• Title/Summary/Keyword: VLAN

Detection and Prevention of Bypassing Attack on VLAN-Based Network Segmentation Environment (VLAN을 이용한 네트워크 분할 환경에서의 네트워크 접근 제어 우회 공격 탐지 및 방어 기법)

  • Kim, Kwang-jun;Hwang, Kyu-ho;Kim, In-kyoung;Oh, Hyung-geun;Lee, Man-hee
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.2 / pp.449-456 / 2018
  • Many organizations segment their network to prevent the leakage of internal data between separate organizations/departments through the exchange of unnecessary traffic. The most fundamental network separation method is based on physically separate equipment. However, networks are also divided and operated logically by using the virtual LAN (VLAN) network access control function, which can be deployed at a lower cost. In this study, we first examined the possibility of bypassing logical network separation through VLAN ID scanning and the double encapsulation VLAN hopping attack. Then, we showed and implemented a data leak scenario using the acquired VLAN ID. Furthermore, we proposed a simple and effective technique to detect and prevent the double encapsulation VLAN hopping attack, which was also implemented for validation. We hope that this study improves the security of organizations that use VLAN-based logical network separation by preventing internal data leakage or external cyber attacks exploiting the double encapsulation VLAN vulnerability.

Extended FDB Application Algorithm Proposal for Overlap VLAN Implementation (중첩 VLAN구현을 위한 확장 FDB적용 알고리즘 제안)

  • 황인섭;공휘식
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2001.10a / pp.84-88 / 2001
  • Security and performance degradation caused by broadcast traffic are the most important issues to handle in a LAN. A virtual LAN can reduce LAN degradation by forming and managing network groups logically. The MAC address VLAN algorithm proposed in this research gives VLANs an overlapping property by adding an extended VID field and a VID connection-range table to the FDB, and manages the overlap range dynamically. A VLAN that applies the proposed algorithm can share information and resources across the network without additional equipment. The algorithm can be applied to switches or bridges that perform Layer 2 functions.

SDN-Based Enterprise and Campus Networks: A Case of VLAN Management

  • Nguyen, Van-Giang;Kim, Young-Han
    • Journal of Information Processing Systems / v.12 no.3 / pp.511-524 / 2016
  • The Virtual Local Area Network (VLAN) has been used for a long time in campus and enterprise networks as the most popular network virtualization solution. Due to the benefits and advantages achieved by using VLAN, network operators and administrators have been using it to construct their networks up until now and have even extended it to manage the networking in cloud computing systems. However, its configuration is a complex, tedious, time-consuming, and error-prone process. Since Software Defined Networking (SDN) features centralized network management and network programmability, it is a promising solution for handling the aforementioned challenges in VLAN management. In this paper, we first introduce a new architecture for campus and enterprise networks by leveraging SDN and OpenFlow. Next, we design and implement an application for easily managing and flexibly troubleshooting the VLANs in this architecture. This application supports both static VLAN and dynamic VLAN configurations. In addition, we discuss the hybrid-mode operation, in which packet processing is handled by both the OpenFlow control plane and the traditional control plane. By deploying a real test-bed prototype, we illustrate how our system works and then evaluate the network latency in dynamic VLAN operation.

The VLAN implementation scheme on IBM-NP4GS3 based Packet Forwarding Engine (IBM NP4GS3 기반 패킷 포워딩 엔진에서의 VLAN 구현 방안)

  • 최창식;곽동용
    • Proceedings of the Korean Information Science Society Conference / 2002.10e / pp.502-504 / 2002
  • In existing router systems, the packet forwarding engine was implemented in software using optimized lookup algorithms, but as the volume of data to be processed has surged, it is being replaced by forwarding engines that use dedicated lookup chips. However, such lookup-chip-based packet forwarding engines are not only expensive but also have the disadvantage of being hard to adapt to rapidly changing communication protocols, and for this reason the development of Network Processor-based packet forwarding engines has recently become active. Our institute also uses IBM's 2.5G Network Processor, the NP4GS3 chip, for the forwarding engine applied to the high-speed optical subscriber network project, supporting interfaces such as GbE/POS/E-PON. In addition, this project plans to apply VLAN service to handle traffic flooding during Layer 2 broadcasting in the subscriber network and to support security functions between subscribers. This paper reviews general VLAN functions, analyzes the VLAN functions supported by the IBM NP4GS3, and on that basis describes a VLAN implementation scheme for the NP4GS3-based packet forwarding engine.

A Case Study of the Implementation and Verification of VLAN-applied Network Based on a Five-step Scenario (5단계 시나리오에 기반한 VLAN이 적용된 네트워크 구현 및 검증 사례연구)

  • Kim, No-Whan;Park, Jin-Seob
    • The Journal of the Korea Institute of Electronic Communication Sciences / v.16 no.1 / pp.25-36 / 2021
  • This paper presents a topology based on Packet Tracer and a five-step scenario model to make it easier for students to understand a network on which VLANs are applied. The Virtual LAN (VLAN), developed as an alternative to routers for containing broadcast traffic, is a virtual local area network that is logically configured regardless of the physical network. The VLAN prevents the network performance degradation resulting from broadcast traffic by dividing the broadcast domain so that bandwidth can be used more efficiently. In addition, it enhances security because communication between devices belonging to different VLANs is impossible. The five-step scenarios in this paper present an efficient implementation case for students to understand and validate the various functions of VLANs through ping/telnet/tracert tests and simulation, after setting up each step of programming switches and routers in the virtual network.

