our profound gratitude towards our professional supervisor
Aaza Ben Chaieb and the members of the department’s team for their assistance and
valuable contributions.

We would be delighted to take this opportunity to express our appreciation to our
academic supervisor Rym Ouartani for her guidance and support.

Unable to mention all the names, we would like to express our sincere thanks to all
those who, through their advice and expertise, have made this work possible.

Finally, we’d like to thank the members of the jury for their willingness to give us
their attention and their support.

Contents

Dedication i

Dedication ii

Acknowledgements iii

General Introduction 1

1 Project presentation 2
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Host Company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.1 The company activities . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Project Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3.1 Project context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3.2 Study of the existing . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 State of the art of a secure LAN 7


2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Computer networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Local Area Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3.1 Types of Local Area Network: . . . . . . . . . . . . . . . . . . . . . 10
2.3.2 LAN components: . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4 Network segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4.2 Virtual Local Area Network . . . . . . . . . . . . . . . . . . . . . . 14
2.4.3 VLAN Trunking Protocol . . . . . . . . . . . . . . . . . . . . . . . 15
2.4.4 Link Aggregation Group . . . . . . . . . . . . . . . . . . . . . . . . 15
2.4.5 Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . 16
2.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3 Design and implementation of the LAN architecture 18


3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2 Implementation tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2.1 ENSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2.2 Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.3 Implementation devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3.1 Access Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19


3.3.2 Switches : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.3.3 Access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.4 Showcasing the new architecture . . . . . . . . . . . . . . . . . . . . . . . . 26
3.5 The Topology configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.5.1 Configuration of Switch Core . . . . . . . . . . . . . . . . . . . . . 27
3.5.2 LAG configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.5.3 Configuration of Switch Access . . . . . . . . . . . . . . . . . . . . 29
3.6 AC configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.6.1 Wired network connectivity . . . . . . . . . . . . . . . . . . . . . . 31
3.6.2 APs configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.6.3 WLAN service parameters . . . . . . . . . . . . . . . . . . . . . . . 34
3.7 Tests: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.8 Firewall huawei . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.8.1 Firewall USG6000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.8.2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.8.3 HA between two firewalls . . . . . . . . . . . . . . . . . . . . . . . . 41
3.8.4 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.9 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

4 Network monitoring 49
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.2 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.2.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.2.2 Network monitoring tools . . . . . . . . . . . . . . . . . . . . . . . 51
4.2.3 Simple Network Management Protocol . . . . . . . . . . . . . . . . 52
4.2.4 Zabbix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.3 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.3.1 Vmware and Zabbix download . . . . . . . . . . . . . . . . . . . . . 54
4.3.2 SNMP’s firewall configuration . . . . . . . . . . . . . . . . . . . . . 57
4.3.3 SNMPv3 display . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

General Conclusion 64

Webography 65

List of Figures

1.1 Company logo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2


1.2 Company activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Current architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.1 PAN example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8


2.2 LAN example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 Man example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.4 WAN example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.5 Standards of computer networks . . . . . . . . . . . . . . . . . . . . . . . . 10
2.6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.7 LAN Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.8 LAN components[1] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.9 VLAN example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.10 VLAN Trunking Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.11 Link Aggregation Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.12 Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . 16

3.1 Ensp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2 Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3 AC6605 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.4 Capwap tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.5 VAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.6 SSID example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.7 Radio management example . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.8 S5700 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.9 Switch core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.10 AP3030 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.11 New topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.12 VLANs display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.13 DHCP display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.14 DHCP-client example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.15 Link-aggregation SC1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.16 Lacp SC1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.17 VTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.18 Switch access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.19 VLAN ip interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.20 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.21 AP-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.22 Regulatory domain profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 32


3.23 Capwap tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33


3.24 APs displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.25 Security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.26 SSID-profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.27 VAP-profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.28 Radio-profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.29 Radio simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.30 Switch core 1 connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.31 Switch access connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.32 The RH connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.33 The AC tracert output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.34 Host Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.35 Host Connectivty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.36 Packet interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.37 I/O graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.38 Flow graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.39 USG6000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.40 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.41 Cloud configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.42 Device’ s configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.43 Firewall’ web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.44 LAG settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.45 Vlan settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.46 Route-static settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.47 Zone settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.48 The security-policy measures . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.49 The security-policy measures . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.50 HA/FW1 setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.51 HA/FW2 setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.52 Firewall 2 Dual-System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.53 Firewall 2 Dual-System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

4.1 Network monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49


4.2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.3 Tool’s aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.4 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.5 SNMP components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.6 Snmp components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.7 Zabbix-appliance interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.8 Packages upgrading command . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.9 Zabbix Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.10 Zabbix-Office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.11 Zabbix-Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.12 Zabbix-Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.13 Zabbix-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.14 Web ip-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.15 Web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.16 SNMP’s firewall setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57


4.17 SNMP’s server setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57


4.18 Host setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.19 Encryption setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.20 SNMPv3 displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.21 SNMPv3’s host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.22 Zabbix connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.23 Hosts supervised by ZABBIX . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.24 Server-Web installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.25 Installation of the Chrome . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.26 Server-address Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 62
4.27 Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4.28 Detected problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

List of Tables

3.1 Large-capacity features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20


3.2 Wireless user management . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.3 Security measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.4 Switch’s Department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.5 Network’s department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.6 System’s department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.7 RH’s department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.8 Large-capacity features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

4.1 Monitoring tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52


4.2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

General introduction

It is undeniable that IT technology has evolved enormously and has become an integral
part of our daily lives, from social life to professional life. It is amazing to think how far
we have come and how much we can achieve with it, to the point that it has become
impossible to live without.

However, network computing still faces critical problems that stand in the way of
full productivity; they can be summarised as connectivity, availability and security
issues. These factors raise significant challenges for users, so it is important to address
them properly, whether they concern Internet connectivity, difficulty accessing certain
websites and data, or security problems that may range from minor inconveniences to
major breaches that compromise sensitive data.

To minimise these problems, certain precautions must be taken, so our project is
based on the creation of a LAN architecture that meets the need for a secure environment
and reliable connectivity.

Our report describes the steps necessary to achieve our goals and is organised in four
chapters:

- The first chapter clarifies the goal of our project by identifying the issues and
offering practical solutions.

- The second chapter focuses on the theoretical study of the secure LAN and the
necessary policies and protocols.

- The third chapter spotlights the theoretical implementation and the configurations
necessary to ensure availability and security.

- The fourth chapter is based on network monitoring, using an advanced technology
to determine, in real time, whether the network is operating optimally.

Chapter 1

Project presentation

1.1 Introduction
This chapter is devoted to the general scope of our project, "Study and implementation
of a secure LAN and WLAN architecture", starting with a thorough introduction to
PROLOGIC, followed by an overview of the project context, problems and solutions.

1.2 Host Company


PROLOGIC is a systems administration company founded in 1985 by experts and enthusiasts
of new technologies. With a capital of 3,415,500 DT, PROLOGIC Tunisie is a high value-added
services limited company. The company supports large, small and medium-sized
companies in the design, development, operation and maintenance of solutions requiring
the use of new information technologies.

Figure 1.1: Company logo

1.2.1 The company activities


[2] PROLOGIC Tunisie’s know-how is based on a permanent study of the international
consulting, sales, service and software markets. The group provides its customers with the
resources they need to ensure the success of their projects.


Figure 1.2: Company activities

IT infrastructure:
[2] PROLOGIC Tunisia has put all its efforts and experience into setting up a successful
IT infrastructure offering, which includes:

Servers and storage:
Servers and storage systems are the foundations of the information system.
The company provides innovative solutions that improve efficiency, and offers flexible,
scalable solutions to meet each customer’s specific needs.

Virtualization:
To keep pace with today’s high-performance businesses, IT departments need to provide
a digital infrastructure that supports modern applications everywhere, and virtualized
environments are essential for this.

Data center integration in Tunisia:
Prologic ensures that the installation of low-voltage networks, electricity, air-conditioning,
UPS, fire extinguishing systems, fire doors, access control, video and monitoring is carried
out in compliance with international standards.

PRA - PCA (disaster recovery and business continuity) security system:
Prologic offers backup systems that provide comprehensive backup software and storage
solutions for powerful data backup, recovery and archiving.

Cloud Solutions:

PaaS - Platform as a Service:
Prologic enables companies to modernize their IT infrastructure by migrating to public cloud
services and infrastructure-as-a-service for on-premise workloads, fully managed in a
pay-per-use model.


SaaS - Software as a Service in Tunisia:
With SaaS software from Prologic, the company no longer needs to manage applications
or invest in hardware to run them. In addition to hosting, Prologic can take care of
securing environments and automatically applying updates and patches.

ICT Housing:
Information systems have become crucial to every organization. Hosting an ICT
infrastructure in a secure, highly available, energy-efficient and ultra-connected datacenter
has become a must.

PC and Printing:

Business Workstations:
PROLOGIC Tunisia brings you the solution and provides:
- The right IT equipment and solution in the right place.
- Solutions that simplify the administration of your IT assets.

Professional Printing Solutions in Tunisia:
Prologic relies on its expertise and the quality of its partnerships to offer hardware
and software printing and scanning solutions that meet quality and profitability
requirements while being environmentally responsible.

Fleet Management and Supervision: Customized Software Solution:
Prologic provides IT solutions for workstation asset management: a customized
software solution, compliant with ITIL standards, providing real-time information
relevant to the management of IT assets.

IT as a Service:
DaaS - Device as a Service in Tunisia:
Prologic offers its DaaS ("Device as a Service") service: hardware, software and
services combined in a single contract with a single price per device. With "Device as a
Service" (DaaS), a company can offer its employees the latest, best-performing devices on
the market.

MPS - Managed Print Services in Tunisia:
If you need high-quality document production but printing is not your core business,
Prologic’s Managed Print Services (MPS) provide customized solutions.

1.3 Project Presentation


In this section, we study the current problems that led to the creation of the project
and follow the path towards an adequate solution.

1.3.1 Project context


Ensuring connectivity, availability and confidentiality represents an enormous
challenge because of their vulnerability and instability, which makes them a global
problem for IT infrastructure.


Network connectivity describes the extensive process of connecting the various parts of a
network together, for instance through routers, switches and gateways, and how they
work together.
Availability guarantees that users can access the systems and the resources they need.
Confidentiality means that data, objects and resources are protected from unauthorized
viewing and other access.
Prologic therefore recognized the need for a robust network architecture that would
guarantee not only high connectivity but also the necessary protection, as well as
network supervision.

1.3.2 Study of the existing


Our study of the current architecture allowed us to detect several problems that
undermine the company’s productivity, notably:
1. Connectivity problems due to malfunctioning devices.
2. Lack of network segmentation into sub-networks, causing collisions.
3. Shortcomings of the WiFi access control system.
4. Data distribution problems due to the lack of a core switch.
5. Lack of monitoring tools.

Figure 1.3 shows the current architecture, where only access switches exist, with no
core switches, and where the unbalanced fragmentation of the sub-departments causes
traffic problems, not to mention poorly chosen equipment with no back-up plans.

Figure 1.3: Current architecture

1.3.3 Solutions
In an attempt to resolve the above problems, a number of measures have been taken.
First of all, we propose to create a new architecture that aims to:


* Ensure data protection by installing firewalls, using two instead of one and applying
a High Availability (HA) configuration, which provides a standby firewall.
* Ensure data distribution and management by adding two core switches interconnected
with a Link Aggregation Group (LAG) configuration for connection reliability and resilience.
* Segment the network by dividing the edge switches by department, each with its own
sub-departments, improving network performance, security and traffic management.
* Monitor the network to track and analyze its operation in order to prevent failures
and violations.

1.4 Conclusion
In this chapter, we looked into the inner workings of the company, studied the primary
issues that brought about the inception of our project, analyzed the challenges and
prepared the path for a strategic approach to resolving these problems. Our next step
will be to immerse ourselves in the necessary requirements of our project.

Chapter 2

State of the art of a secure LAN

2.1 Introduction
Whether the network is down, there is unauthorized access, or traffic sniffing is
threatening the company infrastructure, it is important to take precautions to prevent
catastrophic events.
LAN availability is a common issue that affects productivity and customer confidence.
LAN security is vital in ensuring the safeguarding of data and resources.
This chapter covers the fundamentals of computer networks, with a focus on LAN
components, the basics of network segmentation and the various protocols that will
facilitate our work.

2.2 Computer networks


[2] A computer network is a system that connects two or more computing devices for
transmitting and sharing information. Computing devices include everything from a mobile
phone to a server. These devices are connected using wireless connections or physical wires
such as optical fibres.
Computer networking is the branch of computer science that deals with the design,
architecture, creation, maintenance and security of computer networks. It combines
computer science, computer engineering and telecommunications.

Computer network components: from the links between network devices to network
defense through communication protocols, these components form the base that connects
billions of devices across the world.
Network devices: the computing devices, including switches, routers, servers, computers,
gateways, etc.
Links: there are two types of links:
- Wired, such as coaxial cables, optical fibres and the twisted-pair cabling used in
telephone networks.
- Wireless, created through radio and electromagnetic signals, as used in broadcasting,
radar communications, GPS, etc.
Communication protocols: a set of rules followed by all nodes involved in the information
transfer, such as TCP/IP and HTTP/HTTPS.
Network defense: to prevent any kind of data usurpation, defensive measures must be
taken, such as the implementation of firewalls.


The figure below presents the components of a computer network:

Types of computer networks: there are four main types:

Personal area network (PAN): refers to a network used by just one person to
connect multiple devices, such as laptops or scanners, with a small connectivity range,
as shown below.

Figure 2.1: PAN example

Local area network (LAN): connects devices within a limited geographical area,
such as schools or hospitals, where the data transmission rate is much higher, as shown
in figure 2.2.


Figure 2.2: LAN example

Metropolitan area network (MAN): a large computer network that spans a city and
supplies full-duplex data exchange, as shown in figure 2.3.

Figure 2.3: MAN example

Wide area network (WAN): covers larger areas such as large cities, states and even
countries, using satellites, as shown in figure 2.4.

Figure 2.4: WAN example

Figure 2.5 shows a global view of computer network standards.
Since our work is limited to the enterprise environment, we will focus on LAN
maintenance.


Figure 2.5: Standards of computer networks

2.3 Local Area Networks


A Local Area Network (LAN) is a collection of devices connected together in a single
network location such as a building or an enterprise. A LAN can be small or large, from a
single-user network to a corporate network with thousands of users [3].

Figure 2.6: LAN

2.3.1 Types of Local Area Network:


The classification of LANs is normally based on the types of devices, the medium used,
and the architecture.
The main types of LANs are:

Client-server LAN:
In a client-server LAN, a single server connects multiple devices known as clients. User
devices cannot communicate with each other directly; a centralized machine handles and
controls activities such as network traffic management.
This LAN type is preferred for small perimeters because it puts too much pressure on
the central server.

Peer to peer (P2P) LAN:

A P2P LAN has no centralized server: the connected devices have access to each other,
whether they are servers or clients, and can freely exchange data.
On the downside, P2P LANs tend to be less powerful than client-server LANs.

Token ring LAN:

The equipment is arranged in a ring when connected. A token is assigned to every
connected device based on its requirements.

Token bus LAN:

In a token bus LAN, the connected nodes are arranged in a tree-like topology, and tokens
are passed either left or right. Typically, it offers more bandwidth than a token ring
LAN.

Wired LAN:
The wired LAN is the most common LAN type in use nowadays. It uses electronic waves to
transfer data across optical fiber; it is highly reliable and depends on the performance
of the central server.

Wireless LAN:
Commonly used in home environments to connect computing devices, smart appliances,
etc.

Cloud-managed LAN:
A specific type of wireless LAN where a centralized cloud platform is in place to control
network provisioning, access control, network performance and security [4].


Figure 2.7: LAN Types

2.3.2 LAN components:


To create a functional LAN architecture, multiple elements must be present [1]:
1. Public internet:
The public internet is what is being accessed through the LAN. Typically, data packets
from the public internet and requests from client devices are both directed towards the
centralized server.

2. Wired end-user devices:

In a normal LAN environment, a mix of wired and wireless equipment is present. A wired
device has an Ethernet port that plugs it directly into the local area network. Wired
end-user devices have high-speed internet connectivity, high quality and fast
processing.

3. Mobile end-user devices:

Mobile end-user devices are devices that connect over Wi-Fi instead of an Ethernet cable.

4. Centralized server:
The centralized server is the most crucial component, particularly for enterprise
implementations. Enterprises may purchase or lease servers from vendors like IBM, Cisco,
HPE, etc.

5. Network switches:
A LAN cannot function properly without a network switch, which plays a crucial role
in managing the distribution of data packets and network resources among the devices
linked to the central server. There are two kinds of switches to consider for a LAN
environment, managed and unmanaged: managed switches provide more control, better
performance and a range of performance data, whereas unmanaged switches are plugged in
and run without configuration; they may be cheaper and easier to maintain, but they are
less efficient and less secure.

6. Wi-Fi router:
A Wi-Fi router is now a staple component of a LAN. The router is connected to the modem
so that it can receive network signals, and it converts them into wireless signals that
mobile end-user devices can process.

7. Modem:
A modem is an indispensable component, as it converts the transmitted analog signals into
a digital format.

8. Firewall appliance:
A firewall protects end-user devices and servers from network-related security attacks by
restricting specific kinds of traffic. Most end-user devices ship with built-in firewall
software, and additional software can be downloaded from the internet.

The figure 2.9 highlights the different LAN components:

Figure 2.8: LAN components[1]

After understanding the LAN environment, we will proceed with a study of network
segmentation.

2.4 Network segmentation


This section outlines a significant phase for our work.


2.4.1 Definition
Network segmentation is the division of a network into sub-networks, where each segment
acts as its own network.
Segmentation enhances data security by preventing or minimizing the chances of being
hacked, ensuring the confidentiality and integrity of the information. Additionally, it
improves traffic management, performance and manageability.

Segmentation can be physical or logical:

1. Physical segmentation:
Switches, firewalls, cables and access points are deployed to provide efficiency and
reliability. It is the simplest way and the most expensive.

2. Logical segmentation:
It applies the concept to the existing network infrastructure using VLANs or the network
addressing scheme. It is less costly and more efficient.

2.4.2 Virtual Local Area Network


VLAN: a logical grouping of devices on a network, which can be used to segment a network
into different broadcast domains, as shown in the figure below:

Figure 2.9: VLAN example

VLAN types:
Port-based VLAN: devices are grouped into VLANs based on the physical switch ports
they are connected to.

MAC-based VLAN: devices are assigned to VLANs based on their MAC addresses, allowing
for flexibility when devices are moved to different ports.

Protocol-based VLAN: devices are assigned to VLANs based on the network protocol used,
such as IP addresses or specific application requirements.


In our work, we are going to assign each department its own VLAN, improving the
performance by reducing the size of the broadcast domain and adding an additional layer
of security.
After understanding virtual local networks, we will proceed to the protocols used.

2.4.3 VLAN Trunking Protocol


The Virtual Local Area Network (VLAN) Trunking Protocol (VTP) is a proprietary protocol
developed by Cisco that propagates VLAN information across all switches in a domain.
This approach removes the need to configure the VLANs separately on every switch.
VTP's major goal is to make it easier to manage VLAN settings in a network. Without
VTP, network administrators would have to manually enter the VLAN information on
each switch in the network, which is time-consuming and error-prone, particularly in
large-scale networks.

The figure 2.11 illustrates how VTP works: in this example the VLANs are created or
modified on the VTP server, and the remaining switches are VTP clients; every time there
is a change on the VTP server, it is synchronized to the VTP clients.
VTP pruning is used to stop unused VLAN traffic from crossing trunks when no one is
using it, which reduces bandwidth loss [5].

Figure 2.10: VLAN Trunking Protocol

2.4.4 Link Aggregation Group


A link aggregation group (LAG) is a logical interface that uses the Link Aggregation
Control Protocol (LACP) to aggregate multiple connections at a single Amazon Web Services
(AWS, a cloud platform) Direct Connect endpoint, allowing you to treat them as a single
managed connection [6].

The figure 2.12 explains how LAG works.


Figure 2.11: Link Aggregation Group

The link aggregation group provides:

-Increased reliability and availability: if one physical link in the LAG becomes
inoperative, traffic is dynamically and transparently reassigned to another physical link.
-Better utilization of physical resources.
-Increased bandwidth: the physical links together provide more bandwidth than one link,
so a LAG can avoid the saturation of a single physical link.

2.4.5 Dynamic Host Configuration Protocol


DHCP (Dynamic Host Configuration Protocol) is used to dynamically assign IP addresses
to every host on the organization's network. A host can be any device that accesses the
network, as explained in figure 2.13.

Figure 2.12: Dynamic Host Configuration Protocol

Benefits of DHCP:

-DHCP ensures the safety of IP addresses by eliminating configuration errors resulting
from typographical mistakes or from assigning the same IP address to multiple devices.
-It reduces network administration through several functions. Firstly, it automates the
central TCP/IP configuration.
-It enables the definition of TCP/IP configurations from a single location.
-It efficiently manages frequent client IP address changes, such as portable devices
moving across different locations on a wireless network. Finally, the DHCP relay agent
forwards the initial DHCP messages, eliminating the need for each subnet to have its own
server.

2.5 Conclusion
In this part, we have covered the fundamental concepts of safeguarding a LAN. The use of
VLANs was discussed as a means of partitioning the network into smaller units, resulting
in improved security and administration. It is crucial that we stay alert to guarantee
the successful safeguarding of our information. The next chapter puts into practice what
we previously explored.

Chapter 3

Design and implementation of the LAN architecture

3.1 Introduction
In this chapter we walk through our new topology, from the device configuration to the
firewall deployment, with a focus on ensuring security and high availability.

3.2 Implementation tools


3.2.1 ENSP
ENSP is a leading software tool for simulating Huawei network equipment, widely used for
training and practice among network engineers. Zabbix, on the other hand, is a leading
software for infrastructure monitoring.

Figure 3.1: Ensp

3.2.2 Wireshark
Wireshark is a widely used open-source network analyzer that captures and displays
real-time details of network traffic. It is particularly useful for troubleshooting
network issues, analyzing network protocols and ensuring network security [7].


Figure 3.2: Wireshark

3.3 Implementation devices


This section will present the core of our efforts.

3.3.1 Access Controller


There are two well-known types of access controller used with Huawei devices.

AC6005:
The AC6005 is a small-capacity fixed wireless access controller designed for small and
medium-sized organizations. It can manage up to 256 access points and has integrated
Ethernet switch functionality. The AC is highly scalable and can be used to build various
types of networks. There are two models available, one of which supports PoE and can
power eight gigabit-Ethernet ports [8].

AC6605:
The AC6605 is designed for larger-scale deployments and can support more access points
and clients than the AC6005. It is suitable for medium to large enterprises,
universities, stadiums or large public venues. With its higher capacity and performance,
it can handle more traffic and provide higher throughput for environments with heavier
network usage and larger numbers of users [9].

After examining the distinctive features of the available ACs, we decided to go with the
AC6605 as our primary working device for its qualities and capabilities.

The figure below shows a real image of the AC6605:


Figure 3.3: AC6605

AC6605 features:
-Large capacity, as shown in table 3.1:

Items                    Descriptions
APs                      1024
Users                    10K
User group management    128 user groups
SSIDs                    16K
MAC addresses            16K
VLANs                    4K
ARP entries              16K
Routing entries          10K
DHCP IP address pools    128 IP address pools

Table 3.1: Large-capacity features

Wireless features:

Wireless protocols:
The AC6605 supports multiple standards such as IEEE 802.11a, 802.11b, 802.11g, 802.11d,
WMM/802.11e, 802.11h, 802.11k, 802.11n and 802.11ac.

WLAN deployment:
-AP-AC CAPWAP (Control And Provisioning of Wireless Access Points) tunnel: a protocol
that allows an AC to manage a group of APs; the tunnel carries two types of traffic:

.Control traffic: the AC acts as the control center and pushes the necessary commands
and configurations to the AP.

.Data traffic: carries the actual data packets of the wireless users. The AP forwards
this data traffic to the AC for centralized processing, which guarantees a secure and
efficient process and makes communication easier.


Figure 3.4: Capwap tunnel

-VAP-based forwarding: a virtual access point (VAP) allows the administrator to control
wireless user access along with their security; it offers two main modes:

.Tunnel mode: encapsulates the data packets sent by wireless users in CAPWAP packets;
the tunnel is a secure connection to the wireless LAN controller (WLC), which forwards
the de-encapsulated data to the wired network.

.Direct forwarding mode: an efficient way to handle data traffic where the AP sends the
packets from wireless users directly to the wired network, without encapsulation in a
CAPWAP tunnel.

Figure 3.5: VAP


-Mapping between SSIDs and VLANs: the SSID, or service set identifier, is the name given
to the Wi-Fi network that helps users identify the APs; each SSID is mapped to a VLAN.

Figure 3.6: SSID example

-Radio management:
AP zone-based configuration and management:
A method for setting up SSIDs, encryption and VLANs and for controlling APs by
partitioning them into logical groups known as zones, which improves network
segmentation and performance.

Figure 3.7: Radio management example

-Wireless user management:

Represents the tools used for maintaining the wireless environment.
Table 3.2 shows the WLAN user and user group management features.

WLAN user management                                              User group management
User blacklist and whitelist and limited connections              ACLs based on user groups
Support for multiple queries including online user information    Isolation based on user groups

Table 3.2: Wireless user management

-Wireless security and authentication:

Ensures that only authorized devices have access to the network and its information.
Table 3.3 below describes the security measures.


Wireless security                  Descriptions
Authentication and encryption      WPA2-PSK
User authentication and control    MAC, portal and 802.1x authentication
Security and defense               ACLs and isolation based on VAPs and user groups
AAA                                Local and RADIUS authentication / local accounts

Table 3.3: Security measures

After understanding the access controller features and deployment, we move on to the
switch functionalities.

3.3.2 Switches:
Huawei's S5700 and S3700 switches are widely recognized in the market. The selection
between the two is based on their characteristics:

The S3700 is designed for small businesses, with limited performance and scalability
and lower bandwidth requirements.

The S5700 series Ethernet switches are energy-saving GE switches that offer
high-bandwidth access and Ethernet multi-service aggregation. With a large switching
capacity and high reliability, they can accommodate 10 Gbit/s upstream transmissions.
These switches also support Energy Efficient Ethernet (EEE) and Intelligent Stack
(iStack), which allows multiple stacking-capable switches to function as a single logical
switch, making them suitable for various enterprise network scenarios [10].
The Huawei S5700 switch solution offers high performance and a reliable network for
enterprises.

Figure 3.8: S5700

To enhance the efficiency and effectiveness of our network, we implemented a strategy
in which we divided our switches into core switches and access switches: the core
switches are connected to each other through a LAG to ensure availability, and the VLAN
trunking protocol (VTP) runs between the core and access switches.
With this setup, we have been able to optimize our network's performance and ensure
that it can handle the workload without errors.

Switching basics
Switching is the process by which data is transmitted from a source to a destination;
three types can be defined:

.Layer 2 switching: data is switched from source to destination on the basis of the
layer 2 address (MAC address). It is simple to set up for a small network, with limited
scalability and high-speed data transfer; it is more vulnerable and more affordable.

.Layer 3 switching: data is switched from source to destination on the basis of the
layer 3 address (IP address). It requires advanced configuration to manage, offers
higher scalability and high-speed data transfer, comes with integrated security
features, and is more expensive.

.Multi-layer switching: data passes from source to destination on the basis of the
layer 4 address (port numbers). It covers the functionalities of both Layer 2 (Data Link
Layer) and Layer 3 (Network Layer) of the OSI model for network communication.

Switch Core:
The core switch is the backbone of the network: it mainly operates at layer 2
switching, enables high-speed data transfer and forwards traffic between the different
components of the network, providing the necessary support and connectivity for all
network activities with its high-speed capabilities and efficient routing mechanisms.
Switch Access:
The access switch sits at the edge of the network, connecting end devices within a LAN
and allowing users to interact with devices; it mainly runs at layer 3 switching and
serves as a valuable tool that bridges the gap between clients with physical limitations
and the digital world. Its implementation can significantly enhance device accessibility
for individuals.
In the figure below, we notice two architectures: the one without a core layer seems
unorganized, is used for a small network with a lower traffic flow and is less secure.
The second architecture, with a core layer, seems more organized and is used for large
networks, with better security obtained by isolating the different network elements from
each other.

After distinguishing between the different switch models, the next device is the access
point.


Figure 3.9: Switch core

3.3.3 Access points


Before choosing between the AP2050 and the AP3030, we conduct a comparative study of
the two access points.

The AP 2050 is an older Huawei access point that supports the Wi-Fi 802.11a/b/g/n
standards. With a maximum throughput of 600 Mbps and a maximum capacity of 128 connected
clients, it provides a basic solution for Wi-Fi network management. While it remains a
valid solution for certain deployment designs, the AP 2050 is limited compared to newer
models in terms of performance and functionality.

The AP 3030, on the other hand, represents a major evolution. This Huawei access point
model supports Wi-Fi standards up to and including 802.11ac, delivering gigabit-class
802.11ac performance. With a maximum capacity of 256 connected clients and enhanced
Wi-Fi management features, the AP 3030 offers a better user experience while supporting
multi-channel techniques and smart antennas, providing better Wi-Fi coverage in the ENSP
environment.

Our choice is the AP3030.

Figure 3.10: AP3030


3.4 Showcasing the new architecture


The new topology is shown in the ENSP simulator interface and contains:

-Two firewalls connected to a cloud to enhance security, defend the network against
incoming and outgoing threats such as viruses and hackers, and control the data flow by
allowing or blocking traffic. The second firewall is a backup in case the first one
fails.

-The two firewalls are connected to two core switches, which increases bandwidth and
redundancy.

-The core switches are connected, on one hand, to the access controller that offers
wireless connectivity with increased protection and compliance.
On the other hand, each core switch is connected to an access switch that represents a
specific department. Each access switch is connected to sub-departments represented by
the access points.

The figure 3.11 represents the enterprise architecture.

Figure 3.11: New topology


After identifying the specific devices to be used, we now move on to the configuration
steps.

3.5 The Topology configuration


3.5.1 Configuration of Switch Core
VLAN configuration
The figure 3.12 shows the VLANs associated to each interface for both switches.

Figure 3.12: VLANs display

DHCP configuration
The figure 3.13 shows the address pool configuration for each VLAN.

Figure 3.13: DHCP display


The figure 3.14 shows a DHCP client configuration.

Figure 3.14: DHCP-client example
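The VLAN and DHCP part of the core-switch configuration above, written out as an added Huawei VRP CLI example (it is not the report's own configuration, which only appears in the figures). The VLAN IDs are those of table 3.4; the subnets, gateway and DNS addresses are constructed placeholders, and the lines starting with `#` are explanatory notes, not VRP commands.

```vrp
# Core switch SC1: one VLAN per department (IDs from table 3.4) and one DHCP pool per VLAN.
# All addresses are constructed placeholders; replace them with the site's own plan.
<Huawei> system-view
[Huawei] sysname SC1
[SC1] vlan batch 10 14 99 110
[SC1] dhcp enable

# One Layer 3 gateway (Vlanif) per VLAN. "dhcp select global" makes the switch answer
# DHCP requests on that VLAN from the matching global pool.
# VLAN 14 is assumed here to be the AP management VLAN (the PVID of tables 3.5 to 3.7).
[SC1] interface Vlanif 10
[SC1-Vlanif10] ip address 192.168.10.1 255.255.255.0
[SC1-Vlanif10] dhcp select global
[SC1-Vlanif10] quit
[SC1] interface Vlanif 14
[SC1-Vlanif14] ip address 192.168.14.1 255.255.255.0
[SC1-Vlanif14] dhcp select global
[SC1-Vlanif14] quit
[SC1] interface Vlanif 99
[SC1-Vlanif99] ip address 192.168.99.1 255.255.255.0
[SC1-Vlanif99] dhcp select global
[SC1-Vlanif99] quit
[SC1] interface Vlanif 110
[SC1-Vlanif110] ip address 192.168.110.1 255.255.255.0
[SC1-Vlanif110] dhcp select global
[SC1-Vlanif110] quit

# Global pools: a pool is selected by the subnet of the Vlanif the request arrived on,
# so each department only ever receives addresses from its own subnet.
# The first addresses of each subnet are excluded for static devices (gateway, servers).
[SC1] ip pool vlan10
[SC1-ip-pool-vlan10] network 192.168.10.0 mask 255.255.255.0
[SC1-ip-pool-vlan10] gateway-list 192.168.10.1
[SC1-ip-pool-vlan10] dns-list 192.168.99.10
[SC1-ip-pool-vlan10] excluded-ip-address 192.168.10.2 192.168.10.20
[SC1-ip-pool-vlan10] lease day 0 hour 8 minute 0
[SC1-ip-pool-vlan10] quit
[SC1] ip pool vlan14
[SC1-ip-pool-vlan14] network 192.168.14.0 mask 255.255.255.0
[SC1-ip-pool-vlan14] gateway-list 192.168.14.1
[SC1-ip-pool-vlan14] excluded-ip-address 192.168.14.2 192.168.14.20
[SC1-ip-pool-vlan14] quit
[SC1] ip pool vlan99
[SC1-ip-pool-vlan99] network 192.168.99.0 mask 255.255.255.0
[SC1-ip-pool-vlan99] gateway-list 192.168.99.1
[SC1-ip-pool-vlan99] dns-list 192.168.99.10
[SC1-ip-pool-vlan99] excluded-ip-address 192.168.99.2 192.168.99.20
[SC1-ip-pool-vlan99] quit
[SC1] ip pool vlan110
[SC1-ip-pool-vlan110] network 192.168.110.0 mask 255.255.255.0
[SC1-ip-pool-vlan110] gateway-list 192.168.110.1
[SC1-ip-pool-vlan110] dns-list 192.168.99.10
[SC1-ip-pool-vlan110] excluded-ip-address 192.168.110.2 192.168.110.20
[SC1-ip-pool-vlan110] quit

# Verification: the VLAN table, and which addresses of a pool are currently leased
[SC1] display vlan
[SC1] display ip pool name vlan10 used
```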

3.5.2 LAG configuration


Figures 3.15 and 3.16 show the link-aggregation interfaces and the Link Aggregation
Control Protocol (LACP) on core switch SC1. The LAG merges the physical ports to
increase the bandwidth, while LACP manages the LAG itself and simplifies the work of the
administrator.

Figure 3.15: Link-aggregation SC1


Figure 3.16: Lacp SC1

The figure 3.17 below shows the VLAN trunking protocol.

Figure 3.17: VTP

Note: Same configuration for SC2.
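The LAG between the two core switches (section 2.4.4 and the LAG configuration above), as an added VRP CLI example rather than the report's own commands. The member ports GE0/0/1 and GE0/0/2 and the VLAN list are assumptions; SC2 is configured the same way with its own member ports, and the `#` lines are notes, not commands.

```vrp
# Core switch SC1: Eth-Trunk 1 towards SC2, negotiated with LACP.
# System LACP priority (default 32768): the lower value makes SC1 the actor that decides
# which member links are active, so both ends agree on the same selection.
[SC1] lacp priority 100

[SC1] interface Eth-Trunk 1
# The mode must be set before members are added; on newer VRP releases the keyword is
# "mode lacp" instead of "mode lacp-static".
[SC1-Eth-Trunk1] mode lacp-static
[SC1-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 to 0/0/2
# Both links forward; with only one healthy link the LAG stays up (the availability
# point of section 2.4.4) instead of going down.
[SC1-Eth-Trunk1] max active-linknumber 2
[SC1-Eth-Trunk1] least active-linknumber 1
# The aggregated link is a trunk carrying only the department VLANs; the default VLAN 1
# is removed so that untagged stray traffic is not bridged between the cores.
[SC1-Eth-Trunk1] port link-type trunk
[SC1-Eth-Trunk1] port trunk allow-pass vlan 10 14 99 110
[SC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
# When a failed member comes back it is re-selected after a 30 s hold-down, which avoids
# flapping on a link that is still unstable.
[SC1-Eth-Trunk1] lacp preempt enable
[SC1-Eth-Trunk1] lacp preempt delay 30
[SC1-Eth-Trunk1] quit

# Verification: both members should be "Selected" and the partner's system ID must be
# SC2's; a member stuck in "Unselect" usually means a mismatch in speed or duplex.
[SC1] display eth-trunk 1
[SC1] display lacp statistics eth-trunk 1
```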

3.5.3 Configuration of Switch Access


VLAN configuration
We have three access switches; each one represents a department, as listed in the table
below.

Switch      Department    VLAN              Mode
Access 1    Network       10,14,99,110      Trunk
Access 2    System        10,14,99,110      Trunk
Access 3    RH            10,14,99,110      Trunk

Table 3.4: Switch’s Department

Each department has sub-departments with a specific VLAN. Table 3.5 details the first
department.

The PVID, or Port VLAN ID, handles the untagged traffic, that is the frames that carry
no VLAN header: the PVID gives them a default VLAN.


Sub-department    Physical port    VLAN    PVID
Sec-IT            0/0/2            110     14
NOC               0/0/3            14      14
Ing-Networks      0/0/4            99      14

Table 3.5: Network’s department

The table 3.6 explains the second department details.

Sub-department        Physical port    VLAN    PVID
Cloud                 0/0/2            110     14
Development           0/0/3            14      14
administration-Sys    0/0/4            99      14

Table 3.6: System’s department

The table 3.7 explains the third department details.

Sub-department    Physical port    VLAN    PVID
RH                0/0/2            10      14

Table 3.7: RH’s department

The figure shows the access switches.

Figure 3.18: Switch access
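The port-based VLAN assignment of section 2.4.2 applied to the first access switch (tables 3.4 and 3.5), as an added VRP CLI example that is not the report's own configuration. It assumes GE0/0/1 is the uplink to the core and that VLAN 14, the PVID of every port, is the untagged management VLAN of the APs while the tagged VLAN of each port is its service VLAN; the DHCP snooping block at the end is a hardening step the report does not show. Lines starting with `#` are notes, not commands.

```vrp
# Access switch "Access 1" (Network department). Port numbers and VLAN/PVID pairs follow
# table 3.5; the uplink port is an assumption.
[SA1] vlan batch 10 14 99 110

# Uplink to the core: carries only the four department VLANs, never the default VLAN 1
[SA1] interface GigabitEthernet 0/0/1
[SA1-GigabitEthernet0/0/1] port link-type trunk
[SA1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 14 99 110
[SA1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SA1-GigabitEthernet0/0/1] quit

# Sec-IT port (VLAN 110, PVID 14): untagged frames, i.e. the AP's own management and
# CAPWAP traffic, are placed in VLAN 14; tagged frames are accepted only for VLAN 110.
# Listing exactly these two VLANs keeps the port from carrying other departments' VLANs.
[SA1] interface GigabitEthernet 0/0/2
[SA1-GigabitEthernet0/0/2] port link-type trunk
[SA1-GigabitEthernet0/0/2] port trunk pvid vlan 14
[SA1-GigabitEthernet0/0/2] port trunk allow-pass vlan 14 110
[SA1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SA1-GigabitEthernet0/0/2] quit

# NOC port (VLAN 14, PVID 14): VLAN and PVID coincide, so a plain access port suffices
[SA1] interface GigabitEthernet 0/0/3
[SA1-GigabitEthernet0/0/3] port link-type access
[SA1-GigabitEthernet0/0/3] port default vlan 14
[SA1-GigabitEthernet0/0/3] quit

# Ing-Networks port (VLAN 99, PVID 14): same pattern as the Sec-IT port
[SA1] interface GigabitEthernet 0/0/4
[SA1-GigabitEthernet0/0/4] port link-type trunk
[SA1-GigabitEthernet0/0/4] port trunk pvid vlan 14
[SA1-GigabitEthernet0/0/4] port trunk allow-pass vlan 14 99
[SA1-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
[SA1-GigabitEthernet0/0/4] quit

# Hardening added here (not in the report): DHCP snooping on the management VLAN, with
# only the uplink trusted, so DHCP offers from a device plugged into an edge port are
# dropped and hosts keep receiving their leases from the core switch pools.
[SA1] dhcp snooping enable
[SA1] vlan 14
[SA1-vlan14] dhcp snooping enable
[SA1-vlan14] quit
[SA1] interface GigabitEthernet 0/0/1
[SA1-GigabitEthernet0/0/1] dhcp snooping trusted
[SA1-GigabitEthernet0/0/1] quit

# Verification: link type, PVID and allowed VLANs of every port in one table
[SA1] display port vlan
```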


3.6 AC configuration
In this section we are going to create a WLAN to provide mobility to the workspace.

3.6.1 Wired network connectivity


VLANs
The figure 3.19 shows the VLAN IP-address interfaces.

Figure 3.19: VLAN ip interfaces

DHCP
The figure 3.20 represents the DHCP configuration.

Figure 3.20: DHCP


3.6.2 APs configuration


AP groups
The figure 3.21 illustrates the AP-group names.

Figure 3.21: AP-group

The regulatory domain


Within the configuration of an Access Controller (AC), the regulatory domain holds the
specifications that establish the wireless radio characteristics.
The figure 3.22 indicates the regulatory domain of each group.

Figure 3.22: Regulatory domain profile

The Capwap tunnel


The figure 3.23 reveals the CAPWAP configuration.


Figure 3.23: Capwap tunnel

After setting the AP authentication mode, we assign each AP a unique ID, a MAC address
and a name, as displayed in figure 3.24.

Figure 3.24: APs displays

We now move from the AC's basic configuration to its security settings, which help to
create a secure and well-performing network.


3.6.3 WLAN service parameters


In this section we focus on the defence line of our access controller.

A security policy
We created three security profiles and gave each one a password.
The figure 3.25 depicts an example of a security profile for one of the groups.

Figure 3.25: Security policy

Then we set an SSID and a VAP profile for each group, as represented in figure 3.26 and
figure 3.27.

Figure 3.26: SSID-profiles

Figure 3.27: VAP-profiles


Finally, we bound the VAP profiles to the AP groups and applied their configuration to
radio 0 and radio 1 of the APs in the AP groups, as shown in the figure below.

Figure 3.28: Radio-profiles

The figure 3.29 represents the Radio interfaces on the simulator .

Figure 3.29: Radio simulator
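The AC configuration of sections 3.6.1 to 3.6.3 for one department group, together with the CAPWAP tunnel and VAP forwarding modes of section 3.3.1, as an added VRP CLI example rather than the report's own commands. It assumes VLAN 14 as the CAPWAP/management VLAN and VLAN 110 as the service VLAN (table 3.5); the profile names, addresses, country code, AP MAC address and passphrase are placeholders, and the `#` lines are notes, not commands.

```vrp
# AC6605: wired side, AP management and WLAN service for the Network department group.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 14 110
[AC] interface Vlanif 14
[AC-Vlanif14] ip address 192.168.14.2 255.255.255.0
[AC-Vlanif14] quit
# The interface the APs build their CAPWAP tunnel to; control and (in tunnel mode) user
# data traffic of section 3.3.1 both terminate here.
[AC] capwap source interface vlanif 14

[AC] wlan
# Regulatory domain: the country code fixes channels and transmit power (placeholder;
# use the code of the country where the APs operate).
[AC-wlan-view] regulatory-domain-profile name dom-network
[AC-wlan-regulate-domain-dom-network] country-code TN
[AC-wlan-regulate-domain-dom-network] quit
[AC-wlan-view] ap-group name grp-network
[AC-wlan-ap-group-grp-network] regulatory-domain-profile dom-network
[AC-wlan-ap-group-grp-network] quit

# AP authentication by MAC address: only APs listed here may join the controller,
# so an unknown AP plugged into a switch port stays out of the WLAN.
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc00-0001
# ^ placeholder MAC; take the real one from the AP label or "display ap unauthorized"
[AC-wlan-ap-0] ap-name AP-SecIT
[AC-wlan-ap-0] ap-group grp-network
[AC-wlan-ap-0] quit

# Security profile: WPA2-PSK with AES (table 3.3). The passphrase is a placeholder.
[AC-wlan-view] security-profile name sec-network
[AC-wlan-sec-prof-sec-network] security wpa2 psk pass-phrase CHANGE-ME-PLACEHOLDER aes
[AC-wlan-sec-prof-sec-network] quit
[AC-wlan-view] ssid-profile name ssid-network
[AC-wlan-ssid-prof-ssid-network] ssid Network-Dept
[AC-wlan-ssid-prof-ssid-network] quit

# VAP profile: tunnel forwarding (user data is carried inside CAPWAP to the AC, the
# tunnel mode of figure 3.5), mapped to service VLAN 110 and bound to the SSID and
# security profiles. "forward-mode direct-forward" would instead let the AP put user
# frames on the wire itself, tagged with VLAN 110, which the access switch must allow.
[AC-wlan-view] vap-profile name vap-network
[AC-wlan-vap-prof-vap-network] forward-mode tunnel
[AC-wlan-vap-prof-vap-network] service-vlan vlan-id 110
[AC-wlan-vap-prof-vap-network] ssid-profile ssid-network
[AC-wlan-vap-prof-vap-network] security-profile sec-network
[AC-wlan-vap-prof-vap-network] quit

# Bind the VAP to radio 0 (2.4 GHz) and radio 1 (5 GHz) of every AP in the group
[AC-wlan-view] ap-group name grp-network
[AC-wlan-ap-group-grp-network] vap-profile vap-network wlan 1 radio 0
[AC-wlan-ap-group-grp-network] vap-profile vap-network wlan 1 radio 1
[AC-wlan-ap-group-grp-network] quit
[AC-wlan-view] quit

# Verification: the AP state should be "nor" (normal) and the VAP present on both radios
[AC] display ap all
[AC] display vap all
```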


Following the deployment of the devices, our work continues with the tests section.

3.7 Tests:
To check the connectivity, locate network malfunctions and test host reachability, we
use the ping command.
The source sends an ICMP (Internet Control Message Protocol) Echo Request message.
The quality of the link used to reach the destination is then evaluated by the source
based on the number of ICMP Echo Request messages sent and ICMP Echo Reply messages
received, as well as the round-trip time (RTT) of the ping packets.

The figure 3.30 describes the ping output on one core switch.

Figure 3.30: Switch core 1 connectivity

The figure 3.31 describes the availability of the access switch, where SA2 represents the
system department:

Figure 3.31: Switch access connectivity

The figure 3.32 shows the connectivity of the AP of the sub-department 'RH'.
The 0.00 % packet loss indicates that the related department and the core switch are
working perfectly.


Figure 3.32: The RH connectivity

To track the gateways through which the packets pass from the source host to the
destination host, we use the tracert command.

The figure 3.34 shows the output, where it can be seen that the destination was reached
in one hop (a hop being a device that forwards data packets along a network path) and
that the round-trip time is 1 ms for each packet.

Figure 3.33: The AC tracert output

Figures 3.34 and 3.35 demonstrate the wireless connectivity between a PC and an AP,
which shows availability as well as security, since the host cannot connect without the
password.


Figure 3.34: Host Security

Figure 3.35: Host Connectivity

Wireshark is a powerful open-source tool that analyzes and monitors the traffic.
We capture data between two PCs engaged in two different calls.


The figure 3.36 displays the Wireshark interface. We can see the packet number, the time
at which it was captured, the source and the destination, the protocol and the length.

Figure 3.36: Packet interface

The figure 3.37 shows the I/O graph (input/output graph): the number of packets over
time, as well as the periods of higher and lower network activity.

Figure 3.37: I/O graph

Each Huawei device has its own MAC address; based on that MAC address we can monitor the
data traffic and follow the path from source to destination:


Figure 3.38: Flow graph

Our final step in the device configuration is the first line of defence, the firewall.

3.8 Firewall huawei


Networks play an important role in enterprise operations and must be protected: network
attackers use various methods, such as identity spoofing and malware, to penetrate the
network.
Deploying firewalls on the network is a common way of protection; however, traditional
firewalls can only analyze and block threats based on signatures, a method that cannot
effectively handle unknown threats.
That is why Huawei's next-generation (USG) firewalls provide the latest capabilities,
working together with other security devices.

3.8.1 Firewall USG6000


The USG6000 series next-generation firewalls offer comprehensive protection for small to
large enterprise networks. They are also an excellent option for branches. Integrated
firewall, intrusion prevention, antivirus and data leak prevention are provided at high
throughput. The figure 3.39 represents a real USG device.


Figure 3.39: USG6000

3.8.2 Features
The table 3.8 highlights the Firewall’s features.

Features                           Descriptions
High reliability                   Highly reliable hardware design, hot standby, link backup, hot back
User authentication and control    MAC, portal and 802.1x authentication
Security and defense               ACLs and isolation based on VAPs and user groups
AAA                                Local and RADIUS authentication / local accounts

Table 3.8: Large-capacity features

The USG6000 uses the VRP operating system as its core component; VRP is an operating
system platform dedicated to data communication. It provides flexible zone management
and dynamic security policy control.

3.8.3 HA between two firewalls


When it comes to ensuring uninterrupted network security, High Availability (HA) is the
way to go. Essentially, it is a cluster of two firewalls that work together seamlessly
to keep the system safe.
In this setup, one firewall is designated as the "active" one, while the other is the
"passive" one. If the active firewall fails, or if the cable connecting it gets
disconnected, the passive firewall takes over without any interruption of service. The
figure below demonstrates the HA between two firewalls.


Figure 3.40: High Availability

3.8.4 Configuration
Web interface : To open the web interface of each firewall we need to connect them
to a cloud as shown below.

Figure 3.41: Cloud configuration


Then comes the configuration of the device management IP address, which is the address
used to access the firewall web interface, as shown in figure 3.42 and figure 3.43.

Figure 3.42: Device’ s configuration

Figure 3.43: Firewall’ web interface

Step 1: Interface and VLANs configuration.


The figure 3.44 indicates the LAG settings between the firewall and the two core switches.


Figure 3.44: LAG settings

The figure 3.45 presents the VLAN settings.

Figure 3.45: Vlan settings


The figure 3.46 demonstrates the static routes.

Figure 3.46: Route-static settings

The zone configuration:

There are multiple zones: trust, untrust, DMZ and HA.

The trust zone: represents the most reliable and safest zone, and usually contains the
internal workstations.

The untrust zone: represents the least trustworthy section, and usually contains the
devices facing the internet, where the traffic flow is closely monitored.

The demilitarized zone (DMZ): represents the in-between zone, and usually contains
publicly accessible servers such as DNS and web servers.

The High Availability zone: a zone added manually for the link that provides continuous
service and quick fail-over in case of a dysfunction.

The figure 3.47 displays the different zones in our firewalls.


Figure 3.47: Zone settings

The policy section

To control which data flows are allowed, a security policy acts as the rule-book that governs incoming and outgoing network traffic.

Each rule specifies the source and destination (zone and address), the type of traffic (the service, i.e. protocol and port) and the action, permit or deny, as shown in figure 3.48. Rules are evaluated from top to bottom and the first matching rule decides, so specific permits must be placed before broad ones, and anything that matches no rule falls through to the default deny.

Figure 3.48: The security-policy measures

The NAT policy:

A NAT (network address translation) policy maps the many private addresses inside the local network to a public IP address before the traffic is forwarded to the Internet, as shown in figure 3.49. For source NAT the USG evaluates the security policy against the original, pre-translation source address, so the permit rules of the previous step keep referring to the private addresses, not to the public one.

Figure 3.49: The security-policy measures

Note: the configuration is the same on both firewalls.
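The rule-book and the address mapping described in the policy and NAT sections above, as one added Python example (it is not the report's own configuration and not Huawei's implementation): an ordered list of interzone rules with first-match semantics and an implicit default deny, followed by easy-IP style source NAT for the permitted Trust-to-Untrust flows. The zone networks, the 203.0.113.1 outside address and the three rules are assumptions chosen to mirror the Trust/Untrust/DMZ layout, and the sample packets are constructed.

```python
"""Interzone security policy with first-match rules and a default deny,
followed by easy-IP style source NAT.  Added example: not the report's own
configuration and not Huawei's implementation.  Zone networks, the outside
address and the rules are assumptions mirroring the Trust/Untrust/DMZ layout."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

# Assumed zone layout: the most specific matching network decides the zone.
ZONES = {
    "trust": [ip_network("192.168.10.0/24")],
    "dmz": [ip_network("172.16.1.0/24")],
    "untrust": [ip_network("0.0.0.0/0")],   # everything else faces the Internet
}

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    best, best_len = "untrust", -1
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best

ANY = [ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                   # "permit" or "deny"
    src_nets: list = field(default_factory=lambda: list(ANY))
    dst_nets: list = field(default_factory=lambda: list(ANY))
    services: Optional[set] = None                # None = any, else {(proto, port)}

    def matches(self, pkt: dict) -> bool:
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        return (self.src_zone == zone_of(pkt["src"])
                and self.dst_zone == zone_of(pkt["dst"])
                and any(src in n for n in self.src_nets)
                and any(dst in n for n in self.dst_nets)
                and (self.services is None
                     or (pkt["proto"], pkt["dport"]) in self.services))

# Ordered rule-book (assumed): the first matching rule decides.
POLICY = [
    Rule("lan_to_internet", "trust", "untrust", "permit",
         src_nets=[ip_network("192.168.10.0/24")],
         services={("tcp", 80), ("tcp", 443), ("udp", 53)}),
    Rule("internet_to_dmz_web", "untrust", "dmz", "permit",
         dst_nets=[ip_network("172.16.1.10/32")], services={("tcp", 443)}),
    Rule("lan_to_dmz", "trust", "dmz", "permit"),
]

def evaluate(pkt: dict, policy=POLICY) -> tuple:
    """Return (action, rule name); unmatched traffic hits the implicit default deny."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default"

PUBLIC_IP = "203.0.113.1"          # assumed outside-interface address
_nat: dict = {}                    # (private src, sport) -> translated port
_reverse: dict = {}                # translated port -> (private src, sport)
_ports = count(1024)

def forward(pkt: dict) -> Optional[dict]:
    """Policy first (on the private address), then source NAT; None = dropped."""
    if evaluate(pkt)[0] != "permit":
        return None
    if zone_of(pkt["src"]) == "trust" and zone_of(pkt["dst"]) == "untrust":
        key = (pkt["src"], pkt["sport"])
        if key not in _nat:                      # one translation per flow
            _nat[key] = next(_ports)
            _reverse[_nat[key]] = key
        return {**pkt, "src": PUBLIC_IP, "sport": _nat[key]}
    return dict(pkt)

def untranslate(public_port: int) -> Optional[tuple]:
    """Reverse mapping used for the return traffic of a translated flow."""
    return _reverse.get(public_port)

if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for pkt in [
        {"src": "192.168.10.20", "sport": 51000, "dst": "198.51.100.5", "dport": 443, "proto": "tcp"},
        {"src": "198.51.100.7", "sport": 40000, "dst": "192.168.10.20", "dport": 22, "proto": "tcp"},
        {"src": "172.16.1.10", "sport": 33000, "dst": "192.168.10.20", "dport": 445, "proto": "tcp"},
    ]:
        print(evaluate(pkt), "->", forward(pkt))
```

Running the module prints the verdict and the forwarded packet for three constructed flows: a workstation reaching an HTTPS site is permitted and leaves with the outside address and a fresh source port, an unsolicited SSH attempt from the Internet towards a workstation falls through to the default deny, and a DMZ host trying to reach the LAN is denied too, because no rule covers that direction. The policy is checked against the private source address before translation, which is the order the USG applies for source NAT.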


High availability:
The HA port settings of the first firewall are shown in the figure below.

Figure 3.50: HA/FW1 setups

The HA port settings of the second firewall are shown below.

Figure 3.51: HA/FW2 setups


The first firewall is the active one, since we use the active/standby model, as shown in figure 3.52.

Figure 3.52: Firewall 2 Dual-System

The second firewall is the standby one; its final configuration is shown in figure 3.53.

Figure 3.53: Firewall 2 Dual-System

3.9 Conclusion
This chapter walked through the configuration of our new network topology, from the devices all the way to the firewall deployment. Security and high availability were our top priorities.
The next chapter focuses on monitoring, to keep the network performing well.

Chapter 4

Network monitoring

4.1 Introduction
Since IT systems have become indispensable to society, a failure in any part of them can have major consequences. It is therefore vital to set up a network monitoring system.
In this chapter we cover network monitoring from the concept, through the required tools, to the installation and configuration.

4.2 Monitoring
4.2.1 Definition
Network monitoring is the IT procedure that discovers, maps and continuously observes a computer network and its components, such as routers, switches, servers and firewalls. It allows network administrators to watch network performance and connectivity in real time.

Figure 4.1: Network monitoring

Monitoring importance
In case of a network breakdown, the business becomes not just vulnerable but can also suffer a significant loss of customers, productivity and money.
Infrastructure monitoring is therefore a valuable tool for detecting network issues and resolving them promptly to prevent downtime. It pinpoints the exact location of a problem so that it can be addressed quickly, reducing response times and improving customer satisfaction. By identifying and fixing the root cause of a problem early, significant cost savings can be achieved and the company's reputation protected.
Figure 4.2 highlights the multiple benefits of network supervision.

Figure 4.2: Features

Concept
A network monitoring system can detect irregularities or breakdowns of any network device or resource, whether the resources are located on-premises, in a data center, hosted by a cloud services provider, or part of a hybrid environment. It can also collect data to analyze traffic flow and performance. One approach to monitoring for performance issues is the configuration of thresholds on the collected metrics, so that an alert is raised as soon as a threshold is violated. A single threshold evaluated on every sample tends to raise and clear the same alert repeatedly when a metric hovers around the limit, so in practice the problem condition is distinguished from the recovery condition (for example, several consecutive samples above the limit to open the problem, and a lower value to close it).
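The threshold approach described above, as an added Python example (not the report's code and not Zabbix's implementation, although it mirrors the distinction Zabbix makes between a trigger's problem expression and its recovery expression): a CPU-utilisation problem is opened only when several consecutive samples exceed the limit and closed only when a sample falls below a lower limit, and the same series is judged by a single threshold for comparison. The thresholds, the window size and the one-minute sample series are constructed assumptions.

```python
"""Threshold alerting with separate problem and recovery conditions.

Added example, not the report's code nor Zabbix's implementation.  The
thresholds, the window and the sample series are assumptions: a problem opens
when the last WINDOW samples are all above PROBLEM_THRESHOLD and closes only
when a sample drops below RECOVERY_THRESHOLD."""
from collections import deque

PROBLEM_THRESHOLD = 90.0   # assumed: percent CPU, all of the last WINDOW samples above
RECOVERY_THRESHOLD = 70.0  # assumed: one sample below this closes the problem
WINDOW = 3                 # assumed: consecutive samples needed to open a problem

def evaluate_samples(samples):
    """Return [(timestamp, event)] for a time-ordered series of (ts, value).

    Events are "PROBLEM" when the trigger fires and "OK" when it recovers; any
    other sample produces no event, like a trigger that keeps its state."""
    events = []
    recent = deque(maxlen=WINDOW)
    in_problem = False
    for ts, value in samples:
        recent.append(value)
        if not in_problem:
            if len(recent) == WINDOW and all(v > PROBLEM_THRESHOLD for v in recent):
                in_problem = True
                events.append((ts, "PROBLEM"))
        elif value < RECOVERY_THRESHOLD:
            in_problem = False
            events.append((ts, "OK"))
    return events

def naive_events(samples):
    """The same series judged by one threshold on every sample: it flaps."""
    events, in_problem = [], False
    for ts, value in samples:
        above = value > PROBLEM_THRESHOLD
        if above != in_problem:
            in_problem = above
            events.append((ts, "PROBLEM" if above else "OK"))
    return events

# Constructed one-minute CPU samples (seconds, percent) from a firewall; not real data.
SAMPLES = [
    (0, 40.0), (60, 55.0), (120, 92.0), (180, 89.0), (240, 93.0),
    (300, 95.0), (360, 96.0), (420, 88.0), (480, 91.0), (540, 75.0),
    (600, 65.0), (660, 50.0),
]

if __name__ == "__main__":
    print("with recovery condition:", evaluate_samples(SAMPLES))
    print("single threshold:       ", naive_events(SAMPLES))
```

On the constructed series the single-threshold variant raises and clears the alert three times in ten minutes, while the variant with a separate recovery condition produces one PROBLEM and one OK, which is what an operator wants to be paged about.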

There are four types of network monitoring:

Performance monitoring evaluates the quality and effectiveness of the network's operation by examining real-time and historical metrics, including bandwidth usage, packet loss, latency and response times.

Availability monitoring ensures that resources and infrastructure are reachable. Availability monitoring tools identify issues immediately, including hardware failures such as a router breakdown, software problems in critical web applications, and connectivity problems.

Traffic monitoring analyzes the data flow across the network so that administrators understand how the network is being used and for what purposes. These tools also provide bandwidth monitoring, measuring transmission rates and overall volume to maintain performance and prevent bottlenecks.

Security monitoring protects the confidentiality, integrity and availability of IT resources and data, and avoids the steep costs of security-related disruptions.


4.2.2 Network monitoring tools


There are three primary types of network monitoring tools.

SNMP-based tools rely on the Simple Network Management Protocol (SNMP) to communicate with network hardware. They track the current status and utilization of resources, including CPU statistics, memory usage, bytes transmitted and received, and other metrics. SNMP is among the most commonly used monitoring protocols, alongside Windows Management Instrumentation (WMI) for Windows servers and Secure Shell (SSH) for Unix and Linux servers.[11]

Flow-based tools monitor traffic flows to provide statistics about protocols and users. They also examine packet sequences to identify performance issues between two IP addresses. The flow records are captured by the exporting devices and sent to a central collector for processing and storage.[12]

Active network monitoring solutions inject synthetic packets into the network to evaluate end-to-end reachability, round-trip time, bandwidth, packet loss, link utilization and other metrics. By performing and measuring real-time transactions from a user's perspective, they detect outages and performance degradation promptly and reliably.[13]

Figure 4.3 summarizes the aspects of a network supervision tool.

Figure 4.3: Tool's aspects

The table below gives a comparative study of different supervision tools:


Feature     Zabbix                          Nagios                              PRTG
Features    Full monitoring, open source    Robust monitoring, various plugins  Great visibility
Strengths   Customized performance          -                                   Intuitive dashboards
Weakness    Less intuitive interface        Complex configuration               Paid license
Price       Free                            Free (Core), Paid                   Paid

Table 4.1: Monitoring tools

In this work we use a Zabbix server, with SNMP as the protocol between the firewalls and the server.

4.2.3 Simple Network Management Protocol


The Simple Network Management Protocol (SNMP) is an Internet Standard protocol that collects and organizes information about managed devices on IP networks. It also allows device behavior to be changed, as figure 4.4 illustrates.

Figure 4.4: SNMP

SNMP functions
SNMP consists of several components:

- An NMS (Network Management System), which is a software application or a set of hardware and/or software tools used to supervise network activity as well as servers and applications.

- An SNMP agent, which runs on a managed device to receive requests from the NMS and send responses back to it.

- A MIB (Management Information Base), shared between the agent and the manager, which describes the objects (each identified by an OID) that can be read or written over SNMP.

- Managed devices, which are the parts of the network requiring some form of analysis and management, such as routers, switches, servers, workstations, printers and UPS units, as figure 4.5 shows.

Figure 4.5: SNMP components
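What the exchange between the NMS and an agent looks like on the wire, as an added Python example (not the report's code): it hand-encodes an SNMPv2c GetRequest for sysDescr.0 using the protocol's BER rules, then parses the resulting datagram the way a passive observer on the management VLAN would and reads the community string straight out of it. The community "public", the request-id, the use of the standard MIB-II object 1.3.6.1.2.1.1.1.0 and Huawei's enterprise OID 1.3.6.1.4.1.2011 are assumptions for the demonstration.

```python
"""Encode an SNMPv2c GetRequest and read the community string back out of it.

Added example, not the report's code.  It hand-encodes the BER structures of
an SNMPv2c GetRequest (one variable binding) and then parses the datagram as a
passive observer would.  Community, request-id and OIDs are assumptions."""

def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value

def _integer(n: int) -> bytes:
    # two's complement, minimal length; enough for request-ids and error codes
    length = max(1, (n.bit_length() + 8) // 8)
    return _tlv(0x02, n.to_bytes(length, "big", signed=True))

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:                        # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Build a complete SNMPv2c GetRequest message for one OID."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")          # OID + NULL value
    pdu = _tlv(0xA0,                                        # GetRequest-PDU
               _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))                       # VarBindList
    # version INTEGER 1 means SNMPv2c; the community is a plain OCTET STRING
    return _tlv(0x30, _integer(1) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                   # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def community_of(datagram: bytes) -> str:
    """What an on-path observer sees: the v1/v2c credential in clear text."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    if int.from_bytes(version, "big", signed=True) not in (0, 1):
        raise ValueError("SNMPv3: no community string, credentials live in the USM header")
    _, comm, _ = _read_tlv(body, pos)
    return comm.decode()

if __name__ == "__main__":
    msg = get_request("public", "1.3.6.1.2.1.1.1.0", request_id=42)
    print(msg.hex())
    print("observer reads community:", community_of(msg))
    print("Huawei enterprise OID:", _oid("1.3.6.1.4.1.2011").hex())
```

This is the reason section 4.3.2 configures SNMPv3 on the firewalls: with v1/v2c the community string is the only credential and it is readable by anyone who captures the datagram, whereas a v3 message carries a user name, an authentication digest and, at the authPriv level, an encrypted PDU, so community_of() has nothing to read and refuses it.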

4.2.4 Zabbix
Zabbix is a software package that monitors a wide range of network parameters as well as the health and integrity of servers. Zabbix uses a flexible notification mechanism that allows users to configure e-mail alerts for virtually any event.[14]

Figure 4.6: Snmp components

The table below shows the Zabbix features:


Features                 Description
Scalability              Licenses for 1, 8 or 32 access points
Network                  Flexible network connections (Layer 2 or 3)
Services                 Mapping of services between VLANs and SSIDs
Transfer                 Deployment in various network topologies
Radio Management         Automatic radio parameter optimization
Access Control           Secure access with ACLs and user/role controls
User Rights Management   User access control based on ACLs, VLANs and bandwidth limits

Table 4.2: Features

We are now ready for the installation and configuration.

4.3 Settings
This section is organized in three steps:

- VMware and Zabbix download.
- SNMP firewall settings.
- SNMPv3 display.

4.3.1 Vmware and Zabbix download


The first step is to download the Zabbix appliance and import it as a virtual machine in VMware Workstation.

VMware Workstation: virtual machine software used to run multiple operating systems on a single physical host computer.

The Zabbix appliance: a pre-packaged VM containing a Linux operating system (often AlmaLinux) with the Zabbix server pre-installed, configured and ready to use.

The figure shows the Zabbix appliance interface in VMware Workstation:


Figure 4.7: Zabbix-appliance interface

The packages are then upgraded, as shown below.

Figure 4.8: Packages upgrading command

The packages include:

- Web server: handles HTTP requests and serves content to web browsers.

Figure 4.9: Zabbix Server

- Office suite: offers word-processing, spreadsheet and presentation applications.

Figure 4.10: Zabbix-Office


- Database: stores and handles data for diverse applications.

Figure 4.11: Zabbix-Database

- Kernel: manages hardware and software resources.

Figure 4.12: Zabbix-Kernel

- Zabbix agent: the Zabbix agent is deployed on a monitored target to actively monitor local resources and applications; it gathers operational information locally and reports it to the Zabbix server for further action.

Figure 4.13: Zabbix-agent

After the installation and the upgrade of the packages, we access the Zabbix web interface, as shown in figures 4.14 and 4.15.

Figure 4.14: Web ip-address


Figure 4.15: Web interface

4.3.2 SNMP’s firewall configuration


Figures 4.16 and 4.17 show the necessary SNMP settings on the firewall. SNMPv3 is used at the authPriv security level (every message authenticated with a hash and encrypted with a cipher) rather than SNMPv1/v2c, whose community string travels in clear text, and the firewall's SNMP agent should accept requests only from the Zabbix server's address.

Figure 4.16: SNMP’s firewall setup

Figure 4.17: SNMP’s server setups


Note: the same settings apply to both firewalls.

Next, in the Zabbix front end, we open Configuration, then Hosts; the figure below shows the host settings.

Figure 4.18: Host setups

Then the encryption settings of the host's SNMP interface (security level, authentication and privacy protocols) are verified, as shown below; the SNMPv3 user and its passphrases must match exactly what was configured on the firewall.

Figure 4.19: Encryption setups

4.3.3 SNMPv3 display


SNMPv3 also allows the agent itself to be configured dynamically: SET operations on the MIB objects that hold the agent's configuration can add, remove and modify configuration elements, locally or remotely. For a monitoring-only deployment such as ours, the SNMPv3 user given to Zabbix should therefore belong to a read-only group, so that a compromise of the monitoring server cannot be turned into write access on the firewalls.

The figures below show SNMPv3 used in the discovery rule of the host.


Figure 4.20: SNMPv3 displays

Figure 4.21: SNMPv3’s host

The ping output confirms that the Zabbix server can reach the monitored firewall, as shown in figure 4.22:


Figure 4.22: Zabbix connectivity

After creating each host (its name, the template it is linked to, its host group and its listening interface, SNMP or Zabbix agent), the hosts we intend to monitor appear as shown below.

Figure 4.23: Hosts supervised by ZABBIX

After assigning a template to the firewalls, we prepare the reporting section by:

- Installing the Zabbix web service, as in figure 4.24.


Figure 4.24: Server-Web installation

- Installing Google Chrome on the server, which the web service uses to render the reports, as in figure 4.25.

Figure 4.25: Installation of the Chrome


- Adding the server address to the Zabbix-Web-Service.conf file (the parameter listing the addresses allowed to call the web service), as shown in figure 4.26.

Figure 4.26: Server-address Configuration

- Adding the port number of the web service to the Zabbix-Server.conf file (as part of the URL the server calls to request a report), as illustrated below.

Figure 4.27: Port Configuration

Finally, Zabbix displays equipment problems, as the example in figure 4.28 demonstrates.

Figure 4.28: Detected problems


4.4 Conclusion
This chapter defined network monitoring, with a focus on the importance, features and variety of supervision. After a comparative study of the available tools, we chose Zabbix for its comprehensive and compatible system, and we walked through the installation and configuration of the chosen tool.

General Conclusion

Organizations still face availability and security problems, which lead to lost productivity, financial loss and exposed data.

Our project goal was to build a LAN architecture that provides the essential properties, from connectivity and availability to security and monitoring. Throughout the deployment we paid particular attention to configuring and optimizing the Huawei equipment so as to obtain a reliable, high-performance network with effective traffic management and flow control, and stable, secure connectivity for workstations regardless of their location.

The deployment of the Huawei firewalls significantly strengthened the network's protection against external threats, from viruses to other malware: incoming and outgoing traffic is filtered according to strict security rules.

Network monitoring further improved the protection of our systems; it gives earlier warning of potential breaches and attacks, and it lets the organization observe outgoing traffic as well, which makes it possible to supervise employee productivity.

As for future work, although every planned step has been implemented, we propose improving the solution with cloud-based management, for its scalability and manageability, and with a Network Operations Center (NOC) to maintain network security on an ongoing basis.

Webography

[1] LAN components. https://www.spiceworks.com/tech/networking/articles/what-is-local-area-network/

[2] The company activities. https://www.prologic.com.tn/

[3] Local Area Network. https://www.cisco.com/c/en/us/products/switches/what-is-a-lan-local-area-network.html

[4] Types of Local Area Network. https://www.spiceworks.com/tech/networking/articles/what-is-local-area-network/

[5] VLAN Trunking Protocol. https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html

[6] Link Aggregation Group. https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html

[7] Wireshark. https://www.techtarget.com/whatis/definition/Wireshark

[8] AC6005. https://www.router-switch.com/media/upload/product-pdf/huawei-ac6005-wireless-access-controller-datasheet.pdf

[9] AC6605. https://www.router-switch.com/media/upload/product-pdf/huawei-ac6605-26-pwr-wireless-access-controller-datasheet.pdf

[10] S5700. https://support.huawei.com/enterprise/en/doc/EDOC1000027454

[11] SNMP-based tools. https://www.ibm.com/topics/network-monitoring

[12] Flow-based tools. https://www.ibm.com/topics/network-monitoring

[13] Active network monitoring. https://www.ibm.com/topics/network-monitoring

[14] Zabbix. https://www.zabbix.com/documentation/1.8/en/manual/about/overview_of_zabbix