Logical Link-Based Multicasting Services in Ethernet Passive Optical Networks (이더넷 수동형 광가입자망에서 논리적 링크 기반의 멀티캐스팅 서비스)

  • Choi Su-il
    • The Journal of Korean Institute of Communications and Information Sciences / v.30 no.11B / pp.722-729 / 2005
  • Ethernet passive optical networks (EPONs) are an emerging access network technology with a point-to-multipoint topology. EPONs operate point-to-multipoint in the OLT-ONU direction, and point-to-point in the ONU-OLT direction. To support point-to-point emulation and shared LAN emulation, EPONs use the multi-point control protocol (MPCP). The MPCP uses the logical link identification (LLID) field for frame tagging and filtering between the OLT and ONUs. In this paper, I propose logical-group identification (LGID) for logical link-based multicasting or VLAN services in EPONs. Using LGID with new frame tagging and filtering rules, EPONs support differentiated multimedia broadcasting or multicasting services. Additionally, EPONs can support logical link-based VLAN services that divide ONUs into several subsets.

A Study on the Network Access Control of a System in Real Time by Network Address Authentication Based on Policy in the VLAN Environments (VLAN 환경에서 네트워크 주소 인증을 통한 정책 기반 실시간 시스템 제어 기술 연구)

  • Choi, Won-Woo;Ahn, Seong-Jin;Chung, Jin-Wook
    • Convergence Security Journal / v.5 no.1 / pp.35-43 / 2005
  • In managing network addresses, it is necessary to control network access when a user arbitrarily changes their own IP address or network devices. Also, when we use new network devices or assign network addresses, we do so by design, not arbitrarily, so that network problems can be controlled immediately. This can be used for network management and security at a low level. But most managers do this work by hand rather than automatically. This paper proposes solutions that improve security through network address authentication in VLAN environments such as corporations and public offices.

The VLAN implementation scheme for Next Generation Transport System (NGTS) (차세대 통합 전달 시스템에서 VLAN 구현 방안)

  • 황현용;곽동용
    • Proceedings of the IEEK Conference / 2003.11c / pp.97-100 / 2003
  • This paper proposes a simple and efficient scheme to deliver frames between TDM interfaces and IP interfaces in NGTSs. Next Generation Transport Systems (NGTSs) are new conceptual transmission equipment for the next generation network. They consist of TDM interfaces and IP interfaces. NGTSs are suitable for high-speed transmission links such as SONET/SDH and Gigabit Ethernet. The proposed VLAN scheme for NGTSs is implemented successfully.

An Extended Virtual LAN System Deploying Multiple Route Servers (다중 라우트 서버를 두는 확장된 가상랜 시스템)

  • Seo, Ju-Yeon;Lee, Mee-Jeong
    • Journal of KIISE:Information Networking / v.29 no.2 / pp.117-128 / 2002
  • Virtual LAN (VLAN) is an architecture that enables communication between end stations as if they were on the same LAN regardless of their physical locations. VLAN defines a limited broadcast domain to reduce bandwidth waste. Newbridge Inc. developed a layer 3 VLAN product called VIVID, which configures a VLAN based on IP subnet addresses. In a VIVID system, a single route server is deployed for address resolution, VLAN configuration, and data broadcasting to a VLAN. If the size of the network over which the VLANs supported by the VIVID system span becomes larger, this single route server could become a bottleneck for system performance. One possible approach to cope with this problem is to deploy multiple route servers. We propose two architectures, organic and independent, to expand the original VIVID system to deploy multiple route servers. A series of simulations is performed to analyze the performance of each proposed architecture. The simulation results show that the performance of the proposed architectures depends on the lengths of VLAN broadcasting sessions and the number of broadcast data frames generated by a session. It has also been shown that there are tradeoffs between the scalability of the architectures and their efficiency in data transmission.

IPTV Channel Package Delivery in EPONs Using ONU-Based Multicast Emulation (EPON망에서 ONU기반 멀티캐스트를 이용한 IPTV 채널 패키지 전송 서비스)

  • Choi, Su-Il
    • The Journal of Korean Institute of Communications and Information Sciences / v.33 no.4B / pp.224-231 / 2008
  • EPONs are a low-cost, high-speed solution to the bottleneck problem of broadband access networks. To support point-to-point and shared LAN emulation, EPONs use the multi-point control protocol (MPCP), which uses logical link identification (LLID) for frame tagging and filtering between the OLT and ONUs. In this paper, ONU-based multicast or multiple shared LAN emulation is used for IPTV channel package delivery services. Using ONU-based VLAN services, EPONs can support separate and secure connections between providers and subscribers in a simple manner. Also, IPTV channel packages can be delivered through EPONs by implementing ONU-based VLAN and IGMP snooping mechanisms. By showing the fast channel zapping time of the proposed architecture, I show that EPONs are suitable for IPTV channel package delivery services.